Aviation Security
Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration's Secure Flight Program Gao ID: GAO-06-374T February 9, 2006After the events of September 11, 2001, Congress created the Transportation Security Administration (TSA) and directed it to assume the function of passenger prescreening--or the matching of passenger information against terrorist watch lists to identify persons who should undergo additional security scrutiny--for domestic flights, which is currently performed by the air carriers. To do so, TSA is developing Secure Flight. This testimony covers TSA's progress and challenges in (1) developing, managing, and overseeing Secure Flight; (2) coordinating with key stakeholders critical to program operations; (3) addressing key factors that will impact system effectiveness; and (4) minimizing impacts on passenger privacy and protecting passenger rights. This testimony includes information on areas of congressional interest that GAO has previously reported on.
TSA has made some progress in developing and testing the Secure Flight program. However, TSA has not followed a disciplined life cycle approach to manage systems development, or fully defined system requirements. Rather, TSA has followed a rapid development method intended to develop the program quickly. This process has been ad hoc, resulting in project activities being conducted out of sequence, requirements not being fully defined, and documentation containing contradictory information or omissions. Further, while TSA has taken steps to implement an information security management program for protecting information and assets, its efforts are incomplete. Finally, TSA is proceeding to develop Secure Flight without a program management plan containing program schedule and cost estimates. Oversight reviews of the program have also raised questions about program management. Without following a more rigorous and disciplined life cycle process, including defining system requirements, the Secure Flight program is at serious risk of not meeting program goals. Over the past year, TSA has made some progress in managing risks associated with developing Secure Flight, and has recently taken actions that recognize the need to install more rigor and discipline into the development process. TSA has also taken steps to collaborate with Secure Flight stakeholders whose participation is essential to ensuring that passenger and terrorist watch list data are collected and transmitted to support Secure Flight. However, key program stakeholders--including the U.S. Customs and Border Protection, the Terrorist Screening Center, and air carriers--stated that they need more definitive information about system requirements from TSA to plan for their support of the program. In addition, several activities that will affect Secure Flight's effectiveness are under way, or have not yet been decided. For example, TSA conducted name-matching tests, which compared passenger and terrorist screening database data, to evaluate the ability of the system to function. However, TSA has not yet made key policy decisions which could significantly impact program operations, including what passenger data it will require air carriers to provide and the name-matching technologies it will use. Further, Secure Flight's system development documentation does not fully explain how passenger privacy protections are to be met, and TSA has not issued the privacy notices that describe how it will protect passenger data once Secure Flight becomes operational. As a result, it is not possible to assess how TSA is addressing privacy concerns. TSA is also determining how it will provide for redress, as mandated by Congress, to provide aviation passengers with a process to appeal determinations made by the program and correct erroneous information contained within the prescreening process. However, TSA has not finalized its redress polices.
GAO-06-374T, Aviation Security: Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration's Secure Flight Program
This is the accessible text file for GAO report number GAO-06-374T
entitled 'Aviation Security: Significant Management Challenges May
Adversely Affect Implementation of the Transportation Security
Administration's Secure Flight Program' which was released on February
9, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony before the Committee on Commerce, Science, and
Transportation, U.S. Senate:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 10:00 a.m. EST:
Thursday, February 9, 2006:
Aviation Security:
Significant Management Challenges May Adversely Affect Implementation
of the Transportation Security Administration's Secure Flight Program:
Statement of Cathleen A. Berrick, Director, Homeland Security and
Justice Issues:
GAO-06-374T:
GAO Highlights:
Highlights of GAO-06-374T a report to the Committee on Commerce,
Science, and Transportation, U.S. Senate:
Why GAO Did This Study:
After the events of September 11, 2001, Congress created the
Transportation Security Administration (TSA) and directed it to assume
the function of passenger prescreening”or the matching of passenger
information against terrorist watch lists to identify persons who
should undergo additional security scrutiny”for domestic flights, which
is currently performed by the air carriers. To do so, TSA is developing
Secure Flight. This testimony covers TSA‘s progress and challenges in
(1) developing, managing, and overseeing Secure Flight; (2)
coordinating with key stakeholders critical to program operations; (3)
addressing key factors that will impact system effectiveness; and (4)
minimizing impacts on passenger privacy and protecting passenger
rights. This testimony includes information on areas of congressional
interest that GAO has previously reported on.
What GAO Found:
TSA has made some progress in developing and testing the Secure Flight
program. However, TSA has not followed a disciplined life cycle
approach to manage systems development, or fully defined system
requirements. Rather, TSA has followed a rapid development method
intended to develop the program quickly. This process has been ad hoc,
resulting in project activities being conducted out of sequence,
requirements not being fully defined, and documentation containing
contradictory information or omissions. Further, while TSA has taken
steps to implement an information security management program for
protecting information and assets, its efforts are incomplete. Finally,
TSA is proceeding to develop Secure Flight without a program management
plan containing program schedule and cost estimates. Oversight reviews
of the program have also raised questions about program management.
Without following a more rigorous and disciplined life cycle process,
including defining system requirements, the Secure Flight program is at
serious risk of not meeting program goals.
Over the past year, TSA has made some progress in managing risks
associated with developing Secure Flight, and has recently taken
actions that recognize the need to instill more rigor and discipline
into the development process. TSA has also taken steps to collaborate
with Secure Flight stakeholders whose participation is essential to
ensuring that passenger and terrorist watch list data are collected and
transmitted to support Secure Flight. However, key program
stakeholders”including the U.S. Customs and Border Protection, the
Terrorist Screening Center, and air carriers”stated that they need more
definitive information about system requirements from TSA to plan for
their support of the program.
In addition, several activities that will affect Secure Flight‘s
effectiveness are under way, or have not yet been decided. For example,
TSA conducted name-matching tests, which compared passenger and
terrorist screening database data, to evaluate the ability of the
system to function. However, TSA has not yet made key policy decisions
which could significantly impact program operations, including what
passenger data it will require air carriers to provide and the name-
matching technologies it will use.
Further, Secure Flight‘s system development documentation does not
fully explain how passenger privacy protections are to be met, and TSA
has not issued the privacy notices that describe how it will protect
passenger data once Secure Flight becomes operational. As a result, it
is not possible to assess how TSA is addressing privacy concerns. TSA
is also determining how it will provide for redress, as mandated by
Congress, to provide aviation passengers with a process to appeal
determinations made by the program and correct erroneous information
contained within the prescreening process. However, TSA has not
finalized its redress polices.
What GAO Recommends:
In a prior report, GAO recommended that the Department of Homeland
Security (DHS) direct TSA to take several actions to manage risks
associated with Secure Flight‘s development, including finalizing
system requirements and test plans, privacy and redress requirements,
and program cost estimates; and establishing plans to obtain data
needed to operate the system. DHS generally concurred with GAO‘s
recommendations, but has not yet completed the actions it plans to
take.
www.gao.gov/cgi-bin/getrpt?GAO-06-374T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Cathleen A. Berrick (202)
512-3404 or berrickc@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
Thank you for inviting me to participate in today's hearing on the
Transportation Security Administration's (TSA) Secure Flight program.
The purpose of Secure Flight is to enable our government to protect the
public and strengthen aviation security by identifying and scrutinizing
individuals suspected of having ties to terrorism, or who may otherwise
pose a threat to aviation, in order to prevent them from boarding
commercial aircraft in the United States, if warranted, or by
subjecting them to additional security scrutiny prior to boarding an
aircraft. The program also aims to reduce the number of individuals
unnecessarily selected for secondary screening while protecting
passengers' privacy and civil liberties. My testimony today presents
information on the progress TSA has made and the challenges it faces in
(1) developing, managing, and overseeing the Secure Flight program; (2)
coordinating with federal and private sector stakeholders who will play
critical roles in Secure Flight operations; (3) addressing key factors
that will impact system effectiveness; and (4) minimizing program
impacts on passenger privacy and protecting passenger rights.
My testimony is based on our past reviews of the Secure Flight program,
and on preliminary results from our ongoing review of 10 issues related
to the development and implementation of Secure Flight, as mandated by
Public Law 109-90, and as requested by eight congressional
committees.[Footnote 1] (See app. 1 for a description of the 10
issues.) My testimony today updates information presented in our March
2005 report on the status of Secure Flight's development and
implementation,[Footnote 2] including 9 of the 10 areas of
congressional interest.[Footnote 3] In March 2005, we reported that TSA
had made progress in developing and testing Secure Flight, but had not
completed key system testing, had not finalized system requirements or
determined how certain aspects of the program would operate (such as
the basis on which passengers would be selected for preflight
scrutiny), and had not clearly defined the privacy impacts of the
program. At the time, we recommended that TSA take several actions to
manage the risks associated with developing and implementing Secure
Flight, including finalizing system requirements and test plans,
privacy and redress requirements, and program cost estimates.
Today, I present information that suggests that, 3 years after TSA
began developing a program to provide passenger prescreening,
significant challenges remain in developing and implementing the Secure
Flight program. The results I am presenting are based on our review of
available documentation on Secure Flight's systems development and
oversight, policies governing program operations, and our past reports
on the program, and interviews with Department of Homeland Security
(DHS) officials, TSA program officials and their contractors, and other
federal officials who are key stakeholders in the Secure Flight
program. We reviewed TSA's System Development Life Cycle Guidance for
developing information technology systems, and other federal reports
describing best practices in developing and acquiring these systems. We
also reviewed draft TSA documents containing information on the
development and testing of Secure Flight, including concept of
operations, requirements, test plans, and test results. My testimony is
based on TSA documents received, but does not necessarily reflect all
documentation that was only recently made available. In addition to the
TSA documents we have reviewed, we also reviewed reports from the U.S.
Department of Justice Office of the Inspector General (DOJ-OIG), which
reviewed the Secure Flight program, and reports from two oversight
groups that provided advisory recommendations for Secure Flight: DHS's
Privacy and Data Integrity Advisory Committee and TSA's Aviation
Security Advisory Committee Secure Flight Working Group. We interviewed
senior-level TSA officials, including representatives from the Office
of Transportation Threat Analysis and Credentialing, which is
responsible for Secure Flight, and the Office of Transportation
Security Redress (OTSR), to obtain information on Secure Flight's
planning, development, testing, and policy decisions. We also
interviewed representatives from the U.S. Customs and Border Protection
(CBP) and Terrorist Screening Center (TSC)[Footnote 4] to obtain
information about stakeholder coordination. We also interviewed
officials from an air carrier and representatives from aviation trade
organizations regarding issues related to Secure Flight's development
and implementation. In addition, we attended conferences on name-
matching technologies sponsored by MITRE (a federally funded research
and development corporation) and the Office of the Director of National
Intelligence. Our work was conducted from April 2005 to February 2006
in accordance with generally accepted government auditing standards.
Summary:
In developing and managing the Secure Flight program, TSA has not
conducted critical activities in accordance with best practices for
large-scale information technology programs. Specifically, TSA has not
followed a disciplined life cycle approach in developing Secure Flight,
in which all phases of the project are defined by a series of orderly
phases and the development of related documentation. Program officials
stated that they have instead used a rapid development method that was
intended to enable them to develop the program more quickly. However,
as a result of this approach, the development process has been ad hoc,
with project activities conducted out of sequence. For example, program
officials declared the design phase complete before requirements for
designing Secure Flight had been detailed. Our evaluations of major
federal information technology programs, and research by others, has
shown that following a disciplined life cycle management process
decreases the risks associated with acquiring systems. As part of the
life cycle process, TSA must define and document Secure Flight's
requirements--including how Secure Flight is to function and perform,
the data needed for the system to function, how various systems
interconnect, and how system security is achieved. We found that Secure
Flight's requirements documentation contained contradictory and missing
information. TSA officials have acknowledged that they have not
followed a disciplined life cycle approach in developing Secure Flight,
and stated that they are currently rebaselining the program to follow
their standard Systems Development Life cycle process, including
defining system requirements. We also found that while TSA has taken
steps to implement an information security management program for
protecting Secure Flight information and assets, its efforts are
incomplete, based on federal standards and industry best practices.
Without a completed system security program, Secure Flight may not be
adequately protected against unauthorized access and use or disruption,
once the program becomes operational. Finally, TSA is proceeding with
Secure Flight development without an effective program management plan
that contains current program schedules and cost estimates. TSA
officials stated they have not maintained an updated schedule in part
because the agency has not yet promulgated a necessary regulation
requiring commercial air carriers to submit certain passenger data
needed to operate Secure Flight, and air carrier responses to this
regulation can impact when Secure Flight will be operational and at
what cost. While we recognize that program unknowns introduce
uncertainty into the program-planning process, uncertainty is a
practical reality in planning all programs and is not a reason for not
developing plans, including cost and schedule estimates that reflect
known and unknown aspects of the program. Further, several oversight
reviews of the program have been conducted and raise questions about
program management, including the lack of fully defined requirements.
TSA has recently taken actions that recognize the need to instill more
rigor and discipline into the development and management of Secure
Flight, including hiring a program manager with information systems
program management credentials, and more completely defining system
requirements and a program management plan, including the development
of schedules and cost estimates.
TSA has taken steps to collaborate with Secure Flight stakeholders
whose participation is essential to ensuring that passenger and
terrorist watch list data are collected and transmitted for Secure
Flight operations, but additional information and testing are needed to
enable stakeholders to provide the necessary support for the program.
TSA has, for example, drafted policy and technical guidance to help
inform air carriers of their Secure Flight responsibilities, and has
begun receiving feedback from the air carriers on this information. TSA
is also in the early stages of coordinating with U.S. Customs and
Border Protection and the federal Terrorist Screening Center on broader
issues of integration and interoperability related to other people-
screening programs used by the government to combat terrorism. In
addition, TSA has conducted preliminary network connectivity testing
between TSA and federal stakeholders to determine, for example, how
information will be transmitted from CBP to TSA and back. However,
these tests used only dummy data, and were conducted in a controlled
environment, rather than in a real-world operational environment.
According to CBP, without real data, it is not possible to conduct
stress testing to determine if the system can handle the volume of data
traffic that will be required by Secure Flight. TSA acknowledged it has
not determined what the real data volume requirements will be, and
cannot do so until the regulation for air carriers has been issued and
their data management role has been finalized. All key program
stakeholders also stated that additional information is needed before
they can finalize their plans to support Secure Flight operations. A
TSC official stated, for example, that until TSA provides estimates of
the volume of potential name matches that TSC will be required to
screen, TSC cannot make decisions about required resources. Also,
ongoing coordination of prescreening and name-matching initiatives with
CBP and TSC can impact how Secure Flight is implemented.
In addition to collaborating with stakeholders, TSA has, over the past
11 months, made some progress in evaluating factors that could
influence system effectiveness. However, several activities are under
way, or are to be decided, that will also affect Secure Flight's
effectiveness, including operational testing to provide information
about Secure Flight's ability to function. TSA has been testing name-
matching technologies to determine what type of passenger data will be
needed to match against terrorist watch list data. These tests have
been conducted thus far in a controlled, rather than real-world
environment, using historical data, but additional testing is needed to
learn more about how these technologies will perform in an operational
environment. In addition, due to program delays, TSA has not yet
conducted comprehensive end-to-end testing to verify that the entire
system functions as intended, although it had planned to do so last
summer. TSA also has not yet conducted stress testing to determine how
the system will handle peak data volumes. In addition, TSA has not made
key policy decisions for determining the passenger information that air
carriers will be required to collect, the name-matching technologies
that will be used to vet passenger names against terrorist watch list
data; and thresholds that will be set to determine the relative volume
of passengers who are to be identified as potential matches against the
database. TSA plans to finalize decisions on these factors as system
development progresses. However, until these decisions are made, data
requirements will remain unsettled and key stakeholders--in particular,
air carriers--will not have the information they need to assess and
plan for needed changes to their systems to interface with Secure
Flight. On the issue of data quality and accuracy, while the
completeness and accuracy of data contained in the government's
terrorist screening database can never be certain--given the varying
quality of intelligence information gathered, and changes in this
information over time--TSC has established some processes to help
ensure the quality of these data. However, in a review of the TSC's
role in Secure Flight, the Department of Justice Office of Inspector
General found that TSC could not ensure that the information contained
in its databases was complete or accurate. According to a TSC official,
TSA and TSC plan to enter into a letter of agreement that will describe
the data elements from the terrorist-screening database, among other
things, to be used for Secure Flight. To address accuracy, TSA and TSC
plan to work together to identify false positives--passengers
inappropriately matched against data contained in the terrorist-
screening database--by using intelligence analysts to monitor the
accuracy of data matches. An additional factor that could impact the
effectiveness of Secure Flight in identifying known or suspected
terrorists is the system's inability to identify passengers who assume
the identity of another individual by committing identity theft, or who
use false identifying information. Secure Flight is neither intended to
nor designed to address these vulnerabilities.
Because Secure Flight's system development documentation does not fully
address how passenger privacy protections are to be met, it is not
possible to assess potential system impacts on individual privacy
protections. The Privacy Act and the Fair Information Practices--a set
of internationally recognized privacy principles that underlie the
Privacy Act--limit the collection, use, and disclosure of personal
information by federal agencies. TSA officials have stated that they
are committed to meeting the requirements of the Privacy Act and the
Fair Information Practices However, it is not yet evident how this will
be accomplished because TSA has not decided what passenger data
elements it plans to collect, or how such data will be provided by
stakeholders. Further, TSA is in the process of developing but has not
issued the systems of records notice, which is required by the Privacy
Act, or the privacy impact assessment, which is required by the E-
Government Act, that would describe how TSA will protect passenger data
once Secure Flight becomes operational. Moreover, privacy requirements
were not incorporated into the Secure Flight system development process
in a manner that would explain whether personal information will be
collected and maintained in the system in a manner that complies with
privacy and security requirements. In our review of Secure Flight's
system requirements, we found that privacy concerns were broadly
defined in functional requirements documentation, which states that the
Privacy Act must be considered in developing the system. However, these
broad functional requirements have not been translated into specific
system requirements. TSA officials stated that they are completing work
on integrating privacy and requirements into the Secure Flight system
as the program is being developed, and that new privacy notices will be
issued in conjunction with a forthcoming regulation prior to proceeding
with the system's initial operating capability. Until TSA finalizes
these requirements and notices, however, privacy protections and
impacts cannot be assessed. TSA is also determining how it will meet a
congressional mandate that the Secure Flight program include a process
whereby aviation passengers determined to pose a threat to aviation
security may appeal that determination and correct erroneous
information contained within the prescreening system. According to TSA
officials, no final decisions have been made regarding how TSA will
address the redress requirements, but information on the process will
be contained within the privacy notices released in conjunction with
the forthcoming regulation.
Background:
TSA is responsible for securing all modes of transportation while
facilitating commerce and the freedom of movement for the traveling
public. Passenger prescreening is one program among many that TSA uses
to secure the domestic aviation sector. The process of prescreening
passengers--that is, determining whether airline passengers might pose
a security risk before they reach the passenger-screening checkpoint--
is used to focus security efforts on those passengers that represent
the greatest potential threat. Currently, U.S. air carriers conduct
passenger prescreening by comparing passenger names against government-
supplied terrorist watch lists and applying the Computer-Assisted
Passenger Prescreening System rules, known as CAPPS rules.[Footnote 5]
Development of Legacy Passenger Prescreening Systems:
Following the events of September 11, and in accordance with the
requirement set forth in the Aviation and Transportation Security Act
that a computer-assisted passenger prescreening system be used to
evaluate all passengers before they board an aircraft,[Footnote 6] TSA
established the Office of National Risk Assessment to develop and
maintain a capability to prescreen passengers in an effort to protect
U.S. transportation systems and the public against potential
terrorists. In March 2003, this office began developing the second-
generation computer-assisted passenger prescreening system, known as
CAPPS II, to provide improvements over the current prescreening
process, and to screen all passengers flying into, out of, and within
the United States.
Based in part on concerns about privacy and other issues expressed by
us and others, DHS canceled the development of CAPPS II in August 2004
and shortly thereafter announced that it planned to develop a new
passenger prescreening program called Secure Flight. In contrast to
CAPPS II, Secure Flight, among other changes, will only prescreen
passengers flying domestically within the United States, rather than
passengers flying into and out of the United States. Also, the CAPPS
rules will not be implemented as part of Secure Flight, but rather the
rules will continue to be applied by commercial air carriers. Secure
Flight will operate on the Transportation Vetting Platform
(TVP)[Footnote 7]--the underlying infrastructure (hardware and
software) to support the Secure Flight application, including security,
communications, and data management; and, the Secure Flight application
is to perform the functions associated with receiving, vetting, and
returning requests related to the determination of whether passengers
are on government watch lists. This application is also to be
configurable--meaning that it can be quickly adjusted to reflect
changes to workflow parameters. Aspects of Secure Flight are currently
undergoing development and testing, and policy decisions regarding the
operations of the program have not been finalized.[Footnote 8]
Overview of Secure Flight Operations:
As currently envisioned, under Secure Flight, when a passenger makes
flight arrangements, the organization accepting the reservation, such
as the air carrier's reservation office or a travel agent, will enter
passenger name record (PNR) information obtained from the passenger,
which will then be stored in the air carrier's reservation
system.[Footnote 9] While the government will be asking for only
portions of the PNR, the PNR data can include the passenger's name,
phone number, number of bags, seat number, and form of payment, among
other information. Approximately 72 hours prior to the flight, portions
of the passenger data contained in the PNR will be sent to Secure
Flight through a network connection provided by DHS's CBP. Reservations
or changes to reservations that are made less than 72 hours prior to
flight time will be sent immediately to TSA through CBP.
Upon receipt of passenger data, TSA plans to process the passenger data
through the Secure Flight application running on the TVP. During this
process, Secure Flight is to determine if the passenger data match the
data extracted daily from TSC's Terrorist Screening Database (TSDB)--
the information consolidated by TSC from terrorist watch lists to
provide government screeners with a unified set of terrorist-related
information. In addition, TSA will screen against its own watch list
composed of individuals who do not have a nexus to terrorism but who
may pose a threat to aviation security.[Footnote 10]
In order to match passenger data to information contained in the TSDB,
TSC plans to provide TSA with an extract of the TSDB for use in Secure
Flight, and provide updates as they occur. This TSDB subset will
include all individuals classified as either selectees (individuals who
are selected for additional security measures prior to boarding an
aircraft) or no-flys (individuals who will be denied boarding unless
they are cleared by law enforcement personnel).[Footnote 11] To perform
the match, Secure Flight is to compare the passenger, TSDB, and other
watch list data using automated name-matching technologies. When a
possible match is generated, TSA and potentially TSC analysts will
conduct a manual review comparing additional law enforcement and other
government information with passenger data to determine if the person
can be ruled out as a possible match. TSA is to return the matching
results to the air carriers through CBP. Figure 1 illustrates how
Secure Flight is intended to operate.
