Aviation Security
Efforts to Measure Effectiveness and Address Challenges Gao ID: GAO-04-232T November 5, 2003It has been 2 years since the attacks of September 11,2001, exposed vulnerabilities in the nation's aviation system. Since then, billions of dollars have been spent on a wide range of initiatives designed to enhance the security of commercial aviation. However, vulnerabilities in aviation security continue to exist. As a result, questions have been raised regarding the effectiveness of established initiatives in protecting commercial aircraft from threat objects, and whether additional measures are needed to further enhance security. Accordingly, GAO was asked to describe the Transportation Security Administration's (TSA) efforts to (1) measure the effectiveness of its aviation security initiatives, particularly its passenger screening program; (2) implement a risk management approach to prioritize efforts and focus resources; and (3) address key challenges to further enhance aviation security.
TSA has implemented numerous initiatives designed to enhance aviation security, but has collected limited information on the effectiveness of these initiatives in protecting commercial aircraft. Our recent work on passenger screening found that little testing or other data exist that measures the performance of screeners in detecting threat objects. However, TSA is taking steps to collect data on the effectiveness of its security initiatives, including developing a 5-year performance plan detailing numerous performance measures, as well as implementing several efforts to collect performance data on the effectiveness of passenger screening--such as fielding the Threat Image Projection System and increasing screener testing. TSA has developed a risk management approach to prioritize efforts, assess threats, and focus resources related to its aviation security initiatives as we previously recommended, but has not yet fully implemented this approach. A risk management approach is a systematic process to analyze threats, vulnerabilities, and the criticality (or relative importance) of assets to better support key decisions. TSA is developing and implementing both a criticality and a vulnerability assessment tool to provide a basis for risk-based decision-making. TSA is currently using some components of these tools and plans to fully implement its risk management approach by the summer 2004. TSA faces a number of programmatic and management challenges as it continues to enhance aviation security. These include the implementation of the new computer-assisted passenger prescreening system, as well as strengthening baggage screening, airport perimeter and access controls, air cargo, and general aviation security. TSA also must manage the costs associated with aviation security and address human capital challenges, such as sizing its workforce as efficiency is improved with security-enhancing technologies--including the integration of explosive detection systems into in-line baggage-handling systems. Further challenges in sizing its workforce may be encountered if airports are granted permission to opt out of using federal screeners.
GAO-04-232T, Aviation Security: Efforts to Measure Effectiveness and Address Challenges
This is the accessible text file for GAO report number GAO-04-232T
entitled 'Aviation Security: Efforts to Measure Effectiveness and
Address Challenges' which was released on November 05, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony before the Committee on Commerce, Science and Transportation,
U.S. Senate:
United States General Accounting Office:
GAO:
For Release on Delivery Expected at 9:30 a.m. EDT:
Wednesday, November 5, 2003:
AVIATION SECURITY:
Efforts to Measure Effectiveness and Address Challenges:
Statement of Cathleen A. Berrick, Director Homeland Security and
Justice Issues:
GAO-04-232T:
GAO Highlights:
Highlights of GAO-04-232T, a testimony to the Committee on Commerce,
Science and Technology, U.S. Senate
Why GAO Did This Study:
It has been 2 years since the attacks of September 11, 2001, exposed
vulnerabilities in the nation‘s aviation system. Since then, billions
of dollars have been spent on a wide range of initiatives designed to
enhance the security of commercial aviation. However, vulnerabilities
in aviation security continue to exist. As a result, questions have
been raised regarding the effectiveness of established initiatives in
protecting commercial aircraft from threat objects, and whether
additional measures are needed to further enhance security.
Accordingly, GAO was asked to describe the Transportation Security
Administration‘s (TSA) efforts to (1) measure the effectiveness of its
aviation security initiatives, particularly its passenger screening
program; (2) implement a risk management approach to prioritize
efforts and focus resources; and (3) address key challenges to further
enhance aviation security.
What GAO Found:
TSA has implemented numerous initiatives designed to enhance aviation
security, but has collected limited information on the effectiveness
of these initiatives in protecting commercial aircraft. Our recent
work on passenger screening found that little testing or other data
exist that measures the performance of screeners in detecting threat
objects. However, TSA is taking steps to collect data on the
effectiveness of its security initiatives, including developing a 5-
year performance plan detailing numerous performance measures, as well
as implementing several efforts to collect performance data on the
effectiveness of passenger screening”such as fielding the Threat Image
Projection System and increasing screener testing.
TSA has developed a risk management approach to prioritize efforts,
assess threats, and focus resources related to its aviation security
initiatives as we previously recommended, but has not yet fully
implemented this approach. A risk management approach is a systematic
process to analyze threats, vulnerabilities, and the criticality (or
relative importance) of assets to better support key decisions. TSA is
developing and implementing both a criticality and a vulnerability
assessment tool to provide a basis for risk-based decision-making. TSA
is currently using some components of these tools and plans to fully
implement its risk management approach by the summer 2004.
TSA faces a number of programmatic and management challenges as it
continues to enhance aviation security. These include the
implementation of the new computer-assisted passenger prescreening
system, as well as strengthening baggage screening, airport perimeter
and access controls, air cargo, and general aviation security. TSA
also must manage the costs associated with aviation security and
address human capital challenges, such as sizing its workforce as
efficiency is improved with security-enhancing technologies”including
the integration of explosive detection systems into in-line baggage-
handling systems. Further challenges in sizing its workforce may be
encountered if airports are granted permission to opt out of using
federal screeners.
What GAO Recommends:
In prior reports and testimonies, GAO has made numerous
recommendations to strengthen aviation security and to improve the
management of federal aviation security organizations. We also have
ongoing reviews assessing many of the issues addressed in this
testimony and will issue separate reports on these areas at a later
date.
www.gao.gov/cgi-bin/getrpt?-GAO-04-232T.
To view the full product, including the scope and methodology, click
on the link above. For more information, contact Cathleen A. Berrick
at (202) 512-8777 or bbeberrickc@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
I appreciate the opportunity to participate in today's hearing to
discuss the security of our nation's aviation system. It has been more
than 2 years since the attacks of September 11, 2001, exposed
vulnerabilities in commercial aviation. Since then, billions of dollars
have been spent and a wide range of programs and initiatives have been
implemented to enhance aviation security. However, recent reviews and
covert testing conducted by GAO and Department of Homeland Security
Office of Inspector General, as well as media reports, revealed
continuing weaknesses and vulnerabilities in aviation security. For
example, the recent incident involving a college student who placed box
cutters, clay resembling plastic explosives, and bleach on commercial
aircraft illustrated that aviation security can still be compromised.
As a result of these challenges, the Transportation Security
Administration (TSA), which is responsible for ensuring the security of
aviation, is faced with the daunting task of determining how to
allocate its limited resources to have the greatest impact in
addressing threats and enhancing security.
My testimony today focuses on three areas that are fundamental to TSA's
success in allocating its resources and enhancing aviation security.
These areas are (1) the need to measure the effectiveness of TSA's
aviation security initiatives that have already been implemented,
particularly its passenger screening program; (2) the need to implement
a risk management approach to prioritize efforts, assess threats, and
focus resources; and (3) the need to address key programmatic and
management challenges that must be overcome to further enhance aviation
security. This testimony is based on our prior work, reviews of TSA
documentation, and discussions with TSA officials.
In summary:
Although TSA has implemented numerous programs and initiatives to
enhance aviation security, it has collected limited information on the
effectiveness of these programs and initiatives. Our recent work on
TSA's passenger screening program showed that although TSA has made
numerous enhancements in passenger screening, it has collected limited
information on how effective these enhancements have been in improving
screeners' ability to detect threat objects. The Aviation and
Transportation Security Act (ATSA), which was enacted with the primary
goal of strengthening the security of the nation's aviation system,
requires that TSA establish acceptable levels of performance for
aviation security initiatives and develop annual performance plans and
reports to measure and document the effectiveness of those
initiatives.[Footnote 1] Although TSA has developed an annual
performance plan and report as required by ATSA, to date these tools
have focused on TSA's progress in meeting deadlines to implement
programs and initiatives mandated by ATSA, rather than on the
effectiveness of these programs and initiatives. TSA has recognized
that its data on the effectiveness of its aviation security initiatives
are limited and is taking steps to collect objective data to assess its
performance, which is to be incorporated in DHS's 5-year performance
plan.
