Aviation Security
Further Steps Needed to Strengthen the Security of Commercial Airport Perimeters and Access Controls Gao ID: GAO-04-728 June 4, 2004In the 2 years since passage of the Aviation and Transportation Security Act (ATSA), the Transportation Security Administration (TSA) has primarily focused its efforts on improving aviation security through enhanced passenger and baggage screening. The act also contained provisions directing TSA to take actions to improve the security of airport perimeters, access controls, and airport workers. GAO was asked to assess TSA's efforts to: (1) evaluate the security of airport perimeters and the controls that limit access into secured airport areas, (2) help airports implement and enhance perimeter security and access controls by providing them funding and technical guidance, and (3) implement measures to reduce the potential security risks posed by airport workers.
TSA has begun evaluating the security of airport perimeters and the controls that limit access into secured airport areas. Specifically, TSA is conducting compliance inspections and vulnerability assessments at selected airports. These evaluations--though not complete--have identified perimeter and access control security concerns. While TSA officials acknowledged that conducting these airport security evaluations is essential to identifying additional perimeter and access control security measures and prioritizing their implementation, the agency has not determined how the results will be used to make improvements to the entire commercial airport system. TSA has helped some airport operators enhance perimeter and access control security by providing funds for security equipment, such as electronic surveillance systems. TSA has also begun efforts to evaluate the effectiveness of security-related technologies, such as biometric identification systems. However, TSA has not begun to gather data on airport operators' historical funding of security projects and current needs to aid the agency in setting funding priorities. Nor has TSA developed a plan for implementing new technologies or balancing the costs and effectiveness of these technologies with the security needs of individual airport operators and the commercial airport system as a whole. TSA has taken some steps to reduce the potential security risks posed by airport workers. However, TSA had elected not to fully address all related ATSA requirements. In particular, TSA does not require fingerprint-based criminal history checks and security awareness training for all airport workers, as called for in ATSA. Further, TSA has not required airport vendors to develop security programs, another ATSA requirement. TSA said expanding these efforts would require a time-consuming rulemaking process and impose additional costs on airport operators. Finally, although not required by ATSA, TSA has not developed a plan detailing when and how it intends to address these challenges.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-04-728, Aviation Security: Further Steps Needed to Strengthen the Security of Commercial Airport Perimeters and Access Controls
This is the accessible text file for GAO report number GAO-04-728
entitled 'Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Controls' which
was released on June 08, 2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO:
Report to Congressional Requesters:
June 2004:
Aviation Security:
Further Steps Needed to Strengthen the Security of Commercial Airport
Perimeters and Access Controls:
GAO-04-728:
GAO Highlights:
Highlights of GAO-04-728, a report to congressional requesters
Why GAO Did This Study:
In the 2 years since passage of the Aviation and Transportation
Security Act (ATSA), the Transportation Security Administration (TSA)
has primarily focused its efforts on improving aviation security
through enhanced passenger and baggage screening. The act also
contained provisions directing TSA to take actions to improve the
security of airport perimeters, access controls, and airport workers.
GAO was asked to assess TSA‘s efforts to: (1) evaluate the security of
airport perimeters and the controls that limit access into secured
airport areas, (2) help airports implement and enhance perimeter
security and access controls by providing them funding and technical
guidance, and (3) implement measures to reduce the potential security
risks posed by airport workers.
What GAO Found:
TSA has begun evaluating the security of airport perimeters and the
controls that limit access into secured airport areas. Specifically,
TSA is conducting compliance inspections and vulnerability assessments
at selected airports. These evaluations”though not complete”have
identified perimeter and access control security concerns. While TSA
officials acknowledged that conducting these airport security
evaluations is essential to identifying additional perimeter and
access control security measures and prioritizing their implementation,
the agency has not determined how the results will be used to make
improvements to the entire commercial airport system.
TSA has helped some airport operators enhance perimeter and access
control security by providing funds for security equipment, such as
electronic surveillance systems. TSA has also begun efforts to evaluate
the effectiveness of security-related technologies, such as biometric
identification systems. However, TSA has not begun to gather data on
airport operators‘ historical funding of security projects and current
needs to aid the agency in setting funding priorities. Nor has TSA
developed a plan for implementing new technologies or balancing the
costs and effectiveness of these technologies with the security needs
of individual airport operators and the commercial airport system as a
whole.
TSA has taken some steps to reduce the potential security risks posed
by airport workers. However, TSA had elected not to fully address all
related ATSA requirements. In particular, TSA does not require
fingerprint-based criminal history checks and security awareness
training for all airport workers, as called for in ATSA. Further, TSA
has not required airport vendors to develop security programs, another
ATSA requirement. TSA said expanding these efforts would require a
time-consuming rulemaking process and impose additional costs on
airport operators. Finally, although not required by ATSA, TSA has not
developed a plan detailing when and how it intends to address these
challenges.
Airport Perimeter Access Gate at a Large Commercial Airport:
[See PDF for image]
Source: GAO.
[End of figure]
What GAO Recommends:
GAO is recommending that the Secretary of Homeland Security direct
TSA‘s Administrator to develop and provide Congress with a plan for
meeting the requirements of the Aviation and Transportation Security
Act and taking other actions to improve airport security.
TSA reviewed a draft of this report and generally agreed with GAO‘s
findings and recommendations. Technical comments were incorporated as
appropriate.
www.gao.gov/cgi-bin/getrpt?GAO-04-728.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Cathleen Berrick at (202)
512-3404 or berrickc@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
TSA Has Begun Evaluating Commercial Airport Security but Needs a Better
Approach for Assessing Results:
TSA Has Begun Efforts but Has Not Fully Developed Plans to Fund
Security Enhancements and Assess Security Technologies:
TSA Has Helped to Reduce Potential Security Risks Posed by Airport
Workers but Has Not Determined How to Fully Address Legislative
Requirements:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach:
Appendix III: Comments from the Department of Homeland Security:
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Staff Acknowledgments:
Tables:
Table 1: Types of Enforcement Actions Used by TSA to Address Airport
Operator Noncompliance with Security Requirements between October 2003
and February 2004:
Table 2: Distribution of AIP Grant Funds Awarded for Security Projects
by Project Type, Fiscal Year 2002:
Table 3: Distribution of Airports Receiving Grants Awarded by TSA for
Perimeter and Access Control-Related Security and Projects Funded:
Figures:
Figure 1: ATSA Requirements Directed to TSA Related to Perimeter,
Access Control, and Airport Worker Security:
Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison
of Security Requirements That Apply to Each Airport Area:
Figure 3: Perimeter and Access Control Security Technologies Tested or
Implemented at Selected Commercial Airports across the Nation:
Figure 4: Elements of a Risk Management Approach:
Figure 5: How a Risk Management Approach Can Guide Decision-Making:
Figure 6: TSA's Threat Assessment and Risk Management Approach:
Abbreviations:
AIP: Airport Improvement Program:
AOA: air operations area:
ATSA: Aviation and Transportation Security Act:
DHS: Department of Homeland Security:
FAA: Federal Aviation Administration:
FBI: Federal Bureau of Investigation:
FSD: federal security director:
NCIC: National Crime Information Center:
PARIS: Performance and Results Information System:
SIDA: security identification display area:
TSA: Transportation Security Administration:
TWIC: Transportation Workers Identification Credential Program:
United States General Accounting Office:
Washington, DC 20548:
June 4, 2004:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Governmental Affairs:
United States Senate:
The Honorable Jim Turner:
Ranking Minority Member:
Select Committee on Homeland Security:
House of Representatives:
In November 2001, shortly after the September 11 terrorist attacks,
President Bush signed into law the Aviation and Transportation Security
Act, or ATSA (Pub. L. No. 107-71). The act established the
Transportation Security Administration (TSA), giving it responsibility
for securing all modes of transportation, including aviation. One of
TSA's first challenges imposed by the act was to improve the security
of airline passenger and baggage screening activities, activities for
which TSA has direct responsibility. The agency is also taking action
to address provisions of the act to improve three other areas of
aviation security: the security of airport perimeters (such as airfield
fencing and access gates), the adequacy of controls restricting
unauthorized access to secured areas (such as building entry ways
leading to aircraft), and security measures pertaining to individuals
who work at airports. Recent media reports of security breaches and
other illegal activities, such as drug smuggling, taking place at some
airports highlight the importance of strengthening security in these
areas. Taken as a whole, these areas, along with passenger and baggage
screening, comprise key elements of the aviation security environment
at commercial airports, both individually and as a nationwide system.
You requested that we examine TSA's efforts to strengthen security
related to perimeter and access controls. This report assesses TSA's
efforts to (1) evaluate the security of airport perimeters and the
controls that limit access into secured airport areas, (2) help
airports implement and enhance perimeter security and access controls
by providing funding and technical guidance, and (3) implement measures
to reduce the potential security risk posed by airport workers. Due to
TSA's concern that the public release of some of our detailed findings
could compromise aviation security, we also issued a restricted version
of this report.
To perform these assessments, we analyzed TSA data on security
evaluations conducted and funds distributed to commercial airports for
security improvements. We also reviewed pertinent legislation,
regulatory requirements, and policy guidance. To determine to what
extent TSA had met requirements, we discussed with our Office of
General Counsel specific requirements contained in three sections of
the act:
* Section 106 (requirements for evaluating airport access controls,
testing and evaluating security technologies, and providing technical
and financial support to small and medium-sized airports);
* Section 136 (recommending commercially available measures to prevent
access to secure airport areas and developing a deployment strategy for
available technology at all large airports); and:
* Section 138 (performing background checks for all employees with
unescorted access to secured airport areas, among others).
We obtained and analyzed TSA data on security breaches, covert testing,
inspections of airport compliance with security regulations, and
vulnerability assessments. (TSA's covert testing data and information
on the test program are classified and are the subject of a separate
classified GAO report.) We discussed the threat scenarios used in TSA
vulnerability assessments with TSA officials to identify those related
to perimeter and access control security. We obtained and analyzed data
from the Federal Aviation Administration (FAA) and TSA on perimeter and
access control-related security funds distributed to commercial airport
nationwide. We reviewed reports on aviation security issued previously
by GAO and the Department of Transportation Inspector General.
In addition, we conducted site visits at 12 commercial airports to
observe airport security procedures and discuss issues related to
perimeter and access control security with airport operator officials.
These were Boston Logan International Airport, Atlanta Hartsfield
Jackson International Airport, Ronald Reagan Washington National
Airport, Washington Dulles International Airport, Orlando
International Airport, Tampa International Airport, Miami
International Airport, Los Angeles International Airport, San Francisco
International Airport, Middle Georgia Regional Airport, Chattanooga
Metropolitan Airport, and Columbus Metropolitan Airport. At 10 of these
airports, we analyzed a sample of records to verify that the procedures
to reduce the security risk of airport workers were followed. We also
discussed security issues with TSA airport and headquarters officials,
airport security coordinators at each of the nation's 21 largest and
busiest airports (referred to by TSA as "category X" airports), as well
as airport industry representatives. More detailed information on our
scope and methodology is contained in appendix I. We conducted our
review from June 2003 through March 2004 in accordance with generally
accepted government auditing standards.
Results in Brief:
TSA has begun evaluating the security of airport perimeters and the
controls that limit access into secured airport areas, but has not yet
determined how the results of these evaluations could be used to make
improvements to the nation's airport system as a whole. Specifically,
TSA is conducting regulatory compliance inspections, covert testing of
selected security procedures, and vulnerability assessments at selected
airports. These evaluations--though not yet completed--have identified
perimeter and access control security concerns. For example, TSA
identified instances where airport operators failed to comply with
existing security requirements, including access control-related
regulations. (Our evaluation of TSA's covert testing of airport access
controls is classified and is discussed in a separate classified
report.) In addition, TSA identified threats to perimeter and access
control security at each of the airports where vulnerability
assessments were conducted in 2003. In January 2004, TSA temporarily
suspended its assessment efforts to conduct higher-priority
vulnerability assessments dealing with airport vulnerability to
shoulder-fired missiles. TSA plans to begin conducting joint
vulnerability assessments with the Federal Bureau of Investigation
(FBI) but has not yet determined how it will allocate existing
resources between its own independent airport assessments and the new
joint assessments, or developed a schedule for conducting future
vulnerability assessments. In addition, TSA has not yet determined how
to use the results of its inspections in conjunction with its efforts
to conduct covert testing and vulnerability assessments to enhance the
overall security of the nation's commercial airport system.
TSA has helped some airports enhance perimeter and access control
security by providing funds for security equipment, such as electronic
surveillance systems. TSA has also begun efforts to evaluate the
effectiveness of security-related technologies, such as biometric
identification systems. Responsibility for funding most airport
security projects shifted in December 2003 from FAA to TSA. As a
result, TSA is developing new policies to determine how to review,
approve, and prioritize security project funding. However, TSA has not
yet begun to gather data on airport operators' historical funding of
security projects and current needs to aid the agency in setting
funding priorities. Nor has TSA developed a plan for implementing new
technologies or balancing the costs and effectiveness of these
technologies with the security needs of individual airports and the
commercial airport system as a whole.
