United States Government Accountability Office Report to Congressional Committees TRANSPORTATION January 2019 SECURITY ACQUISITION REFORM ACT TSA Generally Addressed Requirements, but Could Improve Reporting on Security- Related Technology GAO-19-96 January 2019 TRANSPORTATION SECURITY ACQUISITION REFORM ACT TSA Generally Addressed Requirements, but Could Highlights of GAO-19-96, a report to Improve Reporting on Security-Related Technology congressional committees Why GAO Did This Study What GAO Found Enacted in December 2014, TSARA Since 2016, the Transportation Security Administration (TSA) generally introduced legislative reforms to addressed Transportation Security Acquisition Reform Act (TSARA) promote greater transparency and requirements through its policies and procedures for acquisition justifications, accountability in TSA’s SRT baseline requirements, and management of inventory. TSA also, among other acquisitions. actions, submitted a technology investment plan and annual small-business contracting goals reports to Congress as required. TSARA contains a provision that GAO submit two reports to Congress on Since December 2014, TSA reported limited security-related technology (SRT) TSA’s progress in implementing acquisitions to Congress under TSARA, submitting its first report in August 2018. TSARA. In February 2016, GAO TSARA contains a report and certification provision pursuant to which TSA is to issued the first report that found TSA submit information to Congress 30 days prior to the award of a contract for an had taken actions to address TSARA. SRT acquisition exceeding $30 million. Through July 2018, TSA obligated about This second report examines TSA’s (1) $1.4 billion on SRT and associated services. TSA officials explained that none of progress in addressing TSARA these obligations—including 7 SRT orders, each in excess of $30 million— requirements since 2016, (2) reporting invoked the report and certification provision because the obligations did not to Congress on SRT acquisitions, and align with TSA’s implementation policy, which provides that the $30 million (3) internal communication of its threshold relates to the contract ceiling of the initial SRT contract and not to implementation decisions. GAO individual task and delivery orders. Revising TSA’s policy to include contracts for examined TSARA and TSA documents services that enhance the capabilities of SRT, including any orders for SRT and and guidance; analyzed TSA contract associated services in excess of $30 million, would better ensure that Congress data and reports from TSARA’s has the information it needs to effectively oversee TSA’s SRT acquisitions. enactment in December 2014 through July 2018 and September 2018, TSA has not effectively communicated internally its implementation decisions for respectively; and interviewed DHS and what constitutes an SRT under TSARA. TSA officials described to GAO that SRT TSA officials on actions taken to must be equipment that is public facing, but TSA’s policy does not clearly state implement TSARA. GAO also the parameters of what is considered an SRT. Without clear guidance, TSA staff conducted interviews with TSA officials may be unaware of these parameters and how they apply to future acquisitions on parameters for reporting on SRT under TSARA. For example, TSA acquisition program staff were initially unable acquisitions. to confirm for GAO whether the technologies TSA had acquired were SRTs and thus subject to TSARA. Updating TSA policy to include detailed parameters for What GAO Recommends what constitutes an SRT would better ensure consistency in applying the act. GAO recommends that TSA revise its Examples of Security-Related Technology policies for the report and certification provision of TSARA to include reporting on task and delivery orders and services associated with SRT, and clarify in policy what constitutes an SRT under TSARA. DHS generally concurred with the recommendations and described steps it plans to take to implement them. View GAO-19-96. For more information, contact William Russell at (202) 512-8777 or russellw@gao.gov. United States Government Accountability Office Contents Letter 1 Background 4 TSA Generally Addressed TSARA Requirements 9 TSA’s Narrow Application of TSARA Has Resulted in Limited Reporting to Congress on SRT-related Acquisitions 14 TSA Has Not Effectively Communicated Internally Its TSARA Implementation Decisions 24 Conclusion 25 Recommendations for Executive Action 26 Agency Comments and our Evaluation 27 Appendix I Transportation Security Acquisition Reform Act Requirements 29 Appendix II Comments from the Department of Homeland Security 36 Appendix III GAO Contact and Staff Acknowledgements 40 Tables Table 1: Transportation Security Administration Contract Obligations for Security-Related Technology (SRT) and Associated Services, December 18, 2014 through July 31, 2018 16 Table 2: Transportation Security Administration (TSA) Policy for What Constitutes a Security-Related Technology (SRT) and a Contract Award for an SRT Acquisition Under the Transportation Security Acquisition Reform Act (TSARA) 17 Table 3: The Strategic Five-Year Technology Investment Plan 6 U.S.C. § 563 29 Table 4: Acquisition Justification 6 U.S.C. § 563 31 Table 5: Baseline Requirements 6 U.S.C. § 563b 32 Table 6: Inventory Management 6 U.S.C. § 563c 34 Table 7: Small Business Contracting Goals Report 6 U.S.C. § 563d 35 Table 8: Federal Acquisition Regulation Consistency 6 U.S.C. § 563e 35 Page i GAO-19-96 TSA Acquisitions Figures Figure 1: Examples of Security-Related Technology Acquired by the Transportation Security Administration 6 Figure 2: Department of Homeland Security (DHS) Acquisition Life Cycle for Acquisition Programs 7 Figure 3: Video of the Transportation Security Administration Innovation Task Force Demonstration of Automated Screening Lanes 13 Figure 4: Example of the Timeline for a Transportation Security Administration (TSA) Explosives Detection Systems Contract 22 Abbreviations AIT Advanced Imaging Technology DHS Department of Homeland Security EDS Explosives Detection System FPDS-NG Federal Procurement Data System-Next Generation IDIQ Indefinite-Delivery/Indefinite-Quantity SRT Security-Related Technology STIP Security Technology Integrated Program TSA Transportation Security Administration TSARA Transportation Security Acquisition Reform Act This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-19-96 TSA Acquisitions Letter 441 G St. N.W. Washington, DC 20548 January 17, 2019 The Honorable Roger F. Wicker Chairman The Honorable Maria Cantwell Ranking Member Committee on Commerce, Science, and Transportation United States Senate The Honorable Bennie G. Thompson Chairman The Honorable Mike Rogers Ranking Member Committee on Homeland Security House of Representatives The Transportation Security Administration (TSA) relies on security- related screening technologies–such as explosives detection systems–to deter, detect, and prevent prohibited items on board commercial aircraft. TSA, a component of the Department of Homeland Security (DHS), anticipates spending a significant portion of its $3.6 billion security capability acquisition budget on these technologies by fiscal year 2020. 1 Such technologies are vital to TSA efforts to prevent a terrorist attack on an aircraft using explosives or other prohibited items. In 2017, TSA was responsible for the screening of about 2.4 million passengers, 4.4 million carry-on bags, and 1.2 million checked bags at over 440 TSA-regulated airports in the United States on an average day. In past work, we found that TSA encountered challenges in effectively acquiring and deploying passenger and checked baggage screening technologies and had not consistently implemented DHS policy and best practices for procurement. 2 Additionally, Congress has recognized that TSA historically faced challenges in meeting key performance requirements for several major acquisitions and procurements, resulting in reduced security effectiveness and inefficient expenditures among 1 TSA, Strategic Five-Year Technology Investment Plan for Aviation Security: 2015 Report to Congress (Aug.12, 2015). 2 GAO, Advanced Imaging Technology: TSA Needs Additional Information before Procuring Next-Generation Systems, GAO-14-357 (Washington, D.C.: Mar. 31, 2014). Page 1 GAO-19-96 TSA Acquisitions other things. 3 Enacted in December 2014, the Transportation Security Acquisition Reform Act (TSARA) introduced legislative reforms to promote greater transparency and accountability with respect to TSA’s acquisitions of security-related technology (SRT). 4 Under TSARA, we were directed to submit a report to Congress not later than 1 year after enactment, and are to submit a subsequent report 3 years thereafter, evaluating TSA’s progress in implementing the act. 5 We provided Congress with the first report in February 2016. We found that TSA was using its existing acquisitions policies, among other actions, to meet TSARA requirements. 6 This second report examines (1) TSA’s progress in addressing TSARA requirements since 2016, (2) the extent to which TSA reports to Congress on security-related technology acquisitions under TSARA, and (3) the extent to which TSA internally communicates its TSARA implementation decisions. To determine TSA’s progress in addressing TSARA requirements since 2016, we reviewed any updated policy documents and interviewed officials from DHS and TSA with responsibilities for implementing TSARA to gain insights on the extent to which TSA’s policies and procedures have changed since our February 2016 report. In addition, to determine the extent to which TSA addressed the requirements for the Strategic Five-Year Technology Investment Plan (technology investment plan) and 3 See, e.g., H.R. Rpt. No. 113-275 (Nov. 21, 2013); (accompanying H.R. 2719, 113th Cong. (1st Sess. 2013)); S. Rep. No. 113-274 (Nov. 17, 2014) (accompanying S. 1893, 113th Cong. (2d Sess. 2013)). 4 See Pub. L. No. 113-245, 128 Stat. 2871 (2014). (amending title XVI of the Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135). See also H.R. Rep. No. 113- 275, at 7. TSARA defines “security-related technology” as any technology that assists TSA in the prevention of, or defense against, threats to United States transportation systems, including threats to people, property, and information.6 U.S.C. § 561(4). Unless otherwise indicated, reference to specific provisions of TSARA will be cited using the U.S. Code. 5 See Pub. L. No. 113-245, § 4(b), 128 Stat. at 2878. 