TSA has developed a risk management approach to prioritize efforts,
assess threats, and focus resources related to its aviation security
initiatives as recommended by GAO, but has not yet fully implemented
this approach. TSA's aviation security efforts are varied and vast, and
its resources are fixed. As a result, a risk management approach is
needed to better support key decisions, linking resources with
prioritized efforts.[Footnote 2] TSA has not yet fully implemented its
risk management tools because until recently its resources and efforts
were largely focused on meeting the aviation security mandates included
in ATSA. TSA has acknowledged the need for a risk management approach
and expects to complete the development and automation of its risk
management tools by September 2004.
TSA faces a number of programmatic and management challenges as it
continues to address threats to our nation's aviation system. These
challenges include implementing various aviation security programs,
such as the Computer-Assisted Passenger Prescreening System[Footnote
3]--CAPPS II--and addressing broader security concerns related to the
security of air cargo and general aviation.[Footnote 4] TSA also faces
challenges in managing the costs of aviation security and in
strategically managing its workforce of about 60,000 people, most of
whom are deployed at airports to detect weapons and explosives. TSA has
been addressing these and other challenges through a variety of
efforts. We have work in progress that is examining TSA's efforts in
addressing many of these challenges.
Background:
Ensuring the security of our nation's commercial aviation system has
been a long-standing concern. As demonstrated by the 1988 bombing of a
U.S. airliner over Lockerbie, Scotland, and the 1995 plot to blow up as
many as 12 U.S. aircraft in the Pacific region discovered by Philippine
authorities, U.S. aircraft have long been a target for terrorist
attacks. Many efforts have been made to improve aviation security, but
as we and others have documented in numerous reports and studies,
weaknesses in the system continue to exist. It was these weaknesses
that terrorist exploited to hijack four commercial aircraft in
September 2001, with tragic results.
On November 19, 2001, the President signed into law the Aviation and
Transportation Security Act, with the primary goal of strengthening the
security of the nation's aviation system. ATSA created TSA as an agency
within the Department of Transportation with responsibility for
securing all modes of transportation, including aviation. ATSA mandated
specific improvements to aviation security and established deadlines
for completing many of them. TSA's main focus during its first year of
operation was on meeting these ambitious deadlines, particularly
federalizing the screener workforce at commercial airports nationwide
by November 19, 2002, while at the same time establishing a new federal
organization from the ground up. The Homeland Security Act, signed into
law on November 25, 2002, transferred TSA from the Department of
Transportation to the new Department of Homeland Security.[Footnote 5]
Virtually all aviation security responsibilities now reside with TSA,
including the screening of air passengers and baggage, a function that
had previously been the responsibility of air carriers. TSA is also
responsible for ensuring the security of air cargo and overseeing
security measures at airports to limit access to restricted areas,
secure airport perimeters, and conduct background checks for airport
personnel with access to secure areas, among other responsibilities.
Limited Information Exists on the Effectiveness of Aviation Security
Initiatives:
TSA has implemented numerous initiatives designed to enhance aviation
security but has collected little information on the effectiveness of
these initiatives. ATSA requires that TSA establish acceptable levels
of performance and develop annual performance plans and reports to
measure and document the effectiveness of its security
initiatives.[Footnote 6] Although TSA has developed these performance
tools, as required by ATSA, it currently focuses on progress toward
meeting ATSA deadlines, rather than on the effectiveness of its
programs and initiatives. However, TSA is taking steps to collect
objective data to assess its performance.
Evaluation of Program Effectiveness:
TSA currently has limited information on the effectiveness of its
aviation security initiatives. As we reported in September
2003,[Footnote 7] the primary source of information collected on
screeners' ability to detect threat objects is the covert testing
conducted by TSA's Office of Internal Affairs and Program Review.
However, TSA does not consider the results of these covert tests to be
a measure of performance but rather a "snapshot" of a screener's
ability to detect threat objects at a particular point in time, and as
a system-wide performance indicator. At the time we issued our report,
the Office of Internal Affairs and Program Review had conducted 733
covert tests of passenger screeners at 92 airports. Therefore, only
about 1 percent of TSA's nearly 50,000 screeners had been subject to a
covert test.
In addition to conducting covert tests at screening checkpoints, TSA
conducts tests to determine whether the current Computer-Assisted
Passenger Screening System is working as designed, threat objects are
detected during the screening of checked baggage, and access to
restricted areas of the airport is limited only to authorized
personnel.[Footnote 8] While the Office of Internal Affairs has
conducted about 2,000 access tests, it has conducted only 168 Computer-
Assisted Passenger Screening System and checked baggage tests. Based on
an anticipated increase in staff from about 100 in fiscal year 2003 to
200 in fiscal year 2004, the Office of Internal Affairs and Program
Review plans to conduct twice as many covert tests next year.[Footnote
9]
Another key source of data on screener performance in detecting threat
objects is the Threat Image Projection (TIP) system, which places
images of threat objects on the X-ray screen during actual operations
and records whether screeners identify the threat object.[Footnote 10]
The Federal Aviation Administration began deploying TIP in late 1999 to
continuously measure screener performance and to train screeners in
becoming more adept at detecting hard-to-spot threat objects. However,
TIP was shut down immediately following the September 11 terrorist
attacks because of concerns that it would result in screening delays
and panic, as screeners might think that they were actually viewing a
threat object. Although TSA officials recognized that TIP is a key tool
in measuring, maintaining, and enhancing screener performance, they
only recently began reactivating TIP on wide-scale basis because of
competing priorities, a lack of training, and a lack of resources
needed to deploy TIP activation teams. Once TIP is fully deployed and
operational at every checkpoint at all airports, as it is expected to
be in April 2004, TSA headquarters and federal security
directors[Footnote 11] will have the capability to analyze this
performance data in a number of ways, including by individual
screeners, checkpoints, terminals, and airports.
When fully deployed, the annual screener recertification test results
will provide another source of data on screener performance. ATSA
requires that TSA collect performance information on each screener
through conducting an annual proficiency review to ensure he or she
continues to meet all qualifications and standards required to perform
the screening function. Although TSA began deploying federal screeners
to airports in April 2002, TSA only recently began implementing the
annual recertification program and does not expect to complete testing
at all airports until March 2004. The recertification testing is
comprised of three components: (1) image recognition; (2) knowledge of
standard operating procedures; and (3) practical demonstration of
skills, to be administered by a contractor. TSA officials consider
about 28,000 screeners as having already completed the first two
components because they successfully passed competency tests TSA
administered at many airports as part of a screener workforce reduction
effort. However, these competency tests did not include the third
component of TSA's planned annual screener recertification program--the
practical demonstration of skills. TSA officials awarded a contract for
this component of the annual proficiency reviews in September 2003.
TSA's Performance Management Information System for passenger and
baggage screening operations is designed to collect performance data,
but it currently contains little information on screener performance in
detecting threat objects. The Performance Management Information System
collects a wide variety of metrics on workload, staffing, and equipment
and is used to identify some performance indicators, such as the level
of absenteeism, the average time for equipment repairs, and the status
of TSA's efforts to meet goals for 100 percent electronic baggage
screening.[Footnote 12] However, the system does not contain any
performance metrics related to the effectiveness of passenger
screeners. TSA is planning to integrate performance information from
various systems into the Performance Management Information System to
assist the agency in making strategic decisions. TSA further plans to
continually enhance the system as it learns what data are needed to
best manage the agency. In addition to making improvements to the
Performance Management Information System, TSA is currently developing
performance indexes for both individual screeners and the screening
system as a whole. The screener performance index will be based on data
such as the results of performance evaluations and recertification
tests, and the index for the screening system will be based on
information such as covert test results and screener effectiveness
measures. TSA has not yet fully established its methodology for
developing the indexes, but it expects to have the indexes developed by
the end of fiscal year 2004.
