Transportation Security
TSA Has Developed a Risk-Based Covert Testing Program, but Could Better Mitigate Aviation Security Vulnerabilities Identified Through Covert Tests Gao ID: GAO-08-958 August 8, 2008The Transportation Security Administration (TSA) uses undercover, or covert, testing to approximate techniques that terrorists may use to identify vulnerabilities in and measure the performance of airport security systems. During these tests, undercover inspectors attempt to pass threat objects through passenger and baggage screening systems, and access secure airport areas. In response to a congressional request, GAO examined (1) TSA's strategy for conducting covert testing of the transportation system and the extent to which the agency has designed and implemented its covert tests to achieve identified goals; and (2) the results of TSA's national aviation covert tests conducted from September 2002 to June 2007, and the extent to which TSA uses the results of these tests to mitigate security vulnerabilities. To conduct this work, GAO analyzed covert testing documents and data and interviewed TSA and transportation industry officials.
TSA has designed and implemented risk-based national and local covert testing programs to achieve its goals of identifying vulnerabilities in and measuring the performance the aviation security system, and has begun to determine the extent to which covert testing will be used in non-aviation modes of transportation. TSA's Office of Inspection (OI) used information on terrorist threats to design and implement its national covert tests and determine at which airports to conduct tests based on the likelihood of a terrorist attack. However, OI did not systematically record the causes of test failures or practices that resulted in higher pass rates for tests. Without systematically recording reasons for test failures, such as failures caused by screening equipment not working properly, as well as reasons for test passes, TSA is limited in its ability to mitigate identified vulnerabilities. OI officials stated that identifying a single cause for a test failure is difficult since failures can be caused by multiple factors. TSA recently redesigned its local covert testing program to more effectively measure the performance of passenger and baggage screening systems and identify vulnerabilities. However, it is too early to determine whether the program will meet its goals since it was only recently implemented and TSA is still analyzing the results of initial tests. While TSA has a well established covert testing program in commercial aviation, the agency does not regularly conduct covert tests in non-aviation modes of transportation. Furthermore, select domestic and foreign transportation organizations and DHS components use covert testing to identify security vulnerabilities in non-aviation settings. However, TSA lacks a systematic process for coordinating with these organizations. TSA covert tests conducted from September 2002 to June 2007 have identified vulnerabilities in the commercial aviation system at airports of all sizes, and the agency could more fully use the results of tests to mitigate identified vulnerabilities. While the specific results of these tests and the vulnerabilities they identified are classified, covert test failures can be caused by multiple factors, including screening equipment that does not detect a threat item, Transportation Security Officers (TSOs), formerly known as screeners, not properly following TSA procedures when screening passengers, or TSA screening procedures that do not provide sufficient detail to enable TSOs to identify the threat item. TSA's Administrator and senior officials are routinely briefed on covert test results and are provided with test reports that contain recommendations to address identified vulnerabilities. However, TSA lacks a systematic process to ensure that OI's recommendations are considered and that the rationale for implementing or not implementing OI's recommendations is documented. Without such a process, TSA is limited in its ability to use covert test results to strengthen aviation security. TSA officials stated that opportunities exist to improve the agency's processes in this area. In May 2008, GAO issued a classified report on TSA's covert testing program. That report contained information that was deemed either classified or sensitive. This version of the report summarizes our overall findings and recommendations while omitting classified or sensitive security information.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-958, Transportation Security: TSA Has Developed a Risk-Based Covert Testing Program, but Could Better Mitigate Aviation Security Vulnerabilities Identified Through Covert Tests
This is the accessible text file for GAO report number GAO-08-958
entitled 'Transportation Security: TSA Has Developed a Risk-Based
Covert Testing Program, but Could Better Mitigate Aviation Security
Vulnerabilities Identified Through Covert Tests' which was released on
August 14, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
August 2008:
Transportation Security:
TSA Has Developed a Risk-Based Covert Testing Program, but Could Better
Mitigate Aviation Security Vulnerabilities Identified Through Covert
Tests:
Transportation Security:
GAO-08-958:
GAO Highlights:
Highlights of GAO-08-958, a report to the Chairman, Committee on
Homeland Security, House of Representatives.
Why GAO Did This Study:
The Transportation Security Administration (TSA) uses undercover, or
covert, testing to approximate techniques that terrorists may use to
identify vulnerabilities in and measure the performance of airport
security systems. During these tests, undercover inspectors attempt to
pass threat objects through passenger and baggage screening systems,
and access secure airport areas. In response to a congressional
request, GAO examined (1) TSA‘s strategy for conducting covert testing
of the transportation system and the extent to which the agency has
designed and implemented its covert tests to achieve identified goals;
and (2) the results of TSA‘s national aviation covert tests conducted
from September 2002 to June 2007, and the extent to which TSA uses the
results of these tests to mitigate security vulnerabilities. To conduct
this work, GAO analyzed covert testing documents and data and
interviewed TSA and transportation industry officials.
What GAO Found:
TSA has designed and implemented risk-based national and local covert
testing programs to achieve its goals of identifying vulnerabilities in
and measuring the performance the aviation security system, and has
begun to determine the extent to which covert testing will be used in
non-aviation modes of transportation. TSA‘s Office of Inspection (OI)
used information on terrorist threats to design and implement its
national covert tests and determine at which airports to conduct tests
based on the likelihood of a terrorist attack. However, OI did not
systematically record the causes of test failures or practices that
resulted in higher pass rates for tests. Without systematically
recording reasons for test failures, such as failures caused by
screening equipment not working properly, as well as reasons for test
passes, TSA is limited in its ability to mitigate identified
vulnerabilities. OI officials stated that identifying a single cause
for a test failure is difficult since failures can be caused by
multiple factors. TSA recently redesigned its local covert testing
program to more effectively measure the performance of passenger and
baggage screening systems and identify vulnerabilities. However, it is
too early to determine whether the program will meet its goals since it
was only recently implemented and TSA is still analyzing the results of
initial tests. While TSA has a well established covert testing program
in commercial aviation, the agency does not regularly conduct covert
tests in non-aviation modes of transportation. Furthermore, select
domestic and foreign transportation organizations and DHS components
use covert testing to identify security vulnerabilities in non-aviation
settings. However, TSA lacks a systematic process for coordinating with
these organizations.
TSA covert tests conducted from September 2002 to June 2007 have
identified vulnerabilities in the commercial aviation system at
airports of all sizes, and the agency could more fully use the results
of tests to mitigate identified vulnerabilities. While the specific
results of these tests and the vulnerabilities they identified are
classified, covert test failures can be caused by multiple factors,
including screening equipment that does not detect a threat item,
Transportation Security Officers (TSOs), formerly known as screeners,
not properly following TSA procedures when screening passengers, or TSA
screening procedures that do not provide sufficient detail to enable
TSOs to identify the threat item. TSA‘s Administrator and senior
officials are routinely briefed on covert test results and are provided
with test reports that contain recommendations to address identified
vulnerabilities. However, TSA lacks a systematic process to ensure that
OI‘s recommendations are considered and that the rationale for
implementing or not implementing OI‘s recommendations is documented.
Without such a process, TSA is limited in its ability to use covert
test results to strengthen aviation security. TSA officials stated that
opportunities exist to improve the agency‘s processes in this area.
In May 2008, GAO issued a classified report on TSA‘s covert testing
program. That report contained information that was deemed either
classified or sensitive. This version of the report summarizes our
overall findings and recommendations while omitting classified or
sensitive security information.
What GAO Recommends:
To ensure that TSA is more fully using the results of covert tests, GAO
recommends that TSA document causes of test failures; as TSA explores
the use of covert testing in non-aviation modes of transportation,
coordinate with transportation organizations that conduct covert tests;
and develop a systematic process to evaluate covert testing
recommendations. DHS and TSA reviewed a draft of this report and
concurred with GAO‘s recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.GAO-08-958]. For more information, contact
Cathleen A. Berrick at (202) 512-3404 or berrickc@gao.gov.
[End of section]
Report to the Chairman, Committee on Homeland Security, House of
Representatives:
Contents:
Letter:
Results in Brief:
Background:
TSA Has a Risk-Based Covert Testing Strategy to Identify
Vulnerabilities and Measure the Performance of Selected Aviation
Security Systems, but Could Strengthen Its Testing Efforts:
TSA Could More Fully Use the Results of Covert Tests to Mitigate
Security Vulnerabilities Identified in the Commercial Aviation System:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Figures:
Figure 1: TSA's Passenger Checkpoint and Checked Baggage Screening
Operations and Equipment:
Figure 2: Diagram of Security Areas at a Typical Commercial Airport:
Abbreviations:
AAR: American Association of Railroads:
AOA: Air Operations Area:
APTA: American Public Transportation Association:
ASAP: Aviation Screening Assessment Program:
ATSA: Aviation and Transportation Security Act:
CBP: Customs and Border Patrol:
DHS: Department of Homeland Security:
DNDO: Domestic Nuclear Detection Office:
DOT: Department of Transportation:
EDS: Explosive Detection System:
ETD: Explosive Trace Detection:
FAA: Federal Aviation Administration:
FSD: Federal Security Director:
IED: Improvised Explosive Device:
IRD: Internal Reviews Division:
OI: Office of Inspection:
OSO: Office of Security Operations:
SIDA: Security Identification Display Area:
STEA: Screener Training Exercises and Assessments:
TSA: Transportation Security Administration:
TSNM: Transportation Sector Network Management:
TSO: Transportation Security Officer:
TS-SSPP: Transportation System Sector Specific Plan:
United States Government Accountability Office:
Washington, DC 20548:
August 8, 2008:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
Dear Mr. Chairman:
The March 2004 bombings of the rail system in Spain, July 2005 bombings
of London's subway system, and August 2006 alleged terror plot to bring
liquid explosives through airport security checkpoints in the United
Kingdom and detonate them on board aircraft bound for the United
States, are striking reminders that transportation systems have
continued to be a target for terrorist attack. After the September 11,
2001 terrorist attacks, the Aviation and Transportation Security Act
(ATSA) was enacted, creating the Transportation Security Administration
(TSA) and mandating that it assume responsibility for security in all
modes of transportation.[Footnote 1] For the last 5 years, TSA has
spent billions of dollars to screen airline passengers and checked
baggage and to implement regulations and initiatives designed to
strengthen the security of commercial aviation. TSA has also taken
action to strengthen the security of surface modes of transportation,
which includes mass transit and passenger rail, freight rail, and
highways. Despite varying levels of progress in these respective areas,
questions remain about the effectiveness of TSA's security programs and
procedures.
One method that can be used to identify and mitigate vulnerabilities,
measure the effectiveness of security programs, and identify needed
changes to training procedures and technologies is undercover, or
covert testing--also known as red team testing--which was advocated by
the President's July 2002 National Strategy for Homeland Security to
identify security vulnerabilities in the nation's critical
infrastructure and to help prepare for terrorist attacks.[Footnote 2]
Regarding aviation security, and in accordance with requirements
established in law, TSA conducts covert testing of passenger and
checked baggage screening operations, as well as airport perimeter
security and access controls, and requires that Transportation Security
Officers (TSO) who fail tests to undergo remedial training.[Footnote 3]
Prior to the creation of TSA, the Federal Aviation Administration (FAA)
was responsible for ensuring compliance with aviation screening
regulations and testing the performance of passenger and checked
baggage systems in detecting threat objects. TSA began conducting
covert testing in commercial aviation in September 2002. Covert testing
is conducted at the national level by TSA's Office of Inspection (OI)
and at the local, or individual airport level by the Office of Security
Operations (OSO)--the division within TSA responsible for overseeing
passenger and checked baggage screening at airports. During these
tests, undercover inspectors attempt to pass threat objects, such as
simulated explosive devices, through airport passenger screening
checkpoints and checked baggage screening systems. Inspectors also
attempt to access secure areas of the airport undetected, such as
through doorways leading to aircraft and the airport's perimeter. The
tests are designed to approximate techniques that terrorists may use in
order to identify vulnerabilities in the people, processes, and
technologies that comprise the aviation security system. With respect
to some non-aviation modes of transportation, specifically mass
transit, passenger rail, and maritime ferries, TSA has initiated pilot
programs designed to test the feasibility of implementing screening of
passengers at a centralized checkpoint, similar to the aviation system.
According to OI officials, during these pilot programs, OI conducted
covert testing to determine if they could pass threat objects through
the passenger screening procedures and equipment that was being tested
in these systems. In addition, TSA's May 2007 Transportation System
Sector Specific Plan (TS-SSP) for mass transit describes TSA's strategy
for securing mass transit and passenger rail, and encourages that
transit and rail agencies should develop covert testing exercises.
We have previously reported on the results of TSA's national and local
aviation covert tests, both of which have identified vulnerabilities in
the aviation security system, and the results of our investigators'
tests of TSA's passenger checkpoint and checked baggage security
systems, which have also identified vulnerabilities. The Department of
Homeland Security (DHS) Office of Inspector General has also conducted
its own covert testing of airport passenger and checked baggage
screening, as well as perimeters and access controls, and has also
identified vulnerabilities in these areas, most recently in March
2007.[Footnote 4]
In light of the security vulnerabilities that covert testing has
identified and concerns regarding the effectiveness of existing
security procedures, you asked that we review TSA's national and local
covert testing programs. In response, on May 13, 2008, we issued a
classified report addressing the following key questions: (1) What is
TSA's strategy for conducting covert testing of the transportation
system, and to what extent has the agency designed and implemented its
covert tests to achieve identified goals? and (2) What have been the
results of TSA's national aviation covert tests conducted from
September 2002 to June 2007, and to what extent does TSA use the
results of these tests to mitigate security vulnerabilities in the
commercial aviation system?
As our May 2008 report contained information that was deemed to be
either classified or sensitive, this version of the report is intended
to generally summarize our overall findings and recommendations while
omitting classified or sensitive security information about TSA's
covert testing processes and the results of TSA's covert tests
conducted from September 2002 to June 2007. As our intent in preparing
this report is to convey, in a publicly available format, the non-
classified, non sensitive results of the classified May 2008 report, we
did not attempt to update the information here to reflect changes that
may have occurred since the publication of the May 2008 report.
To identify TSA's strategy for conducting covert testing of the
transportation system and the extent to which the agency has designed
and implemented tests to achieve its goals, we reviewed applicable
laws, regulations, policies, and procedures for national and local
covert testing. We interviewed TSA OI officials responsible for
conducting national aviation covert tests, and OSO officials
responsible for local aviation covert tests, regarding TSA's strategy
for designing and implementing these tests, including the extent to
which they used threat information to guide their efforts. We also
observed OI inspectors during covert tests at seven airports, including
airports with heavy passenger traffic and those with just a few flights
per day, as well as airports with both TSOs and contract
screeners.[Footnote 5] During these covert tests, we accompanied OI
inspectors during all phases of the test including planning, testing,
and post-test reviews with TSOs and their supervisors. We interviewed
TSOs and their supervisors that were involved in covert tests at each
airport where we observed tests to discuss their experience with the
national and local covert testing programs. We also interviewed the
Federal Security Director (FSD) at each airport where we observed
covert tests to obtain their views of the testing program and the
results of tests at their airports.[Footnote 6] While these seven
airports represent reasonable variations in size and geographic
locations, our observations of OI's covert tests and the perspectives
provided by TSA officials at these airports cannot be generalized
across all commercial airports. However, our observations at the seven
airports provided us with an overall understanding of how OI conducts
covert tests and useful insights provided by TSOs, their supervisors,
and FSDs at these airports. We also reviewed TSA's procedures for
screening passenger and checked baggage to determine how these
procedures are used in designing and implementing national aviation
covert tests. We interviewed OI officials and officials from TSA's
Office of Transportation Sector Network Management (TSNM), which is
responsible for developing security policies for non-aviation modes of
transportation, regarding the extent to which covert testing has been
conducted in non-aviation modes, the applicability of covert testing in
other modes, and future plans for conducting covert testing in other
modes. To understand how entities outside of TSA have used covert
testing in non-aviation modes of transportation, we interviewed
officials from DHS components and organizations that conduct covert
testing, including U.S. Customs and Border Protection, DHS Domestic
Nuclear Detection Office (DNDO), Amtrak, the United Kingdom's
Department for Transport Security (TRANSEC), and transportation
industry associations, such as the American Association of Railroads
and the American Public Transportation Association.
To determine the results of TSA's national covert tests and the extent
to which TSA used the results of these tests to mitigate security
vulnerabilities in the aviation system, we obtained and analyzed a
database of the results of TSA's national covert tests conducted from
September 2002 to June 2007. To determine how TSA gathers covert
testing data, we reviewed the data collection instruments used at the
airports where we observed covert tests, as well as other methods OI
uses to gather covert testing data and observations. We also reviewed
TSA's internal controls for collecting and maintaining the results of
covert tests. We assessed the reliability of TSA's covert testing data
and the systems used to produce the data by interviewing agency
officials responsible for maintaining the database. We determined that
the data were sufficiently reliable for our analysis and the purposes
of this report. We also interviewed OI officials regarding how the
results of covert tests are used in developing their recommendations to
TSA management. We reviewed OI reports on the results of covert tests
completed between March 2003 and June 2007 that were submitted to TSA's
Administrator and OSO to identify OI's recommendations for mitigating
the vulnerabilities identified during covert tests. We further obtained
and analyzed a summary of the actions that OSO had taken to address
OI's recommendations for mitigating vulnerabilities made from March
2003 to June 2007. More detailed information on our scope and
methodology is contained in appendix I.
We conducted this performance audit from October 2006 to May 2008, in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Results in Brief:
TSA has designed and implemented risk-based national and local covert
testing programs to achieve its goals of identifying vulnerabilities in
and measuring the performance of passenger checkpoint and checked
baggage screening systems and airport perimeters and access controls,
and has begun to determine the extent to which covert testing will be
used to identify vulnerabilities and measure the effectiveness of
security practices related to non-aviation modes of transportation. OI
used information on terrorist threats to design and implement its
national covert tests and determine at which airports to conduct tests
based on analyses of risks. However, OI inspectors did not
systematically record specific causes for test failures related to
TSOs, procedures, or screening equipment that did not work properly.
Standards for Internal Control in the Federal Government identify that
information should be recorded and communicated to management and
others in a form and within a time frame that enables them to carry out
their internal control and other responsibilities.[Footnote 7] OI
officials stated that they do not record information on equipment
failures because there is a possibility that the threat item was not
designed properly and therefore should not have set off the alarm, and
identifying a single cause for a test failure is difficult since covert
testing failures can be caused by multiple factors. OI also did not
systematically collect and analyze information on effective screening
practices that may contribute to TSOs' ability to detect threat items,
which could allow TSA to identify actions that may help improve
screening performance across the system. Without systematically
recording reasons for test failures, such as failures caused by
screening equipment not working properly, as well as reasons for test
passes, TSA is limited in its ability to mitigate identified
vulnerabilities. Regarding TSA's local aviation covert testing program,
the agency recently redesigned the program to address the limitations
of the previous program, such as inconsistent structure and frequency
of tests across airports. The new program, called the Aviation
Screening Assessment Program (ASAP), is also risk-based, with tests
being designed to mirror threat items that may be used by terrorists
based on threat information. If implemented effectively, ASAP should
provide TSA with a measure of the performance of passenger and checked
baggage screening systems and help to identify security
vulnerabilities. However, since the program was only recently
implemented, it is too soon to determine whether ASAP will meet its
goals of identifying vulnerabilities and measuring the performance of
passenger and checked baggage screening systems. Furthermore, TSA has
just begun to determine the extent to which covert testing will be used
to identify vulnerabilities and measure the effectiveness of security
practices in non-aviation modes of transportation. While TSA
coordinates with domestic and foreign transportation organizations and
DHS component agencies regarding its security efforts, they do not have
a systematic process in place to coordinate with these organizations
regarding covert testing in non-aviation settings, and opportunities
for TSA to learn from these organizations' covert testing efforts
exist.
TSA's national aviation covert testing program has identified
vulnerabilities in selected aspects of the commercial aviation security
system at airports of all sizes, however, the agency is not fully using
the results of these tests to mitigate identified vulnerabilities. The
specific results of these tests are classified and are presented in our
classified May 2008 report. Although national covert test results
provide only a snapshot of the effectiveness of airport security
screening and cannot be considered a measurement of performance because
the tests were not conducted using the principles of probability
sampling, tests can be used to identify vulnerabilities in the
commercial aviation security system. Covert test failures have been
caused by various factors, including TSOs not properly following TSA
procedures when screening passengers, screening equipment that does not
detect a threat item, and TSA screening procedures that do not provide
sufficient detail to enable TSOs to identify a threat item. Senior TSA
officials, including TSA's Administrator, are routinely briefed on the
results of covert tests and provided with OI reports that describe the
vulnerabilities identified by these tests and recommendations to
correct identified vulnerabilities. However, OSO, the office within TSA
responsible for passenger and checked baggage screening, lacks a
systematic process to ensure that OI's recommendations are considered,
and does not systematically document its rationale for why it did or
did not implement OI's recommendations. From March 2003 through June
2007, OI made 43 recommendations to OSO designed to mitigate
vulnerabilities identified through covert tests. These recommendations
related to providing additional training to TSOs and revising or
clarifying existing TSA screening procedures, such as procedures for
screening passengers and checked baggage. To date, OSO has taken
actions to implement 25 of OI's 43 recommendations. OSO and OI also do
not have a process in place to assess whether the corrective action
implemented mitigated the identified vulnerabilities through follow-up
national or local covert tests. According to OSO officials, TSA has
other methods in place to identify whether corrective actions or other
changes are effective; however, officials did not provide specific
information regarding these methods. For the remaining 18 of OI's 43
recommendations, OSO either took no action to address the
recommendation or it is unclear how the action they took addressed the
recommendation. Moreover, in those cases where OSO took no action to
address OI's recommendation, they did not systematically document their
rationale for why they took no action. Standards for Internal Control
in the Federal Government identify that managers are to promptly
evaluate findings, determine proper actions, and complete these actions
to correct matters. In the absence of a systematic process for
considering OI's recommendations, documenting their decision-making
process, and evaluating whether corrective actions mitigated identified
vulnerabilities, TSA is limited in its ability to use covert testing
results to improve the security of the commercial aviation system.
According to OSO officials, opportunities exist to improve OSO's
internal processes for considering OI's recommendations and documenting
its rationale for implementing or not implementing these
recommendations. OSO senior leadership stated that they were committed
to enhancing its partnership with OI and improving its processes for
ensuring that OI recommendations are communicated to and considered by
the appropriate TSA officials.
To better ensure that TSA is fully using the results of covert tests to
identify and mitigate vulnerabilities in the transportation security
system, we recommended in our May 2008 classified report that the
Secretary of Homeland Security direct the Assistant Secretary for TSA
to develop a systematic process for gathering and analyzing specific
causes of all national aviation covert testing failures, record
information on screening equipment that may not be working properly
during covert tests, and identify effective practices used at airports
that perform well on covert tests. In addition, as TSA explores the use
of covert testing in non-aviation modes of transportation, we
recommended that the agency coordinate with organizations that already
conduct these tests to learn from their experiences. Further, we
recommended that the Secretary of Homeland Security direct the
Assistant Secretary for TSA to develop a systematic process to ensure
that OSO considers all recommendations made by OI as a result of covert
tests and systematically documents their rationale for either
implementing or not implementing these recommendations. Finally, we
recommended that when OSO implements OI's recommendations, they should
evaluate whether the action taken has addressed the vulnerability
identified through the covert tests, which could include the use of
follow-up national or local covert tests or through other means
determined by OSO.
We provided a draft of this report to DHS and TSA for review. DHS, in
its written comments, concurred with the findings and recommendations
in the report. The full text of DHS's comments is included in appendix
II.