6 We submitted a draft of the first report to the Chairmen and Ranking Members of the Committee on Commerce, Science, and Transportation United States Senate and the Committee on Homeland Security House of Representatives on December 18, 2015, in accordance with TSARA, and subsequently issued a final report that incorporated agency comments in February of 2016. See GAO, Transportation Security: TSA Has Taken Actions to Address Transportation Security Acquisition Reform Act Requirements, GAO-16-285 (Washington D.C.: Feb 17, 2016). See GAO-16-285 appendix I: Status of TSA Efforts to Address TSARA Requirements, for a list of TSARA’s requirements and the status of each requirement at the time of issuance. Page 2 GAO-19-96 TSA Acquisitions the small business contracting reports in TSARA, we reviewed TSA’s technology investment plan and TSA’s fiscal years 2015 through 2017 small business contracting reports. Specifically, we (1) analyzed the updated technology investment plan and small business reports against TSARA’s requirements and (2) interviewed agency officials to provide insights into the procedures they used to develop the technology investment plan and the small business report. To determine whether TSA is able to ensure it executes its responsibilities under TSARA in a manner consistent with and not duplicative of the Federal Acquisition Regulation and departmental policies and directives, we reviewed TSA’s TSARA Implementation Strategy Memo and supporting documentation, and interviewed DHS and TSA acquisition officials to verify that policies contain such assurances. 7 We also interviewed security industry representatives to gain their perspective on the usefulness of TSA’s technology investment plan. To determine the extent that TSA reports to Congress on SRT acquisitions under TSARA, we reviewed TSA’s TSARA Implementation Strategy Memo—which recognizes awards for both indefinite-quality contracts and blanket purchase agreements as subject to TSARA—and other supporting documentation to identify TSA’s policy for reporting SRT acquisitions under TSARA and obtained information that TSA submitted to Congress regarding SRT acquisitions. We interviewed agency officials to clarify information and provide insights into the rationale for TSA’s reporting policy. We also interviewed select security manufacturing vendors for their perspective on TSARA. We reviewed congressional committee reports to understand the legislative history behind TSARA. To determine TSA’s obligations for SRT-related acquisitions, we asked TSA to identify its contracts used for acquisitions of SRT and services associated with the operation of SRT. We analyzed data from Federal Procurement Data System-Next Generation (FPDS-NG) from December 18, 2014—TSARA’s date of enactment—through July 2018 on obligations for SRT contracts and task and delivery orders issued under those contracts. 8 We obtained FPDS-NG data on obligations for the same time period for contracts and orders that provide services associated with the 7 TSA, Transportation Security Acquisition Reform Act of 2014 Implementation Strategy (June 3, 2015). For the purposes of this report, this document is called the TSARA Implementation Strategy Memo, TSA’s implementation policy, or implementation strategy memo. 8 The Federal Procurement Data System-Next Generation is a comprehensive, web-based tool for government agencies to report certain contracts and associated modifications. Page 3 GAO-19-96 TSA Acquisitions installation, operation, networking, and maintenance of SRT. Additionally, we reviewed any of TSA’s TSARA-related reporting to Congress from December 18, 2014 through September 2018. We assessed the reliability of the FPDS-NG data by performing electronic testing to identify missing data or data that is out of the appropriate range and comparing it to data from TSA’s financial management and accounting system. We determined that the FPDS-NG data are sufficiently reliable for the purposes of this report. We interviewed TSA officials responsible for managing TSA’s security screening programs, related acquisitions, and the implementation of TSARA to clarify information and provide insights into the rationale for TSA’s reporting policy. To determine the extent to which TSA internally communicates its TSARA implementation decisions, we reviewed TSA’s TSARA Implementation Strategy Memo for consistency with the parameters TSA officials described for what constitutes an SRT. We interviewed TSA officials to gain insights on TSA’s implementation approach—including their parameters—and how TSA communicates that approach to staff and compared the implementation approach to relevant federal internal control standards. 9 We conducted this performance audit from November 2017 to January 2019 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The Aviation and Transportation Security Act established TSA as the Background federal agency with primary responsibility for securing the nation’s civil aviation system, which includes acquiring technology to screen and secure travelers at the nation’s TSA-regulated airports. 10 TSARA defines SRT as any technology that assists TSA in the prevention of, or defense against, threats to United States transportation systems, including threats 9 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September 2014). 10 See generally Pub. L. No. 107-71, 115 Stat. 597 (2001); 49 U.S.C. § 114. Page 4 GAO-19-96 TSA Acquisitions to people, property, and information. 11 As illustrated in figure 1, TSA acquired various SRT for passenger and baggage screening, including: • Advanced Imaging Technology (AIT)—screens passengers for metallic and nonmetallic threats; • Explosives Trace Detection—detects various types of commercial and military explosives through chemical analysis on passengers and their property; and • Explosives Detection System (EDS)—provides imaging, screening, and detection capabilities to identify possible threats in checked baggage contents. 12 11 6 U.S.C. § 561(4). 12 TSA generally does not acquire SRT for air cargo or surface transportation systems. According to TSA officials, a limited number of explosives trace detection units are purchased every few years for their air cargo testing facility. Officials stated that TSA’s air cargo and surface transportation programs largely focus on the development of security policy, industry engagement, and evaluation of research and development of relevant security technologies. In general, TSA must ensure that all cargo transported on passenger aircraft is screened using TSA-approved methods. See 49 U.S.C. § 44901(g). Page 5 GAO-19-96 TSA Acquisitions Figure 1: Examples of Security-Related Technology Acquired by the Transportation Security Administration Page 6 GAO-19-96 TSA Acquisitions DHS Acquisition Process TSA follows DHS’s policies and procedures for managing its acquisition programs, including for acquisition management, test and evaluation, and resource allocation of its SRT. TSA’s acquisition programs and policies are primarily set forth in DHS Acquisition Management Directive 102-01 (DHS’s acquisition directive) and DHS Instruction Manual 102-01-001, Acquisition Management Instruction/Guidebook. 13 DHS acquisition policy establishes that an acquisition program’s decision authority should review the program at a series of predetermined acquisition decision events to assess whether the program is ready to proceed through the acquisition life cycle phases. An acquisition program is established once it has passed through the phases that establish the acquisition need and selects an option that meets this need. Figure 2 depicts the DHS acquisition life cycle. Figure 2: Department of Homeland Security (DHS) Acquisition Life Cycle for Acquisition Programs Under DHS’s acquisition directive, TSA is to ensure, among other things, that required acquisition documents are completed. Two of these key acquisition documents are: (1) the life cycle cost estimate, which provides an exhaustive and structured accounting of all resources and associated cost elements required to develop, produce, deploy, and sustain a program; and 13 For the purposes of this report, we refer to DHS Acquisition Management Directive 102- 01 as DHS’s acquisition directive. TSA’s acquisition programs are generally subject to the Federal Acquisition Regulation, which establishes uniform acquisition policies and procedures for executive agencies, as well as the DHS Acquisition Regulation, which supplements the Federal Acquisition Regulation through additional acquisition policies and procedures for the Department. See 48 C.F.R. §§ 1.101, 3001.101. Page 7 GAO-19-96 TSA Acquisitions (2) the acquisition program baseline, which establishes a program’s cost, schedule, and performance metrics. These documents are used throughout the process to identify instances when an acquisition program exceeds cost, schedule, or performance thresholds. TSA’s acquisition policies, which supplement DHS policies, generally designate roles and responsibilities and identify the procedures that TSA is to use to implement the requirements in DHS policies. In December 2017, TSA reorganized its acquisition offices, which are responsible for implementing TSARA’s requirements, from two offices (Office of Acquisition and Office of Security Capabilities) into three offices: Requirements and Capabilities, Acquisition Program Management, and Contracting and Procurement. TSARA Requirements TSARA includes a number of requirements for TSA, including developing and submitting a biennial technology investment plan and annual small business contracting goals reports to Congress, adhering to various acquisition and inventory policies and procedures, and ensuring consistency with Federal Acquisition Regulation and departmental policies and directives. 14 TSARA also includes requirements for justifying acquisitions and establishing acquisition baselines, which largely codify aspects of DHS’s existing acquisition policy described in DHS’s acquisition directive. 15 TSA fulfills these requirements through the processes outlined in DHS’s acquisition directive when establishing a new acquisition program or modifying an existing acquisition program. See Appendix I for the list of TSARA’s requirements. 14 TSA, Strategic Five-Year Technology Investment Plan Biennial Refresh: 2017 Report to Congress (Dec. 19, 2017). TSA, Small-Business Contracting Goals Report: Fiscal Year 2015 Report to Congress (Apr. 28, 2016); TSA, Small-Business Contracting Goals Report: Fiscal Year 2016 Report to Congress (Apr. 7, 2017) and TSA, Small-Business Contracting Goals Report: Fiscal Year 2017 Report to Congress (Mar. 6, 2018). 15 See, e.g., 6 U.S.C. § 563a(a) (establishing criteria for determining whether an acquisition is justified). Page 8 GAO-19-96 TSA Acquisitions Since 2016, TSA generally addressed TSARA requirements through its TSA Generally acquisitions policies and procedures. Since our February 2016 report, Addressed TSARA TSA has also developed and issued an updated technology investment plan. Further, TSA has continued to submit an annual report to Congress Requirements on TSA’s performance record in meeting its published small business contracting goals. TSA Policies and TSA continues to address TSARA’s requirements, including those related Procedures Continue to to acquisition justifications, baseline requirements, managing inventory and consistency with regulations. In addition, TSA developed an updated Address TSARA’s technology investment plan and submitted small business contracting Requirements goals reports to Congress in accordance with TSARA. Acquisition Justifications TSARA provides that before TSA implements any SRT acquisition, the agency must, in accordance with DHS policies and directives, conduct an analysis to determine whether the acquisition is justified. 