In conjunction with measuring the performance of its passenger
screening operations, TSA must also assess the performance of the five
pilot airports that are currently using contract screeners to determine
the feasibility of using private screening companies instead of federal
screeners.[Footnote 13] Although ATSA allows airports to apply to opt
out of using federal screeners beginning in November 2004, TSA has not
yet determined how to evaluate and measure the performance of the pilot
program. In early October 2003, TSA awarded a contract to BearingPoint,
Inc., to compare the performance of pilot screening with federal
screening, including the overall strengths and weaknesses of both
systems, and determine the reasons for any differences.[Footnote 14]
The evaluation is scheduled to be completed by March 31, 2004.[Footnote
15] TSA has acknowledged that designing an effective evaluation of the
screeners at the pilot airports will be challenging because key
operational areas, including training, assessment, compensation, and
equipment, have to a large extent been held constant across all
airports, and therefore are not within the control of the private
screening companies.[Footnote 16] In its request for proposal for the
pilot airport evaluation, TSA identified several data sources for the
evaluation, including the Performance Management Information System and
the Office of Internal Affairs and Program Review's covert testing of
passenger screeners. However, as we recently reported, data from both
of these systems in measuring the effectiveness of screening operations
is limited. As a result, it will be a challenge for TSA to effectively
compare the performance of the contract pilot airports with the
performance of airports using federal screeners.
TSA Is Developing Performance Evaluation Tools:
TSA has recognized the need to strengthen the assessment of its
performance, and has initiated efforts to develop and implement
strategic and performance plans to clarify goals, establish performance
measures, and measure the performance of its security initiatives.
Strategic plans are the starting point for an agency's planning and
performance measurement efforts. Strategic plans include a
comprehensive mission statement based on the agency's statutory
requirements, a set of outcome-related strategic goals, and a
description of how the agency intends to achieve these goals. The
Government Performance and Results Act (GPRA)[Footnote 17] establishes
a framework for strategic plans that requires agencies to:
* clearly establish results-oriented performance goals in strategic and
annual performance plans for which they will be held accountable,
* measure progress toward achieving those goals,
* determine the strategies and resources to effectively accomplish the
goals,
* use performance information to make programmatic decisions necessary
to improve performance, and:
* formally communicate results in performance reports.
Although the Department of Homeland Security plans to issue one
strategic plan for the Department, it plans to incorporate strategic
planning efforts from each of its component agencies. TSA recently
completed a draft of its input into the Department of Homeland
Security's strategic plan. TSA officials stated that the draft is
designed to ensure their security initiatives are aligned with the
agency's goals and objectives, and that these initiatives represent the
most efficient use of their resources. TSA officials submitted the
draft plan to stakeholders in September 2003 for their review and
comment. The Department of Homeland Security plans to issue its
strategic plan by the end of the year.[Footnote 18]
In addition to developing a strategic plan, TSA is developing a
performance plan to help it evaluate the current effectiveness and
levels of improvement in its programs, based on established performance
measures. TSA submitted to the Congress a short-term performance plan
in May 2003, as required by ATSA, that included performance goals and
objectives. The plan also included an initial set of 32 performance
measures, including the percentage of bags screened by explosive
detection systems and the percentage of screeners in compliance with
training standards. However, these measures were primarily output-based
(measuring whether specific activities were achieved) and did not
measure the effectiveness of TSA's security initiatives. TSA officials
acknowledge that the goals and measures included in the report were
narrowly focused, and that in moving forward additional performance-
based measures are needed.
In addition to developing a short-term performance plan, ATSA also
requires that TSA develop a 5-year performance plan and annual
performance report, including an evaluation of the extent to which its
goals and objectives were met. TSA is currently developing performance
goals and measures as part of its annual planning process and will
collect baseline data throughout fiscal year 2004 to serve as a
foundation for its performance targets. TSA also plans to increase its
focus on measuring the effectiveness of various aspects of the aviation
security system in its 5-year performance plan. According to TSA's
current draft strategic plan, which outlines its overall goals and
strategies for fiscal years 2003 through 2008, its efforts to measure
the effectiveness of the aviation security system will include:
* random and scheduled reviews of the efficiency and effectiveness of
security processes;
* oversight of compliance with security standards and approved programs
through a combination of inspections, testing, interviews, and record
reviews--to include TIP;
* measurement of performance against standards to ensure expected
standards are met and to drive process improvements; and:
* collection and communication of performance data using a state-of-
the-art data collection and reporting system.
In our January 2003 report on TSA's actions and plans to build a
results-oriented culture, we recommended next steps that TSA should
take to strengthen its strategic planning efforts.[Footnote 19] These
steps include establishing security performance goals and measures for
all modes of transportation that involves stakeholders, and applying
practices that have been shown to provide useful information in agency
performance plans. We also identified practices that TSA can apply to
ensure the usefulness of its required 5-year performance plan to TSA
managers, the Congress, and other decision makers or interested
parties. Table 1 outlines the practices we identified for TSA.
Table 1: Summary of Opportunities to Help Ensure Useful Annual Plans
and Applied Practices:
Opportunities to help ensure useful annual plans: Articulate a results
orientation; Applied practices: Create a set of performance goals and
measures that addresses important dimensions of program performance and
balances competing priorities; Use intermediate goals and measures to
show progress or contribution to intended results; Include explanatory
information on the goals and measures; Develop performance goals to
address mission-critical management problems; Show baseline and trend
data for past performance; Identify projected target levels of
performance for multiyear goals; Link the goals of component
organizations to departmental strategic goals.
Opportunities to help ensure useful annual plans: Coordinate cross-
cutting programs; Applied practices: Identify programs that contribute
to the same or similar results; Set complementary performance goals to
show how differing program strategies are mutually reinforcing and
establish common or complementary performance measures, as
appropriate; Describe--briefly or refer to a separate document--
planned coordination strategies.
Opportunities to help ensure useful annual plans: Show how strategies
will be used to achieve goals; Applied practices: Link strategies and
programs to specific performance goals and describe how they will
contribute to the achievement of those goals; Describe strategies to
leverage or mitigate the effects of external factors on the
accomplishment of performance goals; Discuss strategies to resolve
mission-critical management problems; Discuss--briefly or refer to a
separate plan--plans to ensure that mission-critical processes and
information systems function properly and are secure.
Opportunities to help ensure useful annual plans: Show performance
consequences of budget and other resource decisions; Applied practices:
Show how budgetary resources relate to the achievement of performance
goals; Discuss--briefly and refer to the agency capital plan--how
proposed capital assets (specifically information technology
investments) will contribute to achieving performance goals; Discuss-
-briefly or refer to a separate plan--how the agency will use its human
capital.
Opportunities to help ensure useful annual plans: Build the capacity to
gather and use performance information; Applied practices: Identify
internal and external sources of data; Describe efforts to verify and
validate performance data; Identify actions to compensate for
unavailable or low-quality data; Discuss implications of data
limitations for assessing performance.
Source: GAO.
[End of table]
TSA agreed with our recommendation and plans to incorporate these
principles into the data it provides DHS for the department's 5-year
performance plan and annual performance report. DHS plans to complete
its 5-year performance plan and annual performance report by February
2004, as required by GPRA.
The Congress has also recognized the need for TSA to collect
performance data and, as part of the Federal Aviation Administration's
(FAA) reauthorization act--Vision 100: Century of Aviation
Reauthorization Act--is currently considering a provision that would
require the Secretary of the Department of Homeland Security to conduct
a study of the effectiveness of the aviation security system.