Figure 1: Planned Operation of Secure Flight:
[See PDF for image]
[A] Information about confirmed no-flies and certain selectees are
shared with appropriate federal agencies which coordinate the
appropriate law enforcement response.
[End of figure]
As shown in figure 1, when the passenger checks in for the flight at
the airport, the passenger is to receive a level of screening based on
his or her designated category. A cleared passenger is to be provided a
boarding pass and allowed to proceed to the screening checkpoint in the
normal manner. A selectee passenger is to receive additional security
scrutiny at the screening checkpoint.[Footnote 12] A no-fly passenger
will not be issued a boarding pass. Instead, appropriate law
enforcement agencies will be notified. Law enforcement officials will
determine whether the individual will be allowed to proceed through the
screening checkpoint or if other actions are warranted, such as
additional questioning of the passenger or taking the passenger into
custody.
TSA Has Not Followed a Disciplined Life Cycle Approach or Fully Defined
System Requirements, Schedule, and Costs:
TSA has not followed a disciplined life cycle approach in developing
Secure Flight, in accordance with best practices for large-scale
information technology programs. Following a disciplined life cycle,
activities and related documentation are to be developed in a logical
sequence. TSA also has not finalized and documented functional and
system requirements that fully link to each other and to source
documents. Without adequately defined requirements, TSA cannot finalize
a system security plan or develop a reliable program schedule or life
cycle cost estimates. In addition to these concerns, other reviews that
have been conducted of Secure Flight have raised questions about the
management of the program.
TSA Has Not Followed a Disciplined Life Cycle Process or Fully Defined
System Requirements but Plans to Address These Issues:
Based on evaluations of major federal information technology programs
like Secure Flight, and research by others, following a disciplined
life cycle management process in which key activities and phases of the
project are conducted in a logical and orderly process and are fully
documented, helps ensure that programs achieve intended goals within
acceptable levels of cost and risk. Such a life cycle process begins
with initial concept definition and continues through requirements
determination to final testing, implementation, and maintenance. TSA
has established a System Development Life Cycle (SDLC) that defines a
series of orderly phases and associated steps and documentation. The
SDLC serves as the mechanism to ensure that systems are effectively
managed and overseen. Figure 2 provides a description of TSA's SDLC
phases and related documentation.
Figure 2: Summary of TSA's System Development Life Cycle Process:
[See PDF for image]
[End of figure]
TSA has not followed its SDLC in developing and managing Secure Flight.
Rather, program officials stated that they have used a rapid
development method that was intended to enable them to develop the
program more quickly. However, these officials could not provide us
with details on how this approach was implemented. As a result, our
analysis of steps performed and documentation developed indicates that
Secure Flight has not been pursued within the context of a logical,
disciplined, system development methodology. Rather the process has
been ad hoc, with project activities conducted out of sequence. For
example, program officials declared that the program's design phase was
completed before system requirements had been adequately detailed, and
key activities have yet to be adequately performed, such as program
planning and defining system requirements. TSA officials acknowledged
that problems arose with Secure Flight as a result of using this
approach. As a result, it is currently unclear what Secure Flight
capabilities are to be developed, by when, at what cost, and what
benefits are to accrue from the program. Without clarification on these
decision points, the program is at risk of failure.
Defining and documenting system requirements is integral to life cycle
development. Based on best practices and our prior work in this area,
the expected capabilities of a system such as Secure Flight should be
defined in terms of requirements for functionality (what the system is
to do), performance (how well the system is to execute functions), data
(what data are needed by what functions, when, and in what form),
interface (what interactions with related and dependent systems are
needed), and security. Further, system requirements should be
unambiguous, consistent with one another, linked (that is, traceable
from one source level to another),[Footnote 13] verifiable, understood
by stakeholders, and fully documented.
TSA has prepared certain Secure Flight requirements documents, and
officials stated that they are now reviewing those requirements
documents.[Footnote 14] We support these review efforts because we
found, in the requirements documents we reviewed, inconsistencies and
ambiguities in requirements documentation for system functions,
performance, data, and security--and that these documents were not
always complete. For example, according to TSA's SDLC guidance and best
practices for developing information technology systems, systems like
Secure Flight should have a comprehensive concept of operations
covering all aspects of the program during the planning phase (see fig.
2). We reported in our March 2005 report that TSA had not yet finalized
a concept of operations, which would describe conceptually the full
range of Secure Flight operations and interfaces with other systems,
and we recommended that it develop one. Since March 2005, TSA documents
refer to numerous concept of operations, such as a long concept of
operations, a short concept of operations, and an initial operational
capability concept of operations. TSA provided a June 2005 concept of
operations for our review, but this document does not contain key
system requirements, such as the high-level requirements for security
and privacy.
In addition, we found that Secure Flight requirements were unclear or
missing. For example, while the requirements that we reviewed state
that the system be available 99 percent of the time, this only covers
the TVP and Secure Flight application. It does not include requirements
for the interfacing systems critical for Secure Flight operations.
Thus, the availability requirements for all of the components of the
Secure Flight system are not yet known. Some data requirements are also
vague or incomplete; for example, one data requirement is that the data
is current, but the meaning of current is not defined. In addition,
only some system security requirements are identified in the security
document provided to us for the TVP, and sections in TSA's Systems
Requirements Specification contain only placeholder notes--"to be
finalized"--for security and privacy requirements.
TSA officials acknowledged that it is important that requirements be
traceable to ensure that they are consistently, completely, and
correctly defined, implemented, and tested. To help accomplish this,
TSA officials stated that they use a requirements tracking tool for
Secure Flight that can align related requirements to different
documents, and thus establish traceability (e.g., it can map the
Systems Requirements Specification to a functional requirements
document). According to program officials, this tool can also be used
for aligning and tracing requirements to test cases (i.e., scenarios
used to determine that the system is working as intended). We found,
however, that requirements for Secure Flight have not been fully
traced. For example, we were not able to trace system capabilities in
contractual documents to the concept of operations and then to the
various requirement documents, to design phase use cases, and to test
cases. In addition, contractor staff we interviewed stated that they
were unable to use this tool to align or trace necessary requirements
without the aid of supplemental information. Without internal alignment
among system documentation relating to requirements, there is not
adequate assurance that the system produced will perform as intended.
In addition, we found that available Secure Flight requirements
documents did not define the system's boundaries, including interfaces,
for each of the stakeholders--that is, the scope of the system from end
to end, from an air carrier to CBP, to TSA, to TSC, and back to TSA,
then again to CBP and air carriers (refer to fig. 1 for an overview of
this process). Defining a system's boundaries is important in ensuring
that system requirements reflect all of the processes that must be
executed to achieve a system's intended purpose. According to TSA's
SDLC guidance, a System Boundary Document is to be developed early in
the system life cycle. However, in its third year of developing a
passenger prescreening system, TSA has not yet prepared such a
document. Although the System Boundary Document was not available, the
program's Systems Security Document does refer to an "accreditation
boundary," which defines the Secure Flight system from the standpoint
of system security accreditation and certification. According to this
definition of what Secure Flight includes, those systems that are
needed to accomplish Secure Flight program goals (e.g., those of
commercial air carriers, CBP, and TSC) are not part of Secure Flight.
If the boundary documents, and thus the requirements, do not reflect
all system processes and connections that need to be performed, the
risk is increased that the system will not achieve Secure Flight's
intended purpose. Moreover, until all system requirements have been
defined, TSA will not be able to stress-test Secure Flight in an
operational, end-to-end mode. In our March 2005 report, we recommended
that TSA finalize its system requirements documents and ensure that
these documents address all system functionality. Although TSA agreed
with our recommendations, the requirements documentation that we
reviewed showed that the agency has not yet completed these activities.
Our evaluations of major federal information technology programs, and
research by others, has shown that following a disciplined life cycle
management process decreases the risks associated with acquiring
systems. The steps and products in the life cycle process each have
important purposes, and they have inherent dependencies among
themselves. Thus, if earlier steps and products are omitted or
deficient, later steps and products will be affected, resulting in
costly and time-consuming rework. For example, a system can be
effectively tested to determine whether it meets requirements only if
these requirements have already been fully defined. Concurrent,
incomplete, and omitted activities in life cycle management exacerbate
the program risks. Life cycle management weaknesses become even more
critical as the program continues, because the size and complexity of
the program will likely only increase, and the later problems are
found, the harder and more costly they will likely be to fix.
In October 2005, Secure Flight's director of development stated in a
memorandum to the assistant TSA administrator responsible for Secure
Flight that by not following a disciplined life cycle approach, in
order to expedite the delivery of Secure Flight, the government had
taken a calculated risk during the requirements definition, design, and
development phases of the program's life cycle development. The
director stated that by prioritizing delivery of the system by a
specified date in lieu of delivering complete documentation, TSA had to
lower its standards of what constituted acceptable engineering
processes and documentation. Since then, TSA officials stated that the
required system documentation associated with each phase of the TSA
life cycle is now being developed to catch up with development efforts.
In addition, TSA recognized that it faces challenges preparing required
systems documentation, and to help in this regard it has recently hired
a certified systems program manager to manage systems development. In
January 2006, this program manager stated that as Secure Flight moves
forward, TSA's SDLC would be followed in order to instill greater rigor
and discipline into the system's development. In addition, TSA plans to
hire a dedicated program director for Secure Flight to manage program
activities, schedules, milestones, costs, and program contractors,
among other things.
Comprehensive System Security Management Program Has Not Yet Been
Established in Accordance with Federal Guidance:
TSA has taken steps to implement an information system security
management program for protecting Secure Flight information and assets.
Secure Flight's security plans and the related security review, which
TSA developed and conducted to establish authority to operate, are
important steps in the system's development. However, the steps related
to system security TSA has taken to date are individually incomplete,
and collectively fall short of a comprehensive system security
management program. Federal guidance and industry best practices
describe critical elements of a comprehensive information system
security management program. Without effective system security
management, it is unlikely that Secure Flight will, for example, be
adequately protected against unauthorized access and use, disruption,
modification, and destruction.
According to National Institute of Standards and Technology
(NIST)[Footnote 15] and Office of Management and Budget (OMB) guidance
under the Federal Information Security Management Act, as well as
industry best practices, a comprehensive system security management
program includes (1) conducting a system wide risk assessment that is
based on system threats and vulnerabilities, (2) developing system
security requirements and related policies and procedures that govern
the operation and use of the system and address identified risks, (3)
certifying that the system is secure based on sufficient review and
testing to demonstrate that the system meets security requirements, and
(4) accrediting the system as secure in an operational setting.
TSA has developed two system security plans--one for the TVP and one
for the Secure Flight application. However, neither of these plans nor
the security activities that TSA has conducted to date are complete.
For example, while security threats and vulnerabilities were assessed
in the documentation and risks were identified in risk assessments,
requirements to address these risks were only partially defined in the
security plan for the TVP, and they were not included at all in the
plan for the Secure Flight application. In addition, the sections on
security requirements and privacy requirements in the System
Requirements Specification document read "to be finalized" with no
further description.
Moreover, we also found that the security systems plans did not reflect
the current level of risk designated for the program. For example,
although the July 15, 2005, System Security Plan for the TVP arrived at
an overall assessment of its exposure to risks as being "medium," an
August 23, 2005, requirements document found that the security risk
level for the TVP was "high." As a system moves from a medium to a high
level of risk, the security requirements become more stringent. TSA has
not provided us with an updated System Security Plan for the TVP that
addressed this greater level of risk by including additional NIST
requirements for a high-risk system. In addition, this TVP System
Security Plan included only about 40 percent of the NIST requirements
associated with a medium-risk system. Without addressing all NIST
requirements, in addition to those required for a high-risk system, TSA
may not have proper controls in place to protect sensitive information.
According to federal guidance and requirements, the determination and
approval of the readiness of a system to securely operate is
accomplished via a certification and accreditation process. On
September 30, 2005, the TSA assistant administrator responsible for
Secure Flight formally granted authority, based on certification and
accreditation results, for the TVP and the Secure Flight application to
operate.[Footnote 16] However, the team performing the certification
found that TSA was unsure whether they tested all components of the
security system for the TVP and the Secure Flight application, because
TSA lacked an effective and comprehensive inventory system. Therefore
the certification team could not determine whether its risk assessments
were complete or accurate. This team also documented 62 security
vulnerabilities for the Secure Flight application and 82 security
vulnerabilities for the TVP. The certification team recommended
authority to operate on the condition that corrective action or
obtaining an exemption for the identified vulnerabilities would be
taken within 90 days or the authority to operate would expire. TSA
officials stated that these vulnerabilities had been addressed except
for three that are being reviewed in a current security audit.
Program Management Plan and Supporting Schedules and Cost Estimates for
Secure Flight Have Not Been Maintained:
TSA has proceeded with Secure Flight development over the past year
without a complete and up-to-date program management plan, and without
associated cost and schedule estimates showing what work will be done
by whom, at what cost, and when. A program management plan can be
viewed as a central instrument for guiding program development. Among
other things, the plan should include a breakout of the work activities
and products that are to be conducted in order to deliver a mission
capability to satisfy stated requirements and produce promised mission
results. This information, in turn, provides the basis for determining
the time frames and resources needed for accomplishing this work,
including the basis for milestones, schedules, and cost estimates. TSA
has not provided us with either the complete and up-to-date program
management plan, or an estimated schedule and costs for Secure Flight.
According to a TSA official, an updated program management plan is
currently being developed and is about 90 percent complete.
In lieu of a program management plan with a schedule and milestones,
TSA has periodically disclosed program milestones. However, the basis
for and meaning of these milestones have not been made clear, and TSA's
progress in meeting these milestones has not been measured and
disclosed. TSA's SDLC and OMB[Footnote 17] guidance require that
programs like Secure Flight provide risk-adjusted schedule goals,
including key milestones, and that programs demonstrate satisfactory
progress toward achieving their stated performance goals. In March
2005, we reported that the milestone that TSA set for achieving initial
operating capability for Secure Flight had slipped from April 2005 to
August 2005. TSA officials stated that TSA revised this milestone to
state that instead of achieving initial operating capability, it would
begin operational testing. This new milestone subsequently slipped
first to September 2005, then to November 2005. Since that time, the
program has not yet begun operational testing or initial operations,
and TSA has not yet produced an updated schedule identifying when
program operations will begin or when other key milestones are to be
achieved to guide program development and implementation. Further,
while agency officials stated that they are now planning for
operational testing of an unspecified capability, no milestone date has
been set for doing so.
TSA officials stated that they have not maintained an updated program
schedule for Secure Flight in part because the agency has not yet
determined the rulemaking approach it will pursue for requiring
commercial air carriers to submit certain passenger data needed to
operate Secure Flight, among other things. Specifically, TSA officials
stated that a schedule with key milestones, such as operational
testing, cannot be set until after air carriers have responded to the
rulemaking and provided their plans and schedules for participating in
Secure Flight. The rulemaking has been pending since the spring of
2005, and the rule remains in draft form and is under review, according
to TSA officials. Once the rule has been issued, TSA officials stated
that air carriers will be given time to respond with their plans and
schedules. TSA officials further stated that until this occurs, and a
decision is made as to how many air carriers will participate in a yet-
to-be-defined initial phase of the program (they are expected to begin
incrementally), a program schedule cannot be set.
Further, TSA has not yet established cost estimates for developing and
deploying either an initial or a full operating capability for Secure
Flight, and it has not developed a life-cycle cost estimate (estimated
costs over the expected life of a program, including direct and
indirect costs and costs of operation and maintenance). TSA also has
not updated its expenditure plan--plans that generally identify near-
term program expenditures--to reflect the cost impact of program
delays, estimated costs associated with obtaining system connectivity
with CBP, or estimated costs expected to be borne by air carriers.
Program and life cycle cost estimates are critical components of sound
program management for the development of any major investment.
Developing cost estimates is also required by OMB guidance and can be
important in making realistic decisions about developing a system.
Expenditure plans are designed to provide lawmakers and other officials
overseeing a program's development with a sufficient understanding of
the system acquisition to permit effective oversight, and to allow for
informed decision making about the use of appropriated funds.
In our March 2005 report, we recommended that TSA develop reliable life
cycle cost estimates and expenditure plans for the Secure Flight
program, in accordance with guidance issued by OMB, in order to provide
program managers and oversight officials with the information needed to
make informed decisions about program development and resource
allocations. Although TSA agreed with our recommendation, it has not
yet provided this information. TSA officials stated that developing
program and life cycle cost estimates for Secure Flight is challenging
because no similar programs exist from which to base cost estimates and
because of the uncertainties surrounding Secure Flight requirements.
Further, they stated that cost estimates cannot be accurately developed
until after system testing is completed and policy decisions have been
made regarding Secure Flight requirements and operations.
Notwithstanding these statements, TSA officials stated that they are
currently assessing program and life cycle costs as part of their
rebaselining and that this new baseline will reflect updated cost,
funding, scheduling, and other aspects of the program's development.
While we recognize that program unknowns introduce uncertainty into the
program-planning process, including estimating tasks, time frames, and
costs, uncertainty is a practical reality in planning all programs and
is not a reason for not developing plans, including cost and schedule
estimates, that reflect known and unknown aspects of the program. In
program planning, assumptions need to be made and disclosed in the
plans, along with the impact of the associated uncertainty on the plans
and estimates. As more information becomes known over the life of the
program, these plans should be updated to recognize and reflect the
greater confidence in activities that can be expressed with estimates.
Program management plans and related schedules and cost estimates--
based on well-defined requirements--are important in making realistic
decisions about a system's development, and can alert an agency to
growing schedule or cost problems and the need for mitigating actions.
Moreover, best practices and related federal guidance emphasize the
need to ensure that programs and projects are implemented at acceptable
costs and within reasonable and expected time frames. Investments such
as Secure Flight are approved on the expectation that programs and
projects will meet certain commitments to produce certain capabilities
and benefits (mission value) within the defined schedule and cost.
Until an updated program management plan and related schedules and cost
estimates and expenditure plans, are prepared for Secure Flight--which
should be developed despite program uncertainties, and updated as more
information is gained--TSA and Congress will not be able to provide
complete oversight over the program's progress in meeting established
commitments.
Oversight Reviews of Secure Flight Have Been Conducted and Raised
Questions about Program Management:
DHS and TSA have executive and advisory oversight mechanisms in place
to oversee Secure Flight. As we reported in March 2005, the DHS
Investment Review Board (IRB)--designed to review certain programs at
key phases of development to help ensure they meet mission needs at
expected levels of costs and risks--reviewed the TVP from which Secure
Flight will operate, in January 2005.[Footnote 18] As a result of this
review, the board withheld approval for the TVP to proceed from
development and testing into production and deployment until a formal
acquisition plan, a plan for integrating and coordinating Secure Flight
with other DHS people-screening programs, and a revised acquisition
program baseline (cost, schedule, and performance parameters) had been
completed. Since that time, TSA has not yet addressed these conditions
and has not obtained approval from the IRB to proceed into production.
DHS officials stated that an IRB review is scheduled to be held in
March 2006--14 months after the IRB last met to examine Secure Flight-
-to review Secure Flight and other people-screening programs, including
international prescreening conducted by CBP. Specifically, the board
will review the acquisition strategy and progress for each program,
focusing, in part, on areas of potential duplication. According to TSA
officials, the agency intends to establish a new program cost,
schedule, and capability baseline for Secure Flight, which will be
provided to the IRB for review.
DHS's Data Privacy and Integrity Advisory Committee also reviewed
Secure Flight during the last year.[Footnote 19] Committee members have
diverse expertise in privacy, security, and emerging technology, and
come from large and small companies, the academic community, and the
nonprofit sector. In December 2005, the committee issued five
recommendations on key aspects of the program, including
recommendations designed to minimize data collection and provide an
effective redress mechanism to passengers who believe they have been
incorrectly identified for additional security scrutiny. TSA officials
stated that they are considering the advisory committees' findings and
recommendations as part of their rebaselining efforts.
In September 2004, TSA appointed an independent working group within
the Aviation Security Advisory Committee,[Footnote 20] composed of
government privacy and security experts, to review Secure Flight. The
working group issued a report in September 2005 that concluded, among
other things, that TSA had not produced a comprehensive policy document
for Secure Flight that could define oversight or governance
responsibilities, nor had it provided an accountability structure for
the program. The group attributed this omission to the lack of a
program-level policy document issued by a senior executive, which would
clearly state program goals. The working group also questioned Secure
Flight's oversight structure and stated that it should focus on the
effectiveness of privacy aspects of the program and, in doing so,
consider oversight regimes for federal law enforcement and U.S.
intelligence activities.
In addition to oversight reviews initiated by DHS and TSA, the DOJ-OIG
issued a report in August 2005 reviewing TSC's role in supporting
Secure Flight.[Footnote 21] In its report, the DOJ-OIG reported that
TSC faced several key factors that were unknown with respect to
supporting Secure Flight, including when the program will begin, the
volume of inquiries it will receive, the number of TSC resources
required to respond to these inquiries, and the quality of the data it
will have to analyze. In light of these findings, the DOJ-OIG report
recommended that, among other things, TSC better prepare itself for
future needs related to Secure Flight by strengthening its budgeting
and staffing processes and by improving coordination with TSA on data
exchange standards. In June 2005, a DOJ-OIG report recommended that TSC
conduct a record-by-record review of the TSDB to improve overall data
quality and integrity. TSC agreed with all recommendations
made.[Footnote 22]
TSA Has Made Progress in Coordinating with Critical Stakeholders but
More Work Remains:
TSA has drafted policy and technical guidance to help inform air
carriers of their Secure Flight responsibilities, and has begun
coordinating with CBP and TSC on Secure Flight requirements and broader
issues of integration and interoperability between Secure Flight and
other people-screening programs. However, TSA has not yet provided
information and technical requirements that all stakeholders need to
finalize their plans to support the program's operations, and to
adequately plan for the resources needed to do so.