TSA has taken some steps to implement measures to reduce the potential
security risk posed by airport workers. However, at the time of our
review, TSA had not fully addressed all related requirements in the
2001 Aviation and Transportation Security Act. For example, TSA
required fingerprint-based criminal history records checks and security
awareness training for most, but not all, airport workers called for in
the act. TSA relies on background checks as a method of screening most
airport workers in lieu of physical screening, as is conducted for
passengers and their baggage. However, TSA has not analyzed the
security threat posed by airport workers in terms of the potential
costs and security benefits of physically screening all airport
workers. Further, TSA has not addressed the act's provision that calls
for the agency to require that airport vendors with direct access to
the airfield and aircraft develop security programs to address security
measures specific to vendor employees. TSA said that expanding
requirements for background checks and security awareness training for
additional workers and establishing requirements for vendor security
programs would be costly to implement and would require time-consuming
rule-making efforts to assess potential impacts and obtain and
incorporate public comment on any proposed regulations.
This report contains recommendations to the Secretary of the Department
of Homeland Security (DHS) to help the department articulate and
justify future decisions on how best to proceed with security
evaluations, fund and implement security improvements--including new
security technologies--and implement additional measures to reduce the
potential security risks posed by airport workers. We provided a draft
of this report to TSA officials who generally concurred with our
findings and recommendations. TSA's written comments are presented in
appendix III.
Background:
ATSA, signed into law on November 19, 2001,[Footnote 1] shifted certain
responsibilities for aviation security from commercial airport
operators and air carriers to the federal government and the newly
created Transportation Security Administration. Specifically, ATSA
granted TSA direct operational responsibility for the screening of
passengers and their baggage, as well as responsibility for overseeing
U.S. airport operators' efforts to maintain and improve the security of
commercial airport perimeters, access controls, and workers. While
airport operators, not TSA, retain direct day-to-day operational
responsibility for these areas of security, ATSA's sections 106, 136,
and 138 direct TSA to improve the security of airport perimeters and
the access controls leading to secured airport areas, as well as
measures to reduce the security risks posed by airport workers, as
shown in figure 1.
Figure 1: ATSA Requirements Directed to TSA Related to Perimeter,
Access Control, and Airport Worker Security:
Requirements for evaluating airport access controls:
Assess and test for airport compliance with access control requirements
on an ongoing basis and report annually on the findings of the
assessments; assess the effectiveness of penalties in ensuring
compliance with security procedures and take any other appropriate
enforcement actions when noncompliance is found. Sec.106(c)(2).
Requirements for strengthening the security of airport perimeters and
access controls:
Within 6 months after enactment of the act, recommend to airport
operators commercially available measures or procedures to prevent
access to secure airport areas by unauthorized persons. This 6-month
assessment shall review emerging security technologies and procedures
and shall include a 12- month deployment strategy for currently
available technology at all category X (i.e., the largest and busiest)
airports. Sec. 136.[A].
Requirements for strengthening the security of airport perimeters and
access controls:
Establish a pilot program in no fewer than 20 airports to test and
evaluate technology for providing access control and security
protections for closed or secure areas. Sec. 106(d).
Requirements for strengthening the security of airport perimeters and
access controls:
Develop a plan to provide technical support and financial assistance
to small- and medium-sized airports to enhance security operations and
to defray the cost of security. Sec. 106(b).
Requirements for reducing the risks posed by airport workers:
Perform background checks for all employees with unescorted access to
secured airport areas and individuals who have regularly escorted
access to secured airport areas and review available law enforcement
databases and records of other governmental and international agencies. Sec. 138.
Requirements for reducing the risks posed by airport workers:
Require airports and air carriers to develop security awareness
training programs for airport employees; ground crews; gate, ticket,
curbside agents of the air carriers; and other individuals employed at
airports. Sec. 106(e).
Requirements for reducing the risks posed by airport workers:
Require vendors having direct access to the airfield and aircraft to
develop their own security programs. Sec. 106(a).
Requirements for reducing the risks posed by airport workers:
Require screening/ inspection of all persons, vehicles, equipment,
goods, and property before entering secured areas of U.S. commercial
airports. Sec. 106(a).
Source: TSA and GAO.
[A] Section 136 also requires the Secretary of Transportation to
conduct a review of reductions in unauthorized access at the category X
airports no later than 18 months after the enactment of ATSA.
[End of figure]
* On February 17, 2002, TSA assumed responsibility from FAA for certain
aspects of security at the nation's commercial airports, including
FAA's existing aviation security programs, plans, regulations, orders,
and directives.[Footnote 2] Soon thereafter, on February 22, 2002, the
Department of Transportation issued regulations to reflect the change
in jurisdiction from FAA to TSA.[Footnote 3] Also, TSA reissued
security directives originally issued by FAA after September 11, 2001,
related to perimeter and access control security.
TSA hired 158 federal security directors (FSDs) to oversee the
implementation of these requirements at airports nationwide. The FSDs
also work with inspection teams from TSA's Aviation Regulatory
Inspection Division to conduct compliance inspections. In addition, as
part of its oversight role, TSA headquarters staff conducts covert
testing[Footnote 4] and vulnerability assessments to help individual
airport operators determine how to improve security and to gather data
to support systemwide analysis of security vulnerabilities and
weaknesses. Airport operators are responsible for implementing TSA
security requirements for airport perimeters, access controls, and
airport workers. Each airport's security program, which must be
approved by TSA, outlines the security policies, procedures, and
systems the airport intends to use in order to comply with TSA security
requirements.
There are about 450 commercial airports in the United States.[Footnote
5] Depending upon the type of aircraft operations, airport operators
must establish either complete, supporting, or partial security
programs.[Footnote 6] Complete security programs include guidelines for
performing background checks on airport workers, providing security
training for these workers, and controlling access to secured airport
areas, among other things. Federal regulations also require that
commercial airports with complete security programs designate areas
where specific security practices and measures are in place and provide
a diagram of these areas. Figure 2 is a diagram of a typical commercial
airport and the security requirements that apply to each airport area.
Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison
of Security Requirements That Apply to Each Airport Area:
[See PDF for image]
[End of figure]
TSA classifies airports into one of five categories (X, I, II, III, and
IV) based on various factors, such as the total number of take-offs and
landings annually, the extent to which passengers are screened at the
airport, and other special security considerations. U.S. commercial
airports are divided into different areas with varying levels of
security. Individual airport operators determine the boundaries for
each of these areas on a case-by-case basis, depending on the physical
layout of the airport. As a result, some of these areas may overlap.
Secured areas, security identification display areas (SIDA), and air
operations areas (AOA) are not to be accessed by passengers, and
typically encompass areas near terminal buildings, baggage loading
areas, and other areas that are close to parked aircraft and airport
facilities, including air traffic control towers and runways used for
landing, taking off, or surface maneuvering. On the other hand, sterile
areas are located within the terminal where passengers wait after
screening to board departing aircraft. Access to these areas is
controlled by TSA screeners at checkpoints where they conduct physical
screening of passengers and their carry-on baggage for weapons and
explosives.
According to TSA estimates, there are about 1,000,000 airport and
vendor employees who work at the nation's commercial airports. About
900,000 of these workers perform duties in the secured or SIDA areas.
Airport operators issue SIDA badges to these airport workers. These
badges identify the workers and grant them the authority to access the
SIDA and secured areas without an escort. Examples of workers with
unescorted access to the SIDA and secured areas include workers who
access aircraft, including mechanics, catering employees, refuelers,
cleaning crews, baggage handlers, and cargo loaders. TSA estimates
there are an additional 100,000 employees who work in sterile airport
areas, such as the concourse or gate area where passenger flights load
and unload. Examples of employees who work or perform duties in the
sterile area include those operating concessions and shops, and other
air carrier or vendor employees. Other workers may, from time to time,
need to enter the SIDA or secured area and must be accompanied by an
escort who has been granted unescorted access authority. According to
TSA, only a relatively small number of airport workers need regular
escorted access to the SIDA and secured areas.[Footnote 7] Job
functions in this category would include delivery personnel,
construction workers, and specialized maintenance crews.
Methods used by airports to control access through perimeters or into
secured areas vary because of differences in the design and layout of
individual airports, but all access controls must meet minimum
performance standards in accordance with TSA requirements. There are a
variety of commercially available technologies that are currently used
for these purposes or are used for other industries but could be
applied to airports. In addition, TSA has a research and development
program to develop new and emerging technologies for these and other
security-related purposes.
TSA Has Begun Evaluating Commercial Airport Security but Needs a Better
Approach for Assessing Results:
TSA has three efforts under way to evaluate the security of commercial
airports' perimeters and the controls that limit unauthorized access
into secured areas. While ATSA only requires that TSA perform
compliance inspections, the agency also relies on covert
testing[Footnote 8] of selected security procedures and vulnerability
assessments to meet the legislation's mandate to strengthen perimeter
and access control security. TSA acknowledged the importance of
conducting these evaluation efforts as an essential step to determine
the need for, and prioritization of, additional perimeter security and
access control security measures. But the agency has not yet
established several elements needed for effective short-and long-term
management of these evaluations, such as schedules for conducting its
efforts and an analytical approach to using the results of its
evaluations to make systematic improvements to the nation's commercial
airport system.
TSA Has Revised Its Approach to Conducting Airport Compliance
Inspections but Has Not Determined How to Use Results to Strengthen
Security:
ATSA, (Sec. 106 (c)(2)), requires TSA to assess and test for airport
compliance with federal access control security requirements and report
annually on its findings. TSA originally planned to conduct
comprehensive assessments at each commercial airport periodically.
Staff from TSA's Aviation Regulatory Inspection Division along with
local airport inspection staff working under federal security directors
completed relatively few comprehensive airport inspections in fiscal
year 2002, although TSA completed considerably more in 2003. In
addition, TSA records indicated that a significant number of
individual, or "supplemental" inspections of specific areas of security
or local airport security concerns were conducted in fiscal years 2002
and 2003, respectively. TSA, however, did not identify the scope of
these inspections, or how many airports were inspected through its
supplemental inspections. In addition, the agency did not report on the
results of these comprehensive or individual supplemental inspections,
as required by ATSA. According to TSA, the agency was limited in its
ability to analyze these data because compliance reports submitted
during this time frame were compiled in a prototype reporting system
that was under development. In July 2003, TSA deployed the automated
system--Performance and Results Information System (PARIS)--and began
to compile the results of compliance reviews.
In TSA's Annual Inspection and Assessment Plan for fiscal year 2004,
TSA revised its approach for reviewing airport operator compliance with
security regulations.[Footnote 9] According to TSA, the new inspection
process uses risk management principles that consider threat factors,
local security issues, and input from airport operators and law
enforcement to target key vulnerabilities and critical assets. Under
the new inspection process, the local federal security director at each
airport is responsible for determining the scope and emphasis of the
inspections, as well as managing local TSA inspection staff. According
to the agency, the continuous inspections approach resulted in
completion of a significant number of individual inspections of airport
access controls and other security requirements in the first few months
of fiscal year 2004.
The percentage of inspections that found airport operators to be in
compliance with security requirements, including those related to
perimeters and access control, was high. According to TSA, its goal is
for airport operators to be in 100 percent compliance with security
requirements. Despite the generally high compliance rates, TSA
identified some instances of airport noncompliance involving access
controls.
According to TSA, the agency's new approach to conducting compliance
inspections is designed to be a cooperative process based on the
premise that voluntary and collaborative airport operator compliance to
facilitate solutions to security issues is more effective than the use
of penalties to enforce compliance. This approach is intended to
identify the root causes of security problems, develop solutions
cooperatively with airport operators, and focus the use of civil
enforcement actions on the most serious security risks revealed by
TSA's inspections. As a result, TSA said that the majority of airport
inspection violations related to airport security was addressed through
on-site counseling with airport operator officials, rather than
administrative actions or civil monetary penalties, which TSA is
authorized to issue when airport operators fail to address identified
areas of noncompliance.[Footnote 10] According to TSA, on-site
counseling is used only for minor infractions that can be easily and
quickly corrected. Administrative actions progress from a warning
notice suggesting corrective steps to a letter of correction that
requires an airport operator to take immediate action to avoid civil
penalties. TSA was able to provide the number of cases in which it
recommended the issuance of civil penalties to airport operators for
violations of security requirement.[Footnote 11] Table 1 shows the
various types of enforcement actions used by TSA to address airport
operator noncompliance with security requirements for the period
between October 2003 and February 2004.
Table 1: Types of Enforcement Actions Used by TSA to Address Airport
Operator Noncompliance with Security Requirements between October 2003
and February 2004:
Enforcement action: Resolved with counseling;
Sanction used: None;
Number of enforcement actions: 571.
Enforcement action: Administrative action;
Sanction used: Warning notice;
Number of enforcement actions: 106.
Enforcement action: Administrative action;
Sanction used: Letter of correction;
Number of enforcement actions: 123.
Enforcement action: Civil penalties recommended;
Sanction used: Monetary;
Number of enforcement actions: 67.
Enforcement action: Total;
Number of enforcement actions: 867.
Source: GAO analysis of TSA data.
[End of table]
TSA had not assessed the effectiveness of these penalties in ensuring
airport compliance with security requirements as required by ATSA (Sec.
