Maritime Security
One Year Later: A Progress Report on the SAFE Port Act Gao ID: GAO-08-171T October 16, 2007Because the safety and economic security of the United States depend in substantial part on the security of its 361 seaports, the United States has a vital national interest in maritime security. The Security and Accountability for Every Port Act (SAFE Port Act), modified existing legislation and created and codified new programs related to maritime security. The Department of Homeland Security (DHS) and its U.S. Coast Guard, Transportation Security Agency, and U.S. Customs and Border Protection have key maritime security responsibilities. This testimony synthesizes the results of GAO's completed work and preliminary observations from GAO's ongoing work related to the SAFE Port Act pertaining to (1) overall port security, (2) security at individual facilities, and (3) cargo container security. To perform this work GAO visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors.
Federal agencies have improved overall port security efforts by establishing committees to share information with local port stakeholders, taking steps to establish interagency operations centers to monitor port activities, conducting operations such as harbor patrols and vessel escorts, writing port-level plans to prevent and respond to terrorist attacks, testing such plans through exercises, and assessing the security at foreign ports. However, these agencies face resource constraints and other challenges trying to meet the SAFE Port Act's requirements to expand these activities. For example, the Coast Guard faces budget constraints in trying to expand its current command centers and include other agencies at the centers. Similarly, private facilities and federal agencies have taken action to improve security at about 3,000 individual facilities by writing facility-specific security plans, inspecting facilities to ensure they are complying with their plans, and developing special identification cards for workers to prevent terrorists from getting access to secure areas. Federal agencies face challenges trying to meet the act's requirements to expand the scope or speed the implementation of such activities. For example, the Transportation Security Agency missed the act's July 2007 deadline to implement the identification card program at 10 selected ports because of delays in testing equipment and procedures. Federal programs related to the security of cargo containers have also improved as agencies are enhancing systems to identify high-risk cargo, expanding partnerships with other countries to screen containers before they depart for the United States, and working with international organizations to develop a global framework for container security. Federal agencies face challenges implementing container security aspects of the SAFE Port Act and other legislation. For example, Customs and Border Protection must test and implement a new program to screen 100 percent of all incoming containers overseas--a departure from its existing risk-based programs.
GAO-08-171T, Maritime Security: One Year Later: A Progress Report on the SAFE Port Act
This is the accessible text file for GAO report number GAO-08-171T
entitled 'Maritime Security: One Year Later: A Progress Report on the
SAFE Port Act' which was released on October 16, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony before the Committee on Homeland Security and Governmental
Affairs, U.S. Senate:
GAO:
For Release on Delivery Expected at 10:00 a.m. EDT:
Tuesday, October 16, 2007:
Maritime Security:
One Year Later: A Progress Report on the SAFE Port Act:
Statement of Stephen L. Caldwell, Director:
Homeland Security and Justice Issues:
GAO-08-171T:
GAO Highlights:
Highlights of GAO-08-171T, a testimony before the Committee on Homeland
Security and Governmental Affairs, U.S. Senate.
Why GAO Did This Study:
Because the safety and economic security of the United States depend in
substantial part on the security of its 361 seaports, the United States
has a vital national interest in maritime security. The Security and
Accountability for Every Port Act (SAFE Port Act), modified existing
legislation and created and codified new programs related to maritime
security. The Department of Homeland Security (DHS) and its U.S. Coast
Guard, Transportation Security Agency, and U.S. Customs and Border
Protection have key maritime security responsibilities. This testimony
synthesizes the results of GAO‘s completed work and preliminary
observations from GAO‘s ongoing work related to the SAFE Port Act
pertaining to (1) overall port security, (2) security at individual
facilities, and (3) cargo container security. To perform this work GAO
visited domestic and overseas ports; reviewed agency program documents,
port security plans, and post-exercise reports; and interviewed
officials from the federal, state, local, private, and international
sectors.
What GAO Found:
Federal agencies have improved overall port security efforts by
establishing committees to share information with local port
stakeholders, taking steps to establish interagency operations centers
to monitor port activities, conducting operations such as harbor
patrols and vessel escorts, writing port-level plans to prevent and
respond to terrorist attacks, testing such plans through exercises, and
assessing the security at foreign ports. However, these agencies face
resource constraints and other challenges trying to meet the SAFE Port
Act‘s requirements to expand these activities. For example, the Coast
Guard faces budget constraints in trying to expand its current command
centers and include other agencies at the centers.
Similarly, private facilities and federal agencies have taken action to
improve security at about 3,000 individual facilities by writing
facility-specific security plans, inspecting facilities to ensure they
are complying with their plans, and developing special identification
cards for workers to prevent terrorists from getting access to secure
areas. Federal agencies face challenges trying to meet the act‘s
requirements to expand the scope or speed the implementation of such
activities. For example, the Transportation Security Agency missed the
act‘s July 2007 deadline to implement the identification card program
at 10 selected ports because of delays in testing equipment and
procedures.
Federal programs related to the security of cargo containers have also
improved as agencies are enhancing systems to identify high-risk cargo,
expanding partnerships with other countries to screen containers before
they depart for the United States, and working with international
organizations to develop a global framework for container security.
Federal agencies face challenges implementing container security
aspects of the SAFE Port Act and other legislation. For example,
Customs and Border Protection must test and implement a new program to
screen 100 percent of all incoming containers overseas”a departure from
its existing risk-based programs.
Figure: Ports contain a wide variety of activities and infrastructure.
[See PDF for image]
Source: United States Coast Guard.
[End of figure]
What GAO Recommends:
GAO has made recommendations to DHS to develop strategic plans, better
plan the use of its human capital, establish performance measures, and
otherwise improve program operations. DHS has generally concurred with
our recommendations and is making progress implementing them. We
provided a draft of this information to DHS agencies and incorporated
technical comments as appropriate.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.GAO-08-171T]. For more information, contact
Stephen Caldwell (202) 512- 9610 or caldwells@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
I am pleased to be here today to discuss port and cargo security
functions related to provisions of the Security and Accountability for
Every Port Act (SAFE Port Act).[Footnote 1] The nation's 361 seaports
are the gateway for more than 80 percent of our foreign trade.
Worldwide, some 30 large ports, spread across North America, Asia, and
Europe constitute the world's primary, interdependent trading web. Much
of this trade--particularly high-value cargo--enters and leaves in
cargo containers.
In our post 9/11 environment, however, the potential security
weaknesses presented by these economic gateways have become apparent.
Sprawling, easily accessible by water and land, often close to urban
areas, and containing facilities that represent opportunities for
inflicting significant damage as well as causing economic mayhem, ports
present potential terrorist targets. Further, they are potential
conduits for weapons prepared elsewhere and concealed in cargo designed
to move quickly to many locations beyond the ports themselves.
Since the 9/11 attacks, Congress has established a new port security
framework--much of which was set in place by the Maritime
Transportation Security Act (MTSA).[Footnote 2] Enacted in November
2002, MTSA was designed, in part, to help protect the nation's ports
and waterways from terrorist attacks by requiring a wide range of
security improvements. Among the major requirements included in MTSA
were (1) conducting vulnerability assessments for port facilities and
vessels; (2) developing security plans to mitigate identified risks for
the national maritime system, ports, port facilities, and vessels; (3)
developing the Transportation Worker Identification Credential (TWIC),
a biometric identification card to help restrict access to secure areas
to only authorized personnel; and (4) establishing of a process to
assess foreign ports, from which vessels depart on voyages to the
United States. The Department of Homeland Security (DHS)--itself a
creation of the new security environment brought on by the 9/11
attacks--administers much of this framework, which also attempts to
balance security priorities with the need to facilitate legitimate
trade.
The SAFE Port Act, which was enacted in October 2006, is one of the
latest additions to this port security framework. The act made a number
of adjustments to programs within this framework, creating additional
programs or lines of effort and altering others. The SAFE Port Act
created and codified new programs and initiatives, and amended some of
the original provisions of MTSA. The SAFE Port Act included provisions
that (1) codified the Container Security Initiative (CSI) and the
Customs-Trade Partnership Against Terrorism (C-TPAT), two programs
administered by U.S. Customs and Border Protection (CBP) to help reduce
threats associated with cargo shipped in containers, as well as
established the Domestic Nuclear Detection Office (DNDO), which is
responsible for conducting research, development, testing, and
evaluation of radiation detection equipment; (2) required interagency
operational centers where agencies organize to fit the security needs
of the port area at selected ports; (3) set an implementation schedule
and fee restrictions for TWIC; (4) required that all containers
entering high volume U.S. ports be scanned for radiation sources by
December 31, 2007; and (5) required additional data be made available
to CBP for targeting cargo containers for inspection.[Footnote 3] This
statement summarizes our recently completed and ongoing work.
Over the past several years, we have examined and reported on many of
the programs in this new port security framework. This statement is
designed both to provide an overview of what we have earlier reported
about these programs and to describe, with the preliminary information
available, what DHS is doing as a result of the SAFE Port Act
requirements and the challenges the agency faces in doing so. This
statement discusses three key areas and 19 programs, as shown in table
1.
Table 1: Summary of Three Key Areas and 19 Programs in This Statement:
Program: Overall port security.
Program: Overall port security: Area Maritime Security Committees;
Description: Committees consisting of key port stakeholders who share
information and develop port security plans.
Program: Overall port security: Interagency Operational Centers;
Description: Command centers where agencies share information,
coordinate their activities, and coordinate joint efforts.
Program: Overall port security: Port security operations;
Description: Activities to maintain security and deter attacks, such as
boat patrols and vessel escorts.
Program: Overall port security: Area Maritime Security Plans;
Description: Plan laying out local port vulnerabilities,
responsibilities, and some response actions.
Program: Overall port security: Port security exercises;
Description: Exercises among various port stakeholders to test the
effectiveness of port security plans.
Program: Overall port security: Evaluations of security at foreign
ports;
Description: Coast Guard program where officers visit and assess
security conditions at foreign ports.
Program: Port facility security;
Program: Port facility security plans;
Description: Plans that include, among other things, operational and
physical security measures and procedures for responding to security
threats.
Program: Port facility security plans: Port facility security
compliance monitoring;
Description: Coast Guard review of port facility security plans and
compliance with such plans.
Program: Port facility security plans: Transportation Worker
Identification Credential;
Description: Biometric identification cards to be issued to port
workers to help secure access to areas of ports.
Program: Port facility security plans: Background checks;
Description: DHS requirements for persons who enter secure or
restricted areas or transport hazardous cargo.
Program: Container security;
Program: Container security: Automated Targeting System;
Description: Risk-based decision system to determine cargo shipped in
containers requiring inspection.
Program: Container security: Customs In-Bond System;
Description: The in-bond system allows goods to transit the United
States without officially entering U.S. commerce.
Program: Container security: Container Security Initiative;
Description: Stationing CBP officers at foreign ports to help identify
and inspect high-risk cargo to be shipped in containers destined for
the United States.
Program: Container security: Customs-Trade Partnership Against
Terrorism;
Description: Partnership between private companies and CBP to improve
international supply chain security.
Program: Container security: Promoting Global Standards;
Description: Efforts to work with members of the customs and trade
community on approaches to standardizing supply chain security.
Program: Container security: Domestic Nuclear Detection Office;
Description: Research, development, testing and evaluation of radiation
detection equipment to prevent nuclear or radiological materials from
entering the United States.
Program: Container security: Megaports Initiative;
Description: Radiation detection technology at foreign ports to stop
the proliferation of weapons of mass destruction.
Program: Secure Freight Initiative; Description: Combines Container
Security Initiative scanning with Megaports Initiative radiation
detection at foreign ports.
Program: Container security: 100 Percent Container Scanning at Foreign
Ports; Description: Scanning by nonintrusive imaging and radiation
detection equipment of all cargo containers at foreign ports inbound to
the United States by 2012.
Source: GAO.
[End of table]
This statement is organized into three main areas, as follows:
* programs related to overall port security, such as those for
coordinating among stakeholders, conducting security operations,
developing security plans, and conducting exercises to test security
procedures;
* programs related specifically to security at individual facilities,
such as examining security measures and ensuring that only properly
cleared individuals have access to port areas; and,
* programs related specifically to cargo container security, such as
screening containers at ports both here and abroad and forming
partnerships with the private sector.
This statement is based primarily on a body of work we completed in
response to congressional requests and mandates for analysis of
maritime, port, and cargo security efforts of the federal
government.[Footnote 4] In some cases, we provide preliminary
observations from our ongoing work. Thus, the timeliness of the data
that were the basis for our prior reporting varies depending on when
our products were issued and the preliminary observations are subject
to change as we complete our work.
We conducted all of our work in accordance with generally accepted
government auditing standards. To perform both our completed and
ongoing work we visited several domestic and overseas ports; reviewed
agency program documents, port security plans, and post-exercise
reports, and other documents; and interviewed officials from the
federal, state, local, private, and international sectors. The
officials were from a wide variety of port stakeholders to include
Coast Guard, CBP, TSA, port authorities, terminal operators, vessel
operators, foreign governments, and international organizations. While
this body of work does not cover all the provisions of the SAFE Port
Act, it does cover a wide range of these provisions as shown in Table
1.
We provided a draft of the information in this testimony to DHS. DHS
provided technical comments, which we incorporated as appropriate.
