The Department of State (State) has established policies related to transportation security for overseas U.S. personnel, but gaps exist in guidance and monitoring. GAO reviewed 26 posts and found that all 26 had issued transportation security and travel notification policies. However, policies at 22 of the 26 posts lacked elements required by State, due in part to fragmented implementation guidance on what such policies should include. State also lacks a clear armored vehicle policy for overseas posts and procedures for monitoring if posts are assessing their armored vehicle needs at least annually as required by State. These gaps limit State’s ability to ensure that posts develop clear policies that are consistent with State’s requirements and that vehicle needs for secure transit are met.

While State provides several types of training related to overseas transportation security, weaknesses exist in post-specific refresher training. Regional security officers (RSO) receive required training related to transportation security in special agent courses, and nonsecurity staff reported receiving relevant training before departing for posts—including on topics such as defensive driving and the importance of taking personal responsibility for one’s security—as well as new arrival briefings at posts. At most of the 9 posts GAO visited, however, staff had difficulty remembering key details covered in new arrival briefings or described the one-time briefings as inadequate. State’s requirements for providing refresher briefings are unclear, potentially putting staff at greater risk.

State.gov Emails

We should note that family members who do not work for our embassies and consulates do not have state.gov emails. And by the way, they are the ones  who are driving around in their host countries — from homes to schools, to groceries, to playdates, etc — in their private vehicles with diplomatic plates. Excerpt from the GAO report:

RSOs at the nine posts we visited told us they communicated transportation-related threat information to post personnel through various methods, such as post-issued radios, personal and official e-mail, text messages to work and personal mobile phones, and phone trees. However, we learned of instances at four of the nine posts in which personnel did not receive important threat information in a timely manner.  For instance, at one of the posts we visited, the RSO sent a security notice restricting travel along a specific road and warning that recent violent protests in the area had resulted in injuries and even death, but because the notice was sent exclusively to state.gov e-mail addresses, some non-State personnel at the post did not receive it at the e-mail address they regularly used and were unaware of the restriction. The personnel subsequently traveled through the restricted area, resulting in an embassy vehicle being attacked with rocks while on unauthorized travel through the area. While no one was hurt, the vehicle’s front windshield was smashed. The RSO told us that to avoid similar situations in the future, he would add the personnel’s regularly used e-mail addresses to his distribution list for security notices. At another post, focus group participants stated that they did not receive any information from the RSO or other post officials about the security-related closure of a U.S. consulate in the same country and instead learned about the closure from media sources. Participants in focus groups at two other posts stated that threat information is often either obsolete by the time they receive it or may not reach staff in time for them to avoid the potential threats.

Personnel at more than half of the nine posts we visited cited difficulty using travel notification systems or were unaware or unsure of their post’s travel notification requirements. While three of the nine posts we visited permit personnel to use e-mail or other means to inform the RSO of their travel plans, the remaining six posts require personnel to complete an official travel notification form that is only accessible through a State information system called OpenNet. However, according to officials responsible for managing State’s information resources, including OpenNet, not all post personnel have OpenNet accounts. Specifically, all State personnel at overseas posts have OpenNet accounts, but some non-State agencies, such as the U.S. Agency for International Development, typically only have a limited number of OpenNet account holders at each post; some smaller agencies, such as the Peace Corps, usually have none. One focus group participant from a non-State agency told us that because she does not have an OpenNet account, her ability to submit travel notifications as required depends on whether or not she is able to find one of the few individuals at the post from her agency that does have an OpenNet account. Similarly, the travel notification policy for another post requires that post personnel use an OpenNet-based travel notification system even though the policy explicitly acknowledges that not all post personnel have OpenNet accounts.

The FAH establishes a minimum requirement for the number of armored vehicles at each post. The FAH also states that post Emergency Action Committees (EAC) must meet at least annually to discuss post armored vehicle programs and requirements.21 According to the FAM, it is important that EACs provide information on posts’ armored vehicle requirements to ensure there is sufficient time to budget for the costs of such vehicles, including the extra costs associated with armoring them.22

We found that DS may not be meeting the first of these FAH requirements, and EACs are not meeting the second requirement at every post. With respect to the first requirement, DS officials initially explained that under the FAH, every embassy and consulate is required to have a certain number of armored vehicles, but we found that not every consulate met this requirement as of May 2016. These potential deficiencies exist in part because DS has not instituted effective monitoring procedures to ensure that every embassy or consulate is in compliance with the FAH’s armored vehicle policy.

1. Create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.
2. Create more comprehensive guidance for DS reviewers to use when evaluating posts’ transportation security and travel notification policies. For example, the checklist DS reviewers currently use could be modified to stipulate that reviewers should check all security directives for DS-required elements recommended by the February 2005 Iraq ARB. The checklist could also provide guidance on how to take the presence or absence of these required elements into account when assigning a score to a given policy.
3. Clarify whether or not the FAH’s armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.
4. Develop monitoring procedures to ensure that all posts comply with the FAH’s armored vehicle policy for overseas posts once the policy is clarified.

5. Implement a mechanism, in coordination with other relevant State offices, to ensure that EACs discuss their posts’ armored vehicle needs at least once each year.
6. Clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.
7. Improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.
8. Take steps, in coordination with other relevant State offices and non- State agencies as appropriate, to make travel notification systems easily accessible to post personnel who are required to submit such notifications, including both State and non-State personnel.

Nevertheless, participants in 10 of our 13 focus groups either had difficulty recalling certain security policies and requirements or described their security briefings as inadequate. Participants noted that this was, in part, because it can be challenging to remember the content of new arrival security briefings while they are simultaneously managing the process of moving and adjusting to a new post and because of the one-time nature of new arrival briefings. DS headquarters officials stated that most violations of post travel policies are due to personnel forgetting the information conveyed in the new arrival briefings.