The federal civilian entities GAO selected-the Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA), the General Services Administration (GSA), the Department of Justice's United States Marshals Service (USMS), the Smithsonian Institution (Smithsonian), and the Social Security Administration (SSA)-have implemented a range of enhancements to improve physical security. The Interagency Security Committee (ISC), which is chaired by DHS and has representation from across federal civilian entities, has a risk management standard that federal executive branch entities are to follow, where ISC specifies enhancements entities should implement to effectively minimize risk and meet baseline levels of protection. The ISC has identified six general categories of enhancements: interior security, facility structure, security systems, facility entrance, site improvements, and operations and administration. Enhancements can include, among other things, security systems, contract guard forces, and blast resistant windows. The five federal entities paid for security enhancements using a range of methods such as: paying for enhancements as part of their rent to GSA; paying fees to security organizations to install or operate security screening services; and paying for enhancements during renovation projects. Entities reported having limited ability to track facility security expenditures, particularly when these costs were: (1) funded partially by another entity; (2) were part of rent costs and not separately identified; or (3) were not a separate line-item for entities' funding. GAO's work at these entities showed that several factors drive security costs. For example, site and facility-related factors-such as geographic location, age and size of the facility, and historical designation-drive these costs. Also, implementing security enhancements in new construction projects generally costs less compared to renovations. Officials from the selected entities said they have used a range of practices to manage costs, such as researching and selecting the least costly vendors, considering costs in relation to risk when deciding on enhancements, and developing some performance measures. ISC's risk management standard states that federal entities should use a cost analysis methodology that considers all costs and should establish a comprehensive performance measurement and testing program to, among other things, help allocate resources. These aspects of the standard represent a rigorous approach to determining cost effectiveness and measuring performance in the security environment; however, the ISC does not provide detailed guidance or specify methodologies federal entities could use for implementation. In fact, the selected entities have had difficulty implementing these parts of the standard to the degree specified by ISC, noting that further guidance would be beneficial. ISC is well positioned to provide entities with such guidance. Implementing these parts of the standard could better able federal entities to assess the cost effectiveness of their security investments.