TSA Has Begun Collaborating with Key Stakeholders, but Their
Participation Will Be Limited Until System Requirements Have Been
Finalized:
As we reported in March 2005, key federal and commercial stakeholders-
-CBP, TSC, and commercial air carriers--will play a critical role in
the collection and transmission of data needed for Secure Flight to
operate successfully. Accordingly, TSA will need to ensure that
requirements for each stakeholder are determined. For instance, TSA
will need to define how air carriers are to connect to CBP and what
passenger data formats and structures will be used. Although more
remains to be done, TSA has worked to communicate and coordinate
requirements with stakeholders. For example, TSA has maintained weekly
communications with CBP and TSC regarding their roles and
responsibilities related to Secure Flight operations.
TSA has also begun to address air carriers' questions about forthcoming
Secure Flight requirements. For example, TSA Officials have produced
draft air carrier guidance, known as the Secure Flight Data
Transmission Plan Guidance (DTPG).[Footnote 23] The final DTPG is to
include guidance to air carriers addressing the following areas: Secure
Flight's mission overview and objectives, project planning phases,
aircraft operator operations and airport procedures, technical data
requirements, aircraft operator application development, Secure Flight
operations, and system maintenance and support. According to TSA
officials, air carriers have received copies of a partial draft DTPG,
and some air carriers have submitted feedback to Secure Flight's
Airline Implementation and Operations Team that TSA says it is working
to address.
In addition to drafting guidance, TSA has conducted preliminary network
connectivity testing between TSA and federal stakeholders. For example,
messages have been transmitted from CBP to TSA and back. However, such
tests included only dummy data. According to CBP officials, no real-
time passenger data have been used in this testing, and system stress
testing has not yet been conducted.[Footnote 24] Without real-time
passenger data, the official said, CBP cannot estimate total capacity
or conduct stress testing to ensure the system operates effectively.
Further, according to a TSC official, testing has been conducted to
show that a data exchange between the TSC and TSA is functioning, but
the system has not been stress-tested to determine if it can handle the
volume of data traffic that will be required to operate Secure Flight.
According to this official, TSA has not specified what these data
volume requirements will be. TSA officials acknowledged that they have
not yet made this determination and stated that they will not be able
to do so until they (1) issue the rule, and (2) have received the air
carrier plans for participating in Secure Flight based on requirements
identified in the rule.
Although CBP, TSC, and air carrier officials we interviewed
acknowledged TSA's outreach efforts, they cited several areas where
additional information was needed from TSA before they could fully
support Secure Flight. Several CBP officials stated, for example, that
they cannot proceed with establishing connectivity with all air
carriers until DHS publishes the rule--the regulation that will specify
what type of information is to be provided for Secure Flight--and the
air carriers provide their plans for providing this information.
Similarly, a TSC official stated that TSC cannot make key decisions on
how to support Secure Flight until TSA provides estimates of the volume
of potential name matches that TSC will be required to screen, as
identified above. The TSC official stated that without this
information, TSC cannot make decisions about required resources, such
as personnel needed to operate its call center.[Footnote 25] As we
reported in March 2005, air carriers also expressed concerns regarding
the uncertainty of the Secure Flight system and data requirements, and
the impact these requirements may have on the airline industry and
traveling public. Air carriers will not be able to begin to modify
their passenger data systems to record the data attributes--such as
full name and date of birth, which Secure Flight will use to conduct
name matching--until TSA determines and communicates which specific
data attributes are to be used.
Oversight groups that have reviewed Secure Flight agreed that
additional work was needed to improve the flow of information to, and
coordination with, program stakeholders. In its December 2005 report on
Secure Flight, the DHS Data Privacy and Integrity Advisory Committee
stated that TSA needs to be clear with air carriers about what
information it needs now and what information it may consider
requesting in the future, to enable air carriers to avoid sequential
revisions of data-handling systems. Also, in September 2005, the
Aviation Security Advisory Committee working group expressed concerns
about the lack of clarity regarding how Secure Flight will interact
with other screening programs.
Further, in its August 2005 audit of TSC's support of Secure Flight,
the DOJ-OIG reported that TSC officials believed that their ability to
prepare for the implementation of Secure Flight has been hampered by
TSA's failure to make, communicate, and comply with key program and
policy decisions in a timely manner, such as the launch date and volume
of screening to be conducted during initial implementation. In
addition, the report noted that because TSA is unsure about how many
air carriers will participate in the initial phase of the program,
neither TSA nor TSC can know how many passenger records will be
screened, and cannot project the number of watch list hits that will be
forwarded to the TSC for action. Finally, the DOJ-OIG report concluded
that the shifting of critical milestones--including TSA's schedule
slippages over the past year--has affected TSC's ability to adequately
plan for its role in Secure Flight.
Despite TSA's outreach efforts, stakeholder participation in Secure
Flight is dependent on TSA's effort to complete its definition of
requirements and describe these in the rule. Because TSA has not fully
defined system requirements, key stakeholders have not been able to
fully plan for or make needed adjustments to their systems. In our
March 2005 report, we recommended that TSA develop a plan for
establishing connectivity among the air carriers, CBP, and TSC to help
ensure the secure, effective, and timely transmission of data for use
in Secure Flight operations. Although TSA has continued to coordinate
with these key stakeholders, at present the agency has still not
completed the plans and agreements necessary to ensure the effective
support of Secure Flight.
Ongoing Coordination of Prescreening and:
Name-Matching Initiatives Can Impact How Secure Flight Is Implemented:
In January 2006, TSA officials stated that they are in the early stages
of coordinating with CBP on broader issues of integration and
interoperability related to other people-screening programs. These
broader coordination efforts, which are focused on minimizing
duplicative efforts that may exist between the agencies that screen
individuals using watch list data and achieving synergies and
efficiencies, are important because they may affect how Secure Flight
will operate initially and in the future. Specifically, TSA Officials
stated that they are coordinating more closely with CBP's international
prescreening initiatives for passengers on flights bound for the United
States. The Air Transport Association and the Association of European
Airlines--organizations representing air carriers--had requested, among
other things, that both domestic and international prescreening
function through coordinated information connections and avoid
unnecessary duplication of communications, programming, and information
requirements.[Footnote 26]
In response to air carrier concerns, and the initiatives of DHS to
minimize duplicative efforts, officials from both CBP and TSA explained
that they are beginning to work together to ensure that air carriers
have a single interface with the government for prescreening both
domestic and international passengers. TSA and CBP officials further
stated that they will try to use CBP's network to transmit domestic and
international passenger data to and from the air carriers, thus
providing the air carriers with a single interface for sending and
receiving information.[Footnote 27] TSA and CBP officials also stated
that air carriers should receive a common notification about whether a
passenger--domestic or international--requires normal processing,
additional screening, or is not permitted to board a plane. However,
according to these officials, TSA and CBP have not yet resolved other
system differences--such as the fact that their prescreening systems
use different passenger data elements, documentation,[Footnote 28] and
name matching technologies--that could lead to conflicting
notifications that would instruct air carriers to handle a passenger
differently for an international than for a domestic flight. Both TSA
and CBP officials agreed that additional coordination efforts are
needed to resolve these differences, and stated that they plan to work
closely together in developing a prescreening capability for both
domestic and international passengers.[Footnote 29] Decisions made as a
result of further coordination could result in changes to the way that
Secure Flight is implemented.
In addition to coordinating with CBP on international prescreening, TSA
faces additional coordination challenges working with TSC.
Specifically, according to TSC officials, TSC has an initiative under
way to, among other things, better safeguard watch list data.
Currently, TSC exports watch list data to other federal agencies, such
as TSA and the State Department, for use in these agencies' screening
efforts or processes for examining documents and records related to
terrorism. However, TSC is currently developing a new system whereby
watch list data would not be exported, but rather would be maintained
by TSC. This system, called Query, is to serve as a common shared
service that will allow agencies to directly search the TSDB using
TSC's name matching technology for their own purposes. TSC has
conducted limited testing of the system. If TSC chooses to use Query,
TSA will be required to modify the system architecture for Secure
Flight in order to accommodate the new system. According to a TSC
official, this effort could be costly. While TSA acknowledged in its
draft concept of operations plan in June 2005 that Secure Flight would
need to be modified to accommodate TSC's Query "as necessary," the
agency has not made adjustments to its system requirements or conducted
a cost analysis of expected impacts on the Secure Flight program.
Rather, TSA has decided that it will continue developing the Secure
Flight application, which includes TSA's name-matching technologies.
Thus, TSC will need to export watch list data to TSA to support Secure
Flight, once it becomes operational.
Key Factors That Will Influence the Effectiveness of Secure Flight Have
Not Been Finalized or Resolved:
Several activities are under way, or are to be decided, that will
affect Secure Flight's effectiveness, including how operational testing
is conducted, and how data requirements and data accuracy are
determined. TSA has been testing and evaluating name-matching
technologies for determining what type of passenger data will be needed
to match against the TSDB. These tests have been conducted thus far in
a controlled, rather than real-world environment, using historical
data, and additional testing is needed. In addition, TSA has not made
key decisions regarding how the name-matching technologies to be used
by Secure Flight will operate or which data will be used to conduct
name matching. While TSA is not responsible for ensuring the accuracy
of passenger data, the agency must nonetheless advise stakeholders on
data accuracy and quality requirements. Another factor that could
impact the effectiveness of Secure Flight in identifying known or
suspected terrorists is the system's inability to identify passengers
who assume the identity of another individual by committing identity
theft, or passengers who use false identifying information. Secure
Flight is neither intended to nor designed to address these
vulnerabilities.
Tests of Name-Matching Capability Are Under Way, but Full System
Testing Has Not Yet Been Conducted:
TSA has tested--and continues to test--the effectiveness of one aspect
of the Secure Flight system, namely name-matching technologies. These
name-matching tests will help TSA determine what passenger data will be
needed for the system to match most effectively passenger records with
information contained in the TSDB. These tests are critical to defining
data requirements and making decisions about how to configure the name-
matching technologies. Additional tests will need to be conducted in an
operational, real-world environment to fully understand how to
configure the system effectively. This is because the name-matching
tests conducted to date were conducted in a controlled, rather than
real-world, environment--that is, under controlled, or simulated,
conditions. For example, TSA used historic air carrier passenger data
from June 2004 and historic and simulated watch list data to test the
functionality and effectiveness of Secure Flight's name-matching
technologies that match air carrier passenger records with potential
terrorists in the TSDB.
Additional testing beyond name-matching also needs to be conducted,
after TSA rebaselines its program, defines system requirements, and
begins adhering to its SDLC. For example, stress and operational
testing[Footnote 30] would help determine whether Secure Flight can
process the volume of data expected and operate as intended in an
operational environment. As we reported in March 2005, TSA had planned
to conduct a series of operational tests consisting of increasingly
larger increments of the system's functionality until the complete
system was tested. These tests were to begin in June 2005. However, due
to program delays, TSA has not yet conducted this end-to-end testing
needed to verify that the entire system, including any interfaces with
external systems, functions as intended in an operational environment.
TSA also has not yet conducted the stress testing needed to measure the
system's performance and availability in times of particularly heavy
(i.e., peak) loads. Recently, TSA documented its overall strategy for
conducting these tests and developed draft test plans. TSA officials
stated that information about its plans for future testing will be
included in its rebaselined program plan. Until this testing is
complete, it will not be possible to determine whether Secure Flight
will function as intended in an operational environment.
