Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
5 Conclusions and Recommendations D uring the course of the study, the committee concluded that an effective security program that will lead to the development of a culture of security at Reclamation requires all of the following: ⢠A risk management approach. ⢠An integrated security plan for each facility. ⢠Policies and operational guidance for key aspects of the program. ⢠A collaborative operating environment. ⢠Senior management support and commitment. ⢠Adequate resources. ⢠Performance measurement and evaluation to support continuous improvement. ⢠A method for disseminating lessons learned. ⢠A vision and a long-term plan for a sustainable program. CONCLUSIONS Reclamationâs security program has been driven by the urgency to provide some level of protection to a large number of facilities in the wake of the 1995 bombing of the Murrah Building in Oklahoma City and the 9/11 attacks on the World Trade Center and the Pentagon. In the comÂmitteeâs opinion, Reclamation has made significant progress toward establishing an effective security program. However, the committeeâs overall conclusion is that although the Bureau of Reclamation is now 83
84 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM b  etter able to protect its infrastructure and its people against malicious acts than it was 7 years ago, the security program is not yet mature, well- integrated, or appropriately supported at all levels of the organization. To date, Reclamation has focused on tactical issues: developing a risk management approach; establishing security plans for each facility; staffing a security and law enforcement office; and developing an intel- ligence gathering and analysis capability. Still missing are policies and operational guidance for effective responses to security-related incidents; performance measures to support continual improvement; and a method for disseminating lessons learned. Also missing are the full support and commitment of senior executives and managers at all levels of the organi- zation and adequate resourcesâstaff, expertise, and fundingâto develop a security program that is robust and sustainable. It is now time for Reclamation to take a more strategic approach to its security program. One of its highest priorities should be the develop- ment of a vision and a plan to provide a path forward. The vision should explicitly link the physical assurance of Reclamationâs facilities to its overall mission of providing water and power. The plan should address policy, programmatic, and resource issues and should have the support and commitment of all of Reclamationâs managers. RECOMMENDATIONS The committeeâs findings and recommendations follow. The recom- mendations are intentionally general to allow Reclamation and the SSLE Office some flexibility in determining what processes, tools, or policies will be used to address them. In some cases a recommendation relates to more than one finding. With the exception of the development of a vision and a plan for the security program, the committee has not presented its recommenda- tions in order of priority. However, some recommendations require action sooner than others because they will help to avoid undesirable outcomes and will yield both immediate and long-term benefits. These actions include the development of ⢠An out-of-cycle process for security assessments; ⢠Policy on the use of deadly force; ⢠Response plans for security-related incidents; ⢠A streamlined personal identity verification process; ⢠A pre-project planning process for security-related projects; and ⢠Policies related to the sharing of intelligence-based information.
CONCLUSIONS AND RECOMMENDATIONS 85 A RISK MANAGEMENT APPROACH Finding 1: The risk management process that Reclamation has developed to assign priority for conducting threat and vulnerability assessments, security improvements, and resource allocation is appropriate. Elements of this process, however, need to be continually improved and refined as threats emerge, as risk assessment methods evolve, and as research-based information becomes available. Finding 2: Reclamation plans to conduct security assessments on a 3- to 6-year cycle even though security threats are continually emerging and must be continuously monitored. Discussion of Findings 1 and 2 Reclamation has developed a risk management program that incor- porates a screening procedure; threat scenarios; vulnerability and risk assessments for individual facilities; a cost-benefit analysis for risk miti- gation measures; and a decision analysis framework. The grouping of Reclamationâs facilities into categories that reflect relative risk and con- sequences (screening procedure) has been useful in assigning priority for mitigation projects and resource allocation. Different methods, including RAM-D, MSRA, and the Balanced Survivability Assessment Approach, have been used to conduct threat and vulnerability assessments; these methods are all accepted, standard, and appropriate. To remain abreast of the evolving field of risk assessment, BOR should monitor the new threat and risk assessment methods being developed by the Department of Homeland Security (DHS) and other organizations. In the future, Rec- lamation managers should be ready to use risk assessment methods rec- ommended by the DHS and methodologies that are customized to the specific requirements of dam security, such as RAM-D. Reclamation has patterned its risk management programs after its safety of dams program. Although there are differences in the types of threats being assessed, there are also opportunities to better integrate these programs. Staff have, in fact, indicated that SSLE is moving toward an all-hazards risk management approach that incorporates risks from natu- ral hazards, malicious acts, accidents, and human error. An all-Âhazards approach would be consistent with the National Infrastructure Protection Plan. Currently, however, Reclamationâs safety of dams program and its security program operate independently. For the safety of dams program, Reclamation has institutionalized a rigorous review of every critical dam under its purview. Comprehensive facility reviews (CFRs) are performed every 6 years with participation of subject-matter experts from all levels of BOR. CFRs include a detailed site