Summary:
Regarding overall security at U.S. ports, federal agencies have taken a
number of steps to improve maritime security and implement many aspects
of MTSA. The Coast Guard has established Area Maritime Security
Committees (AMSCs) to coordinate activities and share information among
the various stakeholders at specific ports. The Coast Guard also has
local operations centers where it coordinates its activities. The SAFE
Port Act requires that all high-priority ports have interagency
operational centers no later than 3 years after the act's
enactment.[Footnote 5] Given the capabilities and organization of its
existing centers, the Coast Guard estimates it will cost $260 million
to meet this requirement and has begun evaluating ways to expand
current centers to meet the act's requirements. The Coast Guard also
conducts a number of operations at U.S. ports to deter and prevent
terrorist attacks, such as harbor patrols or vessel escorts. While the
Coast Guard has set specific requirements for the level of these
activities, they are not always able to complete them at some ports due
to resource constraints. The Coast Guard, in collaboration with the
MTSA-required AMSCs, has written port-specific security plans to deter
and respond to terrorist attacks--but these plans do not fully address
recovery issues (e.g., how to reopen a port after an attack) and
natural disasters (e.g., hurricanes or earthquakes). The Coast Guard,
again in collaboration with the AMSCs, has sponsored exercises to test
the port security plans. But the Coast Guard will face challenges, such
as including recovery scenarios, expanding the program in line with
SAFE Port Act requirements to include new scenarios and improve the
communication of lessons learned during exercises. Finally, security in
our own ports is dependent on security in foreign ports where vessels
depart for the United States. The Coast Guard has implemented a MTSA-
required program to work with foreign countries to inspect and
strengthen security at their ports, but will likely face challenges in
hiring and training sufficient staff to meet SAFE Port Act requirements
to increase the frequency of such inspections. A related challenge is
that many of the foreign countries that the Coast Guard has visited--to
include several countries in the Caribbean Basin--are poor and lack the
resources to make major improvements on their own.
Regarding security at approximately 3,000 individual facilities,
federal agencies and the facilities themselves have taken positive
steps. In line with MTSA, facilities have written and implemented
security plans and the Coast Guard has generally inspected such
facilities to verify compliance and take enforcement actions where
necessary. The SAFE Port Act increased requirements for the scope and
frequency of these activities, doubling the frequency of Coast Guard
inspections of facilities and requiring unannounced inspections. The
Coast Guard has issued guidance on how the new requirements are to be
met, but the impact on resource needs remains uncertain. To control
access to individual facilities at ports, MTSA required a program to
develop secure and biometric transportation worker identification
credentials (TWIC). Under the program, transportation workers would
have to undergo background checks to receive TWIC cards. The SAFE Port
Act established a July 1, 2007 milestone for the implementation of the
TWIC program at the 10 highest risk ports. The Transportation Security
Administration (TSA), the agency responsible for implementing TWIC, did
not meet the July deadline, citing the need to conduct additional
testing of the systems and technologies that will be used to enroll the
estimated 770,000 workers that are required to obtain a TWIC card.
Finally, while DHS has created the Screening Coordination Office (SCO)
to better coordinate TWIC with other programs that require background
checks, it will be challenged to fully coordinate all the DHS screening
programs, ensuring that the cost and benefits of potentially
eliminating or keeping different screening programs are properly
considered, and coordinating with other federal screening programs
outside DHS.
Regarding the security of cargo containers--which carry a large volume
of the world's commerce through our ports--CBP has developed a layered
security strategy to identify and inspect containers that may contain
terrorist weapons of mass destruction (WMD). CBP has refined its
Automated Targeting System (ATS) to better analyze shipping information
and identify suspicious containers. However, it does not have the most
up to date information for certain containers--those that transit
beyond the ports as part of the in-bond system, which allows goods to
transit the United States without officially entering U.S. commerce.
CBP has expanded and improved the management of its Container Security
Initiative (CSI) where the agency places U.S. customs officials in
foreign ports to help target and inspect suspicious containers.
Similarly, CBP has expanded and improved the management of its Customs-
Trade Partnership Against Terrorism (C-TPAT) where private companies
agree to improve the security of their supply chains in exchange for
reduced scrutiny over their shipments. The SAFE Port Act codified these
two programs into law and required enhanced management and oversight of
these programs. CBP is working to meet these new requirements, but our
prior and ongoing work suggests that it may face challenges setting
equipment standards and conducting validations of company practices.
Furthermore, our work has shown that the Domestic Nuclear Detection
Office (DNDO) needs to take additional action to ensure adequate
testing of radiation detection equipment that CBP uses at domestic
ports to scan containers for radiation. The Department of Energy (DOE)
is expanding its Megaports program that complements CSI by providing
foreign nations with radiation detection equipment to scan containers
moving through their ports. The SAFE Port Act also required pilot
programs to test new technologies or combine existing technologies to
test the feasibility of scanning all U.S.-bound containers overseas.
More recent legislation required that all containers bound for the
United States be scanned overseas by 2012 with possible extensions for
individual ports. Our preliminary observations suggest this requirement
potentially creates new challenges for CBP in terms of integrating this
with existing programs, working with foreign governments, overcoming
logistical barriers, testing new technology, determining resource
requirements and responsibilities, and other issues.
We have reviewed many of the MTSA and SAFE Port Act related programs
and made prior recommendations to the appropriate agencies to develop
strategic plans, better plan their use of human capital, establish
performance measures, and otherwise improve the operations of these
programs. In general, these agencies have concurred with our
recommendations and are making progress implementing them.
Prior Actions Have Improved Port Security, but Issues Remain:
Port security overall has improved because of the development of
organizations and programs such as AMSCs, Area Maritime Security Plans
(AMSPs), maritime security exercises, and the International Port
Security Program, but challenges to successful implementation of these
efforts remain. Additionally, agencies may face challenges addressing
the additional requirements directed by the SAFE Port Act, such as a
provision that DHS establish interagency operational centers at all
high-priority ports. AMSCs and the Coast Guard's sector command centers
have improved information sharing, but the types and ways information
is shared varies.[Footnote 6] AMSPs, limited to security incidents,
could benefit from unified planning to include an all-hazards approach.
Maritime security exercises would benefit from timely and complete
after action reports, increased collaboration across federal agencies,
and broader port level coordination. The Coast Guard's International
Port Security Program is currently evaluating the antiterrorism
measures maintained at foreign seaports.
Area Maritime Security Committees Share Information and Coast Guard
Plans to Expand Interagency Operational Centers:
Two main types of forums have developed for agencies to coordinate and
share information about port security: area committees and Coast Guard
sector command centers. AMSCs serve as a forum for port stakeholders,
facilitating the dissemination of information through regularly
scheduled meetings, issuance of electronic bulletins, and sharing key
documents. MTSA provided the Coast Guard with the authority to create
AMSCs--composed of federal, state, local, and industry members--that
help to develop the AMSP for the port. As of August 2007, the Coast
Guard had organized 46 AMSCs. Each has flexibility to assemble and
operate in a way that reflects the needs of its port area, resulting in
variations in the number of participants, the types of state and local
organizations involved, and the way in which information is shared.
Some examples of information shared includes assessments of
vulnerabilities at specific port locations, information about potential
threats or suspicious activities, and Coast Guard strategies intended
for use in protecting key infrastructure. As part of an ongoing effort
to improve its awareness of the maritime domain, the Coast Guard
developed 35 sector command centers, four of which operate in
partnership with the U.S. Navy.[Footnote 7]
We have previously reported that both of these types of forums have
helped foster cooperation and information-sharing.[Footnote 8] We
further reported that AMSCs provided a structure to improve the
timeliness, completeness, and usefulness of information sharing between
federal and nonfederal stakeholders. These committees improved upon
previous information-sharing efforts because they established a formal
structure and new procedures for sharing information. In contrast to
AMSCs, the Coast Guard's sector command centers can provide continuous
information about maritime activities and involve various agencies
directly in operational decisions using this information. We have
reported that these centers have improved information sharing, and the
types of information and the way information is shared varies at these
centers depending on their purpose and mission, leadership and
organization, membership, technology, and resources.
The SAFE Port Act called for establishment of interagency operational
centers, directing the Secretary of DHS to establish such centers at
all high-priority ports no later than 3 years after the Act's
enactment. The act required that the centers include a wide range of
agencies and stakeholders and carry out specified maritime security
functions. In addition to authorizing the appropriation of funds and
requiring DHS to provide the Congress a proposed budget and cost-
sharing analysis for establishing the centers, the act directed the new
interagency operational centers to utilize the same compositional and
operational characteristics of existing sector command centers.
According to the Coast Guard, none of the 35 centers meets the
requirements set forth in the SAFE Port Act. Nevertheless, the four
centers the Coast Guard operates in partnership with the Navy are a
significant step in meeting these requirements, according to a senior
Coast Guard official. The Coast Guard is currently piloting various
aspects of future interagency operational centers at existing centers
and is also working with multiple interagency partners to further
develop this project.[Footnote 9] DHS has submitted the required budget
and cost-sharing analysis proposal, which outlines a 5-year plan for
upgrading its centers into future interagency operations centers to
continue to foster information sharing and coordination in the maritime
domain. The Coast Guard estimates the total acquisition cost of
upgrading 24 sectors that encompass the nation's high priority ports
into interagency operations centers will be approximately $260 million,
to include investments in information system, sensor network,
facilities upgrades and expansions. According to the Coast Guard,
future interagency operations centers will allow the Coast Guard and
its partners to use port surveillance with joined tactical and
intelligence information, and share this data with port partners
working side-by-side in expanded facilities.
In our April 2007 testimony, we reported on various challenges the
Coast Guard faces in its information sharing efforts.[Footnote 10]
These challenges include obtaining security clearances for port
security stakeholders and creating effective working relationships with
clearly defined roles and responsibilities. In our past work, we found
the lack of federal security clearances among area committee members
had been routinely cited as a barrier to information sharing.[Footnote
11] In turn, this inability to share classified information may limit
the ability to deter, prevent, and respond to a potential terrorist
attack. The Coast Guard, having lead responsibility in coordinating
maritime information, has made improvements to its program for granting
clearances to area committee members and additional clearances have
been granted to members with a need to know.[Footnote 12] In addition,
the SAFE Port Act includes a specific provision requiring DHS to
sponsor and expedite security clearances for participants in
interagency operational centers. However, the extent to which these
efforts will ultimately improve information sharing is not yet known.
As the Coast Guard expands its relationships with multiple interagency
partners, collaborating and sharing information effectively under new
structures and procedures will be important. While some of the existing
centers achieved results with existing interagency relationships, other
high-priority ports might face challenges establishing new working
relationships among port stakeholders and implementing their own
interagency operational centers. Finally, addressing potential
overlapping responsibilities --such as leadership roles for the Coast
Guard and its interagency partners--will be important to ensure that
actions across the various agencies are clear and coordinated.
Operations to Provide Overall Port Security Face Resource Constraints:
As part of its operations, the Coast Guard has also imposed additional
activities to provide overall port security. The Coast Guard's
operations order, Operation Neptune Shield, first released in 2003,
specifies the level of security activities to be conducted. The order
sets specific activities for each port; however, the amount of each
activity is established based on the port's specific security concerns.
Some examples of security activities include conducting waterborne
security patrols, boarding high-interest vessels, escorting vessels
into ports, and enforcing fixed security zones. When a port security
level increases, the amount of activity the Coast Guard must conduct
also increases.[Footnote 13] The Coast Guard uses monthly field unit
reports to indicate how many of its security activities it is able to
perform. Our review of these field unit reports indicates that many
ports are having difficulty meeting their port security
responsibilities, with resource constraints being a major factor. In an
effort to meet more of its security requirements, the Coast Guard uses
a strategy that includes partnering with other government agencies,
adjusting its activity requirements, and acquiring resources. Despite
these efforts, many ports are still having difficulty meeting their
port security requirements. The Coast Guard is currently studying what
resources are needed to meet certain aspects of its port security
program, but to enhance the effectiveness of its port security
operations, a more comprehensive study to determine all additional
resources and changes to strategy to meet minimum security requirements
may be needed.
Area Maritime Security Plans Are in Place but Need to Address Recovery
and Natural Disasters:
Implementing regulations for MTSA specified that AMSPs include, among
other things, operational and physical security measures in place at
the port under different security levels, details of the security
incident command and response structure, procedures for responding to
security threats including provisions for maintaining operations in the
port, and procedures to facilitate the recovery of the marine
transportation system after a security incident. A Coast Guard
Navigation and Vessel Inspection Circular (NVIC) provided a common
template for AMSPs and specified the responsibilities of port
stakeholders under them.[Footnote 14] As of September 2007, 46 AMSPs
are in place at ports around the country. The Coast Guard approved the
plans by June 1, 2004, and MTSA requires that they be updated at least
every 5 years.
The SAFE Port Act added a requirement to AMSPs, which specified that
they include recovery issues by identifying salvage equipment able to
restore operational trade capacity. This requirement was established to
ensure that the waterways are cleared and the flow of commerce through
United States ports is reestablished as efficiently and quickly as
possible after a security incident. While the Coast Guard sets out the
general priorities for recovery operations in its guidelines for the
development of AMSPs, we have found that this guidance offers limited
instruction and assistance for developing procedures to address
recovery situations.
The Maritime Infrastructure Recovery Plan (MIRP) recognizes the limited
nature of the Coast Guard's guidance and notes the need to further
develop recovery aspects of the AMSPs.[Footnote 15] The MIRP provides
specific recommendations for developing the recovery sections of the
AMSPs. The AMSPs that we reviewed often lacked recovery specifics and
none had been updated to reflect the recommendations made in the MIRP.
The Coast Guard is currently updating the guidance for the AMSPs and
aims to complete the updates by the end of calendar year 2007 so that
the guidance will be ready for the mandatory 5-year re-approval of the
AMSPs in 2009. Coast Guard officials commented that any changes to the
recovery section would need to be consistent with the national
protocols developed for the SAFE Port Act.[Footnote 16] Additionally,
related to recovery planning, the Coast Guard and CBP have developed
specific interagency actions focused on response and recovery. This
should provide the Coast Guard and CBP with immediate security options
for the recovery of ports and commerce.
Further, AMSPs generally do not address natural disasters (i.e., they
do not have an all-hazards approach).[Footnote 17] In a March 2007
report examining how ports are dealing with planning for natural
disasters such as hurricanes and earthquakes, we noted that AMSPs cover
security issues but not other issues that could have a major impact on
a port's ability to support maritime commerce.[Footnote 18] As
currently written, AMSPs are concerned with deterring and, to a lesser
extent, responding to security incidents. We found, however, that
unified consideration of all risks--natural and man-made--faced by a
port may be beneficial. Because of the similarities between the
consequences of terrorist attacks and natural or accidental disasters,
much of the planning for protection, response, and recovery
capabilities is similar across all emergency events. Combining
terrorism and other threats can thus enhance the efficiency of port
planning efforts. This approach also allows port stakeholders to
estimate the relative value of different mitigation alternatives. The
exclusion of certain risks from consideration, or the separate
consideration of a particular type of risk, raises the possibility that
risks will not be accurately assessed or compared, and that too many or
too few resources will be allocated toward mitigation of a particular
risk.
As ports continue to revise and improve their planning efforts,
available evidence indicates that by taking a systemwide approach and
thinking strategically about using resources to mitigate and recover
from all forms of disaster, ports will be able to achieve the most
effective results. AMSPs provide a useful foundation for establishing
an all-hazards approach. While the SAFE Port Act does not call for
expanding AMSPs in this manner, it does contain a requirement that
natural disasters and other emergencies be included in the scenarios to
be tested in the Port Security Exercise Program. On the basis of our
prior work, we found there are challenges in using AMSCs and AMSPs as
the basis for broader all-hazards planning. These challenges include
determining the extent that security plans can serve all-hazards
purposes. We recommended that DHS encourage port stakeholders to use
the AMSCs and MTSA-required AMSPs to discuss all-hazards planning. DHS
concurred with this recommendation.
Maritime Security Exercises Require a Broader Scope and Participation:
The Coast Guard Captain of the Port and the AMSC are required by MTSA
regulations to conduct or participate in exercises to test the
effectiveness of AMSPs annually, with no more than 18 months between
exercises. These exercises--which have been conducted for the past
several years--are designed to continuously improve preparedness by
validating information and procedures in the area plan, identifying
weaknesses and strengths, and practicing command and control within an
incident command/unified command framework. In August 2005, the Coast
Guard and the TSA initiated the Port Security Training Exercise Program
(PortSTEP)--an exercise program designed to involve the entire port
community, including public governmental agencies and private industry,
and intended to improve connectivity of various surface transportation
modes and enhance AMSPs. Between August 2005 and October 2007, the
Coast Guard expected to conduct PortSTEP exercises for 40 area
committees and other port stakeholders. Additionally, the Coast Guard
initiated its own Area Maritime Security Training and Exercise Program
(AMStep) in October 2005. This program was also designed to involve the
entire port community in the implementation of the AMSP. Between the
two programs, PortSTEP and AMStep, all AMSCs have received a port
security exercise each year since inception.
The SAFE Port Act included several new requirements related to security
exercises, such as establishing a Port Security Exercise Program to
test and evaluate the capabilities of governments and port stakeholders
to prevent, prepare for, mitigate against, respond to, and recover from
acts of terrorism, natural disasters, and other emergencies at
facilities that MTSA regulates. The act also required the establishment
of a port security exercise improvement plan process that would
identify, disseminate, and monitor the implementation of lessons
learned and best practices from port security exercises.
Though we have not specifically examined compliance with these new
requirements, our work in examining past exercises suggests that
implementing a successful exercise program faces several
challenges.[Footnote 19]
These challenges include setting the scope of the program to determine
how exercise requirements in the SAFE Port Act differ from area
committee exercises that are currently performed. This is especially
true for incorporating recovery scenarios into exercises. In this past
work, we also found that Coast Guard terrorism exercises frequently
focused on prevention and awareness, but often did not include recovery
activities. According to the Coast Guard, with the recent emphasis on
planning for recovery operations, it has held several exercises over
the past year that have included in part, or solely, recovery
activities. It will be important that future exercises also focus on
recovery operations so public and private stakeholders can cover gaps
that might hinder commerce after a port incident. Other long-standing
challenges include completing after-action reports in a timely and
thorough manner and ensuring that all relevant agencies participate.
According to the Coast Guard, as the primary sponsor of these programs,
it faces a continuing challenge in getting comprehensive participation
in these exercises.
The Coast Guard Is Evaluating the Security of Foreign Ports, but Faces
Resource Challenges:
The security of domestic ports also depends upon security at foreign
ports where cargoes bound for the United States originate. To help
secure the overseas supply chain, MTSA required the Coast Guard to
develop a program to assess security measures in foreign ports and,
among other things, recommend steps necessary to improve security
measures in those ports. The Coast Guard established this program,
called the International Port Security Program, in April 2004. Under
this program, the Coast Guard and host nations review the
implementation of security measures in the host nations' ports against
established security standards, such as the International Maritime
Organization's International Ship and Port Facility Security (ISPS)
Code.[Footnote 20] Coast Guard teams have been established to conduct
country visits, discuss security measures implemented, and collect and
share best practices to help ensure a comprehensive and consistent
approach to maritime security in ports worldwide. The conditions of
these visits, such as timing and locations, are negotiated between the
Coast Guard and the host nation. Coast Guard officials also make annual
visits to the countries to obtain additional observations on the
implementation of security measures and ensure deficiencies found
during the country visits are addressed.[Footnote 21]
Both the SAFE Port Act and other congressional directions have called
for the Coast Guard to increase the pace of its visits to foreign
countries. Although MTSA did not set a time frame for completion of
these visits, the Coast Guard initially set a goal to visit the
approximately 140 countries that conduct maritime trade with the United
States by December 2008. In September 2006, the conference report
accompanying the fiscal year 2007 DHS Appropriations Act directed the
Coast Guard to "double the amount" at which it was conducting its
visits.[Footnote 22] Subsequently, in October 2006, the SAFE Port Act
required the Coast Guard to reassess security measures at the foreign
ports every 3 years. Coast Guard officials said they will comply with
the more stringent requirements and will reassess countries on a 2-year
cycle. With the expedited pace, the Coast Guard now expects to assess
all countries by March 2008, after which reassessments will begin.
We are currently conducting a review of the Coast Guard's International
Port Security Program that evaluates the Coast Guard's implementation
of international enforcement programs. The report, expected to be
issued in early 2008, will cover issues related to the program, such as
the extent to which the program is using a risk-based approach in
carrying out its work, what challenges the program faces as it moves
forward, and the extent to which the observations collected during the
country visits are used by other programs such as the Coast Guard's
port state control inspections and high interest vessel boarding
programs.
As of September 2007, the Coast Guard reported that it has visited 109
countries under this program and plans to visit another 29 more by
March 2008.[Footnote 23] For the countries for which the Coast Guard
has issued a final report, the Coast Guard reported that most had
"substantially implemented the security code," while a few countries
were found to have not yet implemented the ISPS Code and will be
subject to a reassessment or other sanctions. The Coast Guard also
found several facilities needing improvements in areas such as access
controls, communication devices, fencing, and lighting.
While our review is still preliminary, Coast Guard officials told us
that to plan and prepare for the next cycle of reassessments that are
to begin next year, they are considering modifying their current visit
methodology to incorporate a risk-based approach to prioritize the
order and intensity of the next round of country visits. To do this,
they have consulted with a contractor to develop an updated country
risk prioritization model. Under the previous model, the priority
assigned to a country for a visit was weighted heavily towards the
volume of U.S. trade with that country. The new model being considered
is to incorporate other factors, such as corruption and terrorist
activity levels within the countries. Program officials told us that
the details of this revised approach have yet to be finalized.
Coast Guard officials told us that as they complete the first round of
visits and move into the next phase of revisits, challenges still exist
in implementing the program. One challenge identified was that the
faster rate at which foreign ports will now be reassessed will require
hiring and training new staff--a challenge the officials expect will be
made more difficult because experienced personnel who have been with
the program since its inception are being transferred to other
positions as part of the Coast Guard's rotational policy. These
officials will need to be replaced with newly assigned personnel.
Reluctance by some countries to allow the Coast Guard to visit their
ports due to concerns over sovereignty was another challenge cited by
program officials in completing the first round of visits. According to
these officials, before permitting Coast Guard officials to visit their
ports, some countries insisted on visiting and assessing a sample of
U.S. ports. The Coast Guard was able to accommodate their request
through the program's reciprocal visit feature in which the Coast Guard
hosts foreign delegations to visit U.S. ports and observe ISPS Code
implementation in the United States. This subsequently helped gain the
cooperation of the countries in hosting a Coast Guard visit to their
own ports. However, as they begin to revisit countries as part of the
program's next phase, program officials stated that sovereignty
concerns may still be an issue. Some countries may be reluctant to host
a comprehensive country visit on a recurring basis because they believe
the frequency--once every 2 to 3 years--is too high. Sovereignty also
affects the conditions of the visits, such as timing and locations,
because such visits are negotiated between the Coast Guard and the host
nation. Thus the Coast Guard team making the visit could be precluded
from seeing locations that are not in compliance.
Another challenge program officials cite is having limited ability to
help countries build on or enhance their capacity to implement the ISPS
Code requirements. For example, the SAFE Port Act required that GAO
report on various aspects of port security in the Caribbean Basin. We
earlier reported that although the Coast Guard found that most of the
countries had substantially implemented the ISPS Code, some facilities
needed to make improvements or take additional measures.[Footnote 24]
In addition, our discussions with facility operators and government
officials in the region indicated that assistance--such as additional
training--would help enhance their port security. Program officials
stated that while their visits provide opportunities for them to
identify potential areas to improve or help sustain the security
measures put in place, other than sharing best practices or providing
presentations on security practices, the program does not currently
have the resources to directly assist countries with more in-depth
training or technical assistance. To overcome this, program officials
have worked with other agencies (e.g., the Departments of Defense and
State) and international organizations (e.g., the Organization of
American States) to secure funding for training and assistance to
countries where port security conferences have been held (e.g., the
Dominican Republic and the Bahamas). Program officials indicated that
as part of reexamining the approach for the program's next phase, they
will also consider possibilities to improve the program's ability to
provide training and capacity building to countries when a need is
identified.
Port Facility Security Efforts Continue, but Additional Evaluation is
Needed:
To improve the security at individual facilities at ports, many long-
standing programs are underway. However, new challenges to their
successful implementation have emerged. The Coast Guard is required to
conduct assessments of security plans and facility compliance
inspections, but faces challenges in staffing and training to meet the
SAFE Port Act's additional requirements such as the sufficiency of
trained personnel and guidance to conduct facility inspections. TSA's
TWIC program has addressed some of its initial program challenges, but
will continue to face additional challenges as the program rollout
continues. Many steps have been taken to ensure that transportation
workers are properly screened, but redundancies in various background
checks have decreased efficiency and highlighted the need for increased
coordination.
The Coast Guard's Compliance Monitoring of Maritime Facilities
Identifies Deficiencies, but Program Effectiveness Overall Has Not Been
Evaluated:
MTSA and its implementing regulations required owners and operators of
certain maritime facilities (e.g., power stations, chemical
manufacturing facilities, and refineries that are located on waterways
and receive foreign vessels) to conduct assessments of their security
vulnerabilities, develop security plans to mitigate these
vulnerabilities, and implement measures called for in the security
plans by July 1, 2004. Under the Coast Guard regulations, these plans
are to include items such as measures for access control, responses to
security threats, and drills and exercises to train staff and test the
plan.[Footnote 25] The plans are "performance-based," meaning that the
Coast Guard has specified the outcomes it is seeking to achieve and has
given facilities responsibility for identifying and delivering the
measures needed to achieve these outcomes.
Under MTSA, Coast Guard guidance calls for the Coast Guard to conduct
one on-site facility inspection annually to verify continued compliance
with the plan. The SAFE Port Act, enacted in 2006, required the Coast
Guard to conduct at least two inspections--one of which was to be
unannounced--of each facility annually. We currently have ongoing work
that reviews the Coast Guard's oversight strategy under MTSA and SAFE
Port Act requirements. The report, expected later this year, will
cover, among other things, the extent to which the Coast Guard has met
its inspection requirements and found facilities to be in compliance
with its security plans, the sufficiency of trained inspectors and
guidance to conduct facility inspections, and aspects of the Coast
Guard's overall management of its MTSA facility oversight program,
particularly documenting compliance activities.
Our work is preliminary. However, according to our analysis of Coast
Guard records and statements from officials, the Coast Guard seems to
have conducted facility compliance exams annually at most--but not all-
-facilities. Redirection of staff to a higher-priority mission, such as
Hurricane Katrina emergency operations, may have accounted for some
facilities not having received an annual exam. The Coast Guard also
conducted a number of unannounced inspections--about 4,500 in 2006,
concentrated in around 1,200 facilities--prior to the SAFE Port Act's
passage. According to officials we spoke with, the Coast Guard selected
facilities for unannounced inspection based on perceived risk and
inspection convenience (e.g., if inspectors were already at the
facility for another purpose). The Coast Guard has identified facility
plan compliance deficiencies in about one-third of facilities inspected
each year, and the deficiencies identified are concentrated in a small
number of categories (e.g., failure to follow the approved plan for
ensuring facility access control, record keeping, or meeting facility
security officer requirements). We are still in the process of
reviewing the data Coast Guard uses to document compliance activities
and will have additional information in our forthcoming report.