16 The analysis must include elements such as cost effectiveness and confirmation that there are no significant risks to human health or safety posed by the proposed acquisition, among others. In February 2016, we reported that DHS and TSA had policies and procedures that were in place prior to TSARA addressed each of the elements required in the analysis. 17 For example, DHS’s acquisition directive includes several of these elements in its process for establishing a new acquisition program. TSARA also includes a provision requiring TSA to submit information (i.e. report) to Congress 30 days prior to the award of a contract for an SRT acquisition over $30 million. 18 TSA established procedures that address this provision, as discussed later in this report, by developing a template for providing justifications under this provision. We found that, since 2016, TSA continues to have policies in place, such as DHS’s acquisition directive, to address the analysis-related requirements. TSA officials stated they would use these policies and procedures to address TSARA’s requirements. 16 See 6 U.S.C. § 563a(a). 17 GAO-16-285. 18 See 6 U.S.C. § 563a(b). Page 9 GAO-19-96 TSA Acquisitions Baseline Requirements TSARA requires that before TSA implements any SRT acquisition, the appropriate acquisition official from the department shall establish and document a set of formal baseline requirements and subsequently review whether acquisitions are meeting these requirements. 19 Additionally, TSARA provides that TSA must report a breach if results of any assessment find that (1) actual or planned costs exceed the baseline costs by more than 10 percent, (2) actual or planned schedule for delivery has been delayed more than 180 days, or (3) there is a failure to meet any performance milestone that directly impacts security effectiveness. 20 Pursuant to TSARA, in March 2016, TSA reported two breaches to Congress for the Passenger Screening Program and Security Technology Integrated Program (STIP), a data management system that connects transportation security equipment to a single network. 21 Further, in February 2016, we reported that TSA had policies in place that require it to prepare an acquisition program baseline, risk management plan, and staffing requirements before acquiring SRT, in accordance with TSARA requirements. 22 We found that since our February 2016 report, TSA continues to leverage the existing DHS acquisition directive to meet all of TSARA’s baseline requirements. Managing Inventory TSARA requires that TSA, among other things: • to the extent practicable, use existing units in inventory before procuring more equipment to fulfill a mission need; • track the location, use, and quantity of security-related equipment in inventory; and 19 See 6 U.S.C. § 563b(a)-(b)(1). 20 See 6 U.S.C. § 563b(b)(2) (providing further that such breach reports, which are to be submitted to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of the House of Representatives, must also include the cause for such excessive costs, delay, or failure, and a plan for corrective action). 21 The primary cause of the breach or delivery delay was the new Information Technology security requirements for the Credential Authentication Technology and the Security Technology Integrated Program that occurred after the planned schedule was set. TSA, Passenger Screening Program (PSP) and the Security Technology Integrated Program (STIP) Delivery Delay Report (Mar. 14, 2016). TSA’s plan for corrective action was to seek vendor proposals to develop cybersecurity solutions. 22 GAO-16-285. Page 10 GAO-19-96 TSA Acquisitions • implement internal controls to ensure accurate and up-to-date data on SRT owned, deployed, and in use. 23 In 2016, we reported that TSA’s policies and procedures address TSARA requirements for managing inventory. 24 We found that since our February 2016 report, TSA continues to use established policies and procedures to address TSARA’s inventory management requirements. For example, TSA continues to use the Security Equipment Management Manual, which describes the policies and procedures that require TSA to use equipment in its inventory if, for example, an airport opens a new terminal. Additionally, TSA has procedures to track the location, use, and quantity of security-related equipment in inventory, regardless of whether such equipment is in use. 25 Specifically, TSA has procedures to track the entire life cycle of equipment, including initial possession, any moves, and disposal. Further, TSA continues to use standard operating procedures developed by its Internal Control Branch, which describe TSA’s system of internal controls to conduct reviews, report, and follow-up on corrective actions. Consistency with Regulations TSARA provides that TSA must execute its acquisition-related responsibilities in a manner consistent with and not duplicative of the Federal Acquisition Regulation and DHS policies and directives. 26 In 2016, we reported that TSA’s policy documents state that TSA is required to ensure that its policies and directives are in accordance with the Federal Acquisition Regulation and DHS acquisition and inventory policies and procedures. We also reported that according to TSA’s TSARA Implementation Strategy Memo (implementation strategy memo), TSA was able to address this requirement by, among other things, forming a working group as part of an effort to ensure that TSA implemented TSARA in a manner consistent with the Federal Acquisition Regulation and DHS policies and directives. We found that no changes have been made to the implementation strategy memo since our 2016 report and TSA still has policies in place to execute the responsibilities 23 See 6 U.S.C. § 563c(a)-(b). 24 GAO-16-285. 25 TSA, Security Equipment Management Manual (Oct. 14, 2015). 26 6 U.S.C. § 563e. Page 11 GAO-19-96 TSA Acquisitions set forth in TSARA in a manner consistent with and not duplicative of the Federal Acquisition Regulation and DHS policies and directives. TSA Developed an TSARA requires TSA to develop and submit to Congress a Strategic Updated Technology Five-Year Technology Investment Plan (technology investment plan) and update it on a biennial basis. 27 The technology investment plan is to Investment Plan in include, among other things, a set of SRT acquisition needs that includes Accordance with TSARA planned technology programs and projects with defined objectives, goals, timelines and measures, and an identification of currently deployed SRTs that are at or near the end of their life cycles. In August 2015, TSA developed and submitted to Congress the first technology investment plan and in 2016 we reported that the 2015 plan generally addressed TSARA requirements. In December 2017, TSA developed and submitted to Congress an updated technology investment plan in accordance with TSARA. The updated plan details the aviation security efforts TSA initiated, developed, or completed since the initial plan was released. The updated plan also includes the extent to which TSA’s acquisitions were consistent with technology programs and projects identified in the initial plan, as required by TSARA. 28 TSA officials stated that a positive effect of TSARA’s requirement to develop the technology investment plan has been the establishment of the Innovation Task Force. The task force, created in the Spring of 2016, is tasked to identify and demonstrate emerging capabilities and facilitate other innovative projects at select airports. TSA established the task force based on feedback from industry representatives provided during development of the initial plan. 29 A TSA official who manages the task 27 6 U.S.C. § 563(a), (g). The TSA Modernization Act, enacted as part of the FAA Reauthorization Act of 2018 on October 5, 2018, amends § 563 by, among other things, requiring TSA, in collaboration with relevant industry and government stakeholders, to annually submit an update of the plan in an appendix to the budget request and publish it in an unclassified format in the public domain. See Pub. L. No. 115-254, div. K, tit. I, subtit. B, § 1917, 132 Stat. 3186 (2018). 28 See 6 U.S.C. § 563(g)(2). 29 The TSA Modernization Act, enacted in October 2018, establishes In a statute a requirement for TSA to establish an innovation task force to, among other things, cultivate innovations in transportation security and, in doing so, is to conduct activities to identify and develop an innovative technology, emerging security capability, or process designed to enhance transportation security. See Pub. L. No. 115-254, div. K, tit. I, subtit. B, § 1916, 132 Stat. 3186. Page 12 GAO-19-96 TSA Acquisitions force said that it led to efficiencies in TSA’s acquisition process. The official noted, for example, that the task force began demonstrating Automated Screening Lanes in March 2016 and by October 2016 DHS approved additional deployments of the technology. For a video of TSA’s Innovation Task Force demonstration of Automated Screening Lanes, see the hyperlink in the note for figure 3. Figure 3: Video of the Transportation Security Administration Innovation Task Force Demonstration of Automated Screening Lanes Note: To view the full TSA-produced video, please click on the video hyperlink. TSA Continues to Submit TSARA requires TSA to submit an annual report to Congress on TSA’s Required Small Business performance record in meeting its published small business contracting goals during the preceding fiscal year. 30 Reports to Congress If the preceding year’s goals were not met or TSA’s performance was below the published small business contracting goals set for the department, TSARA requires that TSA’s small business report includes a 30 See 6 U.S.C. § 563d (providing that such report shall be submitted to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland security of the House of Representatives). See also 15 U.S.C. § 644(g)(2) (requiring the head of each federal agency to, after consultation with the Small Business Administration, establish goals for the participation by small business concerns in procurement contracts of the agency). Page 13 GAO-19-96 TSA Acquisitions list of challenges that contributed to TSA’s performance and an action plan, with benchmarks, for addressing each of the challenges identified that is prepared after consultation with other federal departments and agencies. 31 Since our last review, TSA has submitted small business reports for fiscal years 2014 through 2017 and has reported achieving its small business contracting goals. Through July 2018, TSA’s narrow application of TSARA’s report and TSA’s Narrow certification provision resulted in no SRT acquisitions being reported to Application of TSARA Congress pursuant to TSARA. In August 2018, TSA provided its first three notifications on SRT acquisitions to Congress under this provision. Has Resulted in Limited Reporting to Congress on SRT- related Acquisitions 31 See 6 U.S.C. § 563d(2). Page 14 GAO-19-96 TSA Acquisitions None of the Over $1 TSA did not provide any information on contract awards or task or Billion TSA Obligated to delivery orders for the acquisition of SRT and associated services to Congress under TSARA’s report and certification provision from Acquire SRT and enactment through July 2018. Under the provision, TSA is to provide Associated Services From Congress with a comprehensive justification and a certification that the December 18, 2014 benefits to transportation security justify the contract cost not later than 30 Through July 2018 days preceding the award of a contract for any SRT acquisition over $30 Resulted in TSA Reporting million. 32 Under TSARA Our analysis of FPDS-NG data on contract obligations from December 18, 2014 through July 2018 found approximately $1.4 billion in obligations for acquisitions of SRT and for services associated with the operation of SRT, as shown in table 1. 33 Specifically, TSA obligated $591 million for SRT. For services associated with an SRT that are necessary to ensure its continuous and effective operation, such as maintenance and engineering support services, TSA obligated $772 million during this timeframe. 34 32 See 6 U.S.C. § 563a(b) (providing further that this information is to be submitted to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of the House of Representatives). For the purposes of this report, we refer to the submission of information under this provision as a report. In addition to TSARA’s report and certification provision, TSA is subject to separate statutory reporting obligations to Congress in accordance with a recurring provision DHS’s annual appropriations acts, as implemented through the DHS Homeland Security Acquisition Manual and TSA Internal Guidance and Procedure Memorandum 0500.39 (May 18, 2018). Specifically, TSA must provide notification to the Committees on Appropriations of the Senate and House of Representatives 5 full business days in advance of new contract awards and task and delivery orders on DHS multiple award contracts, among other award types, totaling in excess of $1,000,000. See, e.g., Pub. L. No. 115-141, div. F, § 507, 132 Stat. 348 (2018). Notification under this appropriations provision is to include the amount of the award, the fiscal year for which the funds for the award were appropriated, the type of contract, and the account from which the funds are being drawn; it is not required to contain the more evaluative information, such as the results of the comprehensive acquisition justification and the cost-benefit certification required under TSARA. 33 TSA officials identified the following technologies that, as of September 2018, are the only technologies acquired by TSA that fall within TSARA’s SRT definition: AIT, Advanced Technology, Bottle Liquid Scanners, Explosives Trace Detection, Walk-through Metal Detector/Enhanced Metal Detector, Explosives Detection System, Boarding Pass Scanner, Credential Authentication Technology, Computed Tomography, and Automated Screening Lane. 34 Engineering support may include addressing changing security needs related to the operation of SRT, such as software or hardware improvements and threat detection algorithm development that help meet the security screening requirements. Page 15 GAO-19-96 TSA Acquisitions Table 1: Transportation Security Administration Contract Obligations for Security-Related Technology (SRT) and Associated Services, December 18, 2014 through July 31, 2018 SRT and Description Total Obligations Associated Services (Dollars in millions) a SRT Acquisition of SRT 591 Maintenance Services All types of maintenance services for SRT, including corrective and 581 preventative maintenance System Integration Installation and deployment of SRT 132 Security Technology Integrated SRT network connectivity 44 Program Security Technology Support Engineering support, system management, information technology support 15 b Services for SRT Total 1,363 Source: GAO analysis of Federal Procurement Data System-Next Generation data. | GAO-19-96 Note: The total obligations for associated services (Maintenance Service, System Integration, Security Technology Integrated Program, and Security Technology Support Services) is approximately $772 million. a TSA’s contracts for SRT may also include associated services, such as engineering support services, threat detection algorithm development, installation and deployment of equipment, training services, maintenance services, and the purchase of equipment warranties. b Engineering support may include addressing changing security needs related to the operation of SRT, such as software or hardware improvements, threat detection algorithm development, and other system enhancements that help meet the security screening requirements. TSA’s Policy for TSA officials said that none of the agency’s acquisition activities from Implementing TSARA’s enactment through July 2018 invoked TSARA’s report and certification provision because the activities did not align with TSA’s policy that Report and Certification identifies SRT acquisitions subject to this provision. TSA’s policy on what Provision Reflects a constitutes an SRT and the award of a contract for an SRT acquisition Narrow Application of the ultimately determine what acquisitions are subject to TSARA’s report Act Page 16 GAO-19-96 TSA Acquisitions and certification provision. 35 See table 2 for TSA’s policy. Table 2: Transportation Security Administration (TSA) Policy for What Constitutes a Security-Related Technology (SRT) and a Contract Award for an SRT Acquisition Under the Transportation Security Acquisition Reform Act (TSARA) SRT Equipment or technologies procured by TSA, for the screening and inspection of persons, property, and credentials, as well as equipment or technologies that the public directly interacts with or is impacted by. Contract award for an SRT The TSARA report and certification provision for the award of a contract for an SRT acquisition pertains acquisition to an initial equipment contract award, including indefinite-quantity contracts or blanket purchase agreements, where the contract ceiling exceeds the $30 million threshold or any SRT contract award that will potentially exceed the $30 million threshold when combined with future estimated contract awards for the same technology type. It does not apply to individual task and delivery order awards issued under the parent contract. Source: GAO analysis of TSA documentation and officials’ statements. | GAO-19-96 Note: Indefinite-delivery contracts are awarded to one or more contractors to acquire supplies and/or services when the exact times and/or exact quantities of future deliveries are not known at the time of award. See 48 C.F.R. § 16.501-1. Indefinite-quantity contracts provide for an indefinite quantity, within stated limits, of products or services during a fixed period. § 16.504(a). In general, pursuant to an indefinite-delivery/indefinite-quantity contract agencies issue orders for the delivery of supplies or for the performance of tasks during the period of the contract. See § 16.501-1. In general, agencies may use blanket purchase agreements under FAR part 8.4 to acquires supplies and services through the Federal Supply Schedule program, which is directed and managed by the General Services Administration and provides federal agencies with a simplified process for obtaining commercial supplies and services at prices associated with volume buying, and under FAR part 13.3 as a simplified method of filling anticipated repetitive needs for supplies or services by establishing “charge accounts” with qualified sources of supply but subject to a dollar threshold. See 48 C.F.R. §§ 8.402, 13.303-1. 35 As stated above, the TSARA report and certification provision requires TSA to submit information to congressional committees at least 30 days before the award of a contract for any SRT acquisition over $30 million. 6 U.S.C. § 563a(b). The Federal Acquisition Regulation (FAR) defines “acquisition” as the acquiring by contract with appropriated funds of supplies or services (including construction) by and for the use of the Federal Government through purchase or lease, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated. 48 C.F.R. § 2.101. The FAR establishes that acquisition begins at the point when agency needs are established and includes the description of requirements to satisfy agency needs, solicitation and selection of sources, award of contracts, contract financing, contract performance, contract administration, and those technical and management functions directly related to the process of fulfilling agency needs by contract. Id. The FAR defines a “contract” as a mutually binding legal relationship obligating the seller to furnish the supplies or services and they buyer to pay for them, and establishes that contracts include (but are not limited to) awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; orders, such as purchase orders, under which the contract becomes effective by written acceptance or performance; and bilateral contract modifications. Id. Page 17 GAO-19-96 TSA Acquisitions TSA’s TSARA Implementation Strategy Memo states, “[t]o support [TSARA] and ensure Congress is receiving the necessary information regarding critical TSA acquisitions, TSA will focus on security screening related technologies[,]” which will ensure “the necessary actions are implemented for those technologies the public directly interacts with (i.e. is impacted by).” 36 According to TSA officials, security screening related technologies, i.e. SRT, subject to TSARA must (1) be equipment or technology and (2) interact with (or impact) the public. Specific examples of SRT subject to TSARA, as identified by TSA officials, are the equipment typically deployed to airports to assist in the physical screening of passengers and their property, such as AIT, EDS, and boarding pass scanners. TSA officials explained that in accordance with its policy, TSA provided its first three notifications to Congress under TSARA’s report and certification provision in August 2018, more than 30 days prior to the award of three new SRT contracts, each with ceiling values in excess of $30 million. 37 TSA Does Not Report SRT- Since the enactment of TSARA through July 2018, TSA awarded multiple Associated Services Under indefinite-delivery/indefinite-quantity (IDIQ) contracts and entered into a TSARA blanket purchase agreement for services associated with the operation of SRT, each with values in excess of $30 million, and issued orders under 36 Transportation Security Administration, Transportation Security Acquisition Reform Act of 2014 Implementation Strategy (June 3, 2015). 