Risk Management Approach Needed To Focus Security Efforts:
As TSA moves forward in addressing aviation security concerns, it needs
adequate tools to ensure that its efforts are appropriately focused,
strategically sound, and achieving expected results. Because of limited
funding, TSA needs to set priorities so that its resources can be
focused and directed to those aviation security enhancements most in
need of implementation. In recent years, we have consistently advocated
the use of a risk management approach to respond to various national
security and terrorism challenges, and have recommended that TSA apply
this approach to strengthen security in aviation as well as in other
modes of transportation.[Footnote 20] TSA agreed with our
recommendation and is adopting a risk management approach.
Risk management is a systematic and analytical process to consider the
likelihood that a threat will endanger an asset, an individual, or a
function and to identify actions to reduce the risk and mitigate the
consequences of an attack. Risk management principles acknowledge that
while risk cannot be eliminated, enhancing protection from existing or
potential threats can help reduce it. Accordingly, a risk management
approach is a systematic process to analyze threats, vulnerabilities,
and the criticality (or relative importance) of assets to better
support key decisions. The purpose of this approach is to link
resources with efforts that are of the highest priority. Figure 1
describes the risk management approach.
Figure 1: Elements of a risk management approach:
A threat assessment identifies and evaluates potential threats on the
basis of factors such as capabilities, intentions, and past activities.
This assessment represents a systematic approach to identifying
potential threats before they materialize, and is based on threat
information gathered from both the intelligence and law enforcement
communities. However, even if updated often, a threat assessment might
not adequately capture some emerging threats. The risk management
approach, therefore, uses vulnerability and criticality assessments as
additional input to the decision-making process; A vulnerability
assessment identifies weaknesses that may be exploited by identified
threats and suggests options to address those weaknesses. In general, a
vulnerability assessment is conducted by a team of experts skilled in
such areas as engineering, intelligence, security, information systems,
finance, and other disciplines; A criticality assessment evaluates and
prioritizes assets and functions in terms of specific criteria, such as
their importance to public safety and the economy. The assessment
provides a basis for identifying which structures or processes are
relatively more important to protect from attack. As such, it helps
managers to determine operational requirements and target resources at
their highest priorities, while reducing the potential for targeting
resources at lower priorities.
Source: GAO.
[End of figure]
Figure 2 illustrates how the risk management approach can guide
decision making and shows that the highest risks and priorities emerge
where the three elements of risk management overlap.
Figure 2: A Risk Management Approach:
[See PDF for image]
[End of figure]
For example, an airport that is determined to be a critical asset,
vulnerable to attack, and a likely target would be at most risk and
therefore would be a higher priority for funding compared with an
airport that is only vulnerable to attack. In this vein, aviation
security measures shown to reduce the risk to the most critical assets
would provide the greatest protection for the cost.
Over the past several years, we have concluded that comprehensive
threat, vulnerability, and criticality assessments are key in better
preparing against terrorist attacks, and we have recommended that TSA
apply this risk management approach to strengthen security in aviation.
TSA agreed with our recommendation and is adopting a risk management
approach in an attempt to enhance security across all modes of
transportation. According to TSA officials, once established, risk
management principles will drive all decisions--from standard setting
to funding priorities to staffing. TSA has not yet fully implemented
its risk management approach, but it has taken steps in this direction.
Specifically, TSA's Office of Threat Assessment and Risk Management is
developing four assessment tools that will help assess threats,
criticality, and vulnerabilities. Figure 3 illustrates TSA's threat
assessment and risk management approach.
Figure 3: TSA's Risk Management Approach and Tools:
[See PDF for image]
Source: TSA.
[End of figure]
The first tool, which will assess criticality, will determine a
criticality score for a facility or transportation asset by
incorporating factors such as the number of fatalities that could occur
during an attack and the economic and sociopolitical importance of the
facility or asset. This score will enable TSA, in conjunction with
transportation stakeholders, to rank facilities and assets within each
mode and thus focus resources on those that are deemed most important.
TSA is working with another Department of Homeland Security office--the
Information and Analysis Protection Directorate--to ensure that the
criticality tool will be consistent with the Department's overall
approach for managing critical infrastructure.
A second tool--the Transportation Risk Assessment and Vulnerability
Tool (TRAVEL)--will assess threats and analyze vulnerabilities at those
transportation assets TSA determines to be nationally critical. The
tool will be used in a TSA-led and facilitated assessment that will be
conducted on the site of the transportation asset.[Footnote 21]
Specifically, the tool will assess an asset's baseline security system
and that system's effectiveness in detecting, deterring, and preventing
various threat scenarios, and it will produce a relative risk score for
potential attacks against a transportation asset or facility. In
addition, TRAVEL will include a cost-benefit component that compares
the cost of implementing a given countermeasure with the reduction in
relative risk to that countermeasure. TSA is working with economists to
develop the cost-benefit component of this model and with the TSA
Intelligence Service to develop relevant threat scenarios for
transportation assets and facilities. According to TSA officials, a
standard threat and vulnerability assessment tool is needed so that TSA
can identify and compare threats and vulnerabilities across
transportation modes. If different methodologies are used in assessing
the threats and vulnerabilities, comparisons could be problematic.
However, a standard assessment tool would ensure consistent
methodology.
A third tool--the Transportation Self-Assessment Risk Module (TSARM)--
will be used to assess and analyze vulnerabilities for assets that the
criticality assessment determines to be less critical. The self-
assessment tool included in TSARM will guide a user through a series of
security-related questions in order to develop a comprehensive security
baseline of a transportation entity and will provide mitigating
strategies for when the threat level increases. For example, as the
threat level increases from yellow to orange, as determined by the
Department of Homeland Security, the assessment tool might advise an
entity to take increased security measures, such as erecting barriers
and closing selected entrances. TSA had deployed one self-assessment
module in support of targeted maritime vessel and facility
categories.[Footnote 22]
The fourth risk management tool that TSA is currently developing is the
TSA Vulnerability Assessment Management System (TVAMS). TVAMS is TSA's
intended repository of criticality, threat, and vulnerability
assessment data. TVAMS will maintain the results of all vulnerability
assessments across all modes of transportation. This repository will
provide TSA with data analysis and reporting capabilities. TVAMS is
currently in the conceptual stage and requirements are still being
gathered.
TSA is now using components of these risk management tools and is
automating others so that the components can be used remotely by
stakeholders, such as small airports, to assess their risks. For
example, according to TSA officials, TSA has conducted assessments at 9
of 443 commercial airports using components of its TRAVEL tool. Three
of these assessments were conducted at category X airports (the largest
and busiest airports), and the remaining 6 assessments were conducted
at airports in lower categories. TSA plans to conduct approximately 100
additional assessments of commercial airports in 2004 using TRAVEL and
plans to begin compiling data on security vulnerability trends in 2005.
Additionally, TSA plans to fully implement and automate its risk
management approach by September 2004.
TSA Faces Additional Programmatic And Management Challenges:
In addition to collecting performance data and implementing a risk
management approach, TSA faces a number of other programmatic and
management challenges in strengthening aviation security. These
challenges include implementing the new Computer-Assisted Passenger
Prescreening System; strengthening baggage screening, airport
perimeter and access controls, air cargo, and general aviation
security; managing the costs of aviation security initiatives; and
managing human capital. TSA has been addressing these challenges
through a variety of efforts. We have work in progress that is
examining TSA's efforts in most of these areas, and we will be
reporting on TSA's progress in the future.
Computer-Assisted Passenger Prescreening System (CAPPS II):
ATSA authorized TSA to develop a new Computer-Assisted Passenger
Prescreening System, or CAPPS II. This system is intended to replace
the current Computer-Assisted Passenger Screening program, which was
developed in the mid-1990s by the Federal Aviation Administration to
enable air carriers to identify passengers requiring additional
security attention. The current system is maintained as a part of the
airlines' reservation systems and, operating under federal guidelines,
uses a number of behavioral characteristics to select passengers for
additional screening.
