Transportation Security Administration's Office of Intelligence
Responses to Posthearing Questions Regarding Secure Flight Gao ID: GAO-06-1051R August 4, 2006This letter responds to Congress's request for additional information related to Congress's June 14, 2006, hearing on the progress and challenges of the Transportation Security Administration's (TSA) Office of Intelligence. As discussed in the statement at the hearing, for over 3 years, TSA has faced numerous challenges in developing a federal passenger prescreening program, known currently as Secure Flight, because TSA did not follow a disciplined life cycle development approach.
TSA has faced numerous challenges in developing a federal passenger presreeening program, known currently as Secure Flight, because TSA did not follow a disciplined life cycle development approach. Although TSA made some progress, it suspended the program's development earlier this year to reassess program direction, and it anticipates completing the reassessment by the end of September 2006. Whatever direction Secure Flight takes, TSA needs to follow a disciplined system development approach that fully defines system requirements, schedule, and costs; coordinate with critical stakeholders; ensure system effectiveness through assessing name-matching technologies and policies to match passenger and terrorist watch list data; conduct stress and end-to-end testing that verifies that the entire system functions as intended; and establish privacy protocols and access to a redress process.
GAO-06-1051R, Transportation Security Administration's Office of Intelligence: Responses to Posthearing Questions Regarding Secure Flight
This is the accessible text file for GAO report number GAO-06-1051R
entitled 'Transportation Security Administration's Office of
Intelligence: Responses to Posthearing Questions Regarding Secure
Flight' which was released on August 7, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
August 4, 2006:
The Honorable Rob Simmons:
Chairman:
Subcommittee on Intelligence, Information Sharing and Terrorism Risk
Assessment:
Committee on Homeland Security:
House of Representatives:
Subject: Transportation Security Administration's Office of
Intelligence: Responses to Posthearing Questions Regarding Secure
Flight:
Dear Mr. Chairman:
This letter responds to your request for additional information related
to the subcommittee's June 14, 2006, hearing on the progress and
challenges of the Transportation Security Administration's (TSA) Office
of Intelligence. Enclosed are our responses to the supplemental
questions you submitted for the record. Our responses are based largely
on information contained in our report entitled Aviation Security:
Secure Flight Development and Testing Under Way, but Risks Should Be
Managed as System Is Further Developed (GAO-05-356, March 28, 2005),
and our testimonies entitled Aviation Security: Significant Management
Challenges May Adversely Affect Implementation of the Transportation
Security Administration's Secure Flight Program (GAO-06-374T, February
9, 2006), and Aviation Security: Management Challenges Remain for the
Transportation Security Administration's Secure Flight Program (GAO- 06-
864T, June 14, 2006).
As discussed in my statement at the hearing, for over 3 years, TSA has
faced numerous challenges in developing a federal passenger
prescreening program, known currently as Secure Flight, because TSA did
not follow a disciplined life cycle development approach. Although TSA
made some progress, it suspended the program's development earlier this
year to reassess program direction, and it anticipates completing the
reassessment by the end of September 2006. Whatever direction Secure
Flight takes, TSA needs to follow a disciplined system development
approach that fully defines system requirements, schedule, and costs;
coordinate with critical stakeholders; ensure system effectiveness
through assessing name-matching technologies and policies to match
passenger and terrorist watch list data; conduct stress and end-to-end
testing that verifies that the entire system functions as intended; and
establish privacy protocols and access to a redress process.
If you have any further questions or would like to discuss any of the
issues in more detail, I can be reached at (202) 512-3404 or
berrickc@gao.gov.
Sincerely yours,
Signed by:
Cathleen A. Berrick:
Director:
Homeland Security and Justice Issues:
Enclosure--1:
Response to Supplemental Questions for the Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk Assessment,
Committee on Homeland Security, House of Representatives:
Hearing on:
The Transportation Security Administration's Office of Intelligence:
Progress and Challenges:
June 14, 2006:
Ms. Berrick, what benefits will Secure Flight provide, once developed,
over the current passenger prescreening process managed by air
carriers?
Answer:
1. Until the Transportation Security Administration (TSA) completes its
Secure Flight rebaselining efforts[Footnote 1] and decisions are made
regarding the future direction of the program, the specific goals or
benefits expected from Secure Flight over the current air carrier
prescreening are uncertain. However, TSA officials have stated in the
past that Secure Flight would:
* transfer the passenger name-matching process from the air carriers to
the federal government,
* provide a uniform and consistent prescreening name-matching process
by using the same name-matching technology,
* utilize more exhaustive watch list information than is currently
provided to the air carriers, and:
* maintain a tighter control over sensitive security terrorist watch
list information by eliminating the need to distribute it outside of
the federal government.