Sectors we visited generally reported having adequate guidance and
staff for conducting consistent compliance exams, but until recently,
little guidance on conducting unannounced inspections, which are often
incorporated into work while performing other mission tasks. Lacking
guidance on unannounced inspections, the process for conducting one
varied considerably in the sectors we visited. For example, inspectors
in one sector found the use of a telescope effective in remotely
observing facility control measures (such as security guard
activities), but these inspectors primarily conduct unannounced
inspections as part of vehicle patrols. Inspectors in another sector
conduct unannounced inspections at night, going up to the security gate
and querying personnel about their security knowledge (e.g., knowledge
of high-security level procedures). As we completed our fieldwork, the
Coast Guard issued a Commandant message with guidance on conducting
unannounced inspections. This message may provide more consistency, but
how the guidance will be applied and its impact on resource needs
remain uncertain. Coast Guard officials said they plan to revise their
primary circular on facility oversight by February 2008. They are also
planning to revise MTSA regulations to conform to SAFE Port Act
requirements in 2009 (in time for the reapproval of facility security
plans) but are behind schedule.
We recommended in June 2004 that the Coast Guard evaluate its
compliance inspection efforts taken during the initial 6-month period
after July 1, 2004, and use the results to strengthen its long-term
strategy for ensuring compliance.[Footnote 26] The Coast Guard agreed
with this recommendation. Nevertheless, based on our ongoing work, it
appears that the Coast Guard has not conducted a comprehensive
evaluation of its oversight program to identify strengths or target
areas for improvement after 3 years of program implementation. Our
prior work across a wide range of public and private-sector
organizations shows that high-performing organizations continuously
assess their performance with information about results based on their
activities.[Footnote 27] For decision makers to assess program
strategies, guidance, and resources, they need accurate and complete
data reflecting program activities. We are currently reviewing the
accuracy and completeness of Coast Guard compliance data and will
report on this issue later this year.
TSA Has Made Progress in Implementing the TWIC Program, but Key
Deadline Has Been Missed as TSA Evaluates Test Program:
To control access to secure areas of port facilities and vessels, the
Secretary of DHS was required by MTSA to, among other things, issue a
transportation worker identification card that uses biometrics, such as
fingerprints. TSA had already initiated a program to create an
identification credential that could be used by workers in all modes of
transportation when MTSA was enacted. This program, called the TWIC
program, is designed to collect personal and biometric information to
validate workers' identities, conduct background checks on
transportation workers to ensure they do not pose a threat to security,
issue tamper-resistant biometric credentials that cannot be
counterfeited, verify these credentials using biometric access control
systems before a worker is granted unescorted access to a secure area,
and revoke credentials if disqualifying information is discovered, or
if a card is lost, damaged, or stolen. TSA, in partnership with the
Coast Guard, is focusing initial implementation on maritime facilities.
We have previously reported on the status of this program and the
challenges that it faces.[Footnote 28] Most recently, we reported that
TSA has made progress in implementing the TWIC program and addressing
problems we previously identified regarding contract planning and
oversight and coordination with stakeholders.[Footnote 29] For example,
TSA reported that it added staff with program and contract management
expertise to help oversee the contract and developed plans for
conducting public outreach and education efforts.
The SAFE Port Act required TSA to implement TWIC at the 10 highest-risk
ports by July 1, 2007, conduct a pilot program to test TWIC access
control technologies in the maritime environment; issue regulations
requiring TWIC card readers based on the findings of the pilot; and
periodically report to Congress on the status of the program. However,
TSA did not meet the July 1 deadline, citing the need to conduct
additional testing of the systems and technologies that will be used to
enroll the estimated 770,000 workers that will be required to obtain a
TWIC card. According to TSA officials, the agency plans to complete
this testing and begin enrolling workers at the Port of Wilmington on
October 16, 2007, and begin enrolling workers at additional ports in
November 2007.[Footnote 30] TSA is also in the process of conducting a
pilot program to test TWIC access control technologies in the maritime
environment that will include a variety of maritime facilities and
vessels in multiple geographic locations. According to TSA, the results
of the pilot program will help the agency issue future regulations that
will require the installation of access control systems necessary to
read the TWIC cards.
It is important that TSA establish clear and reasonable time frames for
implementing TWIC as the agency begins enrolling workers and issuing
TWIC cards in October. TSA could face additional challenges as the TWIC
implementation progresses; these include monitoring the effectiveness
of contract planning and oversight. TSA has developed a quality
assurance surveillance plan with performance metrics that the
enrollment contractor must meet to receive payment. The agency has also
taken steps to strengthen government oversight of the TWIC contract by
adding staff with program and contract management expertise. However,
the effectiveness of these steps will not be clear until implementation
of the TWIC program begins. Ensuring a successful enrollment process
for the program presents another challenge. According to TSA, the
agency has made communication and coordination top priorities by taking
actions such as establishing a TWIC stakeholder communication committee
and requiring the enrollment contractor to establish a plan for
coordinating and communicating with all stakeholders who will be
involved in the program. Finally, TSA will have to address access
control technologies to ensure that the program is implemented
effectively. It will be important that TSA's TWIC access control
technology pilot ensure that these technologies work effectively in the
maritime environment before facilities and vessels will be required to
implement them.
DHS Working to Coordinate Multiple Background Check Programs for
Transportation Workers:
Since the 9/11 attacks, the federal government has taken steps to
ensure that transportation workers, many of whom transport hazardous
materials or have access to secure areas in locations such as port
facilities, are properly screened to ensure they do not pose a security
risk. Concerns have been raised, however, that transportation workers
may face a variety of background checks, each with different standards.
In July 2004, the 9/11 Commission reported that having too many
different biometric standards, travel facilitation systems,
credentialing systems, and screening requirements hampers the
development of information crucial for stopping terrorists from
entering the country, is expensive, and is inefficient.[Footnote 31]
The commission recommended that a coordinating body raise standards,
facilitate information-sharing, and survey systems for potential
problems. In August 2004, Homeland Security Presidential Directive - 11
announced a new U.S. policy to "implement a coordinated and
comprehensive approach to terrorist-related screening--in immigration,
law enforcement, intelligence, counterintelligence, and protection of
the border, transportation systems, and critical infrastructure--that
supports homeland security, at home and abroad."
DHS components have begun a number of their own background check
initiatives. For example, in January 2007, TSA determined that the
background checks required for three other DHS programs satisfied the
background check requirement for the TWIC program.[Footnote 32] That
is, an applicant who has already undergone a background check in
association with any of these three programs does not have to undergo
an additional background check and pays a reduced fee to obtain a TWIC
card. Similarly, the Coast Guard plans to consolidate four credentials
and require that all pertinent information previously submitted by an
applicant at a Coast Guard Regional Examination Center will be
forwarded by the center to TSA through the TWIC enrollment process.
In April 2007, we completed a study of DHS background check programs as
part of a SAFE Port Act requirement to do so.[Footnote 33] We found
that the six programs we reviewed were conducted independently of one
another, collected similar information, and used similar background
check processes. Further, each program operated separate enrollment
facilities to collect background information and did not share it with
the other programs. We also found that DHS did not track the number of
workers who, needing multiple credentials, were subjected to multiple
background check programs. Because DHS is responsible for a large
number of background check programs, we recommended that DHS ensure
that its coordination plan includes implementation steps, time frames,
and budget requirements; discusses potential costs/benefits of program
standardization; and explores options for coordinating and aligning
background checks within DHS and other federal agencies.
DHS concurred with our recommendations and continues to take steps--
both at the department level and within its various agencies--to
consolidate, coordinate, and harmonize such background check
programs.[Footnote 34] At the department level, DHS created SCO in July
2006 to coordinate DHS background check programs. SCO is in the early
stages of developing its plans for this coordination. In December 2006,
SCO issued a report identifying common problems, challenges, and needed
improvements in the credentialing programs and processes across the
department. The office awarded a contract in April 2007 that will
provide the methodology and support for developing an implementation
plan to include common design and comparability standards and related
milestones to coordinate DHS screening and credentialing programs.
Since April 2007, DHS and SCO signed a contract to produce three
deliverables to align its screening and credentialing activities, set a
method and time frame for applying a common set of design and
comparability standards, and eliminate redundancy through
harmonization. These three deliverables are as follows:
* Credentialing framework: A framework completed in July 2007 that
describes a credentialing life-cycle of registration and enrollment,
eligibility vetting and risk assessment, issuance, expiration and
revocation, and redress. This framework was to incorporate risk-based
levels or criteria, and an assessment of the legal, privacy, policy,
operational, and technical challenges.
* Technical review: An assessment scheduled for completion in October
2007 is to be completed by the contractor in conjunction with the DHS
Office of the Chief Information Officer. This is to include a review of
the issues present in the current technical environment and the
proposed future technical environment needed to address those issues,
and provide recommendations for targeted investment reuse and key
target technologies.
* Transition plan: A plan scheduled to be completed in November 2007 is
to outline the projects needed to actualize the framework, including
identification of major activities, milestones, and associated timeline
and costs.
Stakeholders in this effort include multiple components of DHS and the
Departments of State and Justice.
In addition, the DHS Office of the Chief Information Officer (CIO) and
the director of SCO issued a memo in May 2007 to promote
standardization across screening and credentialing programs. In this
memo, DHS indicated that (1) programs requiring the collection and use
of fingerprints to vet individuals will use the Automated Biometric
Identification System (IDENT); (2) these programs are to reuse existing
or currently planned and funded infrastructure for the intake of
identity information to the greatest extent possible; (3) its CIO is to
establish a procurement plan to ensure that the department can handle a
large volume of automated vetting from programs currently in the
planning phase; and (4) to support the sharing of databases and
potential consolidation of duplicative applications, the Enterprise
Data Management Office is currently developing an inventory of
biographic data assets that DHS maintains to support identity
management and screening processes.
While continuing to consolidate, coordinate, and harmonize background
check programs, DHS will likely face additional challenges, such as
ensuring that its plans are sufficiently complete without being overly
restrictive, and lack of information regarding the potential costs and
benefits associated with the number of redundant background checks. SCO
will be challenged to coordinate DHS's background check programs in
such a way that any common set of standards developed to eliminate
redundant checks meets the varied needs of all the programs without
being so strict that it unduly limits the applicant pool or so
intrusive that potential applicants are unwilling to take part. Without
knowing the potential costs and benefits associated with the number of
redundant background checks that harmonization would eliminate, DHS
lacks the performance information that would allow its program managers
to compare their program results with goals. Thus, DHS cannot be
certain where to target program resources to improve performance. As we
recommended, DHS could benefit from a plan that includes, at a minimum,
a discussion of the potential costs and benefits associated with the
number of redundant background checks that would be eliminated through
harmonization.
Container Security Programs Continue to Expand and Mature, but New
Challenges Emerge:
Through the development of strategic plans, human capital strategies,
and performance measures, several container security programs have been
established and matured. However, these programs continue to face
technical and management challenges in implementation. As part of its
layered security strategy, CBP developed the Automated Targeting System
as a decision support tool to assess the risks of individual cargo
containers. ATS is a complex mathematical model that uses weighted
rules that assign a risk score to each arriving shipment based on
shipping information (e.g., manifests, bills of lading, and entry
data). Although the program has faced quality assurance challenges from
its inception, CBP has made significant progress in addressing these
challenges. CBP's in-bond program does not collect detailed information
at the U.S. port of arrival that could aid in identifying cargo posing
a security risk and promote the effective use of inspection resources.
In the past, CSI has lacked sufficient staff to meet program
requirements. C-TPAT has faced challenges with validation quality and
management in the past, in part due to its rapid growth. The Department
of Energy's (DOE) Megaports Initiative faces ongoing operational and
technical challenges in the installation and maintenance of radiation
detection equipment at ports. In addition, implementing the Secure
Freight Initiative and the 9/11 Commission Act of 2007 presents
additional challenges for the scanning of cargo containers inbound to
the United States.
Management of the Automated Targeting System Has Improved:
CBP is responsible for preventing terrorists and WMD from entering the
United States. As part of this responsibility, CBP addresses the
potential threat posed by the movement of oceangoing cargo containers.
To perform this mission, CBP officers at seaports utilize officer
knowledge and CBP automated systems to assist in determining which
containers entering the country will undergo inspections, and then
perform the necessary level of inspection of each container based upon
risk. To assist in determining which containers are to be subjected to
inspection, CBP uses a layered security strategy that attempts to focus
resources on potentially risky cargo shipped in containers while
allowing other ocean going containers to proceed without disrupting
commerce. ATS is one key element of this strategy. CBP uses ATS as a
decision support tool to review documentation, including electronic
manifest information submitted by the ocean carriers on all arriving
shipments, and entry data submitted by brokers to develop risk scores
that help identify containers for additional inspection.[Footnote 35]
CBP requires the carriers to submit manifest information 24 hours prior
to a United States-bound sea container being loaded onto a vessel in a
foreign port. CBP officers use these scores to help them make decisions
on the extent of documentary review or additional inspection as
required.
We have conducted several reviews of ATS and made recommendations for
its improvement.[Footnote 36] Consistent with these recommendations,
CBP has implemented a number of important internal controls for the
administration and implementation of ATS.[Footnote 37] For example, CBP
(1) has established performance metrics for ATS, (2) is manually
comparing the results of randomly conducted inspections with the
results of inspections resulting from ATS analysis of the shipment
data, and (3) has developed and implemented a testing and simulation
environment to conduct computer-generated tests of ATS. Since our last
report on ATS, the SAFE Port Act required that the CBP Commissioner
take additional actions to improve ATS. These requirements included
steps such as (1) having an independent panel review the effectiveness
and capabilities of ATS; (2) considering future iterations of ATS that
would incorporate smart features;[Footnote 38] (3) ensuring that ATS
has the capability to electronically compare manifest and other
available data to detect any significant anomalies and facilitate their
resolution; (4) ensuring that ATS has the capability to electronically
identify, compile, and compare select data elements following a
maritime transportation security incident; and (5) developing a
schedule to address recommendations made by GAO and the Inspectors
General of the Department of the Treasury and DHS.
CBP's Management of the In-Bond Cargo System Impedes Efforts to Manage
Security Risks:
CBP's in-bond system--which allows goods to transit the United States
without officially entering U.S. commerce--must balance the competing
goals of providing port security, facilitating trade, and collecting
trade revenues. However, we have earlier reported that CBP's management
of the system has impeded efforts to manage security risks.
Specifically, CBP does not collect detailed information on in-bond
cargo at the U.S. port of arrival that could aid in identifying cargo
posing a security risk and promote effective use of inspection
resources.[Footnote 39]
The in-bond system is designed to facilitate the flow of trade
throughout the United States and is estimated to be widely used. The
U.S. customs system allows cargo to move from the U.S. arrival port,
without appraisal or payment of duties to another U.S. port for
official entry into U.S. commerce or for exportation.[Footnote 40] In-
bond regulations currently permit bonded carriers from 15 to 60 days,
depending on the mode of shipment, to reach their final destination and
allow them to change a shipment's final destination without notifying
CBP. The in-bond system allows the trade community to avoid congestion
and delays at U.S. seaports whose infrastructure has not kept pace with
the dramatic growth in trade volume. In-bond facilitates trade by
allowing importers and shipping agents the flexibility to move cargo
more efficiently. Using the number of in-bond transactions reported by
CBP for the 6-month period of October 2004 to March 2005, we found over
6.5 million in-bond transactions were initiated nationwide. Some CBP
port officials have estimated that in-bond shipments represent from 30
percent to 60 percent of goods received at their ports.[Footnote 41]
As discussed earlier in this testimony, CBP uses manifest information
it receives on all cargo arriving at U.S. ports (including in-bond
cargo) as input for ATS scoring to aid in identifying security risks
and setting inspection priorities. For regular cargo, the ATS score is
updated with more detailed information as the cargo makes official
entry at the arrival port. For in-bond cargo, the ATS scores generally
are not updated until these goods move from the port of arrival to the
destination port for official entry into United States commerce, or not
updated at all for cargo that is intended to be exported.[Footnote 42]
As a result, in-bond goods might transit the United States without
having the most accurate ATS risk score.
Entry information frequently changes the ATS score for in-bond
goods.[Footnote 43] For example, CBP provided data for four major ports
comparing the ATS score assigned to in-bond cargo at the port of
arrival based on the manifest to the ATS score given after goods made
official entry at the destination port.[Footnote 44] These data show
that for the four ports, the ATS score based on the manifest
information stayed the same an average of 30 percent of the time after
being updated with entry information, ATS scores increased an average
of 23 percent of the time and decreased an average of 47 percent of the
time. A higher ATS score can result in higher priority being given to
cargo for inspection than otherwise would be given based solely on the
manifest information. A lower ATS score can result in cargo being given
a lower priority for inspection and potentially shift inspection
resources to cargo deemed a higher security risk. Without having the
most accurate ATS score, in-bond goods transiting the United States
pose a potential security threat because higher-risk cargo may not be
identified for inspection at the port of arrival. In addition, scarce
inspection resources may be misdirected to in-bond goods that a
security score based on better information might have shown did not
warrant inspection.
We earlier recommended that the Commissioner of CBP take action in
three areas to improve the management of the in-bond program, which
included collecting and using improved information on in-bond shipments
to update the ATS score for in-bond movements at the arrival port and
enable better informed decisions affecting security, trade and revenue
collection.[Footnote 45] DHS agreed with most of our recommendations.
According to CBP, they are in the process of developing an in-bond
weight set to be utilized to further identify cargo posing a security
risk. The weight set is being developed based on expert knowledge,
analysis of previous in-bond seizures, and creation of rules based on
in-bond concepts.
The SAFE Port Act of 2006 contains provisions related to securing the
international cargo supply chain, including provisions related to the
movement of in-bond cargo. Specifically, it requires that CBP submit a
report to several congressional committees on the in-bond system that
includes an assessment of whether ports of arrival should require
additional information for in-bond cargo, a plan for tracking in-bond
cargo in CBP's Automated Commercial Environment information system, and
assessment of the personnel required to ensure reconciliation of in-
bond cargo between arrival port and destination port. The report must
also contain an assessment of the feasibility of reducing transit time
while traveling in-bond, and an evaluation of the criteria for
targeting and examining in-bond cargo. Although the report was due June
30, 2007, CBP has not yet finalized the report and released it to
Congress.
The CSI Program Continues to Mature, but Addressing SAFE Port Act
Requirements Adds New Challenges:
CPB initiated its CSI program to detect and deter terrorists from
smuggling WMD via cargo containers before they reach domestic seaports
in January 2002. The SAFE Port Act formalized the CSI program into law.
Under CSI, foreign governments sign a bilateral agreement with CBP to
allow teams of U.S. customs officials to be stationed at foreign
seaports to identify cargo container shipments at risk of containing
WMD. CBP personnel use automated risk assessment information and
intelligence to target to identify those at risk containing WMD. When a
shipment is determined to be high risk, CBP officials refer it to host
government officials who determine whether to examine the shipment
before it leaves their seaport for the United States. In most cases,
host government officials honor the U.S. request by examining the
referred shipments with nonintrusive inspection equipment and, if they
deem necessary, by opening the cargo containers to physically search
the contents inside.[Footnote 46] CBP planned to have a total of 58
seaports by the end of fiscal year 2007.
Our 2003 and 2005 reports on the CSI program found both successes and
challenges faced by CBP in implementing the program.[Footnote 47] Since
our last CSI report in 2005, CBP has addressed some of the challenges
we identified and has taken steps to improve the CSI program.
Specifically, CBP contributed to the Strategy to Enhance International
Supply Chain Security that DHS issued in July 2007, which addressed a
SAFE Port Act requirement and filled an important gap--between broad
national strategies and program-specific strategies, such as for CSI--
in the strategic framework for maritime security that has evolved since
9/11. In addition, in 2006 CBP issued a revised CSI strategic plan for
2006 to 2011, which added three critical elements that we had
identified in our April 2005 report as missing from the plan's previous
iteration. In the revised plan, CBP described how performance goals and
measures are related to CSI objectives, how CBP evaluates CSI program
operations, and what external factors beyond CBP's control could affect
program operations and outcomes. Also, by expanding CSI operations to
58 seaports by the end of September 2007, CBP would have met its
objective of expanding CSI locations and program activities. CBP
projected that at the end of fiscal year 2007 between 85 and 87 percent
of all U.S. bound shipments in containers will pass through CSI ports
where the risk level of the container cargo is assessed and the
contents are examined as deemed necessary.
Although CBP's goal is to review information about all U.S.-bound
containers at CSI seaports for high-risk contents before the containers
depart for the United States, we reported in 2005 that the agency has
not been able to place enough staff at some CSI ports to do
so.[Footnote 48] Also, the SAFE Port Act required DHS to develop a
human capital management plan to determine adequate staffing levels in
U.S. and CSI ports. CBP has developed a human capital plan, increased
the number of staff at CSI ports, and provided additional support to
the deployed CSI staff by using staff in the United States to screen
containers for various risk factors and potential inspection. With
these additional resources, CBP reports that manifest data for all US-
bound container cargo are reviewed using ATS to determine whether the
container is at high risk of containing WMD. However, the agency faces
challenges in ensuring that optimal numbers of staff are assigned to
CSI ports due in part to its reliance on placing staff overseas at CSI
ports without systematically determining which functions could be
performed overseas and which could be performed domestically.
Also, in 2006 CBP improved its methods for conducting onsite
evaluations of CSI ports, in part by requiring CSI teams at the
seaports to demonstrate their proficiency at conducting program
activities and by employing electronic tools designed to assist in the
efficient and systematic collection and analysis of data to help in
evaluating the CSI team's proficiency. In addition, CBP continued to
refine the performance measures it uses to track the effectiveness of
the CSI program by streamlining the number of measures it uses to six,
modifying how one measure is calculated to address an issue we
identified in our April 2005 report; and developing performance targets
for the measures. We are continuing to review these assessment
practices as part of our ongoing review of the CSI program, and expect
to report on the results of this effort shortly.
Similar to our recommendation in a previous CSI report, the SAFE Port
Act called upon DHS to establish minimum technical criteria for the use
of nonintrusive inspection equipment in conjunction with CSI. The act
also directs DHS to require that seaports receiving CSI designation
operate such equipment in accordance with these criteria and with
standard operating procedures developed by DHS. CBP officials stated
that their agency faces challenges in implementing this requirement due
to sovereignty issues and the fact that the agency is not a standard
setting organization, either for equipment or for inspections processes
or practices. However, CBP has developed minimum technical standards
for equipment used at domestic ports and the World Customs Organization
(WCO)[Footnote 49] had described issues--not standards--to consider
when procuring inspection equipment. Our work suggests that CBP may
face continued challenges establishing equipment standards and
monitoring host government operations, which we are also examining in
our ongoing review of the CSI program.
C-TPAT Continues to Expand and Mature, but Management Challenges
Remain:
CBP initiated C-TPAT in November 2001 to complement other maritime
security programs as part of the agency's layered security strategy. In
October 2006, the SAFE Port Act formalized C-TPAT into law. C-TPAT is a
voluntary program that enables CBP officials to work in partnership
with private companies to review the security of their international
supply chains and improve the security of their shipments to the United
States. In return for committing to improve the security of their
shipments by joining the program, C-TPAT members receive benefits that
result in the likelihood of reduced scrutiny of their shipments, such
as a reduced number of inspections or shorter wait times for their
shipments. CBP uses information about C-TPAT membership to adjust risk-
based targeting of these members shipments in ATS. As of July 2007, CBP
had certified more than 7,000 companies that import goods via cargo
containers through U.S. seaports--which accounted for approximately 45
percent of all U.S. imports--and validated the security practices of 78
percent of these certified participants.
We reported on the progress of the C-TPAT program in 2003 and 2005 and
recommended that CBP develop a strategic plan and performance measures
to track the program's status in meeting its strategic goals.[Footnote
50] DHS concurred with these recommendations. The SAFE Port Act also
mandated that CBP develop and implement a 5-year strategic plan with
outcome-based goals and performance measures for C-TPAT. CBP officials
stated that they are in the process of updating their strategic plan
for C-TPAT, which was issued in November 2004, for 2007 to 2012. This
updated plan is being reviewed within CBP, but a time frame for issuing
the plan has not been established. We recommended in our March 2005
report that CBP establish performance measures to track its progress in
meeting the goals and objectives established as part of the strategic
planning process.[Footnote 51] Although CBP has since put additional
performance measures in place, CBP's efforts have focused on measures
regarding program participation and facilitating trade and travel. CBP
has not yet developed performance measures for C-TPAT's efforts aimed
at ensuring improved supply chain security, which is the program's
purpose.
In our previous work, we acknowledged that the C-TPAT program holds
promise as part of a layered maritime security strategy. However, we
also raised a number of concerns about the overall management of the
program. Since our past reports, the C-TPAT program has continued to
mature. The SAFE Port Act mandated that actions--similar to ones we had
recommended in our March 2005 report--be taken to strengthen the
management of the program. For example, the act included a new goal
that CBP make a certification determination within 90 days of CBP's
receipt of a C-TPAT application, validate C-TPAT members' security
measures and supply chain security practices within 1 year of their
certification, and revalidate those members no less than once in every
4 years. As we recommended in our March 2005 report, CBP has developed
a human capital plan and implemented a records management system for
documenting key program decisions. CBP has addressed C-TPAT staffing
challenges by increasing the number of supply chain security
specialists from 41 in 2005 to 156 in 2007.
In February 2007, CBP updated its resource needs to reflect SAFE Port
Act requirements, including that certification, validation, and
revalidation processes be conducted within specified time frames. CBP
believes that C-TPAT's current staff of 156 supply chain security
specialists will allow it to meet the act's initial validation and
revalidation goals for 2007 and 2008. If an additional 50 specialists
authorized by the act are made available by late 2008, CBP expects to
be able to stay within compliance of the act's time frame requirements
through 2009. In addition, CBP developed and implemented a centralized
electronic records management system to facilitate information storage
and sharing and communication with C-TPAT partners. This system--known
as the C-TPAT Portal--enables CBP to track and ascertain the status of
C-TPAT applicants and partners to ensure that they are certified,
validated, and revalidated within required time frames. As part of our
ongoing work, we are reviewing the data captured in Portal, including
data needed by CBP management to assess the efficiency of C-TPAT
operations and to determine compliance with its program requirements.
These actions--dedicating resources to carry out certification and
validation reviews and putting a system in place to track the
timeliness of these reviews--should help CBP meet several of the
mandates of the SAFE Port Act. We expect to issue a final report early
next year.