In the wake of the September 11, 2001, terrorist attacks, a number of
weaknesses in the current prescreening program were exposed. For
example, although the characteristics used to identify passengers for
additional screening are classified, several have become public
knowledge through the press or on the Internet. Although enhancements
have been made to address some of these weaknesses, the behavioral
traits used in the system may not reflect current intelligence
information. It is also difficult to quickly modify the system to
respond to real-time changes in threats. Additionally, because the
current system operates independently within each air carrier
reservation system, changes to each air carrier's system to modify the
prescreening system can be costly and time-consuming.
In contrast, CAPPS II is planned to be a government-run program that
will provide real-time risk assessment for all airline passengers.
Unlike the current system, TSA is designing CAPPS II to identify and
compare personal information with commercially available data to
confirm a passenger's identity. The system will then run the
identifying information against government databases and generate a
"risk" score for the passenger. The risk score will determine the level
of screening that the passenger will undergo before boarding. TSA
currently estimates that initial implementation of CAPPS II will occur
during the fall of 2004, with full implementation expected by the fall
of 2005.
TSA faces a number of challenges that could impede their ability to
implement CAPPS II. Among the most significant are the following:
* concerns about travelers' privacy rights and the safeguards
established to protect passenger data;
* the accuracy of the databases being used by the CAPPS II system and
whether inaccuracies could generate a high number of false positives
and erroneously prevent or delay passengers from boarding their
flights;
* the length of time that data will be retained by TSA;
* the availability of a redress process through which passengers could
get erroneous information corrected;
* concerns that identify theft, in which someone steals relevant data
and impersonates another individual to obtain that person's low risk
score, may not be detected and thereby negate the security benefits of
the system; and:
* obtaining the international cooperation needed for CAPPS II to be
fully effective, as some countries consider the passenger information
required by CAPPS II as a potential violation of their privacy laws.
We are currently assessing these and other challenges in the
development and implementation of the CAPPS II system and expect to
issue a final report on our work in early 2004.
Checked Baggage Screening:
Checked baggage represents a significant security concern, as explosive
devices in baggage can, and have, been placed in aircraft holds. ATSA
required screening of all checked baggage on commercial aircraft by
December 31, 2002, using explosive detection systems to electronically
scan baggage for explosives. According to TSA, electronic screening can
be accomplished by bulk explosives detection systems (EDS)[Footnote 23]
or Explosives Trace Detection (ETD) systems.[Footnote 24] However, TSA
faced challenges in meeting the mandated implementation date. First,
the production capabilities of EDS manufacturers were insufficient to
produce the number of units needed. Additionally, according to TSA, it
was not possible to undertake all of the airport modifications
necessary to accommodate the EDS equipment in each airport's baggage
handling area. In order to ensure that all checked baggage is screened,
TSA established a program that uses alternative measures, including
explosives sniffing dogs, positive passenger bag match,[Footnote 25]
and physical hand searches at airports where sufficient EDS or ETD
technology is not available. TSA was granted an extension for screening
all checked baggage electronically, using explosives detection systems,
until December 31, 2003.
Although TSA has made progress in implementing EDS technology at more
airports, it has reported that it will not meet the revised mandate for
100 percent electronic screening of all checked baggage. Specifically,
as of October 2003, TSA reported that it will not meet the deadline for
electronic screening by December 31, 2003, at five airports. Airport
representatives with whom we spoke expressed concern that there has not
been enough time to produce, install, and integrate all of the systems
required to meet the deadline.
In addition to fielding the EDS systems at airports, difficulties exist
in integrating these systems into airport baggage handling systems. For
those airports that have installed EDS equipment, many have been
located in airport lobbies as stand-alone systems. The chief drawback
of stand-alone systems is that because of their size and weight there
is a limit to the number of units that can be placed in airport
lobbies, and numerous screeners are required to handle the checked bags
because each bag must be physically conveyed to the EDS machines and
then moved back to the conveyor system for transport to the baggage
handling room in the air terminal. Some airports are in the process of
integrating the EDS equipment in-line with the conveyor belts that
transport baggage from the ticket counter to the baggage handling area;
however, the reconfiguring of airports for in-line checked baggage
screening can be extensive and costly.[Footnote 26] TSA has reported
that in-line EDS equipment installation costs range from $1 million to
$3 million per piece of equipment. In February 2003, we identified
letters of intent[Footnote 27] as a funding option that has been
successfully used to leverage private sources of funding.[Footnote 28]
TSA has since written letters of intent covering seven airports
promising multiyear financial support totaling over $770 million for
in-line integration of EDS equipment.[Footnote 29] Further, TSA
officials have stated that they have identified 25 to 35 airports as
candidates for further letters of intent pending Congressional
authorization of funding. We are examining TSA's baggage screening
program, including its issuance of letters of intent, in an ongoing
assignment.
Perimeter and Access Controls:
Prior to September 2001, work performed by GAO, and others, highlighted
the vulnerabilities in controls for limiting access to secure airport
areas. In one report, we noted that GAO special agents were able to use
fictitious law enforcement badges and credentials to gain access to
secure areas, bypass security checkpoints, and walk unescorted to
aircraft departure gates.[Footnote 30] The agents, who had been issued
tickets and boarding passes, could have carried weapons, explosives, or
other dangerous objects onto aircraft. Concerns over the adequacy of
the vetting process for airport workers who have unescorted access to
secure airport areas have also arisen, in part, as a result of federal
agency airport security sweeps that uncovered hundreds of instances in
which airport workers lied about their criminal history, or immigration
status, or provided false or inaccurate Social Security numbers on
their application for security clearances to obtain employment.
ATSA contains provisions to improve perimeter access security at the
nation's airports and strengthen background checks for employees
working in secure airport areas, and TSA has made some progress in this
area. For example, federal mandates were issued to strengthen airport
perimeter security by limiting the number of airport access points, and
they require random screening of individuals, vehicles, and property
before entry at the remaining perimeter access points. Further, TSA
made criminal history checks mandatory for employees with access to
secure or sterile airport areas. To date, TSA has conducted
approximately 1 million of these checks. TSA also has plans to develop
a pilot airport security program and is reviewing security technologies
in the areas of biometrics access control identification systems (i.e.,
fingerprints or iris scans), anti-piggybacking technologies (to prevent
more than one employee from entering a secure area at a time), and
video monitoring systems for perimeter security. TSA solicited
commercial airport participation in the program. It is currently
reviewing information from interested airports and plans to select 20
airports for the program.
Although progress has been made, challenges remain with perimeter
security and access controls at commercial airports. Specifically, ATSA
contains numerous requirements for strengthening perimeter security and
access controls, some of which contained deadlines, which TSA is
working to meet. In addition, a significant concern is the possibility
of terrorists using shoulder-fired portable missiles from locations
near the airport. We reported in June 2003 that airport operators have
increased their patrols of airport perimeters since September 2001, but
industry officials stated that they do not have enough resources to
completely protect against missile attacks.[Footnote 31] A number of
technologies could be used to secure and monitor airport perimeters,
including barriers, motion sensors, and closed-circuit television.
Airport representatives have cautioned that as security enhancements
are made to airport perimeters, it will be important for TSA to
coordinate with the Federal Aviation Administration and the airport
operators to ensure that any enhancements do not pose safety risks for
aircraft. To further examine these threats and challenges, we have
ongoing work assessing TSA's progress in meeting ATSA provisions
related to improving perimeter security, access controls, and
background checks for airport employees and other individuals with
access to secure areas of the airport, as well as the nature and extent
of the threat from shoulder-fired missiles.