Key Policy Decisions That Will Impact System Effectiveness Have Not
Been Made:
Key policy decisions that will influence the effectiveness of Secure
Flight in identifying passengers who should undergo additional security
scrutiny have not yet been made. These policy decisions include (1)
determining the passenger information that air carriers will be
required to collect and provide for vetting, (2) the name-matching
technologies that will be used to vet passenger data against data
contained in the TSDB, and (3) the thresholds that will be set to
determine when a passenger will be identified as a potential match
against the TSDB. These three decisions, discussed below, are all
critical to ensuring that Secure Flight identifies potential terrorist
threats as effectively as possible while minimizing the number of
potential matches that will require further review by TSA and TSC
analysts.
(1) Determining the passenger information that air carriers will be
required to collect and provide for vetting: TSA needs to decide which
data attributes air carriers will be required to provide in passenger
data to be used to match against data contained in the TSDB, such as
full first, middle, and last name plus other discrete identifiers, such
as date of birth. Using too many data attributes can increase the
difficulty of matching, since the risk of errors or mismatches
increases. Using too few attributes can create an unnecessarily high
number of incorrect matches due to, among other things, the difficulty
of differentiating among similar common names without using further
information. Initial TSA test results have shown that the use of name
and date of birth alone might not be sufficient for decreasing the
number of false positives--that is, passengers inappropriately matched
against data contained in the TSDB.
(2) Selecting name-matching technologies used to vet passenger names
against the TSDB: TSA must determine what type or combination of name-
matching technologies to acquire and implement for Secure Flight, as
these different technologies have different capabilities. For example,
TSA's PNR testing showed that some name-matching technologies are more
capable than others at detecting significant name modifications, which
allows for the matching of two names that contain some variation.
Detecting variation is important because passengers may intentionally
make alterations to their names in an attempt to conceal their
identity. Also, unintentional variations can result from different
translations of nonnative names or data entry errors. For example, some
name-matching technologies might correctly discriminate between "John
Smith" and "John Smythe," others may not. However, name matching
technologies that are best at detecting name variations may also
increase the number of potential matches that will have to be further
reviewed, which could be offset using a combination of name matching
technologies. TSA officials stated in November 2005 that it planned to
continuously evaluate the best name-matching technologies or
combination of technologies to enhance the system in future iterations.
TSA officials recently stated that they had made, but not yet
documented, an initial determination regarding the name-matching
technologies that will be used for Secure Flight and that they plan to
conduct continuous reviews of the name-matching technologies to address
circumstances as they arise.
(3) Selecting thresholds for determining when a possible name match has
occurred: TSA has discretion to determine what constitutes a possible
match between a passenger's data and a TSDB record.[Footnote 31] For
each name that is matched, the name-matching tool will assign a numeric
score that indicates the strength of the potential match.[Footnote 32]
For example, a score of 95 out of 100 would indicate a more likely
match than a score of 85. If TSA were to set the threshold too high,
many names may be cleared and relatively few flagged as possible
matches--that is, there is a possibility that terrorists' names may not
be matched. Conversely, if the threshold were set too low, passengers
may be flagged unnecessarily, and relatively few cleared through the
automated process. As an example of the importance of setting
thresholds, during one of the PNR tests conducted, TSA set the name-
matching threshold at 80, which resulted in over 60 percent of
passengers requiring manual review. Alternatively, when TSA set the
threshold at 95, less than 5 percent of the same group of passenger
records were identified as requiring further review. With about 1.8
million passengers traveling domestically per day, having a threshold
that is too low could produce an unmanageable number of matches--
possibly leading to passenger delays--while setting the threshold too
high could result in the system missing potential terrorists. Although
TSA will not decide how the thresholds should be set until it conducts
additional evaluations, it has indicated that the threshold might be
adjusted to reflect changes in the terrorist threat level. This would
result in Secure Flight flagging more names for potential manual review
in order to ensure greater scrutiny in response to changing conditions.
TSA plans to finalize decisions on these factors as system development
progresses. However, until these decisions are made, requirements will
remain unsettled and key stakeholders--in particular air carriers--will
not have the information they need to assess and plan for changes to
their systems necessary for interfacing with Secure Flight. Air
carriers and reservation companies will also not know which additional
data attributes they may be required to collect from passengers, to
support Secure Flight operations, as reservations are made. These
decisions will also directly influence the number of analysts that TSA
and TSC will need to manually review potential matches to the TSDB.
Accordingly, stakeholders have expressed concern that they have not
been provided information about what these decisions are. They stated
that they are awaiting additional information from TSA in order to move
forward with their plans to interface with and support Secure Flight.
Efforts to Improve Data Quality and Accuracy Are Under Way, but
Additional Work Remains:
Two additional factors that will impact the effectiveness of Secure
Flight are (1) the accuracy and completeness of data contained in TSC's
TSDB and in passenger data submitted by air carriers, and (2) the
ability of TSA and TSC to identify false positives and resolve possible
mistakes during the data matching process, in order to minimize
inconveniencing passengers. According to TSA and TSC officials, the
data attributes that Secure Flight will require for name matching need
to be included in both the passenger data and the TSDB in order for the
automated system to effectively match names between the two lists. As
we reported in March 2005, while the completeness and accuracy of data
contained in the TSDB can never be certain--given the varying quality
of intelligence information gathered, and changes in this information
over time--TSC has established some processes to help ensure the
quality of these data. However, the DOJ-OIG, in its June 2005 review of
TSC,[Footnote 33] found that that the TSC could not ensure that the
information contained in its databases was complete or
accurate.[Footnote 34] According to a TSC official, since the time of
the DOJ-OIG review, TSC has taken several steps to improve the quality
of TSDB records, including conducting a record-by-record review,
updating procedures for a daily review of each new or modified record,
and using automated rules to check the completeness of records received
from other agencies.[Footnote 35] According to this official, TSA and
TSC plan to enter into a letter of agreement that will describe the
TSDB data elements that TSC will produce for TSA, among other things,
to be used for Secure Flight. However, these data requirements have not
yet been determined.
In order to obtain accurate and complete passenger data from air
carriers, TSA plans to describe the required data attributes that must
be contained in passenger data provided to TSA in the forthcoming rule.
TSA also plans to issue a final and complete DTPG to specify the data
formats and other transmission requirements. However, the accuracy and
completeness of the information contained in the passenger data record
will still be dependent on the air carriers' reservations systems and
passengers, and the air carriers' modifications of their systems for
transmitting the data in the proper format. These steps are not
trivial, as indicated by the June 2004 historical passenger data
provided by the air carriers for TSA's name-matching tests. For these
tests, many passenger data records submitted by air carriers were found
to be inaccurate or incomplete, creating problems during the automated
name-matching process. For example, some passenger data included
invalid characters or prefixes, such as "Mr." and "Mrs.," in the name
fields. Other inaccuracies included invalid characters or prefixes,
spelling errors, and inverted birth date information. Additionally,
some of the records had omitted or incomplete data elements necessary
for performing the automated match or were in an unusable format.
In a related effort to address accuracy, TSA and TSC plan to work
together to identify false positives as passenger data are matched
against data in the TSDB and to resolve mistakes to the extent possible
before inconveniencing passengers. The agencies will use intelligence
analysts during the actual matching of passenger data to data contained
in the TSDB to increase the accuracy of data matches. As indicated in
figure 1, when TSA's name-matching technologies indicate a possible
match, TSA analysts are to manually review all of the passenger data
and other information to determine if the passenger can be ruled out as
a match to the TSDB. If a TSA analyst cannot rule out a possible match,
the record will be forwarded to a TSC analyst to conduct a further
review using additional information. According to a TSC official, TSA
and TSC analysts participated in a tabletop exercises to test the
consistency of their respective manual reviews, and found that the
matching logic used by both groups of analysts was consistent. This
official stated that TSA and TSC also tested their operational
procedures, and found gaps in their procedures that are now being
addressed. According to this official, TSA and TSC plan to conduct
additional joint exercises. Completing these exercises will be
important to further understanding the effectiveness of using
intelligence analysts to clear misidentified passengers during Secure
Flight operations.
False Identifying Information and Identity Theft Could Impact the
Security Benefits of Secure Flight:
Another factor that could affect Secure Flight's effectiveness in
identifying known or suspected terrorists is the system's inability to
identify passengers who falsify their identifying information or who
commit identity theft.[Footnote 36] TSA Officials stated that the
program is not intended to or designed to protect against the use of
falsified identities or to detect identity theft. However, TSA
officials stated that the use of commercial data during the name-
matching process may help identify situations in which a passenger
submits fictitious information such as a false address. In the spring
of 2005, a TSA contractor tested the use of commercial data composed of
personally identifiable information (such as name and address) to
determine, among other things, if such data could be used to increase
Secure Flight's effectiveness in identifying false or stolen
identities. However, according to the DHS Data Privacy and Integrity
Advisory Committee report, testing performed to date does not provide a
reasonable case for utilizing commercial data as part of Secure Flight.
TSA officials are not currently pursuing the use of commercial data to
support Secure Flight because the fiscal year 2006 DHS appropriations
act prohibits TSA from using data or databases obtained from or that
remain under the control of a non-federal entity,[Footnote 37]
effectively terminating this type of testing for the duration of fiscal
year 2006.[Footnote 38] Further, TSA officials stated that
incorporating biometrics--technologies that can automate the
identification of people by one or more of their distinct physical or
behavioral characteristics--is not currently envisioned for Secure
Flight. As noted in our previous work, biometric technologies, such as
fingerprint recognition, are being used in other TSA screening
programs.[Footnote 39] Moreover, the current prescreening process of
matching passenger names against no-fly and selectee lists implemented
by air carriers also does not protect against identity theft or the use
of fictitious identities.
Secure Flight Privacy Notices and Passenger Redress Process Cannot Be
Finalized Until Program Requirements Are More Fully Defined:
TSA is aware of, and plans to address, the potential for Secure Flight
to adversely affect travelers' privacy and impact their rights.
However, TSA, as part of its requirements development process, has not
yet clearly identified the privacy impacts of the planned system or the
full actions it plans to take to mitigate them. Nor has the agency
completed its assessment of the potential impact on passenger privacy
of the system in an operational environment or defined its redress
process for Secure Flight because, in part, the operational plans and
system requirements for Secure Flight have not been finalized. TSA
officials stated that they are in the process of reviewing new privacy
notices that will be issued in conjunction with a forthcoming rule
making prior to proceeding with its initial operating capability, and
that these notices will also address certain aspects of Secure Flight's
redress process. Until TSA finalizes system requirements and notices,
however, privacy protections and impacts cannot be assessed.
Privacy Cannot Be Fully Assessed Because System Development
Documentation Does Not Fully Address Privacy Requirements:
The Privacy Act and the Fair Information Practices--a set of
internationally recognized privacy principles that underlie the Privacy
Act--limit the collection, use, and disclosure of personal information
by federal agencies.[Footnote 40] While TSA has reiterated its
commitment to meet the requirements of the Privacy Act and the Fair
Information Practices, it is not yet evident how this will be
accomplished.[Footnote 41] To begin with, TSA has not decided what data
attributes from the PNR it plans to collect, or how such data will be
provided by airlines, through CBP, to TSA. Further, according to TSA
officials, the agency is in the process of developing but has not
issued the system of records notice, which is required by the Privacy
Act,[Footnote 42] or the privacy impact assessment, which is required
by the E-Government Act,[Footnote 43] that would describe how TSA
considered privacy in the development of the system and how it will
protect passenger data once the system becomes operational.