106 (c)(2)). TSA said the agency was not able to conduct inspections at
all commercial airports in prior years, or assess the effectiveness of
the use of penalties to ensure airport compliance because of limited
personnel assigned to perform these tasks and agency decisions to
direct these resources to address other areas of aviation security,
such as passenger and baggage screening operations. According to TSA,
the primary focus of field inspectors was to monitor passenger and
baggage screening operations immediately following the attacks of
September 11. As a result, routine inspections were not assigned as
high a priority during the months following the attacks. For example,
while DHS authorized TSA to use 639 full-time employees for the purpose
of performing airport security inspections in fiscal year 2003, TSA
allocated 358 full-time employees for this purpose. TSA said that the
agency is hiring new regulatory inspectors at airports to help conduct
required inspections. In its fiscal year 2005 budget submission, TSA
requested over 1,200 full-time employees to conduct compliance
inspections.
TSA said airport compliance inspections are needed to ensure that
airport operators take steps to address deficiencies as they are
identified. TSA also said that the agency has proposed measuring the
performance of individual airport against national performance
averages, and airports that fall below accepted levels of compliance
will receive additional inspections or other actions. However, TSA has
not yet developed a plan outlining how the results of its compliance
inspections will be used to interpret and help analyze the results of
airport vulnerability assessments and covert testing. For example, at
the time of our review, a majority of airports tested had high
compliance rates, indicating that these airports are implementing most
security regulations. However, assessing airport operator compliance
with security requirements as a stand-alone measure does not provide a
complete picture of the level of security at these airports. Covert
testing and vulnerability assessments provide additional information
that, taken together with the results of compliance inspections,
provide a more complete picture of the security environment at
commercial airports on a systemwide basis.
Initial Airport Vulnerability Assessments Reveal Security Concerns, but
TSA Lacks Both a Timetable for Completion and a Plan for Making
Systematic Improvements:
From September to December 2003,[Footnote 12] TSA conducted
vulnerability assessments at some of the nation's commercial airports
to help individual airport operators determine how to improve security.
At the time of our review, TSA had not established a schedule for
completing assessments at the remaining airports. TSA is conducting
these vulnerability assessments as part of a broader effort to
implement a risk management approach to better prepare for and
withstand terrorist threats. A risk management approach is a systematic
process to analyze threats, vulnerabilities, and the criticality (or
relative importance) of assets to better support key decisions. (See
app. II for a description of risk management principles and TSA's tools
for implementing these principles.)[Footnote 13] TSA uses various
threat scenarios that describe potentially dangerous situations as a
basis for conducting its vulnerabilities assessments. During the
assessments, TSA and airport operators review the scenarios and rank
them according to the risk each poses to the individual airport.
As part of each vulnerability assessment, TSA provided airport
operators with a report on the results and recommended short-and long-
term countermeasures to reduce the threats identified. According to
TSA, some of these countermeasures may be difficult for (1) airport
operators to implement because of limited availability of security
funding and (2) TSA to mandate because issuing new security regulations
is an often time-consuming process that involves public comment and
analysis of potential impacts.[Footnote 14] However, TSA does have
authority under 49 U.S.C. § 114(l)(2) to issue regulations or security
directives immediately in order to protect transportation security.
Various sources have highlighted the importance of TSA's continuing
efforts to assess airport vulnerabilities. For example, in December
2003, the President issued a directive[Footnote 15] calling for
assessments of the vulnerability of critical infrastructure, including
airports, to assist in developing the nation's homeland security
strategy. In addition, TSA data on reported security breaches[Footnote
16] of airport access controls revealed that such known breaches have
increased in recent years.[Footnote 17] Further, airport operator
officials we spoke with noted the importance of vulnerability
assessments as the key step in determining needed security enhancements
at each airport. Specifically, airport security coordinators at 12 of
the nation's 21 largest and busiest airports said that a TSA
vulnerability assessment would facilitate their efforts to
comprehensively identify and effectively address perimeter and access
control security weaknesses.
At the time of our review, TSA had allocated 9 staff to conduct the
vulnerability assessments and another 5 staff to analyze the
results.[Footnote 18] According to TSA, these staff also perform other
assessment and analytical tasks. Although TSA initially said that it
expected to conduct additional assessments in 2004, the agency
suspended its efforts to use established threat scenarios to assess
vulnerabilities in January 2004. TSA said that the agency elected to
redirect staff resources to conduct higher priority assessments of the
threat posed by shoulder-fired missiles, also referred to as man
portable air defense systems (MANPADS). In addition, TSA said that the
agency planned to begin conducting joint vulnerability assessments with
the FBI. The FBI previously conducted joint assessments with FAA in
response to requirements established in the Federal Aviation
Administration Reauthorization Act of 1996. At the time of our review,
TSA said that the agency had not yet determined how to allocate its
resources to conduct vulnerability assessments using established threat
scenarios versus initiating joint assessment efforts with the FBI. When
TSA resumes its scenario-based assessment efforts, the agency plans to
prioritize its efforts by focusing on the most critical airports. (TSA
said the agency intends to determine the criticality of commercial
airports based on factors such as current threat intelligence, the
number of fatalities that could occur during an attack on the airport,
and the economic and sociopolitical importance of the facility.):
After TSA resumes its assessment efforts, the agency intends to compile
baseline data on security vulnerabilities to enable it to conduct a
systematic analysis of airport security vulnerabilities on a nationwide
basis. TSA said such an analysis is essential since it will allow the
agency to determine minimum standards and the adequacy of security
policies and help the agency and airports better direct limited
resources. Nonetheless, at the time of our review, TSA had not yet
developed a plan that prioritizes its assessment efforts, provides a
schedule for completing these assessments, or describes how assessment
results will be used to help guide agency decisions on what, if any,
security improvements are needed.
TSA Has Begun Efforts but Has Not Fully Developed Plans to Fund
Security Enhancements and Assess Security Technologies:
Through funding of a limited number of security enhancements, TSA has
helped to improve perimeter and access control security at some
airports. However, at the time of our review, TSA had not yet developed
a plan to prioritize expenditures to ensure that funds provided have
the greatest impact in improving the security of the commercial airport
system. Concerning evaluations of security technologies, ATSA contained
three provisions (Secs. 136, 106(b), and 106(c)) directing TSA to
assess security technologies related to perimeter and access control
security and develop a plan to provide technical (and funding)
assistance to small-and medium-sized airport operators. TSA has not
fully addressed these provisions or developed plans for how and when
these requirements will be met. Some airport operators are currently
testing or implementing security technologies independently, while
others are waiting for TSA to complete its own technology assessments
and issue guidance.
TSA Assumed Responsibility for Funding Security Improvements but Has
Not Yet Set Priorities:
In fiscal years 2002 and 2003, TSA worked with FAA to review and
approve security-related Airport Improvement Program (AIP) grant
applications[Footnote 19] for perimeter security and access control
projects and other security-related projects. As we reported in October
2002,[Footnote 20] perimeter and access control security measures--
fencing, surveillance and fingerprinting equipment, and access control
systems--accounted for almost half of fiscal year 2002 AIP funding for
security projects, as shown in table 2.
Table 2: Distribution of AIP Grant Funds Awarded for Security Projects
by Project Type, Fiscal Year 2002:
Dollars in millions.
Type of security project: Access control;
Grant award amount: $141.8;
Percentage of total security funding: 25.3%.
Type of security project: Perimeter fencing;
Grant award amount: $78.1;
Percentage of total security funding: 13.9%.
Type of security project: Surveillance and fingerprinting equipment;
Grant award amount: $51.4;
Percentage of total security funding: 9.2%.
Subtotal;
Grant award amount: $271.3;
Percentage of total security funding: 48.4%.
Other security projects funded (primarily terminal modifications);
Grant award amount: $289.8;
Percentage of total security funding: 51.6%.
Total;
Grant award amount: $561.1;
Percentage of total security funding: 100.0%.
Source: GAO analysis of AIP grant awards.
[End of table]
In fiscal year 2003, FAA provided a total of $491 million for security-
related AIP projects, including about $45.6 million for perimeter
fencing projects and another $56.9 million for access control security,
a total of about 21 percent of security funding. In addition, Congress
appropriated a $175 million supplement to the program in January 2002
to reimburse 317 airports for post-September 11 security
mandates.[Footnote 21]
TSA said that FAA's AIP served as its plan to provide the financial
assistance to small and medium-sized airports required by Section
106(b) of ATSA. According to TSA, local federal security directors
worked with FAA officials to review and approve security-related AIP
grant applications submitted by individual airports, evaluating their
merits on an airport-by-airport basis based on guidelines developed and
provided by TSA. TSA has not, however, developed an approach to
prioritize funding for perimeter and access control security projects
at small-and medium-sized (or larger) airports. Without a plan to
consider airports' security needs systematically, including those of
small-and medium-sized airports, TSA could not ensure that the most
critical security needs of the commercial airport system were
identified and addressed in a priority order. More importantly, because
TSA has assumed primary responsibility for funding security-related
projects, FAA's AIP cannot continue to serve as TSA's plan for
providing financial assistance to small-and medium-sized airports.
Without a plan, TSA could be less able to document, measure, and
improve the effectiveness of the agency's efforts to provide funding
support for enhancing perimeter and access control security.
While acknowledging the lack of a specific plan, TSA said the agency
had, in conjunction with FAA, deployed and installed explosive
detection systems, explosive trace detection and metal detection
devices, and other security equipment at many small-and medium-sized
airports for use by federal screeners at those airports and that over
300 small-and medium-sized airports had received technical support and
equipment of some kind. However, in advising FAA throughout this
process, TSA did not compile and analyze historical information on the
cost and types of technology used or the specific airports receiving
AIP assistance for perimeter and access control-related security
enhancement projects (although TSA stated that historical data were
available that could be used to conduct such analyses). FAA has
historically maintained data on the uses of AIP funding (including the
types of projects funded, amounts, and locations) in a commonly used
commercial database system (Access). In addition, airport associations,
such as the American Association of Airport Executives, also collect
and disseminate information on the use of AIP funds for security
enhancements.[Footnote 22] Without analyses of such historical
information, TSA's ability to establish a baseline of security funding
for current and future planning efforts to enhance perimeter and access
controls could be limited.
In addition to consulting with FAA to provide funding for airport
security projects through the AIP, TSA recently began providing
security funding directly to airport operators. Specifically, in
December 2003, TSA awarded approximately $8 million in grants to 8
airports as part of $17 million appropriated by Congress for enhancing
the security of airport terminals, including access controls and
perimeter security.[Footnote 23] Table 3 provides a brief description
of the perimeter and access control security-related projects at the 8
airports TSA selected for funding.[Footnote 24]
Table 3: Distribution of Airports Receiving Grants Awarded by TSA for
Perimeter and Access Control-Related Security and Projects Funded:
Airport: Providence T. F. Green;
Funding: $2.38 million;
Purpose of security project: Video surveillance system for detecting
and tracking unauthorized persons and vehicles that may breach the
perimeter of the airport and advanced ground radar-based security
display system for detecting persons or vehicles inside the airport
perimeter.
Airport: Newark International;
Funding: $1.67 million;
Purpose of security project: Video surveillance system for detecting
and tracking persons and vehicles that breach the airport perimeter.
Airport: Helena Regional;
Funding: $1.2 million;
Purpose of security project: Sensors to detect intruders on airport
property.
Airport: Boston Logan International Airport;
Funding: $989,879;
Purpose of security project: Automated system to manage security
equipment.
Airport: Pittsburgh International;
Funding: $600,453;
Purpose of security project: Video surveillance system to monitor
airport exits from controlled terminal areas.
Airport: Chicago Midway Airport;
Funding: $533,016;
Purpose of security project: Physical barrier system that can be
deployed so that the evacuation of an entire concourse may be avoided
should an incident occur at the checkpoint.
Airport: Denver International;
Funding: $309,033;
Purpose of security project: Video surveillance system to monitor
airport exits from controlled terminal areas.
Airport: Key West International;
Funding: $195,400;
Purpose of security project: Video surveillance system for detecting
and tracking persons and vehicles on the air operations area.
Source: GAO analysis of TSA data.
[End of table]
The Vision 100--Century of Aviation Reauthorization Act shifted most of
the responsibility for airport security project funding from FAA and
the AIP to TSA by establishing a new Federal Aviation Security Capital
Fund in December 2003.[Footnote 25] Through the new fund, Congress
authorized up to $500 million for airport security for each fiscal year
from 2004 through 2007. Of the total, $250 million will be derived from
passenger security fees, along with an additional authorization of up
to $250 million. Of this amount, half of the money from each funding
source is to be allocated pursuant to a formula that considers airport
size and security risk.[Footnote 26] The other half would be
distributed at the Under Secretary's discretion, with priority given to
fulfilling intentions to obligate under letters of intent that TSA has
issued. TSA said it is working on, but had not yet developed policies
and procedures for, first, defining how the agency will fund and
prioritize airport security projects under the new program or second,
determining how much, if any, of the new funding will be used for
perimeter security and access control projects.[Footnote 27] However,
TSA said that the administration requested in its 2005 budget
justification that Congress eliminate the allocation formula so that
the agency could allocate funds according to a threat-based, risk
assessment approach, regardless of the size of the airport.
TSA Lacks a Technology Plan to Guide Future Enhancements to Airport
Perimeter Security and Access Controls:
TSA has begun efforts to test commercially available and emerging
security technologies to enhance perimeter and access control security.
