oversight

Transportation Security Administration: Progress and Challenges Faced in Strengthening Three Key Security Programs

Published by the Government Accountability Office on 2012-03-26.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                            United States Government Accountability Office

GAO                         Testimony
                            Before the Committee on Oversight and
                            Government Reform and Committee on
                            Transportation and Infrastructure, House
                            of Representatives
                            TRANSPORTATION
For Release on Delivery
Expected at 1:30 p.m. EDT
Monday, March 26, 2012

                            SECURITY
                            ADMINISTRATION
                            Progress and Challenges
                            Faced in Strengthening
                            Three Key Security
                            Programs
                            Statement of Stephen M. Lord, Director
                            Homeland Security and Justice Issues




GAO-12-541T
Chairmen Issa and Mica, Ranking Members Cummings and Rahall, and
Members of the Committees:

I am pleased to be here today to discuss our past work examining the
Transportation Security Administration’s (TSA) progress and challenges
in improving transportation security. Securing commercial aviation
operations remain a daunting task—with hundreds of airports, thousands
of aircraft, and thousands of flights daily carrying millions of passengers
and pieces of checked baggage. The attempted terrorist bombing of
Northwest flight 253 on December 25, 2009, provided a vivid reminder
that civil aviation remains an attractive terrorist target and underscores
the need for effective passenger screening. Likewise, securing operations
at our nation’s maritime ports requires balancing security to address
potential threats while facilitating the flow of people and goods that are
critical to the U.S. economy and international commerce. Transportation
systems and facilities are vulnerable and difficult to secure given their
size, easy accessibility, large number of potential targets, and proximity to
urban areas.

As noted in our 9/11 Anniversary report, the terrorist attacks of
September 11, 2001, led to profound changes in government agendas,
policies, and structures to confront homeland security threats facing the
nation. 1 As highlighted in this report, the Department of Homeland
Security (DHS) and TSA have made notable achievements since these
attacks, including developing programs and technologies to screen
passengers, and control access to secured airport areas and port
facilities, yet challenges remain.

My testimony today focuses on DHS and TSA’s progress and related
challenges in implementing three key programs:

•   Screening of Passengers by Observation Techniques (SPOT)
    program—A TSA-designed program to provide behavior detection
    officers (BDO) with a means of identifying persons who may pose a
    potential security risk at TSA-regulated airports by focusing on
    behaviors and appearances that deviate from an established baseline
    and that may be indicative of stress, fear, or deception.


1
  GAO, Department of Homeland Security: Progress Made and Work Remaining in
Implementing Homeland Security Missions 10 Years after 9/11, GAO-11-881
(Washington, D.C.: Sept. 7, 2011).




Page 1                                                                GAO-12-541T
•   Advanced Imaging Technology (AIT)—a technology used to screen
    passengers in the nation’s airports.
•   Transportation Worker Identification Credential (TWIC) program—a
    DHS program that requires maritime workers to complete background
    checks and obtain a biometric identification card to gain unescorted
    access to secure areas of regulated maritime facilities.
This statement is based on our reports and testimonies issued from
March 2010 through March 2012 related to TSA’s efforts to manage
transportation security programs as well as selected updates, conducted
from February 2012 through March 2012, related to the current status of
the SPOT and TWIC programs and progress made on implementing
previous GAO recommendations aimed at correcting program
deficiencies. 2 For our past work, we reviewed applicable laws,
regulations, and policies. We also conducted interviews with DHS
component program managers and Science and Technology Directorate
officials to discuss issues related to individual programs, visited selected
airports to observe operations and meet with key program personnel,
analyzed available data from relevant program databases, and used other
methodologies. As part of our TWIC work, our investigators conducted
covert testing at enrollment center(s) to identify whether individuals
providing fraudulent information could acquire an authentic TWIC, and at
maritime ports with facilities regulated pursuant to the Maritime
Transportation Security Act of 2002 (MTSA) to identify security
vulnerabilities and program control deficiencies. More detailed information
on the scope and methodology from our previous work can be found
within each specific report. For the updates, we obtained budget
information from TSA and information on its efforts to conduct a cost-
benefit analysis of the SPOT program, as well as efforts to address TWIC
program internal control weaknesses, among other things. We conducted
this work in accordance with generally accepted government auditing