As we stated in our February 2006 testimony, over the last 3 years TSA
has faced a number of challenges in developing and implementing Secure
Flight to ensure the program operates effectively. Key factors that
could influence the effectiveness of Secure Flight remain to be
finalized or resolved. More specifically, we stated that the program's
effectiveness would be dependent on TSA:
* assessing name-matching technologies that would be used to vet
passenger names against names in the Terrorist Screening Database
(TSDB) to learn more about how these technologies would perform in an
operational environment,
* performing stress testing to determine the system's capabilities to
handle peak data loads to identify the relative volume of passengers
who can be identified as potential matches against the database, and:
* undertaking a comprehensive end-to-end testing to verify that the
entire system would function as intended.
2. Ms. Berrick, your February 2006 Senate testimony made clear that the
success of Secure Flight depends a great deal on the accuracy and
completeness of records contained within the Terrorist Screening
Center's "master" terrorist watch list--the Terrorist Screening
Database (TSDB). As you know, the Department of Justice Inspector
General found significant problems with the accuracy and completeness
of the TSDB last June. To your knowledge, what progress has the
Terrorist Screening Center (TSC) made in this area, and what is TSA
doing to help ensure the accuracy of name matches against the TSDB?
Answer:
In June 2005, the Department of Justice's Office of the Inspector
General reported that TSC could not ensure the completeness and
accuracy of the data in the TSDB. Since that time, TSC officials stated
that they have established processes to help ensure that the records
within the TSDB, which may be required for Secure Flight, are as
accurate and complete as possible. These processes include:
* conducting a record-by-record review that should improve the quality
of the TSDB records,
* updating procedures for daily review of each new or modified record,
and:
* using automated rules to check the completeness of records received
from other agencies.
As of June 2006, this record-by-record review was still ongoing.
In addition, GAO currently has ongoing reviews of screening agencies'
use of TSDB data that will provide additional information on TSC
efforts to improve the quality of its records and how these efforts
could possibly affect the end users of these data.
3. In your view, Ms Berrick, how central is TSA's Office of
Intelligence to the success of the Secure Flight program, and why?
Answer:
Currently, TSA's Office of Intelligence serves as a liaison between the
intelligence community and the air carriers who use the terrorist watch
list information in their prescreening of passengers. Specifically, the
Office of Intelligence receives watch list data from the Terrorist
Screening Center, prepares it for distribution to the air carriers, and
sends it to the Transportation Security Operations Center, which in
turn posts it to a secure Web site that is accessed by the air carriers
for use in their name-matching processes. When an air carrier cannot
resolve a potential match during its prescreening process, the air
carrier contacts an Office of Intelligence analyst for assistance in
resolving the potential match. If needed, the Office of Intelligence
also contacts Terrorist Screening Center analysts who can access
additional information to try to resolve the potential match. As a
result, the Office of Intelligence plays a key role in current program
operations.
Until TSA completes its Secure Flight rebaselining efforts and
decisions are made regarding the future direction of the program, the
role of the Office of Intelligence and its relationship with Secure
Flight is uncertain. However, Secure Flight's draft June 2005 concept
of operations stated that the program would employ its own analysts to
conduct the manual reviews of passenger names that were potential
matches against the watch lists as a result of the Secure Flight
automated matching process. If assistance was needed in adjudicating a
match, these analysts would notify the Terrorist Screening Center.
These analysts would also notify the Office of Intelligence of
potential passenger matches so it could conduct situational awareness
with the air carrier, and when any inhibited boarding pass was released
to a no-fly passenger who had been cleared through the process.
4. Ms. Berrick, you testified in February that in addition to TSA's
Secure Flight program, Customs and Border Protection (CBP) was
developing a passenger prescreening program to match the names of
international travelers bound for the U.S. against terrorist watch
lists before their flight departs for the U.S. How are TSA and CBP
working together, if at all, to coordinate these programs?
Answer:
As part of its ongoing rebaselining of the Secure Flight program, TSA
has stated that it is collaborating with CBP to provide "one face" to
air carriers for domestic and international passenger prescreening,
that is, a strategic alignment that will allow for the collection and
transmission of passenger data in a unified manner and at a uniform
contact point to address issues that arise during either domestic or
international prescreening processes. In July 2006, TSA officials
stated that they had been meeting weekly with CBP to discuss their
coordination efforts, but did not provide information on the actions
being discussed.
Further, in announcing CBP's Notice of Proposed Rulemaking for its
Advance Passenger Information System (APIS), CBP reaffirmed the
Department of Homeland Security's commitment to a common reporting
process for the airline industry through APIS and TSA's Secure Flight
program. CBP and TSA plan to continue their coordination of Pre-
Departure APIS for international flights and Secure Flight for domestic
flights by leveraging information gained during the Pre-Departure APIS
Notice of Proposed Rulemaking. It is anticipated that TSA and CBP's
joint efforts will allow for the prescreening function to occur through
coordinated information connections and avoid duplication of
communications, programming, and information requirements.