37 In September 2018, TSA awarded two contracts related to Reduced Size Explosives Detection Systems with contract values of $40 million and $58 million, to purchase and install new units and retrofit deployed units with new hardware and software to improve threat detection capabilities. TSA also awarded a $500 million indefinite-delivery/indefinite- quantity contract to purchase and install Medium Speed Explosives Detection Systems. Page 18 GAO-19-96 TSA Acquisitions the contracts and agreement that exceeded $30 million. 38 In accordance with TSA’s implementation policy, which applies to acquisitions of physical screening equipment, TSA did not report these acquisition actions under TSARA’s report and certification provision. TSA officials said, consistent with its implementation policy, that services associated with the operation of the SRT, such as engineering support, maintenance services, and other services described in table 1, are not SRT, as TSARA defines the term, because they are not equipment that directly interacts with the public. Associated services, however, are necessary to ensure the effective performance of SRT. For example, engineering support can assist in addressing changing security needs, such as through the development of threat detection algorithms and other software or hardware improvements. Associated services have also been used to extend the intended lifecycle of SRT already deployed to airport checkpoints. TSA officials said that research and development advancements have allowed TSA to upgrade existing equipment that had reached the end of its initial lifecycle rather than acquire new equipment. Further, TSA will likely need to increase spending on maintenance services because the equipment parts may break down when used past their intended life cycles. Consequently, through maintenance and hardware improvements, for example, TSA has been able to offset the need to procure new SRT by upgrading and maintaining existing SRT. 38 Indefinite-delivery contracts are awarded to one or more contractors to acquire supplies and/or services when the exact times and/or exact quantities of future deliveries are not known at the time of award. See 48 C.F.R. § 16.501-1. Indefinite-quantity contracts provide for an indefinite quantity, within stated limits, of products or services during a fixed period. § 16.504(a). In general, pursuant to an IDIQ contract agencies issue orders for the delivery of supplies or for the performance of tasks during the period of the contract. See § 16.501-1. In general, agencies may use blanket purchase agreements under FAR part 8.4 to acquires supplies and services through the Federal Supply Schedule program, which is directed and managed by the General Services Administration and provides federal agencies with a simplified process for obtaining commercial supplies and services at prices associated with volume buying, and under FAR part 13.3 as a simplified method of filling anticipated repetitive needs for supplies or services by establishing “charge accounts” with qualified sources of supply but subject to a dollar threshold. See 48 C.F.R. §§ 8.402, 13.303-1. Page 19 GAO-19-96 TSA Acquisitions Examples of contract actions for the associated services described in table 1 include: • Maintenance Services: TSA awarded three IDIQ contracts in 2015 and 2016, with ceiling values ranging from $76 million to $222 million, and issued 10 orders under these IDIQ contracts with obligations that each exceeded $30 million; • System Integration: TSA awarded three IDIQ contracts in 2015, each with a ceiling value of $450 million; • STIP: In November 2017, TSA awarded a blanket purchase agreement with a ceiling value of $250 million; and • Security Technology Support Services: TSA awarded three IDIQ contracts in 2017 with ceiling values ranging from $65 million to $169 million. The report of the Committee on Homeland Security of the House of Representatives on TSARA explains that the law introduces greater transparency and accountability for TSA spending decisions and codifies acquisition best-practices that the committee believes will result in more effective and efficient SRT acquisitions at TSA. 39 As explained in the report, TSARA is, in part, a response to historical examples where TSA spent significant funds on SRT acquisitions that failed to meet security performance objectives or wasted federal funds. 40 Consistent with the purpose of the statute expressed in the committee report, TSARA’s report and certification provision promotes greater transparency over TSA acquisition practices. TSA obligates a significant amount of funds—approximately $772 million from TSARA’s enactment through July 2018—for services that help ensure the effective and continuous operation of SRT. Applying TSARA’s report and certification provision to a broader range of services associated with the operation of SRT would provide Congress with 39 See H.R. Rep. No. 113-275, at 7. See also S. Rep. No. 113-274. 40 Among other examples, the committee report references the $29.6 million acquisition of 207 explosives trace portal (puffer) machines in 2006, which represented the first deployment of a checkpoint technology whose development had been initiated by TSA, and states that the machines had been inadequately tested and failed to work in dirty, humid airport environments, which ultimately resulted in them being removed from service. See H.R. Rep. No. 113-275, at 15. Page 20 GAO-19-96 TSA Acquisitions increased transparency and improved oversight of TSA’s SRT acquisition practices. TSA Does Not Report SRT According to TSA’s TSARA implementation policy, indefinite-quantity Task and Delivery Orders contracts or blanket purchase agreements for “security screening related Under TSARA technology equipment”, i.e. SRT, are subject to TSARA’s report and certification provision when the ceiling value exceeds $30 million. 41 The implementation policy also explains that the provision does not apply to individual task and delivery orders placed under these contracts or agreements. 42 However, IDIQ contracts typically have a lengthy period of performance—for example one base year followed by four option years. Specifically, from December 18, 2014 through July 2018, all of TSA’s 14 active contracts for SRT were IDIQ contracts awarded prior to the enactment of TSARA on December 18, 2014. Further, 8 of the 14 contracts had been in place for 5 or more years, and according to TSA officials, the agency had extended the original period of performance for 9 of the 14 contracts. Per its implementation policy, TSA did not report to Congress under TSARA’s report and certification provision on the seven task orders, ranging from $31 million to $70 million, to purchase and install EDS, EDS upgrade kits, and explosives trace detection systems issued under IDIQ contracts in place at the time of TSARA’s enactment. 43 41 Transportation Security Administration, Transportation Security Acquisition Reform Act of 2014 Implementation Strategy (June 3, 2015). 42 For other contract types, the implementation strategy memo explains that the report and certification provision applies to any award that exceeds $30 million or any award that will potentially exceed $30 million when combined with future estimated contract awards for the same technology type. For an example of how the combination of future estimated contract awards requires compliance with TSARA’s report and certification provision, the implementation policy provides, and TSA further explained, that when a contract is awarded for a particular SRT type (e.g., advance imaging technology) at $20 million in fiscal year 2015, and it is anticipated that an additional award of $10 million for AIT will be let in fiscal year 2016 at $10 million, the report and certification provision would apply and TSA would provide the requisite information 30 days before the first of the two contract awards. TSA further explained that in the event the cumulative amount of contract awards for a particular SRT exceeds $30 million (i.e., where such a cumulative amount is not initially anticipated), the report and certification provision would be applicable and TSA would submit the requisite information at the time the cumulative amount in excess of the $30 million threshold becomes known. 43 An EDS upgrade kit addresses the technical obsolescence of EDS deployed in the field and includes the installation of new hardware and software on to the EDS. In accordance with the recurring requirement in DHS’s annual appropriations acts, as implemented through the DHS Homeland Security Acquisition Manual and TSA Internal Guidance and Procedure Memorandum 0500.39, TSA provided requisite notification to the appropriations committees with respect to the seven task orders. Page 21 GAO-19-96 TSA Acquisitions See figure 4 for an example of an EDS IDIQ contract where TSA issued orders in excess of $30 million and extended the contract’s original period of performance. Figure 4: Example of the Timeline for a Transportation Security Administration (TSA) Explosives Detection Systems Contract a Indefinite-Delivery / Indefinite-Quantity contracts provide flexibility in cases where the government cannot determine the exact quantities and required timing of a product or service. In general, the government must order, and the contractor must provide, a minimum agreed-upon quantity of products or services and the contractor must provide any other quantities ordered by the government up to a stated maximum during the contract’s period of performance. b Enacted in December 2014, TSARA introduced legislative reforms to promote greater transparency and accountability with respect to TSA’s acquisitions of security-related technology. See Pub. L. No. 113-245, 128 Stat. 2871 (2014); see also H.R. Rep. No. 113-275, (Nov. 21, 2013), at 7 (accompanying H.R. 2719, 113th Cong. (1st Sess. 2013)). One of TSA’s most recent SRT contract awards further illustrates how TSA’s policy to only report on initial contract awards, and not orders issued pursuant to the contract, has resulted in limited reporting under TSARA’s report and certification provision. In September 2018, TSA awarded a new $500 million IDIQ contract for the acquisition of medium speed explosives detection systems. TSA reported this contract award to the requisite committees pursuant to the report and certification provision and consistent with its implementation policy. 44 However, under TSA’s policy, this is the only notification that Congress will receive pursuant to 44 TSA also submitted notification of the award of this contract to the appropriations committees in accordance with the recurring requirement in DHS’s annual appropriations acts, as implemented through DHS and TSA policies. Page 22 GAO-19-96 TSA Acquisitions TSARA over the course of the contract’s period of performance. For example, TSA also issued a $55 million order to purchase and install medium speed EDS units under this IDIQ contract, but per its implementation policy, TSA did not report on this order under the provision to Congress and per its policy would not do so for any subsequent orders during the contract’s period of performance. 