Air Cargo Security:
As we and the Department of Transportation's Inspector General have
reported, vulnerabilities exist in ensuring the security of cargo
carried aboard commercial passenger and all-cargo aircraft. TSA has
reported that an estimated 12.5 million tons of cargo are transported
each year--9.7 million tons on all-cargo planes and 2.8 million tons on
passenger planes. Potential security risks are associated with the
transport of air cargo--including the introduction of undetected
explosive and incendiary devices in cargo placed aboard aircraft. To
reduce these risks, ATSA requires that all cargo carried aboard
commercial passenger aircraft be screened and that TSA have a system in
place as soon as practicable to screen, inspect, or otherwise ensure
the security of cargo on all-cargo aircraft. Despite these
requirements, it has been reported that less than 5 percent of cargo
placed on passenger airplanes is physically screened.[Footnote 32]
TSA's primary approach to ensuring air cargo security and safety is to
ensure compliance with the "known shipper" program--which allows
shippers that have established business histories with air carriers or
freight forwarders to ship cargo on planes. However, we and the
Department of Transportation's Inspector General have identified
weaknesses in the known shipper program and in TSA's procedures for
approving freight forwarders, such as possible tampering with freight
at various handoff points before it is loaded into an
aircraft.[Footnote 33]
Since September 2001, TSA has taken a number of actions to enhance
cargo security, such as implementing a database of known shippers in
October 2002. The database is the first phase in developing a cargo
profiling system similar to the Computer-Assisted Passenger
Prescreening System. However, in December 2002, we reported that
additional operational and technological measures, such as checking the
identity of individuals making cargo deliveries, have the potential to
improve air cargo security in the near term.[Footnote 34] We further
reported that TSA lacks a comprehensive plan with long-term goals and
performance targets for cargo security, time frames for completing
security improvements, and risk-based criteria for prioritizing actions
to achieve those goals. Accordingly, we recommended that TSA develop a
comprehensive plan for air cargo security that incorporates a risk
management approach, includes a list of security priorities, and sets
deadlines for completing actions. TSA agreed with this recommendation
and expects to develop such a plan by the end of 2003. It will be
important that this plan include a timetable for implementation to help
ensure that vulnerabilities in this area are reduced.
General Aviation Security:
Since September 2001, TSA has taken limited action to improve general
aviation security, leaving general aviation far more open and
potentially vulnerable than commercial aviation. General aviation is
vulnerable because general aviation pilots and passengers are not
screened before takeoff and the contents of general aviation planes are
not screened at any point. General aviation includes more than 200,000
privately owned airplanes, which are located in every state at more
than 19,000 airports.[Footnote 35] More than 550 of these airports also
provide commercial service. In the last 5 years, about 70 aircraft have
been stolen from general aviation airports, indicating a potential
weakness that could be exploited by terrorists. This vulnerability was
demonstrated in January 2002, when a teenage flight student stole and
crashed a single-engine airplane into a Tampa, Florida skyscraper.
Moreover, general aviation aircraft could be used in other types of
terrorist acts. It was reported that the September 11th hijackers
researched the use of crop dusters to spread biological or chemical
agents.
We reported in September 2003 that TSA chartered a working group on
general aviation within the existing Aviation Security Advisory
Committee.[Footnote 36] The working group consists of industry
stakeholders and is designed to identify and recommend actions to close
potential security gaps in general aviation. On October 1, 2003, the
working group issued a report that included a number of recommendations
for general aviation airport operators' voluntary use in evaluating
airports' security requirements. These recommendations are both broad
in scope and generic in their application, with the intent that every
general aviation airport and landing facility operators may use them to
evaluate that facility's physical security, procedures,
infrastructure, and resources. TSA is taking some additional action to
strengthen security at general aviation airports, including developing
a risk-based self-assessment tool for general aviation airports to use
in identifying security concerns. We have ongoing work that is
examining general aviation security in further detail.
Aviation Security Funding:
TSA faces two key funding and accountability challenges in securing the
commercial aviation system: (1) paying for increased aviation security
and (2) ensuring that these costs are controlled. The costs associated
with the equipment and personnel needed to screen passengers and their
baggage alone are huge. The Department of Homeland Security
appropriation includes $3.7 billion for aviation security for fiscal
year 2004, with about $1.8 billion for passenger screening and $1.3
billion for baggage screening. ATSA created a passenger security fee to
pay for the costs of aviation security, but the fee has not generated
enough money to do so. The Department of Transportation's Inspector
General reported that the security fees are estimated to generate only
about $1.7 billion during fiscal year 2004.
A major funding challenge is paying for the purchase and installation
of the remaining explosives detection systems, including integration
into airport baggage-handling systems. Integrating the equipment with
the baggage-handling systems is expected to be costly because it will
require major facility modifications. For example, modifications needed
to integrate the equipment at Boston's Logan International Airport are
estimated to cost $146 million. Modifications for Dallas/Fort Worth
International Airport are estimated to cost $193 million. According to
TSA and the Department of Transportation's Inspector General, the cost
of integrating the equipment nationwide could be $3 billion.
A key question that must be addressed is how to pay for these
installation costs. The Federal Aviation Administration's Airport
Improvement Program (AIP) and passenger facility charges have been
eligible sources for funding this work.[Footnote 37] During fiscal year
2002, AIP grant funds totaling $561 million were used for terminal
modifications to enhance security. However, using these funds for
security reduced the funding available for other airport development
and rehabilitation projects. To provide financial assistance to
airports for security-related capital investments, such as the
installation of explosives detection equipment, proposed aviation
reauthorization legislation would establish an aviation security
capital fund that would authorize $2 billion over the next 4 years. The
funding would be made available to airports in letters of intent, and
large and medium hub airports would be expected to provide a match of
10 percent of a project's costs. A 5 percent match would be required
for all other airports.
In February 2003, we identified letters of intent as a funding option
that has been successfully used to leverage private sources of
funding.[Footnote 38] TSA has since signed letters of intent covering
seven airports--Boston Logan, Dallas/Fort Worth, Denver, Los Angeles,
McCarran (Las Vegas), Ontario (California), and Seattle/Tacoma
international airports. Under the agreements, TSA will pay 75 percent
of the cost of integrating the explosives detection equipment into the
baggage-handling systems. The payments will stretch out over 3 to 4
years. TSA officials have identified more airports that would be
candidates for similar agreements.
Another challenge is ensuring continued investment in transportation
research and development. For fiscal year 2003, TSA was appropriated
about $110 million for research and development, of which $75 million
was designated for the next-generation explosives detection systems.
However, TSA proposed to reprogram $61.2 million of these funds to be
used for other purposes, leaving about $12.7 million to be spent on
research and development in that year. This proposed reprogramming
could limit TSA's ability to sustain and strengthen aviation security
by continuing to invest in research and development for more effective
equipment to screen passengers, their carry-on and checked baggage, and
cargo. In ongoing work, we are examining the nature and scope of
research and development work by TSA and the Department of Homeland
Security, including their strategy for accelerating the development of
transportation security technologies.
Human Capital Management:
As it organizes itself to protect the nation's transportation system,
TSA faces the challenge of strategically managing its workforce of
about 60,000 people--more than 80 percent of whom are passenger and
baggage screeners. Additionally, over the next several years, TSA faces
the challenge of sizing and managing this workforce as efficiency is
improved with new security-enhancing technologies, processes, and
procedures. For example, as explosives detection systems are integrated
with baggage-handling systems, the use of more labor-intensive
screening methods, such as trace detection techniques and manual bag
searches, can be reduced. Other planned security enhancements, such as
CAPPS II and the registered traveler program, also have the potential
to make screening more efficient. Further, if airports opt out of the
federal screener program and use their own or contract employees to
provide screening instead of TSA screeners, a significant impact on TSA
staffing could occur.
To assist agencies in managing their human capital more strategically,
we have developed a model that identifies cornerstones and related
critical success factors that agencies should apply and steps they can
take.[Footnote 39] Our model is designed to help agency leaders
effectively lead and manage their people and integrate human capital
considerations into daily decision making and the program results they
seek to achieve. In January 2003, we reported that TSA was addressing
some critical human capital success factors by using a wide range of
tools available for hiring, and beginning to link individual
performance to organizational goals.[Footnote 40] However, concerns
remain about the size and training of that workforce, the adequacy of
the initial background checks for screeners, and TSA's progress in
setting up a performance management system. TSA is currently developing
a human capital strategy, which it expects to be completed by the end
of this year.