86 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM examination, a review of changes in the state of the art, and an evalua- tion of risks. They look at many things, such as loading conditions on the dam and downstream populations. Periodic facility reviews (PFRs) are performed midway between CFRs and involve detailed site examination of the structures. Annual inspections are conducted by the area offices in years CFRs or PFRs are not held. The various reviews are designed to also identify important operational and maintenance needs. In 1998 BOR established a ârisk cadreâ composed of five experts at the Technical Services Center to further the development of risk analy- sis processes for dam safety. The risk cadre developed a consistent risk analysis methodology, developed toolboxes for loading probability and consequences, and trained others in risk analysis with the objective of continually improving Reclamationâs risk analysis processes. The exper- tise of this cadre could be expanded to include security-related issues, processes, and training to leverage resources and move toward an all- hazards approach. By more fully integrating the dam safety program with the dam secu- rity program, Reclamation could create a synergy that would heighten awareness of security issues and, ultimately, reduce the overall risks to dams. If Reclamation were to use inspection teams whose members had both safety and security expertise, it might be able to better leverage its resources. For example, the NCI facilities now consume more than half of BORâs security funding. Dam safety resources and business processes, by contrast, are applied to a far larger set of dams. If dam security assess- ments were conducted together with all dam safety assessments, it might be possible to conduct a greater number of security assessments per cycle. In addition, the increased awareness of security issues among all the team members would benefit Reclamation in both the short and long terms. Training these teams to assess both safety and security risks would add to Reclamationâs body of knowledge about the security of dams and provide for greater continuity in institutional knowledge as personnel change jobs or leave the organization. It is also possible that risk mitigation projects could be formulated that would address both safety and security vulner- abilities and result in multiple benefits for both the programs and the public. Combining teams and resources in this way might cost more, at least initially. Also, care would need to be taken to ensure that dam safety does not suffer. For these reasons, it may be best to first try a combined approach on a limited basis to better understand the consequences, both positive and negative, before implementing it Reclamation-wide. As noted in Chapter 3, security-related threats are continually evolv- ing, so that a 3- to 6-year security assessment cycle similar to the dam safety inspection cycle might not be adequate in all cases. While the com-
CONCLUSIONS AND RECOMMENDATIONS 87 mittee supports the implementation of a fixed cycle to ensure that assess- ments are in fact completed, it believes that Reclamation should provide for out-of-cycle security assessments when circumstances change and dictate that a security assessment is necessary. Recommendation 1: Reclamation managers should monitor the new threat and risk assessment methods being developed by the Depart- ment of Homeland Security and others and use those methods that are most appropriate for dams and related infrastructure (Finding 1). Recommendation 2: In addition to conducting security assessments on a 3- to 6-year cycle, Reclamation should institute a process and criteria for conducting out-of-cycle assessments as threats emerge and circum- stances warrant (Finding 2). AN INTEGRATED SECURITY PLAN FOR EACH FACILITY Finding 3: A robust facility security plan provides for defense in depth through an integrated system made up of obstacles that restrict access, surveillance and intrusion detection systems, and a rapid-response force. Although elements of a facility security plan were visible at most sites that the committee visited, the elements did not appear to be effectively integrated. Finding 4: At some sites, the committee could imagine threat scenarios, especially those involving insiders, that could not be countered effec- tively by the forces and fortifications in place. Too often facility security defenses appeared brittle and lacking in depth. If one line of facility security was neutralized, it was too likely that intruders could continue moving forward. Finding 5: Reclamation evaluated a very limited number of standard threat scenarios for its security assessments. Security-related intelligence has not been integrated into site-specific, realistic threat scenarios to the committeeâs knowledge. Discussion of Findings 3, 4, and 5 In the wake of the 9/11 attacks, Reclamation implemented a range of security improvements to protect its NCI dams and other critical facilities. The improvements include obstacles to restrict access, various types of sur- veillance and intrusion detection systems, and some response capabilities. It appears that for the most part the various measures were put in place as
88 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM individual components and were not well integrated to provide defense in depth. The committee also observed Reclamationâs failure to integrate i  ntelligence-based information into site-specific, realistic threat scenarios. In the absence of realistic and specific threat scenarios, risk assessment programs may become bureaucratic exercises. The committee believes that effective training and contingency planning require consideration of a range of scenarios that are both site specific and responsive to cur- rent intelligence-based information. These scenarios should be tested in exercises that reflect the guidelines promulgated in FEMAâs Homeland Security Exercise and Evaluation Program (HSEEP). Care should be taken to refrain from identifying any specific scenario as the anticipated mode of attack so long as other feasible options are open to an attacker. Recommendation 3: Reclamation and the SSLE should review their facility security plans as a system, identify gaps in the integration of the various elements, develop a range of realistic, site-specific threat scenarios based on local conditions and intelligence from all available sources, and conduct both