However, TSA has not yet fully addressed three ATSA requirements
related to testing, assessing, recommending, and deploying airport
security technologies and has not taken steps to otherwise compile and
communicate the results of airport operators' independent efforts to
test and deploy security technologies.[Footnote 28]
Two ATSA provisions required that TSA assess technologies for enhancing
perimeter and access control security. The first provision (Sec. 136)
required that TSA (1) recommend commercially available security
measures or procedures for preventing access to secured airport areas
by unauthorized persons within 6 months of the act's passage and (2)
develop a 12-month deployment strategy for commercially available
security technology at the largest and busiest airports (category
X).[Footnote 29] TSA has not explicitly addressed the requirements in
this provision and did not meet the associated legislative deadlines.
For example, TSA has not recommended commercially available
technologies to improve surveillance and use of controls at access
points by May 2002 or developed a deployment strategy. TSA said the
agency failed to meet these deadlines because resources and management
attention were primarily focused on meeting the many deadlines and
requirements associated with passenger and baggage screening, tasks for
which TSA has direct operational responsibility.
The second technology provision of ATSA (Sec. 106(d)) requires that TSA
establish a pilot program to test, assess, and provide information on
new and emerging technologies[Footnote 30] for improving perimeter and
access control security at 20 airports. TSA's $20 million Airport
Access Control Pilot Program is intended to assist the agency in
developing minimum performance standards for airport security systems,
assess the suitability of emerging security technologies, and share
resulting information with airport operators and other aviation
industry stakeholders. In October 2003, TSA selected a systems
integrator to oversee the program and coordinate testing; however, the
agency has not selected the specific technologies to be evaluated. TSA
plans to look at four areas: biometric identification systems, new
identification badges, controls to prevent unauthorized persons from
piggybacking (following authorized airport workers into secured areas),
and intrusion detection systems.[Footnote 31] TSA said the agency will
conduct the technology assessments in two phases and that the second
phase is scheduled to be completed by the end of 2005.[Footnote 32]
However, TSA has not developed a plan describing the steps it will take
once the program is completed, although TSA said the agency intends to
communicate the results of both assessment phases to airport operators.
TSA also said the agency will determine how to use results of the
technology assessments and if it will issue any new security or
performance standards to airports nationwide when both program
assessment phases are completed. Without a plan that considers the
potential steps the agency may need to take to effectively use the
results of the pilot tests--for example, by issuing new standards--
TSA's ability to take effective and immediate steps once the program is
completed could be limited.
In addition to the pilot program, testing of a national credentialing
system for workers in all modes of transportation--the Transportation
Workers Identification Credential (TWIC) Program--is another effort
that may help TSA address the requirement in Section 136 of ATSA
related to testing and recommending commercially available security
technologies to enhance perimeter and access control security.
According to TSA, the program is intended to establish a uniform
identification credential for 6 million workers who require unescorted
physical or cyber access to secured areas of transportation facilities.
The card is intended to combine standard background checks and new and
emerging biometric technology so that a worker can be positively
matched to his or her credential. According to TSA, the agency spent
$15 million for the program in fiscal year 2003. In April 2003, TSA
awarded a contract for $3.8 million to an independent contractor to
assist TSA in the technology evaluation phase of the TWIC program and
to test and evaluate different types of technologies at multiple
facilities across different modes of transportation at pilot sites.
Congress directed $50 million for the TWIC program for fiscal year
2004. This program is scheduled for completion in 2008. We have a
separate review under way looking at TSA's TWIC pilot testing at
maritime ports and expect to report to the Senate Commerce Committee
later this year.
Airport operators and aviation industry associations identified a
number of operational issues that they said need to be resolved for the
TWIC card to be feasible. For example, they said the TWIC card would
have to be compatible with the many types of card readers used at
airports around the country, or new card readers would have to be
installed. At large airports, this could entail replacing hundreds of
card readers, and airport representatives have expressed concerns about
how this effort would be funded. According to TSA, however, the TWIC
card is intended to be compatible with all airports' card readers.
Nonetheless, TSA has not yet conducted an analysis of the cost and
operational impacts of implementing the program at airports nationwide.
TSA said it intends to gather additional information needed to conduct
such an analysis at some point in the future.
The third provision of ATSA related to technology (Sec. 106(b))
requires that TSA develop a plan to provide technical (and funding)
support to small-and medium-sized airports. TSA had not developed such
a plan. As discussed earlier, TSA said that FAA's AIP was the agency's
effort to meet this provision. However, this was an FAA plan and did
not fully meet the requirement. More importantly, because the amount of
money coming from the AIP for security-related projects will be
significantly reduced, and thereby TSA's continuing in involvement with
FAA in administering the program, the AIP cannot continue to serve as
TSA's plan for providing technical assistance to small-and medium-sized
airports. Without a plan, TSA could be less able to document, measure,
and improve the effectiveness of the agency's efforts to provide
technical support for enhancing perimeter and access control security.
Airport Operators' Response to Lack of TSA Guidance on Security
Technology Varies:
We contacted airport operator officials responsible for security at the
nation's 21 largest and busiest U.S. commercial airports to obtain
their views on the need for technical guidance from TSA to enhance the
security of perimeters and access controls. Some airport operators said
they were waiting for TSA to complete its technology assessments before
enhancing perimeter and access control security, while other airport
operators were independently testing and deploying security
technologies. Officials at these airports said they are waiting for TSA
to provide guidance before proceeding with security upgrades. These
airport operators also said that security technology is very costly,
and they cannot afford to pay for testing technology prior to
purchasing and installing such technology at their airports. They said
that information or guidance from TSA about what technologies are
available or most effective to safeguard airport perimeters would be
beneficial. Conversely, officials at other airports also said they were
assessing what is needed to improve their perimeter security and access
controls by independently testing and installing security technologies.
Several of these officials said that the trial-and-error approach to
improving security would not be necessary if TSA would act as a
clearinghouse for information on the most effective security
technologies and how they can be applied. They said that their
independent efforts did not always ensure that increasingly limited
resources for enhancing security were used in the most effective way.
In addition to contacting the 21 largest and busiest airports, we
identified 13 other airports as examples of airports that have tested
or implemented technologies for improving airport perimeter and access
control security.[Footnote 33] Figure 3 shows where various perimeter
and access control security technologies were being tested at the time
of our review or had been implemented at selected commercial airports
across the nation.
Figure 3: Perimeter and Access Control Security Technologies Tested or
Implemented at Selected Commercial Airports across the Nation:
[See PDF for image]
Source: GAO and American Association of Airport Executives.
[End of figure]
While some independent efforts have been successful in identifying
effective security technologies, others have been less successful. For
example, one airport operator said it contracted with a private
technology vendor to install identity authentication technology to
screen documents presented by job applicants. The airport completed a
5-month pilot program in the fall of 2002 and subsequently purchased
two workstations to implement the technology at the airport at a cost
of $130,000. Another airport operator conducted an independent pilot
program in 2002 to test a biometric recognition system in order to
identify airport workers. The system compared 15 airport workers
against a database of 250 airport workers, but operated at a high
failure rate. Although compiling information on this pilot test and
other airports' efforts would augment TSA's own efforts to assess
technology, TSA has not considered the costs and benefits of compiling
and assessing the information being collected through these independent
efforts. TSA agreed that compiling such data could be beneficial, but
the agency had not yet focused its attention on gathering data to
generate useful information on such independent testing efforts.
Without taking steps to collect and disseminate the results of these
independent airport operator efforts to test and deploy security
technologies, TSA could miss opportunities to enhance its own testing
activities, as well as help other airport operators avoid potentially
costly and less effective independent test programs.
TSA Has Helped to Reduce Potential Security Risks Posed by Airport
Workers but Has Not Determined How to Fully Address Legislative
Requirements:
TSA has taken steps to increase measures to reduce the potential
security risks posed by airport workers, but it has not addressed all
of the requirements in ATSA related to background checks, screening,
security training, and vendor security programs or developed plans that
describe the actions they intend to take to fully address these
requirements. For example, TSA required criminal history records checks
and security awareness training for most, but not all, the airport
workers called for in ATSA (Secs. 138(a)(8) and 106(e), respectively).
Finally, TSA does not require airport vendors with direct access to the
airfield and aircraft to develop security programs, which would include
security measures for vendor employees and property, as required by
ATSA (Sec. 106(a)). TSA cited resource, regulatory, and operational
concerns associated with performing checks on additional workers, and
providing additional training, as well as the potentially significant
costs to vendors to establish and enforce independent security
programs. However, TSA had not yet completed analyses to quantify these
costs, determine the extent to which the industry would oppose
regulatory changes, or determine whether it would be operationally
feasible for TSA to monitor implementation of such programs.
Background Checks Are Not Required for All Airport Workers, and the
Checks Have Limitations:
TSA requires most airport workers who perform duties in secured and
sterile areas to undergo a fingerprint-based criminal history records
check, and it requires airport operators to compare applicants' names
against TSA's aviation security watch lists.[Footnote 34] Once workers
undergo this review, they are granted access to airport areas in which
they perform duties. For example, those workers who have been granted
unescorted access to secured areas are authorized access to these areas
without undergoing physical screening for prohibited items (which
passengers undergo prior to boarding a flight). To meet TSA
requirements, airport operators transmit applicants' fingerprints to a
TSA contractor, who in turn forwards the fingerprints to TSA, who
submits them to the FBI to be checked for criminal histories that could
disqualify an applicant for airport employment. TSA also requires that
airport operators verify that applicants' names do not appear on TSA's
"no fly" and "selectee" watch lists to determine whether applicants are
eligible for employment.[Footnote 35]
According to TSA, all airport workers who have unescorted access to
secured airport areas--approximately 900,000 individuals nationwide--
underwent a fingerprint-based criminal history records check and
verification that they did not appear on TSA's watch lists by December
6, 2002, as required by regulation. In late 2002, TSA required airport
operators to conduct fingerprint-based checks and watch list
verifications for an additional approximately 100,000 airport workers
who perform duties in sterile areas. As of April 2004, TSA said that
airport operators had completed all of these checks. To verify that
required criminal checks were conducted, we randomly sampled airport
employee files at 9 airports we visited during our review and examined
all airport employee files at a 10th airport.[Footnote 36] Based on our
samples, we estimate that criminal history record checks at 7 of the
airports were conducted for 100 percent of the airport
employees.[Footnote 37] In the other 2 airports in which samples were
conducted, we estimate that criminal history checks were conducted for
98 percent and 96 percent of the airport workers.[Footnote 38] At the
10th airport, we examined all airport employee files.We found that
criminal history checks were conducted for 93 percent of the airport
employees there. Although airport operators could not provide
documentation that the checks were conducted in a small number of
cases, airport security officials said that no individuals were granted
access to secured or sterile areas without the completion of such a
check. TSA said that verification of airport compliance with background
check requirements was a standard part of airport compliance
inspections. For example, according to TSA, the agency conducted
criminal history records check verification inspections at 103 airports
between October 1, 2003, and February 9, 2004, and found that the
airports were in compliance about 99 percent of the time.
TSA does not require airport workers who need access to secured areas
from time to time (such as construction workers), and who must be
regularly escorted, to undergo a fingerprint check or scan against law
enforcement databases, even though such checks are also required by
ATSA (Sec. 138(a)(6)). Although TSA does not require that airport
operators conduct these checks, TSA drafted a proposed rule in 2002 to
require checks on individuals escorted in secured areas. The draft rule
also set forth minimum standards for providing escorts for these
individuals. In a February 2003 report on TSA's efforts to enhance
airport security, the Department of Transportation Inspector General
recommended that TSA revise its proposed rule to enhance the security
benefits that the new rule could provide by including (1) additional
background check requirements, (2) a more specific description of
escort procedures, and (3) a clarification on who would be exempt from
such requirements.[Footnote 39] However, at the time of our review, TSA
had not addressed these recommendations, issued the proposed rule, or
developed a schedule for conducting and completing the rule making
process. According to TSA, the agency plans to proceed with its rule
making to address background checks for those who have regularly
escorted access, and, in consultation with DHS and the Office of
Management and Budget, has included this rule making as part of a
priority list of 20 rule makings that the agency plans to initiate in
the next 12 months.
The Effectiveness of Fingerprint-Based Criminal Checks Is Limited:
While TSA has taken steps to conduct fingerprint-based checks for
airport employees who work in secured and sterile areas, certain
factors limit the effectiveness of these checks. For example,
fingerprint-based checks only identify individuals with fingerprints
and a criminal record on file with the FBI's national fingerprint
database. Limitations of these checks were highlighted by recent
multifederal agency investigations, which found that thousands of
airport workers falsified immigration, Social Security, or criminal
history information to gain unescorted access to secured and sterile
airport areas.[Footnote 40] In some of these cases, airport workers who
had provided false information to obtain unescorted access underwent a
fingerprint-based check and passed.[Footnote 41] TSA noted that the
federal government had not yet developed a system that would allow
interagency database searches to provide access to social security and
immigration information.[Footnote 42]
Another limitation with TSA's process for conducting background checks
on airport workers is that fingerprint checks do not include a review
of, among other things, all available local (county and municipal)
criminal record files. As a result, an individual could pass the
fingerprint check although he or she had a local criminal record. TSA
officials did not consider the lack of a local criminal records check
to be a limiting factor because local criminal records are not likely
to include any of the 28 criminal convictions that would disqualify an
individual from obtaining unescorted access to secured airport areas.
According to TSA, local criminal files do not include the more serious
crimes such as murder, treason, arson, kidnapping, and espionage that
are listed in state and federal criminal databases. Further, several
airport operator officials we spoke with expressed concern about cases
in which individuals had committed disqualifying criminal offenses and
were ultimately granted access to secured areas because federal law
(and TSA's implementing regulation) disqualifies an individual only if
he or she has been convicted of an offense within 10 years of applying
for employment at the airport. Others said that a few disqualifying
criminal offenses, such as air piracy, warranted a lifetime rather than
a 10-year ban on employment in secured airport areas. Also, current
regulation requires that airport workers must report if they are
convicted of a crime after the initial criminal check is conducted and
surrender their security identification badges within 24 hours of their
conviction.[Footnote 43] In addressing the issue of background checks
in May 2003, the Department of Transportation's Inspector General
issued a statement supporting random recurrent background
checks.[Footnote 44]
TSA recognizes the potential limitations of current fingerprint check
requirements and has taken steps to improve the process. For example,
in 2002, TSA began conducting an additional two-part background check
consisting of a name-based FBI National Crime Information Center (NCIC)
check and a terrorist link analysis against selected terrorism
databases for the approximately 100,000 airport workers who perform
duties in sterile areas. TSA said it expanded the background check
process for these workers because it believed that the cost was more
feasible for airport operators to bear, given these workers represent a
significantly smaller population than workers who have unescorted
access to secured areas. TSA used the NCIC database, a computerized
index of documented criminal justice information, to conduct a criminal
history record check that compares an individual's name against 19
nationwide criminal history lists.[Footnote 45] The terrorist link
analysis determines whether an airport worker is known to pose a
potential terrorist threat. TSA officials noted that the terrorist link
analysis could identify personal information on airport employment
applications, among other things, thus improving the current background
check process.
TSA Faces Challenges in Expanding the Scope of Background Checks:
TSA faces challenges in expanding the scope and frequency of current
background check requirements to include additional airport workers and
more extensive background checks. In terms of expanding background
checks to include airport workers who have regularly escorted access to
secured areas, TSA said that determining how many workers are regularly
escorted in secured airport areas is a challenge because these
individuals (such as construction workers) enter the airport on an
infrequent and unpredictable basis. TSA said airport officials could
not easily determine how many workers are regularly escorted in secured
areas and which workers would warrant a background check. TSA had not
conducted any sampling or other analysis efforts to attempt to
determine how many workers this might include.
In terms of expanding the scope of current background check
requirements to include more extensive checks on airport workers who
have unescorted access to secured areas, TSA cited the time needed to
establish regulatory requirements for the more extensive checks and the
potential costs of conducting the checks as challenges. In contrast, to
reduce the security risk associated with federal airport screeners, TSA
conducts far more extensive checks before providing screeners the same
level or lower levels of airport access.
The agency supports conducting the expanded checks for all commercial
aviation workers and estimated that the cost to perform fingerprint-
based criminal history records checks for all secured and sterile area
workers nationwide has been approximately $60 million to $80 million
(or about $60 to $80 for each of the approximately 1 million secured
and sterile area workers). TSA had not estimated the costs of applying
additional checks to all airport workers. In addition, TSA stated that
increasing the frequency of background checks would also increase costs
to airport operators. However, TSA had not developed a specific cost
analysis to assess the costs of expanding the scope and frequency of
the checks or whether the additional security provided by taking such
steps would warrant the additional costs.
TSA said the agency is considering alternatives for how these
additional checks would be funded. TSA also said that requiring airport
workers themselves to pay for a portion of the background check, which
is a common practice at some airports, could help to fund these
additional checks. In recognition of the potential security risk posed
by airport workers, TSA said the agency was weighing the costs and
security benefits of expanding the scope and frequency of current
background check requirements to include additional airport workers, as
well as more extensive checks. However, TSA has not yet established a
plan outlining how and when it will do so. For example, TSA has not yet
proposed specific analyses to support its decision making or a schedule
describing when it plans to decide this issue.
TSA Cites Challenges to Physically Screening All Airport Workers:
TSA has different requirements for screening airport workers. For
sterile area workers, TSA requires, among other things, that they be
screened at the checkpoint. According to TSA's Office of Chief Counsel,
TSA intended that sterile area workers be required to enter sterile
areas through the passenger-screening checkpoint and be physically
screened. However, airport officials, with the FSD's approval, may
allow sterile area workers to enter sterile areas through employee
access points or may grant them unescorted access authority and SIDA
badges.[Footnote 46]
TSA does not require airport workers who have been granted unescorted
SIDA access to be physically screened for prohibited items when
entering secured areas. According to TSA, the agency relies on its
fingerprint-based criminal history records check as a means of meeting
the ATSA requirement that all individuals entering secured areas at
airports be screened and that the screening of airport workers provides
at least the same level of protection that results from physical
screening of passengers and their baggage. However, as previously
noted, there are limitations with the scope and effectiveness of the
background check process. TSA acknowledged that physically screening
airport workers for access to secured areas could increase security,
but it cited challenges such as the need (and associated costs) for
more screening staff and increased passenger delays. Although TSA said
fingerprint checks are a more economically feasible alternative, the
agency had not conducted analyses to determine the actual costs,
assessed the potential operational delays that could occur, or the
reduction of the risk posed by airport workers that physical screening
would provide. However, in October 2002, TSA conducted an analysis of
threats posed by airport workers with access to secured areas, and one
recommendation in the resulting report was to require airport operators
to conduct random physical screening of workers entering secured
areas.[Footnote 47] TSA elected not to adopt this recommendation
because of what it characterized as the cost and operational
difficulties in physically screening workers. However, TSA did not
gather or analyze data from airports to substantiate its claim.
Some airport operator officials we contacted agreed with TSA that
physically screening workers prior to entering secured areas would be
costly and difficult. For example, some airport operator officials said
physical screening of these airport workers would result in increased
staffing costs and longer wait times for passengers at passenger-
screening checkpoints, or could require screening airport workers at a
location separate from passengers to avoid passenger delays. In
addition to the operational difficulty of physically screening each
worker, TSA and airport operators noted that some airport workers must
use prohibited items (such as box cutters and knives) to perform their
job functions, and monitoring which workers are allowed to carry such
items could be difficult. Also, these prohibited items would still be
available to workers who wished to use them to cause harm even after
they had been physically screened. At one airport we visited, airport
workers who have access to secured areas are required to undergo
physical screening when they arrive at work through centralized
employee-screening checkpoints but are not screened when they
subsequently enter secured areas through other access points.
TSA has not estimated the cost associated with requiring physical
screening of secured area airport workers, although airport operators
and industry associations believe the cost would be significant. While
TSA is weighing the security benefits of requiring physical screening
of workers who have access to secured airport areas against the
associated costs, the agency has yet to determine whether such
requirements will be established. According to TSA, screening in the
form of enhanced background checks on all airport workers--checks that
would investigate Social Security information, immigration status, and
links to terrorism--would, if instituted, further ensure that airport
workers were trustworthy and reduce risk, if not the need to physically
screen workers. However, TSA has not developed a plan defining when and
how the agency will determine whether it will institute these expanded
checks or if physically screening airport workers who need access to
secured areas is ultimately necessary and feasible.
TSA Requires Security Training for Some but Not All Airport Workers:
ATSA, (Sec. 106(e)), mandates that TSA require airport operators and
air carriers to develop security awareness training programs for
airport workers such as ground crews, and gate, ticket, and curbside
agents of air carriers. However, while TSA requires such training for
these airport workers if they have unescorted access to secured areas,
the agency does not require training for airport workers who perform
duties in sterile airport areas.[Footnote 48] According to TSA,
training requirements for these airport workers have not been
established because additional training would result in increased costs
for airport operators. Nonetheless, officials at some airports we
visited said that the added cost is warranted and have independently
required security training for their airport employees that work in
sterile areas to increase awareness of their security responsibilities.
Among other things, security training teaches airport workers their
responsibility to challenge suspicious persons who are not authorized
to be in secured areas (an area included in TSA airport covert testing
programs). Some airport operator officials said they also used
challenge reward programs, whereby airport workers are given rewards
for challenging suspicious persons or individuals who are not
authorized to be in secured areas, as a way of reinforcing security
awareness training.
Many airport operator officials we spoke with were concerned that
security training for airport workers in secured areas is not required
by TSA regulations on a recurrent basis, an issue previously raised by
the Department of Transportation's Inspector General.[Footnote 49] TSA
also agreed that recurrent training could be beneficial in raising the
security awareness of airport workers. Although recurrent training is
not required by ATSA or by TSA regulation, a federal law does require
recurrent security training for the purpose of improving secured area
access controls.[Footnote 50] Other airport operators independently
provide recurrent training for individuals who demonstrate a lack of
security awareness.
TSA has acknowledged the value of recurrent training for its own
workforce. We previously identified that training for TSA employees--
airport screeners--should be recurrent, and TSA said it is developing a
recurrent training program for its screening workforce to aid in
maintaining security awareness, among other things.[Footnote 51] At the
time of our review, TSA said it was considering the benefits of
expanding the scope and frequency of security training against the
associated costs in time and money to airport operators and businesses.
However, TSA had not developed a plan or schedule for conducting the
analyses needed to support its decision making or projected when a
decision might be made.
TSA Does Not Require Airport Vendors to Develop Their Own Security
Programs:
TSA has not issued a regulation requiring airport vendors[Footnote 52]
(companies doing business in or with the airport) with direct access to
the airfield and aircraft to develop a security program, as required by
ATSA (Sec. 106(a)). TSA had not developed an estimate of the number of
airport vendors nationwide, although TSA officials said the number
could be in the thousands. As an example, security officials at an
airport we visited said that over 550 airport vendors conducted
business in or with the airport. According to TSA, existing airport
security requirements address the potential security risks posed by
vendors and their employees. For example, vendor employees that perform
duties in secured or sterile areas are required to undergo a
fingerprint-based criminal history records check, just as other airport
workers are and are prevented by access controls from entering secured
airport areas if they are not authorized to do so. However, as
discussed above, fingerprint-based criminal history records checks may
have limitations.
Many airport operator and airport association officials we spoke with
said that requiring vendors to develop their own security program would
be redundant because the airport's security program comprises all
aspects that a vendor program would include, such as requirements for
employee security training, procedures for challenging suspicious
persons, background checks, monitoring and controlling employee
identification badges, and securing equipment and vehicles. In
addition, some said such a requirement would also place a financial and
administrative burden on vendors doing business at the airport,
particularly the smaller ones, to develop and update such programs. Two
airport vendors we spoke with said that developing security programs
could be costly, time-consuming, and require the use of a consultant
with the necessary security expertise to develop such a plan. In
addition, vendors said that airport operators are in the best position
and have the necessary expertise to determine security policies for all
workers, including vendors, working at the airport.[Footnote 53]
According to TSA, requiring vendors to develop and maintain their own
security programs would also present a resource challenge to TSA's
inspection staff. In addition to conducting reviews of airport operator
and air carrier compliance with federal security regulations, the
already understaffed inspection workforce would also have to determine
a way to review vendor security programs and enforce any violations.
According to TSA, the process of reviewing the programs and verifying
implementation of the program's provisions could require visits to
thousands of different vendor locations spread throughout the United
States.[Footnote 54] Despite these challenges, TSA said the agency is
considering the costs, benefits, and feasibility of issuing a
regulation that would require airport vendors to develop security
programs in order to meet the requirements in ATSA. TSA said that it
has formed a working group to consider the best approach to take, and
this group could become the core of any future rule-making team if
necessary. However, the agency has not developed a plan detailing when
this analysis will be complete or when any decisions about whether to
issue a new rule will be made.
Conclusions:
During its first 2 years, TSA assumed a wide variety of
responsibilities to ensure that airport perimeter and access controls
are secure and that the security risks posed by airport workers are
reduced. Given the range of TSA's responsibilities and its relative
newness, it is understandable that airport security evaluations remain
incomplete and that some provisions of ATSA--which pose operational and
funding challenges--have not been met. TSA has begun efforts to
evaluate the security environments at airports, fund security projects
and test technologies, and reduce the risks posed by airport workers.
However, these efforts have been in some cases fragmented rather than
cohesive. As a result, TSA has not yet determined how it will address
the resource, regulatory, and operational challenges the agency faces
in (1) identifying security weaknesses of the commercial airport system
as a whole, (2) prioritizing funding to address the most critical
needs, or (3) taking additional steps to reduce the risks posed by
airport workers. Without a plan to address the steps it will take to
fulfill the wide variety of security oversight responsibilities the
agency has assumed in the area of perimeter and access control
security, TSA will be less able to justify its resource needs and
clearly identify its progress in addressing requirements in ATSA and
associated improvements in this area of airport security. Such a plan
would also provide a better framework for Congress and others
interested in holding TSA accountable for the effectiveness of its
efforts.
Recommendations for Executive Action:
To help ensure that TSA is able to articulate and justify future
decisions on how best to proceed with security evaluations, fund and
implement security improvements--including new security technologies--
and implement additional measures to reduce the potential security
risks posed by airport workers, we recommend that the Secretary of
Homeland Security direct TSA's Administrator to develop and provide
Congress with a plan for meeting the requirements of ATSA. In addition,
at a minimum, we recommend the following four actions be addressed:
* Establish schedules and an analytical approach for completing
compliance inspections and vulnerability assessments for evaluating
airport security.
* Conduct assessments of technology, compile the results of these
assessments as well as assessments conducted independently by airport
operators, and communicate the integrated results of these assessments
to airport operators.
* Use the information resulting from the security evaluation and
technology assessment efforts cited above as a basis for providing
guidance and prioritizing funding to airports for enhancing the
security of the commercial airport system as a whole.
* Determine, in conjunction with aviation industry stakeholders, if and
when additional security requirements are needed to reduce the risks
posed by airport workers and develop related guidance, as needed.
Agency Comments:
We provided a draft copy of this report to the Department of Homeland
Security and the Transportation Security Administration for their
review and comment. TSA generally concurred with the findings and
recommendations in the report and provided formal written comments that
are presented in appendix III. These comments noted that TSA has
started to, or plans to, implement many of the actions we recommended.
TSA also provided technical comments that we incorporated as
appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from the date of this report. At that time, we will send copies to
appropriate congressional committees; the Secretary, DHS; the
Secretary, DOT; the Director of Office of Management and Budget; and
other interested parties. We will also make copies available to others
upon request. In addition, the report will be available at no charge on
GAO's Web site at http://www.gao.gov.
If you or your staff have any questions about this report, please
contact me at (202) 512-3404 or at berrickc@gao.gov or Chris Keisling,
Assistant Director, at (404) 679-1917 or at keislingc@gao.gov. Key
contributors to this report are listed in appendix IV.
Signed by:
Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
To assess the Transportation Security Administration's (TSA) efforts to
(1) evaluate the security of airport perimeters and the controls that
limit access into secured airport areas, (2) help airports implement
and enhance perimeter security and access controls by providing funding
and technical guidance, and (3) implement measures to reduce the
potential security risk posed by airport workers, we reviewed pertinent
legislation (the Aviation and Transportation Security Act, or ATSA),
regulatory requirements, and policy guidance. We discussed specific
ATSA requirements related to Sections 106, 136, and 138, which address
perimeter and access control security, as well as strengthening
requirements for airport workers, with our Office of General Counsel to
determine to what extent TSA had met these requirements. We limited our
review of TSA's efforts to test, assess, and deploy security
technologies as it related to provisions in Sections 106 and 136 of
ATSA. We also obtained and analyzed TSA data on security breaches,
inspections of airport compliance with security regulations, and
vulnerability assessments. (TSA's covert testing data and information
on the test program is classified and is the subject of a separate GAO
report.) We discussed the threat scenarios used in TSA vulnerability
assessments with TSA officials to identify those related to perimeter
and access control security. We also obtained and analyzed data from
the Federal Aviation Administration (FAA) and TSA on perimeter and
access control-related security funds distributed to commercial
airports nationwide. We also reviewed reports on aviation security
issued previously by us and the Department of Transportation Inspector
General.
We discussed the reliability of TSA's airport security breach data for
fiscal years 2001, 2002, and 2003 (through October); vulnerability
assessment data for 2003; and compliance inspection data for fiscal
years 2002, 2003, and 2004 (to February) with TSA officials in charge
of both efforts. Specifically, we discussed methods for inputting,
compiling, and maintaining the data. In addition, we reviewed reports
related to TSA's compliance reviews and vulnerability assessments to
determine the results and identify any inconsistencies in the data.
Subsequently, no inconsistencies were found, and we determined that the
data provided by TSA were sufficiently reliable for the purposes of our
review.
In addition, we conducted site visits at 12 commercial airports (8
category X, 1 category I, 1 category II, 1 category III, and 1 category
IV) to observe airport security procedures and discuss issues related
to perimeter and access control security with airport officials.
Airports we visited were Boston Logan International Airport, Atlanta
Hartsfield Jackson International Airport, Ronald Reagan Washington
National Airport, Washington Dulles International Airport, Orlando
International Airport, Tampa International Airport, Miami
International Airport, Los Angeles International Airport, San Francisco
International Airport, Middle Georgia Regional Airport, Chattanooga
Metropolitan Airport, and Columbus Metropolitan Airport. We chose these
airports on the basis of several factors, including airport size,
geographical dispersion, and airport efforts to test and implement
security technologies. We also conducted semistructured interviews with
airport security coordinators at each of the 21 category X airports to
discuss their views on perimeter and access control security issues. In
addition, we contacted or identified 13 other airports that had tested
or implemented perimeter and access control security technologies.
We reviewed a random sample of 838 airport workers at 10 of the 12
airports we visited (categories X, I, and II) where workers were
indicated as having a fingerprint-based criminal history records check
in calendar year 2003 to verify that these workers had undergone the
check. We did not conduct a records review at the category III and IV
commercial airports we visited. We randomly selected probability
samples from the study populations of airport workers who underwent a
fingerprint-based criminal history record check in the period between
January 1, 2003, and the date in which we selected our sample or
December 31, 2003, whichever was earlier. With these probability
samples, each member of the study populations had a nonzero probability
of being included, and that probability could be computed for any
member. Each sample element selected was subsequently weighted in the
analysis to account statistically for all the members of the population
at each airport. Because we followed a probability procedure based on
random selections at each airport, our samples are only one of a large
number of samples that we might have drawn. Since each sample could
have provided different estimates, we express our confidence in the
precision of our particular samples' results as 95 percent confidence
intervals (e.g., plus or minus 7 percentage points). These are the
intervals that would contain the actual population value for 95 percent
of the samples we could have drawn. As a result, we are 95 percent
confident that each of the confidence intervals in this report will
include the true values in the respective study populations.
Further, we interviewed TSA headquarters officials in Arlington,
Virginia, and from the Office of Internal Affairs and Program Review,
Office of Aviation Operations, Office of Chief Counsel, Credentialing
Program Office, Office of Aviation Security Measures, and officials
from the Office of Technology in Atlantic City, New Jersey, to discuss
the agency's efforts to address perimeter and access control security.
We also spoke with officials from two aviation industry associations--
the American Association of Airport Executives and Airports Council
International--to obtain their views on the challenges associated with
improving perimeter and access control security. We also interviewed
airport vendors to determine the need and feasibility of requiring all
vendors to develop their own security programs.
We conducted our work between June 2003 and March 2004 in accordance
with generally accepted government auditing standards.
[End of section]
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach:
Risk management is a systematic and analytical process to consider the
likelihood that a threat will endanger an asset, an individual, or a
function and to identify actions to reduce the risk and mitigate the
consequences of an attack. Risk management principles acknowledge that
while risk cannot be eliminated, enhancing protection from existing or
potential threats can help reduce it. Accordingly, a risk management
approach is a systematic process to analyze threats, vulnerabilities,
and the criticality (or relative importance) of assets to better
support key decisions. The purpose of this approach is to link
resources with efforts that are of the highest priority. Figure 4
describes the elements of a risk management approach.
Figure 4: Elements of a Risk Management Approach:
A threat assessment identifies and evaluates potential threats on the
basis of factors such as capabilities, intentions, and past activities.
This assessment represents a systematic approach to identifying
potential threats before they materialize, and is based on threat
information gathered from both the intelligence and law enforcement
communities. However, even if updated often, a threat assessment might
not adequately capture some emerging threats. The risk management
approach, therefore, uses vulnerability and criticality assessments as
additional input to the decision-making process.: A vulnerability
assessment identifies weaknesses that may be exploited by identified
threats and suggests options to address those weaknesses. In general, a
vulnerability assessment is conducted by a team of experts skilled in
such areas as engineering, intelligence, security, information systems,
finance, and other disciplines.
A threat assessment identifies and evaluates potential threats on the
basis of factors such as capabilities, intentions, and past activities.
This assessment represents a systematic approach to identifying
potential threats before they materialize, and is based on threat
information gathered from both the intelligence and law enforcement
communities. However, even if updated often, a threat assessment might
not adequately capture some emerging threats. The risk management
approach, therefore, uses vulnerability and criticality assessments as
additional input to the decision-making process.: A criticality
assessment evaluates and prioritizes assets and functions in terms of
specific criteria, such as their importance to public safety and the
economy. The assessment provides a basis for identifying which
structures or processes are relatively more important to protect from
attack. As such, it helps managers to determine operational
requirements and target resources at their highest priorities, while
reducing the potential for targeting resources at lower priorities.
Source: GAO.
[End of figure]
Figure 5 illustrates how the risk management approach can guide
decision making and shows that the highest risks and priorities emerge
where the three elements of risk management overlap.
Figure 5: How a Risk Management Approach Can Guide Decision-Making:
[See PDF for image]
[End of figure]
For example, an airport that is determined to be a critical asset,
vulnerable to attack, and a likely target would be at most risk and,
therefore, would be a higher priority for funding compared with an
airport that is only vulnerable to attack. In this vein, aviation
security measures shown to reduce the risk to the most critical assets
would provide the greatest protection for the cost.
According to TSA, once established, risk management principles will
drive all decisions--from standard setting to funding priorities and to
staffing. TSA has not yet fully implemented its risk management
approach, but it has taken steps in this direction. Specifically, TSA's
Office of Threat Assessment and Risk Management is in various stages of
developing four assessment tools that will help assess threats,
criticality, and vulnerabilities. TSA plans to fully implement and
automate its risk management approach by September 2004. Figure 6 shows
TSA's threat assessment and risk management approach.
Figure 6: TSA's Threat Assessment and Risk Management Approach:
[See PDF for image]
[End of figure]
The first tool, which will assess criticality, will determine a
criticality score for a facility or transportation asset by
incorporating factors such as the number of fatalities that could occur
during an attack and the economic and sociopolitical importance of the
facility or asset. This score will enable TSA, in conjunction with
transportation stakeholders, to rank facilities and assets within each
mode and thus focus resources on those that are deemed most important.
TSA is working with another Department of Homeland Security (DHS)
office--the Information and Analysis Protection Directorate--to ensure
that the criticality tool will be consistent with DHS's overall
approach for managing critical infrastructure.
A second tool--the Transportation Risk Assessment and Vulnerability
Tool (TRAVEL)--assesses threats and analyzes vulnerabilities at those
transportation assets TSA determines to be nationally critical. The
tool is used in a TSA-led and -facilitated assessment that will be
conducted on the site of the transportation asset. The facilitated
assessments typically take several days to complete and are conducted
by TSA subject matter experts, along with airport representatives such
as operations management, regulatory personnel, security personnel, and
law enforcement agents. Specifically, the tool assesses an asset's
baseline security system and that system's effectiveness in detecting,
deterring, and preventing various threat scenarios, and it produces a
relative risk score for potential attacks against a transportation
asset or facility. Established threat scenarios contained in the TRAVEL
tool outlines a potential threat situation including the target,
threatening act, aggressor type, tactic/dedication, contraband,
contraband host, and aggressor path. In addition, TRAVEL will include a
cost-benefit component that compares the cost of implementing a given
countermeasure with the reduction in relative risk to that
countermeasure. TSA is working with economists to develop the cost-
benefit component of this model and with the TSA Intelligence Service
to develop relevant threat scenarios for transportation assets and
facilities. According to TSA officials, a standard threat and
vulnerability assessment tool is needed so that TSA can identify and
compare threats and vulnerabilities across transportation modes. If
different methodologies are used in assessing the threats and
vulnerabilities, comparisons could be problematic. However, a standard
assessment tool would ensure consistent methodology.
A third tool--the Transportation Self-Assessment Risk Module (TSARM)--
will be used to assess and analyze vulnerabilities for assets that the
criticality assessment determines to be less critical. The self-
assessment tool included in TSARM will guide a user through a series of
security-related questions in order to develop a comprehensive security
baseline of a transportation entity and will provide mitigating
strategies for use when the threat level increases. For example, as the
threat level increases from yellow to orange, as determined by DHS, the
assessment tool might advise an entity to take increased security
measures, such as erecting barriers and closing selected entrances. TSA
had deployed one self-assessment module in support of targeted maritime
vessel and facility categories.[Footnote 55]
The fourth risk management tool that TSA is currently developing is the
TSA Vulnerability Assessment Management System (TVAMS). TVAMS is TSA's
intended repository of criticality, threat, and vulnerability
assessment data. TVAMS will maintain the results of all vulnerability
assessments across all modes of transportation. This repository will
provide TSA with data analysis and reporting capabilities. TVAMS is
currently in the conceptual stage and requirements are still being
gathered.
[End of section]
Appendix III: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Office of the Administrator
601 South 12th Street
Arlington,VA 22202-4220:
Transportation Security Administration:
MAY 24, 2004:
Ms. Cathleen Berrick:
Director, Homeland Security & Justice Issues:
U.S. General Accounting Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Ms. Berrick:
Thank you for the opportunity to comment on GAO's draft report
entitled, "Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Control," GAO-04-
728.
The Transportation Security Administration (TSA) appreciates the work
done in this report to identify areas where security of our Nation's
airports may be enhanced. TSA believes that GAO's identification of
areas where improvements are needed will contribute to our ongoing
efforts to strengthen aviation security. We generally concur with the
report and its recommendations and appreciate the discussion of
challenges and next steps. However, there are a number of areas within
the report about which we would like to comment.
On December 17, 2003, President Bush issued Homeland Security
Presidential Directive 7 (HSPD-7), which directs the establishment of
"a national policy for Federal departments and agencies to identify and
prioritize United States critical infrastructure and key resources and
to protect them from terrorist attacks." The Department of Homeland
Security (DHS) is responsible under HSPD-7 for developing a National
Critical Infrastructure Protection Plan, which is being managed by the
DHS's Information Analysis and Infrastructure Protection Directorate
(IAIP). This plan will be comprised of Sector Specific Plans (SSPs),
and TSA has been assigned the primary responsibility to coordinate
development of the SSP for Transportation. The development of this plan
will involve intensive interaction with other DHS directorates and
agencies, such as IAIP and the Coast Guard, and the Department of
Transportation (DOT) and its modal administrations. The plan, which
will be developed over the next several months will identify federal
and private-sector stakeholders in each portion of the transportation
sector, their roles and relationships; their means of communication;
how important assets in the transportation sector will be identified,
assessed, and prioritized; how protective programs will be developed;
how progress in reducing risk will be measured and how program
effectiveness will be communicated; and how research and development
will be prioritized in the sector.
The development of the National Critical Infrastructure Protection Plan
(NCIPP) and each sector chapter within the NCIPP is a monumental but
essential task that requires the support and coordination of Federal
departments and agencies, State and local governments, and the private
sector.
TSA is on an aggressive timetable to complete the Transportation SSP to
feed into the NCIPP. Therefore, while the GAO report concludes that TSA
has not yet determined how it "will address the resource, regulatory,
and operational challenges the agency faces in identifying security
weaknesses of the commercial airport system as a whole," it is TSA's
belief that the SSP and the NCIPP will provide the necessary framework
and guidance to address challenges and prioritize resources according
to the most critical needs across the entire transportation system,
including the commercial aviation sector.
Additionally, TSA believes that the report creates the impression that
TSA has done less than it actually has to provide security for
commercial aviation. Much has been accomplished in the less than two
years since enactment of the Aviation and Transportation Security Act
(ATSA), and intervening time since completion of the Federalization of
passenger security screening at U.S. airports on November 19, 2002. We
have instituted a system of reinforcing rings of security to mitigate
the risk of future terrorist or criminal acts. These security measures,
supported by intelligence and threat analysis, work together to help
secure aviation from curbside to cockpit. While no single component of
our security system is infallible, we believe our system of mutually
supporting rings of security has substantially improved the security of
the traveling public. We believe the civil aviation sector is more
secure today than it has ever been; however, we are always mindful that
there is much yet to be done as we mature our many-layered "system of
systems."
While we recognize that the scope of this report was confined to a
review of airport perimeter security and access control, it is
important to look at the totality of security measures put in place to
protect civil aviation in order to completely assess where we are today
in regards to aviation security.
[See PDF for image]
[End of figure]
All of the elements in our system of systems complement one another.
First, the flow of intelligence information on terrorists, their
methods and their plans, has greatly improved our understanding of the
threats that we face and helped us to focus our resources on meeting
those threats. TSA has also increased the level of existing
coordination with our international partners at airports overseas and
with air carriers that fly into and out of the United States. TSA and
the Federal Aviation Administration (FAA) have helped fund many local
airport projects to improve perimeter security, such as the
construction of perimeter access roads, the installation of access
control systems, electronic surveillance and intrusion detection
systems, and security fencing.
Current security directives contain many requirements for
implementation by airport and aircraft operators that relate to
screening or inspecting people and material entering airport
perimeters, including "secured" areas, security identification display
areas, and the air operations area where commercial aircraft are
located and serviced. For example, these security directives require
specific measures at vehicle access gates, inspections of service
personnel and their personal property, and identification checks at
controlled access points to secured areas. Such countermeasures are
implemented systematically at essentially all airports throughout the
nation with some variations allowed by request.
TSA works closely with the FAA in the administration of the Airport
Improvement Program (AIP), which is an FAA program, to assist in
prioritizing applications for security related improvement projects.
Federal Security Directors (FSDs) are also involved at the beginning of
the AIP application process and actively collaborate with the airport
operator to identify projects that would provide the greatest security
impact for that particular airport. TSA plans to disseminate guidelines
to FSDs to better define and provide guidance on the use of such funds.
TSA headquarters personnel and FSDs will use information regarding the
way in which these funds are used by the specific airports to make
better-informed judgments about proposed security improvements
occurring at U.S. airports.
TSA and other DHS component agencies, including Customs and Border
Protection and Immigration and Customs Enforcement, continue to work
daily with the FAA, DOT and other Federal and State agencies to
effectively utilize communal resources to further secure and protect
aviation. As we strive for nationwide consistency in the application of
reasonable and prudent security measures, we will continue to take
local concerns into account. Integrated planning with contributions
from industry and local authorities is essential, but we must also
maintain the ability to rapidly change security measures based upon the
latest assessments from intelligence and law enforcement agencies:
Deploying screeners at almost 450 commercial airports around the
country less than a year after our establishment was a remarkable feat.
Similarly, by December 31, 2002, we met the Congressional deadline in
the Aviation and Transportation Security Act to screen checked baggage
for explosives. A highly trained force of screeners physically screens
every passenger entering the sterile areas of airports. Aviation
screeners receive a minimum of 40 hours of classroom training, 60 hours
of on-the-job training, and are subject to periodic proficiency
assessments and unannounced testing. Screeners are now provided
continuous
on-the-job training and immediate feedback and remediation through our
deployment of the enhanced Threat Image Projection system. They are
made aware of new threats and methods of concealment. We have also
greatly improved the technology used at screening checkpoints and have
improved our capability to detect weapons, explosives, and other
prohibited items.
As part of our focus on improved perimeter security, TSA conducts
assessments to identify vulnerable areas and needed security measures.
The analysis of the results of these assessments will allow TSA to
prioritize resources and take necessary steps to close any identified
gaps. As you note in your report, TSA redirected resources from
assessments using the Transportation Risk Assessment and Vulnerability
Evaluation (TRAVEL) tool to conduct MANPADS assessments that were
considered a higher priority at the time. Although resources were
temporarily redirected from the TRAVEL to MANPADS assessments, a
substantial number of compliance inspections were performed during this
time, particularly in the areas of access control and access media.
TSA's active completion of these MANPADS assessments ultimately
provided valuable information for inclusion in broader airport
perimeter security assessments at the airports at which they were
conducted, helping us to fulfill our compliance inspection plan and
develop the self assessment tool for aviation. All this was done in
addition to the many layers of security that we have put in place since
9/11. Since the completion of GAO's report, TSA has renewed its TRAVEL
efforts, and has begun conducting joint vulnerability assessments (JVA)
with the FBI. These vulnerability assessments are threat-based and will
be applied at critical commercial airports. The JVA uses current, FBI-
developed threat information as its starting point, and then focuses on
defining an airport's security system against a current threat. The
application of the JVA tool will allow TSA to leverage existing FBI
resources and knowledge base to better assess security gaps and
vulnerabilities at particular airports. In addition to these government
facilitated assessments, a self-assessment tool will be made available
to airports that are deemed less critical which focus on prevention and
mitigation of a base array of threat scenarios developed for various
categories of transportation modes.
As part of our overall strategy to strengthen security of the aviation
system, our analysis and evaluation of the results from the security
evaluations, various assessments, and compliance inspections will be
used to assess priorities and allocate resources to those areas which
we believe require additional security measures.
TSA expanded the Federal Air Marshal Service (FAMS) from dozens of
agents before 9/11 to thousands of highly trained law enforcement
officers, flying the skies on both domestic and international flights.
The FAMS transfer to U.S. Immigration and Customs Enforcement (ICE)
created a "surge capacity" to effectively support overall homeland
security efforts by cross-training FAMs and BICE agents to counter
aviation security threats.
Under FAA rules, all commercial passenger aircraft that fly in the
United States now have reinforced cockpit doors, making it highly
unlikely that terrorists could successfully storm the cockpit. Pilots
are now trained to refrain from opening the flight deck door, and if
terrorists should somehow breach the reinforced flight deck door, they
would meet with a flight deck crew determined to protect the flight
deck at all costs. An increasing number of
pilots are armed and trained to use lethal force against an intruder on
the flight deck. The Federal Flight Deck Officers (FFDOs) that are
currently flying have now flown over ten thousand flights, quietly
providing another layer of security in our system of systems. As more
FFDOs are deputized, this number will rise quickly into the hundreds of
thousands of flights. With the enactment of the Vision 100 - Century of
Aviation Reauthorization Act (Public Law 108-176), the FFDO program was
expanded beyond commercial and charter passenger pilots. Now, cargo
pilots and other flightcrew members - specifically flight engineers and
navigators on both passenger and cargo planes - are also eligible and
being trained for the program.
As you point out in your report, TSA is addressing ATSA requirements
related to testing, assessing, and deploying airport security
technologies. However, your report states that TSA has not developed a
plan to fully address certain sections of ATSA related to perimeter and
access control security. Working closely with the Department of
Homeland Security (DHS) Science and Technology (S&T) Directorate, we
have established an ambitious program to develop and deploy new
security technologies and use technology to enhance human performance.
Our efforts are well underway. TSA is currently involved in several
programs that meet the ATSA requirements to assess security
technologies and has provided guidance to FSDs and airport operators on
security technologies. TSA recently selected eight airports to
participate in Phase I of the Access Control Pilot Program, which will
test Radio Frequency Identification (RFID) technology, anti-
piggybacking technology, advanced video surveillance technology, and
various biometric technologies. Testing this off-the-shelf technology
will give TSA the ability to determine the suitability of use in a
real-world operational environment. Based on this analysis, TSA will
then determine which technologies will be evaluated in Phase II. The
information gleaned from this pilot will then be provided to industry
representatives so that they may make informed decisions when designing
access control systems to meet their security and regulatory needs. We
also have a robust test and evaluation program that has evaluated a
number of biometric devices, perimeter intrusion sensors, and anti-
piggybacking devices. Our program also includes developmental efforts
such as the ASDE-3/X radar enhancement program to allow this deployed
equipment to detect potential perimeter intrusion events. Additionally,
TSA has developed a number of guides to assist in selecting and
deploying security technologies, including reports with subjects such
as perimeter security design, biometrics at domestic airports, and
technology to address tailgating and piggybacking.
In addition to the Access Control Pilot Program, TSA recently awarded
Airport Terminal Security Enhancement grants totaling $8.2 million to
ten airports. The grants will be used to deploy various technologies,
including state-of-the-art video surveillance and RFID tags to track
the location of mobile resources such as baggage carts and other
vehicles in the secure areas of the airports. The first round of grants
for terminal improvements was awarded in December 2003 to eight
airports. This program is part of TSA's ongoing effort to work with the
airports and private industry to explore and deploy the most advanced
technology commercially available to enhance security for the aviation
system.
As you also point out in your report, TSA expanded coverage of the
aviation workforce with background checks when we directed that all
sterile area workers undergo a two-part
check in late 2002 and early 2003. Further, we are planning to conduct
enhanced background checks on all sterile area and SIDA workers this
year.
In further identifying the challenges that TSA faces in ensuring the
effective and efficient security of the aviation system as a whole, TSA
looks to partnerships created through stakeholder outreach, which has
always been a priority for TSA. We work collaboratively with industry
management and labor, and consumer stakeholders in identifying
opportunities to increase efficiency and areas for improvement. We will
continue to involve stakeholders in our decision-making process and
communicate regularly and clearly with our customers, our partners, and
our employees. In fact, TSA is actively involved in the development of
a process tool to provide information to decision makers to achieve a
balance of safety, security, and efficiency. The U.S. Commercial
Aviation Partnership (USCAP) is a process that allows stakeholders to
define areas of consensus and disagreement on the costs and benefits of
significant security proposals. This tool is a means to focus
stakeholder discussions on policy and economic impacts. TSA has the
opportunity to use this tool as one source for the mandatory regulatory
evaluation and to encourage policy discussions with meaningful cost and
benefit comparisons.
TSA also continues to capitalize on its Federal partnerships and
working with the DHS S&T Directorate, TSA is beginning a comprehensive
review of the civil aviation security system now that over two years
have passed since the enactment of the Aviation and Transportation
Security Act and nearly fourteen years have passed since the Aviation
Security Improvement Act of 1990. We are incorporating this review as
part of our constant evaluation of the security measures we have put
into place, and will be able to use the results of this report, along
with our other evaluative efforts to consider other approaches to
improved aviation security that may be available. We have learned a
great deal very quickly, but there is still more to do to successfully
accomplish our transportation security mission.
Much of this additional work hinges on understanding the bigger picture
of our national transportation security system, which is intennodal,
interdependent, and international in scope.
In sum, we appreciate your review of perimeter security and access
control and commend you for the thorough analysis and discussion that
comprises this report. We believe many of your recommendations are
already being addressed by efforts well underway. As we
continue to be cognizant of the areas where we can improve, we remain
vigilant and focused on the security challenges we face.
Thank you for the opportunity to contribute comments to the draft
report.
Sincerely,
Signed by:
David M. Stone, ADM
Acting Administrator:
[End of section]
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Norman J. Rabkin (202) 512-3610 Cathleen A. Berrick (202) 512-3404
Chris Keisling (404) 679-1917:
Staff Acknowledgments:
In addition to those named above, Leo Barbour, Amy Bernstein,
Christopher Currie, Dave Hooper, Thomas Lombardi, Sara Ann Moessbauer,
Jan Montgomery, Steve Morris, Octavia Parks, Dan Rodriguez, and Sidney
Schwartz were key contributors to this report.
FOOTNOTES
[1] ATSA, Pub. L. No. 107-71, 115 Stat. 597 (2001).
[2] ATSA created TSA as an agency within the Department of
Transportation and referred to the head of the TSA as the Under
Secretary of Transportation for Security. Since the transfer of TSA to
the newly created DHS pursuant to the Homeland Security Act of 2002,
Pub. L. 107-296,116 Stat. 2135, the title of the head of TSA has been
administratively changed to Administrator. Within DHS, TSA is a
distinct entity under the authority of the Under Secretary for Border
and Transportation Security.
[3] TSA regulations governing airport security are codified at Title 49
of the Code of Federal Regulations, Chapter XII.
[4] Covert testing involves TSA agents working undercover to evaluate,
among other things, the effectiveness of access control processes and
procedures.
[5] According to TSA, the total number of commercial airports regulated
for security in the United States varies from about 429 to 456,
depending on various factors such as the type and level of commercial
operations that an aircraft operator conducts at that particular
airport, the time of year or season where a particular airport is
located, and the economic stability of that airport's region.
[6] Supporting and partial security programs contain fewer requirements
and typically apply to smaller airports. An aircraft operator may
receive permission from TSA to amend its security program, provided
that the proposed amendments are consistent with safety and the public
interest and provide the requisite level of security. Also, if TSA
concludes that the needs of safety and the public interest require an
amendment to an aircraft operator's security program, the agency may
amend the program on its own initiative.
[7] Regular escorted access is not defined in statute or by regulation.
[8] Our evaluation of TSA's covert testing of airport access controls
is classified and is discussed in a separate report.
[9] TSA's inspections review for compliance in 14 areas.
[10] The statutory authority for TSA to issue fines and penalties to
individual airport operators, air carriers, and individual airport or
airline workers for not complying with established security procedures
is 49 U.S.C. § 46301. The penalty for an aviation security violation is
found at 49 U.S.C. § 46301(a)(4) and states that the maximum civil
penalty for violating chapter 449 [49 U.S.C. §§ 44901 et seq.] or
another requirement under this title administered by the TSA's
administrator shall be $10,000 except that the maximum civil penalty
shall be $25,000 in the case of a person operating an aircraft for the
transportation of passengers or property for compensation.
[11] According to TSA, the agency's new automated reporting system
documents the number of cases in which a civil penalty was recommended.
TSA did not confirm the number of penalties issued.
[12] Prior to September 2003, TSA completed a vulnerability assessment
of a "generic" large airport that focused on threats coming through an
airport's perimeter. According to TSA, the assessment and its results,
which were issued in October 2002, were of limited value because they
focused on one airport area (perimeters) in isolation, and thus needed
to be revalidated and updated in the context of the entire airport
operation environment.
[13] U.S. General Accounting Office, Homeland Security: A Risk
Management Approach Can Guide Preparedness Efforts, GAO-02-208T
(Washington, D.C.: Oct. 31, 2001).
[14] We have previously reported on the challenges associated with the
issuance of aviation regulations, see U.S. General Accounting Office,
Aviation Rulemaking: Further Reform Is Needed to Address Long-standing
Problems, GAO-01-821 (Washington, D.C.: July 6, 2001).
[15] On December 17, 2003, President Bush issued a Homeland Security
Presidential Directive (#7) addressing critical infrastructure
identification, prioritization, and protection. The directive calls for
federal departments and agencies to identify, prioritize, and
coordinate the protection of critical infrastructure and key resources
in order to prevent, deter, and mitigate the effects of deliberate
efforts to destroy, incapacitate, or exploit them. The directive also
requires federal departments and agencies to work with state and local
governments and the private sector to accomplish this objective.
[16] A breach of security does not necessarily mean that a threat was
imminent or successful. According to TSA, the significance of a breach
must be considered in light of several factors, including the intent of
the perpetrator and whether existing security measures and procedures
successfully responded to, and mitigated against, the breach so that no
harm to persons, facilities, or other assets resulted.
[17] According to TSA, differences in the way FAA reported and complied
breach data may account for some portion of the increase from 2001 to
2003. Through its PARIS, TSA hopes to standardize breach data reporting
in the future. PARIS became operational in July 2003.
[18] The Coast Guard, another agency within DHS, elected to hire a
contractor to conduct similar assessments of seaports.
[19] Historically, FAA has provided technical support and financial
assistance to airports through its AIP grant program, including the
acquisition and installation of security equipment, based on formal
requests airport operator officials submitted in accordance with 49
U.S.C. §§ 47101 et seq., and the Airport and Airway Improvement Act of
1982, Pub. L. No. 97-248, 96 Stat. 671.
[20] U.S. General Accounting Office, Airport Finance: Using Airport
Grant Funds for Security Projects Has Affected Some Development
Projects, GAO-03-27 (Washington, D.C.: Oct. 15, 2002).
[21] Department of Defense Appropriations Act, Pub. L. No. 107-117, 115
Stat. 2230, 2328 (2002).
[22] We contacted several airport operators to obtain specific examples
of how AIP funds were used. For example, one airport operator used
about $2.5 million to upgrade perimeter security and access controls by
installing an automatic security gate, connecting perimeter gates to
security systems, adding new video screens in the airport emergency
operations center, adding motion sensors along airport SIDA perimeters
to detect unauthorized intrusion into the SIDA area, among other
things. Another airport operator used $884,000 for additional law
enforcement personnel, airport surveillance, and the revalidation of
airport identification badges.
[23] As part of the 2002 Supplemental Appropriations Act for Further
Recovery from and Response to Terrorist Attacks on the United States,
Pub. L. No. 107-206, 116 Stat. 820, 879-80.
[24] After we completed our review, TSA announced the award of an
additional $8.2 million in grants to 10 airports for perimeter and
access control security-related enhancements.
[25] Vision 100--Century of Aviation Reauthorization Act, Pub. L. No.
108-176, § 605, 117 Stat. 2490, 2566-68 (2003).
[26] Forty percent is allocated to large hub airports, 20 percent for
medium hub airports, 15 percent for small and nonhub airports, and 25
percent distributed at the Secretary's discretion on the basis of
security risks.
[27] The fiscal year 2004 Department of Homeland Security
Appropriations Act, Pub. L. No. 108-90, 117 Stat.1137, 1141-42,
precludes the obligation or expenditure of any funds to carry out
provisions o f the Aviation Security Capital Fund.
[28] GAO has a separate, ongoing review of TSA's research and
development program.
[29] Section 136 also requires the Secretary of Transportation to
conduct a review of reductions in unauthorized access at the category X
airports no later than 18 months after the enactment of ATSA.
[30] TSA defines new and emerging technologies as commercial products
that have not been implemented in an airport security application or
products that will be produced in 9 months in sufficient quantities for
large-scale deployment.
[31] The requirements to assess biometric identification systems and
the controls that prevent unauthorized persons from piggybacking are
specified in ATSA, Section 136.
[32] After we completed our review, TSA announced the selection of 8
airports to participate in the first phase of the pilot program.
[33] We identified these 13 airports through our site visits to
selected airports and through discussions with officials from one of
the primary associations representing airport operators, the American
Association of Airport Executives.
[34] In 49 U.S.C. § 44936 airports and air carriers are required to
conduct fingerprint-based criminal history records checks for all
workers seeking unescorted access to the SIDA. Specifically, no
individual may be given unescorted access authority if he or she has
been convicted, or found not guilty by reason of insanity, of any of 28
disqualifying offenses during the 10 years before the date of the
individual's application for unescorted access authority, or while the
individual has unescorted access authority.
[35] TSA's no-fly list contains the names of individuals that pose, or
are suspected of posing, a threat to civil aviation or national
security. Individuals on this list will not be permitted to board an
aircraft. There is also a selectee process by which individuals who
meet certain criteria are set aside for additional screening.
[36] We visited a total of 12 U.S. commercial airports. We did not
conduct a records review at the category III and IV commercial airports
we visited.
[37] The 95 percent confidence intervals associated with these
estimates extend from 96 percent to 100 percent for 5 of the 7
airports. The analogous interval for a 6th airport extends from 95
percent to 100 percent, and the analogous interval for the 7th airport
extends from 94 percent to 100 percent.
[38] The 95 percent confidence intervals for these estimates extend
from 92 percent to 99.7 percent, and from 90 percent to 99 percent,
respectively.
[39] Department of Transportation Office of Inspector General, Progress
Implementing Sections 106 and 138 of the Aviation and Transportation
Security Act, SC-2003-023, February 27, 2003.
[40] Operation Tarmac was a joint investigation initiated by the
Immigration and Naturalization Service, U.S. Attorneys' offices, FBI,
Department of Transportation Inspector General, Social Security
Administration, and FAA after the September 11 attacks. The operation
was aimed at identifying and arresting airport workers who obtained
their positions and security status through fraud. Results of the
sweeps through airports nationwide has resulted in over 4,200 airport
workers being caught having falsified information in order to be hired
and be granted SIDA badges. Most of the fraud is through falsification
or misrepresentation of Social Security information and immigration
documents.
[41] Other airport operator officials we spoke with use additional
measures to ensure that an individual provides accurate information
prior to being hired at the airport. One airport operator we contacted
verifies the accuracy of Social Security numbers and immigration
documents before hiring new workers. Officials at this and another
airport said they conducted supplemental background checks at the
airport operator's own expense to provide further assurance that
applicants have no criminal record and have provided accurate
information on employment applications. However, these employer checks
are not to be confused with, or substitutes for, checks for secured
area access badges issued by airport badging authorities.
[42] We previously reported that federal watch lists do not have the
capability to automatically share information on immigration status and
biographical, financial, and other data. See U.S. General Accounting
Office, Information Technology: Terrorist Watch Lists Should Be
Consolidated to Promote Better Integration and Sharing, GAO-03-322
(Washington, D.C.: Apr. 15, 2003).
[43] 49 C.F.R. § 1542.209(l).
[44] Inspector General, United States Department of Transportation:
Statement Before the National Commission on Terrorist Attacks Upon the
U.S. on Aviation Security, CC-2003-117 (Washington, D.C.: May 22,
2003).
[45] The 19 nationwide criminal files include: stolen article file,
boat file, convicted person on supervised release file, convicted
sexual offender registry, deported felon file, foreign fugitive file,
gun file, license plate file, missing person file, originating agency
identifier file, protection order file, securities file, SENTRY file,
unidentified persons file, Secret Service Protective order file,
vehicle file, violent gang and terrorist organization file, wanted
persons file, and vehicle/boat part file.
[46] The issue of sterile area worker screening was raised at a March
17, 2004, hearing of the Subcommittee on Aviation, House Committee on
Transportation and Infrastructure. During the hearing, the chairman
asked TSA to survey FSDs to determine how this requirement is being
met. In addition, as part of a separate effort, GAO is surveying FSDs,
to determine, among other things, the extent to which sterile area
workers are being physically screened.
[47] U.S. Department of Transportation, Transportation Security
Administration, TSA Airside Security Risk Assessment, October 3, 2002.
[48] TSA regulations governing security training are virtually the same
as those required previously under FAA.
[49] Inspector General, United States Department of Transportation:
Statement Before the National Commission on Terrorist Attacks Upon the
United States on Aviation Security, CC-2003-117 (Washington, D.C.: May
22, 2003).
[50] See 49 U.S.C. §§ 44903(g)(2)(B), 44935(a),(c).
[51] U.S. General Accounting Office, Airport Passenger Screening:
Preliminary Observations on Progress Made and Challenges Remaining,
GAO-03-1173 (Washington, D.C.: Sept. 24, 2003).
[52] The Department of Transportation's Inspector General recommended
that TSA issue this regulation in its Audit Report--Progress
Implementing Sections 106 and 138 of the Aviation and Transportation
Security Act; Report Number SC-2003-023 (February 27, 2003). Current
TSA regulation (1542.113) allows for but does not require airport
tenants (entities conducting business on airport property) to develop
security programs. TSA did not maintain data on airport vendors or
tenants that have developed such a program to date.
[53] According to TSA, current security directives address some aspects
of vendor security; however, the specific content of security
directives is security sensitive information protected from disclosure
under 49 CFR 1520.7(b). As a result, the relevant sections are
described in the restricted version of this report.
[54] Depending upon the scope of the possible regulation, the term
"vendor" could include all of the companies involved in the supply
chain that serves an airport. TSA said that since the supply chain for
delivery of office products to the businesses located in the airport's
sterile areas could include stages conducted by manufacturers,
suppliers, transporters, retailers, and customers, the aggregate number
of potential vendors cannot be readily determined.
[55] TSA's Maritime Self-Assessment Risk Module was developed in
response to requirements outlined in the Maritime Transportation
Security Act of 2002. The act mandates that any facility or vessel that
the Secretary believes might be involved in a transportation security
incident will be subject to a vulnerability assessment and must submit
a security plan to the U.S. Coast Guard.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548:
