United States Government Accountability Office GAO Testimony Before the Subcommittee on Coast Guard and Maritime Transportation, Committee on Transportation and Infrastructure, House of Representatives MARITIME SECURITY For Release on Delivery Expected at 9:30 a.m. EST Tuesday, September 11, 2012 Progress and Challenges 10 Years after the Maritime Transportation Security Act Statement of Stephen L. Caldwell, Director Homeland Security and Justice GAO-12-1009T September 11, 2012 MARITIME SECURITY Progress and Challenges 10 Years After the Maritime Transportation Security Act Highlights of GAO-12-1009T, a testimony for the Subcommittee on Coast Guard and Maritime Transportation, Committee on Transportation and Infrastructure, House of Representatives Why GAO Did This Study What GAO Found Ports, waterways, and vessels handle GAO’s work has shown that the Department of Homeland Security (DHS), billions of dollars in cargo annually and through its component agencies, particularly the Coast Guard and U.S. Customs an attack on this maritime and Border Protection (CBP), have made substantial progress in implementing transportation system could impact the various programs that, collectively, have improved maritime security. In general, global economy. November 2012 GAO’s work on maritime security programs falls under four areas: (1) security marks the 10-year anniversary of planning, (2) port facility and vessel security, (3) maritime domain awareness and MTSA, which required a wide range of information sharing, and (4) international supply chain security. DHS has, among security improvements. DHS is the other things, developed various maritime security programs and strategies and lead federal department responsible for has implemented and exercised security plans. For example, the Coast Guard implementing MTSA and it relies on its has developed Area Maritime Security Plans around the country to identify and component agencies, such as the coordinate Coast Guard procedures related to prevention, protection, and Coast Guard and CBP, to help security response at domestic ports. In addition, to enhance the security of U.S. implement the act. The Coast Guard is ports, the Coast Guard has implemented programs to conduct annual inspections responsible for U.S. maritime security of port facilities. To enhance the security of vessels, both CBP and the Coast interests and CBP is responsible for Guard receive and screen advance information on commercial vessels and their screening arriving vessel crew and cargo. This testimony summarizes crews before they arrive at U.S. ports and prepare risk assessments based on GAO’s work on implementation of this information. Further, DHS and its component agencies have increased MTSA requirements over the last maritime domain awareness and have taken steps to better share information by decade and addresses (1) progress improving risk management and implementing a vessel tracking system, among the federal government has made in other things. For example, in July 2011, CBP developed the Small Vessel improving maritime security and (2) Reporting System to better track small boats arriving from foreign locations and key challenges that DHS and its deployed this system to eight field locations. DHS and its component agencies component agencies have have also taken actions to improve international supply chain security, including encountered in implementing maritime developing new technologies to detect contraband, implementing programs to security-related programs. GAO was inspect U.S.-bound cargo at foreign ports, and establishing partnerships with the unable to identify all related federal trade industry community and foreign governments. spending, but estimated funding for certain programs. For example, from Although DHS and its components have made substantial progress, they have 2004 through May 2012, CBP obligated encountered challenges in implementing initiatives and programs to enhance over $390 million to fund its program to maritime security since the enactment of the Maritime Security Transportation partner with companies to review the Act (MTSA) in 2002 in the areas of: (1) program management and security of their supply chains. This implementation; (2) partnerships and collaboration; (3) resources, funding, and statement is based on GAO products sustainability; and (4) performance measures. For example, CBP designed and issued from August 2002 through July implemented an initiative that placed CBP staff at foreign seaports to work with 2012, as well as updates on the status host nation customs officials to identify high-risk, U.S.-bound container cargo, but of recommendations made and budget CBP initially did not have a strategic or workforce plan to guide its efforts. data obtained in August 2012. Further, the Coast Guard faced collaboration challenges when developing and implementing its information management system for enhancing information What GAO Recommends sharing with key federal, state, and local law enforcement agencies because it GAO has made recommendations to did not systematically solicit input from these stakeholders. Budget and funding DHS in prior reports and testimonies to decisions have also affected the implementation of maritime security programs. strengthen its maritime security For example, Coast Guard data indicate that some of its units are not able to programs. DHS generally concurred meet self-imposed standards related to certain security activities—including and has implemented or is in the boarding and escorting vessels. In addition, DHS has experienced challenges in process of implementing them. developing effective performance measures for assessing the progress of its View GAO-12-1009T. For more information, maritime security programs. For example, the Coast Guard developed a contact Stephen L. Caldwell at (202) 512-9610 performance measure to assess its performance in reducing maritime risk, but or firstname.lastname@example.org. has faced challenges using this measure to inform decisions. United States Government Accountability Office Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss the Department of Homeland Security’s (DHS) and other agencies’ implementation of the Maritime Transportation Security Act of 2002 (MTSA). 1 Ports, waterways, and vessels handle billions of dollars in cargo annually, and an attack on our nation’s maritime transportation system could have dire consequences. Ports are inherently vulnerable to terrorist attacks because of their size, general proximity to metropolitan areas, the volume of cargo being processed, and the ready access the ports have to transportation links into the United States. An attack on a port could have a widespread impact on international trade and the global economy. Balancing security concerns with the need to facilitate the free flow of people and commerce remains an ongoing challenge for the public and private sectors alike. November 2012 will mark the 10th anniversary of the enactment of MTSA, which requires a wide range of security improvements designed to help protect the nation’s ports, waterways, and coastal areas from terrorist attacks by requiring a wide range of security improvements. Prior to the terrorist attacks of September 11, 2001, federal attention at ports tended to focus on navigation and safety issues, such as dredging channels and environmental protection. DHS is the lead federal agency responsible for implementing MTSA requirements and it relies on a number of its component agencies that have responsibilities related to maritime security, as follows. 2 • U.S. Coast Guard: The Coast Guard has primary responsibility for ensuring the safety and security of U.S. maritime interests and leading homeland security efforts in the maritime domain. In this capacity, among other things, the Coast Guard conducts port facility and commercial vessel inspections, leads the coordination of maritime 1 Pub. L. No. 107-295, 116 Stat. 2064. 2 Immigration and Customs Enforcement (ICE) also contributes to maritime security in that its mission is to detect and prevent terrorist and criminal acts by targeting the people, money, and materials that support terrorist and criminal networks. In this capacity, ICE contributes to DHS border security efforts, including in the maritime environment, even though its main focus is not on interdicting or screening operations. Page 1 GAO-12-1009T information sharing efforts, and promotes domain awareness in the maritime environment. 3 • U.S. Customs and Border Protection (CBP): CBP is responsible for the screening of incoming vessels’ crew and maritime cargo for the presence of contraband, such as weapons of mass destruction, illicit drugs, or explosives, while facilitating the flow of legitimate trade and passengers. • Transportation Security Administration (TSA): TSA has responsibility for managing the Transportation Worker Identification Credential program, which is designed to control the access of maritime workers to regulated maritime facilities in the United States. 4 • Domestic Nuclear Detection Office (DNDO): DNDO is responsible for acquiring and supporting the deployment of radiation detection equipment, including radiation portal monitors at domestic seaports to support the scanning of cargo containers before they enter U.S. commerce. • Federal Emergency Management Agency (FEMA): FEMA is responsible for administering grants to improve the security of the nation’s highest risk port areas. It is important to note that some of these agencies were made responsible for implementing MTSA requirements in the midst of the most extensive federal reorganization in over 50 years, as most were reorganized into DHS in March 2003, when DHS began operating—less than 5 months after MTSA enactment. This reorganization introduced new chains of command and reporting responsibilities. MTSA implementation also involved coordination with other executive branch agencies, including the Departments of Justice, State, and Transportation. 3 Maritime domain awareness is the understanding by stakeholders involved in maritime security of anything associated with the global maritime environment that could adversely affect the security, safety, economy or environment of the United States. 4 The Coast Guard is responsible for enforcement of the Transportation Worker Identification Credential program. Page 2 GAO-12-1009T In 2006, the Security and Accountability For Every Port Act of 2006 (SAFE Port Act) became law. 5 The act amended MTSA and required DHS to develop, implement, and update, as appropriate, a strategic plan to enhance the security of the international supply chain—the flow of goods from manufacturers to retailers. 6 Further, the SAFE Port Act required DHS to establish pilot projects at three ports to test the feasibility of scanning 100 percent of U.S.-bound cargo containers at foreign ports. 7 My statement today summarizes our work on maritime security since the enactment of MTSA and is focused on • progress the federal government has made in improving maritime security, and • key challenges that DHS and its component agencies have encountered in implementing maritime security-related programs. We were unable to identify all federal spending for these purposes, but were able to estimate obligations or expenditures for certain programs. For example, we were not able to determine obligations for many of the MTSA-related Coast Guard programs—such as port security exercises— because they are funded at the account level (i.e., operating expenses) rather than as specific line items. However, we were able to estimate obligations or expenditures in some instances. For example, from fiscal years 2004 through May 2012, CBP obligated over $390 million for a voluntary program that enables CBP officials to work in partnership with private companies to review and validate companies’ practices for securing their international supply chains. 5 Pub. L. No. 109-347, 120 Stat. 1884. 6 The SAFE Port Act required DHS to report to Congress on this strategic plan by July 2007, with an update of the strategic plan to be submitted to Congress 3 years later. See 6 U.S.C. § 941(a), (g). 7 6 U.S.C. § 981. Related to this SAFE Port Act requirement, in August 2007, the Implementing Recommendations of the 9/11 Commission Act of 2007 was enacted, which required, among other things, that by July 2012, 100 percent of all U.S.-bound cargo containers be scanned at foreign ports, with possible extensions for ports at which certain conditions exist. See Pub. L. No. 110-53, § 1701(a), 121 Stat. 266, 489-90 (amending 6 U.S.C. § 982(b)). Such extensions have been granted, as explained later in this statement. Page 3 GAO-12-1009T In addition to the statement, appendix I summarizes select programs and activities that have been implemented since November 2002 to address maritime security and the associated expenditures, where information was available. The appendix also includes key findings from our work regarding these programs and activities in the last 10 years, as well as the progress that DHS and its component agencies have made in responding to our recommendations. This statement is based primarily on reports and testimonies we have issued from August 2002 through July 2012 related to maritime, port, vessel, and cargo security efforts of the federal government, and other related aspects of implementing MTSA requirements. The statement also includes selected updates—conducted in August 2012—to the information provided in these previously-issued products on the actions DHS and its component agencies have taken to address recommendations made in these products. Where available, we have also included information on the funding for key maritime security related programs through May 2012. This additional information can be seen in appendix I. We conducted the work in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. To perform the work, we visited domestic and overseas ports; reviewed agency program documents, port security plans, and postexercise reports, and other documents; and interviewed officials from the federal, state, local, private, and international sectors, among other things. The officials were from a wide variety of stakeholders to include the Coast Guard, CBP, TSA, port authorities, terminal operators, vessel operators, foreign governments, and international trade organizations. Further details on the scope and methodology for the previously issued reports and testimonies are available within each of the published products. Our work has shown that DHS and its component agencies—particularly DHS Has Made the Coast Guard and CBP—have made substantial progress in Substantial Progress implementing various programs that, collectively, have improved maritime security. In general, our maritime security-related work has addressed in Improving Maritime four areas: (1) national and port-level security planning, (2) port facility Security and vessel security, (3) maritime domain awareness and information Page 4 GAO-12-1009T sharing, and (4) international supply chain security. Detailed examples of progress in each of these four areas are discussed below. National and Port-Level The federal government has made progress in national and port-level Security Planning security planning by, for example, developing various maritime security strategies and plans, and conducting exercises to test these plans. • Developing national-level security strategies: The federal government has made progress developing national maritime security plans. For example, the President and the Secretaries of Homeland Security, Defense, and State approved the National Strategy for Maritime Security and its supporting plans in 2005. The strategy has eight supporting plans that are intended to address the specific threats and challenges of the maritime environment, such as maritime commerce security. We reported in June 2008 that these plans were generally well developed and, collectively, included desirable characteristics, such as (1) purpose, scope, and methodology; (2) problem definition and risk assessment; (3) organizational roles, responsibilities, and coordination; and (4) integration and implementation. Including these characteristics in the strategy and its supporting plans can help the federal government enhance maritime security. 8 For example, better problem definition and risk assessment provide greater latitude to responsible parties for developing approaches that are tailored to the needs of their specific regions or sectors. In addition, in April 2008 DHS released its Small Vessel Security Strategy, which identified the gravest risk scenarios involving the use of small vessels for launching terrorist attacks, as well as specific goals where efforts can achieve the greatest risk reduction across the maritime domain. 9 • Developing port-level security plans: The Coast Guard has developed Area Maritime Security Plans (AMSP) around the country to enhance the security of domestic ports. AMSPs, which are developed by the Coast Guard with input from applicable governmental and private entities, serve as the primary means to 8 GAO, Maritime Security: National Strategy and Supporting Plans Were Generally Well- Developed and Are Being Implemented, GAO-08-672 (Washington, D.C.: June 20, 2008). 9 Department of Homeland Security, Small Vessel Security Strategy (Washington, D.C., April 2008). Page 5 GAO-12-1009T identify and coordinate Coast Guard procedures related to prevention, protection, and security response. Implementing regulations for MTSA specified that these plans include, among other things, (1) operational and physical security measures that can be intensified if security threats warrant it; (2) procedures for responding to security threats, including provisions for maintaining operations at domestic ports; and (3) procedures to facilitate the recovery of the maritime transportation system after a security incident. 10 We reported in October 2007 that to assist domestic ports in implementing the AMSPs, the Coast Guard provided a common template that specified the responsibilities of port stakeholders. 11 Further, the Coast Guard has established Area Maritime Security Committees—forums that involve federal and nonfederal officials who identify and address risks in a port—to, among other things, provide advice to the Coast Guard for developing the associated AMSPs. These plans provide a framework for communication and coordination among port stakeholders and law enforcement officials and identify and reduce vulnerabilities to security threats throughout the port area. • Exercising security plans: DHS has taken a number of steps to exercise its security plans. The Coast Guard and the Area Maritime Security Committee are required to conduct or participate in exercises to test the effectiveness of AMSPs at least once each calendar year, with no more than 18 months between exercises. 12 These exercises are designed to continually improve preparedness by validating information and procedures in the AMSPs, identifying strengths and weaknesses, and practicing command and control within an incident command/unified command framework. To aid in this effort, the Coast Guard initiated the Area Maritime Security Training and Exercise Program in October 2005. This program is designed to involve all port stakeholders in the implementation of the AMSPs. Our prior work has shown that the Coast Guard has exercised these plans and that, since development of the AMSPs, all Area Maritime Security Committees have participated in a port security exercise. 13 Lessons learned from 10 33 C.F.R. § 103.505. 11 GAO, Maritime Security: The SAFE Port Act and Efforts to Secure Our Nation’s Seaports, GAO-08-86T (Washington, D.C.: Oct. 4, 2007). 12 33 C.F.R. § 103.515. 13 GAO. Maritime Security: The SAFE Port Act: Status and Implementation One Year Later, GAO-08-126T (Washington, D.C.: Oct. 30, 2006). Page 6 GAO-12-1009T the exercises are incorporated into plans, which Coast Guard officials said lead to planning process improvements and better plans. Port Facility and Vessel In addition to developing security plans, DHS has taken a number of Security actions to identify and address the risks to port facilities and vessels by conducting facility inspections and screening and boarding vessels, among other things. • Requiring facility security plans and conducting inspections: To enhance the security of port facilities, the Coast Guard has implemented programs to require port facility security plans and to conduct annual inspections of the facilities. Owners and operators of certain maritime facilities are required to conduct assessments of security vulnerabilities, develop security plans to mitigate these vulnerabilities, and implement measures called for in their security plans. Coast Guard guidance calls for at least one announced and one unannounced inspection each year to ensure that security plans are being followed. We reported in February 2008, on the basis of these inspections, the Coast Guard had identified and corrected port facility deficiencies. For example, the Coast Guard identified deficiencies in about one-third of the port facilities inspected from 2004 through 2006, with deficiencies concentrated in certain categories, such as failing to follow facility security plans for port access control. 14 In addition to inspecting port facilities, the Coast Guard also conducts inspections at offshore facilities, such as oil rigs. Requiring the development of these security plans and inspecting facilities to correct deficiencies helps the Coast Guard mitigate vulnerabilities that could be exploited by those with the intent to kill people, cause environmental damage, or disrupt transportation systems and the economy. • Issuing facility access cards: DHS and its component agencies have made less progress in controlling access to secure areas of port facilities and vessels. To control access to these areas, DHS was required by MTSA to, among other things, issue a transportation worker identification credential that uses biometrics, such as 14 GAO, Maritime Security: Coast Guard Inspections Identify and Correct Facility Deficiencies, but More Analysis Needed of Program’s Staffing, Practices, and Data, GAO-08-12 (Washington, D.C.: Feb. 14, 2008). Page 7 GAO-12-1009T fingerprints. 15 TSA had already initiated a program to create an identification credential that could be used by workers in all modes of transportation when MTSA was enacted. This program, called the Transportation Worker Identification Credential (TWIC) program, is designed to collect personal and biometric information to validate workers’ identities and to conduct background checks on transportation workers to ensure they do not pose a threat to security. We reported in November 2009 that TSA, the Coast Guard, and the maritime industry took a number of steps to enroll 1,121,461 workers in the TWIC program, or over 93 percent of the estimated 1.2 million potential users, by the April 15, 2009, national compliance deadline. 16 However, as discussed later in this statement, internal control weaknesses governing the enrollment, background check process, and use of these credentials potentially limit the program’s ability to provide reasonable assurance that access to secure areas of MTSA- regulated facilities is restricted to qualified individuals. • Administering the Port Security Grant Program: DHS has taken steps to improve the security of port facilities by administering the Port Security Grant Program. To help defray some of the costs of implementing security at ports around the United States, this program was established in January 2002 when TSA was appropriated $93.3 million to award grants to critical national seaports. 17 MTSA codified the program when it was enacted in November 2002. 18 The Port Security Grant Program awards funds to states, localities, and private port operators to strengthen the nation’s ports against risks associated with potential terrorist attacks. We reported in November 2011 that, for fiscal years 2010 and 2011, allocations of these funds were based on DHS’s risk model and implementation decisions, and were made largely in accordance with risk. For example, we found 15 46 U.S.C. § 70105. 16 GAO, Transportation Worker Identification Credential: Progress Made in Enrolling Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009). 17 Pub. L. No. 107-117, 115 Stat. 2230, 2327 (2002). 18 46 U.S.C. § 70107. Page 8 GAO-12-1009T that allocations of funds to port areas were highly positively correlated to port risk, as calculated by DHS’s risk model. 19 • Reviewing vessel plans and conducting inspections: To enhance vessel security, the Coast Guard has taken steps to help vessel owners and operators develop security plans and the Coast Guard regularly inspects these vessels for compliance with the plans. MTSA requires certain vessel owners and operators to develop security plans, and the Coast Guard is to approve these plans. 20 Vessel security plans are to designate security officers; include information on procedures for establishing and maintaining physical security, passenger and cargo security, and personnel security; describe training and drills, and identify the availability of appropriate security measures necessary to deter transportation security incidents, among other things. The Coast Guard took several steps to help vessel owners and operators understand and comply with these requirements. In particular, the Coast Guard (1) issued updated guidance and established a “help desk” to provide stakeholders with a single point of contact, both through the Internet and over the telephone; (2) hired contractors to provide expertise in reviewing vessel security plans; and (3) conducts regular inspections of vessels. For example, we reported in December 2010 that, according to Coast Guard officials, the Coast Guard is to inspect ferries four times per year. The annual security inspection, which may be combined with a safety inspection and typically occurs when the ferry is out of service, and the quarterly inspections, which are shorter in duration, and generally take place while the ferry remains in service. During calendar years 2006 through 2009, the most recent years for which we have data, the Coast Guard reports that it conducted over 1,500 ferry inspections. 21 These security plan reviews and inspections have enhanced vessel security. • Conducting vessel crew screenings: To enhance the security of port facilities, both CBP and the Coast Guard receive and screen advance information on commercial vessels and their crew before 19 GAO, Port Security Grant Program: Risk Model, Grant Management, and Effectiveness Measures Could Be Strengthened, GAO-12-47 (Washington, D.C.: Nov. 17, 2011). 20 46 U.S.C. § 70103(c) 21 GAO, Maritime Security: Ferry Security Measures Have Been Implemented, but Existing Studies Could Further Enhance Security, GAO-11-207 (Washington, D.C.: Dec. 3, 2010). Page 9 GAO-12-1009T they arrive at U.S. ports and assess risks based on this information. Among the risk factors considered in assessing each vessel and crew member are whether the vessel operator has had past instances of invalid or incorrect crew manifest lists, whether the vessel has a history of seafarers unlawfully landing in the United States, or whether the vessel is making its first arrival at a U.S. seaport within the past year. The Coast Guard may also conduct armed security boardings of arriving commercial vessels based on various factors, including the intelligence it received to examine crew passports and visas, among other things, to ensure the submitted crew lists are accurate. • Conducting vessel escorts and boardings: The Coast Guard escorts and boards certain vessels to help ensure their security. The Coast Guard escorts a certain percentage of high capacity passenger vessels—cruise ships, ferries, and excursion vessels—to protect against an external threat, such as a waterborne improvised explosive device. The Coast Guard has provided escorts for cruise ships to help prevent waterside attacks and has also provided a security presence on passenger ferries during their transit. Further, the Coast Guard has conducted energy commodity tanker security activities, such as security boardings, escorts, and patrols. Such actions enhance the security of these vessels. Maritime Domain DHS has worked with its component agencies to increase maritime Awareness and domain awareness and taken steps to (1) conduct risk assessments, (2) Information Sharing establish area security committees, (3) implement a vessel tracking system, and (4) better share information with other law enforcement agencies through interagency operations centers. • Conducting risk assessments: Recognizing the shortcomings of its existing risk-based models, in 2005 the Coast Guard developed and implemented the Maritime Security Risk Assessment Model (MSRAM) to better assess risks in the maritime domain. We reported in November 2011 that MSRAM provides the Coast Guard with a standardized way of assessing risk to maritime infrastructure, such as chemical facilities, oil refineries, and ferry and cruise ship terminals, among others. Coast Guard units throughout the country use this Page 10 GAO-12-1009T model to improve maritime domain awareness and better assess security risks to key maritime infrastructure. 22 • Establishing Area Maritime Security Committees: To facilitate information sharing with port partners and in response to MTSA, 23 the Coast Guard has established Area Maritime Security Committees. These committees are typically composed of members from federal, state, and local law enforcement agencies; maritime industry and labor organizations; and other port stakeholders that may be affected by security policies. An Area Maritime Security Committee is responsible for, among other things, identifying critical infrastructure and operations, identifying risks, and providing advice to the Coast Guard for developing the associated AMSP. These committees provide a structure that improves information sharing among port stakeholders. • Developing vessel tracking systems: The Coast Guard relies on a diverse array of systems operated by various entities to track vessels and provide maritime domain awareness. For tracking vessels at sea, the Coast Guard uses a long-range identification and tracking system and a commercially provided long-range automatic identification system. 24 For tracking vessels in U.S. coastal areas, inland waterways, and ports, the Coast Guard operates a land-based automatic identification system and also obtains information from radar and cameras in some ports. In addition, in July 2011, CBP developed the Small Vessel Reporting System to better track small boats arriving from foreign locations and deployed this system to eight field locations. Among other things, this system is to allow CBP to 22 GAO, Coast Guard: Security Risk Model Meets DHS Criteria, but More Training Could Enhance Its Use for Managing Programs and Operations, GAO-12-14 (Washington, D.C.: Nov. 17, 2011). 23 46 U.S.C. § 70112(a)(2). 24 The International Maritime Organization is the international body responsible for improving maritime safety. The organization primarily regulates maritime safety and security through the International Convention for the Safety of Life at Sea, 1974. In 2006, amendments to this treaty were adopted that mandated the creation of an international long-range identification and tracking system that, in general, requires the International Maritime Organization member state vessels on international voyages to transmit certain information; the creation of data centers that will, among other roles, receive long-range identification and tracking system information from the vessels; and an information exchange network, centered on an international data exchange for receiving and transmitting long-range identification and tracking information to authorized nations. Page 11 GAO-12-1009T identify potential high-risk small boats to better determine which need to be boarded. • Establishing interagency operations centers: DHS and its component agencies have made limited progress in establishing interagency operations centers. The Coast Guard—in coordination with other federal, state, and local law enforcement agencies (port partners)—is working to establish interagency operations centers at its sectors throughout the country. These interagency operations centers are designed to, among other things, improve maritime domain awareness and the sharing of information among port partners. In October 2007, we reported that the Coast Guard was piloting various aspects of future interagency operations centers at its 35 existing command centers and working with multiple interagency partners to further their development. 25 We further reported in February 2012 that DHS had also begun to support efforts to increase port partner participation and further interagency operations center implementation, such as facilitating the review of an interagency operations center management directive. 26 However, as discussed later in this statement, despite the DHS assistance, the Coast Guard has experienced coordination challenges that have limited implementation of interagency operations centers. International Supply Chain DHS and its component agencies have implemented a number of Security programs and activities intended to improve the security of the international supply chain, including: enhancing cargo screening and inspections, deploying new cargo screening technologies to better detect contraband, implementing programs to inspect U.S.-bound cargo at foreign ports, partnering with the trade industry, and engaging with international partners. • Enhancing cargo screening and inspections: DHS has implemented several programs to enhance the screening of cargo containers in advance of their arrival in the United States. In particular, DHS developed a system for screening incoming cargo, called the Automated Targeting System. The Automated Targeting 25 GAO-08-126T. 26 GAO, Maritime Security: Coast Guard Needs to Improve Use and Management of Interagency Operations Centers, GAO-12-202 (Washington, D.C.: Feb. 13, 2012). Page 12 GAO-12-1009T System is a computerized system that assesses information on each cargo shipment that is to arrive in the United States to assign a risk score. CBP officers then use this risk score, along with other information, such as the shipment’s contents, to determine which shipments to examine. In February 2003, CBP began enforcing new regulations about cargo manifests—called the 24 hour rule—that requires the submission of complete and accurate manifest information 24 hours before a container is loaded onto a U.S.-bound vessel at a foreign port. To enhance CBP’s ability to target high-risk shipments, the SAFE Port Act required CBP to collect additional information related to the movement of cargo to better identify high- risk cargo for inspection. 27 In response to this requirement, in 2009, CBP implemented the Importer Security Filing and Additional Carrier Requirements, collectively known as the 10+2 rule. 28 The cargo information required by the 10+2 rule comprises 10 data elements from importers, such as country of origin, and 2 data elements from vessel carriers, such as the position of each container transported on a vessel (or stow plan), that are to be provided to CBP in advance of arrival of a shipment at a U.S. port. These additional data elements can enhance maritime security. For example, during our review of CBP’s supply chain security efforts in 2010, CBP officials stated that access to vessel stow plans has enhanced their ability to identify containers that are not correctly listed on manifests that could potentially pose a security risk in that no information is known about their origin or contents. 29 • Deploying technologies: DHS technological improvements have been focused on developing and deploying equipment to scan cargo containers for nuclear materials and other contraband to better secure the supply chain. Specifically, to detect nuclear materials, CBP, in coordination with DNDO, has deployed over 1,400 radiation portal 27 See 6 U.S.C. § 943(b). 28 Importer Security Filing and Additional Carrier Requirements, 73 Fed. Reg. 71,730 (Nov. 25, 2008) (codified at 19 C.F.R. pts. 4, 12, 18, 101, 103, 113, 122, 123, 141, 143, 149, 178, & 192). 29 GAO, Supply Chain Security: CBP Has Made Progress in Assisting the Trade Industry in Implementing the New Importer Security Filing Requirements, but Some Challenges Remain, GAO-10-841 (Washington, D.C.: Sept. 10, 2010). Page 13 GAO-12-1009T monitors at U.S. ports of entry. 30 Most of the radiation portal monitors are installed in primary inspection lanes through which nearly all traffic and shipping containers must pass. These monitors alarm when they detect radiation coming from a package, vehicle, or shipping container. CBP then conducts further inspections at its secondary inspection locations to identify the cause of the alarm and determine whether there is a reason for concern. • Establishing the Container Security Initiative: CBP has enhanced the security of U.S.-bound cargo containers through its Container Security Initiative (CSI). CBP launched CSI in January 2002 and the initiative involves partnerships between CBP and foreign customs agencies in select countries to allow for the targeting and examination of U.S.-bound cargo containers before they reach U.S. ports. As part of this initiative, CBP officers use intelligence and automated risk assessment information to identify those U.S.-bound cargo shipments at risk of containing weapons of mass destruction or other terrorist contraband. We reported in January 2008 that through CSI, CBP has placed staff at 58 foreign seaports that, collectively, account for about 86 percent of the container shipments to the United States. 31 According to CBP officials, the overseas presence of CBP officials has led to more effective information sharing between CBP and host government officials regarding targeting of U.S.-bound shipments. • Partnering with the trade industry: CBP efforts to improve supply chain security include partnering with members of the trade industry. In an effort to strike a balance between the need to secure the international supply chain while also facilitating the flow of legitimate commerce, CBP developed and administers the Customs-Trade Partnership Against Terrorism program. The program is voluntary and enables CBP officials to work in partnership with private companies to review the security of their international supply chains and improve the security of their shipments to the United States. For example, participating companies develop security measures and agree to allow CBP to verify, among other things, that their security measures 30 Radiation portal monitors are large stationary detectors through which cargo containers and trucks pass as they enter the United States. 31 GAO, Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed, GAO-08-187 (Washington, D.C.: Jan. 25, 2008). Page 14 GAO-12-1009T (1) meet or exceed CBP’s minimum security requirements and (2) are actually in place and effective. In return for their participation, members receive benefits, such as a reduced number of inspections or shorter wait times for their cargo shipments. CBP initiated the Customs-Trade Partnership Against Terrorism program in November 2001, and as of November 2010, the most recent date for which we had data, CBP had awarded initial certification—or acceptance of the company’s agreement to voluntarily participate in the program 32—to over 10,000 companies. 33 During the course of a company’s membership, CBP security specialists observe and validate the company’s security practices. Thus, CBP is in a position to identify security changes and improvements that could enhance supply chain security. • Achieving mutual recognition arrangements: CBP has actively engaged with international partners to define and achieve mutual recognition of customs security practices. For example, in June 2007, CBP signed a mutual recognition arrangement with New Zealand— the first such arrangement in the world—to recognize each other’s customs-to-business partnership programs, such as CBP’s Customs- Trade Partnership Against Terrorism. As of July 2012, CBP had signed six mutual recognition arrangements. 34 • Implementing the International Port Security Program: Pursuant to MTSA, the Coast Guard implemented the International Port Security Program in April 2004. 35 Under this program, the Coast Guard and host nations jointly review the security measures in place at host nations’ ports to compare their practices against established security standards, such as the International Maritime Organization’s 32 Acceptance occurs after a review of the company’s security profile and compliance with customs laws and regulations. 33 Aside from maritime container shippers, members include many top air carriers and freight forwarders. 34 CBP has signed mutual recognition arrangements with Canada, the European Union, Japan, Jordan, Korea, and New Zealand. 35 46 U.S.C. § 70108. Page 15 GAO-12-1009T International Ship and Port Facility Security Code. 36 Coast Guard teams have been established to conduct country visits, discuss security measures implemented, and collect and share best practices to help ensure a comprehensive and consistent approach to maritime security at ports worldwide. 37 If a country is not in compliance, vessels from that country may be subject to delays before being allowed into the United States. According to Coast Guard documentation, the Coast Guard has visited almost all of the countries that have vessel traffic between them and the United States and attempts to visit countries at least annually to maintain a cooperative relationship. DHS and its component agencies have encountered a number of Challenges Have challenges in implementing programs and activities to enhance maritime Hindered security since the enactment of MTSA in 2002. In general, these challenges are related to (1) program management and implementation; Implementation of (2) partnerships and collaboration; (3) resources, funding, and Maritime Security sustainability; and (4) performance measures. Many of our testimonies Programs and reports in the last 10 years have cited these challenges and appendix I summarizes some of the key findings from those products. Examples of challenges in each of these four areas are detailed below. Program Management and DHS and its component agencies have faced program management and Implementation implementation challenges in developing MTSA-related security programs, including a lack of adequate planning and internal controls, as well as problems with acquisition programs. • Lack of planning: Given the urgency to take steps to protect the country against terrorism after the September 11, 2001 attacks, some of the actions taken by DHS and its component agencies used an 36 The International Port Security Program (ISPS) uses the ISPS Code as the benchmark by which it measures the effectiveness of a country’s antiterrorism measures in a port. The code was developed after the September 11, 2001 attacks and established measures to enhance the security of ships and port facilities with a standardized and consistent security framework. The ISPS Code requires facilities to conduct an assessment to identify threats and vulnerabilities and then develop security plans based on the assessment. The requirements of this code are performance-based; therefore compliance can be achieved through a variety of security measures. 37 Subsequently, in October 2006, the SAFE Port Act required the Coast Guard to reassess security measures at such foreign ports at least once every 3 years. Pub. L. No. 109-347, § 234, 120 Stat. 1884, 1918-19. Page 16 GAO-12-1009T “implement and amend” approach, which has negatively affected the management of some programs. For example, CBP quickly designed and rolled out CSI in January 2002. However, as we reported in July 2003, CBP initially did not have a strategic plan or workforce plan for this security program, which are essential to long-term success and accountability. 38 As a result, CBP subsequently had to take actions to address these risks by, for example, developing CSI goals. The Customs-Trade Partnership Against Terrorism program experienced similar problems. For example, when the program was first implemented, CBP lacked a human capital plan. CBP has taken steps to address C-TPAT management and staffing challenges, including implementing a human capital plan. • Lack of adequate internal controls: Several maritime security programs implemented by DHS and its component agencies did not have adequate internal controls. For example, we reported in May 2011 that internal controls over the TWIC program were not designed to provide reasonable assurance that only qualified applicants could acquire the credentials. During covert tests at several selected ports, our investigators were successful in accessing ports using counterfeit credentials and authentic credentials acquired through fraudulent means. 39 As a result of our findings, DHS is in the process of assessing internal controls to identify needed corrective actions. In another example, we found that the Coast Guard did not have procedures in place to ensure that its field units conducted security inspections of offshore energy facilities annually in accordance with its guidance. 40 In response to this finding, the Coast Guard has taken steps to update its inspections database to ensure inspections of offshore facilities are completed. • Inadequate acquisitions management: DHS has also experienced challenges managing some of its acquisition programs. As discussed earlier, CBP coordinated with DNDO to deploy radiation detection 38 GAO, Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors, GAO-03-770 (Washington, D.C.: July 25, 2003). 39 GAO, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington, D.C.: May 10, 2011). 40 GAO, Maritime Security: Coast Guard Should Conduct Required Inspections of Offshore Energy Infrastructure, GAO-12-37 (Washington, D.C.: Oct. 28, 2011). Page 17 GAO-12-1009T monitors at U.S. ports of entry. However, we reported in June 2009 that DHS’s cost analysis of one type of device—the advanced spectroscopic portal radiation detection monitors—did not provide a sound analytical basis for DHS’s decision to deploy the devices. 41 DNDO officials stated that they planned to update the cost-benefit analysis; however, after spending more than $200 million on the program, DHS announced, in February 2010, that it was scaling back its plans for development and use of the devices, and subsequently announced, in July 2011, that it was ending the program. DNDO was also involved in developing more advanced nonintrusive inspection equipment—the cargo advanced automated radiography system—in order to better detect nuclear materials that might be heavily shielded. In September 2010 we reported that DNDO was engaged in the research and development phase while simultaneously planning for the acquisition phase and pursued the acquisition and deployment of the radiography machines without fully understanding that the machines would not fit within existing inspection lanes at CBP ports of entry because it had not sufficiently coordinated the operating requirements with CBP. 42 DHS spent $113 million on the program and ended up canceling the acquisition and deployment phase of the program in 2007. Partnerships and DHS has improved how it collaborates with maritime security partners, Collaboration but challenges in this area remain that stem from issues such as the launch of programs without adequate stakeholder coordination and problems inherent in working with a wide variety of stakeholders. • Lack of port partner coordination: The Coast Guard experienced coordination challenges in developing its information-management and sharing system, called WatchKeeper, which is designed to enhance information sharing with law enforcement agencies and other partners. In particular, we found in February 2012 that the Coast Guard did not systematically solicit input from key federal, state, and local law enforcement agencies that are its port partners at the interagency operations centers, and that port partner involvement in 41 GAO, Combating Nuclear Smuggling: Lessons Learned from DHS Testing of Advanced Radiation Detection Portal Monitors, GAO-09-804T (Washington, D.C.: June 25, 2009). 42 GAO, Combating Nuclear Smuggling: Inadequate Communication and Oversight Hampered DHS Efforts to Develop an Advanced Radiography System to Detect Nuclear Materials, GAO-10-1041T (Washington D.C.: Sept. 15, 2010). Page 18 GAO-12-1009T the development of WatchKeeper requirements and the interagency operations center concept was primarily limited to CBP. 43 As a result, this lack of port partner input has jeopardized such centers from meeting their intended purpose of improving information sharing and enhancing maritime domain awareness. We reported that the Coast Guard had begun to better coordinate with its port partners to solicit their input on WatchKeeper requirements, but noted that the Coast Guard still faced challenges in getting other port partners to use WatchKeeper as an information sharing tool. We further found that DHS did not initially assist the Coast Guard in encouraging other DHS components to use WatchKeeper to enhance information sharing. However, DHS had increased its involvement in the program so we did not make any recommendations relative to this issue. We did, however, recommend that the Coast Guard implement a more systematic process to solicit and incorporate port partner input to WatchKeeper and the Coast Guard has begun to take actions to address this recommendation. We believe, though, that it is too soon to tell if such efforts will be successful in ensuring that the interagency operations centers serve as more than Coast Guard–centric command and control centers. • Challenges in coordinating with multiple levels of stakeholders: One example of challenges that DHS and its component agencies have faced with state, local, and tribal stakeholders concerns Coast Guard planning for Arctic operations. The Coast Guard’s success in implementing an Arctic plan rests in part on how successfully it communicates with key stakeholders—including the more than 200 Alaska native tribal governments and interest groups—but we found in September 2010 that the Coast Guard did not initially share plans with them. 44 Coast Guard officials told us that they had been focused on communication with congressional and federal stakeholders and intended to share Arctic plans with other stakeholders once plans were determined. DHS agrees that it needs to communicate with additional stakeholders and has taken steps to do so. 43 GAO, Maritime Security: Coast Guard Needs to Improve Use and Management of Interagency Operations Centers, GAO-12-202 (Washington, D.C.: Feb. 13, 2012). 44 GAO, Coast Guard: Efforts to Identify Arctic Requirements Are Ongoing, but More Communication about Agency Planning Efforts Would Be Beneficial, GAO-10-870 (Washington, D.C.: Sept. 15, 2010). Page 19 GAO-12-1009T • Difficulties in coordinating with other federal agencies: DHS has at times experienced challenges coordinating with other federal agencies to enhance maritime security. For example, we reported in September 2010 that federal agencies, including DHS, had collaborated with international and industry partners to counter piracy, but they had not implemented some key practices for enhancing and sustaining collaboration. 45 Somali pirates have attacked hundreds of ships and taken thousands of hostages since 2007. As Somalia lacks a functioning government and is unable to repress piracy in its waters, the National Security Council—the President’s principal arm for coordinating national security policy among government agencies— developed the interagency Countering Piracy off the Horn of Africa: Partnership and Action Plan (Action Plan) in December 2008 to prevent, disrupt, and prosecute piracy off the Horn of Africa in collaboration with international and industry partners. According to U.S. and international stakeholders, the U.S. government has shared information with partners for military coordination. However, agencies have made less progress on several key efforts that involve multiple agencies—such as those to address piracy through strategic communications, disrupt pirate finances, and hold pirates accountable—in part because the Action Plan does not designate which agencies should lead or carry out 13 of the 14 tasks. We recommended that the National Security Council bolster interagency collaboration and the U.S. contribution to counterpiracy efforts by clarifying agency roles and responsibilities and encouraging the agencies to develop joint guidance to implement their efforts. In March 2011, a National Security Staff official stated that an interagency policy review will examine roles and responsibilities and implementation actions to focus U.S. efforts for the next several years. • Difficulties in coordinating with private sector stakeholders: In some cases progress has been hindered because of difficulties in coordination with private sector stakeholders. For example, CBP program officials reported in 2010 that having access to Passenger Name Record data for cruise line passengers—such as a passenger’s full itinerary, reservation booking date, phone number, and billing information—could offer security benefits similar to those derived from screening airline passengers. However, CBP does not require this 45 GAO, Maritime Security: Actions Needed to Assess and Update Plan and Enhance Collaboration among Partners Involved in Countering Piracy off the Horn of Africa, GAO-10-856 (Washington, D.C.: Sept. 24, 2010). Page 20 GAO-12-1009T information from all cruise lines on a systematic basis because CBP officials stated that they would need further knowledge about the cruise lines’ connectivity capabilities to estimate the cost to both CBP and the cruise lines to obtain such passenger data. In April 2010, we recommended that CBP conduct a study to determine whether requiring cruise lines to provide automated Passenger Name Record data to CBP on a systematic basis would benefit homeland security. 46 In July 2011, CBP reported that it had conducted site surveys at three ports of entry to assess the advantage of having cruise line booking data considered in a national targeting process, and had initial discussions with a cruise line association on the feasibility of CBP gaining national access to cruise line booking data. • Limitations in working with international stakeholders: DHS and its component agencies face inherent challenges and limitations working with international partners because of sovereignty issues. For example, we reported in July 2010 that sovereignty concerns have limited the Coast Guard’s ability to assess the security of foreign ports. In particular, reluctance by some countries to allow the Coast Guard to visit their ports because of concerns over sovereignty was a challenge cited by Coast Guard officials who were trying to complete port visits under the International Port Security Program. 47 According to the Coast Guard officials, before permitting Coast Guard officials to visit their ports, some countries insisted on visiting and assessing a sample of U.S ports. Similarly, we reported in April 2005 that CBP had developed a staffing model for CSI to determine staffing needs at foreign ports to implement the program, but was unable to fully staff some ports because of the need for host government permission, among other diplomatic and practical considerations. 48 Resources, Funding, and Economic constraints, such as declining revenues and increased security Sustainability costs, have required DHS to make choices about how to allocate its 46 GAO, Maritime Security: Varied Actions Taken to Enhance Cruise Ship Security, but Some Concerns Remain, GAO-10-400 (Washington, D.C.: Apr. 9, 2010). 47 GAO, Maritime Security: DHS Progress and Challenges in Key Areas of Port Security, GAO-10-940T (Washington, D.C.: July 21, 2010). 48 GAO, Container Security: A Flexible Staffing Model and Minimum Equipment Requirements Would Improve Overseas Targeting and Inspection Efforts, GAO-05-557 (Washington, D.C.: Apr. 26, 2005). Page 21 GAO-12-1009T resources to most effectively address human capital issues and sustain the programs and activities it has implemented to enhance maritime security. • Human capital shortfalls: Human capital issues continue to pose a challenge to maritime security. For example, we reported in November 2011 that Coast Guard officials from 21 of its 35 sectors (60 percent) told us that limited staff time posed a challenge to incorporating MSRAM into strategic, operational, and tactical planning efforts. 49 Similarly, Coast Guard officials responsible for conducting maritime facility inspections in 4 of the 7 sectors we visited to support our 2008 report on inspections said meeting all mission requirements for which they were responsible was or could be a challenge because of more stringent inspection requirements and a lack of inspectors, among other things. Officials in another sector said available staffing could adequately cover only part of the sector’s area of responsibility. 50 • Budget and funding constraints: Budget and funding decisions also affect the implementation of maritime security programs. For example, within the constrained fiscal environment that the federal government is operating, the Coast Guard has had to prioritize its activities and Coast Guard data indicate that some units are not able to meet self- imposed standards related to certain security activities—including boarding and escorting vessels. We reported in October 2007 that this prioritization of activities had also led to a decrease in resources the Coast Guard had available to provide technical assistance to foreign countries to improve their port security. 51 To overcome this, Coast Guard officials have worked with other agencies, such as the Departments of Defense and State, and international organizations, such as the Organization of American States, to secure funding for training and assistance. Further, in the fiscal year 2013 budget, the Coast Guard will have less funding to sustain current assets needed for security missions so that more funds will be available for its top priority—long-term recapitalization of vessels. 49 GAO-12-14. 50 GAO-08-12. 51 GAO-08-126T. Page 22 GAO-12-1009T Performance Measures Another challenge that DHS and its component agencies have faced in implementing maritime security-related programs has been the lack of adequate performance measures. In particular, DHS has not always implemented standard practices in performance management. 52 These practices include, among other things, collecting reliable and accurate data, using data to support missions, and developing outcome measures. • Lack of reliable and accurate data: DHS and its component agencies have experienced challenges collecting complete, accurate, and reliable data. For example, in January 2011 we reported that both CBP and the Coast Guard tracked the frequency of illegal seafarer incidents at U.S. seaports, but the records of these incidents varied considerably among the two component agencies and between the agencies’ field and headquarters units. 53 As a result, the data DHS used to inform its strategic and tactical plans were of undetermined reliability. 54 We recommended that CBP and the Coast Guard determine why their data varied and jointly establish a process for sharing and reconciling records of illegal seafarer entries at U.S. seaports. DHS concurred and has made progress in addressing the recommendation. Another example of a lack of reliable or accurate data pertains to the Maritime Information for Safety & Law Enforcement database (MISLE). The MISLE database is the Coast Guard’s primary data system for documenting facility inspections and other activities, but flaws in this database have limited the Coast Guard’s ability to accurately assess these activities. For example, during the course of our 2011 review of security inspections of offshore energy infrastructure, we found inconsistencies in how offshore facility inspection results and other data were recorded in MISLE. 55 In July 2011, and partly in response to our review, the Coast 52 The standard practices discussed in this statement can be found in GAO, Executive Guide: Effectively Implementing the Government Performance and Results Act, GAO- GGD-96-118 (Washington D.C.: June 1996). 53 Illegal seafarers include both absconders (a seafarer CBP has ordered detained on board a vessel in port, but who departs a vessel without permission) and deserters (a seafarer CBP grants permission to leave a vessel, but who does not return when required). 54 GAO, Maritime Security: Federal Agencies Have Taken Actions to Address Risks Posed by Seafarers, but Efforts Can Be Strengthened, GAO-11-195 (Washington D.C.: Jan. 14, 2011). 55 GAO, Maritime Security: Coast Guard Should Conduct Required Inspections of Offshore Energy Infrastructure, GAO-12-37 (Washington D.C.: Oct. 28, 2011). Page 23 GAO-12-1009T Guard issued new MISLE guidance on documenting the annual security inspections of offshore facilities in MISLE and distributed this guidance to all relevant field units. While this action should improve accountability, the updated guidance does not address all of the limitations we noted with the MISLE database. • Not using data to manage programs: DHS and its component agencies have not always had or used performance information to manage their missions. For example, work we completed in 2008 showed that Coast Guard officials used MISLE to review the results of inspectors’ data entries for individual maritime facilities, but the officials did not use the data to evaluate the facility inspection program overall. 56 We found that a more thorough evaluation of the facility compliance program could provide information on, for example, the variations we identified between Coast Guard units in oversight approaches, the advantages and disadvantages of each approach, and whether some approaches work better than others. • Lack of outcome-based performance measures: DHS and its component agencies have also experienced difficulties developing and using performance measures that focus on outcomes. Outcome- based performance measures describe the intended result of carrying out a program or activity. For example, although CBP had performance measures in place for its Customs-Trade Partnership Against Terrorism program, these measures focused on program participation and facilitating trade and travel and not on improving supply chain security, which is the program’s purpose. We recommended in July 2003, March 2005, and April 2008 that CBP develop outcome-based performance measures for this program. 57 In response to our recommendations, CBP has identified measures to quantify actions required and to gauge Customs-Trade Partnership Against Terrorism’s impact on supply chain security. The Coast Guard has faced similar issues with developing and using outcome-based performance measures. For example, we reported in November 2011 that the Coast Guard developed a measure to report its performance 56 GAO-08-12. 57 See GAO-03-770, Cargo Security, Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of Improved Security, GAO-05-404 (Washington, D.C.: Mar. 11, 2005); and Supply Chain Security: U.S. Customs and Border Protection Has Enhanced Its Partnership with Import Trade Sectors, but Challenges Remain in Verifying Security Practices, GAO-08-240 (Washington, D.C.: Apr. 25, 2008). Page 24 GAO-12-1009T in reducing maritime risk, but faced challenges using this measure to inform decisions. 58 The Coast Guard has improved the measure to make it more valid and reliable and believes it is a useful proxy measure of performance, but notes that developing outcome-based performance measures is challenging because of limited historical data on maritime terrorist attacks. Given the uncertainties in estimating risk reduction, though, it is unclear if the measure will provide meaningful performance information with which to track progress over time. Similarly, FEMA has experienced difficulties developing outcome-based performance measures. For example, in November 2011 we reported that FEMA was developing performance measures to assess its administration of the Port Security Grant Program, but had not implemented measures to assess the program’s grant effectiveness. 59 FEMA has taken initial steps to develop measures to assess the effectiveness of its grant programs, but it does not have a plan and related milestones for implementing measures specifically for the Port Security Grant Program. Without such performance measures it could be difficult for FEMA to effectively manage the process of assessing whether the program is achieving its stated purpose of strengthening critical maritime infrastructure against risks associated with potential terrorist attacks. We recommended that DHS develop a plan with milestones for implementing performance measures for the Port Security Grant Program. DHS concurred with the recommendation and stated that FEMA is taking actions to implement it. Mr. Chairman and members of the subcommittee, this completes my prepared statement. I would be happy to respond to any questions you or other members of the subcommittee may have at this time. 58 GAO-12-14. 59 GAO-12-47. Page 25 GAO-12-1009T Appendix I: Summary of Select Maritime Appendix I: Summary of Select Maritime Security-Related Programs and Activities Security-Related Programs and Activities This appendix provides information on select programs and activities that have been implemented in maritime security since enactment of the Maritime Transportation Security Act (MTSA) in 2002. The information includes an overview of each program or activity; obligations information, where available; a summary of key findings and recommendations from prior GAO work, if applicable; and a list of relevant GAO products. The Department of Homeland Security (DHS) is the lead federal agency responsible for implementing MTSA requirements and related maritime security programs. DHS relies on a number of its component agencies that have responsibilities related to maritime security, including the following: 1 • U.S. Coast Guard: The Coast Guard has primary responsibility for ensuring the safety and security of U.S. maritime interests and leading homeland security efforts in the maritime domain. • U.S. Customs and Border Protection (CBP): CBP is responsible for the maritime screening of incoming commercial cargo for the presence of contraband, such as weapons of mass destruction, illicit drugs, or explosives, while facilitating the flow of legitimate trade and passengers. • Transportation Security Administration (TSA): TSA has responsibility for managing the Transportation Worker Identification Credential (TWIC) program, which is designed to control the access of maritime workers to regulated maritime facilities. 2 • Domestic Nuclear Detection Office (DNDO): DNDO is responsible for acquiring and supporting the deployment of radiation detection equipment, including radiation portal monitors at U.S. ports of entry. 1 In addition to the DHS component agencies, the Department of Defense has worked with DHS to draft a National Strategy for Maritime Security and has placed staff at Interagency Operations Centers to coordinate information sharing on maritime security issues with DHS component agencies and other law enforcement agencies. The Department of Energy funds the installation of radiation detection equipment at select seaports overseas through its Megaports Initiative, and the Department of State reviews foreign seafarers’ applications for U.S. visas. 2 The Coast Guard is responsible for enforcement of the Transportation Worker Identification Credential program. Page 26 GAO-12-1009T Appendix I: Summary of Select Maritime Security-Related Programs and Activities • Federal Emergency Management Agency (FEMA): FEMA is responsible for administering grants to improve the security of the nation’s highest risk port areas. This appendix is based primarily on GAO reports and testimonies issued from August 2002 through July 2012 related to maritime, port, vessel, and cargo security efforts of the federal government, and other aspects of implementing MTSA-related security requirements. The appendix also includes selected updates—conducted in August 2012—to the information provided in these previously-issued products on the actions DHS and its component agencies have taken to address recommendations made in these products and the obligations for key programs and activities through May 2012. The obligations information provided in this appendix represents obligations for certain maritime security programs and activities that we were able to identify from available agency sources, such as agency congressional budget justifications, budget in brief documents, and prior GAO products. 3 It does not represent the total amount obligated for maritime security. In some cases, information was not available because of agency reporting practices. For example, we were not able to determine obligations for many of the MTSA-related Coast Guard programs and activities because they are funded at the account level (i.e., operating expenses) rather than as specific line items. While we were not able to identify obligations for every maritime security program and activity, many of the Coast Guard’s programs and activities in maritime security fall under its ports, waterways, and coastal security mission. Table 1 shows the reported budget authority for the Coast Guard’s ports, waterways, and coastal security mission for fiscal years 2004 through 2013. The remainder of the budget-related information contained in this appendix generally pertains to obligations. In several instances we obtained appropriations information when obligations information was not available. 3 The information provided generally reflects agency obligations, unless noted otherwise. Page 27 GAO-12-1009T Appendix I: Summary of Select Maritime Security-Related Programs and Activities Table 1: Ports, Waterways, and Coastal Security Mission’s Reported Budget Authority (in millions), Fiscal Years 2004 through 2013 a Fiscal year Funding 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 $1,853 $1,638 $1,760 $1,362 $1,554 $1,641 $1,598 $1,651 $1,918 $1,738 Source: GAO analysis of Budget in Brief reports. a Budget authority data for fiscal year 2003 were not available. Fiscal year 2013 is requested. Page 28 GAO-12-1009T National Strategy for Maritime Security National Strategy for Funding Information Maritime Security We were unable to obtain funding information for this strategy. The National Strategy for Maritime Security, published in September Summary of Key Findings and Recommendations 2005, aimed to align all federal government maritime security In June 2008, we reported that the National Strategy for Maritime Security and programs and activities into a the supporting plans that implement the strategy show that, collectively, the plans comprehensive and cohesive national address four of the six desirable characteristics of an effective national strategy effort involving appropriate federal, that we identified in 2004 and partially address the remaining two. The four state, local, and private sector characteristics that are addressed include: (1) purpose, scope, and methodology; entities. Homeland Security (2) problem definition and risk assessment; (3) organizational roles, Presidential Directive 13 (HSPD-13) responsibilities, and coordination; and (4) integration and implementation. The directed the Secretaries of Defense two characteristics that are partially addressed are: (1) goals, objectives, and Homeland Security to lead a joint activities, and performance measures and (2) resources, investments, and risk effort to draft a National Strategy for management. Specifically, only one of the supporting plans mentions Maritime Security. performance measures and many of these measures are presented as possible In addition to the National Strategy, or potential performance measures. However, in other work reported on in HSPD-13 directed DHS to develop August 2007, we noted the existence of performance measures for individual eight supporting implementation plans maritime security programs. These characteristics are partially addressed to address the specific threats and primarily because the strategy and its plans did not contain information on challenges of the maritime performance measures and the resources and investments elements of these environment. While the plans address characteristics. The resources, investments, and risk management characteristic different aspects of maritime security, is also partially addressed. While the strategic actions and recommendations they are mutually linked and reinforce discussed in the maritime security strategy and supporting implementation plans each other. The supporting plans are constitute an approach to minimizing risk and investing resources, the strategy as follows: and seven of its supporting implementation plans did not include information on the sources and types of resources needed for their implementation. In addition, • National Plan to Achieve Domain the national strategy and three of the supporting plans also lack investment Awareness strategies to direct resources to necessary actions. To address this, the working • Global Maritime Intelligence group tasked with monitoring implementation of the plans recommended that the Integration Plan Maritime Security Policy Coordination Committee—the primary forum for • Interim Maritime Operational coordinating U.S. national maritime strategy—examine the feasibility of creating Threat Response Plan an interagency investment strategy for the supporting plans. We recognized that • International Outreach and other documents were used for allocating resources and, accordingly, we did not Coordination Strategy make any recommendations. • Maritime Infrastructure Recovery Plan • Maritime Transportation System Relevant GAO Products Security Plan • Maritime Commerce Security Maritime Security: Coast Guard Efforts to Address Port Recovery and Salvage Plan Response. GAO-12-494R. Washington, D.C.: April 6, 2012. See page 4. • Domestic Outreach Plan National Strategy and Supporting Plans Were Generally Well-Developed and Are Being Implemented. GAO-08-672. Washington, D.C.: June 20, 2008. Department of Homeland Security: Progress Report on Implementation of Mission and Management Functions. GAO-07-454. Washington, D.C.: August 17, 2007. See pages 108-109. Page 29 GAO-12-1009T Area Maritime Security Plans Area Maritime Security Budget Authority Information Plans Activities related to AMSPs are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, waterways and coastal Area Maritime Security Plans security mission. See table 1 for the reported budget authority for that mission for (AMSPs) are developed by the Coast fiscal years 2004 through 2013. Guard with input from applicable governmental and private entities and Summary of Key Findings and Recommendations these plans serve as the primary means to identify and coordinate Our work on AMSP showed progress and an evolution toward plans that were Coast Guard procedures related to focused on preventing terrorism and included discussion regarding natural prevention, protection, and security disasters with detailed information on plans for recovery after an incident. We response. Among other requirements, reported in October 2007 that the Coast Guard developed guidance and a MTSA directed the Coast Guard to template to help ensure that all major ports had an original AMSP that was to be develop AMSPs—to be updated updated every 5 years. Our 2007 reports stated that there was a wide variance in every 5 years—for ports throughout ports’ natural disaster planning efforts and that AMSPs—limited to security the nation (46 U.S.C. § incidents—could benefit from unified planning to include an all-hazards 70103(b)(2)(G)). AMSPs are approach. In our March 2007 report on this issue, we recommended that DHS developed for each of 43 encourage port stakeholders to use existing forums for discussing all-hazards geographically defined port areas. In planning. The Coast Guard’s early attempts to set out the general priorities for 2006, the Security and Accountability recovery operations in its guidelines for the development of AMSPs offered for Every Port Act (SAFE Port Act) added a requirement that AMSPs limited instruction and assistance for developing procedures to address recovery include recovery issues by identifying situations. Our April 2012 report stated that each of the seven Coast Guard salvage equipment able to restore AMSPs that we reviewed had incorporated key recovery and salvage response 1 operational trade capacity (46 U.S.C. planning elements as called for by legislation and Coast Guard guidance. § 70103(b)(2)(G)). Specifically, the plans included the roles and responsibilities of special recovery units, instructions for gathering key information on the status of maritime assets (such as bridges), identification of recovery priorities, and plans for salvage of assets following an incident. Relevant GAO Products Maritime Security: Coast Guard Efforts to Address Port Recovery and Salvage Response. GAO-12-494R. Washington, D.C.: April 6, 2012. The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. Washington, D.C.: October 30, 2007. Pages 12-14. Port Risk Management: Additional Federal Guidance Would Aid Ports in Disaster Planning and Recovery. GAO-07-412. Washington, D.C.: March 28, 2007. 1 See 46 U.S.C. § 70103(b)(2)(E), (G). Page 30 GAO-12-1009T Port Security Exercises Port Security Exercises Budget Authority Information Activities related to port security exercises are not specifically identified in the Port Security Exercises are designed Coast Guard budget. Such activities fall under the Coast Guard’s ports, to continuously improve preparedness waterways and coastal security mission. See table 1 for the reported budget by validating information and authority for that mission for fiscal years 2004 through 2013. procedures in the AMSPs, identifying strengths and weaknesses, and practicing command and control Summary of Key Findings and Recommendations within an incident command/unified In January 2005, we reported that the Coast Guard had conducted many command framework. The Coast exercises and was successful in identifying areas for improvement—which is the Guard Captain of the Port—the port purpose of such exercises. For example, Coast Guard port security exercises officer designated to enforce, among other things, port security—and the identified opportunities to improve incident response in the areas of Area Maritime Security Committee—a communication, resources, coordination, and decision-making authority. Further, committee of key port stakeholders we reported that after-action reports were not being completed in a timely who share information and develop manner. We recommended that the Coast Guard review its actions for ensuring port security plans—are required by the timely submission of after-action reports on terrorism-related exercises and Coast Guard regulations to conduct or determine if further actions are needed. To address the issue of timeliness, the participate in exercises to test the Coast Guard reduced the timeframe allowed for submitting an after-action report. effectiveness of AMSPs annually, with All reports are now required to be reviewed, validated, and entered into the no more than 18 months between applicable database within 21 days of the end of an exercise or operation. In exercises (33 C.F.R § 103.515). After addition, our analysis of 26 after-action reports for calendar year 2006 showed an these exercises are conducted, the improvement in the quality of these reports in that each report listed specific Coast Guard requires that the units exercise objectives and lessons learned. As a result of these improvements in participating in the exercise submit an meeting requirements for after action reports, the Coast Guard is in a better after-action report describing the position to identify and correct barriers to a successful response to a terrorist results and highlighting any lessons threat. Our October 2011 report on offshore energy infrastructure stated that the learned. Coast Guard had conducted exercises and taken corrective actions, as In August 2005, the Coast Guard and appropriate, to strengthen its ability to prevent a terrorist attack on an offshore TSA initiated the Port Security facility. This included a national-level exercise that focused on, among other Training Exercise Program. things, protecting offshore facilities in the Gulf of Mexico. The exercise resulted in Additionally, the Coast Guard initiated more than 100 after-action items and, according to Coast Guard documentation, its own Area Maritime Security the Coast Guard had taken steps to resolve the majority of them and was Training and Exercise Program in working on the others. October 2005. Both programs were designed to involve the entire port community in exercises. In 2006, the Relevant GAO Products SAFE Port Act included several new requirements related to security Maritime Security: Coast Guard Should Conduct Required Inspections of exercises, such as establishing a Port Offshore Energy Infrastructure. GAO-12-37. Washington, D.C.: October 28, Security Exercise Program and an 2011. See pages 17-18 and 48-49. improvement plan process that would identify, disseminate, and monitor the The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. implementation of lessons learned Washington, D.C.: October 30, 2007. See pages 14-15. and best practices from port security exercises (6 U.S.C. § 912). Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention. GAO-05-170, January 14, 2004. Page 31 GAO-12-1009T Maritime Facility Security Plans Maritime Facility Budget Authority Information Security Plans Activities related to maritime facility security plans are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, MTSA requires various types of waterways and coastal security mission. See table 1 for the reported budget maritime facilities to develop and authority for that mission for fiscal years 2004 through 2013. implement security plans and it places federal responsibility for approving Summary of Key Findings and Recommendations and overseeing these plans with DHS (46 U.S.C. § 70103(c)). DHS, in turn, Our work on this issue found that the Coast Guard has made progress by has delegated this administrative generally requiring maritime facilities to develop security plans and conducting responsibility to the Coast Guard. The required annual inspections. We also reported that the Coast Guard’s inspections SAFE Port Act, enacted in 2006, were identifying and correcting facility deficiencies. For example, in February requires the Coast Guard to conduct 2008, we reported that the Coast Guard identified deficiencies in about one-third at least two inspections of each of the facilities inspected from 2004 through 2006, with deficiencies concentrated maritime facility annually—one of in certain categories, such as failing to follow facility security plans for access which is to be unannounced—to verify control. Our work also found areas for improvement as well. For example, in continued compliance with each February 2008 we made recommendations to help ensure effective facility’s security plan (46 U.S.C. § implementation of MTSA-required facility inspections. For example, we 70103(c)(4)(D)). As of June 2004, recommended that the Coast Guard reassess the number of inspections staff approximately 3,150 facilities were needed, among other things. In response, the Coast Guard took action to required to develop facility security plans. implement these recommendations. In our October 2011 report on inspections of offshore energy facilities, we noted that the Coast Guard had taken actions to help ensure the security of offshore energy facilities, such as developing and reviewing security plans, but faced difficulties ensuring that all facilities complied with requirements. We recommended that the Coast Guard develop policies or guidance to ensure that annual security inspections are conducted and information entered into databases is more useful for management. The Coast Guard concurred with these recommendations and stated that it plans to update its guidance and improve its inspection database in 2013. Relevant GAO Products Maritime Security: Coast Guard Should Conduct Required Inspections of Offshore Energy Infrastructure. GAO-12-37. Washington, D.C.: October. 28, 2011. Maritime Security: The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. Washington D.C.: October 30, 2007. See pages 19-21. Maritime Security: Coast Guard Inspections Identify and Correct Facility Deficiencies, but More Analysis Needed of Program's Staffing, Practices, and Data. GAO-08-12. Washington D.C.: February 14, 2008. Department of Homeland Security: Progress Report on Implementation of Mission and Management Functions. GAO-07-454. Washington D.C.: August 17, 2007. See page 110. Maritime Security: Substantial Work Remains to Translate New Planning Requirements to Effective Port Security. GAO-04-838. Washington, D.C.: June 30, 2004. Page 32 GAO-12-1009T Port Security Grant Program a Port Security Grant Table 2: Total PSGP Funding Fiscal Year 2003 through 2012 (in millions) Program Fiscal year PSGP 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 The Port Security Grant Program Funding amount 244b 179 141 168 311c 389 389 288 235 97.5 (PSGP) provides federal funding to Total for all years $2,441.5dd defray some of the costs of Source: FEMA’s annual PSGP grant guidance and GAO analysis of DHS appropriations implementing security measures at a Target funding amounts as presented in FEMA’s annual grant guidance. domestic ports. The program was b This figure includes $169 million in PSGP funding and $75 million in additional funding for port established in January 2002 and security under the Urban Areas Security Initiative—another DHS grant program that provides funding codified by MTSA (46 U.S.C. § for building and sustaining national preparedness capabilities. 70107). DHS administers the PSGP c This figure includes fiscal year 2007 appropriations , as well as $110 million in fiscal year 2007 through the Federal Emergency supplemental appropriation. Management Agency (FEMA), and d Total funding includes totals through fiscal year 2012, as well as $150 million provided pursuant to the Coast Guard provides subject the American Recovery and Reinvestment Act (ARRA). Pub. L. No. 111-5, 123 Stat. 145, 164 (2009). matter expertise to FEMA on the maritime industry to inform grant Summary of Key Findings and Recommendations award decisions. We reported in November 2011 that the PSGP is one of DHS’s tools to protect Based on risk, each port is placed into critical maritime infrastructure from risks such as terrorist attacks. Consistent with one of three funding groups—Group I risk management principles, in November 2011, we also reported that PSGP (highest risk group), Group II (next allocations were highly correlated to risk and DHS has taken steps to strengthen highest risk group), or Group III. Port the PSGP risk allocation model by improving the quality and precision of the data areas not identified in these groups inputs. However, since fiscal year 2006, we have also reported that DHS did not are eligible to apply for funding as have measures to assess the programs’ effectiveness and recommended that part of the “All Other Port Areas” DHS develop performance measures. In November 2011, we reported that DHS Group. Port areas use PSGP funding was not in the best position to monitor the program’s effectiveness and to increase portwide risk recommended that FEMA establish time frames and related milestones for management, enhance maritime domain awareness, and improve port implementing performance measures. We also recommended that FEMA update recovery and resiliency efforts the PSGP risk model to incorporate variability in port vulnerabilities. DHS through developing security plans, concurred with our recommendations and is taking steps to address them. For purchasing security equipment, and example, DHS officials stated that FEMA is in the process of developing providing security training to performance measures. employees. Relevant GAO Products Port Security Grant Program: Risk Model, Grant Management, and Effectiveness Measures Could Be Strengthened. GAO-12-47. Washington, D.C.: November 17, 2011. Maritime Security: Responses to Questions for the Record. GAO-11-140R. Washington D.C.: October 22, 2010. See pages 12-15. Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure. GAO-06-91. Washington, D.C.: December 15, 2005. See pages 49-67. Page 33 GAO-12-1009T Transportation Worker Identification Credential Transportation Worker Table 3: Total TWIC Funding Authority, Fiscal Years 2003 through June 2012 (in millions) Identification Credential Fiscal year The Transportation Worker TWIC 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Identification Credential (TWIC) Funding authoritya 25.0 49.7 5.0 15.0 18.6 50.6 109.3 45.0 45.0 30.2 program, administered by the Coast Total for all years $393.4 Guard and TSA, requires maritime workers to complete background Source: GAO analysis of TWIC program funding reported by TSA and FEMA. checks and obtain a biometric a Funding authority includes appropriations with reprogramming and adjustments and TWIC fee identification card to gain unescorted authority. TWIC fee authority represent the dollar amount TSA is authorized to collect from TWIC access to secure areas of regulated enrollment fees and not the actual dollars collected. TSA reports it has collected $41.7 million for fiscal year 2008, $76.2 million for fiscal year 2009, $30.6 million for fiscal year 2010, $26.5 million for maritime facilities. fiscal year 2011, and $21.1 million for fiscal year 2012 (as of June 30). The total does not include $151 million in FEMA security grant funding. MTSA required the Secretary of Homeland Security to prescribe Summary of Key Findings and Recommendations regulations preventing individuals from having unescorted access to Our work on TWIC has shown that DHS, TSA, and the Coast Guard have made secure areas of MTSA-regulated progress in enrolling workers and activating TWICs. For example, in November facilities unless they possess a 2009, we reported that over 93 percent of the estimated TWIC users were biometric transportation security card enrolled in the program by the April 15, 2009 compliance deadline. However, and are authorized to be in such an TSA, the Coast Guard, and maritime industry stakeholders have faced area. It also tasked DHS with the responsibility to issue identification challenges in implementing the TWIC program. These challenges include cards to eligible individuals. enrolling and issuing TWICs to a larger population than was originally anticipated, ensuring that TWIC access control technologies perform effectively According to the most recently- in the harsh maritime environment, and balancing security requirements with the available data from the Coast Guard, need to facilitate the flow of legitimate maritime commerce. We have as of December 2010 and January 2011, there were 2,509 facilities and recommended that DHS take actions to identify effective and cost-efficient 12,908 vessels, respectively, that methods for meeting TWIC program objectives and evaluate those actions. In were subject to MTSA regulations and general DHS concurred with our recommendations and has plans underway to had to implement TWIC provisions. implement them. In addition, as mandated by the Coast Guard Authorization Act According to TSA, as of August 9, 2 of 2010, we are currently assessing the results of the TWIC pilot and will report 2012, it has activated over 2 million TWIC cards. on our findings later this year. Relevant GAO Products Transportation Worker Identification Credential: Internal Control Weaknesses Need to be Corrected to Help Achieve Security Objectives. GAO-11-657. Washington, D.C.: May 10, 2011. Transportation Worker Identification Credential: Progress Made in Enrolling Works and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers. GAO-10-43. Washington, D.C.: November 18, 2009. 2 Pub. L. No. 111-281, § 802, 124 Stat. 2905, 2989 (2010). Page 34 GAO-12-1009T Vessel Security Plans Vessel Security Plans Budget Authority Information Activities related to vessel security plans are not specifically identified in the Coast Guard regulations require Coast Guard budget. Such activities fall under the Coast Guard’s ports, owners and operators of certain waterways and coastal security mission. See table 1 for the reported budget vessels to conduct assessments to authority for that mission for fiscal years 2004 through 2013. identify security vulnerabilities, and to develop plans to mitigate these vulnerabilities (33 C.F.R. §§ 104.300- Summary of Key Findings and Recommendations .415). The Coast Guard set a deadline for vessels to operate under We reported in June 2004 that the Coast Guard had identified and corrected an approved or self certified security deficiencies in vessel security plans, though the extent of review and approval of plan by July 1, 2004. The U.S. Coast such plans varied widely. Our more recent vessel security work has focused on Guard was responsible for (1) specific types of vessels—including ferries, cruise ships, and energy commodity determining which vessels are tankers—and found that the Coast Guard has taken a number of steps to required to create these plans and (2) improve their security, such as screening vehicles and passengers on ferries. reviewing and approving the vessel Our September 2010 report on piracy found that the Coast Guard had ensured security plans. that the security plans for U.S.-flagged vessels have been updated with piracy annexes if they transited high risk areas. Our work has also identified additional According to the Coast Guard, as of opportunities to enhance vessel security. For example, in 2010 we reported that June 2004 there were almost 10,000 vessels operating in more than 300 the Coast Guard had not implemented recommendations from five agency domestic ports that were required to contracted studies on ferry security and that the Coast Guard faced challenges comply with these MTSA protecting energy tankers. We made recommendations aimed at increasing requirements. These maritime security aboard vessels. In general DHS has concurred with these vessels, ranging from oil tankers and recommendations and is in the process of implementing them. freighters to tugboats and passenger ferries, can be vulnerable on many security-related fronts and, therefore, Relevant GAO Products must be able to restrict access to Maritime Security: Ferry Security Measures Have Been Implemented, but areas on board, such as the pilot Evaluating Existing Studies Could Further Enhance Security. GAO-11-207. house or other control stations critical Washington D.C.: December 3, 2010. to the vessels’ operation. Maritime Security: Actions Needed to Assess and Update Plan and Enhance The effect of the Coast Guard’s Collaboration Among Partners Involved in Countering Piracy off the Horn of oversight of vessel security plans Africa. GAO-10-856. Washington D.C: September 30, 2010. See pages 57-59. extends far beyond U.S. waters to high risk areas—such as the Horn of Maritime Security: Varied Actions Taken to Enhance Cruise Ship Security, but Africa—where piracy has surged in Some Concerns Remain. GAO-10-400. Washington, D.C.: April 9, 2010. the last few years. For example, the Maritime Security: Federal Efforts Needed to Address Challenges in Preventing Coast Guard ensures that the more and Responding to Terrorist Attacks on Energy Commodity Tankers. GAO-08- than 100 U.S.-flagged vessels that 141. Washington, D.C.: December 10, 2007. travel through that region have updated security plans, and the Coast Maritime Security: Substantial Work Remains to Translate New Planning Guard checks for compliance when Requirements to Effective Port Security. GAO-04-838. Washington, D.C.: June these vessels are at certain ports. 30, 2004. Page 35 GAO-12-1009T Small Vessel Security Activities Small Vessel Security Budget Authority Information Activities Activities related to small vessel security activities are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, Small vessel Small vessel security security activities activities areare waterways and coastal security mission. See table 1 for the reported budget those in those in place place to to address address the the threat threat authority for that mission for fiscal years 2004 through 2013. posed by posed by the the millions millions of of small small vessels vessels in use in use in in U.S. U.S. waterways. waterways. Related Related to to Summary of Key Findings and Recommendations this threat, this threat, DHSDHS released released its its Small Small Vessel Security Vessel Security Strategy Strategy in in April April 2008 2008 We reported in October 2010 that DHS—including the Coast Guard and CBP— as part as part ofof its its effort effort to to mitigate mitigate the the and other entities are taking actions to reduce the risk from small vessels attacks. vulnerability of vulnerability of vessels vessels to to waterside waterside These actions include the development of the Small Vessel Security Strategy, attacks from attacks from small small vessels. vessels. As As part part of of community outreach, the establishment of security zones in U.S. ports and the Strategy, the Strategy, DHS DHS identified identified the the four four waterways, escorts of vessels that could be targeted for attack and port-level gravest risk gravest risk scenarios scenarios involving involving the the vessel tracking with radars and cameras since other vessel tracking systems— use of use of small small vessels vessels forfor terrorist terrorist such as the Automatic Identification System—are only required on larger vessels. attacks—(1) aa waterborne attacks—(1) waterborne improvised Our October 2010 work indicates, however, that the expansion of vessel tracking explosive device, explosive device, (2)(2) aa means means of of to all small vessels may be of limited utility because of, among other things, the smuggling weapons smuggling weapons intointo the the United United large number of small vessels, the difficulty identifying threatening actions, and States, (3) States, (3) aa means means of of smuggling smuggling the challenges associated with getting resources on scene in time to prevent an humans into humans into the the United United States, States, andand attack once it has been identified. To enhance actions to address the small (4) aa platform (4) platform for for conducting conducting an an attack attack vessel threat DNDO has worked with the Coast Guard and local ports to develop that uses that uses aa rocket rocket or or other other weapon weapon launched at at aa sufficient sufficient distance distance to and test equipment for detecting nuclear material on small maritime vessels. As launched allow the the attackers attackers to to evade evade part of our broader work on DNDO’s nuclear detection architecture, in January allow defensive fire. defensive fire. 2009 we recommended that DNDO develop a comprehensive plan for installing radiation detection equipment that would define how DNDO would achieve and Several DHS component agencies monitor its goal of detecting the movement of radiological and nuclear materials have roles in protecting against through potential smuggling routes, such as small maritime vessels. DHS threats posed by small vessels. The generally concurred with the recommendation and is in the process of Coast Guard is responsible for implementing it. protecting the maritime region; CBP is responsible for keeping terrorists and Relevant GAO Products their weapons out of the United States, securing and facilitating trade, Maritime Security: DHS Progress and Challenges in Key Areas of Port Security. and cargo container security; and GAO-10-940T. Washington, D.C.: July 21, 2010. See pages 7-10. DNDO is responsible for developing, Maritime Security: Vessel Tracking Systems Provide Key Information, but the acquiring, and deploying radiation detection equipment to support the Need for Duplicate Data Should Be Reviewed. GAO-09-337. Washington, D.C.: efforts of DHS and other federal March 17, 2009. See pages 30-37. agencies. MTSA, and other legislation Nuclear Detection: Domestic Nuclear Detection Office Should Improve Planning and directives, require that these to Better Address Gaps and Vulnerabilities. GAO-09-257. Washington, D.C.: component agencies protect the January 29, 2009. See pages 18-23. nation’s ports and waterways from terrorist attacks through a wide range Nuclear Detection: Preliminary Observations on the Domestic Nuclear Detection of security improvements. Office’s Efforts to Develop a Global Nuclear Detection Architecture. GAO-08- 999T Washington, D.C.: July 16, 2008. Page 36 GAO-12-1009T Controls over Foreign Seafarers Controls over Foreign Budget Authority Information Seafarers Activities related to controls over foreign seafarers are not specifically identified in the Coast Guard budget. Some of these fall under the Coast Guard’s ports, In fiscal year 2009, maritime crew— waterways and coastal security mission. See table 1 for the reported budget known as seafarers—made about 5 authority amounts for that mission for fiscal years 2004 through 2013 million entries into U.S. ports on commercial cargo and cruise ship Summary of Key Findings and Recommendations vessels. This is important because the overwhelming majority of We reported in January 2011 that the federal government uses a multi-faceted seafarers on arriving vessels are strategy to address foreign seafarer risks. The State Department starts the aliens. Because the U.S. government process by reviewing seafarer applications for U.S. visas. As part of this process, has no control over foreign seafarer consular officers review applications, interview applicants’, screen applicant credentialing practices, concerns have been raised that it is possible for information against federal databases, and review supporting documents to aliens to fraudulently obtain seafarer assess whether the applicants pose a potential threat to national security, among credentials to gain entry into the other things. In addition, DHS and its component agencies conduct advance- United States or conduct attacks. screening inspections, assess risks, and screen seafarers. However, our work Therefore, DHS considers the illegal noted opportunities to enhance seafarer inspection methods. For example, in entry of an alien through a U.S. January 2011, we reported that CBP inspected all seafarers entering the United seaport through exploitation of States, but noted that CBP did not have the technology to electronically verify the maritime industry practices to be a identity and immigration status of crews on board cargo vessels, thus limiting key concern. Within DHS, the Coast CBP’s ability to ensure it could identify fraudulent documents presented by Guard and CBP conduct a variety of foreign seafarers. We made several recommendations to, among other things, seafarer-related enforcement and facilitate better understanding of the potential need and feasibility of expanding compliance boardings and electronic verification of seafarers on board vessels and to improve data inspections. For example, the Coast collection and sharing. In that same report we also noted discrepancies between Guard conducts inspections of vessel CBP and Coast Guard data on illegal seafarer entries at domestic ports and we crew as part of its regulatory recommended that the two agencies jointly establish a process for sharing and responsibility under MTSA. Other reconciling such records. DHS concurred with our recommendations and is in the departments participate as well, such process of taking actions to implement them. For example, CBP met with the as the State Department, which DHS Screening Coordination Office to determine risks associated with not reviews foreign seafarers’ electronically verifying foreign seafarers for admissibility. Further, DHS reported applications for U.S. visas. in July 2011 that CBP and the Coast Guard were working to assess the costs A few countries account for a large associated with deploying equipment to provide biometric reading capabilities on share of arriving foreign seafarers, board vessels. with the Philippines, India, and Russia supplying the most. According to the Coast Guard, approximately 80 Relevant GAO Product percent of seafarers arriving by Maritime Security: Federal Agencies Have Taken Actions to Address Risks commercial vessel did so aboard Posed by Seafarers, but Efforts Can Be Strengthened. GAO-11-195. passenger vessels, such as cruise Washington, D.C.: January 14, 2011. ships. Page 37 GAO-12-1009T Maritime Security Risk Analysis Model Maritime Security Risk Budget Authority Information Analysis Model Activities related to MSRAM are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, waterways and coastal The Maritime Security Risk Analysis security mission. See table 1 for the reported budget authority for that mission for Model (MSRAM) is the Coast Guard’s fiscal years 2004 through 2013. primary tool for assessing and managing security risks in the Summary of Key Findings and Recommendations maritime domain. The Coast Guard uses MSRAM to meet DHS’s Our work on MSRAM found that the Coast Guard’s risk management and risk requirement for using risk-informed assessment efforts have developed and evolved and that the Coast Guard has approaches to prioritize its made progress in assessing maritime security risks using MSRAM. For example, investments. our work in this area in 2005 found that the Coast Guard was ahead of other DHS components in establishing a foundation for using risk management. After MSRAM provides the Coast Guard the September 11, 2001 terrorist attacks, the Coast Guard greatly expanded the with a standardized way of assessing scope of its risk assessment activities. It conducted three major security risk to maritime infrastructure, such as assessments at ports, which collectively resulted in progress in understanding chemical facilities, oil refineries, and prioritizing risks within a port. We also reported in July 2010 that by hazardous cargo vessels, passenger developing MSRAM, the Coast Guard had begun to address the limitations of its ferries, and cruise ship terminals, previous port security risk model. In our more recent work, we reported that among others. MSRAM calculates the MSRAM generally aligns with DHS risk assessment criteria, but noted that risk of a terrorist attack based on scenarios—a combination of target additional documentation and training could benefit MSRAM users. We made and attack modes—in terms of recommendations to the Coast Guard to strengthen MSRAM, better align it with threats, vulnerabilities, and risk management guidance, and facilitate its increased use across the agency. In consequences to more than 28,000 general, the Coast Guard has concurred with our recommendations and has maritime targets. The model focuses implemented some and taken actions to implement others. For example, the on individual facilities and cannot Coast Guard uses risk management to drive resource allocations across its model system impacts or more missions and is in the process of making MSRAM available for external peer complex scenarios involving adaptive review. The Coast Guard expects to complete these actions later this year, or intelligent adversaries. The Coast Guard also uses MSRAM as input Relevant GAO Products into other DHS maritime security programs, such as FEMA’s Port Coast Guard: Security Risk Model Meets DHS Criteria, but More Training Could Security Grant Program. Enhance Its Use for Managing Programs and Operations. GAO-12-14. Washington, D.C: November 17, 2011. The Coast Guard Authorization Act of 2010 required the Coast Guard to Maritime Security: DHS Progress and Challenges in Key Areas of Port Security. make MSRAM available, in an GAO-10-940T. Washington, D.C.: July 21, 2010. See pages 3-6. unclassified version, on a limited Risk Management: Further Refinements Needed To Assess Risks and Prioritize basis to regulated vessels and Protective Measures at Ports and Other Critical Infrastructure. GAO-06-91. facilities to conduct risk assessments Washington, D.C.: December 15, 2005. See pages 30-48. of their own facilities and vessels (Pub. L. No. 111-281, § 827, 124 Stat. 2905, 3004-05). Page 38 GAO-12-1009T Area Maritime Security Committees Area Maritime Security Budget Authority Information Committees Activities related to AMSCs are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, waterways and coastal Area Maritime Security Committees security mission. See table 1 for the reported budget authority for that mission for (AMSCs) consist of key stakeholders fiscal years 2004 through 2013. who (1) may be affected by security policies and (2) share information and Summary of Key Findings and Recommendations develop port security plans. AMSCs, which are required by Coast Guard Our work in this area has noted that the Coast Guard has established AMSCs in regulations that implement MTSA, major U.S. ports. We also reported in April 2005 that the AMSCs improved also identify critical port infrastructure information sharing among port stakeholders, and made improvements in the and risks to the port, develop timeliness, completeness, and usefulness of such information. The types of mitigation strategies for these risks, information shared included threats, vulnerabilities, suspicious activities, and and communicate appropriate Coast Guard strategies to protect port infrastructure. The AMSCs also served as security information to port a forum for developing Area Maritime Security Plans. While establishing AMSCs stakeholders (33 C.F.R. §§ 103.300- has increased information sharing among port stakeholders, our earlier work .310). AMSCs were created, in part, noted that the lack of federal security clearances for non-federal members of because ports are sprawling enterprises that often cross committees hindered some information sharing. To address this issue, we made jurisdictional boundaries; and the recommendations to ensure that non-federal officials received needed security need to share information among clearances in a timely manner. The Coast Guard agreed with our federal, state and local agencies is recommendations and has since taken actions to address them, including (1) central to effective prevention and distributing memos to field office officials clarifying their role in granting security response. clearances to AMSC members, (2) developing a database to track the recipients of security clearances, and (3) distributing an informational brochure outlining the According to the Coast Guard, it has security clearance process. organized 43 area maritime security committees, covering the nation’s 361 Relevant GAO Products ports. Recommended members of AMSCs are a diverse array of port Maritime Security: The SAFE Port Act: Status and Implementation One Year stakeholders to include federal, state Later. GAO-08-126T. Washington, D.C.: October 30, 2007. See pages 8-11. and local agencies, as well as private sector entities to include terminal Maritime Security: Information-Sharing Efforts are Improving, GAO-06-933T. operators, yacht clubs, shipyards, Washington, D.C.: July 10, 2006. marine exchanges, commercial fishermen, trucking and railroad Maritime Security: New Structures Have Improved Information Sharing, but companies, organized labor, and Security Clearance Processing Requires Further Attention. GAO-05-394. trade associations. Washington, D.C.: April 15, 2005. Page 39 GAO-12-1009T Interagency Operations Centers Interagency Operations Appropriations Information Centers The Coast Guard received $60 million in appropriations in fiscal year 2008 that Congress directed the Coast Guard to use to begin the process of establishing Interagency Operations Centers IOCs. The Coast Guard received an additional $14 million in congressionally- (IOCs) are physical or virtual centers directed appropriations from fiscal years 2009 through 2012 to fund IOC of collaboration to improve maritime implementation, for a total of $74 million in IOC funding since fiscal year 2008. domain awareness and operational coordination among port partners— Summary of Key Findings and Recommendations including federal, state, and local law enforcement agencies. These port Our work on IOCs found that they provided promise in improving maritime partners use these centers to domain awareness and information sharing. The Departments of Homeland participate in maritime security Security, Defense, and Justice all participated to some extent in three early activities, such as the implementation prototype IOCs. These IOCs improved information sharing through the collection and administration of intelligence of real time operational information. Thus, IOCs can provide continuous activities, information sharing, and information about maritime activities and directly involve participating agencies in vessel tracking. operational decisions using this information. For example, agencies have collaborated in vessel boardings, cargo examinations, and enforcement of port The SAFE Port Act required the security zones. In February 2012, however, we reported that the Coast Guard did establishment of certain IOCs, and not meet the SAFE Port Act’s deadline to establish IOCs at all high-risk ports the Coast Guard Authorization Act of within 3 years of enactment. This was due, in part because the Coast Guard was 2010 further specified that IOCs not appropriated funds to establish the IOCs in a timely manner and because the should provide, where practicable, for definition of a fully operational IOC was evolving during this period. As of October the physical collocation of the Coast 2010—the most recent date for which we had data available—32 of the Coast Guard with its port partners, where practicable, and that IOCs should Guard’s 35 sectors had made progress in implementing IOCs, but none of the include information-management IOCs had achieved full operating capability. In our February 2012 report, we systems (46 U.S.C. § 70107A). made several recommendations to the Coast Guard to help ensure effective implementation and management of its WatchKeeper information sharing To facilitate IOC implementation and system, such as revising the integrated master schedule. DHS concurred with the sharing of information across IOC the recommendations, subject to the availability of funds. participants, the Coast Guard began implementing implemented a web- Relevant GAO Products based information management and Maritime Security: Coast Guard Needs to Improve Use and Management of sharing system called WatchKeeper in 2005. Interagency Operations Centers. GAO-12-202. Washington, D.C.: February 13, 2012. Maritime Security: The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. Washington, D.C.: October 30, 2007. See pages 8-11. Maritime Security: Information-Sharing Efforts are Improving, GAO-06-933T. Washington, D.C.: July 10, 2006. Maritime Security: New Structures have Improved Information Sharing, but Security Clearance Processing Requires Further Attention. GAO-05-394. Washington, D.C. April 15, 2005. Page 40 GAO-12-1009T Vessel Tracking Vessel Tracking Funding Information Funding for vessel tracking is not specifically identified in the DHS budget and so Vessel tracking activities are those we were not able to determine costs allocated for the program. In March 2009, used to track vessels at sea and in however, we reported that the Coast Guard expected its long-range identification coastal areas in order to attempt to and tracking system, one element of vessel tracking, to cost $5.3 million in fiscal determine the degree of risk presented by each vessel while year 2009 and approximately $4.2 million per year after that. We also noted in minimizing disruption on the marine that report that long-range automatic identification system technology, another transportation system. Within DHS, vessel tracking effort, was not far enough along to know how much it would cost. the Coast Guard has programs and uses several technologies to track vessels. In general, these vessel Summary of Key Findings and Recommendations tracking systems work for larger Our work on vessel tracking found that the Coast Guard has developed a variety commercial vessels, such as those of vessel tracking systems that provide information key to identifying high risk 300 gross tons or more, with vessels and developing a system of security measures to reduce risks requirements to have the tracking associated with them. We reported on the Coast Guard’s early efforts to develop technologies. These systems are not a vessel information system, as well as more recent efforts to develop an effective at tracking smaller vessels, automatic information system to track vessels at sea. Our work in the vessel which can present a threat to larger tracking area showed opportunities for the Coast Guard to reduce costs and vessels and maritime infrastructure. eliminate duplication. For example, in July 2004 we reported that some local port entities were willing to assume the expense and responsibility for automatic MTSA included the first federal vessel tracking requirements to improve the information tracking if they were able to use the data, along with the Coast nation’s security by mandating that Guard, for their own purposes. Further, in March 2009, we reported that the certain vessels operate an automatic Coast Guard was using three different means to track large vessels at sea, identification system—a tracking resulting in potential duplication in information provided. As a result, we made system used for identifying and several recommendations to reduce costs, including that the Coast Guard locating vessels—while in U.S. waters partner with local ports and analyze the extent to which duplicate information is (46 U.S.C. § 70114). MTSA also needed to track large vessels. In general, the Coast Guard concurred with our allowed for the development of a recommendations and has taken steps to partner with local port entities and long-range automated vessel tracking analyze the performance of vessel tracking systems. system that would track vessels at sea based on existing onboard radio Relevant GAO Products equipment and data communication systems that can transmit the vessel’s Maritime Security: Vessel Tracking Systems Provide Key Information, but the identity and position to rescue forces Need for Duplicate Data Should Be Reviewed. GAO-09-337. Washington, D.C.: in the case of an emergency. Later, March 17, 2009. the Coast Guard and Maritime Transportation Act of 2004 amended Maritime Security: Partnering Could Reduce Federal Costs and Facilitate MTSA to require the development of a Implementation of Automatic Vessel Identification System. GAO-04-868. long-range tracking system (46 U.S.C. § 70115). Washington, D.C.: July 23, 2004. Coast Guard: Vessel Identification System Development Needs to Be Reassessed. GAO-02-477. Washington, D.C.: May 24, 2002. Page 41 GAO-12-1009T Automated Targeting System Automated Targeting Table 4: Total ATS Obligations, Fiscal Year 2005 through May 2012 (in millions) System Fiscal year ATS 2005 2006 2007 2008 2009 2010 2011 2012a Obligations 29.8 27.9 26.8 26.8 32.5 32.6 32.4 7.7 The Automated Targeting System (ATS) is a computerized model that Total for all years $216.5 CBP officers use as a decision Source: DHS. support tool to help them identify and a target maritime cargo containers for Represents fiscal year obligations through May 2012. inspection. ATS was developed in the aftermath of the terrorist attacks of Summary of Key Findings and Recommendations September 11, 2001 to address the concern that terrorists might attempt Our work on ATS has shown that CBP made progress in implementing ATS and to smuggle a weapon of mass enhancing it through the use of additional data. For example, in March 2004, we destruction into the United States reported that CBP has (1) refined ATS to target high risk cargo containers for using one of the millions of cargo physical inspection, (2) implemented national targeting training, and (3) sought to containers that arrive at our nation’s improve the quality and timeliness of manifest information. Also, in response to seaports. CBP uses ATS as part of its our 2004 recommendation that CBP initiate an external peer review of ATS, CBP mission to enhance container security contracted with a consulting firm to evaluate CBP’s targeting methodology and and reduce the vulnerabilities recommend improvements. Our September 2010 report regarding the additional associated with the supply chain—the information required by the 10+2 rule indicated that the new information on flow of goods from manufacturers to vessel stow plans enabled CBP to identify containers with incomplete manifest retailers. Specifically, CBP uses ATS data, which are inherently higher risk. We also reported, however, that CBP had to identify high-risk containers that not yet incorporated the new information and recommended that it set time require additional research or frames and milestones for updating its national security targeting criteria. CBP inspection at foreign or U.S. seaports. generally concurred with our recommendations and has begun to address them. We are in the process of completing an updated review of ATS for the House In 2006, the SAFE Port Act required Committee on Energy and Commerce and anticipate issuing a report later this that DHS collect additional data to year. identify high-risk cargo for inspection (6 U.S.C. § 943(b)). In response to this requirement, in January 2009, Relevant GAO Products CBP implemented the Importer Supply Chain Security: CBP Has Made Progress in Assisting the Trade Industry Security Filing and Additional Carrier Requirements, collectively known as in Implementing the New Importer Security Filing Requirements, but Some the 10+2 rule. Under this rule, Challenges Remain. GAO-10-841. Washington, D.C.: September 10, 2010. importers are required to provide CBP with additional information, such as The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. customs entry information, and Washington, D.C.: October 30, 2007. See pages 6 and 27-28. carriers are required to provide CBP Cargo Container Inspections: Preliminary Observations on the Status of Efforts to with information, such as cargo Improve the Automated Targeting System. GAO-06-591T. Washington, D.C.: manifest and vessel stowage information. The collection of this March 30, 2006. additional cargo information is Homeland Security: Summary of Challenges Faced in Targeting Oceangoing intended to further enhance CBP’s Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 31, ability to use ATS to identify high-risk 2004. shipments. Page 42 GAO-12-1009T Advanced Spectrographic Portal Program Advanced Funding Information Spectrographic Portal Overall, DHS spent more than $280 million developing and testing the ASP Program program. The advanced spectroscopic portal Summary of Key Findings and Recommendations (ASP) program was designed to In September 2007, we found that DNDO’s initial testing of the ASP were not an develop and deploy a more advanced objective and rigorous assessment of the ASP’s capabilities. For example, radiation portal monitor to detect and DNDO used biased test methods that enhanced the performance of the ASP identify radioactivity coming from during testing. At the same time, DNDO did not use a critical CBP standard containers and trucks at seaports and land border crossings. From 2005 to operating procedure for testing deployed equipment. We made several 2011, DNDO was developing and recommendations about improving the testing of ASPs which DNDO testing the ASP and planned to use subsequently implemented. In May 2009, we reported that DNDO improved the these machines to replace some of rigor of its testing; however, this improved testing revealed that the ASPs had a the currently deployed radiation portal limited ability to detect certain nuclear materials at anything more than light monitors used by CBP at ports-of- shielding levels. In particular, we reported that ASPs performed better than entry for primary screening, as well as currently deployed radiation portal monitors in detecting nuclear materials the handheld identification devices concealed by light shielding, but differences in sensitivity were less notable when currently used by CBP for secondary shielding was slightly below or above that level. In addition, further testing in screening. If they performed well, CBP ports revealed too many false alarms for the detection of certain high-risk DNDO expected that the ASP could nuclear materials. According to CBP officials, these false alarms are very (1) better detect key threat material disruptive in a port environment in that any alarm for this type of nuclear material and (2) increase the flow of would cause CBP to take enhanced security precautions because such materials commerce by reducing the number of (1) could be used in producing an improvised nuclear device and (2) are rarely referrals for secondary inspections. part of legitimate or routine cargo. In 2012, we reported that once ASP testing However, ASPs cost significantly became more rigorous, these machines did not perform well enough to warrant more than currently deployed portal deployment. Accordingly, DHS scaled back the program in 2010 and later monitors. We estimated in September cancelled the program in July 2012. 2008 that the lifecycle cost of each ASP (including deployment costs) was about $822,000, compared with Relevant GAO Products about $308,000 for radiation portal Combating Nuclear Smuggling: DHS has Developed Plans for Its Global Nuclear monitors, and that the total program cost for DNDO’s latest plan for Detection Architecture, but Challenges Remain in Deploying Equipment. GAO- deploying radiation portal monitors— 12-941T. Washington D.C: July 26, 2012. including ASPs—would be about $2 Combating Nuclear Smuggling: DHS Improved Testing of Advanced Radiation billion. Detection Portal Monitors, but Preliminary Results Show Limits of the New Technology. GAO-09-655. Washington D.C.: May 21, 2009. Combating Nuclear Smuggling: DHS’s Program to Procure and Deploy Advanced Radiation Detection Portal Monitors Is Likely to Exceed the Department’s Previous Cost Estimates. GAO-08-1108R. Washington, D.C.: September 22, 2008. Combating Nuclear Smuggling: Additional Actions Needed to Ensure Adequate Testing of Next Generation Radiation Detection Equipment. GAO-07-1247T. Washington, D.C.: September 18, 2007. Page 43 GAO-12-1009T Container Security Initiative Container Security Table 5: Total CSI and Secure Freight Initiative (SFI) Obligations, Fiscal Year 2004 through May 2012 (in millions) Initiative Fiscal year a CSI and SFI 2004 2005 2006 2007 2008 2009 2010 2011 2012b The Container Security Initiative (CSI) Obligations 61.4 126.1 138.0 138.5 145.9 148.9 145.5 106.9 51.6 is a bilateral government partnership Total for all years $1,062.8 program to station CBP officers at foreign seaports where they identify Source: DHS, U.S.-bound shipments at risk of a We were unable to distinguish between CSI and SFI obligations because they are funded out of the containing weapons of mass same budget line item. destruction or other terrorist b Represents fiscal year obligations through May 2012. contraband. CBP launched CSI in January 2002 in an effort to protect global trade lanes by targeting and Summary of Key Findings and Recommendations examining high-risk containers as Our work on CSI showed that the program has matured and improved, meeting early as possible in their movement its strategic goals by increasing both the number of CSI locations and the through the global supply chain. The proportion of total U.S.-bound containers passing through CSI ports. In addition, program was meant to address relationships with host governments have improved over time, leading to concerns (after the terrorist attacks of increased information sharing between governments and a bolstering of host September 11, 2001), that terrorists government customs and port security practices. Our reports made could smuggle weapons of mass destruction inside containers bound recommendations to CBP to further strengthen the CSI program by, among other for the United States. things, revising its staffing model, developing performance measures, and improving its methods for conducting on-site evaluations. CBP generally agreed As part of the program, foreign with our recommendations and has taken actions to address them. For example, governments allow CBP officers in the in response to one of our recommendations, in January 2009, CBP began CSI program to work closely with host transferring CSI staff from overseas ports to perform targeting remotely from the customs officials. CBP officers at the National Targeting Center in the United States. As part of this effort, foreign CSI seaports are responsible for staffing levels for CSI decreased and CBP was able to decrease the program’s targeting U.S.-bound high-risk cargo operating costs by over $35 million. shipped in containers and other tasks, whereas host government customs officials examine the high-risk cargo— Relevant GAO Products when requested by CBP—by Supply Chain Security: Container Security Programs Have Matured, but scanning containers using various Uncertainty Persists over the Future of 100 Percent Scanning. GAO-12-422T. types of nonintrusive inspection Washington, D.C.: February 7, 2012. See pages 12-13. equipment or by physically searching the containers before they are loaded Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports onto vessels bound for the United Have Increased, but Improved Data Collection and Performance Measures Are States. By fiscal year 2007 CBP Needed. GAO-08-187. Washington, D.C.: January 25, 2008. reached its goal of operating CSI in 58 foreign seaports, which collectively Container Security: A Flexible Staffing Model and Minimum Equipment accounted for more than 80 percent Requirements Would Improve Overseas Targeting and Inspection Efforts. GAO- of the cargo shipped to the United 05-557. Washington, D.C.: Apr. 26, 2005. States. Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July 25, 2003. Page 44 GAO-12-1009T Megaports Initiative Megaports Initiative Table 6: Total Megaports Expenditures, Fiscal Year 2003 through December 2011 (in millions) Megaports Fiscal year The Megaports Initiative seeks to Initiative 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 deter, detect, and interdict nuclear or other radiological materials smuggled Expenditure through foreign seaports. Established amount \a 1.3 56.4 60.9 57.1 88.7 102.7 136.4 167.3 145.1 33.8 by the Department of Energy (DOE) Total for all years $849.8 in 2003, the Initiative funds the Source: DOE installation of radiation detection a equipment at select seaports Expenditures are expressed in constant dollars. The total for fiscal year 2012 is as of December overseas. The Initiative trains foreign 2011. personnel to use this equipment to scan shipping containers entering and Summary of Key Findings and Recommendations leaving these seaports—regardless of destination—for nuclear and other We reported in March 2005 that the Megaports Initiative had established radioactive material that could be Megaports at two seaports—Rotterdam, the Netherlands, which is the largest used against the United States or its port in Europe, and Piraeus, Greece, where security concerns had increased allies. prior to the 2004 Olympic Games. DOE had trained foreign customs officials and provided radiation detection equipment to both seaports. However, we also To help decision-makers identify and reported that the Initiative had limited success in initiating work at seaports prioritize foreign seaports for identified as high priority. Among other things, we reported that it was difficult to participation in the Megaports gain the cooperation of foreign governments, in part because some countries Initiative, DOE uses a model that ranks foreign ports according to their were concerned that scanning large volumes of containers would create delays, relative attractiveness to potential thereby inhibiting the flow of commerce at their ports. We also found that the nuclear smugglers. The Maritime Initiative did not have a comprehensive long-term plan to guide the Initiative’s Prioritization Model incorporates efforts and faced several operational and technical challenges in installing information, such as port security radiation detection equipment at foreign seaports. We also previously reported conditions, volume of container traffic that DOE had faced several operational and technical challenges specific to passing through ports, the proximity installing and maintaining radiation detection equipment, including ensuring the of the ports to sources of nuclear ability to detect radioactive material, overcoming the physical layout of ports and material, and the proximity of the cargo container-stacking configurations, and sustaining equipment in port ports to the United States. The model environments with high winds and sea spray. We recommended that DOE (1) is updated regularly to incorporate develop a comprehensive long-term plan for the Initiative that identifies criteria new information. for deciding how to strategically set priorities for establishing Megaports and (2) reevaluate cost estimates and adjust long-term projections as necessary. DOE has implemented both recommendations. We are currently updating our work on the Megaports Initiative and expect to issue a report later this year. Relevant GAO Products Maritime Security: The SAFE Port Act: Status and Implementation One Year Later. GAO-08-126T. Washington, D.C.: October 30, 2007. See pages 41-42. Preventing Nuclear Smuggling: DOE Has Made Limited Progress in Installing Radiation Detection Equipment at Highest Priority Foreign Seaports. GAO-05- 375. Washington, D.C.: March 31, 2005. Page 45 GAO-12-1009T Secure Freight Initiative Secure Freight Initiative Obligations Information Obligations for this initiative are included with obligations for the Container The Secure Freight Initiative (SFI) Security Initiative, as shown in table 5 above. established pilot projects to test the feasibility of scanning 100 percent of U.S.-bound containers at foreign ports Summary of Key Findings and Recommendations to address concerns that terrorists We reported in October 2009 that CBP and DOE have been successful in would smuggle weapons of mass integrating images and radiological signatures of scanned containers onto a destruction (WMD) inside cargo computer screen that can be reviewed remotely from the United States. They containers bound for the United have also been able to use SFI as a test bed for new applications of existing States. CBP shares responsibility for technology, such as mobile radiation scanners. However, we reported in June the initiative with the State Department and the Department of 2008 that CBP has faced difficulties in implementing SFI due to challenges in Energy (DOE) as part of its host nation examination practices, performance measures, resource constraints, responsibilities for overseeing logistics, and technology limitations. We recommended in October 2009 that oceangoing container security and DHS, in consultation with the Secretaries of Energy and State, conduct cost- reducing the vulnerabilities associated benefit and feasibility analyses and provide the results to Congress. CBP stated with the supply chain. it does not plan to develop comprehensive cost estimates because SFI has been reduced to one port and it has no funds to develop such cost estimates. DHS and SFI was created, in part, due to CBP have not performed a feasibility assessment of 100 percent scanning to statutory requirements. The SAFE inform Congress as to what cargo scanning they can do, so this recommendation Port Act requires that pilot projects be has not yet been addressed. We will continue to monitor DHS and CBP actions established at three ports to test the that could address this recommendation. feasibility of scanning 100 percent of U.S.-bound containers at foreign ports (6 U.S.C. § 981). In August 2007, 2 Relevant GAO Products months before the pilot began operations, the Implementing Supply Chain Security: Container Security Programs Have Matured, but Recommendations of the 9/11 Uncertainty Persists over the Future of 100 Percent Scanning. GAO-12-422T. Commission Act of 2007 (9/11 Act) Washington, D.C.: February 7, 2012. See pages 15-19. was enacted, which requires, among other things, that by July 2012, 100 Maritime Security: Responses to Questions for the Record. GAO-11-140R. percent of all U.S.-bound cargo Washington, D.C.: October 22, 2010. See pages 17-21. containers be scanned before being Supply Chain Security: Feasibility and Cost-Benefit Analysis Would Assist DHS placed on a vessel at a foreign port, and Congress in Assessing and Implementing the Requirement to Scan 100 with possible extensions for ports Percent of U.S.-Bound Containers. GAO-10-12. Washington, D.C.: October 30, under certain conditions (6 U.S.C. § 2009. 982(b)). Ultimately, CBP implemented SFI at six ports. CBP Works with International Entities to Promote Global Customs Security Logistical, technological, and other Standards and Initiatives, but Challenges Remain. GAO-08-538. Washington, challenges prevented the participating D.C.: August 15, 2008. See pages 31-34. ports from achieving 100 percent scanning and DHS and CBP have Supply Chain Security: Challenges to Scanning 100 Percent of U.S.-Bound since reduced the scope of the SFI Cargo Containers. GAO-08-533T. Washington, D.C.: June 12, 2008. program from six ports to one. Further, in May 2012, the Secretary of Homeland Security issued a 2-year extension for all ports, thus delaying the implementation date for 100 percent scanning until July 2014. Page 46 GAO-12-1009T Customs-Trade Partnership Against Terrorism Customs-Trade Table 7: Total C-TPAT Obligations, Fiscal Year 2005 through May 2012 (in millions) Partnership Against Fiscal year 2012a Terrorism C-TPAT 2004 2005 2006 2007 2008 2009 2010 2011 Obligations 14.0 37.8 67.4 49.7 57.4 52.4 46.5 44.5 23.6 Total for all years $393.5 The Customs-Trade Partnership Against Terrorism (C-TPAT) program Source: DHS. is a voluntary program that enables a Represents fiscal year obligations through May 2012. CBP officials to work in partnership with private companies to review and approve the security of their Summary of Key Findings and Recommendations international supply chains. In We reported in April 2008 that the program holds promise as part of CBP’s multi- November 2001, CBP announced the faceted maritime security strategy. The program allows CBP to develop C-TPAT program as part of its efforts partnerships with the trade community, which is a challenge given the toward facilitating the free flow of international nature of the industry and resulting limits on CBP’s jurisdiction and goods while ensuring that the activities. C-TPAT provides CBP with a level or information sharing that would containers do not pose a threat to otherwise not be available. However, our reports raised a number of concerns homeland security. In October 2006, about the overall management of the program and its challenges in verifying that the SAFE Port Act established a C-TPAT members meet security criteria. We recommended that CBP strengthen statutory framework for the C-TPAT program, codified its existing program management by developing planning documents, performance membership processes, and added measures, and improving the process for validating security practices of C-TPAT new components—such as time members. CBP agreed with these recommendations and has addressed them. frames for certifying, validating, and revalidating members’ security practices (6 U.S.C. §§ 961-973). Relevant GAO Products Supply Chain Security: Container Security Programs Have Matured, but Companies that join the C-TPAT Uncertainty Persists over the Future of 100 Percent Scanning. GAO-12-422T. program commit to improving the Washington, D.C.: February 7, 2012. See pages 13-14. security of their supply chains and agree to provide CBP with information Supply Chain Security: Feasibility and Cost-Benefit Analysis Would Assist DHS on their specific security measures. In and Congress in Assessing and Implementing the Requirement to Scan 100 addition, the companies agree to Percent of U.S.-Bound Containers. GAO-10-12. Washington, D.C.: October 30, allow CBP to verify, among other 2009. See pages 41-43. things, that their security measures meet or exceed CBP’s minimum Supply Chain Security: U.S. Customs and Border Protection Has Enhanced Its security requirements. This allows Partnership with Import Trade Sectors, but Challenges Remain in Verifying CBP to ensure that the security Security Practices. GAO-08-240. Washington, D.C.: April 25, 2008. measures outlined in a member's security profile are in place and Cargo Security: Partnership Program Grants Importers Reduced Scrutiny with effective. In return for their Limited Assurance of Improved Security. GAO-05-404. Washington, D.C.: March participation in the program, C-TPAT 11, 2005. members are entitled a reduced likelihood of scrutiny of their cargo. Container Security: Expansion of Key Customs Programs Will Require Greater CBP has awarded initial C-TPAT Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July 25, certification—or acceptance of the company’s agreement to voluntarily 2003. participate in the program—to over 10,000 companies, as of February 2012. Page 47 GAO-12-1009T Mutual Recognition Arrangements Mutual Recognition Budget Authority Information Arrangements MRA are included in the Other International Programs budget line item, but there is no specific line item for these activities. As such, we were unable to determine MRA obligations information. Mutual recognition arrangements (MRAs) allow for the supply chain security-related practices and Summary of Key Findings and Recommendations programs taken by the customs administration of one country to be In our work on international supply chain security we reported that CBP has recognized by the administration of recognized that the United States is no longer self-contained in security another. As of July 2012, CBP has matters—either in its problems or its solutions. That is, the growing made such arrangements with five interdependence of nations necessitates that policymakers work in partnerships countries and an economic union as across national boundaries to improve supply chain security. We also reported part of its efforts to partner with that other countries are interested in developing customs-to-business partnership international organizations and programs similar to CBP’s C-TPAT program. Other countries are also interested develop supply chain security in bi-lateral or multi-lateral arrangements with other countries to mutually standards that can be implemented recognize each others’ supply chain container security programs. For example, throughout the international officials within the European Union and elsewhere see the C-TPAT program as community. one potential model for enhancing global supply chain security. Thus, CBP has According to CBP, a network of committed to promoting mutual recognition arrangements based on an mutual recognition could lead to international framework of standards governing customs and related business greater efficiency in improving relationships in order to enhance global supply chain security. Our work on other international supply chain security by, programs indicated that CBP does not always have critical information on other for example, reducing redundant countries’ customs examination procedures and practices, even at CSI ports examinations of cargo containers and where we have stationed officers. However, our reports to date have not made avoiding the unnecessary burden of any specific recommendations related to mutual recognition arrangements. addressing different sets of requirements as a shipment moves Relevant GAO Products throughout the global supply chain. CBP and other international customs Supply Chain Security: Container Security Programs Have Matured, but officials see mutual recognition Uncertainty Persists over the Future of 100 Percent Scanning. GAO-12-422T. arrangements as providing a possible Washington, D.C.: February 7, 2012. See pages 13-14. strategy for the CSI program (which includes stationing CBP officers Supply Chain Security: CBP Works with International Entities to Promote Global abroad). As of July 2012, CBP had Customs Security Standards and Initiatives, but Challenges Remain. GAO-08- signed six mutual recognition 538. Washington, D.C.: August 15, 2008. See pages 23-31. arrangements. Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed. GAO-08-187. Washington, D.C.: January 25, 2008. See pages 33-40. Page 48 GAO-12-1009T International Port Security Program International Port Budget Authority Information Security Program Activities related to the International Port Security Program are not specifically identified in the Coast Guard budget. Such activities fall under the Coast Guard’s ports, waterways and coastal security mission. See table 1 for the reported The International Port Security budget authority for that mission for fiscal years 2004 through 2013. Program (IPSP) provides for the Coast Guard and other countries’ counterpart agencies to visit and Summary of Key Findings and Recommendations assess the implementation of security measures in each others’ ports Our work on the International Port Security Program found that the Coast Guard against established security had made progress in visiting and assessing port security in foreign ports. We standards. The underlying reported in October 2007 that the Coast Guard had visited more than 100 assumption for the program is that the countries and found that most of the countries had substantially implemented the security of domestic ports also ISPS code. The Coast Guard had also consulted with a contractor to develop a depends upon security at foreign more risk-based approach to planning foreign country visits, such as ports where vessels and cargoes incorporating information on corruption and terrorist activities levels within a bound for the United States originate. country. The Coast Guard has made progress despite a number of challenges. MTSA required the Coast Guard to For example, the Coast Guard has been able to alleviate challenges related to develop such a program to assess sovereignty concerns of some countries by including a reciprocal visit feature in security measures in foreign ports which the Coast Guard hosts foreign delegations to visit U.S. ports and observe and, among other things, recommend ISPS Code implementation in the United States. Another challenge program steps necessary to improve security officials overcame was the lack of resources to improve security in poorer measures in those ports. To address countries. Specifically, Coast Guard officials worked with other federal agencies this requirement, the Coast Guard (e.g., the Departments of Defense and State) and international organizations established the International Port (e.g., the Organization of American States) to secure funding for training and Security Program in April 2004. assistance to poorer countries that need to strengthen port security efforts. Subsequently, in October 2006, the SAFE Port Act required the Coast Guard to reassess security measures at such foreign ports at least once Relevant GAO Products every 3 years (46 U.S.C. §§ 70108, 70109). Maritime Security: DHS Progress and Challenges in Key Areas of Port Security. In implementing the program, the GAO-10-940T. Washington, D.C.: July 21, 2010. See pages 10-11. Coast Guard uses the International Maritime Organization’s International Maritime Security: The SAFE Port Act: Status and Implementation One Year Ship and Port Facility Security (ISPS) Later. GAO-08-126T. Washington, D.C.: October 30, 2007. See pages 15-19. Code. This code serves as the Information on Port Security in the Caribbean Basin. GAO-07-804R. Washington, benchmark by which it measures the D.C.: June 29, 2007. effectiveness of a country’s antiterrorism measures in a port. Coast Guard teams conduct country visits, discuss implemented security measures, and collect and share best practices to help ensure a comprehensive and consistent approach to maritime security in ports worldwide. Page 49 GAO-12-1009T Appendix II: GAO Contact and Staff Appendix II: GAO Contact and Staff Acknowledgments Acknowledgments For questions about this statement, please contact Stephen L. Caldwell at (202) 512-9610 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Individuals making key contributions to this statement include Christopher Conrad (Assistant Director), Adam Anguiano, Aryn Ehlow, Allyson Goldstein, Paul Hobart, Amanda Kolling, Glen Levis, and Edwin Woodward. Additional contributors include Frances Cook, Tracey King, and Jessica Orr. (441104) Page 50 GAO-12-1009T This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (http://www.gao.gov). Each weekday GAO Reports and afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted Testimony products, go to http://www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: http://www.gao.gov/fraudnet/fraudnet.htm E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, email@example.com, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Maritime Security: Progress and Challenges 10 Years after the Maritime Transportation Security Act
Published by the Government Accountability Office on 2012-09-11.
Below is a raw (and likely hideous) rendition of the original report. (PDF)