Nevertheless, until TSA completes its rebaselining, how and when TSA
and CBP's passenger prescreening programs will be coordinated remains
uncertain.
5. Ms. Berrick, your February testimony before the Senate mentions that
TSA and TSC should conduct joint exercises to further understand "the
effectiveness of using intelligence analysts to clear misidentified
passengers during Secure Flight operations." What additional joint
exercises are you aware of since this past February, and what kinds of
exercises--in your view--would assist TSA's Office of Intelligence as
it gears up to support Secure Flight? What basic questions should TSA
and the TSC be striving to answer at this point?
Answer:
When TSA began rebaselining Secure Flight in February 2006, it
suspended development and testing of the program. However, prior to
rebaselining, TSA had conducted development and testing activities with
key stakeholders, including the joint exercises with TSC analysts.
Although we encourage TSA to continue its coordination with major
stakeholders--including TSC--in order to develop an effective and
efficient passenger prescreening program, it would be premature to
speculate about the nature of testing needed until TSA announces its
rebaselined program. As TSA continues its rebaselining and before it
resumes development and testing, TSA, in collaboration with
stakeholders including TSC, should address several questions that are
fundamental to Secure Flight's effectiveness, including:
* What passenger data should Secure Flight collect to provide the best
possible results when matched against data contained in the no-fly and
selectee lists, which are derived from the TSDB?
* What TSDB data attributes will be provided by the TSC and what name
matching technologies will Secure Flight use to compare the passenger
data with the TSDB no-fly and selectee watch lists?
* What manual review policies and procedures will be established by TSA
and TSC to determine whether a potential match returned from Secure
Flight's automated matching process is a false positive or an actual
match against the watch list?
6. Ms. Berrick, to your knowledge, is TSA's Secure Flight development
team planning to increase the number of TSA analysts on staff to help
administer the Secure Flight program? What sense do you have about
TSA's capacity to handle the name matching process that will be
required under Secure Flight if a passenger name cannot be
differentiated from a terrorist included on the watch list?
Answer:
TSA's Secure Flight draft June 2005 concept of operations describes
TSA's plans at that time for resolving potential passenger name matches
to the terrorist watch list. While the concept of operations did not
identify the number of analysts required, TSA officials had stated that
they planned to use their own intelligence analysts who were currently
involved in other people screening programs, such as the crew vetting
program. As envisioned in 2005, Secure Flight operational testing was
to begin with two air carriers, which TSA thought they could service
with their current analyst staff or contractors and also provide the
experience needed to more accurately determine the number of analysts
needed for full operations. Until TSA completes its rebaselining of
Secure Flight and establishes specific system requirements, TSA cannot
determine the workload and number of analysts that will be required for
the program. Further, without established system requirements and more
concrete results from TSA's testing of the automated matching system,
we can not assess TSA's capacity to manually review the potential
passenger name matches for air carrier operations in a timely manner.
7. Ms. Berrick, you reported to the Senate Commerce Committee in
February that TSA had not yet clearly identified the privacy impacts of
Secure Flight "or the full actions it plans to take to mitigate them."
What should this Committee be looking at to ensure that if Secure
Flight moves forward, that privacy is properly taken into account?
Answer:
In our previous reports and testimonies on Secure Flight, we
recommended that TSA integrate privacy and other passenger rights
protections into all aspects of Secure Flight operations. Such
protections include statutory requirements, such as the Privacy Act,
and the Fair Information Practices, a set of internationally recognized
privacy principles that limit the collection, use, and disclosure of
personal information by federal agencies. In monitoring this aspect of
Secure Flight's development, the committee could review TSA's system of
records notice and the privacy impact assessment that TSA plans to
complete as part of Secure Flight's rebaselining and continued system
development. These documents will describe how TSA considered privacy
in the development of the system, and how it will protect passenger
data once the system becomes operational.
In addition, the committee could review TSA's plans for redress for
passengers affected by Secure Flight. As we stated in our February and
June 2006 testimonies, TSA currently provides individuals with an
opportunity to seek redress, including a process for passengers who
experience delays under the current name matching conducted by the air
carriers. However, it is not clear if this current system will be used
for Secure Flight or be able to accommodate redress related
specifically to the operation of Secure Flight.
In July 2006, TSA officials reiterated that they plan to address
privacy and redress concerns as they rebaseline and further develop
Secure Flight. Their system of records notice, privacy impact
assessment, and plans for redress will be put forth along with their
announcement of the rebaselined program or a rulemaking that is
supposed to, among other things, describe the passenger data to be
provided by air carriers.
8. Ms. Berrick, you note in your prepared statement today that Secure
Flight "was neither intended nor designed to address" the situation
where a person has assumed another person's identity through identity
theft. In recent weeks, we have learned that millions of veterans may
have had their names and Social Security numbers stolen from the home
of a Department of Veterans Affairs' contractor. Given this
development, should TSA be exploring some sort of identity theft
safeguards as part of the Secure Flight rebaselining effort? What
recommendations, if any, do you have in this regard?
Answer:
Secure Flight was designed to take over the passenger prescreening
responsibility, or the matching of passenger data against terrorist
watch lists prior to a passenger receiving a boarding pass from the air
carriers. TSA officials have stated that Secure Flight represents only
one layer of security within the aviation infrastructure and is not
designed or intended to protect against all vulnerabilities, such as
identity theft. While TSA has recognized that identity theft is a
vulnerability for Secure Flight, the extent to which it will be
addressed under the rebaselined program remains unknown. However, we
believe that this important issue, which will affect Secure Flight's
effectiveness, will also affect other Department of Homeland Security
programs and, therefore, should be addressed by TSA. We do not have any
specific recommendations on how TSA should address this vulnerability
at this time.
9. Ms. Berrick, you state in your prepared remarks that GAO is
supportive of the rebaselining of the Secure Flight program. In your
view, what principles should guide TSA's efforts to get the program
right, and what role does TSA's Office of Intelligence have in this
regard?
Answer:
There are several interrelated principles that should guide TSA in its
development and implementation of the passenger prescreening program.
These principles are:
1. development of a program using the sound management principles in
TSA's System Development Life Cycle, including development of program
goals and requirements, a schedule and the associated costs for
attaining those goals, and an effective program for securing the system
and its data;
2. development of a system that maximizes the accuracy and completeness
of the data used and the effectiveness of the automated tools and
manual processes used for name matching;
3. coordination with stakeholders, including CBP, TSC, and air
carriers; and:
4. establishment of privacy protocols, protection of passenger rights,
and access to redress for passengers impacted by Secure Flight.
TSA has not made clear the role and relationship of the Office of
Intelligence in its efforts to rebaseline the Secure Flight program.
10. Ms. Berrick, over the last three years, GAO's numerous reports and
testimonies on Secure Flight have highlighted significant challenges.
What do you believe are the most formidable challenges facing TSA's
efforts with Secure Flight, and what do you believe TSA must do to
overcome these challenges? How central is the role for TSA's Office of
Intelligence in getting Secure Flight "right" and how should it be
coordinating its efforts with the Terrorist Screening Center and other
entities in this regard?
Answer:
Based on our Secure Flight work over the last three years, four key
challenges have been identified that are directly related to principles
discussed in our response to the previous question. These challenges
are:
1. developing, managing, and overseeing the program through a
comprehensive System Development Life Cycle plan that would include
establishing program goals and systems requirements, developing cost
and schedule estimates that reflect all aspects of the program, and
designing a security program that protects the system and the data it
uses;
2. addressing key factors that will affect the effectiveness of Secure
Flight in identifying individuals on the no-fly and selectee lists that
include (1) assessing passenger name-matching technologies and policies
that will be used to match passenger names against terrorist watch list
data, (2) conducting stress testing to determine how Secure Flight
would handle peak data volumes, and (3) performing comprehensive end-
to-end operational testing to determine that the system performs as
intended;
3. coordinating with federal and private sector stakeholders, such as
CBP, TSC, and air carriers, that play a critical role in collecting,
transmitting, and analyzing the data needed for Secure Flight
operations; and:
4. minimizing program impacts on passenger privacy, protecting
passenger rights, and providing access to redress for passengers
affected by Secure Flight.
Until TSA completes rebaselining Secure Flight and establishes specific
system requirements, it is difficult to determine the exact roles that
TSA's Office of Intelligence, TSC, and other stakeholders will fulfill.
However, no matter what the outcome of TSA's rebaselining is, the
Office of Intelligence and TSC will likely play an important role in
determining whether passengers' names that have been matched to a name
contained in the TSDB are actual matches. For the Office of
Intelligence and TSC to function as part of Secure Flight, TSA will
need to determine the level of staff support that it will require for
each entity so that vetting outcomes can be handled in a timely manner.
(440536):
FOOTNOTES
[1] In early 2006, TSA suspended development of Secure Flight and
initiated a reassessment, or rebaselining, of the program. As of July
2006, TSA was continuing with its rebaselining efforts, which it
expects to complete before the end of September 2006.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