45 TSA has developed a policy with parameters for determining which contract actions are subject to TSARA. However, TSA’s policy limits the application of the report and certification provision only to initial contract awards for physical security screening equipment. According to TSA officials, TSA established this policy in order to ensure Congress is informed as early as possible that there is potential for an award in excess of $30 million as opposed to the point at which amounts awarded reach $30 million. However, the implementation policy expressly excludes orders in excess of $30 million issued under IDIQ contracts or blanket purchase agreements for SRT. Due to this narrow application of TSARA to its SRT acquisitions, TSA did not report any information to Congress pursuant to TSARA’s report and certification provision through July 2018. In addition, as currently implemented this policy will continue to result in TSA providing Congress with limited information in the future. As described earlier, TSARA was enacted to introduce greater transparency and accountability for TSA spending decisions. 46 Because TSA’s policy for the report and certification provision excludes reporting on task and delivery orders, TSA misses the opportunity to inform Congress of the more routine SRT obligations that exceed TSARA’s $30 million threshold. 47 In addition, applying TSARA’s report and certification provision to services that result 45 TSA issued the order simultaneous with the award of the IDIQ contract, but did not make any mention of this in the notification it provided pursuant to TSARA. TSA did, however, provide notification to the appropriations committees within 5 days in advance of issuing the order. 46 See H.R. Rep. No. 113-275, at 7; see also S. Rep. No. 113-274. 47 Such a requirement would be consistent with the broader statutory requirement that serves as the basis for DHS’s policy to provide 5 day advance notice to the appropriations committees for the award of contracts, including task or delivery orders, in excess of $1 million. See, e.g., Pub. L. No. 115-141, div. F, § 507, 132 Stat. 348 (2018). However, unlike the 5-day notice TSA provides to the appropriations committees, TSARA requires TSA to report to its authorizing committees 30 days prior to the award of an SRT acquisitions contract that exceeds $30 million. Page 23 GAO-19-96 TSA Acquisitions in new capabilities, enhancements, or otherwise upgrade SRTs would provide Congress with increased transparency and improved oversight of TSA’s SRT acquisition practices. TSA has not effectively communicated its implementation decisions TSA Has Not internally for what constitutes an SRT under TSARA. After the enactment Effectively of TSARA, TSA formed a working group to evaluate the act and develop an implementation strategy. The resulting policy is documented in TSA’s Communicated TSARA Implementation Strategy Memo, published in June 2015. Internally Its TSARA According to TSA officials, the memo is the only formal document that describes TSA’s TSARA policy. Among other things, the memo Implementation designates roles and responsibilities for TSARA’s requirements and Decisions outlines TSA’s approach to implementing each requirement. To explain what constitutes an SRT for the purposes of TSARA, TSA officials described various parameters to us that guide their decision- making. However, not all of these parameters are documented in the implementation strategy memo. Specifically, the memo states that, “To support [TSARA] and ensure Congress is receiving the necessary information regarding critical TSA acquisitions, TSA will focus on security screening related technologies. This ensures the necessary actions are implemented for those technologies the public directly interacts with (i.e. is impacted by).” TSA officials clarified for us that technologies the public does not directly interact with or that do not otherwise impact the public in some physical manner, such as STIP and Secure Flight, are not considered SRT and thus not subject to TSARA, but this distinction is not clearly documented. 48 Further, the memo does not explicitly explain which technologies are considered SRT and which are not. For example, TSA officials told us that SRT under TSARA excludes software such as updates to threat detection algorithms, and other associated services such as STIP, but this is not documented in the memo. TSA acquisition program staff are responsible for determining if a new acquisition qualifies as SRT under TSARA and initiating TSA’s 48 According to TSA officials, another reason that STIP is not considered an SRT under TSARA is that TSA does not procure any equipment for the screening and inspection of persons, property, and credentials under the program. For reasons similar to STIP, TSA does not consider Secure Flight—its passenger prescreening program that screens passenger-supplied information against watchlists maintained by the U.S. government to identify potential threats to the Nation’s civil aviation system—to be an SRT. Page 24 GAO-19-96 TSA Acquisitions congressional notification process. TSA officials stated that program staff rely upon the TSARA Implementation Strategy Memo to make these decisions. During our review, TSA’s acquisition program staff were initially unable to confirm in all instances whether the security-related equipment they had acquired were subject to TSARA. Over the course of our review, TSA officials clarified the application of TSARA’s SRT definition to us and based on our inquiries, confirmed a list of existing technologies that are considered SRT. However, this information has not been documented in the TSARA Implementation Strategy Memo. TSA officials explained that there was a lot of activity after TSARA was initially enacted to determine how to comply with TSARA, but after the implementation working group disbanded, activity subsequently faded. Consequently, the implementation strategy memo has not been updated since its initial distribution in June 2015. TSA officials stated that they plan to update the implementation strategy memo by the end of calendar year 2018 to reflect the new offices responsible for implementing TSARA’s requirements due to an internal reorganization. 49 Effective information and communication are vital for an entity to achieve its objectives. Standards for Internal Control in the Federal Government states that management should document policies in the appropriate level of detail and internally communicate the necessary quality information to achieve the entity’s objectives. In the absence of a policy that clearly states what constitutes an SRT and with several large acquisitions pending, TSA may be missing an opportunity to ensure effective and consistent implementation of TSARA. 50 TSA spends hundreds of millions of dollars each year developing, Conclusion acquiring, deploying, and maintaining technologies in furtherance of its mission to ensure civil aviation security. Through TSARA, Congress sought to address challenges faced by TSA in effectively managing its acquisitions and procurements by specifying measures for TSA to 49 TSA officials also reported in July 2018 that they will clarify the definition of SRT and the meaning of “impacting the public” within the revised Implementation Strategy Memo; however, TSA has yet to make such a modification. 50 TSA officials reported that the agency will have several large SRT acquisitions in fiscal year 2019. For example, TSA continues to prepare for the broader deployment of Computed Tomography units and will likely finalize a request for vendors to submit proposals for Computed Tomography acquisition contracts in 2019. TSA also plans on awarding additional medium speed explosives detection systems contracts in 2019. Page 25 GAO-19-96 TSA Acquisitions implement that align with identified acquisition best practices and increase the transparency and accountability of TSA’s SRT acquisitions. Overall, TSA has policies and procedures in place to accomplish many of the reforms sought by TSARA, but more could be done to improve the transparency of its spending on SRTs. Specifically, reporting on individual task and delivery orders as well as associated services under TSARA’s report and certification provision would help TSA ensure that Congress has timely information it could use to effectively oversee TSA acquisitions. TSA took a positive step towards greater transparency on SRT spending with its first notifications to Congress in August 2018—in accordance with its policy—, but TSA’s existing policy does not require similar notification for associated services or for individual task and delivery orders issued that exceed $30 million. Further, while TSA developed the TSARA Implementation Strategy Memo, which serves as TSA’s policy for implementing TSARA, designated roles and responsibilities for TSARA’s requirements, and outlined TSA’s approach to implement each requirement, TSA has not clearly documented and internally communicated its parameters on what constitutes an SRT under TSARA. With several large acquisitions pending, clear guidance would better assure that staff understand how TSARA’s reporting requirements apply. In the absence of updated internal policy to clearly communicate what is or is not an SRT, TSA will continue to be at risk of inconsistent and incomplete implementation of TSARA. We are making the following three recommendations to TSA: Recommendations for Executive Action The TSA Administrator should revise TSA’s policy to require that TSA also submit information under TSARA’s report and certification provision prior to the award of contracts and blanket purchase agreements for services associated with the operation of security-related technology, such as maintenance and engineering services, that exceed $30 million. (Recommendation 1) The TSA Administrator should revise TSA’s policy to require that TSA also submit information under TSARA’s report and certification provision prior to the issuance of individual task and delivery orders for security- related technology acquisitions that exceed $30 million. (Recommendation 2) Page 26 GAO-19-96 TSA Acquisitions The TSA Administrator should clarify and document what constitutes an SRT under TSARA as part of the planned update of TSA’s TSARA implementation policy. (Recommendation 3) We provided a draft of this product to DHS for comment. In its comments, Agency Comments reproduced in appendix II, DHS generally concurred with each of the and our Evaluation three recommendations and described steps it plans to take to implement them. TSA also provided technical comments, which we incorporated as appropriate. While DHS concurred with our recommendation to revise TSA's policy to include reporting on contracts over $30 million for services associated with the operation of security-related technology, in its letter, DHS stated that not all services associated with an SRT should be subject to TSARA's reporting requirements. Specifically, it noted that TSA will revise policy language and instructions to ensure that the justification analysis and certification analysis required under TSARA is submitted prior to the award contracts and blanket purchase agreements for services that would result in new capabilities, enhancements, or otherwise upgrade SRT. It distinguishes these services from services that are indirectly related to the SRT or used to keep the SRT operational, such as deployment and system integration. We agree with this distinction and do not consider all of the associated services mentioned in this report as necessary for inclusion in TSA’s revised policy. Further, we recognize that TSA, in conjunction with feedback from Congress, is best positioned to determine the services included in its revised policy for reporting under TSARA, consistent with its interest in avoiding duplicative or administratively burdensome reporting and delays in the acquisition process. We are encouraged by DHS’s plans to implement this recommendation and its recognition that the additional information will provide Congress with increased transparency and an opportunity for more effective oversight of TSA’s acquisitions. DHS also described planned actions to address our recommendation to revise TSA’s policy to include reporting on individual task and delivery orders that exceed $30 million. DHS expects to complete the revisions by September 30, 2019. If implemented, this action should provide Congress with greater transparency over TSA’s SRT acquisitions. Page 27 GAO-19-96 TSA Acquisitions DHS also noted that, in accordance with our recommendation to update its implementation guidance, it plans to (1) clarify and document what constitutes an SRT under TSARA and (2) document all offices responsible for implementing TSARA’s requirements in its TSARA implementation strategy memo by September 30, 2019. If implemented, guidance that is clear and documented will better assure that staff across all DHS offices will understand how to consistently implement TSARA. We are sending copies of this report to the appropriate congressional committees and the Secretary of Homeland Security. In addition, the report is available at no charge on the GAO website at http://www.gao.gov. If you or your staff have any questions concerning this report, please contact me at (202) 512-8777 or russellw@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made significant contributions to this report are listed in Appendix III. W. William Russell, Acting Director, Homeland Security and Justice Page 28 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Appendix I: Transportation Security Acquisition Reform Act Requirements Acquisition Reform Act Requirements In tables three through eight, we identify the requirements of the Transportation Security Acquisition Reform Act (TSARA), as enacted on December 18, 2014. 1 Table 3: The Strategic Five-Year Technology Investment Plan 6 U.S.C. § 563 Statute Requirement 6 U.S.C. The Transportation Security Administrator (TSA) Administrator shall, within 180 days of the Transportation §563(a) Security Acquisition Reform Act’s (TSARA) enactment (enacted Dec. 18, 2014), develop and submit to Congress a strategic 5-year technology investment plan (the Plan). • The Plan may include a classified addendum to report sensitive transportation security risks, technology vulnerabilities, or other sensitive security information. • To the extent possible, the plan shall be published in an unclassified format in the public domain. § 563(b) The Administrator shall develop the Plan in consultation with (1) the Under Secretary for Management, (2) the Under Secretary for Science and Technology, (3) the Chief Information Officer, and (4) with the aviation industry stakeholder advisory committee established by the Administrator. § 563(c) The Administrator must obtain approval of the DHS Secretary prior to publishing the unclassified Plan in the public domain. §563(d) The Plan shall include— § 563(d)(1) An analysis of transportation security risks and the associated capability gaps that would be best addressed by a security-related technology, including consideration of the most recent quadrennial homeland security review. § 563(d)(2) A set of security-related acquisition technology needs that is prioritized based on risk and associated capability gaps identified by the analysis completed under § 563(d)(1) and includes planned technology programs and projects with defined objectives, goals, timelines, and measures. § 563(d)(3) An analysis of current and forecast trends in domestic and international passenger travel. § 563(d)(4) An identification of currently deployed security-related technologies that are at or near the end of their lifecycles. § 563(d)(5) An identification of test, evaluation, modeling, and simulation capabilities including target methodologies, rationales, and timelines necessary to support the acquisition of the security-related technologies expected to meet the needs under § 563(d)(2). § 563(d)(6) An identification of opportunities for public-private partnerships, small and disadvantaged company participation, intra government collaboration, university centers of excellence, and national laboratory technology transfer. 1 See Pub. L. No. 113-245, 128 Stat. 2871 (2014). Specifically, section 3(a) of TSARA amends title XVI of the Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2312 (2002), as amended, by adding section 1601 and sections 1611 through 1616, which may also be found at 6 U.S.C. §§ 561, 563-563e. In this report, references to TSARA will generally be cited to title 6 of the U.S. Code unless otherwise indicated. Section 3(c) of TSARA further provides that nothing in the section 3 should be construed to affect any amendment made by title XVI of the Homeland Security Act as in effect before TSARA’s enactment. This Appendix and the Tables therein, do not reflect amendments to the statute made through the TSA Modernization Act, which was enacted as part of the FAA Reauthorization Act of 2018 on October 5, 2018. See Pub. L. No 115-254, div. K, tit. I, subtit. B § 1917, 132 Stat. 3186 (2018). Page 29 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Statute Requirement § 563(d)(7) An identification of the TSA’s acquisition workforce needs for the management of planned security-related technology acquisitions, including consideration of leveraging acquisition expertise of other federal agencies. § 563(d)(8) An identification of the security resources, including information security resources, that will be required to protect security-related technology from physical or cyber theft, diversion, sabotage, or attack. § 563(d)(9) An identification of initiatives to streamline TSA’s acquisition process and provide greater predictability and clarity to small, medium, and large businesses, including the timeline for testing and evaluation. § 563(d)(10) An assessment of the impact to commercial aviation passengers. § 563(d)(11) A strategy for consulting airport management, air carrier representatives, and Federal security directors whenever an acquisition will lead to the removal of equipment at airports, and how the strategy for consulting with such officials of the relevant airports will address potential negative impacts on commercial passengers or airport operations. § 563(d)(12) In consultation with the National Institutes of Standards and Technology an identification of security-related technology interface standards, in existence or if implemented could promote more interoperable passenger, baggage, and cargo screening systems. § 563(e) The Plan shall, to the extent possible and in a manner consistent with fair and equitable practices— § 563(e)(1) Leverage emerging technology trends and research and development investment trends within the public and private sectors. § 563(e)(2) Incorporate private sector input, including from the aviation industry advisory committee established by the Administrator, through requests for information, industry days, and other innovative means consistent with the Federal Acquisition Regulation. § 563(e)(3) In consultation with the Under Secretary for Science and Technology, identify technologies in existence or in development that, with or without adaptation, are expected to be suitable to meeting mission needs. § 563(f) The Administrator shall include with the Plan a list of nongovernment persons that contributed to the writing of the Plan. § 563(g) Beginning 2 years after the date the Plan is submitted to Congress under § 563(a), and biennially thereafter, the Administrator shall submit to Congress— • An update of the plan. • A report on the extent to which each security-related technology acquired by TSA since the last issuance or update of the Plan is consistent with the planned technology program and projects identified under § 563(d)(2) for that security-related technology. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 a See 6 U.S.C. § 347 (requiring, in general, that the Secretary of Homeland Security conduct a review of the homeland security of the nation every 4 years). Page 30 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Table 4: Acquisition Justification 6 U.S.C. § 563 Statute Requirement 6 U.S.C. Before the Transportation Security Administration (TSA) implements any security-related technology acquisition, § 563a(a) the Administrator, in accordance with Department of Homeland Security (DHS) policies and directives, shall determine whether the acquisition is justified by conducting an analysis that includes— § 563a(a)(1) An identification of the scenarios and level of risk to transportation security from those scenarios that would be addressed by the security-related technology acquisition. § 563a(a)(2) An assessment of how the proposed acquisition aligns to the strategic 5-year technology investment plan (the Plan). § 563a(a)(3) A comparison of the total expected lifecycle cost against the total expected quantitative and qualitative benefits to transportation security. § 563a(a)(4) An analysis of alternative security solutions, including policy or procedure solutions, to determine if the proposed security-related technology acquisition is the most effective and cost-efficient solution based on cost- benefit considerations. § 563a(a)(5) An assessment of the potential privacy and civil liberties implications of the proposed acquisition that includes, to the extent practicable, consultation with organizations that advocate for the protection of privacy and civil liberties. § 563a(a)(6) A determination that the proposed acquisition is consistent with fair information practice principles issued by the DHS Privacy Officer. § 563a(a)(7) Confirmation that there are no significant risks to human health or safety posed by the proposed acquisition. § 563a(a)(8) An estimate of the benefits to commercial aviation passengers. § 563a(b)(1) Not later than the end of the 30-day period preceding the award by TSA of a contract for any security-related technology acquisition exceeding $30 million, the Administrator shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of the House of Representatives (the Committees) the results of the comprehensive acquisition justification under § 563a(a) and a certification by the Administrator that the benefits to transportation security justify the contract cost. § 563a(b)(2) If there is a known or suspected imminent threat to transportation security, the Administrator may reduce the 30- day period under § 563a(b)(1) to 5 days to rapidly respond to the threat and shall immediately notify the Committees of the known or suspected imminent threat. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 Page 31 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Table 5: Baseline Requirements 6 U.S.C. § 563b Statute Requirement 6 U.S.C. Before the Transportation Security Administration (TSA) implements any security-related technology § 563b(a)(1) acquisition, the appropriate acquisition official of the Department shall establish and document a set of formal baseline requirements. §563b(a)(2) The baseline requirements under § 563b(a)(1) shall— § 563b(a)(2)(A) Include the estimated costs (including lifecycle costs), schedule, and performance milestones for the planned duration of the acquisition. § 563b(a)(2)(B) Identify the acquisition risks and a plan for mitigating those risks. § 563b(a)(2)(C) Assess the personnel necessary to manage the acquisition process, manage the ongoing program, and support training and other operations as necessary. § 563b(a)(3) In establishing the performance milestones under § 563b(a)(2)(A), the appropriate acquisition official of the Department, to the extent possible and in consultation with the Under Secretary for Science and Technology, shall ensure that achieving those milestones is technologically feasible. §563b(a)(4) The Administrator, in consultation with the Under Secretary for Science and Technology, shall develop a test and evaluation plan that describes— § 563b(a)(4)(A) The activities that are expected to be required to assess acquired technologies against the performance milestones established under § 563b(a)(2)(A). § 563b(a)(4)(B) The necessary and cost-effective combination of laboratory testing, field testing, modeling, simulation, and supporting analysis to ensure that such technologies meet TSA’s mission needs. § 563b(a)(4)(C) An efficient planning schedule to ensure that test and evaluation activities are completed without undue delay. § 563b(a)(4)(D) If commercial aviation passengers are expected to interact with the security-related technology, methods that could be used to measure passenger acceptance of and familiarization with the security-related technology. § 563b(a)(5) The appropriate acquisition official of the Department— • Subject to § 563b(a)(5)(B), shall utilize independent reviewers to verify and validate the performance milestones and cost estimates developed under paragraph § 563b(a)(2) for a security-related technology that pursuant to § 563(d)(2) has been identified as a high priority need in the most recent Plan. • Shall ensure that the use of independent reviewers does not unduly delay the schedule of any acquisition. § 563b(a)(6) The Administrator shall establish a streamlined process for an interested vendor of a security-related technology to request and receive appropriate access to the baseline requirements and test and evaluation plans that are necessary for the vendor to participate in the acquisitions process for that technology. § 563b(b)(1)(A) The appropriate acquisition official of the Department shall review and assess each implemented acquisition to determine if the acquisition is meeting the baseline requirements established under § 563b(a). The review shall include an assessment of whether— • The planned testing and evaluation activities have been completed. • The results of that testing and evaluation demonstrate that the performance milestones are technologically feasible. Page 32 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Statute Requirement § 563b(b)(2) Not later than 30 days after making a finding that the actual or planned costs exceed the baseline costs by more than 10 percent; the actual or planned schedule for delivery has been delayed by more than 180 days; or there is a failure to meet any performance milestones that directly impacts security effectiveness (that is, a breach finding), the Administrator shall submit a report to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of the House of Representatives that includes— • The results of any assessment that finds a breach. • The cause for such excessive costs, delay, or failure. • A plan for corrective action. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 Page 33 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Table 6: Inventory Management 6 U.S.C. § 563c Statute Requirement 6 U.S.C. Before the procurement of additional quantities of equipment to fulfill a mission need, the Administrator, to the § 563c(a) extent practicable, shall utilize any existing units in the Transportation Security Administration inventory to meet that need. § 563c(b)(1) The Administrator shall establish a process for tracking— • The location of security-related equipment in the inventory under § 563c(a). • The utilization status of security-related technology in the inventory under § 563c(a). • The quantity of security-related equipment in the inventory under § 563c(a). § 563c(b)(2) The Administrator shall implement internal controls to ensure up-to-date accurate data on security-related technology owned, deployed, and in use. § 563c(c)(1) The Administrator shall establish logistics principles for managing inventory in an effective and efficient manner. § 563c(c)(2) The Administrator may not use just-in-time logistics if doing so (A) would inhibit necessary planning for large-scale delivery of equipment to airports or other facilities; or (B) would unduly diminish surge capacity for response to a terrorist threat. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 Page 34 GAO-19-96 TSA Acquisitions Appendix I: Transportation Security Acquisition Reform Act Requirements Table 7: Small Business Contracting Goals Report 6 U.S.C. § 563d Statute Requirement 6 U.S.C. Not later than 90 days after the date of enactment of the Transportation Security Acquisition Reform Act, and § 563d annually thereafter, the Transportation Security Administration (TSA) Administrator shall submit a report to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Homeland Security of the House of Representatives that includes— § 563d(1) TSA’s performance record with respect to meeting its published small-business contracting goals during the preceding fiscal year. § 563d(2) If the goals described in § 563d(1) were not met or TSA’s performance was below the published small business contracting goals of the Department of Homeland Security (DHS)— § 563d(2)(A) A list of challenges, including deviations from TSA’s subcontracting plans, and factors that contributed to the level of performance during the preceding fiscal year. § 563d(2)(B) An action plan, with benchmarks, for addressing each of the challenges identified in § 563d(2)(A) that— § 563d(2)(B)(i) Is prepared after consultation with the Secretary of Defense and the heads of federal departments and agencies that achieved their published goals for prime contracting with small and minority-owned businesses, including small and disadvantaged businesses, in prior fiscal years. § 563d(2)(B)(ii) Identifies policies and procedures that could be incorporated by TSA in furtherance of achieving TSA’s published goal for such contracting. § 563d(3) A status report on the implementation of the action plan that was developed in the preceding fiscal year in accordance with § 563d(2)(B), if such a plan was required. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 Table 8: Federal Acquisition Regulation Consistency 6 U.S.C. § 563e Statute Requirement 6 U.S.C. The TSA Administrator shall execute the responsibilities set forth in §§ 563-563d in a manner consistent with, § 563e and not duplicative of, the Federal Acquisition Regulation and Department of Homeland Security’s policies and directives. Source: GAO Analysis of Transportation Security Acquisition Reform Act I GAO-19-96 Page 35 GAO-19-96 TSA Acquisitions Appendix II: Comments from the Department Appendix II: Comments from the Department of Homeland Security of Homeland Security Page 36 GAO-19-96 TSA Acquisitions Appendix II: Comments from the Department of Homeland Security Page 37 GAO-19-96 TSA Acquisitions Appendix II: Comments from the Department of Homeland Security Page 38 GAO-19-96 TSA Acquisitions Appendix II: Comments from the Department of Homeland Security Page 39 GAO-19-96 TSA Acquisitions Appendix III: GAO Contact and Staff Appendix III: GAO Contact and Staff Acknowledgements Acknowledgements W. William Russell, 202-512-8777 or russellw@gao.gov GAO Contact In addition to the contact named above, Kevin Heinz (Assistant Director), Staff Amber Edwards (Analyst-in-Charge), Winchee Lin, Cristina Norland, Acknowledgements Richard Hung, Thomas Lombardi, Amanda Miller, and Richard Cederholm made key contributions to this report. (102356) Page 40 GAO-19-96 TSA Acquisitions The Government Accountability Office, the audit, evaluation, and investigative GAO’s Mission arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is Obtaining Copies of through GAO’s website (https://www.gao.gov). Each weekday afternoon, GAO GAO Reports and posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to https://www.gao.gov Testimony and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at https://www.gao.gov. Contact: To Report Fraud, Website: https://www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in Automated answering system: (800) 424-5454 or (202) 512-7700 Federal Programs Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, Congressional U.S. Government Accountability Office, 441 G Street NW, Room 7125, Relations Washington, DC 20548 Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707 Strategic Planning and U.S. Government Accountability Office, 441 G Street NW, Room 7814, External Liaison Washington, DC 20548 Please Print on Recycled Paper.
Transportation Security Acquisition Reform Act: TSA Generally Addressed Requirements, but Could Improve Reporting on Security-Related Technology
Published by the Government Accountability Office on 2019-01-17.
Below is a raw (and likely hideous) rendition of the original report. (PDF)