TSA has proposed cutting the screener workforce by an additional 3,000
during fiscal year 2004. This planned reduction has raised concerns
about passenger delays at airports and has led TSA to begin hiring
part-time screeners to make more flexible and efficient use of its
workforce. In addition, TSA used an abbreviated background check
process to hire and deploy enough screeners to meet ATSA's screening
deadlines during 2002. After obtaining additional background
information, TSA terminated the employment of some of these screeners.
TSA reported 1,208 terminations as of May 31, 2003, that it ascribed to
a variety of reasons, including criminal offenses and failures to pass
alcohol and drug tests. Furthermore, the national media have reported
allegations of operational and management control problems that emerged
with the expansion of the Federal Air Marshal Service, including
inadequate background checks and training, uneven scheduling, and
inadequate policies and procedures. We reported in January 2003 that
TSA had taken the initial steps in establishing a performance
management system linked to organizational goals. Such a system will be
critical for TSA to motivate and manage staff, ensure the quality of
screeners' performance, and, ultimately, restore public confidence in
air travel. In ongoing work, we are examining the effectiveness of
TSA's efforts to train, equip, and supervise passenger screeners, and
we are assessing the effects of expansion on the Federal Air Marshal
Service.[Footnote 41]
Concluding Observations:
As TSA moves forward in addressing aviation security concerns, it needs
the information and tools necessary to ensure that its efforts are
appropriately focused, strategically sound, and achieving expected
results. Without knowledge about the effectiveness of its programs and
a process for prioritizing planned security initiatives, TSA and the
public have little assurance regarding the level of security provided,
and whether TSA is using its resources to maximize security benefits.
Additionally, as TSA implements new security initiatives and addresses
associated challenges, measuring program effectiveness and
prioritizing efforts will help it focus on the areas of greatest
importance. We are encouraged that TSA is undertaking efforts to
develop the information and tools needed to measure its performance and
focus its efforts on those areas of greatest need.
Mr. Chairman, this concludes my statement. I would be pleased to answer
any questions that you or other members of the Committee may have.
Contact Information:
For further information on this testimony, please contact Cathleen A.
Berrick at (202) 512-8777. Individuals making key contributions to this
testimony include Mike Bollinger, Lisa Brown, Jack Schulze, Maria
Strudwick, and Susan Zimmerman.
[End of section]
Related GAO Products:
Airport Passenger Screening: Preliminary Observations on Progress Made
and Challenges Remaining. GAO-03-1173. Washington, D.C.: September 24,
2003.
Aviation Security: Progress since September 11, 2001, and the
Challenges Ahead. GAO-03-1150T. Washington, D.C.: September 9, 2003:
Transportation Security: Federal Action Needed to Help Address Security
Challenges. GAO-03-843. Washington, D.C.: June 30, 2003.
Transportation Security: Post-September 11th Initiatives and Long-Term
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.
Aviation Security: Measures Needed to Improve Security of Pilot
Certification Process. GAO-03-248NI. Washington, D.C.: February 3, 2003
(NOT FOR PUBLIC DISSEMINATION).
Aviation Security: Vulnerabilities and Potential Improvements for the
Air Cargo System. GAO-03-286NI. Washington, D.C.: December 20, 2002
(NOT FOR PUBLIC DISSEMINATION).
Aviation Security: Vulnerabilities and Potential Improvements for the
Air Cargo System. GAO-03-344. Washington, D.C.: December 20, 2002.
Aviation Security: Vulnerability of Commercial Aviation to Attacks by
Terrorists Using Dangerous Goods. GAO-03-30C. Washington, D.C.:
December 3, 2002:
Aviation Security: Registered Traveler Program Policy and
Implementation Issues. GAO-03-253. Washington, D.C.: November 22, 2002.
Aviation Security: Transportation Security Administration Faces
Immediate and Long-Term Challenges. GAO-03-971T. Washington, D.C.: July
25, 2002.
Aviation Security: Information Concerning the Arming of Commercial
Pilots. GAO-02-822R. Washington, D.C.: June 28, 2002.
Aviation Security: Deployment and Capabilities of Explosive Detection
Equipment. GAO-02-713C. Washington, D.C.: June 20, 2002 (CLASSIFIED).
Aviation Security: Information on Vulnerabilities in the Nation's Air
Transportation System. GAO-01-1164T. Washington, D.C.: September 26,
2001 (NOT FOR PUBLIC DISSEMINATION).
Aviation Security: Information on the Nation's Air Transportation
System Vulnerabilities. GAO-01-1174T. Washington, D.C.: September 26,
2001 (NOT FOR PUBLIC DISSEMINATION).
Aviation Security: Vulnerabilities in, and Alternatives for, Preboard
Screening Security Operations. GAO-01-1171T. Washington, D.C.:
September 25, 2001.
Aviation Security: Weaknesses in Airport Security and Options for
Assigning Screening Responsibilities. GAO-01-1165T. Washington, D.C.:
September 21, 2001.
Aviation Security: Terrorist Acts Demonstrate Urgent Need to Improve
Security at the Nation's Airports. GAO-01-1162T. Washington, D.C.:
September 20, 2001.
Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in
Aviation Security. GAO-01-1166T. Washington, D.C.: September 20, 2001.
Responses of Federal Agencies and Airports We Surveyed about Access
Security Improvements. GAO-01-1069R. Washington, D.C.: August 31, 2001.
Responses of Federal Agencies and Airports We Surveyed about Access
Security Improvements. GAO-01-1068R. Washington, D.C.: August 31, 2001
(RESTRICTED).
FAA Computer Security: Recommendations to Address Continuing
Weaknesses. GAO-01-171. Washington, D.C.: December 6, 2000.
Aviation Security: Additional Controls Needed to Address Weaknesses in
Carriage of Weapons Regulations. GAO/RCED-00-181. Washington, D.C.:
September 29, 2000.
FAA Computer Security: Actions Needed to Address Critical Weaknesses
That Jeopardize Aviation Operations. GAO/T-AIMD-00-330. Washington,
D.C.: September 27, 2000.
FAA Computer Security: Concerns Remain due to Personnel and Other
Continuing Weaknesses. GAO/AIMD-00-252. Washington, D.C.: August 16,
2000.
Aviation Security: Long-Standing Problems Impair Airport Screeners'
Performance. GAO/RCED-00-75. Washington, D.C.: June 28, 2000.
Aviation Security: Screeners Continue to Have Serious Problems
Detecting Dangerous Objects. GAO/RCED-00-159. Washington, D.C.: June
22, 2000 (NOT FOR PUBLIC DISSEMINATION).
Security: Breaches at Federal Agencies and Airports. GAO-OSI-00-10.
Washington, D.C.: May 25, 2000.
Aviation Security: Screener Performance in Detecting Dangerous Objects
during FAA Testing Is Not Adequate. GAO/T-RCED-00-143. Washington,
D.C.: April 6, 2000 (NOT FOR PUBLIC DISSEMINATION).
FOOTNOTES
[1] P.L. 107-71.
[2] A risk management approach is a systematic process to analyze
threats, vulnerabilities, and the criticality (or relative importance)
of assets to better support key decisions by linking resources with
prioritized efforts.
[3] CAPPS II is a system intended to perform a risk assessment of all
airline passengers to identify those requiring additional security
attention.
[4] General aviation consists of all civil aircraft and excludes
commercial and military aircraft.
[5] P.L. No. 107-296.
[6] An annual performance plan is to provide the direct linkage between
the strategic goals outlined in the agencies' strategic plan and the
day-to-day activities of managers and staff. Additionally, annual
performance plans are to include performance goals for an agency's
program activities as listed in the budget, a summary of the necessary
resources that will be used to measure performance, and a discussion of
how the performance information will be verified. An annual performance
report is to review and discuss an agency's performance compared with
the performance goals it established in its annual performance plan.