2
  We are evaluating the results of a TWIC pilot and the DHS report on the results of the
TWIC pilot that was submitted to the House Committees on Homeland Security and
Transportation and Infrastructure and the Senate Committees on Commerce, Science,
and Transportation and Homeland Security and Governmental Affairs, as well as to the
Comptroller General, on February 27, 2012 pursuant to section 802 of the Coast Guard
Authorization Act of 2010. See Pub.L. No. 111-281, 124 Stat. 2905, 2989-90 (2010). We
plan to issue a report with the results from this work by the end of 2012. At the request of
the House Committee on Transportation and Infrastructure we are initiating a review of the
SPOT program which will examine TSA efforts to address some of the limitations
identified in earlier DHS and GAO studies. We plan to issue a report with the results from
this work in 2013.




Page 2                                                                         GAO-12-541T
             standards. Those standards require that we plan and perform the audit to
             obtain sufficient, appropriate evidence to provide a reasonable basis for
             our findings and conclusions based on our audit objectives. We believe
             that the evidence obtained provides a reasonable basis for our findings
             and conclusions based on our audit objectives. We conducted our related
             investigative work in accordance with standards prescribed by the Council
             of the Inspectors General on Integrity and Efficiency.


             The Aviation and Transportation Security Act (ATSA) established TSA as
Background   the federal agency with primary responsibility for securing the nation’s
             civil aviation system, which includes the screening of all passengers and
             property transported from and within the United States by commercial
             passenger aircraft. 3 In accordance with ATSA, all passengers, their
             accessible property, and their checked baggage are screened pursuant to
             TSA-established procedures at the 446 airports presently regulated for
             security by TSA. These procedures generally provide, among other
             things, that passengers pass through security checkpoints where they
             and their identification documents, and accessible property, are checked
             by transportation security officers (TSO), other TSA employees, or by
             private-sector screeners under TSA’s Screening Partnership Program. 4
             Airport operators, however, also have direct responsibility for
             implementing TSA security requirements, such as those relating to
             perimeter security and access controls, in accordance with their approved
             security programs and other TSA direction.

             TSA relies upon multiple layers of security to deter, detect, and disrupt
             persons posing a potential risk to aviation security. These layers include
             BDOs, who examine airport passenger behaviors and appearances to
             identify passengers who might pose a potential security risk at TSA-
             regulated airports; travel document checkers, who examine tickets,
             passports, and other forms of identification; TSOs responsible for
             screening passengers and their carry-on baggage at passenger


             3
               See Pub. L. No. 107-71, 115 Stat. 597 (2001). For purposes of this testimony,
             “commercial passenger aircraft” refers to U.S. or foreign-flagged air carriers operating
             under TSA-approved security programs with regularly scheduled passenger operations to
             or from a U.S. airport.
             4
              Private-sector screeners, employed by an entity under contract to and overseen by TSA,
             and not TSOs, perform screening activities at the 16 airports currently participating in
             TSA’s Screening Partnership Program as of March 2012. See 49 U.S.C. § 44920.




             Page 3                                                                      GAO-12-541T
checkpoints, using X-ray equipment, magnetometers, AIT, and other
devices; random employee screening; and checked-baggage screening. 5

MTSA required the Secretary of Homeland Security to prescribe
regulations preventing individuals from having unescorted access to
secure areas of MTSA-regulated facilities and vessels unless they
possess a biometric transportation security card 6 and are authorized to be
in such an area. 7 Pursuant to MTSA, the Secretary shall issue such
biometric transportation security cards to eligible individuals unless the
Secretary determines that an applicant poses a security risk warranting
denial of the card. The TWIC program is designed to implement these
biometric maritime security card requirements. The program requires
maritime workers to complete background checks to obtain a biometric
identification card and be authorized to be in the secure area by the
owner/operator in order to gain unescorted access to secure areas of
MTSA-regulated facilities and vessels. Within DHS, TSA and the U.S.
Coast Guard manage the TWIC program.