Moreover, privacy requirements were not incorporated into the Secure
Flight system development process in such a way that would explain
whether personal information will be collected and maintained in the
system in a manner that complies with statutory requirements and TSA's
SDLC guidance. One requirement of the privacy impact assessment is that
privacy be addressed in the systems development documentation. In
addition, TSA's SDLC guidance acknowledges that privacy protections
should be planned for and carried out as part of the system development
process. In our review of Secure Flight's system requirements, we found
that privacy concerns were broadly addressed in Secure Flight's
functional requirements, but had not been translated into specific
system requirements. For example, the functional requirements stated
that the Privacy Act must be considered in the development of the
system, but the system requirements documents do not reflect how
privacy protections will be supported by the system. Rather, system
requirements documents state that privacy requirements are "yet to be
finalized." TSA's Privacy Officer stated that she has been
collaborating with the system development team, but this is not evident
in the documents we reviewed.
Without taking steps to ensure that privacy protections are built into
the system requirements, TSA cannot be assured that it will be in
compliance with the Privacy Act once operational, and it runs the risk
of repeating problems it experienced last spring. We reported in July
2005 that TSA's initially issued privacy notices for the Secure Flight
data-processing tests did not meet Privacy Act requirements because
personal information was used in testing in ways that the agency had
not disclosed to the public.[Footnote 44] We explained that in its fall
2004 notices, TSA had informed the public of its plans to use personal
information during Secure Flight testing, including the use of
commercial data in a limited manner. However, these initial notices did
not fully describe how personal information would be collected, used,
and stored for commercial data testing as it was carried out. As a
result, individuals were not fully informed that their personal
information was being collected and used, nor did they have the
opportunity to comment on this or become informed on how they might
exercise their rights of access to their information. Although TSA did
not fully disclose its use of personal information prior to beginning
Secure Flight commercial data testing, the agency issued revised
privacy notices in June 2005 to more fully disclose the nature of the
commercial tests and address the issues disclosed by us.
As we reported in March 2005, until TSA fully defines its operational
plans for Secure Flight and addresses international privacy concerns,
it will remain difficult to determine whether the planned system will
offer reasonable privacy protections to passengers who are subject to
prescreening or mitigate potential impacts on passengers' privacy. At
that time, we recommended that TSA finalize privacy policies and issue
associated documentation prior to Secure Flight achieving initial
operating capability. TSA acknowledged that it needs to publish new
privacy notices to cover the collection, use, and storage of personal
data for Secure Flight's initial and full operating capability, before
beginning operational testing. TSA officials stated that these privacy
notices are currently being reviewed by TSA and DHS and will be
released in conjunction with the forthcoming rulemaking.
TSA Has Not Determined Secure Flight's Redress Process:
Congress mandates that Secure Flight include a process whereby aviation
passengers determined to pose a threat to aviation security may appeal
that determination and correct erroneous information contained within
the prescreening system.[Footnote 45] TSA currently has a process in
place that allows passengers who experience delays, under the current
process run by air carriers, to submit a passenger identity
verification form to TSA and request that the agency place their names
on a cleared list. If, upon review, TSA determines that the passenger's
identity is distinct from the person on a watch list, TSA will add the
passenger's name to its cleared list, and will forward the updated list
to the air carriers. TSA will also notify the passenger of his or her
cleared status and explain that in the future the passenger may still
experience delays.[Footnote 46] Recently, TSA has automated the cleared
list process, enabling the agency to further mitigate inconvenience to
travelers on the cleared list.
The Intelligence Reform and Terrorism Prevention Act, enacted in
December 2004, directs TSA to include certain elements in its Secure
Flight redress policy.[Footnote 47] Specifically, it requires the
establishment of a timely and fair process for individuals identified
as a threat to appeal the determination to TSA and correct any
erroneous information.[Footnote 48] It further requires that TSA
establish a method for maintaining a record of air passengers who have
been misidentified and have corrected erroneous information. To prevent
repeated delays of misidentified passengers, this record must contain
information determined by TSA to authenticate the identity of such a
passenger. In January 2006, TSA officials stated that no final
decisions have been made regarding how TSA will address the relevant
requirements for redress found in the Intelligence Reform and Terrorism
Prevention Act requirements. However, OTSR officials stated that a
cleared list will be part of the process. The June 2005 concept of
operations describes a process where individuals that are frequently
misidentified as being on the TSDB and TSA selectee list can request to
be placed on a list of individuals who have been cleared.
In our March 2005 report, we recommended that TSA finalize its Secure
Flight redress policies and procedures prior to achieving its initial
operating capability. Information concerning aspects of the redress
process will be published before operational tests or full
implementation of the Secure Flight process, and will be contained
within the privacy notices that TSA officials stated will be released
in conjunction with the forthcoming rulemaking. Moving forward, TSA has
assigned a manager to serve as liaison with DHS on privacy and redress
issues.
Concluding Observations:
TSA has continued its development and testing of Secure Flight, but has
made limited progress in addressing longstanding issues related to
system development and testing, program management, and privacy and
redress protections. To make and demonstrate progress on any large-
scale information technology program, such as Secure Flight, an agency
must first adequately define what program capabilities, such as
requirements related to performance, security, privacy, and data
content and accuracy, are to be provided. These requirements can then
in turn be used to produce reliable estimates of what these
capabilities will cost, when they will be delivered, and what mission
value or benefits will accrue as a result. For Secure Flight, well-
defined requirements would provide a guide for developing the system
and a baseline to test the developed system to ensure that it delivers
necessary capabilities, and would help to ensure that key program
areas--such as security, system connectivity, and privacy and redress
protections--are appropriately managed.
When we reported on Secure Flight in March 2005, TSA had committed to
take action on our recommendations to manage the risks associated with
developing and implementing Secure Flight, including finalizing the
concept of operations, system requirements and test plans; completing
formal agreements with CBP and air carriers to obtain passenger data;
developing life cycle cost estimates and a comprehensive set of
critical performance measures; issuing new privacy notices; and putting
a redress process in place. Over the past 11 months, TSA has made some
progress on all of these areas, including conducting further testing of
factors that could influence system effectiveness and corroborating
with key stakeholders. However, TSA has not completed any of the
actions it had scheduled to accomplish. In particular, TSA has not yet
developed complete system requirements or conducted important system
testing (including stress testing), fully established security
measures, made key decisions that will determine system effectiveness,
developed a program management plan and a schedule for accomplishing
program goals, or published updated privacy and redress notices. Taken
as a whole, this lack of progress indicates that the program has not
been effectively managed and is at risk of failure.
While we recognize that TSA faces program uncertainties that can
directly impact Secure Flight's development and progress, uncertainty
is a component of most programs, and should not be used as a reason for
not defining requirements and developing plans and cost estimates, to
manage risk. We believe that Secure Flight, like all programs, can
utilize best practices to develop such plans to manage program
uncertainties.
To its credit, TSA has recently taken actions that recognize the need
to instill more rigor and discipline into the development and
management of Secure Flight, including hiring a program manager with
information systems program management credentials. We also support
TSA's efforts to rebaseline the program, including defining system
requirements and finalizing a program management plan, including the
development of schedules and cost estimates, before proceeding with
program development. In fact, proceeding with operational testing and
completing other key program activities should not be pursued until TSA
puts in place a more disciplined life cycle process and defines system
requirements. In the absence of this and other program information,
such as requirements, capabilities, and benefits, further investment in
this program would be difficult to justify.
We are also encouraged that DHS's IRB--the executive decision making
authorities--has scheduled a review of Secure Flight and other people-
screening programs. Given the potential duplication with CBP's new
initiatives for international prescreening, DHS, TSA, and CBP need to
assess alternative system solutions that should be factored into Secure
Flight's rebaselined program and be the basis for IRB decisions
regarding Secure Flight's future. Notwithstanding these efforts,
however, much work remains to be accomplished before Secure Flight is
positioned to be properly executed so that informed and prudent
investment decisions can be made.
Mr. Chairman, this concludes my prepared statement. I will be pleased
to respond to any questions that you or other members of the committee
have at the appropriate time.
GAO Contacts and Staff Acknowledgments:
For further information about this testimony, please contact Cathleen
Berrick, at 202-512-3404 or at berrickc@gao.gov, or Randolph C. Hite at
202-512-6256 or at hiter@gao.gov.
Other key contributors to this statement were David Alexander, Amy
Bernstein, Mona Nichols Blake, John de Ferrari, Christine Fossett,
Brent Helt, Richard Hung, Thomas Lombardi, C. James Madar, Matthew
Mohning, David Plocher, Karl Seifert, and William Wadsworth.
[End of section]
Appendix I: Legislatively Mandated Secure Flight Issues to be Certified
by DHS and Reviewed by GAO:
Legislative mandated issue (number and short title): 1. Redress
process;
Description of mandated issue: A system of due process exists whereby
aviation passengers determined to pose a threat are either delayed or
prohibited from boarding their scheduled flights by TSA may appeal such
decisions and correct erroneous information contained in CAPPS II or
Secure Flight or other follow-on/successor programs.
Legislative mandated issue (number and short title): 2. Accuracy of
databases and effectiveness of Secure Flight;
Description of mandated issue: The underlying error rate of the
government and private databases that will be used to both establish
identity and assign a risk level to a passenger will not produce a
large number of false positives that will result in a significant
number of passengers being treated mistakenly or security resources
being diverted.
Legislative mandated issue (number and short title): 3. Stress testing;
Description of mandated issue: TSA has stress-tested and demonstrated
the efficacy and accuracy of all search technologies in CAPPS II or
Secure Flight or other follow-on/successor programs and has
demonstrated that CAPPS II or Secure Flight or other follow-
on/successor programs can make an accurate predictive assessment of
those passengers who may constitute a threat to aviation.
Legislative mandated issue (number and short title): 4. Internal
oversight;
Description of mandated issue: The Secretary of Homeland Security has
established an internal oversight board to monitor the manner in which
CAPPS II or Secure Flight or other follow-on/successor programs are
being developed and prepared.
Legislative mandated issue (number and short title): 5. Operational
safeguards;
Description of mandated issue: TSA has built in sufficient operational
safeguards to reduce the opportunities for abuse.
Legislative mandated issue (number and short title): 6. Security
measures;
Description of mandated issue: Substantial security measures are in
place to protect CAPPS II or Secure Flight or other follow-on/successor
programs from unauthorized access by hackers or other intruders.
Legislative mandated issue (number and short title): 7. Oversight of
system use and operation;
Description of mandated issue: TSA has adopted policies establishing
effective oversight of the use and operation of the system.
Legislative mandated issue (number and short title): 8. Privacy
concerns;
Description of mandated issue: There are no specific privacy concerns
with the technological architecture of the system.
Legislative mandated issue (number and short title): 9. Modifications
with respect to intrastate travel to accommodate states with unique air
transportation needs;
Description of mandated issue: TSA has, in accordance with the
requirements of section 44903 (j)(2)(B) of title 49, United States
Code, modified CAPPS II or Secure Flight or other follow-on/successor
programs with respect to intrastate transportation to accommodate
states with unique air transportation needs and passengers who might
otherwise regularly trigger primary selectee status.