[7] U.S. General Accounting Office, Airport Passenger Screening:
Preliminary Observations on Progress Made and Challenges Remaining,
GAO-03-1173 (Washington, D.C.: Sept. 24, 2003).
[8] The original Computer Assisted Passenger Screening System is a
stand-alone application residing in an air carrier's reservation system
that analyzes certain behavioral patterns to score and calculate each
passenger's need for additional screening.
[9] Currently, the Office of Internal Affairs and Program Review has 7
team leaders assigned full-time to covert testing and plans to have a
total of 14 full-time team leaders by the end of December 2003. The
team leaders draw from the remaining staff within the office, such as
auditors and analysts, to perform the testing. According to TSA
officials, overall, 95 percent of the staff in the Office of Internal
Affairs and Program Review participate in covert testing as a
collateral responsibility.
[10] TIP is designed to test screeners' detection capabilities by
projecting threat images, including guns and explosives, into bags as
they are screened. Screeners are responsible for positively identifying
the threat image and calling for the bag to be searched. Once prompted,
TIP identifies to the screener whether the threat is real and then
records the screener's performance in a database that could be analyzed
for performance trends.
[11] Federal security directors oversee security at each of the
nation's commercial airports.
[12] The Performance Management Information System also contains
metrics on human resources, sizing, checkpoint, feedback, and
incidents.
[13] ATSA requires TSA to implement a pilot program using contract
screeners at five commercial airports--one in each of the five airport
categories. The purpose of the pilot program is to determine the
feasibility of using private screening companies rather than federal
screeners.
[14] According to the August 8, 2003, request for quotation for the
evaluation of the contract screening pilot program, BearingPoint must
include informed performance comparisons, both quantitative and
qualitative, of private versus federal screeners overall and within
different sizes and categories of airports.
[15] Based on the time frames established in the request for quotation,
BearingPoint, Inc. is required to develop a project plan and evaluation
model no later than December 12, 2003.
[16] TSA's request for proposal for the pilot program evaluation notes
that there are a significant number of operational and managerial
elements at the discretion of the private screening companies that
should be considered in the evaluation, including supervision,
overhead, materials, recruiting, and scheduling.
[17] The Government Performance and Results Act of 1993 shifts the
focus of government operations from process to results by establishing
a foundation for examining agency mission, performance goals and
objectives, and results. Under the Act, agencies are to prepare 5-year
strategic plans that set the general direction for their efforts, and
annual performance plans that establish connections between the long-
term strategic goals outlined in the strategic plans and the day-to-day
activities of managers and staff. Finally, the Act requires that each
agency report annually on the extent to which it is meeting its annual
performance goals and the actions needed to achieve or modify those
goals that have not been met.
[18] TSA is also developing a National Transportation Security System
Plan, a draft of which is currently under review within TSA. TSA plans
to promote consistent and mutually supporting intermodal planning in
cooperation with administrators and in collaboration with key
stakeholders from all modes of transportation. TSA designed the plan
for use by agencies, owners, and operators of the transportation system
to guide them as they develop their individual security plans.
Accordingly, the National Transportation System Security Plan will
include national modal plans to capture and tailor transportation
security requirements for each mode of transportation, with particular
emphasis on intermodal connections. Each modal plan will focus on
security for people (workforce and passengers), cargo (baggage and
shipments), infrastructure (vehicles, facilities, and right of ways),
and response preparedness.
[19] U.S. General Accounting Office, Transportation Security
Administration: Actions and Plans to Build a Results-Oriented Culture,
GAO-03-190 (Washington, D.C.: Jan. 17, 2003).
[20] U.S. General Accounting Office, Homeland Security: A Risk
Management Approach Can Guide Preparedness Efforts, GAO-02-208T
(Washington, D.C.: Oct. 31, 2001); and GAO-03-344.
[21] A vulnerability assessment using the TRAVEL tool requires the
participation of TSA subject matter experts along with representatives
from the transportation asset. Operations management, facilities
management, security personnel, and law enforcement agents are examples
of the individuals involved in analyzing each threat scenario and
corresponding security system.
[22] TSA's Maritime Self-Assessment Risk Module was developed in
response to requirements outlined in the Maritime Transportation
Security Act of 2002. The Act mandates that any facility or vessel that
the Secretary believes might be involved in a transportation security
incident will be subject to a vulnerability assessment and must submit
a security plan to the United States Coast Guard by January 1, 2004.
[23] Explosives detection systems use probing radiation to examine
objects inside baggage and identify the characteristic signatures of
threat explosives. EDS equipment operates in an automated mode.
[24] Explosive trace detection works by detecting vapors and residues
of explosives. Human operators collect samples by rubbing bags with
swabs, which are chemically analyzed to identify any traces of
explosive materials.
[25] Positive passenger bag match is an alternative method of screening
checked baggage, which requires that the passenger be on the same
aircraft as the checked baggage.
[26] In-line screening involves incorporating EDS machines into airport
baggage handling systems to improve throughput of baggage and to
streamline airport operations.
[27] A letter of intent represents a nonbinding commitment from an
agency to provide multiyear funding to an entity beyond the current
authorization period. Thus, that letter allows an airport to proceed
with a project without waiting for future federal funds because the
airport and investors know that allowable costs are likely to be
reimbursed.
[28] U.S. General Accounting Office, Airport Finance: Past Funding
Levels May Not Be Sufficient to Cover Airports' Planned Capital
Development, GAO-03-497T (Washington, D.C.: Feb. 25, 2003).
[29] The seven airports include Denver International Airport, Las Vegas
McCarran International Airport, Los Angeles International Airport,
Ontario International Airport, Seattle/Tacoma International Airport,
Dallas/Fort Worth International Airport, and Boston Logan International
Airport. The purpose is to help defray the costs of installing
permanent explosive detection systems that are integrated with
airports' checked baggage conveyor systems.
[30] U.S. General Accounting Office, Security: Breaches at Federal
Agencies and Airports, GAO\T-OSI-00-10 (Washington, D.C.: May 25,
2000).
[31] U.S. General Accounting Office, Transportation Security: Federal
Action Needed to Help Address Security Challenges, GAO-03-843
(Washington, D.C.: June 30, 2003).
[32] Congressional Research Service, Air Cargo Security, September 11,
2003.
[33] U.S. General Accounting Office, Aviation Security: Vulnerabilities
and Potential Improvements for the Air Cargo System, GAO-03-344
(Washington, D.C.: Dec. 20, 2002).
[34] See footnote 33.
[35] Of the 19,000 general aviation airports, 5,400 are publicly owned.
TSA is currently focusing its efforts on these publicly owned airports.
TSA is still unclear about its role in inspecting privately owned
general aviation airports.
[36] U.S. General Accounting Office, Aviation Security: Progress since
Septermber 11TH, and the Challenges Ahead, GAO-03-1150T (Washington,
D.C.: September 9, 2003).
[37] The Airport Improvement Program trust fund is used to fund capital
improvements to airports, including some security enhancements, such as
terminal modifications to accommodate explosive detection equipment.
[38] U.S. General Accounting Office, Airport Financing: Past Funding
Levels May Not Be Sufficient to Cover Airports' Planned Capital
Development, GAO-03-497T (Washington, D.C.: Feb. 25, 2003).
[39] U.S. General Accounting Office, A Model of Strategic Human Capital
Management, GAO-02-373SP (Washington, D.C.: March 2002).
[40] U.S. General Accounting Office, Transportation Security
Administration: Actions and Plans to Build a Results-Oriented Culture,
GAO-03-190 (Washington, D.C.: Jan. 13, 2003).
[41] The Federal Air Marshal Service has been transferred out of TSA
and into the Department of Homeland Security's Bureau of Immigration
and Customs Enforcement.
