oversight

Transportation Security Acquisition Reform Act: TSA Generally Addressed Requirements, but Could Improve Reporting on Security-Related Technology

Published by the Government Accountability Office on 2019-01-17.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

               United States Government Accountability Office
               Report to Congressional Committees




               TRANSPORTATION
January 2019




               SECURITY
               ACQUISITION
               REFORM ACT

               TSA Generally
               Addressed
               Requirements,
               but Could Improve
               Reporting on Security-
               Related Technology



GAO-19-96
                                               January 2019

                                               TRANSPORTATION SECURITY ACQUISITION
                                               REFORM ACT
                                               TSA Generally Addressed Requirements, but Could
Highlights of GAO-19-96, a report to           Improve Reporting on Security-Related Technology
congressional committees




Why GAO Did This Study                         What GAO Found
Enacted in December 2014, TSARA                Since 2016, the Transportation Security Administration (TSA) generally
introduced legislative reforms to              addressed Transportation Security Acquisition Reform Act (TSARA)
promote greater transparency and               requirements through its policies and procedures for acquisition justifications,
accountability in TSA’s SRT                    baseline requirements, and management of inventory. TSA also, among other
acquisitions.                                  actions, submitted a technology investment plan and annual small-business
                                               contracting goals reports to Congress as required.
TSARA contains a provision that GAO
submit two reports to Congress on              Since December 2014, TSA reported limited security-related technology (SRT)
TSA’s progress in implementing                 acquisitions to Congress under TSARA, submitting its first report in August 2018.
TSARA. In February 2016, GAO                   TSARA contains a report and certification provision pursuant to which TSA is to
issued the first report that found TSA         submit information to Congress 30 days prior to the award of a contract for an
had taken actions to address TSARA.            SRT acquisition exceeding $30 million. Through July 2018, TSA obligated about
This second report examines TSA’s (1)          $1.4 billion on SRT and associated services. TSA officials explained that none of
progress in addressing TSARA                   these obligations—including 7 SRT orders, each in excess of $30 million—
requirements since 2016, (2) reporting         invoked the report and certification provision because the obligations did not
to Congress on SRT acquisitions, and           align with TSA’s implementation policy, which provides that the $30 million
(3) internal communication of its              threshold relates to the contract ceiling of the initial SRT contract and not to
implementation decisions. GAO                  individual task and delivery orders. Revising TSA’s policy to include contracts for
examined TSARA and TSA documents               services that enhance the capabilities of SRT, including any orders for SRT and
and guidance; analyzed TSA contract            associated services in excess of $30 million, would better ensure that Congress
data and reports from TSARA’s                  has the information it needs to effectively oversee TSA’s SRT acquisitions.
enactment in December 2014 through
July 2018 and September 2018,                  TSA has not effectively communicated internally its implementation decisions for
respectively; and interviewed DHS and          what constitutes an SRT under TSARA. TSA officials described to GAO that SRT
TSA officials on actions taken to              must be equipment that is public facing, but TSA’s policy does not clearly state
implement TSARA. GAO also                      the parameters of what is considered an SRT. Without clear guidance, TSA staff
conducted interviews with TSA officials        may be unaware of these parameters and how they apply to future acquisitions
on parameters for reporting on SRT             under TSARA. For example, TSA acquisition program staff were initially unable
acquisitions.                                  to confirm for GAO whether the technologies TSA had acquired were SRTs and
                                               thus subject to TSARA. Updating TSA policy to include detailed parameters for
What GAO Recommends                            what constitutes an SRT would better ensure consistency in applying the act.
GAO recommends that TSA revise its
                                               Examples of Security-Related Technology
policies for the report and certification
provision of TSARA to include
reporting on task and delivery orders
and services associated with SRT, and
clarify in policy what constitutes an
SRT under TSARA. DHS generally
concurred with the recommendations
and described steps it plans to take to
implement them.




View GAO-19-96. For more information,
contact William Russell at (202) 512-8777 or
russellw@gao.gov.



                                                                                         United States Government Accountability Office
Contents


Letter                                                                                  1
               Background                                                               4
               TSA Generally Addressed TSARA Requirements                               9
               TSA’s Narrow Application of TSARA Has Resulted in Limited
                 Reporting to Congress on SRT-related Acquisitions                    14
               TSA Has Not Effectively Communicated Internally Its TSARA
                 Implementation Decisions                                             24
               Conclusion                                                             25
               Recommendations for Executive Action                                   26
               Agency Comments and our Evaluation                                     27

Appendix I     Transportation Security Acquisition Reform Act Requirements            29



Appendix II    Comments from the Department of Homeland Security                      36



Appendix III   GAO Contact and Staff Acknowledgements                                 40


Tables
               Table 1: Transportation Security Administration Contract
                       Obligations for Security-Related Technology (SRT) and
                       Associated Services, December 18, 2014 through July 31,
                       2018                                                           16
               Table 2: Transportation Security Administration (TSA) Policy for
                       What Constitutes a Security-Related Technology (SRT)
                       and a Contract Award for an SRT Acquisition Under the
                       Transportation Security Acquisition Reform Act (TSARA)         17
               Table 3: The Strategic Five-Year Technology Investment Plan 6
                       U.S.C. § 563                                                   29
               Table 4: Acquisition Justification 6 U.S.C. § 563                      31
               Table 5: Baseline Requirements 6 U.S.C. § 563b                         32
               Table 6: Inventory Management 6 U.S.C. § 563c                          34
               Table 7: Small Business Contracting Goals Report 6 U.S.C. §
                       563d                                                           35
               Table 8: Federal Acquisition Regulation Consistency 6 U.S.C. §
                       563e                                                           35




               Page i                                           GAO-19-96 TSA Acquisitions
Figures
          Figure 1: Examples of Security-Related Technology Acquired by
                   the Transportation Security Administration                                        6
          Figure 2: Department of Homeland Security (DHS) Acquisition Life
                   Cycle for Acquisition Programs                                                   7
          Figure 3: Video of the Transportation Security Administration
                   Innovation Task Force Demonstration of Automated
                   Screening Lanes                                                                  13
          Figure 4: Example of the Timeline for a Transportation Security
                   Administration (TSA) Explosives Detection Systems
                   Contract                                                                         22




          Abbreviations

          AIT               Advanced Imaging Technology
          DHS               Department of Homeland Security
          EDS               Explosives Detection System
          FPDS-NG           Federal Procurement Data System-Next Generation
          IDIQ              Indefinite-Delivery/Indefinite-Quantity
          SRT               Security-Related Technology
          STIP              Security Technology Integrated Program
          TSA               Transportation Security Administration
          TSARA             Transportation Security Acquisition Reform Act


          This is a work of the U.S. government and is not subject to copyright protection in the
          United States. The published product may be reproduced and distributed in its entirety
          without further permission from GAO. However, because this work may contain
          copyrighted images or other material, permission from the copyright holder may be
          necessary if you wish to reproduce this material separately.




          Page ii                                                       GAO-19-96 TSA Acquisitions
                       Letter




441 G St. N.W.
Washington, DC 20548




                       January 17, 2019

                       The Honorable Roger F. Wicker
                       Chairman
                       The Honorable Maria Cantwell
                       Ranking Member
                       Committee on Commerce, Science, and Transportation
                       United States Senate

                       The Honorable Bennie G. Thompson
                       Chairman
                       The Honorable Mike Rogers
                       Ranking Member
                       Committee on Homeland Security
                       House of Representatives

                       The Transportation Security Administration (TSA) relies on security-
                       related screening technologies–such as explosives detection systems–to
                       deter, detect, and prevent prohibited items on board commercial aircraft.
                       TSA, a component of the Department of Homeland Security (DHS),
                       anticipates spending a significant portion of its $3.6 billion security
                       capability acquisition budget on these technologies by fiscal year 2020. 1
                       Such technologies are vital to TSA efforts to prevent a terrorist attack on
                       an aircraft using explosives or other prohibited items. In 2017, TSA was
                       responsible for the screening of about 2.4 million passengers, 4.4 million
                       carry-on bags, and 1.2 million checked bags at over 440 TSA-regulated
                       airports in the United States on an average day.

                       In past work, we found that TSA encountered challenges in effectively
                       acquiring and deploying passenger and checked baggage screening
                       technologies and had not consistently implemented DHS policy and best
                       practices for procurement. 2 Additionally, Congress has recognized that
                       TSA historically faced challenges in meeting key performance
                       requirements for several major acquisitions and procurements, resulting
                       in reduced security effectiveness and inefficient expenditures among

                       1
                        TSA, Strategic Five-Year Technology Investment Plan for Aviation Security: 2015 Report
                       to Congress (Aug.12, 2015).
                       2
                        GAO, Advanced Imaging Technology: TSA Needs Additional Information before
                       Procuring Next-Generation Systems, GAO-14-357 (Washington, D.C.: Mar. 31, 2014).




                       Page 1                                                      GAO-19-96 TSA Acquisitions
other things. 3 Enacted in December 2014, the Transportation Security
Acquisition Reform Act (TSARA) introduced legislative reforms to
promote greater transparency and accountability with respect to TSA’s
acquisitions of security-related technology (SRT). 4

Under TSARA, we were directed to submit a report to Congress not later
than 1 year after enactment, and are to submit a subsequent report 3
years thereafter, evaluating TSA’s progress in implementing the act. 5 We
provided Congress with the first report in February 2016. We found that
TSA was using its existing acquisitions policies, among other actions, to
meet TSARA requirements. 6 This second report examines (1) TSA’s
progress in addressing TSARA requirements since 2016, (2) the extent to
which TSA reports to Congress on security-related technology
acquisitions under TSARA, and (3) the extent to which TSA internally
communicates its TSARA implementation decisions.

To determine TSA’s progress in addressing TSARA requirements since
2016, we reviewed any updated policy documents and interviewed
officials from DHS and TSA with responsibilities for implementing TSARA
to gain insights on the extent to which TSA’s policies and procedures
have changed since our February 2016 report. In addition, to determine
the extent to which TSA addressed the requirements for the Strategic
Five-Year Technology Investment Plan (technology investment plan) and
3
 See, e.g., H.R. Rpt. No. 113-275 (Nov. 21, 2013); (accompanying H.R. 2719, 113th
Cong. (1st Sess. 2013)); S. Rep. No. 113-274 (Nov. 17, 2014) (accompanying S. 1893,
113th Cong. (2d Sess. 2013)).
4
 See Pub. L. No. 113-245, 128 Stat. 2871 (2014). (amending title XVI of the Homeland
Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135). See also H.R. Rep. No. 113-
275, at 7. TSARA defines “security-related technology” as any technology that assists
TSA in the prevention of, or defense against, threats to United States transportation
systems, including threats to people, property, and information.6 U.S.C. § 561(4). Unless
otherwise indicated, reference to specific provisions of TSARA will be cited using the U.S.
Code.
5
See Pub. L. No. 113-245, § 4(b), 128 Stat. at 2878.
6
 We submitted a draft of the first report to the Chairmen and Ranking Members of the
Committee on Commerce, Science, and Transportation United States Senate and the
Committee on Homeland Security House of Representatives on December 18, 2015, in
accordance with TSARA, and subsequently issued a final report that incorporated agency
comments in February of 2016. See GAO, Transportation Security: TSA Has Taken
Actions to Address Transportation Security Acquisition Reform Act Requirements,
GAO-16-285 (Washington D.C.: Feb 17, 2016). See GAO-16-285 appendix I: Status of
TSA Efforts to Address TSARA Requirements, for a list of TSARA’s requirements and the
status of each requirement at the time of issuance.




Page 2                                                         GAO-19-96 TSA Acquisitions
the small business contracting reports in TSARA, we reviewed TSA’s
technology investment plan and TSA’s fiscal years 2015 through 2017
small business contracting reports. Specifically, we (1) analyzed the
updated technology investment plan and small business reports against
TSARA’s requirements and (2) interviewed agency officials to provide
insights into the procedures they used to develop the technology
investment plan and the small business report. To determine whether
TSA is able to ensure it executes its responsibilities under TSARA in a
manner consistent with and not duplicative of the Federal Acquisition
Regulation and departmental policies and directives, we reviewed TSA’s
TSARA Implementation Strategy Memo and supporting documentation,
and interviewed DHS and TSA acquisition officials to verify that policies
contain such assurances. 7 We also interviewed security industry
representatives to gain their perspective on the usefulness of TSA’s
technology investment plan.

To determine the extent that TSA reports to Congress on SRT
acquisitions under TSARA, we reviewed TSA’s TSARA Implementation
Strategy Memo—which recognizes awards for both indefinite-quality
contracts and blanket purchase agreements as subject to TSARA—and
other supporting documentation to identify TSA’s policy for reporting SRT
acquisitions under TSARA and obtained information that TSA submitted
to Congress regarding SRT acquisitions. We interviewed agency officials
to clarify information and provide insights into the rationale for TSA’s
reporting policy. We also interviewed select security manufacturing
vendors for their perspective on TSARA. We reviewed congressional
committee reports to understand the legislative history behind TSARA. To
determine TSA’s obligations for SRT-related acquisitions, we asked TSA
to identify its contracts used for acquisitions of SRT and services
associated with the operation of SRT. We analyzed data from Federal
Procurement Data System-Next Generation (FPDS-NG) from December
18, 2014—TSARA’s date of enactment—through July 2018 on obligations
for SRT contracts and task and delivery orders issued under those
contracts. 8 We obtained FPDS-NG data on obligations for the same time
period for contracts and orders that provide services associated with the

7
 TSA, Transportation Security Acquisition Reform Act of 2014 Implementation Strategy
(June 3, 2015). For the purposes of this report, this document is called the TSARA
Implementation Strategy Memo, TSA’s implementation policy, or implementation strategy
memo.
8
 The Federal Procurement Data System-Next Generation is a comprehensive, web-based
tool for government agencies to report certain contracts and associated modifications.




Page 3                                                     GAO-19-96 TSA Acquisitions
             installation, operation, networking, and maintenance of SRT. Additionally,
             we reviewed any of TSA’s TSARA-related reporting to Congress from
             December 18, 2014 through September 2018. We assessed the reliability
             of the FPDS-NG data by performing electronic testing to identify missing
             data or data that is out of the appropriate range and comparing it to data
             from TSA’s financial management and accounting system. We
             determined that the FPDS-NG data are sufficiently reliable for the
             purposes of this report. We interviewed TSA officials responsible for
             managing TSA’s security screening programs, related acquisitions, and
             the implementation of TSARA to clarify information and provide insights
             into the rationale for TSA’s reporting policy.

             To determine the extent to which TSA internally communicates its TSARA
             implementation decisions, we reviewed TSA’s TSARA Implementation
             Strategy Memo for consistency with the parameters TSA officials
             described for what constitutes an SRT. We interviewed TSA officials to
             gain insights on TSA’s implementation approach—including their
             parameters—and how TSA communicates that approach to staff and
             compared the implementation approach to relevant federal internal
             control standards. 9

             We conducted this performance audit from November 2017 to January
             2019 in accordance with generally accepted government auditing
             standards. Those standards require that we plan and perform the audit to
             obtain sufficient, appropriate evidence to provide a reasonable basis for
             our findings and conclusions based on our audit objectives. We believe
             that the evidence obtained provides a reasonable basis for our findings
             and conclusions based on our audit objectives.


             The Aviation and Transportation Security Act established TSA as the
Background   federal agency with primary responsibility for securing the nation’s civil
             aviation system, which includes acquiring technology to screen and
             secure travelers at the nation’s TSA-regulated airports. 10 TSARA defines
             SRT as any technology that assists TSA in the prevention of, or defense
             against, threats to United States transportation systems, including threats


             9
              GAO, Standards for Internal Control in the Federal Government, GAO-14-704G
             (Washington, D.C.: September 2014).
             10
              See generally Pub. L. No. 107-71, 115 Stat. 597 (2001); 49 U.S.C. § 114.




             Page 4                                                      GAO-19-96 TSA Acquisitions
to people, property, and information. 11 As illustrated in figure 1, TSA
acquired various SRT for passenger and baggage screening, including:

•     Advanced Imaging Technology (AIT)—screens passengers for
      metallic and nonmetallic threats;
•     Explosives Trace Detection—detects various types of commercial and
      military explosives through chemical analysis on passengers and their
      property; and
•     Explosives Detection System (EDS)—provides imaging, screening,
      and detection capabilities to identify possible threats in checked
      baggage contents. 12




11
    6 U.S.C. § 561(4).
12
  TSA generally does not acquire SRT for air cargo or surface transportation systems.
According to TSA officials, a limited number of explosives trace detection units are
purchased every few years for their air cargo testing facility. Officials stated that TSA’s air
cargo and surface transportation programs largely focus on the development of security
policy, industry engagement, and evaluation of research and development of relevant
security technologies. In general, TSA must ensure that all cargo transported on
passenger aircraft is screened using TSA-approved methods. See 49 U.S.C. § 44901(g).




Page 5                                                            GAO-19-96 TSA Acquisitions
Figure 1: Examples of Security-Related Technology Acquired by the Transportation Security Administration




                                        Page 6                                                  GAO-19-96 TSA Acquisitions
DHS Acquisition Process                 TSA follows DHS’s policies and procedures for managing its acquisition
                                        programs, including for acquisition management, test and evaluation, and
                                        resource allocation of its SRT. TSA’s acquisition programs and policies
                                        are primarily set forth in DHS Acquisition Management Directive 102-01
                                        (DHS’s acquisition directive) and DHS Instruction Manual 102-01-001,
                                        Acquisition Management Instruction/Guidebook. 13 DHS acquisition policy
                                        establishes that an acquisition program’s decision authority should review
                                        the program at a series of predetermined acquisition decision events to
                                        assess whether the program is ready to proceed through the acquisition
                                        life cycle phases. An acquisition program is established once it has
                                        passed through the phases that establish the acquisition need and
                                        selects an option that meets this need. Figure 2 depicts the DHS
                                        acquisition life cycle.

Figure 2: Department of Homeland Security (DHS) Acquisition Life Cycle for Acquisition Programs




                                        Under DHS’s acquisition directive, TSA is to ensure, among other things,
                                        that required acquisition documents are completed. Two of these key
                                        acquisition documents are:

                                        (1) the life cycle cost estimate, which provides an exhaustive and
                                        structured accounting of all resources and associated cost elements
                                        required to develop, produce, deploy, and sustain a program; and


                                        13
                                          For the purposes of this report, we refer to DHS Acquisition Management Directive 102-
                                        01 as DHS’s acquisition directive. TSA’s acquisition programs are generally subject to the
                                        Federal Acquisition Regulation, which establishes uniform acquisition policies and
                                        procedures for executive agencies, as well as the DHS Acquisition Regulation, which
                                        supplements the Federal Acquisition Regulation through additional acquisition policies and
                                        procedures for the Department. See 48 C.F.R. §§ 1.101, 3001.101.




                                        Page 7                                                        GAO-19-96 TSA Acquisitions
                     (2) the acquisition program baseline, which establishes a program’s cost,
                     schedule, and performance metrics.

                     These documents are used throughout the process to identify instances
                     when an acquisition program exceeds cost, schedule, or performance
                     thresholds.

                     TSA’s acquisition policies, which supplement DHS policies, generally
                     designate roles and responsibilities and identify the procedures that TSA
                     is to use to implement the requirements in DHS policies. In December
                     2017, TSA reorganized its acquisition offices, which are responsible for
                     implementing TSARA’s requirements, from two offices (Office of
                     Acquisition and Office of Security Capabilities) into three offices:
                     Requirements and Capabilities, Acquisition Program Management, and
                     Contracting and Procurement.


TSARA Requirements   TSARA includes a number of requirements for TSA, including developing
                     and submitting a biennial technology investment plan and annual small
                     business contracting goals reports to Congress, adhering to various
                     acquisition and inventory policies and procedures, and ensuring
                     consistency with Federal Acquisition Regulation and departmental
                     policies and directives. 14 TSARA also includes requirements for justifying
                     acquisitions and establishing acquisition baselines, which largely codify
                     aspects of DHS’s existing acquisition policy described in DHS’s
                     acquisition directive. 15 TSA fulfills these requirements through the
                     processes outlined in DHS’s acquisition directive when establishing a new
                     acquisition program or modifying an existing acquisition program. See
                     Appendix I for the list of TSARA’s requirements.




                     14
                       TSA, Strategic Five-Year Technology Investment Plan Biennial Refresh: 2017 Report to
                     Congress (Dec. 19, 2017). TSA, Small-Business Contracting Goals Report: Fiscal Year
                     2015 Report to Congress (Apr. 28, 2016); TSA, Small-Business Contracting Goals Report:
                     Fiscal Year 2016 Report to Congress (Apr. 7, 2017) and TSA, Small-Business Contracting
                     Goals Report: Fiscal Year 2017 Report to Congress (Mar. 6, 2018).
                     15
                       See, e.g., 6 U.S.C. § 563a(a) (establishing criteria for determining whether an
                     acquisition is justified).




                     Page 8                                                         GAO-19-96 TSA Acquisitions
                             Since 2016, TSA generally addressed TSARA requirements through its
TSA Generally                acquisitions policies and procedures. Since our February 2016 report,
Addressed TSARA              TSA has also developed and issued an updated technology investment
                             plan. Further, TSA has continued to submit an annual report to Congress
Requirements                 on TSA’s performance record in meeting its published small business
                             contracting goals.


TSA Policies and             TSA continues to address TSARA’s requirements, including those related
Procedures Continue to       to acquisition justifications, baseline requirements, managing inventory
                             and consistency with regulations. In addition, TSA developed an updated
Address TSARA’s
                             technology investment plan and submitted small business contracting
Requirements                 goals reports to Congress in accordance with TSARA.

Acquisition Justifications   TSARA provides that before TSA implements any SRT acquisition, the
                             agency must, in accordance with DHS policies and directives, conduct an
                             analysis to determine whether the acquisition is justified. 16 The analysis
                             must include elements such as cost effectiveness and confirmation that
                             there are no significant risks to human health or safety posed by the
                             proposed acquisition, among others. In February 2016, we reported that
                             DHS and TSA had policies and procedures that were in place prior to
                             TSARA addressed each of the elements required in the analysis. 17 For
                             example, DHS’s acquisition directive includes several of these elements
                             in its process for establishing a new acquisition program. TSARA also
                             includes a provision requiring TSA to submit information (i.e. report) to
                             Congress 30 days prior to the award of a contract for an SRT acquisition
                             over $30 million. 18 TSA established procedures that address this
                             provision, as discussed later in this report, by developing a template for
                             providing justifications under this provision.

                             We found that, since 2016, TSA continues to have policies in place, such
                             as DHS’s acquisition directive, to address the analysis-related
                             requirements. TSA officials stated they would use these policies and
                             procedures to address TSARA’s requirements.




                             16
                              See 6 U.S.C. § 563a(a).
                             17
                              GAO-16-285.
                             18
                              See 6 U.S.C. § 563a(b).




                             Page 9                                              GAO-19-96 TSA Acquisitions
Baseline Requirements   TSARA requires that before TSA implements any SRT acquisition, the
                        appropriate acquisition official from the department shall establish and
                        document a set of formal baseline requirements and subsequently review
                        whether acquisitions are meeting these requirements. 19 Additionally,
                        TSARA provides that TSA must report a breach if results of any
                        assessment find that (1) actual or planned costs exceed the baseline
                        costs by more than 10 percent, (2) actual or planned schedule for delivery
                        has been delayed more than 180 days, or (3) there is a failure to meet
                        any performance milestone that directly impacts security effectiveness. 20
                        Pursuant to TSARA, in March 2016, TSA reported two breaches to
                        Congress for the Passenger Screening Program and Security Technology
                        Integrated Program (STIP), a data management system that connects
                        transportation security equipment to a single network. 21 Further, in
                        February 2016, we reported that TSA had policies in place that require it
                        to prepare an acquisition program baseline, risk management plan, and
                        staffing requirements before acquiring SRT, in accordance with TSARA
                        requirements. 22 We found that since our February 2016 report, TSA
                        continues to leverage the existing DHS acquisition directive to meet all of
                        TSARA’s baseline requirements.

Managing Inventory      TSARA requires that TSA, among other things:

                        •     to the extent practicable, use existing units in inventory before
                              procuring more equipment to fulfill a mission need;
                        •     track the location, use, and quantity of security-related equipment in
                              inventory; and



                        19
                            See 6 U.S.C. § 563b(a)-(b)(1).
                        20
                          See 6 U.S.C. § 563b(b)(2) (providing further that such breach reports, which are to be
                        submitted to the Committee on Commerce, Science, and Transportation of the Senate
                        and the Committee on Homeland Security of the House of Representatives, must also
                        include the cause for such excessive costs, delay, or failure, and a plan for corrective
                        action).
                        21
                          The primary cause of the breach or delivery delay was the new Information Technology
                        security requirements for the Credential Authentication Technology and the Security
                        Technology Integrated Program that occurred after the planned schedule was set. TSA,
                        Passenger Screening Program (PSP) and the Security Technology Integrated Program
                        (STIP) Delivery Delay Report (Mar. 14, 2016). TSA’s plan for corrective action was to seek
                        vendor proposals to develop cybersecurity solutions.
                        22
                            GAO-16-285.




                        Page 10                                                       GAO-19-96 TSA Acquisitions
                               •     implement internal controls to ensure accurate and up-to-date data on
                                     SRT owned, deployed, and in use. 23

                               In 2016, we reported that TSA’s policies and procedures address TSARA
                               requirements for managing inventory. 24

                               We found that since our February 2016 report, TSA continues to use
                               established policies and procedures to address TSARA’s inventory
                               management requirements. For example, TSA continues to use the
                               Security Equipment Management Manual, which describes the policies
                               and procedures that require TSA to use equipment in its inventory if, for
                               example, an airport opens a new terminal. Additionally, TSA has
                               procedures to track the location, use, and quantity of security-related
                               equipment in inventory, regardless of whether such equipment is in use. 25
                               Specifically, TSA has procedures to track the entire life cycle of
                               equipment, including initial possession, any moves, and disposal. Further,
                               TSA continues to use standard operating procedures developed by its
                               Internal Control Branch, which describe TSA’s system of internal controls
                               to conduct reviews, report, and follow-up on corrective actions.

Consistency with Regulations   TSARA provides that TSA must execute its acquisition-related
                               responsibilities in a manner consistent with and not duplicative of the
                               Federal Acquisition Regulation and DHS policies and directives. 26 In
                               2016, we reported that TSA’s policy documents state that TSA is required
                               to ensure that its policies and directives are in accordance with the
                               Federal Acquisition Regulation and DHS acquisition and inventory
                               policies and procedures. We also reported that according to TSA’s
                               TSARA Implementation Strategy Memo (implementation strategy memo),
                               TSA was able to address this requirement by, among other things,
                               forming a working group as part of an effort to ensure that TSA
                               implemented TSARA in a manner consistent with the Federal Acquisition
                               Regulation and DHS policies and directives. We found that no changes
                               have been made to the implementation strategy memo since our 2016
                               report and TSA still has policies in place to execute the responsibilities

                               23
                                   See 6 U.S.C. § 563c(a)-(b).
                               24
                                   GAO-16-285.
                               25
                                   TSA, Security Equipment Management Manual (Oct. 14, 2015).
                               26
                                   6 U.S.C. § 563e.




                               Page 11                                                    GAO-19-96 TSA Acquisitions
                        set forth in TSARA in a manner consistent with and not duplicative of the
                        Federal Acquisition Regulation and DHS policies and directives.


TSA Developed an        TSARA requires TSA to develop and submit to Congress a Strategic
Updated Technology      Five-Year Technology Investment Plan (technology investment plan) and
                        update it on a biennial basis. 27 The technology investment plan is to
Investment Plan in
                        include, among other things, a set of SRT acquisition needs that includes
Accordance with TSARA   planned technology programs and projects with defined objectives, goals,
                        timelines and measures, and an identification of currently deployed SRTs
                        that are at or near the end of their life cycles.

                        In August 2015, TSA developed and submitted to Congress the first
                        technology investment plan and in 2016 we reported that the 2015 plan
                        generally addressed TSARA requirements. In December 2017, TSA
                        developed and submitted to Congress an updated technology investment
                        plan in accordance with TSARA. The updated plan details the aviation
                        security efforts TSA initiated, developed, or completed since the initial
                        plan was released. The updated plan also includes the extent to which
                        TSA’s acquisitions were consistent with technology programs and
                        projects identified in the initial plan, as required by TSARA. 28

                        TSA officials stated that a positive effect of TSARA’s requirement to
                        develop the technology investment plan has been the establishment of
                        the Innovation Task Force. The task force, created in the Spring of 2016,
                        is tasked to identify and demonstrate emerging capabilities and facilitate
                        other innovative projects at select airports. TSA established the task force
                        based on feedback from industry representatives provided during
                        development of the initial plan. 29 A TSA official who manages the task

                        27
                          6 U.S.C. § 563(a), (g). The TSA Modernization Act, enacted as part of the FAA
                        Reauthorization Act of 2018 on October 5, 2018, amends § 563 by, among other things,
                        requiring TSA, in collaboration with relevant industry and government stakeholders, to
                        annually submit an update of the plan in an appendix to the budget request and publish it
                        in an unclassified format in the public domain. See Pub. L. No. 115-254, div. K, tit. I,
                        subtit. B, § 1917, 132 Stat. 3186 (2018).
                        28
                          See 6 U.S.C. § 563(g)(2).
                        29
                          The TSA Modernization Act, enacted in October 2018, establishes In a statute a
                        requirement for TSA to establish an innovation task force to, among other things, cultivate
                        innovations in transportation security and, in doing so, is to conduct activities to identify
                        and develop an innovative technology, emerging security capability, or process designed
                        to enhance transportation security. See Pub. L. No. 115-254, div. K, tit. I, subtit. B, § 1916,
                        132 Stat. 3186.




                        Page 12                                                          GAO-19-96 TSA Acquisitions
                          force said that it led to efficiencies in TSA’s acquisition process. The
                          official noted, for example, that the task force began demonstrating
                          Automated Screening Lanes in March 2016 and by October 2016 DHS
                          approved additional deployments of the technology. For a video of TSA’s
                          Innovation Task Force demonstration of Automated Screening Lanes, see
                          the hyperlink in the note for figure 3.

                          Figure 3: Video of the Transportation Security Administration Innovation Task
                          Force Demonstration of Automated Screening Lanes




                          Note: To view the full TSA-produced video, please click on the video hyperlink.


TSA Continues to Submit   TSARA requires TSA to submit an annual report to Congress on TSA’s
Required Small Business   performance record in meeting its published small business contracting
                          goals during the preceding fiscal year. 30
Reports to Congress
                          If the preceding year’s goals were not met or TSA’s performance was
                          below the published small business contracting goals set for the
                          department, TSARA requires that TSA’s small business report includes a

                          30
                            See 6 U.S.C. § 563d (providing that such report shall be submitted to the Committee on
                          Commerce, Science, and Transportation of the Senate and the Committee on Homeland
                          security of the House of Representatives). See also 15 U.S.C. § 644(g)(2) (requiring the
                          head of each federal agency to, after consultation with the Small Business Administration,
                          establish goals for the participation by small business concerns in procurement contracts
                          of the agency).




                          Page 13                                                               GAO-19-96 TSA Acquisitions
                       list of challenges that contributed to TSA’s performance and an action
                       plan, with benchmarks, for addressing each of the challenges identified
                       that is prepared after consultation with other federal departments and
                       agencies. 31 Since our last review, TSA has submitted small business
                       reports for fiscal years 2014 through 2017 and has reported achieving its
                       small business contracting goals.


                       Through July 2018, TSA’s narrow application of TSARA’s report and
TSA’s Narrow           certification provision resulted in no SRT acquisitions being reported to
Application of TSARA   Congress pursuant to TSARA. In August 2018, TSA provided its first
                       three notifications on SRT acquisitions to Congress under this provision.
Has Resulted in
Limited Reporting to
Congress on SRT-
related Acquisitions




                       31
                        See 6 U.S.C. § 563d(2).




                       Page 14                                            GAO-19-96 TSA Acquisitions
None of the Over $1         TSA did not provide any information on contract awards or task or
Billion TSA Obligated to    delivery orders for the acquisition of SRT and associated services to
                            Congress under TSARA’s report and certification provision from
Acquire SRT and
                            enactment through July 2018. Under the provision, TSA is to provide
Associated Services From    Congress with a comprehensive justification and a certification that the
December 18, 2014           benefits to transportation security justify the contract cost not later than 30
Through July 2018           days preceding the award of a contract for any SRT acquisition over $30
Resulted in TSA Reporting   million. 32
Under TSARA                 Our analysis of FPDS-NG data on contract obligations from December
                            18, 2014 through July 2018 found approximately $1.4 billion in obligations
                            for acquisitions of SRT and for services associated with the operation of
                            SRT, as shown in table 1. 33 Specifically, TSA obligated $591 million for
                            SRT. For services associated with an SRT that are necessary to ensure
                            its continuous and effective operation, such as maintenance and
                            engineering support services, TSA obligated $772 million during this
                            timeframe. 34


                            32
                              See 6 U.S.C. § 563a(b) (providing further that this information is to be submitted to the
                            Committee on Commerce, Science, and Transportation of the Senate and the Committee
                            on Homeland Security of the House of Representatives). For the purposes of this report,
                            we refer to the submission of information under this provision as a report. In addition to
                            TSARA’s report and certification provision, TSA is subject to separate statutory reporting
                            obligations to Congress in accordance with a recurring provision DHS’s annual
                            appropriations acts, as implemented through the DHS Homeland Security Acquisition
                            Manual and TSA Internal Guidance and Procedure Memorandum 0500.39 (May 18,
                            2018). Specifically, TSA must provide notification to the Committees on Appropriations of
                            the Senate and House of Representatives 5 full business days in advance of new contract
                            awards and task and delivery orders on DHS multiple award contracts, among other
                            award types, totaling in excess of $1,000,000. See, e.g., Pub. L. No. 115-141, div. F, §
                            507, 132 Stat. 348 (2018). Notification under this appropriations provision is to include the
                            amount of the award, the fiscal year for which the funds for the award were appropriated,
                            the type of contract, and the account from which the funds are being drawn; it is not
                            required to contain the more evaluative information, such as the results of the
                            comprehensive acquisition justification and the cost-benefit certification required under
                            TSARA.
                            33
                              TSA officials identified the following technologies that, as of September 2018, are the
                            only technologies acquired by TSA that fall within TSARA’s SRT definition: AIT, Advanced
                            Technology, Bottle Liquid Scanners, Explosives Trace Detection, Walk-through Metal
                            Detector/Enhanced Metal Detector, Explosives Detection System, Boarding Pass
                            Scanner, Credential Authentication Technology, Computed Tomography, and Automated
                            Screening Lane.
                            34
                              Engineering support may include addressing changing security needs related to the
                            operation of SRT, such as software or hardware improvements and threat detection
                            algorithm development that help meet the security screening requirements.




                            Page 15                                                         GAO-19-96 TSA Acquisitions
Table 1: Transportation Security Administration Contract Obligations for Security-Related Technology (SRT) and Associated
Services, December 18, 2014 through July 31, 2018

SRT and                                        Description                                                                                   Total Obligations
Associated Services                                                                                                                        (Dollars in millions)
                                                                         a
SRT                                            Acquisition of SRT                                                                                              591
Maintenance Services                           All types of maintenance services for SRT, including corrective and                                             581
                                               preventative maintenance
System Integration                             Installation and deployment of SRT                                                                              132
Security Technology Integrated                 SRT network connectivity                                                                                         44
Program
Security Technology Support                    Engineering support, system management, information technology support                                           15
                                                      b
Services                                       for SRT
Total                                                                                                                                                         1,363
Source: GAO analysis of Federal Procurement Data System-Next Generation data. | GAO-19-96

                                                              Note: The total obligations for associated services (Maintenance Service, System Integration,
                                                              Security Technology Integrated Program, and Security Technology Support Services) is
                                                              approximately $772 million.
                                                              a
                                                               TSA’s contracts for SRT may also include associated services, such as engineering support
                                                              services, threat detection algorithm development, installation and deployment of equipment, training
                                                              services, maintenance services, and the purchase of equipment warranties.
                                                              b
                                                               Engineering support may include addressing changing security needs related to the operation of
                                                              SRT, such as software or hardware improvements, threat detection algorithm development, and other
                                                              system enhancements that help meet the security screening requirements.




TSA’s Policy for                                              TSA officials said that none of the agency’s acquisition activities from
Implementing TSARA’s                                          enactment through July 2018 invoked TSARA’s report and certification
                                                              provision because the activities did not align with TSA’s policy that
Report and Certification
                                                              identifies SRT acquisitions subject to this provision. TSA’s policy on what
Provision Reflects a                                          constitutes an SRT and the award of a contract for an SRT acquisition
Narrow Application of the                                     ultimately determine what acquisitions are subject to TSARA’s report
Act




                                                              Page 16                                                               GAO-19-96 TSA Acquisitions
                                                                and certification provision. 35 See table 2 for TSA’s policy.

Table 2: Transportation Security Administration (TSA) Policy for What Constitutes a Security-Related Technology (SRT) and a
Contract Award for an SRT Acquisition Under the Transportation Security Acquisition Reform Act (TSARA)

SRT                                         Equipment or technologies procured by TSA, for the screening and inspection of persons, property, and
                                            credentials, as well as equipment or technologies that the public directly interacts with or is impacted
                                            by.
Contract award for an SRT                   The TSARA report and certification provision for the award of a contract for an SRT acquisition pertains
acquisition                                 to an initial equipment contract award, including indefinite-quantity contracts or blanket purchase
                                            agreements, where the contract ceiling exceeds the $30 million threshold or any SRT contract award
                                            that will potentially exceed the $30 million threshold when combined with future estimated contract
                                            awards for the same technology type. It does not apply to individual task and delivery order awards
                                            issued under the parent contract.
Source: GAO analysis of TSA documentation and officials’ statements. | GAO-19-96

                                                                Note: Indefinite-delivery contracts are awarded to one or more contractors to acquire supplies and/or
                                                                services when the exact times and/or exact quantities of future deliveries are not known at the time of
                                                                award. See 48 C.F.R. § 16.501-1. Indefinite-quantity contracts provide for an indefinite quantity,
                                                                within stated limits, of products or services during a fixed period. § 16.504(a). In general, pursuant to
                                                                an indefinite-delivery/indefinite-quantity contract agencies issue orders for the delivery of supplies or
                                                                for the performance of tasks during the period of the contract. See § 16.501-1. In general, agencies
                                                                may use blanket purchase agreements under FAR part 8.4 to acquires supplies and services through
                                                                the Federal Supply Schedule program, which is directed and managed by the General Services
                                                                Administration and provides federal agencies with a simplified process for obtaining commercial
                                                                supplies and services at prices associated with volume buying, and under FAR part 13.3 as a
                                                                simplified method of filling anticipated repetitive needs for supplies or services by establishing “charge
                                                                accounts” with qualified sources of supply but subject to a dollar threshold. See 48 C.F.R. §§ 8.402,
                                                                13.303-1.




                                                                35
                                                                  As stated above, the TSARA report and certification provision requires TSA to submit
                                                                information to congressional committees at least 30 days before the award of a contract
                                                                for any SRT acquisition over $30 million. 6 U.S.C. § 563a(b). The Federal Acquisition
                                                                Regulation (FAR) defines “acquisition” as the acquiring by contract with appropriated
                                                                funds of supplies or services (including construction) by and for the use of the Federal
                                                                Government through purchase or lease, whether the supplies or services are already in
                                                                existence or must be created, developed, demonstrated, and evaluated. 48 C.F.R.
                                                                § 2.101. The FAR establishes that acquisition begins at the point when agency needs are
                                                                established and includes the description of requirements to satisfy agency needs,
                                                                solicitation and selection of sources, award of contracts, contract financing, contract
                                                                performance, contract administration, and those technical and management functions
                                                                directly related to the process of fulfilling agency needs by contract. Id. The FAR defines a
                                                                “contract” as a mutually binding legal relationship obligating the seller to furnish the
                                                                supplies or services and they buyer to pay for them, and establishes that contracts include
                                                                (but are not limited to) awards and notices of awards; job orders or task letters issued
                                                                under basic ordering agreements; letter contracts; orders, such as purchase orders, under
                                                                which the contract becomes effective by written acceptance or performance; and bilateral
                                                                contract modifications. Id.




                                                                Page 17                                                                  GAO-19-96 TSA Acquisitions
                            TSA’s TSARA Implementation Strategy Memo states, “[t]o support
                            [TSARA] and ensure Congress is receiving the necessary information
                            regarding critical TSA acquisitions, TSA will focus on security screening
                            related technologies[,]” which will ensure “the necessary actions are
                            implemented for those technologies the public directly interacts with (i.e.
                            is impacted by).” 36 According to TSA officials, security screening related
                            technologies, i.e. SRT, subject to TSARA must (1) be equipment or
                            technology and (2) interact with (or impact) the public. Specific examples
                            of SRT subject to TSARA, as identified by TSA officials, are the
                            equipment typically deployed to airports to assist in the physical
                            screening of passengers and their property, such as AIT, EDS, and
                            boarding pass scanners.

                            TSA officials explained that in accordance with its policy, TSA provided its
                            first three notifications to Congress under TSARA’s report and
                            certification provision in August 2018, more than 30 days prior to the
                            award of three new SRT contracts, each with ceiling values in excess of
                            $30 million. 37

TSA Does Not Report SRT-    Since the enactment of TSARA through July 2018, TSA awarded multiple
Associated Services Under   indefinite-delivery/indefinite-quantity (IDIQ) contracts and entered into a
TSARA                       blanket purchase agreement for services associated with the operation of
                            SRT, each with values in excess of $30 million, and issued orders under




                            36
                              Transportation Security Administration, Transportation Security Acquisition Reform Act
                            of 2014 Implementation Strategy (June 3, 2015).
                            37
                              In September 2018, TSA awarded two contracts related to Reduced Size Explosives
                            Detection Systems with contract values of $40 million and $58 million, to purchase and
                            install new units and retrofit deployed units with new hardware and software to improve
                            threat detection capabilities. TSA also awarded a $500 million indefinite-delivery/indefinite-
                            quantity contract to purchase and install Medium Speed Explosives Detection Systems.




                            Page 18                                                         GAO-19-96 TSA Acquisitions
the contracts and agreement that exceeded $30 million. 38 In accordance
with TSA’s implementation policy, which applies to acquisitions of
physical screening equipment, TSA did not report these acquisition
actions under TSARA’s report and certification provision.

TSA officials said, consistent with its implementation policy, that services
associated with the operation of the SRT, such as engineering support,
maintenance services, and other services described in table 1, are not
SRT, as TSARA defines the term, because they are not equipment that
directly interacts with the public. Associated services, however, are
necessary to ensure the effective performance of SRT. For example,
engineering support can assist in addressing changing security needs,
such as through the development of threat detection algorithms and other
software or hardware improvements. Associated services have also been
used to extend the intended lifecycle of SRT already deployed to airport
checkpoints. TSA officials said that research and development
advancements have allowed TSA to upgrade existing equipment that had
reached the end of its initial lifecycle rather than acquire new equipment.
Further, TSA will likely need to increase spending on maintenance
services because the equipment parts may break down when used past
their intended life cycles. Consequently, through maintenance and
hardware improvements, for example, TSA has been able to offset the
need to procure new SRT by upgrading and maintaining existing SRT.




38
    Indefinite-delivery contracts are awarded to one or more contractors to acquire supplies
and/or services when the exact times and/or exact quantities of future deliveries are not
known at the time of award. See 48 C.F.R. § 16.501-1. Indefinite-quantity contracts
provide for an indefinite quantity, within stated limits, of products or services during a fixed
period. § 16.504(a). In general, pursuant to an IDIQ contract agencies issue orders for the
delivery of supplies or for the performance of tasks during the period of the contract. See §
16.501-1. In general, agencies may use blanket purchase agreements under FAR part 8.4
to acquires supplies and services through the Federal Supply Schedule program, which is
directed and managed by the General Services Administration and provides federal
agencies with a simplified process for obtaining commercial supplies and services at
prices associated with volume buying, and under FAR part 13.3 as a simplified method of
filling anticipated repetitive needs for supplies or services by establishing “charge
accounts” with qualified sources of supply but subject to a dollar threshold. See 48 C.F.R.
§§ 8.402, 13.303-1.




Page 19                                                           GAO-19-96 TSA Acquisitions
Examples of contract actions for the associated services described in
table 1 include:

•     Maintenance Services: TSA awarded three IDIQ contracts in 2015
      and 2016, with ceiling values ranging from $76 million to $222 million,
      and issued 10 orders under these IDIQ contracts with obligations that
      each exceeded $30 million;
•     System Integration: TSA awarded three IDIQ contracts in 2015, each
      with a ceiling value of $450 million;
•     STIP: In November 2017, TSA awarded a blanket purchase
      agreement with a ceiling value of $250 million; and
•     Security Technology Support Services: TSA awarded three IDIQ
      contracts in 2017 with ceiling values ranging from $65 million to $169
      million.
The report of the Committee on Homeland Security of the House of
Representatives on TSARA explains that the law introduces greater
transparency and accountability for TSA spending decisions and codifies
acquisition best-practices that the committee believes will result in more
effective and efficient SRT acquisitions at TSA. 39 As explained in the
report, TSARA is, in part, a response to historical examples where TSA
spent significant funds on SRT acquisitions that failed to meet security
performance objectives or wasted federal funds. 40 Consistent with the
purpose of the statute expressed in the committee report, TSARA’s report
and certification provision promotes greater transparency over TSA
acquisition practices.

TSA obligates a significant amount of funds—approximately $772 million
from TSARA’s enactment through July 2018—for services that help
ensure the effective and continuous operation of SRT. Applying TSARA’s
report and certification provision to a broader range of services
associated with the operation of SRT would provide Congress with



39
    See H.R. Rep. No. 113-275, at 7. See also S. Rep. No. 113-274.
40
  Among other examples, the committee report references the $29.6 million acquisition of
207 explosives trace portal (puffer) machines in 2006, which represented the first
deployment of a checkpoint technology whose development had been initiated by TSA,
and states that the machines had been inadequately tested and failed to work in dirty,
humid airport environments, which ultimately resulted in them being removed from
service. See H.R. Rep. No. 113-275, at 15.




Page 20                                                      GAO-19-96 TSA Acquisitions
                           increased transparency and improved oversight of TSA’s SRT acquisition
                           practices.

TSA Does Not Report SRT    According to TSA’s TSARA implementation policy, indefinite-quantity
Task and Delivery Orders   contracts or blanket purchase agreements for “security screening related
Under TSARA                technology equipment”, i.e. SRT, are subject to TSARA’s report and
                           certification provision when the ceiling value exceeds $30 million. 41 The
                           implementation policy also explains that the provision does not apply to
                           individual task and delivery orders placed under these contracts or
                           agreements. 42 However, IDIQ contracts typically have a lengthy period of
                           performance—for example one base year followed by four option years.
                           Specifically, from December 18, 2014 through July 2018, all of TSA’s 14
                           active contracts for SRT were IDIQ contracts awarded prior to the
                           enactment of TSARA on December 18, 2014. Further, 8 of the 14
                           contracts had been in place for 5 or more years, and according to TSA
                           officials, the agency had extended the original period of performance for 9
                           of the 14 contracts. Per its implementation policy, TSA did not report to
                           Congress under TSARA’s report and certification provision on the seven
                           task orders, ranging from $31 million to $70 million, to purchase and
                           install EDS, EDS upgrade kits, and explosives trace detection systems
                           issued under IDIQ contracts in place at the time of TSARA’s enactment. 43

                           41
                             Transportation Security Administration, Transportation Security Acquisition Reform Act
                           of 2014 Implementation Strategy (June 3, 2015).
                           42
                              For other contract types, the implementation strategy memo explains that the report and
                           certification provision applies to any award that exceeds $30 million or any award that will
                           potentially exceed $30 million when combined with future estimated contract awards for
                           the same technology type. For an example of how the combination of future estimated
                           contract awards requires compliance with TSARA’s report and certification provision, the
                           implementation policy provides, and TSA further explained, that when a contract is
                           awarded for a particular SRT type (e.g., advance imaging technology) at $20 million in
                           fiscal year 2015, and it is anticipated that an additional award of $10 million for AIT will be
                           let in fiscal year 2016 at $10 million, the report and certification provision would apply and
                           TSA would provide the requisite information 30 days before the first of the two contract
                           awards. TSA further explained that in the event the cumulative amount of contract awards
                           for a particular SRT exceeds $30 million (i.e., where such a cumulative amount is not
                           initially anticipated), the report and certification provision would be applicable and TSA
                           would submit the requisite information at the time the cumulative amount in excess of the
                           $30 million threshold becomes known.
                           43
                             An EDS upgrade kit addresses the technical obsolescence of EDS deployed in the field
                           and includes the installation of new hardware and software on to the EDS. In accordance
                           with the recurring requirement in DHS’s annual appropriations acts, as implemented
                           through the DHS Homeland Security Acquisition Manual and TSA Internal Guidance and
                           Procedure Memorandum 0500.39, TSA provided requisite notification to the
                           appropriations committees with respect to the seven task orders.




                           Page 21                                                          GAO-19-96 TSA Acquisitions
                                         See figure 4 for an example of an EDS IDIQ contract where TSA issued
                                         orders in excess of $30 million and extended the contract’s original period
                                         of performance.

Figure 4: Example of the Timeline for a Transportation Security Administration (TSA) Explosives Detection Systems Contract




                                         a
                                          Indefinite-Delivery / Indefinite-Quantity contracts provide flexibility in cases where the government
                                         cannot determine the exact quantities and required timing of a product or service. In general, the
                                         government must order, and the contractor must provide, a minimum agreed-upon quantity of
                                         products or services and the contractor must provide any other quantities ordered by the government
                                         up to a stated maximum during the contract’s period of performance.
                                         b
                                          Enacted in December 2014, TSARA introduced legislative reforms to promote greater transparency
                                         and accountability with respect to TSA’s acquisitions of security-related technology. See Pub. L. No.
                                         113-245, 128 Stat. 2871 (2014); see also H.R. Rep. No. 113-275, (Nov. 21, 2013), at 7
                                         (accompanying H.R. 2719, 113th Cong. (1st Sess. 2013)).




                                         One of TSA’s most recent SRT contract awards further illustrates how
                                         TSA’s policy to only report on initial contract awards, and not orders
                                         issued pursuant to the contract, has resulted in limited reporting under
                                         TSARA’s report and certification provision. In September 2018, TSA
                                         awarded a new $500 million IDIQ contract for the acquisition of medium
                                         speed explosives detection systems. TSA reported this contract award to
                                         the requisite committees pursuant to the report and certification provision
                                         and consistent with its implementation policy. 44 However, under TSA’s
                                         policy, this is the only notification that Congress will receive pursuant to

                                         44
                                           TSA also submitted notification of the award of this contract to the appropriations
                                         committees in accordance with the recurring requirement in DHS’s annual appropriations
                                         acts, as implemented through DHS and TSA policies.