Legislative mandated issue (number and short title): 10. Life-cycle
cost estimates and expenditure plans;
Description of mandated issue: Appropriate life-cycle cost estimates,
and expenditure and program plans exist.
Source: GAO.
[End of table]
FOOTNOTES
[1] Section 518 of the Department of Homeland Security Appropriations
Act, 2006 (Pub. L. No. 109-90) requires GAO to report to the Committees
on Appropriations of the Senate and House of Representatives on the 10
issues listed in § 522(a) the Department of Homeland Security
Appropriations Act, 2005 (Pub. L. No. 108-334), not later than 90 days
after the Secretary of the Department of Homeland Security certifies to
the above-named committees that Secure Flight has satisfied the 10
issues. These 10 issues relate to system development and
implementation, effectiveness, program management and oversight, and
privacy and redress. We are also conducting our ongoing review in
response to requests from the United States Senate: the Committee on
Commerce, Science, and Transportation, and its Subcommittee on
Aviation; Committee on Appropriations, Subcommittee on Homeland
Security; Committee on Homeland Security and Governmental Affairs;
Committee on Judiciary; also the House of Representatives: Committee on
Transportation and Infrastructure, Committee on Homeland Security; and
the Chairman of the Committee on Government Reform.
[2] GAO, Aviation Security: Secure Flight Development and Testing Under
Way, but Risks Should Be Managed as System Is Further Developed, GAO-05-
356 (Washington, D.C.: March 2005).
[3] This statement does not provide information on the area of
congressional interest related to modifications with respect to
intrastate travel to accommodate states with unique air transportation
needs because data were not yet available to us on the effect of these
modifications on air carriers.
[4] TSC was established in accordance with Homeland Security
Presidential Directive-6 to consolidate the government's approach to
terrorism screening, including the use of terrorist information for
screening purposes. TSC is an interagency effort involving DHS,
Department of Justice, Department of State, and intelligence community
representatives and is administered by the Federal Bureau of
Investigation.
[5] CAPPS rules are characteristics that are used to select passengers
who require additional security scrutiny. CAPPS rules are Sensitive
Security Information.
[6] Aviation and Transportation Security Act, Pub. L. No. 107-71, §
136, 115 Stat. 597, 637 (2001).
[7] TSA plans to use this centralized vetting capability to identify
terrorist threats in support of various DHS and TSA programs. In
addition to Secure Flight, TSA plans to use the platform to ensure that
persons working at sensitive locations; serving in trusted positions
with respect to the transportation infrastructure; or traveling as
cockpit and cabin crew into, within, and out of the United States are
properly screened depending on their activity within the transportation
system. In addition to supporting the Secure Flight and Crew Vetting
programs, TSA expects to leverage the platform with other applications
such as TSA screeners and screener applicants, commercial truck drivers
with hazardous materials endorsements, aviation workers with access to
secure areas of the airports, alien flight school candidates, and
applicants for TSA's domestic Registered Traveler program.
[8] The Intelligence Reform and Terrorism Prevention Act of 2004
requires that TSA begin to assume responsibility for the passenger
prescreening function within 180 days after the completion of testing.
Pub. L. No. 108-458 § 4012, 118 Stat. 3638, 3714-19 (codified as
amended at 49 U.S.C. § 44903(j)(2)).
[9] This description of the Secure Flight system, as well as the
graphic illustrating the system in figure1, is based on TSA's draft
June 9, 2005, concept of operations, a document that gives a high-level
overview of the Secure Flight system.
[10] TSA also plans to utilize a cleared list as part of the watch list
matching process; the cleared list is composed of individuals who are
frequently misidentified as being on the TSDB and who have applied, and
been approved, to be on the list.
[11] These measures may include additional screening or other law
enforcement actions.
[12] Some selectees will receive a boarding pass from air carriers, but
be required to undergo secondary screening prior to boarding the
aircraft, while other selectees will first be met by law enforcement
personnel, who will determine if the individual should receive a
boarding pass. In addition, air carriers, through their application of
the CAPPS rules, may also designate a passenger as a selectee.
[13] Examples of higher-order sources include legislation, which may
dictate certain requirements, and other system documentation, such as
the operational concept. When requirements are managed well,
traceability can be established from the source requirements to lower-
level requirements and from the lower level back to their source. Such
bidirectional traceability helps determine that all source requirements
have been addressed completely and that all lower-level requirements
can be verified as derived from a valid source.
[14] Key requirements documentation we reviewed included the
Transportation Vetting Platform/Secure Flight System Requirements
Specification (May 13, 2005), the Secure Flight System Security Plan
(July 15, 2005), the Transportation Vetting Platform System Security
Plan (July 15, 2005), Transportation Vetting Platform and Secure Flight
Security Risk Assessment (July 15, 2005), and documentation called for
under Federal Information Processing Standard (FIPS) 199 (August 23,
2005).
[15] The NIST requirements provide guidelines for selecting and
specifying security controls for information systems supporting the
executive agencies of the federal governments. The guidelines apply to
all components of an information system that processes, stores, or
transmits federal information.
[16] An authorization to operate is issued for the information system,
if, after assessing the results of the security certification, the
authorizing official deems that the risk to agency operations, agency
assets, or individuals is acceptable.
[17] OMB, Circular No. A-11, Part 7, Sec. 300. Planning, Budgeting,
Acquisition, and Management of Capital Assets.
[18] The DHS Investment Review Board also reviewed the CAPPS II program
in October 2003 and authorized the program to proceed with the system's
development.
[19] The committee was established under the authority of the Homeland
Security Act, P.L. 107-296, in accordance with the provisions of the
Federal Advisory Committee Act (5 U.S.C. App.2). At the first meeting
of the committee, in April 2005, Secure Flight was recommended as a
program for examination for numerous reasons, including the number of
citizens affected by the program, weaknesses in the program's redress
system identified by us in our March 2005 report, and the program's
potential use as a model for other related DHS efforts.
[20] The Aviation Security Advisory Committee, now within DHS, was
formed in 1989 to provide advice on a variety of aviation security
issues.
[21] Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center's Efforts to Support the Secure Flight
Program, August 2005. Congress requested that the DOJ-OIG evaluate
TSC's plans to support Secure Flight to report these findings to the
House and Senate Appropriations Committees.
[22] Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center, June 2005.
[23] The current draft of the DTPG also includes several appendices
that provide additional, detailed program information to airlines,
including an Interface Control Document containing detailed technical
information such as message content and screen layout, a high-level
technical plan for implementing various components of Secure Flight,
detailed programming specifications for message timing and instructions
for various passenger vetting scenarios, a recommendation that the
airline industry develop an industry standard method for communicating
Full Name (FN) and Date of Birth (DOB), and the system operational test
plans.
[24] Stress testing refers to measuring a system's performance and
availability in times of particularly heavy (i.e., peak) load.
[25] According to the DOJ-OIG, when Secure Flight becomes operational,
TSC anticipates a significantly greater operational workload as a
result of the program and an increased need for staff, space, and
funding.
[26] Correspondence to the Honorable Michael Chertoff, Secretary,
Department of Homeland Security, October 27, 2005.
[27] CBP and TSA officials stated they will use this same network to
transmit data for their respective international and domestic
prescreening efforts. Different addresses on the passenger information
will ensure that TSA and CBP data are routed to the appropriate
handling agencies for screening.
[28] For international prescreening, name-matching is conducted using
data elements from a passport, whereas passports are not required for
domestic flights.
[29] We currently have an on-going review of CBP's international
prescreening process, including assessing the current process for
conducting international passenger prescreening and reviewing the
benefits and challenges of implementing additional or enhanced
international prescreening strategies.
[30] Whereas stress testing is used to determine the maximum capacity
of the system, operational testing is used to ensure that the system
operates as intended, including the people and the information
technology systems operating together in their expected environments.
[31] The name matching process depends on the level of false positive
and false negative matches deemed acceptable. False negatives are
passengers incorrectly not matched to a watch list.
[32] The score is based, in part, on how much weight is given to, say,
name or date of birth relative to each other.
[33] Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center, June 2005. According to the DOJ Office
of the Inspector General's report, some errors in the TSDB might be
corrected by a manual review conducted by intelligence analysts and a
redress process.
[34] We have an ongoing review of the reasons misidentifications occur
using TSDB data, and the efforts by the TSC and other agencies to
reduce these errors.
[35] Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center's Efforts to Support the Secure Flight
Program, August 2005.
[36] Falsifying identifying information involves passenger attempted to
hide their true identities by submitting fictitious identifying
information, such as false addresses, when purchasing tickets. Identity
theft would involve a passenger "stealing" another person's identifying
information, such as name and date of birth, and then using that
identifying information to create fraudulent documents associated with
the identity (such as a driver's license containing the stolen
identifiers with the thief's picture). This is sometimes referred to as
identity fraud.
[37] The Department of Homeland Security Appropriations Act, 2006, Pub.
L. No. 109-90, § 518 (e), 119 Stat. 2064, 2085 (2005).
[38] This prohibition on the use of appropriated funds does not apply
to passenger name record data obtained from air carriers.
[39] GAO, Aviation Security: Challenges in Using Biometric
Technologies, GAO-04-785T (Washington, D.C.: May 19, 2004).
[40] Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified
as amended at 5 U.S.C. § 552a).
[41] Also, in its mandate regarding Secure Flight, Congress asked that
GAO review whether there are any specific privacy concerns with the
technological architecture of the Secure Flight system.
[42] The Privacy Act requires that an agency publish a system of
records notice in the Federal Register upon establishment or revision
of the existence and character of any system of records. See §
552a(e)(4).
[43] The E-Government Act of 2002 requires agencies to conduct a
privacy impact assessment before developing systems that collect,
maintain, or disseminate information in an identifiable form. Pub. L.
No. 107-347, 116 Stat. 2899.
[44] GAO, Aviation Security: Transportation Security Administration Did
Not Fully Disclose Uses of Personal Information during Secure Flight
Program Testing in Initial Privacy Notices, but Has Recently Taken
Steps to More Fully Inform the Public, GAO-05-864R (Washington, D.C.:
July 22, 2005).
[45] See Pub. L. Nos. 108-334, § 522(a)(1); and 109-90, § 518(a).
[46] TSA's Office of Transportation Security Redress manages redress
for the current watch list matching process conducted by the air
carriers. Currently OTSR is developing an agency-wide policy for
redress and has interviewed TSA Officials as part of this effort, but
found that Secure Flight requirements were not sufficiently defined for
use in drafting the new policy. TSA officials stated that they are
continuing to discuss the Secure Flight redress process with OSTR.
[47] See Pub. L. No. 108-458, § 4012(a) (codified at 49 U.S.C. §
44903(j)(2)(C), (G)).
[48] This requirement generally addresses principles from both the
Privacy Act--that individuals be able to access and correct their
personal information--and the Fair Information Practice of individual
participation--that individuals be able to know about the collection of
personal information, to access that information, to request
correction, and to challenge the denial of such requests. However,
Secure Flight's redress system will be challenging for two significant
reasons. First, much of the information underlying decisions to add
individuals to the TSDB is likely to be classified, and as such will
not be accessible to passengers. Second, TSA does not control the
content of the TSDB that it intends to use as the primary input in
making screening decisions.