A federal regulation (known as the credential rule) issued in January 2007
sets a compliance deadline, subsequently extended to April 15, 2009,
whereby each maritime worker would be required to hold a TWIC in order
to obtain unescorted access to secure areas of MTSA-regulated facilities
and vessels. 8 A second rule, the card reader rule, is currently under
development and is expected to address how the access-control
technologies, such as biometric card readers, are to be used for
confirming the identity of the TWIC holder against the biometric
information on the TWIC. TSA conducted a pilot program ending on May
31, 2011, testing the use of TWICs with biometric card readers to help


5
 AIT, commonly referred to as body scanners, produces images of the body to screen
passengers for metallic and nonmetallic threats including weapons, explosives, and other
objects concealed under layers of clothing.
6
 Biometrics refers to technologies that measure and analyze human body
characteristics—such as fingerprints, eye retinas and irises, voice patterns, facial patterns,
and hand measurements—for authentication purposes.
7
  See Pub. L. No. 107-295, § 101, 116 Stat. 2064, 2073-74 (2002) (codified as amended
at 46 U.S.C. § 70105).
8
 The credential rule established that all maritime workers requiring unescorted access to
secure areas of MTSA-regulated facilities and vessels were expected to hold TWICs by
September 25, 2008. See 72 Fed. Reg. 3,492 (Jan. 25, 2007). The final compliance date
was subsequently extended to April 15, 2009. See 73 Fed. Reg. 25,562 (May 7, 2008).




Page 4                                                                           GAO-12-541T
                       inform the development of a second TWIC regulation, among other
                       purposes.


                       TSA developed the SPOT program in an effort to respond to potential
Additional DHS and     threats to aviation security by identifying individuals who may pose a
TSA Actions Needed     threat to aviation security, including terrorists planning or executing an
                       attack who were not likely to be identified by TSA’s other screening
to Validate TSA’s      security measures. This program was designed to focus on identifying
Behavior-Based         behaviors and appearances that deviate from an established baseline
                       and that may be indicative of stress, fear, or deception. As we reported in
Screening Program,     September 2011, TSA had deployed about 3,000 BDOs to about 160 of
Establish              the approximately 446 TSA-regulated airports in the United States at
Performance            which passengers and their property are subject to TSA-mandated
                       screening procedures. 9 The following describes progress achieved and
Measures, and Assess   challenges faced by TSA in validating the science underlying the SPOT
Costs and Benefits     program, developing performance measures, and conducting cost-benefit
                       analysis of SPOT.

                       Validation efforts. TSA has taken actions to validate the science
                       underlying its behavior detection program, but more work remains. In May
                       2010 we reported that TSA deployed SPOT nationwide before first
                       determining whether there was a scientifically valid basis for using
                       behavior and appearance indicators as a means for reliably identifying
                       passengers who may pose a risk to the U.S. aviation system. 10 We
                       recommended that DHS convene an independent panel of experts to
                       review DHS’s efforts to validate the program and determine whether the
                       validation methodology used was sufficiently comprehensive. DHS
                       concurred with our recommendation, and its Science and Technology
                       Directorate completed a validation study in April 2011 to determine the
                       extent to which SPOT was more effective than random screening at
                       identifying security threats and how the program’s behaviors correlate to



                       9
                         See GAO, Aviation Security: TSA Has Made Progress, but Additional Efforts Are
                       Needed to Improve Security, GAO-11-938T (Washington, D.C.: Sept. 16, 2011). In our
                       September 2011 testimony, we cited 463 TSA-regulated airports. TSA has subsequently
                       reduced that number to 446.
                       10
                          See GAO, Aviation Security: Efforts to Validate TSA’s Passenger Screening Behavior
                       Detection Program Underway, but Opportunities Exist to Strengthen Validation and
                       Address Operational Challenges, GAO-10-763 (Washington, D.C.: May 20, 2010).




                       Page 5                                                                     GAO-12-541T
identifying high-risk travelers. 11 The study found that SPOT was more
effective than random screening to varying degrees. However, as noted in
the study, the assessment was an initial validation step and was not
designed to fully validate whether behavior detection can be used to
reliably identify individuals in an airport environment who pose a security
risk. In addition, DHS outlined several limitations to the study. For
example, the study noted that BDOs were aware that individuals they
were screening were referred to them as the result of BDO-identified
SPOT indicators or random selection. DHS stated that this had the
potential to introduce bias into the assessment, and that additional work
would be needed to comprehensively validate the program.

DHS’s study made recommendations related to the need for further
validation efforts, comparing SPOT with other screening programs, and
broader program evaluation issues, some of which echoed
recommendations we made in May 2010. DHS’s recommendations are
intended to help the program conduct a more comprehensive validation of
whether the science can be used for counterterrorism purposes in the
aviation environment. Given the broad scope of the additional work and
needed resources identified by DHS for addressing the
recommendations, it could take several years to complete. Officials
further stated that it is undertaking actions to address some of these
recommendations, such as conducting additional analysis of the
program’s behaviors and associated SPOT scoring system in
coordination with DHS’s Science and Technology Directorate. 12
According to TSA, a refined list of the behaviors and appearances used in
the SPOT program to identify high-risk passengers will be completed by
mid-2012. TSA is taking actions to refine the program, but questions
related to the program’s validity will remain until TSA demonstrates that
using behavior detection techniques can help secure the aviation system
against terrorist threats.


11
   See DHS, SPOT Referral Report Validation Study Final Report Volume I: Technical
Report (Washington, D.C.: Apr. 5, 2011). DHS’s study defines high-risk passengers as
travelers who knowingly and intentionally try to defeat the security process, including
those carrying serious prohibited items, such as weapons; illegal items, such as drugs; or
fraudulent documents, or those who were ultimately arrested by law enforcement.


12
   TSA developed a scoring system to help determine which passengers exhibited enough
SPOT behaviors to be referred to secondary screening or to law enforcement officers for
additional screening, or both.




Page 6                                                                        GAO-12-541T
According to TSA, as part of its SPOT improvement efforts, TSA is pilot
testing revised procedures for BDOs at Boston-Logan and Detroit
International Airports to engage passengers entering screening in casual
conversation to help determine suspicious behaviors. According to TSA,
after a passenger’s travel documents are verified, a BDO will briefly
engage each passenger in conversation. If more information is needed to
help determine suspicious behaviors, the officer will refer the passenger
to a second BDO for a more thorough conversation to determine if
additional screening is needed. TSA noted that these BDOs have
received additional training in interviewing methods. TSA plans to expand
this pilot program to additional airports. We will be assessing this pilot as
part of a follow-on review of the SPOT program requested by the
Chairman of the House Transportation and Infrastructure Committee and
plan to report on the results in 2013.

Performance measures. Our work on TSA’s behavior detection program
has underscored the importance of developing sound measures to
evaluate the effectiveness of TSA security programs. The Office of
Management and Budget (OMB) encourages the use of outcome
measures—which track progress toward a strategic goal by documenting
the beneficial results of programs—because they are more meaningful
than output measures, which tend to be more process oriented or a
means to an end. 13 Congress also needs information on whether and in
what respects a program is working well or poorly to support its oversight
of agencies and their budgets. As we reported in May 2010, TSA had




13
   DHS’s National Infrastructure Protection Plan (Washington, D.C.: June 2006), internal
controls standards, and our previous work on program assessment state that performance
metrics and associated program evaluations are needed to determine if a program works
and to identify adjustments that may improve its results. The NIPP includes a risk
management framework that consists of six steps, which closely reflects GAO’s risk
management framework. (See GAO, Risk Management: Further Refinements Needed to
Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure,
GAO-06-91 (Washington, D.C.: Dec. 15, 2005). Like GAO’s framework, the NIPP’s risk
management framework is a repetitive process that continuously uses the results of each
step to inform the activities in both subsequent and previous steps over time. The NIPP
risk management framework is designed to produce a systematic and comprehensive
understanding of risk and ultimately provide for security investments based on this
knowledge of risk.




Page 7                                                                        GAO-12-541T
established output-based performance measures 14 for the SPOT
program, such as the number of SPOT referrals to law enforcement
officers and subsequent arrests; however, it had not fielded outcome-
oriented performance measures, such as identifying individuals who may
pose a threat to the transportation system, to evaluate the effectiveness
of the SPOT program. With such outcome measures, TSA could more
fully assess SPOT’s contribution to improving aviation security.

As noted in our May 2010 report, SPOT officials told us that it was not
known if the SPOT program resulted in the arrest of anyone who is a
terrorist or who was planning to engage in terrorist-related activity.
According to TSA, in fiscal year 2010, SPOT referred about 50,000
passengers for additional screening and made about 3,600 referrals to
law enforcement officers. The referrals to law enforcement officers
yielded approximately 300 arrests. Of these 300 arrests, TSA stated that
27 percent were illegal aliens, 17 percent were drug related, 14 percent
were related to fraudulent documents, 12 percent were related to
outstanding warrants, and 30 percent were related to other offenses. As
highlighted in our May 2010 report, we examined the travel of key
individuals allegedly involved in six terrorist plots that have been
uncovered by law enforcement agencies. We determined that at least 16
of the individuals allegedly involved in these plots moved through 8
different airports where the SPOT program had been implemented. In
total, these individuals moved through SPOT airports on at least 23
different occasions. 15

In May 2010, we recommended that to better measure the effectiveness
of the program and evaluate the performance of BDOs, TSA should


14
   According to OMB Circular No. A-11, outputs describe the level of activity that will be
provided over a period of time, including a description of the characteristics (e.g.,
timeliness) established as standards for the activity. They also refer to the internal
activities of a program (i.e., the products and services delivered). Output measures help
determine the extent to which an activity was performed as planned. Outcome-related
measures are more robust measures because they provide a more comprehensive
assessment of the success of the agency’s efforts, as stated in DHS’s 2009 NIPP.
15
   For example, according to Department of Justice documents, in December 2007 an
individual who later pleaded guilty to providing material support to Somali terrorists
boarded a plane at the Minneapolis-Saint Paul International Airport en route to Somalia to
join terrorists there. Similarly, in August 2008 an individual who later pleaded guilty to
providing material support to al-Qaeda boarded a plane at Newark Liberty International
Airport en route to Pakistan to receive terrorist training to support his efforts to attack the
New York subway system.




Page 8                                                                            GAO-12-541T
establish a plan that includes objectives, milestones, and time frames to
develop outcome-oriented performance measures. 16 DHS concurred with
our recommendation while noting that it is difficult to establish measures
for a deterrence-based program. According to TSA, the agency has
recently developed a metrics framework, which includes process
measures, output measures, and outcome measures, that will allow
SPOT programs at each airport to measure their improvement year by
year. After the framework is validated by DHS’s Science and Technology
Directorate and subject matter experts, TSA expects to roll out this
metrics framework as part of TSA’s general performance management
system in the fourth quarter of fiscal year 2012. We plan to assess this
framework as part of our recently initiated review of SPOT.

Cost-Benefit Analysis. As we reported in May 2010, TSA did not
complete a cost-benefit analysis before deploying the SPOT program.
According to the DHS National Infrastructure Protection Plan, security
strategies should be informed by, among other things, a risk assessment
that includes threat, vulnerability, and consequence assessments;
information such as cost-benefit analyses to prioritize investments; and
performance measures to assess the extent to which a strategy reduces
or mitigates the risk of terrorist attacks. 17 Our prior work has shown that
cost-benefit analyses help congressional and agency decision makers
assess and prioritize resource investments and consider potentially more
cost-effective alternatives, and that without this ability, agencies are at
risk of experiencing cost overruns, missed deadlines, and performance
shortfalls. 18

In May 2010, we reported that TSA did not conduct such an analysis of
SPOT prior to full-scale nationwide deployment, and we recommended
that it do so, including a comparison of the SPOT program with other
security screening programs, such as random screening, or already
existing security measures. DHS concurred with our recommendation and
noted that TSA was developing an initial cost-benefit analysis. However, it
was not clear from DHS’s comments whether its cost-benefit analysis


16
     GAO-10-763.
17
  DHS, National Infrastructure Protection Plan. In 2009, DHS issued an updated plan that
replaced the one issued in 2006.
18
  See GAO, Homeland Security: DHS and TSA Acquisition and Development of New
Technologies, GAO-11-957T (Washington, D.C.: Sept. 22, 2011).




Page 9                                                                     GAO-12-541T
                        would include a comparison of the SPOT program with other TSA security
                        screening programs and existing security measures as we recommended.
                        As of March 2012, TSA has not conducted a cost-benefit analysis, which
                        could help the agency establish the value of the program relative to other
                        layers of aviation security. Moreover, a cost-benefit analysis could also be
                        useful in considering future program growth. The program’s budget has
                        increased from $198 million in fiscal year 2009 to a requested $227
                        million in fiscal year 2013, a 15 percent increase over 5 years. In March
                        2012, TSA officials stated that TSA has developed a “risk and cost
                        analysis framework,” which has been applied to several different TSA
                        programs, such as its AIT. TSA is refining the framework in order to
                        complete the risk and cost analysis work for SPOT BDOs, which could
                        provide TSA management with additional information on whether its BDO
                        allocation is a prudent investment. We will be assessing this issue as part
                        of our recently initiated review of SPOT.


                        As we reported in March 2010, in response to the December 25, 2009,
Full-Body Scanners      attempted bombing of Northwest flight 253, the Secretary of Homeland
Not Fully Utilized at   Security announced five corrective actions to improve aviation security,
                        including accelerating deployment of AIT to identify materials such as
Some Airports           those used in the attempted Christmas Day bombing. 19 According to TSA
                        officials, AIT was to provide enhanced security benefits compared to
                        walk-through metal detectors, such as enhanced detection capabilities for
                        identifying nonmetallic threat objects and liquids.

                        In January 2012, we issued a classified report on TSA’s procurement and
                        deployment of AIT, commonly referred to as full body scanners, at airport
                        checkpoints. 20 As of March 2012, TSA has deployed about 640 AIT units
                        to 165 TSA-regulated airports. Among other things, we reported instances
                        where AIT units were not being used, which raised questions about the



                        19
                           See GAO-10-484T. The other four actions include modifying the criteria used to create
                        terrorist watch lists, establishing a partnership between DHS and the Department of
                        Energy and its national laboratories to develop new technologies to deter threats to
                        aviation, strengthen the presence of Federal Air Marshals aboard U.S.-bound flights, and
                        working with international partners to strengthen international security measures and
                        standards for aviation security.
                        20
                           Details from this section were removed because TSA deemed them Sensitive Security
                        Information, which must be protected from public disclosure pursuant to 49 C.F.R. part
                        1520.




                        Page 10                                                                     GAO-12-541T
cost-effectiveness of this acquisition. We analyzed TSA’s utilization data
collected from March 2010 through February 2011 on all deployed AIT
units and found that some deployed units were not used regularly,
decreasing their potential security benefit. During this time period, some
of the deployed AIT units were used on less than 5 percent of the days
they were available since their deployment. 21 Additionally, some units
were used on less than 30 percent of the days available since their
installation. 22 Moreover, we reported that at some of the 12 airports we
visited, AIT units were deployed but were not regularly used. For
example, at one airport we observed that TSA had deployed 3 AIT units
in an airport terminal that typically handles one flight a day of
approximately 230 passengers. TSA officials reported that 2 of the AIT
units were seldom used because of the lack of passengers and stated
that they believed the AIT units were deployed based on space
constraints in areas where they could be placed. According to the Federal
Acquisition Regulation, acquisition begins at the point when agency
needs are established and includes, among other things, the description
of requirements to satisfy agency needs. 23 The limited use of some of
these machines may indicate that there was not a clear need for them at
the time they were acquired at the locations in which they were deployed.
Each AIT unit costs approximately $250,000 to acquire and install.
Additionally, each AIT unit is budgeted for five full-time equivalent (FTE)
personnel, each of which costs approximately $63,000 per year. 24 Using
these figures, we estimate that the first year total cost–including
acquisition, installation, and equipment operator salary—was several
million dollars. 25 In January 2012, we made a recommendation to TSA to
study current AIT utilization and address the extent to which currently


21
   The specific number of AIT units used on less than 5 percent of the days available
since their deployment was deleted because it is considered Sensitive Security
Information.
22
   The specific number of AIT units used on less than 30 percent of the days available
since their installation was deleted because it is considered Sensitive Security Information.
23
     See 48 C.F.R. § 2.101.
24
  We estimated that the 486 AIT units deployed at the time would cost approximately
$153 million in labor to operate per year. This was based on 5 FTEs per unit and the
average TSO salary and benefit cost of $63,000.
25
   We did not include the specific cost information in the public version of the report as it
would identify the number of AIT units in question, which is considered Sensitive Security
Information.




Page 11                                                                          GAO-12-541T
                        deployed AIT units are used. TSA concurred with our recommendation
                        and plans to take efforts to address it.


                        The TWIC program is intended to improve maritime security by using a
Additional Actions      federally sponsored credential to enhance access controls to secure
Needed to Strengthen    areas at MTSA-regulated facilities and vessels. As of March 20, 2012, the
                        TWIC program has enrolled over 2.1 million maritime workers and issued
Internal Controls and   nearly 2 million credentials. The TWIC is to be used by individuals
Address TWIC            requesting unescorted access to MTSA-regulated facilities and vessels
                        and currently is to be visually inspected by facility and vessel operators.
Effectiveness           The following describes progress made and challenges faced by DHS
                        related to the TWIC program’s system of internal controls and DHS’s
                        efforts in assessing the effectiveness of TWIC.

                        Internal Controls. DHS has established a system of TWIC-related
                        processes and controls to assist in implementation of the program. In May
                        2011, we reported that internal control weaknesses governing the
                        enrollment, background checking, and use of TWIC potentially limit the
                        program’s ability to meet the program’s stated mission needs or provide
                        reasonable assurance that access to secure areas of MTSA-regulated
                        facilities is restricted to qualified individuals. 26 Key program weaknesses
                        included an inability to provide reasonable assurance that only qualified
                        individuals can acquire TWICs or that once issued a TWIC, TWIC holders
                        have continued to meet eligibility requirements.

                        As we reported in May 2011, to meet the stated program purpose, TSA’s
                        focus in designing the TWIC program was on facilitating the issuance of
                        TWICs to maritime workers. However, TSA did not assess the internal
                        controls in place to determine whether they provided reasonable
                        assurance that the program could meet defined mission needs for limiting
                        access to only qualified individuals. 27 For example, controls that the TWIC



                        26
                          GAO, Transportation Worker Identification Credential: Internal Control Weaknesses
                        Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington,
                        D.C.: May 10, 2011).
                        27
                           In accordance with GAO, Standards for Internal Control in the Federal
                        Government,GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), the design of the
                        internal controls is to be informed by identified risks the program faces from both internal
                        and external sources, the possible effect of those risks, control activities required to
                        mitigate those risks, and the cost and benefits of mitigating those risks.




                        Page 12                                                                        GAO-12-541T
program had in place to identify the use of potentially counterfeit identity
documents were not used to routinely inform background checking
processes. Additionally, controls were not in place to determine whether
an applicant has a need for a TWIC. Further, TWIC program controls
were not designed to provide reasonable assurance that TWIC holders
maintained their eligibility once issued TWICs. For example, controls
were not designed to determine whether TWIC holders have committed
disqualifying crimes at the federal or state levels after being granted a
TWIC.

We further reported that internal control weaknesses in TWIC enrollment,
background checking, and use could have contributed to the breach of
selected MTSA-regulated facilities during covert tests conducted by our
investigators. During these tests at several selected ports, our
investigators were successful in accessing port facilities using counterfeit
TWICs, authentic TWICs acquired through fraudulent means, and false
business cases (i.e., reasons for requesting access). Our investigators
did not gain unescorted access to a port where a secondary port-specific
identification was required in addition to the TWIC. TSA and Coast Guard
officials stated that the TWIC alone is not sufficient and that the
cardholder is also required to present a business case. However, our
covert tests demonstrated that having an authentic TWIC and a legitimate
business case were not always required in practice.

In our May 2011 report, we recommended that the Secretary of
Homeland Security perform an internal control assessment of the TWIC
program by (1) analyzing existing controls, (2) identifying related
weaknesses and risks, and (3) determining cost-effective actions needed
to correct or compensate for those weaknesses so that reasonable
assurance of meeting TWIC program objectives can be achieved. DHS
officials concurred with our recommendations. As of March 2012, DHS
reported that it had initiated a review of current internal controls,
established a working group with executive oversight to develop and
implement solutions to these recommendations, and completed a number
of short-term actions to partially address some of the weaknesses. We
plan to assess these actions as part of our review of the TWIC pilot and
will issue a report on our assessment later this year.

TWIC’s Effectiveness. As we reported in May 2011, DHS asserted that
the absence of the TWIC program would leave America’s critical maritime




Page 13                                                            GAO-12-541T
port facilities vulnerable to terrorist activities. 28 However, to date, DHS
has not assessed the effectiveness of TWIC at enhancing security or
reducing risk for MTSA-regulated facilities and vessels. Further, DHS has
not demonstrated that TWIC, as currently implemented and planned with
card readers, is more effective than prior approaches used to limit access
to ports and facilities, such as using facility-specific identity credentials
with business cases (i.e., reasons for requesting access).

According to TSA and Coast Guard officials, because the program was
mandated by Congress as part of MTSA, DHS did not conduct a risk
assessment to identify and mitigate program risks prior to implementation.
However, internal control weaknesses raise questions about the
effectiveness of the TWIC program. Moreover, as we have previously
reported, Congress also needs information on whether and in what
respects a program is working well or poorly to support its oversight of
agencies and their budgets, and agencies’ stakeholders need
performance information to accurately judge program effectiveness.
Therefore, we recommended in our May 2011 report that the Secretary of
Homeland Security conduct an effectiveness assessment that includes
addressing internal control weaknesses and, at a minimum, evaluate
whether use of TWIC in its present form and planned use with readers
would enhance the posture of security beyond efforts already in place
given costs and program risks. We further recommended that the internal
control and effectiveness assessments be used as the basis for
evaluating the costs, benefits, and security risks of the TWIC program
prior to requiring the use of TWICs with card readers. DHS concurred with
our recommendation. As of March 2012, DHS reports that it is further
evaluating the TWIC program using its risk assessment model. This step
could help inform DHS of the TWIC program’s effectiveness.


Chairmen Issa and Mica, Ranking Members Cummings and Rahall, and
Members of the Committees, this concludes my prepared statement. I
would be pleased to respond to any questions that you may have at this
time.



28
   See DHS, Transportation Worker Identification Credentialing (TWIC), DHS Exhibit 300
Public Release BY10/TSA (Washington, D.C.: Apr. 17, 2009), and Transportation Worker
Identification Credentialing (TWIC), DHS Exhibit 300 Public Release BY09/TSA
(Washington, D.C.: July 27, 2007).




Page 14                                                                    GAO-12-541T
                  If you or your staff have any questions about this testimony, please
GAO Contact and   contact me at (202) 512-4379 or lords@gao.gov. Contact points for our
Staff             Offices of Congressional Relations and Public Affairs may be found on
                  the last page of this statement. Individuals making key contributions to
Acknowledgments   this testimony are David M. Bruno, Assistant Director; Steve D. Morris,
                  Assistant Director; Carissa Bryant; Joseph P. Cruz; Emily Gunn, and Tom
                  Lombardi. Key contributors to the previous work that this testimony is
                  based on are listed in each individual product.




(441062)
                  Page 15                                                       GAO-12-541T
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.