                                         Page 22                                                               GAO-19-96 TSA Acquisitions
TSARA over the course of the contract’s period of performance. For
example, TSA also issued a $55 million order to purchase and install
medium speed EDS units under this IDIQ contract, but per its
implementation policy, TSA did not report on this order under the
provision to Congress and per its policy would not do so for any
subsequent orders during the contract’s period of performance. 45

TSA has developed a policy with parameters for determining which
contract actions are subject to TSARA. However, TSA’s policy limits the
application of the report and certification provision only to initial contract
awards for physical security screening equipment. According to TSA
officials, TSA established this policy in order to ensure Congress is
informed as early as possible that there is potential for an award in
excess of $30 million as opposed to the point at which amounts awarded
reach $30 million. However, the implementation policy expressly excludes
orders in excess of $30 million issued under IDIQ contracts or blanket
purchase agreements for SRT.

Due to this narrow application of TSARA to its SRT acquisitions, TSA did
not report any information to Congress pursuant to TSARA’s report and
certification provision through July 2018. In addition, as currently
implemented this policy will continue to result in TSA providing Congress
with limited information in the future. As described earlier, TSARA was
enacted to introduce greater transparency and accountability for TSA
spending decisions. 46 Because TSA’s policy for the report and
certification provision excludes reporting on task and delivery orders, TSA
misses the opportunity to inform Congress of the more routine SRT
obligations that exceed TSARA’s $30 million threshold. 47 In addition,
applying TSARA’s report and certification provision to services that result

45
  TSA issued the order simultaneous with the award of the IDIQ contract, but did not
make any mention of this in the notification it provided pursuant to TSARA. TSA did,
however, provide notification to the appropriations committees within 5 days in advance of
issuing the order.
46
 See H.R. Rep. No. 113-275, at 7; see also S. Rep. No. 113-274.
47
  Such a requirement would be consistent with the broader statutory requirement that
serves as the basis for DHS’s policy to provide 5 day advance notice to the appropriations
committees for the award of contracts, including task or delivery orders, in excess of $1
million. See, e.g., Pub. L. No. 115-141, div. F, § 507, 132 Stat. 348 (2018). However,
unlike the 5-day notice TSA provides to the appropriations committees, TSARA requires
TSA to report to its authorizing committees 30 days prior to the award of an SRT
acquisitions contract that exceeds $30 million.




Page 23                                                       GAO-19-96 TSA Acquisitions
                       in new capabilities, enhancements, or otherwise upgrade SRTs would
                       provide Congress with increased transparency and improved oversight of
                       TSA’s SRT acquisition practices.


                       TSA has not effectively communicated its implementation decisions
TSA Has Not            internally for what constitutes an SRT under TSARA. After the enactment
Effectively            of TSARA, TSA formed a working group to evaluate the act and develop
                       an implementation strategy. The resulting policy is documented in TSA’s
Communicated           TSARA Implementation Strategy Memo, published in June 2015.
Internally Its TSARA   According to TSA officials, the memo is the only formal document that
                       describes TSA’s TSARA policy. Among other things, the memo
Implementation         designates roles and responsibilities for TSARA’s requirements and
Decisions              outlines TSA’s approach to implementing each requirement.

                       To explain what constitutes an SRT for the purposes of TSARA, TSA
                       officials described various parameters to us that guide their decision-
                       making. However, not all of these parameters are documented in the
                       implementation strategy memo. Specifically, the memo states that, “To
                       support [TSARA] and ensure Congress is receiving the necessary
                       information regarding critical TSA acquisitions, TSA will focus on security
                       screening related technologies. This ensures the necessary actions are
                       implemented for those technologies the public directly interacts with (i.e.
                       is impacted by).” TSA officials clarified for us that technologies the public
                       does not directly interact with or that do not otherwise impact the public in
                       some physical manner, such as STIP and Secure Flight, are not
                       considered SRT and thus not subject to TSARA, but this distinction is not
                       clearly documented. 48 Further, the memo does not explicitly explain which
                       technologies are considered SRT and which are not. For example, TSA
                       officials told us that SRT under TSARA excludes software such as
                       updates to threat detection algorithms, and other associated services
                       such as STIP, but this is not documented in the memo.

                       TSA acquisition program staff are responsible for determining if a new
                       acquisition qualifies as SRT under TSARA and initiating TSA’s

                       48
                         According to TSA officials, another reason that STIP is not considered an SRT under
                       TSARA is that TSA does not procure any equipment for the screening and inspection of
                       persons, property, and credentials under the program. For reasons similar to STIP, TSA
                       does not consider Secure Flight—its passenger prescreening program that screens
                       passenger-supplied information against watchlists maintained by the U.S. government to
                       identify potential threats to the Nation’s civil aviation system—to be an SRT.




                       Page 24                                                     GAO-19-96 TSA Acquisitions
             congressional notification process. TSA officials stated that program staff
             rely upon the TSARA Implementation Strategy Memo to make these
             decisions. During our review, TSA’s acquisition program staff were initially
             unable to confirm in all instances whether the security-related equipment
             they had acquired were subject to TSARA. Over the course of our review,
             TSA officials clarified the application of TSARA’s SRT definition to us and
             based on our inquiries, confirmed a list of existing technologies that are
             considered SRT. However, this information has not been documented in
             the TSARA Implementation Strategy Memo. TSA officials explained that
             there was a lot of activity after TSARA was initially enacted to determine
             how to comply with TSARA, but after the implementation working group
             disbanded, activity subsequently faded. Consequently, the
             implementation strategy memo has not been updated since its initial
             distribution in June 2015. TSA officials stated that they plan to update the
             implementation strategy memo by the end of calendar year 2018 to reflect
             the new offices responsible for implementing TSARA’s requirements due
             to an internal reorganization. 49

             Effective information and communication are vital for an entity to achieve
             its objectives. Standards for Internal Control in the Federal Government
             states that management should document policies in the appropriate level
             of detail and internally communicate the necessary quality information to
             achieve the entity’s objectives. In the absence of a policy that clearly
             states what constitutes an SRT and with several large acquisitions
             pending, TSA may be missing an opportunity to ensure effective and
             consistent implementation of TSARA. 50


             TSA spends hundreds of millions of dollars each year developing,
Conclusion   acquiring, deploying, and maintaining technologies in furtherance of its
             mission to ensure civil aviation security. Through TSARA, Congress
             sought to address challenges faced by TSA in effectively managing its
             acquisitions and procurements by specifying measures for TSA to

             49
               TSA officials also reported in July 2018 that they will clarify the definition of SRT and the
             meaning of “impacting the public” within the revised Implementation Strategy Memo;
             however, TSA has yet to make such a modification.
             50
               TSA officials reported that the agency will have several large SRT acquisitions in fiscal
             year 2019. For example, TSA continues to prepare for the broader deployment of
             Computed Tomography units and will likely finalize a request for vendors to submit
             proposals for Computed Tomography acquisition contracts in 2019. TSA also plans on
             awarding additional medium speed explosives detection systems contracts in 2019.




             Page 25                                                          GAO-19-96 TSA Acquisitions
                      implement that align with identified acquisition best practices and
                      increase the transparency and accountability of TSA’s SRT acquisitions.
                      Overall, TSA has policies and procedures in place to accomplish many of
                      the reforms sought by TSARA, but more could be done to improve the
                      transparency of its spending on SRTs. Specifically, reporting on individual
                      task and delivery orders as well as associated services under TSARA’s
                      report and certification provision would help TSA ensure that Congress
                      has timely information it could use to effectively oversee TSA
                      acquisitions. TSA took a positive step towards greater transparency on
                      SRT spending with its first notifications to Congress in August 2018—in
                      accordance with its policy—, but TSA’s existing policy does not require
                      similar notification for associated services or for individual task and
                      delivery orders issued that exceed $30 million.

                      Further, while TSA developed the TSARA Implementation Strategy
                      Memo, which serves as TSA’s policy for implementing TSARA,
                      designated roles and responsibilities for TSARA’s requirements, and
                      outlined TSA’s approach to implement each requirement, TSA has not
                      clearly documented and internally communicated its parameters on what
                      constitutes an SRT under TSARA. With several large acquisitions
                      pending, clear guidance would better assure that staff understand how
                      TSARA’s reporting requirements apply. In the absence of updated
                      internal policy to clearly communicate what is or is not an SRT, TSA will
                      continue to be at risk of inconsistent and incomplete implementation of
                      TSARA.


                      We are making the following three recommendations to TSA:
Recommendations for
Executive Action      The TSA Administrator should revise TSA’s policy to require that TSA
                      also submit information under TSARA’s report and certification provision
                      prior to the award of contracts and blanket purchase agreements for
                      services associated with the operation of security-related technology,
                      such as maintenance and engineering services, that exceed $30 million.
                      (Recommendation 1)

                      The TSA Administrator should revise TSA’s policy to require that TSA
                      also submit information under TSARA’s report and certification provision
                      prior to the issuance of individual task and delivery orders for security-
                      related technology acquisitions that exceed $30 million.
                      (Recommendation 2)




                      Page 26                                             GAO-19-96 TSA Acquisitions
                     The TSA Administrator should clarify and document what constitutes an
                     SRT under TSARA as part of the planned update of TSA’s TSARA
                     implementation policy. (Recommendation 3)


                     We provided a draft of this product to DHS for comment. In its comments,
Agency Comments      reproduced in appendix II, DHS generally concurred with each of the
and our Evaluation   three recommendations and described steps it plans to take to implement
                     them. TSA also provided technical comments, which we incorporated as
                     appropriate.

                     While DHS concurred with our recommendation to revise TSA's policy to
                     include reporting on contracts over $30 million for services associated
                     with the operation of security-related technology, in its letter, DHS stated
                     that not all services associated with an SRT should be subject to
                     TSARA's reporting requirements. Specifically, it noted that TSA will revise
                     policy language and instructions to ensure that the justification analysis
                     and certification analysis required under TSARA is submitted prior to the
                     award contracts and blanket purchase agreements for services that would
                     result in new capabilities, enhancements, or otherwise upgrade SRT. It
                     distinguishes these services from services that are indirectly related to the
                     SRT or used to keep the SRT operational, such as deployment and
                     system integration.

                     We agree with this distinction and do not consider all of the associated
                     services mentioned in this report as necessary for inclusion in TSA’s
                     revised policy. Further, we recognize that TSA, in conjunction with
                     feedback from Congress, is best positioned to determine the services
                     included in its revised policy for reporting under TSARA, consistent with
                     its interest in avoiding duplicative or administratively burdensome
                     reporting and delays in the acquisition process. We are encouraged by
                     DHS’s plans to implement this recommendation and its recognition that
                     the additional information will provide Congress with increased
                     transparency and an opportunity for more effective oversight of TSA’s
                     acquisitions.

                     DHS also described planned actions to address our recommendation to
                     revise TSA’s policy to include reporting on individual task and delivery
                     orders that exceed $30 million. DHS expects to complete the revisions by
                     September 30, 2019. If implemented, this action should provide Congress
                     with greater transparency over TSA’s SRT acquisitions.




                     Page 27                                              GAO-19-96 TSA Acquisitions
DHS also noted that, in accordance with our recommendation to update
its implementation guidance, it plans to (1) clarify and document what
constitutes an SRT under TSARA and (2) document all offices
responsible for implementing TSARA’s requirements in its TSARA
implementation strategy memo by September 30, 2019. If implemented,
guidance that is clear and documented will better assure that staff across
all DHS offices will understand how to consistently implement TSARA.


We are sending copies of this report to the appropriate congressional
committees and the Secretary of Homeland Security. In addition, the
report is available at no charge on the GAO website at
http://www.gao.gov.

If you or your staff have any questions concerning this report, please
contact me at (202) 512-8777 or russellw@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. GAO staff who made significant
contributions to this report are listed in Appendix III.




W. William Russell, Acting Director,
Homeland Security and Justice




Page 28                                            GAO-19-96 TSA Acquisitions
Appendix I: Transportation Security
                                           Appendix I: Transportation Security
                                           Acquisition Reform Act Requirements



Acquisition Reform Act Requirements

                                           In tables three through eight, we identify the requirements of the
                                           Transportation Security Acquisition Reform Act (TSARA), as enacted on
                                           December 18, 2014. 1

Table 3: The Strategic Five-Year Technology Investment Plan 6 U.S.C. § 563

Statute              Requirement
6 U.S.C.             The Transportation Security Administrator (TSA) Administrator shall, within 180 days of the Transportation
§563(a)              Security Acquisition Reform Act’s (TSARA) enactment (enacted Dec. 18, 2014), develop and submit to
                     Congress a strategic 5-year technology investment plan (the Plan).
                         •    The Plan may include a classified addendum to report sensitive transportation security risks,
                              technology vulnerabilities, or other sensitive security information.
                         •    To the extent possible, the plan shall be published in an unclassified format in the public domain.
§ 563(b)             The Administrator shall develop the Plan in consultation with (1) the Under Secretary for Management, (2) the
                     Under Secretary for Science and Technology, (3) the Chief Information Officer, and (4) with the aviation
                     industry stakeholder advisory committee established by the Administrator.
§ 563(c)             The Administrator must obtain approval of the DHS Secretary prior to publishing the unclassified Plan in the
                     public domain.
§563(d)              The Plan shall include—
§ 563(d)(1)          An analysis of transportation security risks and the associated capability gaps that would be best addressed by
                                                                                                                                   a
                     security-related technology, including consideration of the most recent quadrennial homeland security review.
§ 563(d)(2)          A set of security-related acquisition technology needs that is prioritized based on risk and associated capability
                     gaps identified by the analysis completed under § 563(d)(1) and includes planned technology programs and
                     projects with defined objectives, goals, timelines, and measures.
§ 563(d)(3)          An analysis of current and forecast trends in domestic and international passenger travel.
§ 563(d)(4)          An identification of currently deployed security-related technologies that are at or near the end of their
                     lifecycles.
§ 563(d)(5)          An identification of test, evaluation, modeling, and simulation capabilities including target methodologies,
                     rationales, and timelines necessary to support the acquisition of the security-related technologies expected to
                     meet the needs under § 563(d)(2).
§ 563(d)(6)          An identification of opportunities for public-private partnerships, small and disadvantaged company
                     participation, intra government collaboration, university centers of excellence, and national laboratory
                     technology transfer.



                                           1
                                            See Pub. L. No. 113-245, 128 Stat. 2871 (2014). Specifically, section 3(a) of TSARA
                                           amends title XVI of the Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat.
                                           2312 (2002), as amended, by adding section 1601 and sections 1611 through 1616, which
                                           may also be found at 6 U.S.C. §§ 561, 563-563e. In this report, references to TSARA will
                                           generally be cited to title 6 of the U.S. Code unless otherwise indicated. Section 3(c) of
                                           TSARA further provides that nothing in the section 3 should be construed to affect any
                                           amendment made by title XVI of the Homeland Security Act as in effect before TSARA’s
                                           enactment. This Appendix and the Tables therein, do not reflect amendments to the
                                           statute made through the TSA Modernization Act, which was enacted as part of the FAA
                                           Reauthorization Act of 2018 on October 5, 2018. See Pub. L. No 115-254, div. K, tit. I,
                                           subtit. B § 1917, 132 Stat. 3186 (2018).




                                           Page 29                                                          GAO-19-96 TSA Acquisitions
                                                                Appendix I: Transportation Security
                                                                Acquisition Reform Act Requirements




 Statute                          Requirement
 § 563(d)(7)                      An identification of the TSA’s acquisition workforce needs for the management of planned security-related
                                  technology acquisitions, including consideration of leveraging acquisition expertise of other federal agencies.
 § 563(d)(8)                      An identification of the security resources, including information security resources, that will be required to
                                  protect security-related technology from physical or cyber theft, diversion, sabotage, or attack.
 § 563(d)(9)                      An identification of initiatives to streamline TSA’s acquisition process and provide greater predictability and
                                  clarity to small, medium, and large businesses, including the timeline for testing and evaluation.
 § 563(d)(10)                     An assessment of the impact to commercial aviation passengers.
 § 563(d)(11)                     A strategy for consulting airport management, air carrier representatives, and Federal security directors
                                  whenever an acquisition will lead to the removal of equipment at airports, and how the strategy for consulting
                                  with such officials of the relevant airports will address potential negative impacts on commercial passengers or
                                  airport operations.
 § 563(d)(12)                     In consultation with the National Institutes of Standards and Technology an identification of security-related
                                  technology interface standards, in existence or if implemented could promote more interoperable passenger,
                                  baggage, and cargo screening systems.
 § 563(e)                         The Plan shall, to the extent possible and in a manner consistent with fair and equitable practices—


 § 563(e)(1)                      Leverage emerging technology trends and research and development investment trends within the public and
                                  private sectors.
 § 563(e)(2)                      Incorporate private sector input, including from the aviation industry advisory committee established by the
                                  Administrator, through requests for information, industry days, and other innovative means consistent with the
                                  Federal Acquisition Regulation.
 § 563(e)(3)                      In consultation with the Under Secretary for Science and Technology, identify technologies in existence or in
                                  development that, with or without adaptation, are expected to be suitable to meeting mission needs.
 § 563(f)                         The Administrator shall include with the Plan a list of nongovernment persons that contributed to the writing of
                                  the Plan.
 § 563(g)                         Beginning 2 years after the date the Plan is submitted to Congress under § 563(a), and biennially thereafter,
                                  the Administrator shall submit to Congress—
                                      •   An update of the plan.
                                      •   A report on the extent to which each security-related technology acquired by TSA since the last
                                          issuance or update of the Plan is consistent with the planned technology program and projects
                                          identified under § 563(d)(2) for that security-related technology.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96
                                                                a
                                                                 See 6 U.S.C. § 347 (requiring, in general, that the Secretary of Homeland Security conduct a review
                                                                of the homeland security of the nation every 4 years).




                                                                Page 30                                                              GAO-19-96 TSA Acquisitions
                                                                Appendix I: Transportation Security
                                                                Acquisition Reform Act Requirements




Table 4: Acquisition Justification 6 U.S.C. § 563

 Statute                        Requirement
 6 U.S.C.                       Before the Transportation Security Administration (TSA) implements any security-related technology acquisition,
 § 563a(a)                      the Administrator, in accordance with Department of Homeland Security (DHS) policies and directives, shall
                                determine whether the acquisition is justified by conducting an analysis that includes—
 § 563a(a)(1)                   An identification of the scenarios and level of risk to transportation security from those scenarios that would be
                                addressed by the security-related technology acquisition.
 § 563a(a)(2)                   An assessment of how the proposed acquisition aligns to the strategic 5-year technology investment plan (the
                                Plan).
 § 563a(a)(3)                   A comparison of the total expected lifecycle cost against the total expected quantitative and qualitative benefits
                                to transportation security.
 § 563a(a)(4)                   An analysis of alternative security solutions, including policy or procedure solutions, to determine if the
                                proposed security-related technology acquisition is the most effective and cost-efficient solution based on cost-
                                benefit considerations.
 § 563a(a)(5)                   An assessment of the potential privacy and civil liberties implications of the proposed acquisition that includes,
                                to the extent practicable, consultation with organizations that advocate for the protection of privacy and civil
                                liberties.
 § 563a(a)(6)                   A determination that the proposed acquisition is consistent with fair information practice principles issued by the
                                DHS Privacy Officer.
 § 563a(a)(7)                   Confirmation that there are no significant risks to human health or safety posed by the proposed acquisition.
 § 563a(a)(8)                   An estimate of the benefits to commercial aviation passengers.
 § 563a(b)(1)                   Not later than the end of the 30-day period preceding the award by TSA of a contract for any security-related
                                technology acquisition exceeding $30 million, the Administrator shall submit to the Committee on Commerce,
                                Science, and Transportation of the Senate and the Committee on Homeland Security of the House of
                                Representatives (the Committees) the results of the comprehensive acquisition justification under § 563a(a) and
                                a certification by the Administrator that the benefits to transportation security justify the contract cost.
 § 563a(b)(2)                   If there is a known or suspected imminent threat to transportation security, the Administrator may reduce the 30-
                                day period under § 563a(b)(1) to 5 days to rapidly respond to the threat and shall immediately notify the
                                Committees of the known or suspected imminent threat.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96




                                                                Page 31                                                GAO-19-96 TSA Acquisitions
                                          Appendix I: Transportation Security
                                          Acquisition Reform Act Requirements




Table 5: Baseline Requirements 6 U.S.C. § 563b

Statute                 Requirement
6 U.S.C.                Before the Transportation Security Administration (TSA) implements any security-related technology
§ 563b(a)(1)            acquisition, the appropriate acquisition official of the Department shall establish and document a set of
                        formal baseline requirements.
§563b(a)(2)             The baseline requirements under § 563b(a)(1) shall—
§ 563b(a)(2)(A)         Include the estimated costs (including lifecycle costs), schedule, and performance milestones for the
                        planned duration of the acquisition.
§ 563b(a)(2)(B)         Identify the acquisition risks and a plan for mitigating those risks.
§ 563b(a)(2)(C)         Assess the personnel necessary to manage the acquisition process, manage the ongoing program, and
                        support training and other operations as necessary.
§ 563b(a)(3)            In establishing the performance milestones under § 563b(a)(2)(A), the appropriate acquisition official of the
                        Department, to the extent possible and in consultation with the Under Secretary for Science and
                        Technology, shall ensure that achieving those milestones is technologically feasible.
§563b(a)(4)             The Administrator, in consultation with the Under Secretary for Science and Technology, shall develop a
                        test and evaluation plan that describes—
§ 563b(a)(4)(A)         The activities that are expected to be required to assess acquired technologies against the performance
                        milestones established under § 563b(a)(2)(A).
§ 563b(a)(4)(B)         The necessary and cost-effective combination of laboratory testing, field testing, modeling, simulation, and
                        supporting analysis to ensure that such technologies meet TSA’s mission needs.
§ 563b(a)(4)(C)         An efficient planning schedule to ensure that test and evaluation activities are completed without undue
                        delay.
§ 563b(a)(4)(D)         If commercial aviation passengers are expected to interact with the security-related technology, methods
                        that could be used to measure passenger acceptance of and familiarization with the security-related
                        technology.
§ 563b(a)(5)            The appropriate acquisition official of the Department—
                            •   Subject to § 563b(a)(5)(B), shall utilize independent reviewers to verify and validate the
                                performance milestones and cost estimates developed under paragraph § 563b(a)(2) for a
                                security-related technology that pursuant to § 563(d)(2) has been identified as a high priority need
                                in the most recent Plan.
                            •   Shall ensure that the use of independent reviewers does not unduly delay the schedule of any
                                acquisition.
§ 563b(a)(6)            The Administrator shall establish a streamlined process for an interested vendor of a security-related
                        technology to request and receive appropriate access to the baseline requirements and test and evaluation
                        plans that are necessary for the vendor to participate in the acquisitions process for that technology.
§ 563b(b)(1)(A)         The appropriate acquisition official of the Department shall review and assess each implemented
                        acquisition to determine if the acquisition is meeting the baseline requirements established under §
                        563b(a).
                        The review shall include an assessment of whether—
                            •     The planned testing and evaluation activities have been completed.
                            •     The results of that testing and evaluation demonstrate that the performance milestones are
                                  technologically feasible.




                                          Page 32                                                         GAO-19-96 TSA Acquisitions
                                                                Appendix I: Transportation Security
                                                                Acquisition Reform Act Requirements




 Statute                               Requirement
 § 563b(b)(2)                          Not later than 30 days after making a finding that the actual or planned costs exceed the baseline costs by
                                       more than 10 percent; the actual or planned schedule for delivery has been delayed by more than 180
                                       days; or there is a failure to meet any performance milestones that directly impacts security effectiveness
                                       (that is, a breach finding), the Administrator shall submit a report to the Committee on Commerce, Science,
                                       and Transportation of the Senate and the Committee on Homeland Security of the House of
                                       Representatives that includes—
                                            •     The results of any assessment that finds a breach.
                                            •     The cause for such excessive costs, delay, or failure.
                                            •     A plan for corrective action.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96




                                                                Page 33                                               GAO-19-96 TSA Acquisitions
                                                                Appendix I: Transportation Security
                                                                Acquisition Reform Act Requirements




Table 6: Inventory Management 6 U.S.C. § 563c

 Statute                   Requirement
 6 U.S.C.                  Before the procurement of additional quantities of equipment to fulfill a mission need, the Administrator, to the
 § 563c(a)                 extent practicable, shall utilize any existing units in the Transportation Security Administration inventory to meet that
                           need.
 § 563c(b)(1)              The Administrator shall establish a process for tracking—
                               •  The location of security-related equipment in the inventory under § 563c(a).
                               •  The utilization status of security-related technology in the inventory under § 563c(a).
                               •  The quantity of security-related equipment in the inventory under § 563c(a).
 § 563c(b)(2)              The Administrator shall implement internal controls to ensure up-to-date accurate data on security-related
                           technology owned, deployed, and in use.
 § 563c(c)(1)              The Administrator shall establish logistics principles for managing inventory in an effective and efficient manner.
 § 563c(c)(2)              The Administrator may not use just-in-time logistics if doing so (A) would inhibit necessary planning for large-scale
                           delivery of equipment to airports or other facilities; or (B) would unduly diminish surge capacity for response to a
                           terrorist threat.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96




                                                                Page 34                                                GAO-19-96 TSA Acquisitions
                                                                Appendix I: Transportation Security
                                                                Acquisition Reform Act Requirements




Table 7: Small Business Contracting Goals Report 6 U.S.C. § 563d

  Statute                 Requirement
  6 U.S.C.                Not later than 90 days after the date of enactment of the Transportation Security Acquisition Reform Act, and
  § 563d                  annually thereafter, the Transportation Security Administration (TSA) Administrator shall submit a report to the
                          Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of
                          the House of Representatives that includes—
  § 563d(1)               TSA’s performance record with respect to meeting its published small-business contracting goals during the
                          preceding fiscal year.
  § 563d(2)               If the goals described in § 563d(1) were not met or TSA’s performance was below the published small business
                          contracting goals of the Department of Homeland Security (DHS)—
  § 563d(2)(A)            A list of challenges, including deviations from TSA’s subcontracting plans, and factors that contributed to the level of
                          performance during the preceding fiscal year.
  § 563d(2)(B)            An action plan, with benchmarks, for addressing each of the challenges identified in § 563d(2)(A) that—
  § 563d(2)(B)(i)         Is prepared after consultation with the Secretary of Defense and the heads of federal departments and agencies that
                          achieved their published goals for prime contracting with small and minority-owned businesses, including small and
                          disadvantaged businesses, in prior fiscal years.
  § 563d(2)(B)(ii) Identifies policies and procedures that could be incorporated by TSA in furtherance of achieving TSA’s published
                   goal for such contracting.
  § 563d(3)               A status report on the implementation of the action plan that was developed in the preceding fiscal year in
                          accordance with § 563d(2)(B), if such a plan was required.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96




Table 8: Federal Acquisition Regulation Consistency 6 U.S.C. § 563e

 Statute                        Requirement
 6 U.S.C.                       The TSA Administrator shall execute the responsibilities set forth in §§ 563-563d in a manner consistent with,
 § 563e                         and not duplicative of, the Federal Acquisition Regulation and Department of Homeland Security’s policies and
                                directives.
Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96




                                                                Page 35                                              GAO-19-96 TSA Acquisitions
Appendix II: Comments from the Department
             Appendix II: Comments from the Department
             of Homeland Security



of Homeland Security




             Page 36                                     GAO-19-96 TSA Acquisitions
Appendix II: Comments from the Department
of Homeland Security




Page 37                                     GAO-19-96 TSA Acquisitions
Appendix II: Comments from the Department
of Homeland Security




Page 38                                     GAO-19-96 TSA Acquisitions
Appendix II: Comments from the Department
of Homeland Security




Page 39                                     GAO-19-96 TSA Acquisitions
Appendix III: GAO Contact and Staff
                   Appendix III: GAO Contact and Staff
                   Acknowledgements



Acknowledgements


                   W. William Russell, 202-512-8777 or russellw@gao.gov
GAO Contact
                   In addition to the contact named above, Kevin Heinz (Assistant Director),
Staff              Amber Edwards (Analyst-in-Charge), Winchee Lin, Cristina Norland,
Acknowledgements   Richard Hung, Thomas Lombardi, Amanda Miller, and Richard
                   Cederholm made key contributions to this report.




(102356)
                   Page 40                                            GAO-19-96 TSA Acquisitions
                         The Government Accountability Office, the audit, evaluation, and investigative
GAO’s Mission            arm of Congress, exists to support Congress in meeting its constitutional
                         responsibilities and to help improve the performance and accountability of the
                         federal government for the American people. GAO examines the use of public
                         funds; evaluates federal programs and policies; and provides analyses,
                         recommendations, and other assistance to help Congress make informed
                         oversight, policy, and funding decisions. GAO’s commitment to good government
                         is reflected in its core values of accountability, integrity, and reliability.

                         The fastest and easiest way to obtain copies of GAO documents at no cost is
Obtaining Copies of      through GAO’s website (https://www.gao.gov). Each weekday afternoon, GAO
GAO Reports and          posts on its website newly released reports, testimony, and correspondence. To
                         have GAO e-mail you a list of newly posted products, go to https://www.gao.gov
Testimony                and select “E-mail Updates.”

Order by Phone           The price of each GAO publication reflects GAO’s actual cost of production and
                         distribution and depends on the number of pages in the publication and whether
                         the publication is printed in color or black and white. Pricing and ordering
                         information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
                         Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                         TDD (202) 512-2537.
                         Orders may be paid for using American Express, Discover Card, MasterCard,
                         Visa, check, or money order. Call for additional information.

                         Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO         Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                         Visit GAO on the web at https://www.gao.gov.

                         Contact:
To Report Fraud,
                         Website: https://www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in
                         Automated answering system: (800) 424-5454 or (202) 512-7700
Federal Programs
                         Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400,
Congressional            U.S. Government Accountability Office, 441 G Street NW, Room 7125,
Relations                Washington, DC 20548

                         Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs           U.S. Government Accountability Office, 441 G Street NW, Room 7149
                         Washington, DC 20548

                         James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707
Strategic Planning and   U.S. Government Accountability Office, 441 G Street NW, Room 7814,
External Liaison         Washington, DC 20548




                            Please Print on Recycled Paper.