Our 2005 report raised concerns about CBP granting benefits
prematurely--before CBP had validated company practices. Instead of
granting new members full benefits without actual verification of their
supply chain security, CBP implemented three tiers to grant companies
graduated benefits based on CBP's certification and validation of their
security practices. Related to this, the SAFE Port Act codified CBP's
policy of granting graduated benefits to C-TPAT members. Tier 1
benefits--a limited reduction in the score assigned in ATS--are granted
to companies upon certification that their written description of their
security profile meets minimum security criteria. Companies whose
security practices CBP validates in an on-site assessment receive Tier
2 benefits that may include reduced scores in ATS, reduced cargo
examinations, and priority searches of cargo. If CBP's validation shows
sustained commitment by a company to security practices beyond what is
expected, the company receives Tier 3 benefits. Tier 3 benefits may
include expedited cargo release at U.S. ports at all threat levels,
further reduction in cargo examinations, priority examinations, and
participation in joint incident management exercises.
Our 2005 report also raised concerns about whether the validation
process was rigorous enough. Similarly, the SAFE Port Act mandates that
the validation process be strengthened, including setting a year time
frame for completing validations. CBP initially set a goal of
validating all companies within their first 3 years as C-TPAT members,
but the program's rapid growth in membership made the goal
unachievable. CBP then moved to a risk-based approach to selecting
members for validation, considering factors such as a company's having
foreign supply chain operations in a known terrorist area or involving
multiple foreign suppliers. CBP further modified its approach to
selecting companies for validation to achieve greater efficiency by
conducting "blitz" operations to validate foreign elements of multiple
members' supply chains in a single trip. Blitz operations focus on
factors such as C-TPAT members within a certain industry, supply chains
within a certain geographic area, or foreign suppliers to multiple C-
TPAT members. Risks remain a consideration, according to CBP, but the
blitz strategy drives the decision of when a member company will be
validated. In addition to taking these actions to efficiently conduct
validations, CBP has periodically updated the minimum security
requirements that companies must meet to be validated and is conducting
a pilot program of using third-party contractors to conduct validation
assessments. As part of our ongoing work, we are reviewing these
actions, which are required as part of the SAFE Port Act, and other CBP
efforts to enhance its C-TPAT validation process.
CBP Has Played a Key Role in Promoting Global Customs Security
Standards and Initiatives, but Progress with These Efforts Presents New
Challenges for CSI and C-TPAT:
The CSI and C-TPAT programs have provided a model for global customs
security standards, but as other countries adopt the core principles of
CSI and programs similar to C-TPAT, CBP may face new challenges.
Foreign officials within the WCO and elsewhere have observed the CSI
and C-TPAT programs as potential models for enhancing supply chain
security. Also, CBP has taken a lead role in working with members of
the domestic and international customs and trade community on
approaches to standardizing supply chain security worldwide. As CBP has
recognized, and we have previously reported, in security matters the
United States is not self-contained, in either its problems or its
solutions. The growing interdependence of nations requires policymakers
to recognize the need to work in partnerships across international
boundaries to achieve vital national goals.
For this reason, CBP has committed through its strategic planning
process to develop and promote an international framework of standards
governing customs-to-customs relationships and customs-to-business
relationships in a manner similar to CSI and C-TPAT, respectively. To
achieve this, CBP has worked with foreign customs administrations
through the WCO to establish a framework creating international
standards that provide increased security of the global supply chain
while facilitating international trade. The member countries of the
WCO, including the United States, adopted such a framework, known as
the WCO Framework of Standards to Secure and Facilitate Global Trade
and commonly referred to as the SAFE Framework, in June 2005. The SAFE
Framework internationalizes the core principles of CSI in creating
global standards for customs security practices and promotes
international customs-to-business partnership programs, such as C-
TPAT. As of September 11, 2007, 148 WCO member countries had signed
letters of intent to implement the SAFE Framework. CBP, along with the
customs administrations of other countries and through the WCO,
provides technical assistance and training to those countries that want
to implement the SAFE Framework, but do not yet have the capacity to do
so.
The SAFE Framework enhances the CSI program by promoting the
implementation of CSI-like customs security practices, including the
use of electronic advance information requirements and risk-based
targeting, in both CSI and non-CSI ports worldwide. The framework also
lays the foundation for mutual recognition, an arrangement whereby one
country can attain a certain level of assurance about the customs
security standards and practices and business partnership programs of
another country. In June 2007, CBP entered into the first mutual
recognition arrangement of a business-to-customs partnership program
with the New Zealand Customs Service. This arrangement stipulates that
members of one country's business-to-customs program be recognized and
receive similar benefits from the customs service of the other country.
CBP is pursuing similar arrangements with Jordan and Japan, and is
conducting a pilot program with the European Commission to test
approaches to achieving mutual recognition and address differences in
their respective programs. However, the specific details of how the
participating counties' customs officials will implement the mutual
recognition arrangement--such as what benefits, if any, should be
allotted to members of other countries' C-TPAT like programs--have yet
to be determined. As CBP goes forward, it may face challenges in
defining the future of its CSI and C-TPAT programs and, more
specifically, in managing the implementation of mutual recognition
arrangements, including articulating and agreeing to the criteria for
accepting another country's program; the specific arrangements for
implementation, including the sharing of information; and the actions
for verification, enforcement; and, if necessary, termination of the
arrangement.
DNDO Faces Challenges Testing Radiation Detection Equipment:
DHS also has container security programs to develop and test equipment
to scan containers for radiation. Its DNDO was originally created in
April 2005 by presidential directive; but the office was formally
established in October 2006 by Section 501 of the SAFE Port Act. DNDO
has lead responsibility for conducting the research, development,
testing, and evaluation of radiation detection equipment that can be
used to prevent nuclear or radiological materials from entering the
United States. DNDO is charged with devising the layered system of
radiation detection equipment and operating procedures--known as the
"global architecture"--designed to prevent nuclear smuggling at foreign
ports, the nation's borders, and inside the United States.
Much of DNDO's work on radiation detection equipment to date has
focused on the development and use of radiation detection portal
monitors, which are larger-scale equipment that can screen vehicles,
people, and cargo entering the United States. Current portal monitors
detect the presence of radiation but cannot distinguish between benign,
naturally occurring radiological materials such as ceramic tile, and
dangerous materials such as highly enriched uranium. Since 2005, DNDO
has been testing, developing, and planning to deploy the next
generation of portal monitors, known as "Advanced Spectroscopic
Portals" (ASPs), which can not only detect but also identify
radiological and nuclear materials within a shipping container. In July
2006, DNDO announced that it had awarded contracts to three vendors to
develop and purchase $1.2 billion worth of ASPs over 5 years for
deployment at U.S. points of entry.
We have reported a number of times to Congress concerning DNDO's
execution of the ASP program.[Footnote 52] To ensure that DHS'
substantial investment in radiation detection technology yields the
greatest possible level of detection capability at the lowest possible
cost, in March 2006 we recommended that once the costs and capabilities
of ASPs were well understood, and before any of the new equipment was
purchased for deployment, the Secretary of DHS work with the Director
of DNDO to analyze the costs and benefits of deploying ASPs.[Footnote
53] Further, we recommended that this analysis focus on determining
whether any additional detection capability provided by the ASPs was
worth the considerable additional costs. In response to our
recommendation, DNDO issued its cost-benefit analysis in May 2006 and
an updated, revised version in June 2006. According to senior agency
officials, DNDO believes that the basic conclusions of its cost-benefit
analysis showed that the new ASP monitors are a sound investment for
the U.S. government.
However, in October 2006, we concluded that DNDO's cost benefit
analysis did not provide a sound basis for DNDO's decision to purchase
and deploy ASP technology because it relied on assumptions of the
anticipated performance level of ASPs instead of actual test data and
that it did not justify DHS' planned $1.2 billion expenditure.[Footnote
54] We also reported that DNDO did not assess the likelihood that ASPs
would either misidentify or fail to detect nuclear or radiological
material. Rather, it focused its analysis on reducing the time
necessary to screen traffic at border check points and reduce the
impact of any delays on commerce. We recommended that DNDO conduct
further testing of ASPs and the currently deployed portal monitors
before spending additional funds to purchase ASPs. DNDO conducted this
testing of ASPs at the Nevada Test site during February and March 2007.
In September 2007, we testified on these tests, stating that, in our
view, DNDO used biased test methods that enhanced the performance of
the ASPs.[Footnote 55] In particular, DNDO conducted preliminary runs
of almost all the materials and combination of materials that it used
in the formal tests and then allowed ASP contractors to collect test
data and adjust their systems to identify these materials. In addition,
DNDO did not attempt in its tests to identify the limitations of ASPs-
-a critical oversight in its test plan. Specifically, the materials
that DNDO included in its test plan did not emit enough radiation to
hide or mask the presence of nuclear materials located within a
shipping container. Finally, in its tests of the existing radiation
detection system, DNDO did not include a critical standard operating
procedure that officers with CBP use to improve the system's
effectiveness.
It is important to note that, during the course of our work, CBP, DOE,
and national laboratory officials we spoke to voiced concern about
their lack of involvement in the planning and execution of the Nevada
Test Site tests. For example, DOE officials told us that they informed
DNDO in November 2006 of their concerns that the materials DNDO planned
to use in its tests were too weak to effectively mask the presence of
nuclear materials in a container. DNDO officials rejected DOE
officials' suggestion to use stronger materials in the tests because,
according to DNDO, there would be insufficient time to obtain these
materials and still obtain the DHS Secretary's approval for full-scale
production of ASPs by DNDO's self-imposed deadline of June 26, 2007.
Although DNDO has agreed to perform computer simulations to address
this issue, the DNDO Director would not commit at the September
testimony to delaying full-scale ASP production until all the test
results were in.
DOE Continues to Expand Its Megaports Program:
The Megaports Initiative, initiated by DOE's National Nuclear Security
Administration in 2003, represents another component in the efforts to
prevent terrorists from smuggling WMD in cargo containers from overseas
locations. The goal of this initiative is to enable foreign government
personnel at key foreign seaports to use radiation detection equipment
to screen shipping containers entering and leaving these ports,
regardless of the containers' destination, for nuclear and other
radioactive material that could be used against the United States or
its allies. DOE installs radiation detection equipment, such as
radiation portal monitors and handheld radioactive isotope
identification devices, at foreign seaports that is then operated by
foreign government officials and port personnel working at these ports.
Through August 2007, DOE had completed installation of radiation
detection equipment at eight ports: Rotterdam, the Netherlands;
Piraeus, Greece; Colombo, Sri Lanka; Algeciras, Spain; Singapore;
Freeport, Bahamas; Manila, Philippines; and Antwerp, Belgium (Phase I).
Operational testing is under way at four additional ports: Antwerp,
Belgium (Phase II); Puerto Cortes, Honduras; Qasim, Pakistan; and Laem
Chabang, Thailand. Additionally, DOE has signed agreements to begin
work and is in various stages of implementation at ports in 12 other
countries, including the United Kingdom, United Arab Emirates/Dubai,
Oman, Israel, South Korea, China, Egypt, Jamaica, the Dominican
Republic, Colombia, Panama, and Mexico, as well as Taiwan and Hong
Kong. Several of these ports are also part of the Secure Freight
Initiative, discussed in the next section. Further, in an effort to
expand cooperation, DOE is engaged in negotiations with approximately
20 additional countries in Europe, Asia, the Middle East, and Latin
America.
DOE had made limited progress in gaining agreements to install
radiation detection equipment at the highest priority seaports when we
reported on this program in March 2005.[Footnote 56] Then, the agency
had completed work at only two ports and signed agreements to initiate
work at five others. We also noted that DOE's cost projections for the
program were uncertain, in part because they were based on DOE's $15
million estimate for the average cost per port. This per port cost
estimate may not be accurate because it was based primarily on DOE's
radiation detection assistance work at Russian land borders, airports,
and seaports and did not account for the fact that the costs of
installing equipment at individual ports vary and are influenced by
factors such as a port's size, physical layout, and existing
infrastructure. Since our review, DOE has developed a strategic plan
for the Megaports Initiative and revised it's per port estimates to
reflect port size, with per port estimates ranging from $2.6 million to
$30.4 million.
As we earlier reported, DOE faces several operational and technical
challenges specific to installing and maintaining radiation detection
equipment at foreign ports as the agency continues to implement its
Megaports Initiative. These challenges include ensuring the ability to
detect radioactive material, overcoming the physical layout of ports
and cargo-stacking configurations, and sustaining equipment in port
environments with high winds and sea spray.
Secure Freight Initiative Testing Feasibility of Combining Scanning
Technologies:
The SAFE Port Act required that a pilot program--known as the Secure
Freight Initiative (SFI)--be conducted to determine the feasibility of
100 percent scanning of U.S. bound containers. To fulfill this
requirement, CBP and DOE jointly announced the formation of SFI in
December 2006, as an effort to build upon existing port security
measures by enhancing the U.S. government's ability to scan containers
for nuclear and radiological materials overseas and better assess the
risk of inbound containers. In essence, SFI builds upon the CSI and
Megaports programs. The SAFE Port Act specified that new integrated
scanning systems that couple nonintrusive imaging equipment and
radiation detection equipment must be pilot-tested. It also required
that, once fully implemented, the pilot integrated scanning system scan
100 percent of containers destined for the United States that are
loaded at pilot program ports.
According to agency officials, the initial phase of the initiative will
involve the deployment of a combination of existing container scanning
technology--such as X-ray and gamma ray scanners used by host nations
at CSI ports to locate high-density objects that could be used to
shield nuclear materials, inside containers--and radiation detection
equipment. The ports chosen to receive this integrated technology are:
Port Qasim in Pakistan, Puerto Cortes in Honduras, and Southampton in
the United Kingdom. Four other ports located in Hong Kong, Singapore,
the Republic of Korea, and Oman will receive more limited deployment of
these technologies as part of the pilot program. According to CBP,
containers from these ports will be scanned for radiation and other
risk factors before they are allowed to depart for the United States.
If the scanning systems indicate that there is a concern, both CSI
personnel and host country officials will simultaneously receive an
alert and the specific container will be inspected before that
container continues to the United States. CBP officials will determine
which containers are inspected, either on the scene locally or at CBP's
National Targeting Center.
Per the SAFE Port Act, CBP is to report by April 2008 on, among other
things, the lessons learned from the SFI pilot ports and the need for
and the feasibility of expanding the system to other CSI ports. Every 6
months thereafter, CBP is to report on the status of full-scale
deployment of the integrated scanning systems to scan all containers
bound for the United States before their arrival.
New Requirement for 100 Percent Scanning Introduces New Challenges:
Recent legislative actions have updated U.S. maritime security
requirements and may affect overall international maritime security
strategy. In particular, the recently enacted Implementing
Recommendations of the 9/11 Commission Act (9/11 Act) requires, by
2012, 100 percent scanning of U.S.-bound cargo containers using
nonintrusive imaging equipment and radiation detection equipment at
foreign seaports. The act also specifies conditions for potential
extensions beyond 2012 if a seaport cannot meet that deadline.
Additionally, it requires the Secretary of DHS to develop technological
and operational standards for scanning systems used to conduct 100
percent scanning at foreign seaports. The Secretary also is required to
ensure that actions taken under the act do not violate international
trade obligations and are consistent with the WCO SAFE Framework. The
9/11 Act provision replaces the requirement of the SAFE Port Act that
called for 100 percent scanning of cargo containers before their
arrival in the United States, but required implementation as soon as
possible rather than specifying a deadline. While we have not yet
reviewed the implementation of the 100 percent scanning requirement, we
have a number of preliminary observations based on field visits of
foreign ports regarding potential challenges CBP may face in
implementing this requirement:
* CBP may face challenges balancing new requirement with current
international risk management approach. CBP may have difficulty
requiring 100 percent scanning while also maintaining a risk-based
security approach that has been developed with many of its
international partners. Currently, under the CSI program, CBP uses
automated targeting tools to identify containers that pose a risk for
terrorism for further inspection before being placed on vessels bound
for the United States. As we have previously reported, using risk
management allows for reduction of risk against possible terrorist
attack to the nation given resources allocated and is an approach that
has been accepted governmentwide. Furthermore, many U.S. and
international customs officials we have spoken to, including officials
from the World Customs Organization, have stated that the 100 percent
scanning requirement is contrary to the SAFE Framework developed and
implemented by the international customs community, including CBP. The
SAFE Framework, based on CSI and C-TPAT, calls for a risk management
approach, whereas the 9/11 Act calls for the scanning of all containers
regardless of risk.
* United States may not be able to reciprocate if other countries
request it. The CSI program, whereby CBP officers are placed at foreign
seaports to target cargo bound for the United States, is based on a
series of bilateral, reciprocal agreements with foreign governments.
These reciprocal agreements also allow foreign governments the
opportunity to place customs officials at U.S. seaports and request
inspection of cargo containers departing from the United States and
bound for their home country. Currently, customs officials from certain
countries are stationed at domestic seaports and agency officials have
told us that CBP has inspected 100 percent of containers that these
officials have requested for inspection. According to CBP officials,
the SFI pilot, as an extension of the CSI program, allows foreign
officials to ask the United States to reciprocate and scan 100 percent
of cargo containers bound for those countries. Although the act
establishing the 100 percent scanning requirement does not mention
reciprocity, CBP officials have told us that the agency does not have
the capacity to reciprocate should it be requested to do so, as other
government officials have indicated they might when this provision of
the 9/11 Act is in place.
* Logistical feasibility is unknown and may vary by port. Many ports
may lack the space necessary to install additional equipment needed to
comply with the requirement to scan 100 percent of U.S. bound
containers. Additionally, we observed that scanning equipment at some
seaports is located several miles away from where cargo containers are
stored, which may make it time consuming and costly to transport these
containers for scanning. Similarly, some seaports are configured in
such a way that there are no natural bottlenecks that would allow for
equipment to be placed such that all outgoing containers can be scanned
and the potential to allow containers to slip by without scanning may
be possible. Transshipment cargo containers--containers moved from one
vessel to another--are only available for scanning for a short period
of time and may be difficult to access. Similarly, it may be difficult
to scan cargo containers that remain on board a vessel as it passes
through a foreign seaport. CBP officials told us that currently
containers such as these that are designated as high-risk at CSI ports
are not scanned unless specific threat information is available
regarding the cargo in that particular container.
* Technological maturity is unknown. Integrated scanning technologies
to test the feasibility of scanning 100 percent of U.S. bound cargo
containers are not yet operational at all seaports participating in the
pilot program, known as SFI. The SAFE Port Act requires CBP to produce
a report regarding the program, which will include an evaluation of the
effectiveness of scanning equipment at the SFI ports. However, this
report will not be due until April 2008. Moreover, agency officials
have stated that the amount of bandwidth necessary to transmit scanning
equipment outputs to CBP officers for review exceeds what is currently
feasible and that the electronic infrastructure necessary to transmit
these outputs may be limited at some foreign seaports. Additionally,
there are currently no international standards for the technical
capabilities of inspection equipment. Agency officials have stated that
CBP is not a standard setting organization and has limited authority to
implement standards for sovereign foreign governments.
* Resource responsibilities have not been determined. The 9/11 Act does
not specify who would pay for additional scanning equipment, personnel,
computer systems, or infrastructure necessary to establish 100 percent
scanning of U.S. bound cargo containers at foreign ports. According to
the Congressional Budget Office (CBO) in its analysis of estimates for
implementing this requirement, this provision would neither require nor
prohibit the U.S. federal government from bearing the cost of
conducting scans. For the purposes of its analysis, CBO assumed that
the cost of acquiring, installing, and maintaining systems necessary to
comply with the 100 percent scanning requirement would be borne by
foreign ports to maintain trade with the United States. However,
foreign government officials we have spoken to expressed concerns
regarding the cost of equipment. They also stated that the process for
procuring scanning equipment may take years and can be difficult when
trying to comply with changing U.S. requirements. These officials also
expressed concern regarding the cost of additional personnel necessary
to: (1) operate new scanning equipment; (2) view scanned images and
transmit them to the United States; and (3) resolve false alarms. An
official from one country with whom we met told us that, while his
country does not scan 100 percent of exports, modernizing its customs
service to focus more on exports required a 50 percent increase in
personnel, and other countries trying to implement the 100 percent
scanning requirement would likely have to increase the size of their
customs administrations by at least as much.
* Use and ownership of data have not been determined. The 9/11 Act does
not specify who will be responsible for managing the data collected
through 100 percent scanning of U.S.-bound containers at foreign
seaports. However, the SAFE Port Act specifies that scanning equipment
outputs from SFI will be available for review by U.S. government
officials either at the foreign seaport or in the United States. It is
not clear who would be responsible for collecting, maintaining,
disseminating, viewing or analyzing scanning equipment outputs under
the new requirement. Other questions to be resolved include ownership
of data, how proprietary information would be treated, and how privacy
concerns would be addressed.
CBP officials have indicated they are aware that challenges exist. They
also stated that the SFI will allow the agency to determine whether
these challenges can be overcome. According to senior officials from
CBP and international organizations we contacted, 100 percent scanning
of containers may divert resources, causing containers that are truly
high risk to not receive adequate scrutiny due to the sheer volume of
scanning outputs that must be analyzed. These officials also expressed
concerns that 100 percent scanning of U.S.-bound containers could
hinder trade, leading to long lines and burdens on staff responsible
for viewing images. However, given that the SFI pilot program has only
recently begun, it is too soon to determine how the 100 percent
scanning requirement will be implemented and its overall impact on
security.
Agency Comments:
We provided a draft of the information in this testimony to DHS. DHS
provided technical comments, which we incorporated as appropriate.
Mr. Chairman and members of the Committee, this completes my prepared
statement. I will be happy to respond to any questions that you or
other members of the committee have at this time.
GAO Contact and Staff Acknowledgments:
For information about this testimony, please contact Stephen L.
Caldwell, Director, Homeland Security and Justice Issues, at (202) 512-
9610, or caldwells@gao.gov. Contact points for our Office of
Congressional Relations and Public Affairs may be found on the last
page of this statement. Individuals making key contributions to this
testimony include Richard Ascarate, Jonathan Bachman, Jason Bair,
Fredrick Berry, Christine Broderick, Stockton Butler, Steven Calvo,
Frances Cook, Christopher Currie, Anthony DeFrank, Wayne Ekblad,
Christine Fossett, Nkenge Gibson, Geoffrey Hamilton, Christopher
Hatscher, Valerie Kasindi, Monica Kelly, Ryan Lambert, Nicholas Larson,
Daniel Klabunde, Matthew Lee, Gary Malavenda, Robert Rivas, Leslie
Sarapu, James Shafer, Kate Siggerud, and April Thompson.
[End of section]
GAO Related Products:
Combating Nuclear Smuggling: Additional Actions Needed to Ensure
Adequate Testing of Next Generation of Radiation Detection Equipment.
GAO-07-1247T. Washington, D.C.: September 18, 2007.
Department of Homeland Security: Progress Report on Implementation of
Mission and Management Functions. GAO-07-1240T. Washington, D.C.:
September 18, 2007.
Department of Homeland Security: Progress Report on Implementation of
Mission and Management Functions. GAO-07-1081T. Washington, D.C.:
September 6, 2007.
Department of Homeland Security: Progress Report on Implementation of
Mission and Management Functions. GAO-07-454. Washington, D.C.: August
17, 2007.
Homeland Security: Observations on DHS and FEMA Efforts to Prepare for
and Respond to Major and Catastrophic Disasters and Address Related
Recommendations and Legislation. GAO-07-1142T. Washington, D.C.: July
31, 2007.
Information on Port Security in the Caribbean Basin. GAO-07-804R.
Washington, D.C.: June 29, 2007.
Department of Homeland Security: Science and Technology Directorate's
Expenditure Plan. GAO-07-868. Washington, D.C.: June 22, 2007.
Homeland Security: Guidance from Operations Directorate Will Enhance
Collaboration among Departmental Operations Centers. GAO-07-683T.
Washington, D.C.: June 20, 2007.
Department of Homeland Security: Progress and Challenges in
Implementing the Department's Acquisition Oversight Plan. GAO-07-900.
Washington, D.C.: June 13, 2007.
Department of Homeland Security: Ongoing Challenges in Creating an
Effective Acquisition Organization. GAO-07-948T. Washington, D.C.: June
7, 2007.
Homeland Security: Observations on DHS and FEMA Efforts to Prepare for
and Respond to Major and Catastrophic Disasters and Address Related
Recommendations and Legislation. GAO-07-835T. Washington, D.C.: May 15,
2007.
Homeland Security: Management and Programmatic Challenges Facing the
Department of Homeland Security. GAO-07-833T. Washington, D.C.: May 10,
2007.
Maritime Security: Observations on Selected Aspects of the SAFE Port
Act. GAO-07-754T. Washington, D.C.: April 26, 2007.
Transportation Security: DHS Efforts to Eliminate Redundant Background
Check Investigations. GAO-07-756. Washington, D.C.: April 26, 2007.
International Trade: Persistent Weaknesses in the In-Bond Cargo System
Impede Customs and Border Protection's Ability to Address Revenue,
Trade, and Security Concerns. GAO-07-561. Washington, D.C.: April 17,
2007.
Transportation Security: TSA Has Made Progress in Implementing the
Transportation Worker Identification Credential Program, but Challenges
Remain. GAO-07-681T. Washington, D.C.: April 12, 2007.
Customs Revenue: Customs and Border Protection Needs to Improve
Workforce Planning and Accountability. GAO-07-529. Washington, D.C.:
April 12, 2007.
Port Risk Management: Additional Federal Guidance Would Aid Ports in
Disaster Planning and Recovery. GAO-07-412. Washington, D.C.: March 28,
2007.
Combating Nuclear Smuggling: DNDO Has Not Yet Collected Most of the
National Laboratories' Test Results on Radiation Portal Monitors in
Support of DNDO's Testing and Development Programs. GAO-07-347R.
Washington, D.C.: March 9, 2007.
Combating Nuclear Smuggling: DHS's Cost-Benefit Analysis to Support the
Purchase of New Radiation Detection Portal Monitors Was Not Based on
Available Performance Data and Did Not Fully Evaluate All the Monitors'
Costs and Benefits. GAO-07-133R. Washington, D.C.: October 17, 2006.
Transportation Security: DHS Should Address Key Challenges before
Implementing the Transportation Worker Identification Credential
Program. GAO-06-982. Washington, D.C.: September 29, 2006.
Maritime Security: Information-Sharing Efforts Are Improving. GAO-06-
933T. Washington, D.C.: July 10, 2006.
Cargo Container Inspections: Preliminary Observations on the Status of
Efforts to Improve the Automated Targeting System. GAO-06-591T.
Washington, D.C.: March 30, 2006.
Combating Nuclear Smuggling: DHS Made Progress Deploying Radiation
Detection Equipment at U.S. Ports of Entry, but Concerns Remain. GAO-
06-389. Washington: D.C.: March 22, 2006.
Managing for Results: Enhancing Agency Use of Performance Information
for Management Decision Making. GAO-05-927. Washington, D.C.: September
9, 2005.
Combating Nuclear Smuggling: Efforts to Deploy Radiation Detection
Equipment in the United States and in Other Countries. GAO-05-840T.
Washington, D.C.: June 21, 2005.
Container Security: A Flexible Staffing Model and Minimum Equipment
Requirements Would Improve Overseas Targeting and Inspection Efforts.
GAO-05-557. Washington, D.C.: April 26, 2005.
Homeland Security: Key Cargo Security Programs Can Be Improved. GAO-05-
466T. Washington, D.C.: May 26, 2005.
Maritime Security: Enhancements Made, But Implementation and
Sustainability Remain Key Challenges. GAO-05-448T. Washington, D.C.:
May 17, 2005.
Cargo Security: Partnership Program Grants Importers Reduced Scrutiny
with Limited Assurance of Improved Security. GAO-05-404. Washington,
D.C.: March 11, 2005.
Maritime Security: New Structures Have Improved Information Sharing,
but Security Clearance Processing Requires Further Attention. GAO-05-
394. Washington, D.C.: April 15, 2005.
Preventing Nuclear Smuggling: DOE Has Made Limited Progress in
Installing Radiation Detection Equipment at Highest Priority Foreign
Seaports. GAO-05-375. Washington, D.C.: March 30, 2005.
Protection of Chemical and Water Infrastructure: Federal Requirements,
Actions of Selected Facilities, and Remaining Challenges. GAO-05-327.
Washington, D.C.: March 2005.
Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.:
January 14, 2005.
Port Security: Better Planning Needed to Develop and Operate Maritime
Worker Identification Card Program. GAO-05-106. Washington, D.C.:
December 2004.
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington,
D.C.: June 2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March
31, 2004.
Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors. GAO-03-770. Washington,
D.C.: July 25, 2003.
Footnotes:
[1] Pub. L. No. 109-347, 120 Stat. 1884 (2006).
[2] Pub. L. No. 107-295, 116 Stat. 2064 (2002).
[3] The Implementing Recommendations of the 9/11 Commission Act of 2007
amended a SAFE Port Act provision on scanning all United States bound
containers at foreign ports. See Pub. L. No. 110-53, §1701(a), 121
Stat. 266, 489-90. This amendment is discussed later in this testimony.
[4] A list of related GAO products may be found at the end of this
testimony.
[5] The SAFE Port Act did not define "high-priority ports," but the
Coast Guard identified a number of factors that it used in determining
which ports are high-priority, including risk assessment data, port
criticality ratings, and existing investments in facilities.
[6] The Coast Guard has implemented a new field command structure that
is designed to unify previously disparate Coast Guard units, such as
air stations and marine safety offices, into 35 different integrated
commands, called sectors. At each of these sectors, the Coast Guard has
placed management and operational control of these units and their
associated resources under the same commanding officer.
[7] The Coast Guard shares some responsibilities with the U.S. Navy at
four of these locations. These centers are located in Hampton Roads,
Virginia; Jacksonville, Florida; San Diego, California; and Seattle,
Washington.
[8] See GAO, Maritime Security: New Structures Have Improved
Information Sharing, but Security Clearance Processing Requires Further
Attention, GAO-05-394 (Washington, D.C.: Apr. 15, 2005); Maritime
Security: Enhancements Made, but Implementation and Sustainability
Remain Key Challenges, GAO-05-448T (Washington, D.C.: May 17, 2005);
and Maritime Security: Information-Sharing Efforts Are Improving, GAO-
06-933T (Washington, D.C.: Jul. 10, 2006).
[9] According to the Coast Guard, these multiple interagency partners
include Customs and Border Protection, Immigration and Customs
Enforcement, Department of Defense, the Secure Border Initiative
Network (SBInet) Program Office, and State and local partners. A pilot
interagency operational center located in Charleston, South Carolina,
known as Project Seahawk, is managed by the Department of Justice. It
was created through an appropriation in the fiscal year 2003
Consolidated Appropriations Resolution (Pub. L. No. 108-7, 117 Stat.
11, 53 (2003.)).
[10] See GAO, Maritime Security: Observations on Selected Aspects of
the SAFE Port Act. GAO-07-754T. (Washington, D.C.: Apr. 26, 2007).
[11] See GAO-06-933T and GAO-05-394.
[12] In July 2007, the Coast Guard reported having granted security
clearances to 212 area committee members with a need to know, which is
an improvement from July 2006, when we reported 188 out of 467 members
had received a security clearance to date.
[13] The Coast Guard uses a three-tiered system of Maritime Security
(MARSEC) levels consistent with DHS's Homeland Security Advisory System
(HSAS). MARSEC levels are designed to provide a means to easily
communicate pre-planned scalable responses to increased threat levels.
[14] NVICs provide detailed guidance about enforcement or compliance
with certain Coast Guard safety regulations and programs. NVIC 9-02,
most recently revised on October 27, 2005, detailed requirements for
AMSPs.
[15] The MIRP, one of the eight supporting plans of the National
Strategy for Maritime Security, is intended to facilitate the
restoration of maritime commerce after a terrorist attack or natural
disaster.
[16] DHS released the Strategy to Enhance the International Supply
Chain in July 2007. This strategy contains a plan to speed the
resumption of trade in the event of a terrorist on our ports or
waterways as required in the SAFE Port Act.
[17] All hazards emergency preparedness efforts seek to prepare all
sectors of American society--business, industry and non profit;
territorial, local, and tribal governments, and the general public--for
all hazards the nation may face, i.e., any large-scale emergency event,
including terrorist attacks and natural or accidental disasters.
[18] See GAO, Port Risk Management: Additional Federal Guidance Would
Aid Ports in Disaster Planning and Recovery, GAO-07-412 (Washington,
D.C.: Mar. 28, 2007).
[19] See GAO, Homeland Security: Process for Reporting Lessons Learned
from Seaport Exercises Needs Further Attention, GAO-05-170 (Washington,
D.C.: Jan. 14, 2005); and GAO-07-412.
[20] The International Port Security Program uses the ISPS Code as the
benchmark by which it measures the effectiveness of a country's anti-
terrorism measures in a port. The code was developed after the 9/11
attacks and established measures to enhance the security of ships and
port facilities with a standardized and consistent security framework.
The ISPS code requires facilities to conduct an assessment to identify
threats and vulnerabilities and then develop security plans based on
the assessment. The requirements of this code are performance-based;
therefore compliance can be achieved through a variety of security
measures.
[21] In addition to the Coast Guard visiting the ports of foreign
countries under this program, countries can also make reciprocal visits
to U.S. ports to observe U.S. implementation of the ISPS Code,
obtaining ideas for implementation of the code in their ports and
sharing best practices for security.
[22] See H.R. Conf. Rep. No. 109-699, at 142 (2006).
[23] There are approximately 140 countries that are maritime trading
partners with the United States.
[24] See GAO, Information on Port Security in the Caribbean Basin, GAO-
07-804R, (Washington, D.C.: Jun. 29, 2007).
[25] Requirements for security plans for facilities are found in 33
C.F.R. Part 105, Subpart D.
[26] See GAO, Maritime Security: Substantial Work Remains to Translate
New Planning Requirements into Effective Port Security, GAO-04-838
(Washington, D.C.: Jun. 2004).
[27] See GAO, Managing for Results: Enhancing Agency Use of Performance
Information for Management Decision Making, GAO-05-97 (Washington,
D.C.: Sep. 2005).
[28] See GAO, Port Security: Better Planning Needed to Develop and
Operate Maritime Worker Identification Card Program, GAO-05-106
(Washington, D.C.: December 2004); and Transportation Security: DHS
Should Address Key Challenges before Implementing the Transportation
Worker Identification Credential Program, GAO-06-982 (Washington, D.C.:
Sep. 2006).
[29] See GAO, Transportation Security: TSA Has Made Progress in
Implementing the Transportation Worker Identification Credential
Program, but Challenges Remain, GAO-07-681T (Washington, D.C.: Apr. 12,
2007).
[30] These additional ports include Corpus Christi, TX; Baton Rouge,
LA; Beaumont, TX; Honolulu, HI; Oakland, CA; Tacoma, WA; Chicago/
Calumet, IL; Houston, TX; Port Arthur, TX; Providence, RI; and
Savannah, GA.
[31] The National Commission On Terrorist Attacks Upon the United
States, Final Report of the National Commission On Terrorist Attacks
Upon the United States, Washington, D.C.: Jul. 22, 2004).
[32] TSA determined that the background checks required for the
hazardous materials endorsement (an endorsement that authorizes an
individual to transport hazardous materials for commerce) and the Free
and Secure Trade card (a voluntary CBP program that allows commercial
drivers to receive expedited border processing) satisfy the background
check requirements for TWIC. TSA also determined that an individual
issued a Merchant Mariner Document (issued between February 3, 2003,
and March 26, 2007) was not subject to an additional background check
for TWIC.
[33] The SAFE Port Act required that GAO conduct a study of the
background records checks carried out for DHS that are similar to the
one required of truck drivers to obtain a hazardous material
endorsement. Pub. L. No. 109-347, §105 120 Stat. 1884, 1891 (2006). See
GAO, Transportation Security: Efforts to Eliminate Redundant Background
Check Investigations, GAO-07-756 (Washington, D.C.: Apr. 26, 2007).
[34] The term "harmonize" is used to describe efforts to increase
efficiency and reduce redundancies by aligning the background check
requirements to make the programs more consistent.
[35] Cargo manifests are prepared by the ocean carrier to describe the
contents of a container.
[36] For a summary of these reviews, see GAO, Cargo Container
Inspections: Preliminary Observations on the Status of Efforts to
Improve the Automated Targeting System, GAO-06-591T (Washington, D.C.:
Mar. 30, 2006).
[37] The Comptroller General's internal control standards state that
internal control activities help ensure that management's directives
are carried out. Further, they state that the control objectives should
be effective and efficient in accomplishing the agency's control
objectives. GAO, Standards for Internal Control in the Federal
Government, GAO/AIMD-00-21.3.1, 11 (Washington, D.C.: Nov. 1999).
[38] Smart features include more complex algorithms and real-time
intelligence.
[39] See GAO, International Trade: Persistent Weaknesses in the In-Bond
Cargo System Impede Customs and Border Protection's Ability to Address
Revenue, Trade, and Security Concerns, GAO-07-561, (Washington, D.C.:
Apr. 17, 2007).
[40] In-bond goods must be transported by a carrier covered by a CBP-
approved bond that allows goods that have not yet entered U.S. commerce
to move through the United States. The bond is a contract given to
ensure performance of obligations imposed by law or regulation and
guarantees payment to CBP if these obligations are not performed.
[41] CBP cannot assess the extent of the program because it does not
collect accurate information on the value and volume of in-bond cargo,
and its analysis of existing data is limited to the number of in-bond
transactions.
[42] Although an in-bond form is required for in-bond movement, it does
not have the same level of detail contained in entry documents, and
data from the form are not used to update ATS scores.
[43] Entry information is documentation to declare items arriving in
the United States. Entry information allows CBP to determine what is
included in a shipment, and provides more detail on a container's
contents than manifest information.
[44] These four ports were Los Angeles, Long Beach, Newark, and New
York.
[45] GAO-07-561.
[46] A core element of CSI is the use of technology to scan--to capture
data including images of cargo container contents--high-risk containers
to ensure that examinations can be done rapidly without slowing down
the movement of trade. This technology can include equipment such as
large scale X-ray and gamma ray machines and radiation detection
devices.
[47] See GAO, Container Security: A Flexible Staffing Model and Minimum
Equipment Requirements Would Improve Overseas Targeting and Inspection
Efforts, GAO-05-557 (Washington, D.C.: Apr. 26, 2005) and Container
Security: Expansion of Key Customs Programs Will Require Greater
Attention to Critical Success Factors, GAO-03-770 (Washington, D.C.:
Jul. 2003).
[48] See GAO-05-557.
[49] The WCO is an international organization aimed at enhancing the
effectiveness and efficiency of customs administrations.
[50] See GAO, Cargo Security: Partnership Program Grants Importers
Reduced Scrutiny with Limited Assurance of Improved Security, GAO-05-
404 (Washington, D.C.: Mar. 2005); and GAO-03-770.
[51] See GAO-05-405.
[52] See GAO, Combating Nuclear Smuggling: Additional Actions Needed to
Ensure Adequate Testing of Next Generation Radiation Detection
Equipment, GAO-07-1247T (Washington, D.C.: Sep 18, 2007);Combating
Nuclear Smuggling: DNDO Has Not Yet Collected Most of the National
Laboratories' Test Results on Radiation Portal Monitors in Support of
DNDO's Testing and Development Program, GAO-07-347R (Washington, D.C.:
Mar. 9, 2007); Combating Nuclear Smuggling: DHS's Cost-Benefit Analysis
to Support the Purchase of New Radiation Detection Portal Monitors Was
Not Based on Available Performance Data and Did Not Fully Evaluate All
the Monitors' Cost and Benefits, GAO-07-133R (Washington, D.C.: Oct.
17, 2006); Combating Nuclear Smuggling: DHS Has Made Progress Deploying
Radiation Detection Equipment at U.S. Ports of Entry, but Concerns
Remain, GAO-06-389 (Washington, D.C.: Mar. 22, 2006).
[53] See GAO-06-389.
[54] See GAO-07-133R.
[55] See GAO-07-1247T.
[56] For additional information, see GAO, Preventing Nuclear Smuggling:
DOE Has Made Limited Progress in Installing Radiation Detection
Equipment at Highest Priority Foreign Seaports, GAO-05-375 (Washington,
D.C.: Mar. 31, 2005).
GAO's Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, DC 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, DC 20548:
Public Affairs:
Susan Becker, Acting Manager, BeckerS@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, DC 20548:
