Maritime Security
Coast Guard Inspections Identify and Correct Facility Deficiencies, but More Analysis Needed of Program's Staffing, Practices, and Data Gao ID: GAO-08-12 February 14, 2008To help secure the nation's ports against a terrorist attack, federal regulations have required cargo and other maritime facilities to have security plans in place since July 2004. U.S Coast Guard (USCG) guidance calls for an annual inspection to ensure that plans are being followed. Federal law enacted in October 2006 required such facilities to be inspected two times a year--one of which is to be conducted unannounced. The USCG plans to conduct one announced inspection and the other as a less comprehensive unannounced "spot check." GAO examined the extent to which the USCG (1) has met inspection requirements and found facilities to be complying with their plans, (2) has determined the availability of trained personnel to meet current and future facility inspection requirements, and (3) has assessed the effectiveness of its facility inspection program and ensured that program compliance data collected and reported are reliable. GAO analyzed USCG compliance data, interviewed inspectors and other stakeholders in 7 of 35 USCG sectors of varying size, geographic location, and type of waterway.
We could not determine the extent to which the USCG has met inspection requirements because its compliance database does not identify all regulated facilities to establish how many should have been inspected. While the USCG estimates there are about 3,200 facilities requiring inspection, their records indicate 2,126 annual inspections were conducted in 2006. Headquarters officials said field units reported that all required facility inspections were conducted. However, officials also said some inspections may not have been recorded, or were delayed by staff being diverted for natural disasters. The USCG identified deficiencies in about one-third of inspections, mainly for problems with access controls or missing documentation. Over 80 percent of deficiencies identified by the USCG were resolved by facility operators without the USCG applying formal enforcement actions. Although USCG officials believe they have enough trained inspectors to conduct current and future inspections, two additional factors could affect the USCG's estimates of the number of inspectors needed. First, facility inspectors balance security inspections with other competing duties, such as safety or pollution checks, and giving priority to security inspections could affect these other duties, inspectors said. Second, new guidance for spot checks calls for these checks to be more detailed--and perhaps more time-consuming--than some USCG units conducted in the past. For example, the guidance now requires an on-site visit, whereas some units had allowed the check to be a drive-by observation. The effect of the new guidance on resource requirements in these units is unknown. The USCG has not assessed the effectiveness of its facility inspection program. Headquarters guidance gives considerable discretion to local USCG units in deciding how to conduct facility inspections--for example, deciding whether a fine is warranted. The USCG has little or no information, however, on which approaches work better than others and is therefore limited in being able to make informed decisions in guiding the program. Flaws in USCG's database, including missing, duplicate, and inconsistent information, complicate the USCG's ability to conduct such analyses or provide other information for making management decisions.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-12, Maritime Security: Coast Guard Inspections Identify and Correct Facility Deficiencies, but More Analysis Needed of Program's Staffing, Practices, and Data
This is the accessible text file for GAO report number GAO-08-12
entitled 'Maritime Security: Coast Guard Inspections Identify and
Correct Facility Deficiencies, but More Analysis Needed of Program's
Staffing, Practices, and Data' which was released on March 6, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Committee on Commerce, Science and Transportation, U.S.
Senate:
United States Government Accountability Office:
GAO:
February 2008:
Maritime Security:
Coast Guard Inspections Identify and Correct Facility Deficiencies, but
More Analysis Needed of Program's Staffing, Practices, and Data:
Maritime Security:
GAO-08-12:
GAO Highlights:
Highlights of GAO-08-12, a report to the Committee on Commerce, Science
and Transportation, U.S. Senate.
Why GAO Did This Study:
To help secure the nation‘s ports against a terrorist attack, federal
regulations have required cargo and other maritime facilities to have
security plans in place since July 2004. U.S Coast Guard (USCG)
guidance calls for an annual inspection to ensure that plans are being
followed. Federal law enacted in October 2006 required such facilities
to be inspected two times a year”one of which is to be conducted
unannounced. The USCG plans to conduct one announced inspection and the
other as a less comprehensive unannounced ’spot check.“ GAO examined
the extent to which the USCG (1) has met inspection requirements and
found facilities to be complying with their plans, (2) has determined
the availability of trained personnel to meet current and future
facility inspection requirements, and (3) has assessed the
effectiveness of its facility inspection program and ensured that
program compliance data collected and reported are reliable. GAO
analyzed USCG compliance data, interviewed inspectors and other
stakeholders in 7 of 35 USCG sectors of varying size, geographic
location, and type of waterway.
What GAO Found:
We could not determine the extent to which the USCG has met inspection
requirements because its compliance database does not identify all
regulated facilities to establish how many should have been inspected.
While the USCG estimates there are about 3,200 facilities requiring
inspection, their records indicate 2,126 annual inspections were
conducted in 2006. Headquarters officials said field units reported
that all required facility inspections were conducted. However,
officials also said some inspections may not have been recorded, or
were delayed by staff being diverted for natural disasters. The USCG
identified deficiencies in about one-third of inspections, mainly for
problems with access controls or missing documentation. Over 80 percent
of deficiencies identified by the USCG were resolved by facility
operators without the USCG applying formal enforcement actions.
Although USCG officials believe they have enough trained inspectors to
conduct current and future inspections, two additional factors could
affect the USCG‘s estimates of the number of inspectors needed. First,
facility inspectors balance security inspections with other competing
duties, such as safety or pollution checks, and giving priority to
security inspections could affect these other duties, inspectors said.
Second, new guidance for spot checks calls for these checks to be more
detailed”and perhaps more time-consuming”than some USCG units conducted
in the past. For example, the guidance now requires an on-site visit,
whereas some units had allowed the check to be a drive-by observation.
The effect of the new guidance on resource requirements in these units
is unknown.
The USCG has not assessed the effectiveness of its facility inspection
program. Headquarters guidance gives considerable discretion to local
USCG units in deciding how to conduct facility inspections”for example,
deciding whether a fine is warranted. The USCG has little or no
information, however, on which approaches work better than others and
is therefore limited in being able to make informed decisions in
guiding the program. Flaws in USCG‘s database, including missing,
duplicate, and inconsistent information, complicate the USCG‘s ability
to conduct such analyses or provide other information for making
management decisions.
This figure is a pie chart showing facility deficiencies identified in
2006 by Coast Guard inspections.
All other deficiencies: 30%;
Security measures for access control: 18%;
Facility recordkeeping requirements: 17%%;
Security measures for restricted areas: 14%;
Drill and exercise requirements: 11%;
Facility Security Plan amendment and audit requirements: 10%.
[See PDF for image]
Source: GAO analysis of MISLE data.
[End of figure]
What GAO Recommends:
GAO recommends the USCG reassess the number of inspection staff needed,
compare varying approaches taken by local units in conducting
inspections, and improve its facility compliance data. The Department
of Homeland Security agreed with GAO‘s recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.GAO-08-12]. For more information, contact
Stephen Caldwell at (202) 512-8777, caldwells@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Whether All Facility Inspections Requirements Were Met Is Not Clear,
but Those Conducted Identified Deficiencies with Facility Compliance in
about One-Third of All Inspections:
Data Used in Coast Guard's Assessments of Number of Inspectors Needed
Were Limited and Results Could Be Affected by Additional Factors:
The Coast Guard Has Not Evaluated Its Facility Oversight Program, and
Problems with Data Complicate Its Ability to Do So:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Total Nationwide Facility Deficiencies for 2004, 2005, and
2006 by MTSA Regulatory Citation:
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Related Products:
Tables:
Table 1: Deficiency Narrative Examples in 2006 from Selected Sectors
Visited by GAO in the Top Two Nationwide Deficiency Categories:
Table 2: Top Five Facility Deficiencies Recorded Nationwide in 2006:
Table 3: 2006 Nationwide Enforcement Actions Recorded for Top Five
Deficiencies and All Deficiencies:
Table 4: 2006 Enforcement Actions Recorded in Selected Sectors for Top
Five Recorded Deficiencies:
Table 5: Total Nationwide Facility Deficiencies for 2004-2006 by MTSA
Regulation Citation:
Figures:
Figure 1: Example of Activities Entered into the Coast Guard's MISLE
Database:
Figure 2: Recorded Security Spot Checks Performed by the Coast Guard in
2004, 2005, and 2006 and Number of Facilities Receiving Spot Checks:
Figure 3: Facility Deficiencies Identified in 2006 by Coast Guard
Inspections:
Figure 4: Example of Neighboring Facility Conditions Facilitating Entry
into a MTSA-Regulated Facility:
Figure 5: Examples of Other Inspector Responsibilities--Harbor Patrols
and Cargo Inspections:
Figure 6: Annual Compliance Exam Numbers in Coast Guard's Annual Report
to Congress and GAO Analysis of MISLE Data:
Abbreviations:
DHS: Department of Homeland Security:
FSO: Facility Security Officer:
FSP: Facility Security Plan:
MISLE: Maritime Information for Safety & Law Enforcement:
MTSA: Maritime Transportation Security Act of 2002:
OMB: Office of Management and Budget:
Results Act: Government Performance and Results Act:
SAFE Port Act: Security and Accountability for Every Port Act of 2006:
United States Government Accountability Office:
Washington, DC 20548:
February 14, 2008:
The Honorable Senator Daniel Inouye:
Chairman:
The Honorable Ted Stevens:
Vice Chairman:
Committee on Commerce, Science and Transportation:
United States Senate:
The security of more than 3,200 terminals, chemical plants, factories,
and power plants plays an important role in the protection of our
nation's ports. Ports and waterways represent attractive targets for
terrorist attack, given their importance to the economy, abundance of
specific targets, proximity to large populations, and accessibility by
water and land. To reduce the opportunity for terrorists to exploit
security vulnerabilities, as well as to help minimize the effects of
accidents or natural disasters, facilities are required to implement
security plans to maintain physical, passenger, cargo, and personnel
security and may utilize measures such as fences, security guards, and
monitoring activities using cameras. Efficiently implementing such
plans can reduce the potential for unauthorized entry and help prevent
vulnerabilities from being exploited to kill people, cause
environmental damage, or disrupt transportation systems and the
economy.
Much of the federal framework for port security is contained in the
Maritime Transportation Security Act of 2002 (MTSA).[Footnote 1] MTSA
establishes requirements for various layers of maritime security,
including requiring a national security plan, area security plans, and
facility and vessel security plans. [Footnote 2] The act calls for
various types of facilities to develop and implement a security plan,
and it places federal responsibility for approving and overseeing these
plans with the Department of Homeland Security (DHS). DHS has placed
lead responsibility for this and other MTSA requirements with the U.S.
Coast Guard. Subsequent Coast Guard guidance in 2003-2004 called for
conducting annual on-site inspections to verify a facility's compliance
with its security plan. The guidance also calls for the Coast Guard to
provide additional oversight at any time based on perceived risk.
In 2004 we reviewed the implementation of these and other MTSA
provisions.[Footnote 3] We reported that facility owners and operators
had made progress in developing their security plans but expressed
concerns about challenges the Coast Guard faced in ensuring enough well-
trained inspectors and equipping them with adequate guidance to conduct
thorough, consistent reviews. We reported that the Coast Guard was in
an initial "surge" period during which it had to cope with reviewing
security plans submitted at the time for more than 3,000 facilities and
over 9,000 vessels. We recommended that after this initial 6-month
period, the Coast Guard use the experience to evaluate its initial
compliance strategy and take steps to strength the compliance process
for the long term.
Since 2004, requirements for inspecting maritime facilities have
increased. The Security and Accountability For Every Port Act (SAFE
Port Act), enacted in October 2006, among other things, amended MTSA to
direct the Coast Guard to inspect facility compliance with its approved
facility security plan periodically, but not less than two times per
year, at least one of which shall be an inspection of the facility that
is conducted without notice to the facility.[Footnote 4] Thus, in
effect, under the SAFE Port Act maritime facility inspection
requirements, in addition to an annual inspection, the Coast Guard is
also required to make a second unannounced inspection of each MTSA
facility.[Footnote 5]
You asked us to review the Coast Guard's progress in dealing with these
expanded inspection requirements and developing a sound oversight
strategy. This report addresses the extent to which the Coast Guard:
* has met its maritime facility inspection requirements and has found
facilities to be in compliance with their security plans,
* has determined the availability of trained personnel to meet current
and future facility inspection requirements, and:
* has assessed the effectiveness of its MTSA facility oversight program
and ensured that program compliance data collected and reported are
reliable.
To address these questions, we conducted work at Coast Guard
headquarters and at various ports in seven of the Coast Guard's 35
sectors.[Footnote 6] Within each sector, we interviewed Coast Guard
officials and inspectors, facility security officials at 29 selected
MTSA facilities, and other port stakeholders. We obtained and analyzed
data from 2004-2006 on Coast Guard's facility compliance activities
from the Marine Information for Safety and Law Enforcement (MISLE)
database, which is the agency's primary data system for documenting
facility oversight and other activities. As discussed later in this
report, we identified some problems with the data, and worked with
agency officials to address these problems to the extent possible. To
assess the reliability of the data, we (1) performed electronic testing
for obvious errors in accuracy and completeness;(2) reviewed related
documentation, such as guidance for entering data in MISLE; and (3)
held meetings and exchanged correspondence with Coast Guard information
systems officials to discuss data entry and analysis and ensure correct
identification of specific data fields. We removed 77 records that
Coast Guard indicated to be duplicate records, created a dataset
linking deficiencies and enforcement actions and worked with Coast
Guard to reduce data inconsistencies, and created a new "Sector" field
based on Coast Guard identification of the appropriate sector. Based on
the steps we took to assess data reliability and our work with Coast
Guard officials to resolve problems with the data, we found the data to
be sufficiently reliable to provide a general indication of Coast Guard
compliance activities. We also reviewed a variety of documents, such as
pertinent MTSA provisions, as amended, and their implementing
regulations, Coast Guard circulars, and reports related to port
security. A more detailed description of our scope and methodology is
contained in appendix I.
We conducted this performance audit from May 2006 through February 2008
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Results in Brief:
Although the Coast Guard has conducted thousands of inspections at MTSA
facilities and identified facility deficiencies in about one-third of
those inspections, we could not confirm whether the Coast Guard has
fulfilled its annual compliance exam requirement each year because the
Coast Guard's database cannot identify all regulated facilities in
prior years that the Coast Guard was required to have inspected. Based
on the number of facility security plans approved by the Coast Guard,
officials estimated that about 3,200 facilities require inspection.
Coast Guard compliance records indicate 2,126 annual inspections were
conducted in 2006. Headquarters officials said field units reported
that all required facility annual inspections were conducted, as did
officials in the seven sectors we visited. However, officials also
stated that some inspections conducted may not have been recorded, or
inspections were delayed beyond the end of the year by staff being
diverted for higher-priority missions, such as natural disasters. In
addition to the annual exam, our analysis shows that Coast Guard units
had been performing spot checks prior to the SAFE Port Act's passage,
but not at all facilities. In calendar year 2006, for example, the
Coast Guard conducted about 4,500 spot checks at about 1,200 MTSA
facilities. The top categories of deficiencies, collectively accounting
for about 35 percent of all recorded deficiencies in 2006, were access
controls (such as unlocked gates) and documentation (such as not
recording a security exercise). In over 80 percent of the cases,
deficiencies were resolved by facility operators without the Coast
Guard applying formal action, such as a written warning or fine. Our
analysis showed differences in the extent to which individual Coast
Guard units took formal enforcement actions.
The Coast Guard believes it has sufficient numbers of inspectors to
conduct all required inspections, but additional factors could affect
the Coast Guard's estimates of the number of inspectors needed.
Headquarters officials said their assessments of the number of
inspectors needed were based largely on estimates of such things as
number of facilities and time needed to conduct inspections. Coast
Guard headquarters has not assessed the reliability of these estimates
and our field visits identified two potential factors that were not
taken into account in making these estimates. First, staff assigned to
inspector positions may not be available full time to conduct security
inspections because they have other responsibilities. In all seven
sectors we visited, inspectors said they had other duties--such as
inspecting cargo or monitoring safety and pollution incidents. However,
the Coast Guard does not have data on how inspectors' time is
allocated. In four of these sectors, inspectors reported to us that
meeting the combined responsibilities was a challenge that could affect
their ability to conduct all required inspections. Second, inspection
requirements themselves have recently changed, and these changes could
affect the amount of time needed to complete inspections. Until
recently, the Coast Guard did not have guidance specifying how spot
checks were to be conducted. We found considerable variation among
sectors in the extensiveness of these spot checks. Some units, for
example, counted visual drive-bys as spot checks, while others required
an on-site presence. As our fieldwork was being completed, the Coast
Guard issued guidance calling for a more detailed review than took
place for some spot checks in the past. Coast Guard officials did not
know what effect these new inspection requirements will have on the
inspection workload.
The Coast Guard has not assessed the effectiveness of its facility
oversight program, and flaws in data in MISLE, the Coast Guard's main
database for inspections, limit the Coast Guard's ability to accurately
portray and appropriately target oversight activities. Basic guidance
provided by headquarters officials grants considerable discretion to
local Coast Guard units in deciding how to conduct facility oversight-
-for example, deciding whether a fine is warranted. The Coast Guard has
little or no information, however, on which approaches work better than
others. Our past work has shown that high-performing organizations
continuously assess their performance with information about results
based on their activities. The Coast Guard is limited in its ability to
accurately assess facility oversight activities because its MISLE
database suffers from such problems as missing, duplicate, and
inconsistent compliance activity data. Accurate and complete data are a
key component of any assessment of compliance activities and for
management purposes at both the headquarters and local levels.
Compliance data flaws make it difficult to produce consistent
statistics important for an overall assessment of facility oversight
activities and to conduct critical analyses. For example, officials in
the seven Coast Guard sectors we visited said that although MISLE data
are useful in tracking an individual facility's performance, the data
are of limited use in creating useful and reliable reports across
multiple facilities. At the headquarters level, the Coast Guard is
hampered in evaluating compliance activities, such as comparing the
extent to which various units levy fines or discover various types of
deficiencies. Recent Coast Guard guidance calls for improved MISLE data
entry; however, changes made as a result of the guidance are not yet
known, and the guidance does not address other MISLE compliance data
flaws such as lack of consistency in the data.
We recommend that the Secretary of the Department of Homeland Security
direct the Coast Guard to improve its facility inspection program.
Specifically, we recommend that the Coast Guard be directed to:
* reassess the adequacy of staff to complete required inspections in
light of changing inspection guidance regarding how inspections are
conducted,
* assess the effectiveness of differences in program implementation,
and:
* assess its MISLE compliance data reliability and identify strategies
for more effective use of the data.
The Department of Homeland Security concurred with our recommendations.
Background:
The importance and potential vulnerability of our nation's ports are
well documented. National ports and waterways are responsible for
moving over 99 percent of the volume of overseas cargo, with over $5.5
billion worth of goods moving in and out of U.S. ports every day,
according to the American Association of Port Authorities. With more
than half of the crude oil and all of the liquefied natural gas used in
the country in 2005, any disruption in the flow of commerce could have
major economic consequences. As vital as ports are to the country, they
are susceptible to terrorist acts due to their size and openness--
easily accessible by water and land and are attractive targets given
the proximity of many ports to urban areas and collocation with power
plants, oil refineries, and other energy facilities.
Efforts to address port vulnerabilities face the challenge of having to
consider the impact that an increase in security may have on the
operation of commerce and the impact on maritime facility operators of
costly security requirements. Particularly with "just in time"
deliveries, which rely on the quick movement of goods, steps added to
the process to increase security may have economic
consequences.[Footnote 7] Actions to improve security are undertaken
with the knowledge that total security cannot be bought no matter how
much is spent on it because of the difficulty of anticipating and
addressing all security concerns.
MTSA Establishes Security Measures for Maritime Facilities:
MTSA established a framework to help protect the nation's ports and
waterways from terrorist attacks by mandating a wide range of security
improvements. Among the major requirements included in MTSA were those
related to facilities located in, on, under or adjacent to waters
subject to the jurisdiction of the United States that the Secretary of
DHS believes may be involved in a transportation security
incident.[Footnote 8] MTSA and Coast Guard implementing regulations
establish requirements for owners and operators currently at about
3,200 select port facilities.[Footnote 9] In general, facilities that
receive vessels that carry large or hazardous cargo, vessels subject to
international maritime security standards, selected barges, and
passenger vessels certified to carry more than 150 passengers are
subject to MTSA regulations.
Owners or operators of facilities subject to MTSA regulations (MTSA
facilities) were required, among other things, to designate a Facility
Security Officer (FSO), ensure that a facility security risk assessment
was conducted, and ensure that a facility security plan was approved
and implemented. The basic aim of such plans is to develop measures to
mitigate potential vulnerabilities that could otherwise be exploited to
kill people, cause environmental damage, or disrupt transportation
systems and the economy. Facility Security Plans (FSP) encompass a
range of security activities, such as access controls and security
training to prevent a security incident. MTSA and its regulations set
out requirements that are performance-based rather than requiring
specific procedures or equipment, thus allowing flexibility for meeting
the law's requirements. For example, a facility's plan must include
measures to control access to the facility, but how access should be
specifically controlled is not mandated by MTSA or its implementing
regulations.
The Coast Guard is largely responsible for administering MTSA
requirements. For facilities, in addition to issuing regulations, the
Coast Guard is responsible for review and approval of facility security
plans, ensuring that facilities implement the plans, verifying that
facilities continue to adhere to their plans, and for re-approving
facility security plans periodically, which were established by Coast
Guard regulations as valid for 5 years. The Coast Guard reported that
security plans required for over 3,000 MTSA facilities as of July 1,
2004 were approved, and that it had verified that these plans were in
place by December 31, 2004. With the 5-year approval of facility
security plans complete, the focus shifted to ensuring continued
compliance with security measures that have been implemented.
We reviewed the Coast Guard's early MTSA implementation and identified
short-and long-term challenges to the Coast Guard's May 2004 strategy
for monitoring and overseeing security plan implementation. Key
concerns were how the Coast Guard planned to ensure that enough
inspectors were available, that they would have a training program
sufficient to overcome major differences in inspector experience
levels, and that inspectors would be equipped with adequate guidance to
help conduct thorough, consistent reviews. Further, we reported that
the Coast Guard faced the challenge of ensuring that owners and
operators continue implementing their plans and do not mask security
problems in ways that do not represent the normal course of business.
In this regard, our work has shown that there are options the Coast
Guard could consider beyond regularly scheduled visits, such as
unscheduled, unannounced visits, and covert testing. We recommended
that the Coast Guard evaluate its initial compliance efforts and use
the information to strengthen the compliance process for its long-term
strategy.
MISLE Database Adapted to Capture MTSA Compliance Data:
Coast Guard activities related to MTSA facility security plan approval
and facility oversight are captured in the Coast Guard's MISLE
database. MISLE began operating in December 2001 as the Coast Guard's
primary data system for documenting marine safety and environmental
protection activities. Storage of data on MTSA facility oversight and
that of other Coast Guard activities, such as vessel boardings and
incident response have since been added. The purpose of MISLE is to
provide the capability to collect, maintain, and retrieve information
necessary for the administration, management and documentation of Coast
Guard activities. Data on facilities are entered by inspectors on an
intranet website using dropdown menus and narrative fields related to a
specific compliance activity. The information maintained in MISLE is
varied, as shown by the entry screen reproduced in figure 1.
Figure 1: Example of Activities Entered into the Coast Guard's MISLE
Database:
This figure is a visual picture of individual activities such as vessel
inspection, facility inspection, and vessel boarding entered into the
Coast Guard's MISLE database.
[See PDF for image]
Source: MISLE User's Guide.
[End of figure]
Whether All Facility Inspections Requirements Were Met Is Not Clear,
but Those Conducted Identified Deficiencies with Facility Compliance in
about One-Third of All Inspections:
Limitations in Coast Guard's compliance database preclude it from being
able to document whether all facilities received an annual exam each
year. Coast Guard officials said field units report that they are
meeting their inspection requirements, but inspections may not be
documented in the compliance database, or inspections may have been
delayed by staff being diverted to meet higher-priority needs. The
available data indicate that the Coast Guard also conducted many spot
checks, but prior to the SAFE Port Act's requirement for an annual
unannounced inspection of each facility, these spot checks were
concentrated in about one-third of regulated facilities. The types of
deficiencies identified most often during annual exams and spot checks
fell into five main categories, with the top two categories--not
adhering to facility plans regarding access controls (such as gates and
fences) and lack of documentation (such as no record of drills)
accounting for over a third of deficiencies. Relatively few facilities
in the Coast Guard sectors we visited had many or substantial
deficiencies, and Coast Guard officials provided anecdotal evidence
that security had generally improved over time. The Coast Guard sectors
varied in the extent to which they resolved deficiencies using formal
enforcement actions such as written warnings or fines, although overall
over 80 percent of deficiencies were resolved without formal actions.
Coast Guard Officials Report Annual Exams and Spot Checks Have Been
Conducted, but Extent to Which All Regulated Facilities Have Received
Both Inspections Cannot Be Documented:
Coast Guard officials at headquarters and the sectors we visited
reported MTSA facilities subject to maritime facility inspection
requirements were being inspected. At sectors we visited, Coast Guard
officials based this assessment on data from MISLE supplemented by
knowledge of facilities under their jurisdiction.[Footnote 10] Sector
officials, like headquarters officials, cannot use MISLE to identify
all facilities that were subject to inspection because of flaws in the
MISLE database. Some sectors mentioned that they also maintained local
spreadsheets documenting exams. Headquarters officials said that they
based their assessment on information requested from field units
regarding whether the units were meeting annual exam requirements,
although they acknowledged that there were some situations in which
annual inspections might not have been conducted within the year.
Reasons this official and others cited for some facilities possibly not
receiving an exam during 2006 included the following:
* Inspectors were diverted to a higher-priority mission. Officials said
that activities conducted after Hurricanes Rita and Katrina disrupted
inspection activities in the areas affected by the hurricanes and
diverted Coast Guard resources from other regions. In the Upper
Mississippi River sector, officials similarly reported inspectors being
detailed to respond to floods in North Dakota. One inspector said it
took an additional 6 months to complete on-the-job training needed be
certified as an inspector because of the time she spent detailed away
from the sector.
* MISLE data may not reflect all the annual exams that were conducted.
For example, officials said that an annual compliance exam could have
been conducted while inspectors conducted a pollution inspection, but
the activity was only entered as a pollution inspection. No information
was available to identify annual exams conducted but not recorded.
Definitive information about the extent to which all facilities were
inspected is not available, because the Coast Guard's MISLE database
does not have the capability to document the extent to which MTSA
facilities received an annual inspection for a particular year. The
database can identify which facilities received annual exams in a
particular year, but it cannot identify those facilities that did not
receive exams but should have. Our analysis of MISLE data on the number
of exams reported, however, indicates the total is less than the number
of facilities the Coast Guard believes it is regulating. The Coast
Guard estimates the number of MTSA facilities at about 3,200
nationwide, based on the number of facility security plans currently
approved. Our analysis of MISLE data indicated 2,126 facilities
received exams during 2006.[Footnote 11]
Coast Guard data show that prior to the SAFE Port Act's requirement
that each facility receive an unannounced inspection, Coast Guard units
were conducting unannounced spot checks, but not at every facility.
MISLE data indicate the Coast Guard conducted about 4,500 spot checks
in 2006, covering about 1,200 facilities. The pattern was similar in
2005, the first full year of facility oversight (see fig. 2). The SAFE
Port Act's requirement for each facility to receive two inspections was
not effective until October 2006.
Figure 2: Recorded Security Spot Checks Performed by the Coast Guard in
2004, 2005, and 2006 and Number of Facilities Receiving Spot Checks:
This figure is a bar graph showing recorded security spot checks
performed by the Coast Guard in 2004, 2005, and 2006, and a number of
facilities receiving spot checks. The X axis represents the dates, and
the Y axis represents the number. The white bar represents the number
of security spotchecks in GAO analysis of MISLE data (includes multiple
spotchecks for unique facilities) and number of unique facilities that
received at least one security spotchecks in GAO analysis of MISLE
data.
[See PDF for image]
Source: GAO analysis of Coast Guard MISLE data.
[End of figure]
Coast Guard officials said that, prior to the SAFE Port Act's new
unannounced inspection requirement, units used a combination of risk
and convenience to decide which facilities should receive spot checks.
As a result, some facilities received a number of checks in a year's
time, while others received none. For example, Coast Guard officials at
two sectors said if inspectors are frequently at a facility to examine
arriving vessels, they also have an opportunity to conduct a spot check
of the facility's security measures. Several sectors we visited
mentioned that they had a goal, even before the new requirement took
effect, of spot checking every facility, but officials at these sectors
said the risk-based approach took precedence, leading to numerous
checks at facilities with higher risk.
Given the resources provided in DHS fiscal year 2007 appropriations,
related Coast Guard allocations, and the number of spot checks
conducted in prior years, Coast Guard officials said they expect
sectors to meet--and likely exceed--the spot-check
requirements.[Footnote 12] At sectors we visited where additional
staffing resources (temporary reservists and permanent staff) were in
place, local officials generally agreed with this assessment. At a
sector that did not receive additional permanent staff, however,
officials said they were still determining how to meet the SAFE Port
Act inspection requirements after temporary staff were gone.
Deficiencies Identified in about One-Third of Facilities and Most Were
Addressed without Formal Coast Guard Enforcement Action:
The Coast Guard identified deficiencies in about one-third of the
facilities inspected in 2004-2006, with deficiencies concentrated in a
subset of five deficiency categories, for example, failing to follow
facility security plans for access control. Facilities with many or
substantial deficiencies were relatively few in number, and
deficiencies were identified during both annual exams and spot checks.
The extent to which formal enforcement actions were used was limited
nationally, but varies greatly among Coast Guard sectors. The majority
of deficiencies were addressed by the Coast Guard informally, without
formal enforcement actions.
Facility Deficiencies Were Concentrated in Five Deficiency Categories:
Thirty-six percent of the facilities that the Coast Guard documented as
receiving an annual compliance exam or a spot check in 2006 had at
least one reported deficiency, according to our analysis of information
in MISLE. The previous 2 years were similar, with rates of 30 percent
each year. These figures may not include security weaknesses that are
corrected on the spot. Headquarters and sector officials told us that,
in keeping with Coast Guard policy allowing the practice, inspectors
may choose not to record such deficiencies. For example, a facility
security officer at one oil facility said the Coast Guard gave him a
verbal warning about the failure to display credentials at entrance
gates and maintaining better documentation of security drills conducted
at the facility. Similarly, the security officer at a gypsum facility
said inspectors had suggested more creativity in crafting facility
exercise scenarios (which the facility official said he would try to
do) but inspectors had not recorded a deficiency.
About 70 percent of the 2,500 reported deficiencies identified in 2006
occurred in five categories: access control (such as fences or gates
needing repair), recordkeeping requirements, security for restricted
areas (such as not posting required signs), drill and exercise
requirements, and facility security plan amendment (for example failing
to get approval for changing a security measure) and deficiencies
related to the facility security plan or conducting a facility security
audit. As figure 3 indicates, the two top categories, with over one-
third of the deficiencies, were access control and facility
recordkeeping requirements.[Footnote 13]
Figure 3: Facility Deficiencies Identified in 2006 by Coast Guard
Inspections:
This figure is a pie chart showing facility deficiencies identified in
2006 by Coast Guard inspections.
All other deficiencies: 30%;
Security measures for access control: 18%;
Facility recordkeeping requirements: 17%%;
Security measures for restricted areas: 14%;
Drill and exercise requirements: 11%;
Facility Security Plan amendment and audit requirements: 10%.
[See PDF for image]
Source: GAO analysis of MISLE data.
[End of figure]
Access and documentation were also the most common types of
deficiencies at the sectors we visited. Table 1 provides examples of
deficiencies in these two categories from the sectors we visited. As
the examples illustrate, each category can include a variety of
violations. Similar deficiencies were reported by officials at
facilities we visited within the seven sectors. Examples included not
constructing a new fence after a tornado; not screening vehicles,
persons, and personal effects; leaving a gate unlocked; not completing
exercise requirements; and lack of timeliness in documenting training.
Table 1: Deficiency Narrative Examples in 2006 from Selected Sectors
Visited by GAO in the Top Two Nationwide Deficiency Categories:
Sector: Sector A;
Security measures for access control: Restricted area fence damaged by
storm 1 week prior to inspection. Provide work order for repair prior
to 1 week from date of inspection;
Facility recordkeeping requirements: Show proper documentation of
annual facility security plan audit.
Sector: Sector B;
Security measures for access control: Facility inspectors found an open
gate near the rail that had no security measures in place;
Facility recordkeeping requirements: FSO did not provide certified
letter of annual audit.
Sector: Sector C;
Security measures for access control: Fencing was damaged/pulled away
from posts in several locations diminishing access control;
Facility recordkeeping requirements: Documentation not available on
training for personnel with security duties and personnel without
security duties, and drill and exercise requirements.
Sector: Sector D;
Security measures for access control: Not screening by hand or device
such as x-ray, all unaccompanied baggage prior to loading onto
facility;
Facility recordkeeping requirements: No maintenance, calibration, and
testing of security equipment logs were able to be produced.
Sector: Sector E;
Security measures for access control: No narrative available;
Facility recordkeeping requirements: Drill and exercise records not in
FSP specified format or available for Coast Guard inspection.
Sector: Sector F;
Security measures for access control: Signage describing security
measures is not in place. Put sign describing security measures in
place;
Facility recordkeeping requirements: Facility has no records of
facility personnel with security duties.
Sector: Sector G;
Security measures for access control: FSO greeted inspection team and
granted them access to facility without checking ID;
Facility recordkeeping requirements: No lessons learned were recorded
for the drills.
Source: Coast Guard MISLE data verbatim narrative descriptions of
facility deficiencies.
[End of table]
Our visits to facilities in the seven sectors also disclosed instances
in which a regulated facility's access controls would not prohibit
access from a neighboring facility. We observed four instances in which
a neighboring facility's building or stacked-up materials would
facilitate entry over a regulated facility's perimeter fencing. Figure
4 shows one of those instances.[Footnote 14] After we pointed out these
weaknesses to Coast Guard officials, they assured us that the
weaknesses would be corrected. Coast Guard officials told us that any
vulnerabilities introduced by neighboring facilities (whether the
neighboring facility is a MTSA facility or not) should be identified in
a facility's vulnerability assessment, then addressed in a facility's
security plan.
Figure 4: Example of Neighboring Facility Conditions Facilitating Entry
into a MTSA-Regulated Facility:
This figure is a picture of an example of neighboring facility
conditions facilitating entry into a MTSA-regulated facility.
[See PDF for image]
Source: GAO.
[End of figure]
While about one-third of all facilities had at least one deficiency
identified and recorded during an annual inspection or spot check,
deficiencies in the seven sectors we visited tended to be concentrated
in relatively few facilities. According to MISLE data, five or fewer
facilities accounted for an average of 61 percent of deficiencies in
six of the seven sectors we visited, and 10 or fewer facilities
accounted for an average of 80 percent.[Footnote 15] One facility that
receives passenger vessels in one sector we visited was cited for 12
deficiencies during its annual compliance exam. This facility's
deficiencies related primarily to (1) lack of knowledge about security
procedures or equipment on the part of the security officer or other
personnel and (2) failure to conduct or document security drills and
exercises.
Coast Guard officials at the sectors we visited said they thought
security awareness and procedures had improved in the years since
MTSA's inception. Atlantic Area Coast Guard officials cited MTSA as
making a difference in reducing cargo loss as increased security
procedures lower theft rates. Officials cited qualitative changes such
as the following:
* facilities taking more ownership of their own security and being more
aware of security concerns,
* fewer trespassers on waterfront property and increasing security
awareness among maritime workers,
* decrease in vandalism as a result of additional cameras in port
areas:
* more informed security personnel, and:
* improved communication with facilities regarding break-ins.
Our analysis of the top deficiencies included in the Coast Guard's
database showed that Coast Guard inspectors identified deficiencies
both in spot checks and in annual exams, but spot checks tended to
identify deficiencies related to access control and control over
restricted areas. As table 2 shows, spot checks accounted for 44
percent of all recorded access control deficiencies and 19 percent of
restricted area deficiencies, but no more than 9 percent of the other
most common categories of deficiencies--drills, recordkeeping, and plan
amendment/audits. This may occur because spot checks are sometimes
conducted external to the facility and do not involve checking records,
drills, or plans.[Footnote 16]
Table 2: Top Five Facility Deficiencies Recorded Nationwide in 2006:
Deficiency category: Drill and exercise requirements;
Deficiencies: 269;
Percent identified during annual exam: 92;
Percent identified during spot check: 7;
Percent identified during other activities[A]: 1.
Deficiency category: Facility recordkeeping requirements;
Deficiencies: 418;
Percent identified during annual exam: 94;
Percent identified during spot check: 6;
Percent identified during other activities[A]: 0.
Deficiency category: Security measures for access control;
Deficiencies: 458;
Percent identified during annual exam: 50;
Percent identified during spot check: 44;
Percent identified during other activities[A]: 6.
Deficiency category: Security measures for restricted areas;
Deficiencies: 364;
Percent identified during annual exam: 79;
Percent identified during spot check: 19;
Percent identified during other activities[A]: 2.
Deficiency category: Facility Security Plan amendment and audit;
Deficiencies: 243;
Percent identified during annual exam: 90;
Percent identified during spot check: 9;
Percent identified during other activities[A]: 1.
Deficiency category: U.S. Total for top five deficiencies;
Deficiencies: 1,752;
Percent identified during annual exam: 78;
Percent identified during spot check: 19;
Percent identified during other activities[A]: 3.
Source: GAO analysis of Coast Guard MISLE data.
[A] Includes monitoring of facility security plan exercises and other
oversight activities.
[End of table]
We attempted to compare deficiencies identified during announced or
unannounced annual compliance exams, but until July 2007, activities in
the database were not required to indicate whether an exam was
announced or unannounced. Headquarters officials acknowledged that
there is variation in whether sectors conduct these exams announced or
not, but could not provide information for all sectors that would allow
a comparison.[Footnote 17] Furthermore, the Coast Guard has not
assessed the effectiveness of each approach to establish whether one
approach is more effective in identifying deficiencies.
Informal Enforcement Actions Generally Used for Deficiencies, but Use
Varied among Sectors Visited:
Inspectors told us they generally use Coast Guard guidance in deciding
whether to issue some form of formal enforcement action, taking into
consideration the facility's deficiency history and the risk associated
with the violation. Several Coast Guard sector officials said the Coast
Guard prefers to work cooperatively with facilities to improve security
procedures, instead of taking an adversarial or punitive approach. They
said they often give facilities several weeks during which to fix a
deficiency, instead of issuing an immediate enforcement action.
Most often, a formal enforcement action, such as issuing a letter of
warning, a notice of violation, or a civil penalty such as a fine, is
not applied. Our analysis of MISLE data indicates that inspectors took
one of these formal actions in about 11 percent of recorded
deficiencies in 2004, 19 percent in 2005, and 16 percent in 2006. Table
3 shows what types of enforcement actions were recorded for the top
five deficiencies in 2006 and a total for all deficiencies in 2006.
Based on MISLE data, of the top five deficiencies, access control was
most likely to result in an enforcement action. For this type of
deficiency, formal action occurred 25 percent of the time.
Table 3: 2006 Nationwide Enforcement Actions Recorded for Top Five
Deficiencies and All Deficiencies:
Deficiency category: Security measures for access control;
Deficiencies: 458;
Letter of warning issued: 31;
Notice of violation issued: 57;
Civil penalty issued: 28;
Percent of cases in which enforcement action was issued: 25.
Deficiency category: Facility recordkeeping requirements;
Deficiencies: 418;
Letter of warning issued: 15;
Notice of violation issued: 4;
Civil penalty issued: 7;
Percent of cases in which enforcement action was issued: 6.
Deficiency category: Security measures for restricted areas;
Deficiencies: 364;
Letter of warning issued: 11;
Notice of violation issued: 22;
Civil penalty issued: 5;
Percent of cases in which enforcement action was issued: 10.
Deficiency category: Drill and exercise requirements;
Deficiencies: 269;
Letter of warning issued: 4;
Notice of violation issued: 18;
Civil penalty issued: 6;
Percent of cases in which enforcement action was issued: 10.
Deficiency category: Facility Security Plan amendment and audit;
Deficiencies: 243;
Letter of warning issued: 8;
Notice of violation issued: 9;
Civil penalty issued: 7;
Percent of cases in which enforcement action was issued: 10.
Deficiency category: Total for top five deficiencies;
Deficiencies: 1,752;
Letter of warning issued: 69;
Notice of violation issued: 110;
Civil penalty issued: 53;
Percent of cases in which enforcement action was issued: 13.
Deficiency category: Total for all deficiencies;
Deficiencies: 2,513;
Letter of warning issued: 115;
Notice of violation issued: 181;
Civil penalty issued: 96;
Percent of cases in which enforcement action was issued: 16.
Source: GAO analysis of Coast Guard MISLE data.
[End of table]
Our analysis of MISLE data shows sectors varied in the extent to which
enforcement actions were taken. Coast Guard officials said that sector
management is given discretion to use or not use enforcement actions as
year 2006, the Coast Guard's use of enforcement actions for the top
five nationwide deficiencies in the sectors we visited. Even when the
same deficiency is recorded, the sectors we visited vary greatly in
whether or not they issued an enforcement action. For example, the
first sector shown in the table took no enforcement actions, while the
second sector used enforcement actions in each of the five deficiency
categories. Our analysis could not determine the reasons for these
differences, such as whether the variations reflect different
circumstances faced by sectors, nor could Coast Guard officials explain
the differences.
Table 4: 2006 Enforcement Actions Recorded in Selected Sectors for Top
Five Recorded Deficiencies:
Sector: Drill and exercise requirements: Number of deficiencies;
A: 7;
B: 4;
C: 10;
D: 4;
E: 4;
F: 34;
G: 7;
Total of Selected Sectors: 70.
Sector: Drill and exercise requirements: Percent of cases in which
enforcement action was issued;
A: 0;
B: 100;
C: 60;
D: 75;
E: 75;
F: 15;
G: 0;
Total of Selected Sectors: 30.
Sector: Facility recordkeeping requirements: Number of deficiencies;
A: 7;
B: 16;
C: 8;
D: 2;
E: 8;
F: 58;
G: 19;
Total of Selected Sectors: 118.
Sector: Facility recordkeeping requirements: Percent of cases in which
enforcement action was issued;
A: 0;
B: 31;
C: 13;
D: 100;
E: 38;
F: 5;
G: 0;
Total of Selected Sectors: 12.
Sector: Security measures for restricted access control: Number of
deficiencies;
A: 9;
B: 17;
C: 25;
D: 3;
E: 0;
F: 7;
G: 4;
Total of Selected Sectors: 65.
Sector: Security measures for restricted access control: Percent of
cases in which enforcement action was issued;
A: 0;
B: 41;
C: 40;
D: 67;
E: -;
F: 29;
G: 100;
Total of Selected Sectors: 38.
Sector: Security measures for restricted areas: Number of deficiencies;
A: 18;
B: 7;
C: 3;
D: 0;
E: 0;
F: 12;
G: 0;
Total of Selected Sectors: 40.
Sector: Security measures for restricted areas: Percent of cases in
which enforcement action was issued;
A: 0;
B: 57;
C: 33;
D: -;
E: -;
F: 0;
G: -;
Total of Selected Sectors: 13.
Sector: Facility Security Plan amendment and audit: Number of
deficiencies;
A: 6;
B: 5;
C: 6;
D: 0;
E: 7;
F: 16;
G: 10;
Total of Selected Sectors: 50.
Sector: Facility Security Plan amendment and audit: Percent of cases in
which enforcement action was issued;
A: 0;
B: 60;
C: 0;
D: -;
E: 43;
F: 13;
G: 0;
Total of Selected Sectors: 16.
Source: GAO analysis of Coast Guard MISLE data.
[End of table]
Data Used in Coast Guard's Assessments of Number of Inspectors Needed
Were Limited and Results Could Be Affected by Additional Factors:
The Coast Guard's assessments of the number of inspectors needed to
meet facility inspection requirements were based on limited data, and
since these assessments were conducted, additional factors have arisen
that could also affect the number of inspectors needed. The original
assessment for meeting MTSA requirements and the subsequent assessment
for meeting additional SAFE Port Act requirements were both estimates
that were based on limited information, and the Coast Guard has not
assessed their reliability. Moreover, our field visits identified two
factors that could affect the estimates. One is that persons in
inspector positions have other responsibilities that may compete with
conducting inspections, so that the amount of time available for
inspections may be less than expected. The Coast Guard does not have
data on what portion of inspectors' time is actually available for
conducting inspections. The second factor is that recently issued
guidance for conducting unannounced spot checks may require inspectors
in some locations to spend more time conducting these spot checks than
they had spent in the past. Coast Guard officials do not know what the
effect of the new spot check requirements will be on resources needed.
Coast Guard Believes It Has Sufficient Inspectors, but Its Estimates
Were Based on Limited Data:
Although Coast Guard officials said the number of Coast Guard
inspectors is adequate, their basis for determining the number of
inspectors needed, both for the initial implementation of MTSA and to
meet SAFE Port Act inspection requirements, was limited in several
respects. When we reviewed the approach the Coast Guard used to project
staff needed for meeting MTSA inspection requirements, we found the
Coast Guard did not have a great deal of workload data to use in
estimating the additional staff needed, nor did it have a system in
place for determining how much time its personnel are spending on
specific duties.[Footnote 18] The Coast Guard told us it established
its estimates for the number of inspectors needed using working groups,
panels, and available data, including information about resources in
port security missions since the September 11, 2001, terrorist
attacks.[Footnote 19] The estimates were also based on experience with
environmental and safety inspections, but whether those types of
inspections were analogous was unclear. Further, the Coast Guard could
not provide documentation of the approach it used, limiting its ability
to assess the adequacy of its decision. We determined that the Coast
Guard had a basis for its estimate, but also that its approach stopped
short of providing demonstrable evidence of its validity. The Coast
Guard did not assess how reliable this estimate was in meeting
inspection needs, but officials noted that sector officials could
provide headquarters with feedback on their needs and request
additional staff.
The approach the Coast Guard used for estimating the number of
additional inspectors needed to meet SAFE Port Act requirements had
similar limitations. Coast Guard officials said they also used a
general formula to request funding for personnel to conduct these
additional inspections. They said they had limited time to prepare the
request, and estimated the number needed based on past experience by
looking at the number of inspections currently being conducted and the
current number of inspectors, plus input from Coast Guard area
officials. An additional 39 positions were added with resources
stemming from DHS fiscal year 2007 appropriations.[Footnote 20]
Other than field unit feedback, Coast Guard officials do not currently
have a means for determining whether the deployment of staff to
inspection positions is sufficient. In 2004 we recommended that the
Coast Guard formally evaluate its facility inspection program to look
at the adequacy of security inspection staffing, among other things;
however, Coast Guard has not done so. Officials discussed using an
existing management tool in combination with revised training
requirements and staffing standards to be developed in the future as a
way to measure the adequacy of staffing for specific mission areas, but
as yet had no estimated date for completion of this effort.
Extent to Which Inspectors Are Available for Inspection Duties Is
Unclear:
One factor that may affect the accuracy of the estimates is that
inspectors are also responsible for a variety of other duties, and the
extent to which these inspectors are available to conduct security
inspections is unclear. Coast Guard data indicate that about 600
personnel have been qualified to conduct MTSA facility inspections.
Officials said that as of August 2007 the Coast Guard had 389 MTSA
positions, including the 39 new positions added with resources stemming
from DHS fiscal year 2007 appropriations for unannounced spot checks,
and, most of the positions were filled.[Footnote 21] Besides these
personnel, a July 2007 Commandant message, indicated that Coast Guard
districts were authorized to use reservists on a short-term basis to
meet inspection requirements. In all, 52 reservist positions were
authorized for this purpose.
Our field visits showed that staff assigned to inspector positions were
not necessarily working as inspectors, and those that were conducting
inspections were also performing a number of other mission tasks as
well. Data on the extent to which personnel in inspector positions are
actually conducting facility inspections are not available. Coast Guard
headquarters officials said it was difficult to know the extent to
which an inspector was inspecting MTSA facilities because of the
flexibility in how staff are used.[Footnote 22] Each sector, they said,
determines what is needed for its workload. In all seven sectors we
visited, staff in inspector positions were responsible for tasks other
than facility inspections. Other tasks included responding to pollution
incidents, supervising the handling of explosive cargo, monitoring the
transfer of oil, conducting harbor patrols, boarding vessels, and
conducting inspections of vessels or other matters, such as safety or
environmental concerns (see fig. 5).
Figure 5: Examples of Other Inspector Responsibilities--Harbor Patrols
and Cargo Inspections:
This figure is a combination of two photographs showing examples of
other inspector responsibilities--harbor patrols and cargo inspections.
[See PDF for image]
Source: U.S. Coast Guard.
[End of figure]
At four of the seven sectors we visited, officials said meeting all
mission requirements for which inspectors were responsible was or could
be a challenge, especially after reservists made available for SAFE
Port Act inspections were no longer available.[Footnote 23]
* Officials in one sector said they were meeting inspection
requirements at the expense of other missions, such as inspecting
containers or monitoring the transfer of oil. They said they make a
risk-based judgment call on which activities to undertake.
* In another sector, officials said meeting inspection requirements in
the long term would be difficult. The new inspection requirements
effectively doubled the required number of facility inspections, and
the sector has received only short-term assistance.
* Officials in another sector said available staffing could adequately
cover only part of the sector's area of responsibility.
* In another sector, officials said depending on the long-term
workload, they may be seeking additional inspectors later this year,
after temporary duty staff has left.
Spot Check Guidance May Affect the Sufficiency of Inspectors to Conduct
All Inspections:
A second factor that may affect the reliability of the estimates is
that the Coast Guard based its estimate for the number of inspectors
needed in part on the number of spot checks conducted in the past, but
subsequent spot check guidance may require inspectors to spend more
time on these spot checks than they had previously. After the SAFE Port
Act's passage, Coast Guard officials initially said they did not plan
to issue specific guidance for spot checks, because developing a single
inspection form that encompassed all situations was difficult and
because they had not heard from Captains of the Port that such guidance
was needed. In July 2007, however, the Coast Guard Commandant issued a
message to Coast Guard Area officials that provided some spot check
guidance.[Footnote 24] Among other things, this guidance:
* Defines minimum requirements for security spot checks--for example,
specifying that the inspector must confirm that the facility is
compliant with unique requirements for specific types of facilities
(such as cruise ships) and must provide the facility with documentation
of the inspection.
* Identifies activities that do not meet the requirements for a
security spot check, such as inspections from a vehicle or checks
conducted while performing certain shoreside patrols or facility visits
related to vessel boardings (unless the minimum security spot check
requirements are met during the patrols or boardings).
* Specified codes for documenting facility inspections in the MISLE
database.
Our discussions with sector officials indicated that prior to this
guidance, sectors varied considerably in their interpretation of what
constituted a security check.[Footnote 25] For example, one sector
considered asking facility officials 15 to 30 minutes of knowledge-
based questions as a spot check, while another considered a drive-by
with a stop at the gate a type of spot check. Officials in several
sectors mentioned that spot checks were conducted during other types of
facility visits or missions, such as while escorting a boat, conducting
a waterside patrol, or performing a vessel inspection.[Footnote 26] For
documentation, one sector reported entering a record of all spot checks
conducted, while several others qualified that "official" spot checks
were logged--a drive by or dropping in to check on a few items might
not be recorded. One sector said recording the check or not depended
partly on whether a deficiency was identified during the spot check.
The activities called for in this guidance have potential staffing
implications. Based on our discussion with headquarters officials and
inspectors in all sectors we visited, some of the activities that have
been considered spot checks will no longer be considered adequate, such
as observing facility security procedures from a vehicle while driving
by. Meeting the spot check requirements under the new guidance may thus
require more time from inspectors. This in turn may affect sector
estimates of the level of resources needed to meet inspection
requirements and Coast Guard goals for the number of inspections to be
conducted.[Footnote 27]
In Coast Guard comments on this draft, officials reported a total of
9,403 inspections (spot checks and annual exams) were conducted in
2007, exceeding their internal target of 8,800 inspections. This is an
increase in inspections from prior years. Their comment however, did
not indicate that each facility received a spot check and an annual
exam. Further, since the spot check guidance was not issued until July
of 2007, it is not clear how many of the spot checks were conducted
following the new guidance. Without this information the implications
for staffing are still uncertain.
The Coast Guard Has Not Evaluated Its Facility Oversight Program, and
Problems with Data Complicate Its Ability to Do So:
The Coast Guard has not assessed how its MTSA compliance inspection
program is working. Our work across many types of federal programs
shows that for program planning and performance management to be
effective, federal managers need to use performance information to
identify performance problems and look for solutions, develop
approaches that improve results, and make other important management
decisions. The Coast Guard's ability to assess its compliance program
is complicated by omissions, duplications, and other flaws in the data
it would most likely use in measuring and evaluating the effectiveness
of different monitoring and oversight approaches.
The Coast Guard Has Not Evaluated the Effectiveness of Oversight
Efforts:
In 2004, when we first examined the Coast Guard's efforts to deal with
MTSA requirements, we reported that development of a sound long-term
strategy was a critical step in bringing about effective monitoring and
oversight. Our work assessing such other areas as airport security and
regulatory compliance had identified approaches for ensuring compliance
and strengthening security.[Footnote 28] These approaches included such
steps as unscheduled and unannounced inspections, and inspections on
weekends or after normal working hours. At the time, local Coast Guard
officials said that unscheduled inspections would be a positive
component of a longer-term strategy because informing owners or
operators of annual inspections can allow them to mask security
problems by preparing for inspections in ways that do not represent the
normal course of business. We recommended that, after the initial
"surge" involved in reviewing security plans and conducting the first
round of inspections, the Coast Guard should conduct a formal
evaluation of its efforts and use the evaluation as a means to
strengthen the compliance process for the longer term.
In the 1990s, a statutory management framework for strengthening
government performance and accountability was enacted into law. In
particular, the Government Performance and Results Act (Results Act)
calls for an increased reliance upon program performance information in
assessing program efficiency and effectiveness.[Footnote 29] The
Results Act notes that federal managers are seriously disadvantaged in
their efforts to improve program efficiency and effectiveness because
of insufficient articulation of program goals and inadequate
information on program performance, and that spending decisions and
program oversight are seriously handicapped by insufficient attention
to program performance and results. Although the Results Act's
provisions apply primarily to tracking and reporting performance at the
overall agency level, the same sound management principles apply to
management of individual programs such as the facility compliance
program. In other work, we have identified instances in which agencies
can use performance information to improve programs and results.
[Footnote 30]
In many of its areas of activity, the Coast Guard has devoted extensive
attention to providing sound data on its activities and analyzing what
these data say about what the agency is accomplishing with the
resources it expends. In 2006, for example, we reported that for many
of its non-homeland security programs, the Coast Guard had developed
performance measures that were generally sound and based on reliable
data.[Footnote 31] Further, the Coast Guard was actively engaged in
initiatives to help interpret these performance measures and use them
to link resources to program results.
The Coast Guard has not, however, applied this same approach to the
facility compliance program. Although the Coast Guard agreed with our
recommendation in 2004 that the agency formally evaluate its MTSA
compliance inspection efforts and use the results as a means to
strengthen its long-term strategy for ensuring facility compliance, it
has not conducted such an evaluation, and has no current plans to do
so. In comments submitted after reviewing a draft of this report, the
Coast Guard indicated that facility security program metrics were
discussed during a November 2007 workshop with field personnel. The
comments also indicated that the Coast Guard is developing performance
goals for monthly review by program management.
We asked the Coast Guard to provide documentation of any systematic
effort to assess implementation of its facility compliance program
since July 2004, when the agency initiated the compliance phase of MTSA
facility oversight. Headquarters officials told us that program
managers use MISLE to see the results of inspectors' data entries and
to produce reports, but the Coast Guard's only formal analysis of the
overall success of MTSA implementation was contained in its Annual
Report to Congress.[Footnote 32] The information the 2005 and 2006
reports provide, which includes figures on the number of enforcement
actions and the approximate number of facility security inspections the
Coast Guard conducted (included in the 2005 report only), does not
include an analysis of the program's operations or provide a basis to
determine what, if anything, might be done to improve its operations.
The program metrics and performance goals the Coast Guard indicated it
is developing may provide data useful for future assessments.
A more thorough evaluation of the facility compliance program could
provide information on, for example, the variations we identified
between Coast Guard units in oversight approaches, the advantages and
disadvantages of each approach, and whether some approaches work better
than the others. The Coast Guard has allowed Captains of the Port
considerable discretion in implementing facility oversight program at
the local level, in order to meet differences in local conditions. An
evaluation could also explore the benefits of the variations that have
resulted. For example, an evaluation could shed light on such issues as
the following:
* Conducting annual compliance exams unannounced vs. scheduling them
beforehand. Views we heard from different Coast Guard units varied on
this issue. Coast Guard policy has encouraged the pre-scheduling of
these exams, but some units have decided to conduct them on an
unannounced basis because they believe doing so best captures what
procedures are normally in place. At some units that scheduled the
exams with the facility beforehand, however, Coast Guard officials said
conducting exams unannounced would slow the process, because facility
personnel would be less prepared with information and because officials
with the needed information might be absent entirely. In such
situations, delays might affect the unit's ability to complete its
inspection workload. An evaluation, done with accurate and sufficient
data, could provide information of the effectiveness of various
approaches.
* The type of enforcement action to take when deficiencies are
identified. The available data indicate that Coast Guard units vary
considerably in the extent to which they take formal enforcement
actions, such as fines or written warnings. Headquarters officials told
us that they could not explain the variation or its impact on continued
facility compliance, but that units were allowed to determine actions
taken based on the factors involved. These variations might occur for
several reasons. Inspectors in sectors we visited told us they rely on
Coast Guard guidance and take other factors into consideration, such as
the nature of the deficiency, or history of the facility. They said
that the decision on what enforcement action is taken depends in part
on guidance from the sector's Captain of the Port, and the judgment of
the inspector as to the severity of the incident. For example, an
inspector is given discretion to decide to issue a facility a fine or
written warning at a high-volume port where the consequences for an
incident are high, or to take no formal action because it is in a low-
volume port where facilities are dispersed and the consequences are
less severe. An evaluation, done with accurate and sufficient data,
could analyze such differences as possible criteria for deciding when
formal or informal actions are most appropriate.
* Variation in establishing the applicable MTSA regulation for a
specific deficiency. We observed situations in which different
inspectors cited different MTSA regulations for the same type of
deficiency. For example, deficiencies in which security personnel
lacked required training were classified in two different ways--
sometimes as noncompliance with the regulation requiring security
personnel to be knowledgeable of security-related areas, such as
screening, and other times as noncompliance with regulations related to
the security officer's responsibilities. Similarly, failure to log a
drill or exercise was sometimes categorized as noncompliance with
regulations on drills and exercises and sometimes as a recordkeeping
deficiency. An analysis of the differences would help managers
determine if sectors have varying interpretations, if additional
training is needed for facility inspectors regarding the applicability
of the regulations, or if the regulations themselves could be improved.
The Coast Guard plans to revise its MTSA regulations by 2009, and such
an analysis could be instructive in that effort.
We are not the only independent reviewer to point out the need for such
an evaluation. In 2006, the Office of Management and Budget (OMB)
issued an assessment of Coast Guard performance in meeting goals for
the Ports, Waterways and Coastal Security program, which includes MTSA
facility oversight.[Footnote 33] OMB noted that there have been no
reviews indicating whether or how the program is achieving results. OMB
emphasized the need for the Coast Guard to evaluate the effectiveness
of its program, as well as to develop analytical methods and processes
that provide routine and objective feedback to program managers.
Database Limitations Hinder Compliance Monitoring and Program
Oversight:
As we have reported in other work, performance information must meet
users' needs for completeness, accuracy, and consistency if it is to be
useful.[Footnote 34] Other attributes that affect the usefulness of
performance data include that measures be relevant, accessible, and of
value to decisions made at various organizational levels.[Footnote 35]
In MISLE, however, data and database fields were missing, duplicative,
and inconsistent, with data entry a particular concern. Specific
problems we identified include the following:
* Deficiency data may not be entered at all, or entered twice,
officials said. For example, if a facility corrects a deficiency
immediately, inspectors can decide not to include it in their report.
On the other hand, Coast Guard data analysts acknowledged that there
are duplicate deficiencies and enforcement actions in MISLE for
example, resulting from the same deficiency being recorded at the
sector and subunit levels, or lack of coordination in conducting an
exam so that the activities are entered twice.
* Headquarters officials said that some units are unclear about what to
enter into MISLE, and the biggest challenge to consistent and
comprehensive data is proper data entry. Although inspectors choose
from a standardized pick-list of enforcement action citations, the
selection process is subjective and as we discussed earlier, a
particular violation can fit under multiple citation categories.
* Headquarters officials said that the citation for a deficiency is not
always provided when inspectors enter the activity into MISLE. Not
entering this information means that the Coast Guard has difficulty
showing data on the basis of specific MTSA regulatory deficiencies or
specific enforcement actions. Coast Guard officials voiced varying
opinions about whether the deficiency citation is a required field for
inspectors to enter in MISLE, as well as about what MISLE fields to use
to identify security-related deficiencies and enforcement actions.
While the data themselves may pose problems, so too do the data
fields[Footnote 36] into which the data are placed. Insufficient data
fields in MISLE make it more difficult for the Coast Guard to conduct
critical analyses. We identified two types of analysis that were
limited--comparisons across sectors and analysis by year.
* Although the Coast Guard began reorganizing its field units into
sectors in 2004 and made sectors the primary management unit, data
continues to be entered into MISLE that cannot readily be presented by
sector. This limitation makes assessing oversight performance,
variability, and facility compliance by sector more difficult.[Footnote
37]
* The Coast Guard cannot report the number of facilities it regulated
under MTSA during a particular period. Although MISLE contains a field
to indicate whether a facility is currently regulated by MTSA, it does
not have a field for the facility's activation date. (Vessels regulated
under MTSA do have an activation date.) Without it the Coast Guard
cannot establish the number of facilities that have been regulated, and
is unable to calculate a percentage of MTSA facilities that received
the required annual compliance exam during a particular period. Coast
Guard indicated that this is an area for improvement, but did not
identify a specific remedy or time frame.
Reporting of MTSA Compliance Activities Could Not Be Replicated and Is
Limited in Scope:
Due to MISLE data limitations, we were not able to recreate annual
report statistics provided to Congress on Coast Guard compliance
activities. Furthermore, the annual reports did not provide a
comprehensive picture of Coast Guard compliance activities. The Coast
Guard and Maritime Transportation Act of 2004[Footnote 38] mandated an
annual report from the Coast Guard on the agency's MTSA compliance-
related activities, and so far the agency has issued two reports--one
covering part of 2004 and much of 2005 (July 1, 2004 to November 17,
2005), the second covering all of 2006.[Footnote 39] According to Coast
Guard officials, there is no set format for the report, and the type of
information reported varies by reports. The report for 2004-2005, for
example, includes information about the number of annual compliance
exams conducted, while the report for 2006 does not. Coast Guard
officials said they did not include information about the number of
exams conducted in 2006 as part of an effort to reduce the annual
report's size. While figures were not provided in the annual report,
the Coast Guard agreed that our analysis of MISLE correctly identified
2,126 annual exams recorded for 2006.[Footnote 40]
Using three categories of information (annual exams, spot checks, and
enforcement actions) that the Coast Guard reported for one or more of
those years, we attempted to tie the numbers in the annual reports to
the numbers in the MISLE database. Despite working extensively with
Coast Guard personnel to resolve discrepancies, we were unable to fully
verify the numbers reported in any of these categories. Figure 6 shows,
for the annual compliance exam, the totals for 2004 and 2005 as stated
in the annual report and the totals contained in MISLE. For 2004, the
total shown in the annual report was about 500 more than the total
supported in MISLE, and for 2005, the total shown in the annual report
was about 179 less.[Footnote 41]
Figure 6: Annual Compliance Exam Numbers in Coast Guard's Annual Report
to Congress and GAO Analysis of MISLE Data:
This figure is a combination bar graph showing annual compliance exam
numbers in Coast Guard's annual report to Congress and GAO analysis of
MISLE data. The X axis is the date, and the Y axis is number of annual
exams. The white bar represents the number of estimated annual
compliance exams in Coast Guard's annual report to Congress [A]. The
gray bar represents the number of annual compliance exams in GAO
analysis of MISLE data.
[See PDF for image]
Source: GAO analysis of Coast Guard's annual report to Congress and
MISLE data.
[A] We estimated the Coast Guard's Annual Report Annual compliance exam
figures for 2004 and 2005 from a monthly bar chart without numbers. The
Coast Guard was not able to provide us with precise numbers. A Coast
Guard official informed us that the bar chart was created using MISLE
data as well as sector input due to MISLE query limitations in 2004-
2005 and sector data entry issues in 2004.
[End of figure]
The Coast Guard did not provide annual compliance exam figures in its
2006 Annual Report to Congress.
Coast Guard officials who worked with us to resolve the discrepancies
gave several possible reasons for differences:
* The totals in the annual report included a combination of MISLE data
and other data reported by officials in field units.[Footnote 42]
* The annual report inspection data could have included some safety-
related activities.
* Some of the information in MISLE may have changed between the time
the Coast Guard used the database to prepare numbers for the annual
report and the time the Coast Guard provided the data for us.
We were not able to determine the extent, if any, to which these
factors contributed to the discrepancies. The more significant issue,
however, is not resolving the effect of these three factors, but rather
recognizing the fundamental limitation reflected in being unable to
reconcile differences between the numbers in the annual report with the
numbers in the database. The ability to monitor and oversee a program
is limited if officials cannot rely on the accuracy of the information
they have at hand.
At some sectors we visited, Coast Guard officials voiced similar
concerns about having to rely on MISLE data for assessing trends.
Inspectors in all seven sectors said they use MISLE to track compliance
activities at individual facilities, but several reported that using
MISLE to produce accurate aggregated information and trend data for the
sector was more difficult. Inspectors in four sectors mentioned
creating their own spreadsheets outside MISLE to more easily produce
reports on administrative information (such as facility addresses and
phone numbers), to check for MISLE report errors, and to track
additional information not requested in MISLE. They indicated a variety
of ways in which MISLE could be improved for use, including allowing
MISLE to capture facility-specific security enhancements and weaknesses
and linking MISLE data with information on security vulnerabilities
captured by the maritime security risk assessment model.
A second concern about the annual report compliance data is its limited
scope that does not provide a complete picture of Coast Guard
compliance activities or a relevant context for reviewing them. Annual
compliance exams were not reported in 2006, and the number of
deficiencies identified by Coast Guard oversight was not included in
either the 2005 or 2006 report. Further, the total number of
inspections that the Coast Guard conducted is not provided within the
context of the total number of facilities regulated, and the number of
spot checks is presented without the number of facilities that received
the checks. As we pointed out earlier in this report, some of this
information, such as the number of facilities subject to MTSA
regulation, is not available in MISLE. To the degree that relevant
information is not available or is difficult to extract, decision
makers may not be able to see the Coast Guard's activities in full or
in context.
The annual report's presentation may also under-represent the Coast
Guard's actions in ensuring that facilities comply with security plans.
The annual report presents enforcement actions issued, but does not
report deficiencies identified. As we discussed earlier in this report,
only 16 percent of deficiencies in 2006 resulted in enforcement
actions. Since the Coast Guard prefers a strategy of working with
facilities to improve facility compliance, rather than a punitive
strategy, there are many facility deficiencies that are identified and
corrected without an enforcement action, and therefore are not reported
in the Annual Report. While enforcement actions generally represent the
most severe instances of noncompliance, the extent of the Coast Guard's
activity in identifying deficiencies is not presented.
The Coast Guard Has Taken Some Action to Improve MISLE:
The Coast Guard has acknowledged improvement is needed in MISLE
compliance data and has taken initial steps to reduce some of the
database concerns identified during the course of our review. Coast
Guard officials at all levels we spoke to said problems introduced
during data entry to MISLE were a concern. As we were conducting our
review, the Coast Guard took some steps to improve the data.
* In July 2007, in a message to all units about implementing the SAFE
Port Act maritime facility inspection requirements, the Commandant
mentioned the issue of entering data into MISLE on a timely basis. The
message states, "To minimize the need for frequent data calls and to
ensure an accurate picture of Coast Guard facility inspection
performance, sectors must ensure that MISLE data is entered promptly
and that the activity, subactivity data, and AOR (area of
responsibility) are accurate." The message also details that inspection
records should indicate whether annual exams or spot checks were
performed on an announced or unannounced basis.
* During a 3-day Coast Guard workshop on MTSA and the Transportation
Worker Identification Card held in November 2007, MISLE data entry and
performance measures were discussed, according to an after action
report of the workshop. No action items were detailed that related to
changes in MTSA compliance data.
These initial efforts may help to improve MISLE, but they do not
address all of the concerns we identified. For example, Coast Guard
area officials stated a need for more consistency in how data are
entered across violations, noting that inspection dates are fine, but
the violations are hard to categorize accurately, leading to the
question of whether the data collected is accurate. The steps announced
so far do not involve actions for resolving such inconsistencies.
Further, as we pointed out, MISLE contains duplicate records, and
information is not always complete. The Coast Guard's initial steps do
not include solutions to such problems.
Conclusions:
Since 2004, the Coast Guard has made progress in shifting the
inspection program from one that emphasized putting security procedures
in place to one that focuses on continued facility compliance with
security procedures. Thus far, the Coast Guard's estimates the number
of inspectors has been and will be sufficient to meet inspection
requirements, but the multiple roles of many inspectors and the new
requirements for spot checks at all facilities could affect the
reliability of these estimates. Coast Guard officials currently cannot
document how much of inspectors' time is spent on the facility
enforcement program versus conducting other tasks. New spot check
requirements may pose additional workload requirements, not only
because spot checks must now be conducted of all facilities, but also
because the Coast Guard's recent guidance calls for placing an
inspector inside the facility rather than just driving by. Plans for
adding an additional 25 staff will help meet these needs, but without
considering all factors, the Coast Guard is at additional risk of
inspection requirements not being met.
The Coast Guard gives considerable leeway to sectors and local units in
deciding how to implement requirements, and as this report has shown,
units have gone in somewhat different directions. For example, some
have decided to conduct the annual compliance exam unannounced, while
others announce them in advance, and some use formal enforcement
actions such as written warnings or fines while others do not. The
inspection program's growing maturity heightens the importance of being
able to determine what it is accomplishing and to assess alternative
practices sectors have adopted to ensure facility compliance. Coast
Guard headquarters, however, has not evaluated these various approaches
to determine which ones produce greater results or yield greater
efficiency. Finally, whether establishing that basic inspection
requirements are being met, comparing the various approaches used in
individual sectors, or evaluating other aspects of the facility
compliance program, the Coast Guard is handicapped without complete and
accurate compliance data. Coast Guard officials acknowledge these data
problems, and initiated some improvements; however, efforts have not
yet remedied all problems that have been identified.
Recommendations for Executive Action:
To help ensure that MTSA facility-related inspection requirements are
being implemented effectively, we recommend that the Secretary of
Homeland Security direct the Commandant of the Coast Guard to take the
following three actions:
* Reassess the adequacy of resources for facility inspections, given
changing inspection guidance and the multiple duties of sector
personnel.
* Assess the effectiveness of differences in program implementation by
sector to identify best practices, including the use of unannounced
annual compliance exams and the varying use of enforcement actions.
* Assess MISLE compliance data, including the completeness of the data,
data entry, consistency, and data field problems, and make any changes
needed to more effectively utilize MISLE data.
Agency Comments:
We requested comments on a draft of this report from the Secretary of
DHS and from the Coast Guard. The Department declined to provide
official written comments to include in our report. However, in an e-
mail received January 23, 2008, the DHS liaison stated that DHS
concurred with our recommendations. Written technical comments were
provided by the Coast Guard that were incorporated into the report as
appropriate.
As we agreed with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution of it
until 30 days from the date of this letter. We will then send copies to
others who are interested and make copies available to others who
request them. In addition, the report will be available at no charge on
GAO's website at [hyperlink, http://www.gao.gov].
If you or your staffs have any questions about this report, please
contact me at (202) 512-9610 or at caldwells@gao.gov. Contact points
for our Office of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
are listed in appendix III.
Signed by:
Stephen L. Caldwell:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objective, Scope, and Methodology:
This report addresses the Coast Guard's implementation of the Maritime
Transportation Security Act of 2002 (MTSA) facility security
requirements, as amended by, among other things, the Security and
Accountability For Every Port Act (SAFE Port Act). Specifically, our
objectives included determining the extent to which the Coast Guard:
* has met its maritime facility inspection requirements under MTSA and
the SAFE Port Act and has found facilities to be in compliance with
their security plans,
* has determined the availability of trained personnel to meet current
and future facility inspection requirements, and:
* has assessed the effectiveness of its MTSA facility oversight program
and ensured that program compliance data collected and reported are
reliable.
To determine whether the Coast Guard has met its inspection
requirements and has found facilities to be in compliance with their
security plans, we analyzed 2004-2006 compliance activity data from the
Coast Guard's Marine Information for Safety and Law Enforcement (MISLE)
database. Over a period of 5 months, we requested and obtained data
from MISLE to document Coast Guard compliance and enforcement
activities related to MTSA facilities from July 1, 2004, the deadline
for facilities to be operating under a Coast Guard-approved facility
security plan, to December 31, 2006. The Coast Guard extracted three
types of data and provided them as data spreadsheets, including:
* Inspections: Annual Compliance Exams, Security Spot Checks, and
Facility Exercise Monitoring at specific MTSA facilities.
* Deficiencies: the number and nature of deficiencies recorded during
the inspections.
* Enforcement Actions: sanctions and remedial actions directed by the
Coast Guard for incurring deficiencies.
To assess the reliability of MISLE data, we (1) performed electronic
testing for obvious errors in accuracy and completeness; (2) reviewed
related documentation, such as MISLE user guides; and (3) held
extensive meetings and exchanged correspondence with Coast Guard
information systems officials to discuss data entry and analysis and
ensure correct identification of specific data fields regarding the
data. When we found discrepancies, we brought these to the Coast
Guard's attention and worked with agency officials to correct them to
the extent possible before conducting our analyses. Given the
discrepancies we identified, we took several steps prior to our
analysis to improve the accuracy and usefulness of the data the Coast
Guard supplied. These included:
* Removing 77 records from facility deficiencies that were "opened in
error," which Coast Guard indicated generally were duplicate records.
* Creating a dataset linking deficiencies and enforcement actions. We
performed several checks on the merged file and worked with the Coast
Guard to reduce data inconsistencies.
* Creating a new "Sector" field based on Coast Guard documentation and
interviews on the new sector breakdowns, and for 2006 consolidated the
existing "Unit" field into the appropriate sector.
Coast Guard data analysts acknowledged that there are duplicate
deficiencies and enforcement actions in MISLE and that MISLE has no
automated process to accurately determine which duplicate activity to
remove--the process would involve looking at individual narratives to
attempt to determine which activity was a duplicate. We used the
following approach to identify duplicates: when we identified
activities that had the same deficiency identification number and
citation, we checked 21 other data fields in MISLE for duplication. If
two or more observations had the same values in all of these fields, we
retained one observation, designating the others as duplicates. Using
this process, we classified 32 of 7,620 total observations, or less
than 1 percent of deficiencies in each year, as duplicative. We chose
to keep the observations in the analyses because it was not clear which
activity to delete because we lacked a more reliable means for
identifying duplicates that were not identical for all fields examined,
and because of the small number of observations our approach
identified.
After conducting the above steps, we determined that the data were
sufficiently reliable to provide a general indication of the magnitude
and relative frequencies of compliance activities. The corrected data
sets were used to analyze national and sector-based Coast Guard MTSA
compliance activities, including inspections, deficiencies, and
enforcement actions. Our report discusses MISLE data problems in more
detail, along with the steps we believe are needed to address them.
To supplement our analysis of MISLE data in understanding the Coast
Guard's progress on inspection requirements, we selected 7 of the Coast
Guard's 35 sectors for more detailed review. We selected sectors that
would provide a range of Coast Guard environments in which MTSA is
being implemented, and to ensure a broad representation of types of
ports, we chose sectors with ports that varied in size, varied in types
of waterway (ocean, river, and lake), and geographic diversity. While
results from these seven sectors cannot be generalized to all Coast
Guard sectors, we determined that the selection of these sites was
appropriate for our design and objectives and that the selection would
provide valid and reliable evidence. In each sector, we interviewed
Coast Guard inspectors responsible for oversight of MTSA facility
plans, facility security officers at MTSA facilities (28 facilities
overall), and other port stakeholders in each port, such as port
authority personnel and facilities adjacent to MTSA facilities. Sectors
we visited included Hampton Roads, Virginia; Honolulu, Hawaii; Lake
Michigan, Michigan; Los Angeles/Long Beach, California; New York/New
Jersey; Seattle, Washington; and Upper Mississippi River, Missouri. We
conducted our visits--as well as some follow-up discussions by phone--
from December 2006 through August 2007.
We also met with the Coast Guard Atlantic and Pacific area officials to
discuss compliance activities, and with headquarters program and
information system officials multiple times to discuss our analysis. We
reviewed relevant sections of the Maritime Transportation Security Act,
the SAFE Port Act, Coast Guard implementing regulations, Navigation and
Vessel Inspection circulars, prior GAO reports, and MISLE
documentation.
To establish whether the Coast Guard has determined the availability of
trained personnel to meet current and future facility inspection
requirements, we summarized data provided by the Coast Guard from its
Direct Access database on the number of personnel trained to conduct
MTSA inspections. Direct Access is the Coast Guard's Human Resource
system, used for a variety of personnel functions. The Coast Guard
provided a spreadsheet of personnel certified with one or more Maritime
Security Qualifications from this database. To assess the reliability
of the spreadsheet data, we looked for obvious errors and
inconsistencies in the data, and requested information from Coast Guard
officials to understand limitations in the data and make corrections
where possible. We identified limitations in the data related to
duplicate entries and certifications not yet entered into the system.
Duplicate entries result, for example, because staff may be listed
twice if they are employed as both a reservist and civilian Coast Guard
employee, or may be listed under a sector and under a pre-sector unit.
We deleted duplicate entries identified by Coast Guard to arrive at the
number of trained personnel, but we were unable to determine how many
certifications had not yet been entered in the system. Given this
limitation, we found the Direct Access data to be sufficiently reliable
to provide only an approximate number of personnel qualified to conduct
MTSA facility inspections.
The Coast Guard provided verbal information on the number of personnel
currently in facility inspection positions. We conducted several
interviews with relevant Coast Guard headquarters managers regarding
the number of inspectors that have been trained, the allocation of
staff to inspection positions, the training provided to current
inspectors, and plans for future training and resources for conducting
facility inspections. We also discussed current and planned guidance
for conducting facility inspections with headquarters officials. In the
seven sectors we visited, we met with facility inspectors to discuss
facility inspector training, the adequacy of inspection resources,
guidance used to conduct inspections, and other inspector
responsibilities. We discussed the consistency of inspections with
facility security officers in facilities located in the seven sectors.
We also reviewed written Coast Guard guidance related to MTSA facility
inspections, such as relevant circulars, memos, and on-line resources,
and documents on planned revisions to facility oversight regulations.
To determine the extent to which the Coast Guard has assessed its MTSA
facility oversight program and ensured that program compliance data is
accurate, we requested the Coast Guard provide documentation of any
evaluation of activities related to facility oversight and reviewed the
two annual reports that the Coast Guard provided. We reviewed Office of
Management and Budget documents and prior GAO reports on assessing
program effectiveness. Our assessment of the accuracy of the Coast
Guard compliance data was based on our reliability assessment of MISLE
data we conducted as part of objective 1. We also discussed the
accuracy and utility of MISLE data with facility inspectors during our
site visits to seven sectors.
We conducted this performance audit from May 2006 through February 2008
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Total Nationwide Facility Deficiencies for 2004, 2005, and
2006 by MTSA Regulatory Citation:
This appendix summarizes GAO's analysis of deficiencies identified by
Coast Guard facility inspectors nationwide from 2004-2006 based on the
MTSA regulatory citation associated with each deficiency. Facility
security plans are written to meet requirements established by MTSA
regulations, and the deficiency documentation in the Coast Guard's
compliance data includes the citation for the associated MTSA
regulation.
Under a specific citation, in most cases there are a number of sub-
elements. We summarized the deficiency data at the general citation
level because the data collected on facility compliance did not
consistently identify deficiencies at a more detailed level.[Footnote
43]
The data in table 5 is presented based on the frequency the of the
deficiency citation for 2006.
Table 5: Total Nationwide Facility Deficiencies for 2004-2006 by MTSA
Regulation Citation:
MTSA regulation citation: 33CFR105.255; Security measures for access
control;
Citation description: Requires security measures to deter the
introduction of unauthorized dangerous substances and devices, to check
the identity of persons seeking entry, and to identify restricted
areas, among other requirements;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 696;
Number of facility deficiencies for each MTSA regulation citation:
2005: 445;
Number of facility deficiencies for each MTSA regulation citation:
2006: 458.
MTSA regulation citation: 33CFR105.225; Facility recordkeeping
requirements;
Citation description: Requires facility records be kept for 2 years on
measures such as security training, security equipment calibration,
drills and exercises, and security breaches;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 248;
Number of facility deficiencies for each MTSA regulation citation:
2005: 336;
Number of facility deficiencies for each MTSA regulation citation:
2006: 418.
MTSA regulation citation: 33CFR105.260; Security measures for
restricted areas;
Citation description: Requires measures for protection of restricted
areas, such as shore areas, areas with sensitive security information,
and areas with dangerous cargo;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 545;
Number of facility deficiencies for each MTSA regulation citation:
2005: 344;
Number of facility deficiencies for each MTSA regulation citation:
2006: 364.
MTSA regulation citation: 33CFR105.220; Drill and exercise
requirements;
Citation description: Requires quarterly drills and annual exercises to
test personnel performance of security duties and effective
implementation of the facility security plan, for example, a drill of
personnel responses to a security alarm, or an exercise of security
plan communication procedures;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 56;
Number of facility deficiencies for each MTSA regulation citation:
2005: 180;
Number of facility deficiencies for each MTSA regulation citation:
2006: 269.
MTSA regulation citation: 33CFR105.415; Facility Security Plan
amendment and audit;
Citation description: Facility security plan amendments, such as a
change in a security procedure, must be approved by the Coast Guard
following certain procedures, and an annual audit of the plan must be
conducted;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 37;
Number of facility deficiencies for each MTSA regulation citation:
2005: 190;
Number of facility deficiencies for each MTSA regulation citation:
2006: 243.
MTSA regulation citation: 33CFR105.205; Facility Security Officer;
Citation description: Establishes facility security officer
qualifications, such as knowledge of vessel and facility operations,
and other responsibilities, such as ensuring adequate training of
security personnel, and that the plan is exercised, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 167;
Number of facility deficiencies for each MTSA regulation citation:
2005: 114;
Number of facility deficiencies for each MTSA regulation citation:
2006: 152.
MTSA regulation citation: 33CFR105.200; Owner or operator;
Citation description: Requires owner or operator to comply with
facility security requirements such as to identify a facility security
officer, and ensure coordination of shore leave for vessel personnel,
among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 76;
Number of facility deficiencies for each MTSA regulation citation:
2005: 86;
Number of facility deficiencies for each MTSA regulation citation:
2006: 108.
MTSA regulation citation: 33CFR105.210; Facility personnel with
security duties;
Citation description: Requires security personnel to have knowledge in
security-related areas, such as techniques used to circumvent security
procedures, emergency procedures, and relevant security plan
provisions, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 144;
Number of facility deficiencies for each MTSA regulation citation:
2005: 97;
Number of facility deficiencies for each MTSA regulation citation:
2006: 80.
MTSA regulation citation: 33CFR105.250; Security systems and equipment
maintenance;
Citation description: Requires security systems and equipment to be in
good working order, and be properly tested and maintained, among other
things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 63;
Number of facility deficiencies for each MTSA regulation citation:
2005: 68;
Number of facility deficiencies for each MTSA regulation citation:
2006: 53.
MTSA regulation citation: 33CFR105.405; Format and general content of
the Facility Security Plan;
Citation description: Establishes a required structure and content for
the facility plan, such as the order for sections, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 49;
Number of facility deficiencies for each MTSA regulation citation:
2005: 34;
Number of facility deficiencies for each MTSA regulation citation:
2006: 53.
MTSA regulation citation: 33CFR105.215; Security training for all other
facility personnel;
Citation description: Requires certain knowledge for non-security
personnel, for example, the meaning of varying maritime security levels
that apply to them, and emergency procedures.[B];
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 94;
Number of facility deficiencies for each MTSA regulation citation:
2005: 80;
Number of facility deficiencies for each MTSA regulation citation:
2006: 48.
MTSA regulation citation: 33CFR105.245; Declaration of Security;
Citation description: Requires the facility owner or operator, among
other things, to document security procedures for coordinating security
with vessels, such as the transfer of cargo or passengers;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 37;
Number of facility deficiencies for each MTSA regulation citation:
2005: 34;
Number of facility deficiencies for each MTSA regulation citation:
2006: 34.
MTSA regulation citation: 33CFR105.270; Security measures for delivery
of vessel stores and bunkers;
Citation description: Requires that security measures are in place for
the delivery of vessel stores and bunkers, such as requiring material
be inspected before it is accepted;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 42;
Number of facility deficiencies for each MTSA regulation citation:
2005: 17;
Number of facility deficiencies for each MTSA regulation citation:
2006: 33.
MTSA regulation citation: 33CFR105.275; Security measures for
monitoring;
Citation description: Requires security measures be in place that allow
continuous monitoring, for example of the facility and approaches to
it, and monitoring vessels using the facility;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 89;
Number of facility deficiencies for each MTSA regulation citation:
2005: 44;
Number of facility deficiencies for each MTSA regulation citation:
2006: 29.
MTSA regulation citation: 33CFR105.145; Maritime Security Directive;
Citation description: Requires that facility owner or operator must
comply with instructions contained in an applicable maritime security
directive issued by the Coast Guard;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 42;
Number of facility deficiencies for each MTSA regulation citation:
2005: 26;
Number of facility deficiencies for each MTSA regulation citation:
2006: 25.
MTSA regulation citation: 33CFR105.235; Communications;
Citation description: A facility security officer must have the means
to effectively notify facility personnel and others, such as the
police, of changes in security conditions, and effectively communicate
with others, such as the police, and meet certain requirements, such as
having a backup for internal and external communications;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 31;
Number of facility deficiencies for each MTSA regulation citation:
2005: 35;
Number of facility deficiencies for each MTSA regulation citation:
2006: 23.
MTSA regulation citation: 33CFR105.400; Facility Security Plan,
General;
Citation description: Requires a facility plan be developed and
implemented by the facility security officer, and related requirements,
such as the procedures for preventing unauthorized electronic
amendment, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 17;
Number of facility deficiencies for each MTSA regulation citation:
2005: 30;
Number of facility deficiencies for each MTSA regulation citation:
2006: 21.
MTSA regulation citation: 33CFR105.125; Noncompliance;
Citation description: Requires that the Coast Guard be notified if the
facility deviates from procedures outlined in their approved security
plan, and that the facility stop operations or obtain approval to
continue operating;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 29;
Number of facility deficiencies for each MTSA regulation citation:
2005: 15;
Number of facility deficiencies for each MTSA regulation citation:
2006: 18.
MTSA regulation citation: 33CFR105.120; Compliance documentation;
Citation description: After July 1, 2004, documentation of the Coast
Guard-approved facility plan or alternative security plan must be
available to the Coast Guard on request;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 15;
Number of facility deficiencies for each MTSA regulation citation:
2005: 20;
Number of facility deficiencies for each MTSA regulation citation:
2006: 18.
MTSA regulation citation: 33CFR105.280;
Security incident procedures;
Citation description: The owner or operator must ensure that the
facility security officer and security personnel are able to respond to
security breaches, and evacuate the facility, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 26;
Number of facility deficiencies for each MTSA regulation citation:
2005: 10;
Number of facility deficiencies for each MTSA regulation citation:
2006: 17.
MTSA regulation citation: 33CFR105.265; Security measures for handling
cargo;
Citation description: Requires that security measures relating to cargo
handling are implemented, for example to deter tampering, and to ensure
cargo is released only to the correct carrier;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 67;
Number of facility deficiencies for each MTSA regulation citation:
2005: 15;
Number of facility deficiencies for each MTSA regulation citation:
2006: 13.
MTSA regulation citation: 33CFR105.295; Additional requirements--
Certain Dangerous Cargo facilities;
Citation description: Additional requirements for facilities handling
certain dangerous cargo include, for example, all security personnel
must record or report their presence at key patrol points, and parking
and unloading of vehicles is controlled;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 27;
Number of facility deficiencies for each MTSA regulation citation:
2005: 7;
Number of facility deficiencies for each MTSA regulation citation:
2006: 7.
MTSA regulation citation: 33CFR105.140; Alternative Security Program;
Citation description: Sets the criteria for operating under an approved
alternative security plan, for example, if it is appropriate to the
facility and is adopted in its entirety;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 2;
Number of facility deficiencies for each MTSA regulation citation:
2005: 1;
Number of facility deficiencies for each MTSA regulation citation:
2006: 6.
MTSA regulation citation: 33CFR105.230; Maritime Security Level
coordination and implementation;
Citation description: Requires that a facility operate consistent with
the security level established for the port overall, sets time frames
for having higher security level measures in place, and identifies
possible additional security measures at higher security levels;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 28;
Number of facility deficiencies for each MTSA regulation citation:
2005: 8;
Number of facility deficiencies for each MTSA regulation citation:
2006: 5.
MTSA regulation citation: 33CFR105.410; Facility Security Plan
submission and approval;
Citation description: Required that facility security plans be
submitted by December 31, 2003, or within 60 days before beginning
operations, if operations start after the initial deadline, and
outlines the steps for review and approval of the plan;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 12;
Number of facility deficiencies for each MTSA regulation citation:
2005: 4;
Number of facility deficiencies for each MTSA regulation citation:
2006: 3.
MTSA regulation citation: 33CFR105.305; Facility Security Assessment
requirements;
Citation description: Establishes information and analysis requirements
for facility security assessments, such as requiring an "on-scene"
survey of the facility, requiring key security information be included
such as the location of evacuation routes, and that vulnerabilities be
identified, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 9;
Number of facility deficiencies for each MTSA regulation citation:
2005: 0;
Number of facility deficiencies for each MTSA regulation citation:
2006: 3.
MTSA regulation citation: 33CFR105.310; Facility Security Assessment
submission requirements;
Citation description: Requires that the security assessment be
submitted with the facility security plan, allows one assessment be
submitted for multiple facilities, and the assessment must be approved
by the Coast Guard and updated with security plan reapprovals or
revisions;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 6;
Number of facility deficiencies for each MTSA regulation citation:
2005: 0;
Number of facility deficiencies for each MTSA regulation citation:
2006: 2.
MTSA regulation citation: 33CFR105.105; Applicability;
Citation description: Sets the applicability criteria for facilities
subject to MTSA regulations, for example, foreign cargo vessels over a
certain weight;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 2;
Number of facility deficiencies for each MTSA regulation citation:
2005: 4;
Number of facility deficiencies for each MTSA regulation citation:
2006: 2.
MTSA regulation citation: 33CFR105.290; Additional requirements--
cruise ship terminals;
Citation description: Additional cruise ship requirements include for
example, screening all persons, baggage and personal effects for
dangerous substances or devices;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 2;
Number of facility deficiencies for each MTSA regulation citation:
2005: 12;
Number of facility deficiencies for each MTSA regulation citation:
2006: 2.
MTSA regulation citation: 33CFR105.300; Facility Security Assessment,
General;
Citation description: Establishes the assessment as a written document,
that an assessment can cover multiple facilities, and that third
parties with expertise in areas such as contingency planning can be
involved in the assessment;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 0;
Number of facility deficiencies for each MTSA regulation citation:
2005: 0;
Number of facility deficiencies for each MTSA regulation citation:
2006: 2.
MTSA regulation citation: 33CFR105.240; Procedures for interfacing with
vessels;
Citation description: Requires facility owner or operator to ensure
that there are measures for interfacing with vessels at all security
levels;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 4;
Number of facility deficiencies for each MTSA regulation citation:
2005: 4;
Number of facility deficiencies for each MTSA regulation citation:
2006: 1.
MTSA regulation citation: 33CFR105.100; Definitions;
Citation description: Establishes that the definitions in the general
maritime security section apply to the maritime facility section as
well;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 0;
Number of facility deficiencies for each MTSA regulation citation:
2005: 0;
Number of facility deficiencies for each MTSA regulation citation:
2006: 1; see Note.
MTSA regulation citation: 33CFR105.110; Exemptions;
Citation description: Establishes the exemption criteria from maritime
facility requirements, for example, some shipyard facilities are
exempt;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 0;
Number of facility deficiencies for each MTSA regulation citation:
2005: 2;
Number of facility deficiencies for each MTSA regulation citation:
2006: 1.
MTSA regulation citation: 33CFR105.296; Additional requirements--barge
fleeting facilities;
Citation description: Barge fleeting facilities are also required to
designate restricted areas to handle certain dangerous cargoes, and
ensure that a certain number of towing vessels are available for a
given number of barges, among other things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 0;
Number of facility deficiencies for each MTSA regulation citation:
2005: 1;
Number of facility deficiencies for each MTSA regulation citation:
2006: 1.
MTSA regulation citation: 33CFR105.285; Additional requirements--
passenger and ferry facilities;
Citation description: Passenger and ferry facilities are also required
to segregate unchecked persons and personal effects from checked
persons, and screen unaccompanied vehicles before loading, among other
things;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 8;
Number of facility deficiencies for each MTSA regulation citation:
2005: 1;
Number of facility deficiencies for each MTSA regulation citation:
2006: 0.
MTSA regulation citation: 33CFR105.135; Equivalents;
Citation description: Allows facility owner or operator to propose an
equivalent security measure if it is equal or exceeds the effectiveness
of the required measures;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 4;
Number of facility deficiencies for each MTSA regulation citation:
2005: 0;
Number of facility deficiencies for each MTSA regulation citation:
2006: 0.
MTSA regulation citation: 33CFR105.106; Public access areas;
Citation description: Allows the designation of a public access area
within a MTSA facility serving passenger vessels of a certain size,
other than cruise ships;
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 0;
Number of facility deficiencies for each MTSA regulation citation:
2005: 1;
Number of facility deficiencies for each MTSA regulation citation:
2006: 0.
MTSA regulation citation: Total;
Citation description: [Empty];
Number of facility deficiencies for each MTSA regulation citation:
2004[A]: 2,674;
Number of facility deficiencies for each MTSA regulation citation:
2005: 2,265;
Number of facility deficiencies for each MTSA regulation citation:
2006: 2,513.
Source: GAO analysis of Coast Guard compliance data.
Note: Our work identified reliability issues with Coast Guard's data,
such as a lack of consistency and missing information. Given these
concerns, these figures are presented to provide an indication of the
relative frequency that different deficiencies were identified, and not
as a precise measure. As one example, the single deficiency identified
under 33 C.F.R. 105.100 Definitions, was miscoded, based on the
narrative for the deficiency, which indicated the "facility failed to
implement proper security measures for monitoring by neglecting to have
facility personnel on site at all times while a vessel was moored at
the facility."
[A] Facilities were not required to have a facility security plan in
place until July 1, 2004, therefore, the reporting period is from July
1, 2004, to December 31, 2004.
[B] Maritime security levels are set by the Commandant of the Coast
Guard to reflect level of risk to the maritime transportation system, a
higher level reflecting greater risk. Facility security plans
incorporate security measures to be taken at varying maritime security
levels.
[End of table]
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Stephen L. Caldwell, Director, (202) 512-9610 or caldwells@gao.gov:
Acknowledgments:
This report was completed under the direction of Steven Calvo,
Assistant Director. Other key contributors included Geoffrey Hamilton,
Dawn Hoff, Monica Kelly, Dan Klabunde, Rebecca Taylor, Jerome Sandau,
and Stan Stenersen.
[End of section]
GAO Related Products:
Maritime Security: Federal Efforts Needed to Address Challenges in
Preventing and Responding to Terrorist Attacks on Energy Commodity
Tankers. GAO-08-141. Washington, D.C.: Dec. 10, 2007.
Homeland Security: TSA Has Made Progress in Implementing the
Transportation Worker Identification Credential Program, but Challenges
Remain. GAO-08-133T. Washington, D.C.: Oct. 31, 2007.
Maritime Security: The SAFE Port Act: Status and Implementation One
Year Later. GAO-08-126T. Washington, D.C.: Oct. 30, 2007.
Department of Homeland Security: Progress Report on Implementation of
Mission and Management Functions. GAO-07-454. Washington, D.C.: Aug.
17, 2007.
Maritime Security: Information on Port Security in the Caribbean Basin.
GAO-07-804R. Washington, D.C.: June 29, 2007.
Coast Guard: Observations on the Fiscal Year 2008 Budget, Performance,
Reorganization, and Related Challenges. GAO-07-489T. Washington, D.C.:
Apr. 18, 2007.
International Trade: Persistent Weaknesses in the In-Bond Cargo System
Impede Customs and Border Protection's Ability to Address Revenue,
Trade, and Security Concerns. GAO-07-561. Washington, D.C.: Apr. 17,
2007.
Port Risk Management: Additional Federal Guidance Would Aid Ports in
Disaster Planning and Recovery. GAO-07-412. Washington, D.C.: Mar. 28,
2007.
Maritime Security: Public Safety Consequences of a Terrorist Attack on
a Tanker Carrying Liquefied Natural Gas Need Clarification. GAO-07-316.
Washington, D.C.: Feb. 23, 2007.
Transportation Security: DHS Should Address Key Challenges before
Implementing the Transportation Worker Identification Credential
Program. GAO-06-982. Washington, D.C.: Sept. 29, 2006.
Coast Guard: Observations on the Preparation, Response, and Recovery
Missions Related to Hurricane Katrina. GAO-06-903. Washington, D.C.:
July 31, 2006.
Maritime Security: Information Sharing Efforts Are Improving. GAO-06-
933T. Washington, D.C.: July 10, 2006.
Coast Guard: Observations on Agency Performance, Operations, and Future
Challenges. GAO-06-448T. Washington, D.C.: June 15, 2006.
Cargo Container Inspections: Preliminary Observations on the Status of
Efforts to Improve the Automated Targeting System. GAO-06-591T.
Washington, D.C.: Mar. 30, 2006.
Combating Nuclear Smuggling: DHS Has Made Progress Deploying Radiation
Detection Equipment at U.S. Ports-of-Entry, but Concerns Remain. GAO-
06-389. Washington, D.C.: Mar. 22, 2006.
Risk Management: Further Refinements Needed to Assess Risks and
Prioritize Protective Measures at Ports and Other Critical
Infrastructure. GAO-06-91. Washington, D.C.: Dec. 2005.
Combating Nuclear Smuggling: Efforts to Deploy Radiation Detection
Equipment in the United States and in Other Countries. GAO-05-840T.
Washington, D.C.: June 21, 2005.
Homeland Security: Key Cargo Security Programs Can Be Improved. GAO-05-
466T. Washington, D.C.: May 26, 2005.
Maritime Security: Enhancements Made, but Implementation and
Sustainability Remain Key Challenges. GAO-05-448T. Washington, D.C.:
May 17, 2005.
Container Security: A Flexible Staffing Model and Minimum Equipment
Requirements Would Improve Overseas Targeting and Inspection Efforts.
GAO-05-557. Washington, D.C.: Apr. 26, 2005.
Maritime Security: New Structures Have Improved Information Sharing,
but Security Clearance Processing Requires Further Attention. GAO-05-
394. Washington, D.C.: Apr. 15, 2005.
Preventing Nuclear Smuggling: DOE Has Made Limited Progress in
Installing Radiation Detection Equipment at Highest Priority Foreign
Seaports. GAO-05-375. Washington, D.C.: Mar. 31, 2005.
Coast Guard: Observations on Agency Priorities in Fiscal Year 2006
Budget Request. GAO-05-364T. Washington, D.C.: Mar. 17, 2005.
Cargo Security: Partnership Program Grants Importers Reduced Scrutiny
with Limited Assurance of Improved Security. GAO-05-404. Washington,
D.C.: Mar. 11, 2005.
Coast Guard: Station Readiness Improving, but Resource Challenges and
Management Concerns Remain. GAO-05-161. Washington, D.C.: Jan. 31,
2005.
Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.:
Jan.14, 2005.
Maritime Security: Better Planning Needed to Help Ensure an Effective
Port Security Assessment Program. GAO-04-1062. Washington, D.C.: Sept.
30, 2004.
Maritime Security: Partnering Could Reduce Federal Costs and Facilitate
Implementation of Automatic Vessel Identification System. GAO-04-868.
Washington, D.C.: July 23, 2004.
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington,
D.C.: June 30, 2004.
Coast Guard: Key Management and Budget Challenges for Fiscal Year 2005
and Beyond. GAO-04-636T. Washington, D.C.: Apr. 7, 2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: Mar.
31, 2004.
Maritime Security: Progress Made in Implementing Maritime
Transportation Security Act, but Concerns Remain. GAO-03-1155T.
Washington, D.C.: Sept. 9, 2003.
Combating Terrorism: Interagency Framework and Agency Programs to
Address the Overseas Threat. GAO-03-165. Washington, D.C.: May 23,
2003.
Combating Terrorism: Actions Needed to Improve Force Protection for DOD
Deployments through Domestic Seaports. GAO-03-15. Washington, D.C.:
Oct. 22, 2002.
Coast Guard: Vessel Identification System Development Needs to Be
Reassessed. GAO-02-477. Washington, D.C.: May 24, 2002.
Coast Guard: Budget and Management Challenges for 2003 and Beyond. GAO-
02-538T. Washington, D.C.: Mar. 19, 2002.
[End of section]
Footnotes:
[1] Pub L. No. 107-295, 116 Stat. 2064 (2002).
[2] In this report, we refer to facilities subject to MTSA regulation
collectively as "MTSA facilities." MTSA also required certain vessels
to have a security plan. Vessel security plans are not discussed in
this report.
[3] GAO, Maritime Security: Substantial Work Remains to Translate New
Planning Requirements into Effective Port Security, GAO-04-838
(Washington, D.C.: June 2004).
[4] Pub. L. No. 109-347, 120 Stat. 1884, 1888 (2006). The act
stipulated that this inspection requirement was subject to the
availability of appropriations. From fiscal year 2007 DHS
appropriations, $4.5 million has been allocated to implement the
unannounced inspection requirement.
[5] In this report we refer to two types of inspections to ensure
facility compliance with their approved security plan. We use the terms
annual compliance exam, or annual exam to indicate a comprehensive
annual inspection of a facility. The annual exam is pre-scheduled with
facilities (announced) unless otherwise indicated. We use the term
security "spot check" adopted by the Coast Guard to refer to an
unannounced inspection of facility compliance less comprehensive than
the annual exam.
[6] Coast Guard completed realignment of its field structure in 2006
into 35 sectors based on existing Captain of the Port boundaries.
Sectors combine legacy Marine Safety Offices, Groups, Vessel Traffic
Services, and some Air Stations into a unified command structure. These
seven sectors were selected to reflect diversity in size, type of
waterway, and geographic location, and facilities were selected to
reflect sector diversity. Information on Coast Guard's inspection
program from these sectors cannot be generalized to all Coast Guard
sectors.
[7] The concern with the cost to facility operators was considered when
MTSA regulations were drafted, and grant funding was made available to
support some facilities with security improvements.
[8] Other MTSA requirements included vulnerability assessments for
ports and vessels, developing a maritime transportation security card
to help control access to secure areas, and establishing a process for
assessing foreign ports from which vessels depart for the United
States.
[9] See, e.g., 33 C.F.R. Chapter 1, Subchapter H. Vessels regulated
under MTSA regulations include for example, specified types of cargo
ships, ferries, and tugs and barges.
[10] Throughout this report, the terms "MISLE," "MISLE data," and
"MISLE database" refer to data from just the MTSA facility compliance
portion of MISLE.
[11] After completion of our analysis, but before this report was
issued, Coast Guard reported identifying an additional 344 annual exams
that were conducted in 2006, and said that they were investigating why
these exams were not previously identified and included in the data GAO
was provided.
[12] This expectation, however, was based on spot checks conducted
prior to Coast Guard guidance (discussed in the following section) that
establishes a more comprehensive review than was the case for some of
the previously conducted spot checks.
[13] These categories correspond to the types of facility
responsibilities cited in the Coast Guard's MTSA regulations. See
appendix II for a more detailed description of deficiencies and the
numbers of deficiencies by category, for 2004, 2005, and 2006.
[14] Coast Guard officials have pointed out that areas may be covered
by surveillance systems that would reduce the risk of entry. In one
location where a building was next to the perimeter, the facility FSO
said cameras were being added (in addition to existing security
patrols) to improve visibility in this area.
[15] In the seventh sector, the top 5 facilities accounted for 18
percent of all deficiencies, and the top 10 accounted for 32 percent.
[16] Recent spot check guidance indicates that less emphasis should be
placed on items that would not change between annual compliance exams,
such as drill/exercise records.
[17] Toward the end of our work, the Coast Guard issued a Commandant's
message requiring information be entered into MISLE regarding whether
the exam was announced or not.
[18] GAO-04-838.
[19] The Coast Guard added 282 positions to local marine safety offices
to meet MTSA facility inspection requirements.
[20] Comments provided by the Coast Guard in January 2008 to a draft of
this report stated that the Coast Guard is receiving an additional 25
facility inspectors positions to increase its ability to meet the SAFE
Port Act mandate. Positions are expected to be filled during the 2008
summer transfer and assignment season.
[21] The Coast Guard provided data on the number of personnel with MTSA
Facility Inspection qualifications. These may include personnel
assigned to other types of positions, such as logistics or a strike
team. Officials noted that personnel may be qualified for a number of
different positions. See appendix I for further discussion.
[22] Officials said inspectors can be assigned elsewhere temporarily,
for a day or placed full-time in non-inspection billets based on sector
needs that match their qualifications (e.g., as a safety inspector or
Marine Science Technician).
[23] All but one of the seven sectors we visited reported receiving
short-term authorizations for reserve personnel to assist with SAFE
Port Act requirements, and all but one was allotted one or more full-
time additional positions. Information from the sectors we visited are
case studies representing variation in types and sizes of ports, but
cannot be generalized to all 35 sectors.
[24] SAFE Port Act, Waterfront Facility Security R 061821Z. U.S. Coast
Guard Commandant message to Coast Guard Area officials, July 2007. The
Coast Guard is also planning other guidance changes such as revising
its MTSA regulations and MTSA implementation circular. Information was
not available from the Coast Guard on specific changes or how theses
changes might affect the need for facility inspectors.
[25] While practices varied considerably for spot checks, the
inspectors and facilities in the sectors we visited generally reported
consistency in the content and process for conducting annual exams
following Coast Guard guidance contained in the circular Implementation
Guidance for the Regulations Mandated by the Maritime Transportation
Security Act of 2002 for Facilities.
[26] Coast Guard headquarters indicated some confusion among inspectors
and that they may be using Operation Neptune Shield guidance where this
type of inspection is acceptable. However, none of the inspectors we
spoke with identified this as a source of guidance to them.
[27] The Coast Guard is also considering changing its MTSA
implementation circular to include SAFE Port Act requirements, among
other things. Coast Guard officials said they expected any revisions to
be published in early 2008. Officials also indicated that the Coast
Guard will be proposing a rule to change the regulations promulgated in
2003 for implementing MTSA. Among other things, the proposed changes
would establish training standards for security personnel, add
regulations related to the reapproval of facility security plans, and
update existing regulations to conform to various requirements in the
SAFE Port Act of 2006. Coast Guard officials said they are behind in
their original schedule for updating the regulations by late 2008, but
the regulations must be completed in time for the reapproval of
facility security plans in 2009.
[28] GAO, Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Controls, GAO-04-
728 (Washington, D.C.: June 4, 2004).
[29] Government Performance and Results Act of 1993, Pub. L. No. 103-
62, 107 Stat. 285 (1993), as amended, requires executive agencies to
develop strategic plans, prepare annual performance plans, measure
progress toward the achievement of the goals, and report annually on
their progress in program performance reports.
[30] See, for example, GAO, Managing for Results: Enhancing Agency Use
of Performance Information for Management Decision Making, GAO-05-927
(Washington, D.C.: September 2005).
[31] GAO, Coast Guard: Non-Homeland Security Performance Measures Are
Generally Sound, but Opportunities for Improvement Exist, GAO-06-816
(Washington, D.C.: August 2006).
[32] Annual Report on Compliance with Security Standards Established
Pursuant to the Maritime Transportation Security Plans. Submitted in
accordance with Title VIII, Section 809(i) of the Coast Guard and
Maritime Transportation Act of 2004.
[33] The Office of Management and Budget uses a Program Assessment
Rating Tool that is consistent with GPRA objectives as a systematic
measure of agency performance across federal programs. The tool asks a
series of questions to assess different program performance aspects.
Agencies respond to the questions with supporting information and OMB
establishes an overall rating for the program. The Ports, Waterways and
Coastal Security Program received an overall rating of moderately
effective (well managed, but needs improvement).
[34] GAO, Results-Oriented Government: GPRA Has Established a Solid
Foundation for Achieving Greater Results, GAO-04-38 (Washington, D.C.:
Mar. 10, 2004).
[35] GAO-05-927.
[36] A data field is a location in a data set where the same
information (such as a facility name) for each case is entered.
[37] GAO's analysis of MISLE data by sector was possible after we
created a sector field and manually distributed data by unit names into
sector designations.
[38] Pub. L. No. 108-293, 118 Stat. 1028 (2004).
[39] Annual Report on Compliance with Security Standards Established
Pursuant to the Maritime Transportation Security Plans. Submitted in
accordance with Title VIII, Section 809(i) of the Coast Guard and
Maritime Transportation Act of 2004. Throughout this section on Coast
Guard's Annual Reports, we used the same reporting periods in our
analysis as was used in Coast Guard's Annual Reports: July 1 - December
31, 2004, January 1 - November 17, 2005, and January 1 - December 31,
2006, although the 2005 Annual Report did not clarify that the
enforcement action data included only part of November 2005.
[40] In October 2007, too late for us to validate as part of this
report, Coast Guard officials indicated that they discovered an
additional 344 annual exams were conducted in 2006 that were not in the
data provided for our analysis. Officials said they were investigating
why the additional 344 exams were not previously identified.
[41] For spot checks and enforcement actions, the differences between
the annual report and MISLE figures were smaller than the differences
we found comparing figures for the annual compliance exam, but we
likewise were unable to determine the reasons for these differences. In
both categories, the figures in the annual reports were higher than the
figures in MISLE.
[42] Coast Guard officials explained that 2004 and 2005 annual report
inspection numbers included field unit input because, at the time,
MISLE queries were unable to relate an inspection type with an
inspection date. Field unit input was also included in the 2004 Annual
Report inspection numbers because, during 2004, Annual Compliance Exams
were sometimes not recorded as inspections, but rather as part of the
initial Facility Security Plan review.
[43] For example, under 33 C.F.R.105.210 Facility personnel responsible
for security duties, there are 13 specific areas that personnel are
required to have knowledge, such as the ability to recognize and detect
dangerous substances and crowd management and control techniques.
However, a number of the narrative descriptions for this deficiency
indicated a general need for security personnel training, rather than
specific training needs.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