contingency planning and training exercises using these scenarios. A protocol for regular review and adjustment of scenarios should be adopted to assure that planning and training are aligned with current conditions (Findings 3, 4, 5). Finding 6: Because each Reclamation facility is in a different jurisdiction with different laws and a unique mix of local, county, state, and federal law enforcement entities, the interface between first responders and those that provide follow-up will vary. Facility security plans will therefore need to incorporate distinct arrangements for cooperation among the various responders during a security-related incident. Finding 7: Specific guidelines for command, control, and decision making at individual sites would enable an effective response to a security-related incident. At Reclamation, guidance for these responsibilities was unclear, and procedures were not well understood by staff. Finding 8: Training exercises are important to ensure that when person- nel from multiple government and law enforcement entities respond to a security-related incident, all of the key players understand the proce- dures for command and control and for the transfer of authority as events unfold. Training exercises need to be designed to test site-specific, realistic scenarios and to be aligned with the responsibilities of the responders. Finding 9: Good communication is critical for an effective response to a security-related incident. The committee observed that some communica-
CONCLUSIONS AND RECOMMENDATIONS 89 tion equipment and technologies used by Reclamation and other federal, state, and local law enforcement and security organizations were not interoperable and would hinder communication among responders. Finding 10: Certain communication technologies used in rural areas are subject to failure caused by weather and related events and may not be reliable during a security-related incident. Discussion of Findings 6 Through 10 In the event of a security breach or an actual attack on a BOR facility, a response by appropriately trained and equipped security or law enforce- ment personnel is called for. With few exceptions, such as the Hoover and Grand Coulee dams, Reclamation relies on local law enforcement entities to provide that response. Such entities typically have relatively little train- ing in how to deal with security-related incidents. Given constrained resources and the varying severity of risks to its facilities, Reclamation cannot (and probably should not) maintain an on- site response force for most of its facilities. Alternative security strategies must therefore be explored and implemented. For some of its most criti- cal facilities, Reclamation should determine if the existing response force would be equipped and trained to respond to a significant security inci- dent. For those facilities where an on-site force is justified by the poten- tially severe consequences of a dam failure or other event, Reclamation should determine if that force should be composed of Reclamation staff or the staff of an outside contractor. In other cases, Reclamation should consider if it would be beneficial to collaborate with local law enforcement to provide specialized security-related training for first responders. The security-related training given to Sacramento County law enforcement officials for response at Folsom Dam is an example. The committee noted its concerns about differences in jurisdictional authorities, the dearth of command-and-control plans, unclear lines of communication, and the lack of interoperability of communications sys- tems. These are issues that should be resolved in advance of a security incident through improved planning and training. Better integration between the safety of dams program and the dam security program could result in some beneficial synergies among pro- grams and staff, the leveraging of resources, and an overall improve- ment in security-related response capabilities. As part of the safety of dams program, Reclamation has developed emergency action plans for high and significant hazard facilities. These plans are updated annu- ally. Tabletop and functional exercises are conducted regularly to prac- tice responses to a simulated safety-related incident. These written plans
90 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM could be broadened to include responses to a security-related incident. The plans should clearly define the lines of authority, roles, and respon- sibilities of the security and law enforcement entities that would respond to a security-related incident. They should also describe the mechanisms and processes for ensuring operational coordination among all involved agencies and jurisdictions. Testing of security-related responses would differ from testing dam safety in that there would not be any signs (such as seepage from a dam or torrential rains that could lead to an overtopping) warning that a dam fail- ure is imminent. The procedures for notifying local officials and the public might need to be modified. Other changes might also be warranted. Recommendation 4: Reclamation should ensure that all security and law enforcement entities that would respond to a security-related inci- dent at one of its facilities have a clear understanding of the lines of authority, roles, and responsibilities outlined in the response plan. The various security and law enforcement entities at each facility should train together to practice the actions each entity would be responsible for in a realistic scenario (Findings 6, 7, 8). Recommendation 5: Reclamation should ensure that its personnel have the appropriate equipment and skills to communicate with all other entities expected to respond to a security-related incident. It should validate the effectiveness of the communication methods through appropriate exercises and simulations and work to standardize com- munication approaches (Findings 9, 10). Finding 11: The use of standard ammunition in some parts of some Rec- lamation facilities could substantially compromise the integrity of critical equipment. It was not clear if this was common knowledge throughout SSLE or among those security and law enforcement entities that would respond to a security-related incident. Discussion of Finding 11 Discussions with selected SSLE personnel indicated that the use of standard ammunition in specific portions of facilities could substantially compromise the integrity of critical equipment. Spurred by this discus- sion, the committee also considered the role that nonlethal weapons and new technologies could play regarding forceful responses to malicious acts. A variety of weapons have been developed that can be used against suspected aggressors to impede or halt threatening actions. One such weapon is the Active Denial System, a microwave-emitting device that
CONCLUSIONS AND RECOMMENDATIONS 91 heats the skin of those targeted by it. This weapon and others like it could be used to halt the advance of persons at the helm or wheel of a suspected mobile improvised explosive device before they pose a threat that would necessitate deadly force. Another new tool permits tactical teams to use noise-flash diversionary devices to break through doors by directing the energy from the devices at the locking mechanisms of doors. The commit- tee believes that Reclamation would be wise to investigate such options as part of an overall review of its approach to dealing with potential terrorist attacks or other malicious acts. Recommendation 6: Reclamation should investigate how nonÂlethal weapons and new technologies can be used effectively during a response to a security-related incident (Finding 11). Finding 12: The committee observed design and installation flaws in sev- eral risk mitigation projects. The personnel at the relevant facilities clearly believed that such flaws could have been avoided if the SSLE staff had sought their input during the planning process, before the projects were designed and installed. Discussion of Finding 12 Inadequate preproject planning has long been recognized as one of the variables that can most negatively affect a facility project (Smith and Tucker, 1983). A critical step in preproject planning is defining project scope and planning for execution because it is at this stage that risks are analyzed, preliminary designs are formulated, critical decisions are made, and the specific project execution approach is defined (FFC, 2003). Inade quate scope definition inevitably results in the need for changes, which in turn causes rework, increases project time and cost, lowers productiv- ity, and undermines the morale of the workforce (OâConnor and Vickery, 1986). Stakeholder identification and team alignment are also critical to p  roject success. A typical preproject planning team is composed of a wide variety of functional groups with diverse priorities, requirements, and expectations, such as facilities managers and tenants, technical rep- resentatives, fire marshals, designers, and security specialists. Align- ment incorporates all of the distinct viewpoints into a uniform set of project objectives that meets the organizationâs mission and business requirements. Implementing an effective preproject planning process for Reclama- tionâs risk-mitigation projects should overcome the types of design flaws observed, avoid rework, use available resources more effectively, and
92 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM improve working relationships. SSLE should ensure that the appropri- ate stakeholders for each project and each facility are represented on the preproject planning team. Recommendation 7: Reclamation should establish an effective pre- p  roject planning process to improve the design of risk mitigation projects, avoid rework, use available resources more effectively, and improve working relationships. The SSLE should ensure that represen- tatives from the area offices and facility operators are involved early in the process when decisions are made about project scope and imple- mentation strategy (Finding 12). POLICIES AND OPERATIONAL GUIDANCE FOR KEY ASPECTS OF THE PROGRAM Finding 13: The distinction between law enforcement and security within Reclamation is not clear, and the resulting ambiguity has raised issues regarding the use of deadly force during a security-related incident. Discussion of Finding 13 P.L. 107-69 gives Reclamation law enforcement authority but does not address issues related to security or antiterrorism. Reclamation has been trying to operate its security program within the confines of P.L. 107-69, which has created issues in regard to the use of deadly force. Specifically, federal law enforcement officers and other armed personnel do not have clear guidance on how to determine when deadly force may be appropri- ate in a security-related incident. Developing such guidance, however, requires more than a Reclamation-wide policy statement. Because of the many statutes and local jurisdictions, policies on the use of deadly force will need to be developed in collaboration with individual state and local law enforcement officials so that the guidance will be legally binding. Recommendation 8: Reclamation and the SSLE should work with local law enforcement entities to expedite the development of clear, legally binding guidance on the use of deadly force. The guidance should clearly address how the defense-of-life rule might apply in specific types of security-related incidents (Finding 13). Finding 14: Reclamation has not adequately addressed threats posed by insidersâReclamation staff, facility operators, contractorsâto override physical security components and take control of dam operations.
CONCLUSIONS AND RECOMMENDATIONS 93 Discussion of Finding 14 The use of insiders by terroristsâthrough physical coercion or by collaborationâto override security components and seize operation of a facility is a serious threat. A single individual with knowledge of dam operations, such as a disgruntled employee, could also pose a serious threat. An insider could be a Reclamation or water and power authority employee or one of the many contractors who have access to some Recla- mation facilities on a daily basis. Although contractors are required to undergo the PIV process, it is not clear whether PIVs are used routinely and consistently across the five BOR regions. Reclamation managers and personnel acknowledged the threat posed by insiders. However, the committee was not convinced that the threat had been fully appreciated or that effective measures to prevent or respond to such a threat had been fully developed. Recommendation 9: Reclamation should determine if there are ways to streamline the personal identity verification process for employees and contractors while ensuring that the process remains effective in identi- fying those who may pose a threat to security. Criteria and a program for conducting periodic security reviews for key Reclamation personnel should also be developed (Finding 14). Finding 15: Reclamation-wide guidance on site access procedures for contractors and on safeguarding plans and drawings for construction projects has not been issued. In the absence of such guidance, some area offices have developed their own procedures. Discussion of Finding 15 With numerous ongoing construction projects, plans and drawings for Reclamation facilities and projects are used by staff and contractors daily. The Reclamation Manual does not include guidance on the safeguarding of plans or limitations on the number of copies in circulation. The report Managing Construction and Infrastructure in the 21st Century Bureau of Reclamation said that âconsistently implementing Reclamationâs mission will require clear statements of policy and definitions of authority and standards (NRC, 2006, p. 97). It recommended that âpolicies, proce- dures, and standards should be developed centrally and implemented locallyâ (NRC, 2006, p. 98). These statements also apply to Reclamationâs security program. In some cases, such as personnel security clearances, Reclamation can adapt government-wide guidance (HSPD-12) to its specific situation. In other
94 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM cases, Reclamation may have to look to other federal agencies with similar programs. Where SSLE has drafted policy guidance and standards, that guidance should be vetted with the area and regional offices and modi- fied as needed, so that approval can be sought from Reclamationâs senior management as soon as possible. Policy guidance should always have some flexibility that allows for its adaptation to local situations. Recommendation 10: Reclamation and the SSLE should move expedi- tiously to develop policies for site access for contractors and for the safeguarding of project plans and drawings. Policies should be for- mulated in close collaboration with area and regional managers and should be flexible enough to distinguish among different situations (Finding 15). Finding 16: The objectives and operating procedures for law enforcement are different from those for security. The legislation giving Reclamation law enforcement authority does not address issues of antiterrorism or security, nor does it permit Reclamation to directly hire its own law enforcement personnel. Discussion of Finding 16 The committee is not in a position to recommend specific changes to the authorizing legislation. However, several areas of Reclamationâs security program should be reviewed to determine if the authorizing legislation needs to be changed. Currently, it is not within Reclamationâs authority or responsibility to warn the public directly or to evacuate them in the event of an impending dam failure. The premise is that if a dam is in danger of failing owing to torrential rains, a design flaw, or other safety-related cause, there will be sufficient time to notify local authorities and to evacuate people before downstream flooding occurs. This operating procedure does not take into account a dam failure caused by a malicious act in which there may be little or no advance warning of downstream flooding. The committee believes this is an area that should be reviewed to determine if the current procedures remain appropriate in a security-related incident or if legisla- tive or other changes are needed. The committee recommends that Reclamation should first work with local entities and others to develop legally binding policies on the use of deadly force. Reclamation should also identify security-related issues that arise through its inability to directly hire law enforcement personnel. If Reclamation identifies gaps in its authority that constrain an effective response to a security-related incident, it may be necessary to go to Con-
CONCLUSIONS AND RECOMMENDATIONS 95 gress to request authorizing legislation that is a better fit with Reclama- tionâs mission, its operations, and its culture. Recommendation 11: Reclamationâs senior executives and security man- agers should identify the gaps in their authority for creating an effec- tive security program and, if necessary, seek authorizing legislation that will allow implementation of a more robust program (Finding 16). A COLLABORATIVE OPERATING ENVIRONMENT Finding 17: With its largely decentralized organizational structure and heavy reliance on partnerships and contractors, Reclamation is funda- mentally dependent on collaboration within and among organizations to achieve its mission. Imposing a centralized security program on a culture that is accustomed to distributed program management and  authority has resulted in tensions and ineffective working relationships between the SSLE staff in Denver and the staff of regional and area offices. Finding 18: Sound working relationships are based on effective communi- cations and trust. Managerial actions and the behavior of SSLEâs Denver- based staff have in some cases created distrust among the regional and area office staff that is damaging to internal working relationships and that limits the effectiveness of the security program. Discussion of Findings 17 and 18 The 2006 NRC report Managing Construction and Infrastructure in the 21st Century Bureau of Reclamation states as follows: A major factor in achieving the desired balance between decentralized and centralized authority and responsibility is the quality and quantity of communicationâparticularly face-to-face communication. A lot can be achieved if managers at the area, regional, and headquarters levels know and trust each other. This trust is the product of consistent and open lines of communication. Without good communication, suspicions will grow and the organization will not function well. . . . Reclamation . . . needs to plan and budget for frequent meetings to exchange ideas on manage- ment and technical issues. (NRC, 2006, p. 38) This statement applies equally to Reclamationâs security program, which is managed centrally but is highly dependent on the field offices to identify potential threats and to prevent, deter, and mitigate them. Ten- sion between the SSLE and the field offices is, in part, a function of the organizational structure and the relative newness of the security program.
96 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM Until security is embedded into Reclamationâs culture, the program will operate as a bolted-on function. Communication and trust are also a function of managerial behavior. When SSLE staff bypass regional and area offices to talk directly with local law enforcement or Reclamation stakeholders, fail to seek input on risk mitigation projects from the area offices and facility operators, or so restrict the flow of security-related information that it affects the ability of the field personnel to do their jobs, they signal their lack of trust and respect. The outcome is resentment on the part of the field personnel and poor working relationships that hinder the effectiveness of the security program. Recommendation 12: SSLE managers should recognize and respect the importance that regional and area staff attach to their working rela- tionships with their operators, contractors, and local law enforcement personnel. SSLE should work through the regional directors and area office managers when developing risk-mitigation projects and other activities that require the input of local law enforcement personnel, operators, and other stakeholders. SSLE should also intensify its efforts to communicate the goals, methods, priorities, and budget constraints of the security program through face-to-face meetings with regional and area office managers. To be effective, communication should routinely be two way (Findings 17, 18). Finding 19: An inflexible commitment to the need-to-know doctrine inhibits the sharing of intelligence-based information among SSLE staff in Denver, the regional special agents, and the area office personnel who might be in the best position to deter some threats and who would be the first responders to an incident. Discussion on Finding 19 The rationale for restricting the dissemination of classified information is clear. However, much information on suspicious activities or incidents is not classified but âsensitive,â a more ambiguous category. Reports on incidents or the activities of suspect individuals or representatives of sus- pect groups often are not passed on to managers of neighboring facilities because the material is deemed to be sensitive. This lack of communica- tion and overly restrictive information sharing frustrates conscientious, responsible operating officials, who feel they are not being given informa- tion that would allow them to meet their security-related responsibilities effectively. The holding back of information by the LEA also undercuts the authority and credibility of the RSAs and makes it unnecessarily difficult
CONCLUSIONS AND RECOMMENDATIONS 97 for them to build trust and good working relationships with Reclamation field personnel and local officials. The committee recognizes that the LEA is constrained in exactly how much intelligence-based information may be transmitted and to whom. It is not clear, however, whether the LEA has conveyed to the field offices what those constraints might be. Two-way conversations with field per- sonnel by means of conference calls or face-to-face meetings about the goals, methods, constraints, and priorities of the security program could begin to build trust and improve working relationships. Improved work- ing relationships would improve the effectiveness of the security program and help to embed security into Reclamationâs culture. Recommendation 13: SSLE staff should endeavor to find ways to Âbetter inform senior managers and field personnel about potential threats to facilities based on security-related intelligence. They should also communicate the constraints under which they operate, especially the restrictions on dissemination of intelligence-based information (Find- ing 19). Finding 20: Field personnel and others who have reported potentially valuable information about suspicious activities to the SSLE in Denver only rarely receive feedback on how or if the information was used. As a consequence, some field personnel view security-related communication as a one-way street and are reluctant to report on information about suspi- cious activities since their effort appears to have no effect. Discussion of Finding 20 The committee repeatedly heard that operations personnel who have reported information of potential intelligence value to an RSA or the LEA seem only rarely to be told if the information was useful. Because they receive no feedback, some quietly admit that they no longer bother to report information about suspicious activities. This reluctance to report information because there is so rarely any feedback could result in the failure to recognize a threat to Reclamation facilities in time to take pre- ventive actions. Recommendation 14: When security-related information is collected at the local level and forwarded to the Denver office, the SSLE should provide feedback on the disposition of that information. It should at least acknowledge receipt of the information and encourage continued reporting of suspicious activities (Finding 20).
98 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM Finding 21: Although the SSLEâs Denver-based staff may have the technical skills to carry out their job responsibilities, they have not in general  displayed the communication, negotiation, and team-building skills needed for the sound working relationships that are critical to Reclamation. Discussion of Finding 21 Immediately after the 9/11 attacks, as Reclamation was creating the SSLE, positions were primarily filled by transferring people, some of whom may not have had much security-related experience, from else- where in Reclamation and the DOI. In the years since, Reclamation has made an effort to recruit personnel with backgrounds in security and law enforcement and to upgrade the organizationâs overall security-related knowledge, skills, and abilities. Because Reclamation relies on good working relationships with inter- nal staff and outside partners for effective operations, SSLE staff in par- ticular need good communication, negotiation, and team-building skills. Training in these skills for current staff could help to improve internal and external working relationships and the overall effectiveness of the secu- rity program. When recruiting new personnel, special emphasis should be given to these types of skills in job descriptions and during the interview process. Recommendation 15: Reclamation should provide the SSLE staff with additional training in communication, negotiation, and team-building skills (Finding 21). SENIOR MANAGEMENT SUPPORT AND COMMITMENT Finding 22: Creating an effective security program and a culture of secu- rity requires the dedicated support and commitment of Reclamationâs managers at all levels of the organization. Currently, such support and commitment are uneven. Some managers clearly understand the link between Reclamationâs mission and security, and they are spearheading efforts to implement effective security procedures and programs. Others regard security as an unwelcome intrusion into other activities and resent the redirection of resources from other activities to security. Finding 23: Building commitment and support for the security program is primarily the responsibility of Reclamationâs senior executivesâthe com- missioner, deputy commissioners, and regional directors and the director and program managers of the SSLE Office.
CONCLUSIONS AND RECOMMENDATIONS 99 Discussion of Findings 22 and 23 To develop a culture of security, every employee, contractor, and stakeholder affiliated with Reclamation should be involved in security in some capacity. All employees and those contractors who work at BOR facilities should be aware of and educated about Reclamationâs security policies and procedures. Contractors, operators, and other stakeÂholders, including suppliers (hydroelectric, irrigation, and water districts), should have an understanding of BOR security as it affects their roles and responsibilities. Reclamationâs commissioner, deputy commissioners, and regional directors and the SSLE director and program managers are responsible for leading change within the organization and leading people to achieve the organizationâs mission. Development of a security program and a culture of security represents a significant change within Reclamation. The link between security and achievement of Reclamationâs mission must be consistently communicated from the top of the organization if security is to be fully supported at the field level. The dynamic nature of security-related threats must also be addressed to guard against com- placency. Reclamationâs facility operators, contractors, and stakeholders must understand that implementation of physical improvements and the hiring of site security guards is not the endgame but the beginning of a continuous process. Recommendation 16: Reclamationâs senior executives and SSLE person- nel should clearly communicate the critical link between security and Reclamationâs mission. Management must guard against sending the wrong signals to field personnel: that terrorism âcanât happen here [in rural America]â; that field personnel and operators no longer need to be vigilant; or that threats no longer exist because some steps have been taken to improve the security of facilities (Findings 22, 23). ADEQUATE RESOURCES Finding 24: The resourcesânumber of staff, expertise, fundingâÂcurrently available for Reclamationâs security program are not sufficient to operate and sustain an effective program. Finding 25: Folsom Dam requires special consideration within the national critical infrastructure classification owing to the magnitude of the potential consequences of a security-related failure. The level of resources required for effective security is greater at Folsom than elsewhere.
100 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM Discussion of Findings 24 and 25 An effective security program must have enough people possess- ing the necessary competencies to carry out assigned tasks and must be adequately funded. Reclamation is attempting to protect 450 facilities dis- tributed across 17 states with fewer than 50 full-time-equivalent positions, supplemented by service contractors who provide intelligence analysis and site security. The program has primarily been funded by redirecting resources from other programs, including safety of dams and facilities maintenance, to security. Although a majority of the available resources has so far been focused on the NCI facilities, including Folsom Dam, additional resources may be needed for these facilities, especially Folsom, in the coming years. For its other critical facilities, Reclamation has a backlog of risk-mitigation projects that have not been implemented, partly owing to a shortage of resources for designing and installing them. In addition, only three full- scale exercises have been conducted, again owing to resource limitations. Additional training for SSLE staff in communication, negotiation, and other behavioral skills is required to develop the sound working relation- ships that are fundamental to Reclamationâs activities. Reclamationâs overall budget has been decreasing at the same time as demands for funding facilities operations and maintenance and security requirements have been increasing. The committee is not in a position to recommend specific staff or budget increases, nor would it be appropri- ate to do so. However, in the committeeâs opinion, trying to implement a wide range of programs and meet increasing demands with decreasing resources will result in less effective programs and undesirable outcomes. The consequences of a security-related failure of a critical dam under Reclamationâs stewardship and the associated costs would outweigh the costs incurred to prevent such a failure. Recommendation 17: High-level attention should be given to deter- mining how to provide additional resources to support a more robust security program without compromising other activities that are critical to Reclamationâs mission (Findings 24, 25). Finding 26: Security improvements benefit the public at large and are not limited to a specific set of stakeholders. Reclamationâs proposal to make some security-related costs fully reimbursable creates tension with its stakeholders. The safety of dams program, in which reimbursable project costs are split between Reclamation and its stakeholders, may serve as a model for developing criteria, a process, and a cost-sharing percentage for reimbursing the costs of some security-related operations and main- tenance activities.
CONCLUSIONS AND RECOMMENDATIONS 101 Discussion of Finding 26 To supplement security-related funding and reduce pressures on other programs, Reclamation has sought to make some security-related activi- ties, especially site security guards, fully reimbursable and thereby shift the funding responsibility to water and power authorities and other ben- eficiaries. According to the SSLE, Reclamation currently devotes between $20 million and $21 million to security guard costs. This initiative has become contentious for Reclamation and its stake- holders. Although designating projects that benefit a specific set of stake- holders as reimbursable is a well-established and accepted procedure within Reclamation and with its stakeholders, security projects also ben- efit the general public. It is therefore not unreasonable for water and power authorities or other stakeholders to object to fully funding activi- ties that also benefit others. Some stakeholders are reluctant to provide the necessary funding, while others may simply lack the funds. Others may not agree with BORâs risk assessments or the measures needed to correct security deficiencies. Some of this controversy might be eliminated if the same cost-sharing mechanism used for some operations and maintenance costs related to dam safety could be applied to dam security costsâthat is, 85 percent federal funds and 15 percent stakeholder funds. Recommendation 18: Where stakeholder reimbursements are sought for security-related operations and maintenance activities, the ratio that is used for the safety of dams programâ85 percent federal funding and 15 percent stakeholder fundingâshould be considered as the starting point (Finding 26). PERFORMANCE MEASUREMENT Finding 27: Reclamation has developed some performance measures for evaluating the risk mitigation component of its site security program. Additional measures are needed to evaluate processes related to deter- rence of and response to security-related incidents. Discussion of Finding 27 Performance measures help organizations to identify where their objectives are not being met or where they are being exceeded. Managers can then investigate the reasons for this and make appropriate adjust- ments. Ultimately, an effective performance measurement system should inform decisions about the allocation of resources within an organization. Although it can be difficult to develop effective security-related perfor-
102 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM mance measures, some measures have been developed and are being used by Reclamation and other federal organizations. Recommendation 19: Reclamation should establish a set of performance measures for its security program elements to encourage continual improvement. Where appropriate, it should use measures developed by other federal programs that are active in law enforcement and intelli- gence gathering. Performance outcomes should be measurable, achiev- able, and consistent (Finding 27). A METHOD FOR DISSEMINATING LESSONS LEARNED Finding 28: Lessons-learned processes can be useful for sharing experi- ence-based information in an organization and for continually improving organizational processes, knowledge, and standards. Sources of lessons learned include after-action reports from training exercises, other forms of simulation, and other organizations. Finding 29: Reclamationâs security program does not appear to have a formal lessons-learned program in place. Where after-action reports f  ollowed major exercises, they were not disseminated to all the regions or the area offices that could have benefited from knowing the exercise results. Discussion of Findings 28 and 29 A report of the Government Accountability Office stated that use of lessons learned is a key component of an organizational culture com- mitted to continuous improvement (GAO, 2002). Lessons-learned mech- anisms communicate acquired knowledge effectively and ensure that beneficial information is factored into planning, work processes, and activities. They are a powerful way to share good ideas for improving work processes, facility or equipment design, and operation, quality, safety, and cost-effectiveness. The after-action reports produced for Reclamationâs training exer- cises are one source of lessons learned. For future exercises, Reclamation should consider using the template for after-action reporting provided in the HSEEP. Recommendation 20: In the short term, SSLE should distribute after- action reports to the appropriate staff at all area and regional offices to leverage the knowledge gained from training exercises. The field staff should ensure that the documents are kept secure. In the longer
CONCLUSIONS AND RECOMMENDATIONS 103 term, Reclamation should develop a process and a database for captur- ing and disseminating lessons learned by looking to other organiza- tions and agencies that have successful lessons-learned approaches (Findings 28, 29). A VISION AND A LONG-TERM PLAN Finding 30: Among their other objectives, organizational mission and vision statements, plans, and goals are meant to inspire and motivate employees and stakeholders. Typically, they are driven by an organi- zationâs senior executives and reflect their priorities and values. Infra structure security does not appear explicitly in Reclamationâs mission and vision statements, plans, or goals. The failure to mention it conveys the idea that infrastructure security does not have the support and commit- ment of senior management, nor has it been given priority. Finding 31: Reclamation does not appear to have a plan for a security program that is robust, mature, and sustainable. When asked about their goals for the security program, senior managers focused on tactical issues. Strategic issues, such as how security is to be embedded in Reclamationâs culture and how regional security coordination is to be improved, were not mentioned. Discussion of Findings 30 and 31 Mission and vision statements, plans, and goals are all important because among other things they are meant to inspire and motivate employees and stakeholders. An organizationâs vision and its strategic goals typically are communicated from senior executives to managers and line staff. Security is not explicitly addressed in Reclamationâs mission statement, its vision statement, its plan for implementing the vision, or its overarching goals. If security were a well-established program embedded in Reclamationâs culture, the lack of an explicit reference to it might not be significant. However, because security is a relatively new program, the failure to mention it in the organizationâs key statements about its mission and goals signals that it is not a priority at Reclamation and conveys a lack of support for it and commitment to it on the part of senior management. In the short term, Reclamation should consider addressing security in its vision and strategic goals statements, by linking secure facilities to the achievement of its mission. If Reclamation is to develop a security program that is mature, robust, and sustainable, one of its highest priorities should be to develop a long-range plan. The vision statement for the security program should
104 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM e  xplicitly state what it is designed to accomplish in relation to Reclama- tionâs mission. For example, it might emphasize the physical assurance of Reclamationâs facilities in the face of security threats, predicated on a culture of preparedness. If Reclamation moves toward integrating the dam safety and security programs, physical assurance would be an objec- tive of an all-hazards approach. Once a vision statement for the security program has been formu- lated, additional strategic goals and objectives can be set to provide a framework for addressing policy, program, and resource issues and for creating a culture of security that is as strong as Reclamationâs culture of safety. Recommendation 21: Where appropriate, Reclamationâs leadership should emphasize in its policy statements the link between security and the achievement of Reclamationâs mission. A plan for sustaining an effective security program should be developed. Such a plan should include a vision, goals, and objectives, and strategies for accomplishing them (Findings 30 and 31). REFERENCES Federal Facilities Council (FFC). 2003. Starting Smart: Key Practices for Developing Scopes of Work for Facility Projects. Washington, D.C.: The National Academies Press. Government Accountability Office (GAO). 2002. Using Strategic Human Capital Management to Drive Transformational Change. Washington, D.C.: GAO. National Research Council (NRC). 2006. Managing Construction and Infrastructure in the 21st Century Bureau of Reclamation. Washington, D.C.: The National Academies Press. OâConnor, J., and C. Vickroy. 1986. Control of Construction Project Scope. Source Document 6. Austin, Tex: Construction Industry Institute. Smith, M., and R. Tucker. 1983. An Assessment of the Potential Problems Occurring in the Engi- neering Phase of an Industrial Project. Report to Texaco, Inc. Austin, Tex.: Analysis, Inc.