Background:
Congress and the Administration have advocated the use of covert or red
team testing in all modes of transportation. Following the terrorist
attacks on September 11, 2001, on November 19, 2001, the President
signed ATSA into law, with the primary goal of strengthening the
security of the nation's commercial aviation system.[Footnote 8] ATSA
created TSA within the Department of Transportation (DOT) as the agency
responsible for securing all modes of transportation. Among other
things, ATSA mandated that TSA assume responsibility for screening
passengers and their property, which includes the hiring, training, and
testing of the screening workforce.[Footnote 9] ATSA also mandated that
TSA conduct annual proficiency reviews and provide for the operational
testing of screening personnel, and that TSA provide remedial training
to any screener who fails such tests. In 2002, the President issued The
National Strategy for Homeland Security that supports developing red
team tactics in order to identify vulnerabilities in security measures
at our Nation's critical infrastructure sectors, including the
transportation sector. In 2007, TSA issued the TS-SSP that outlines its
strategy and associated security programs to secure the transportation
sector.[Footnote 10] While the TS-SSP does not address covert testing
in aviation, it does identify that mass transit and passenger rail
operators should develop covert testing exercises. Moreover, the
Implementing Recommendations of the 9/11 Commission Act of 2007
requires DHS to develop and implement the National Strategy for
Railroad Transportation Security, which is to include prioritized
goals, actions, objectives, policies, mechanisms, and schedules for
assessing the usefulness of covert testing of railroad security
systems.[Footnote 11] Furthermore, the explanatory statement
accompanying Division E of the Consolidated Appropriations Act, 2008
(the DHS Appropriations Act, 2008), directs TSA to be more proactive in
red teaming for all modes of transportation.[Footnote 12] Specifically,
the statement directs approximately $6 million of TSA's appropriated
funds for red team activities to identify potential vulnerabilities and
weaknesses in airports and air cargo facilities, as well as in transit,
rail, and ferry systems.
Prior to the creation of TSA, the Department of Transportation's
Federal Aviation Administration (FAA) monitored the performance of
airport screeners. FAA created the "red team," as it came to be known,
to assess the commercial aviation industry's compliance with FAA
security requirements and to test whether U.S. aviation passenger and
checked baggage screening systems were able to detect explosives and
other threat items. TSA began its covert testing program in September
2002. TSA's covert testing program consists of a nationwide commercial
aviation testing program conducted by OI, and a local commercial
airport testing program implemented by OSO and FSDs at each airport.
TSA's National Covert Testing Program for Commercial Aviation:
OI conducts national covert tests of three aspects of aviation security
at a commercial airport: (1) passenger checkpoint; (2) checked baggage;
and (3) access controls to secure areas and airport perimeters. OI
conducts covert tests by having undercover inspectors attempt to pass
threat objects, such as guns, knives, and simulated improvised
explosive devices (IED), through passenger screening checkpoints and in
checked baggage, and to attempt to access secure areas of the airport
undetected. OI officials stated that they derived their covert testing
protocols and test scenarios from prior FAA red team protocols, but
updated the threat items used and increased the difficulty of the
tests. According to OI officials, they also began conducting tests at
airports on a more frequent basis than FAA. Initially, OI conducted
tests at all of the estimated 450 commercial airports nationwide on a 3-
year schedule, with the largest and busiest airports being tested each
year.[Footnote 13] TSA also began using threat information to make
tests more closely replicate tactics that may be used by terrorists.
The number of covert tests that OI conducts during testing at a
specific airport varies by the size of the airport. The size of the OI
testing teams also varies depending upon the size of the airport being
tested, the number of tests that OI plans to conduct, and the number of
passenger checkpoints and access points to secure areas at a particular
airport. OI testing teams consist of a team leader who observes the
tests and leads post-test reviews with TSOs, and inspectors who
transport threat items through passenger checkpoints and secure airport
areas and record test results. Team leaders usually have previous
federal law enforcement experience, while inspectors often include
program analysts, administrative personnel, and other TSA personnel.
Prior to testing, each team leader briefs their team to ensure that
everyone understands their role, the type of test to be conducted, and
the threat item they will be using. For tests at passenger checkpoints
and in checked baggage, OI uses different IED configurations and places
these IEDs in various areas of each inspector's body and checked
baggage to create different test scenarios. Figure 1 provides an
overview of TSA's passenger checkpoint and checked baggage screening
operations and equipment.
Figure 1: TSA's Passenger Checkpoint and Checked Baggage Screening
Operations and Equipment:
This figure is a visual depiction of TSA's passenger checkpoint and
checked baggage screening operations and equipment.
[See PDF for image]
Source: GAO and Nova Development Corporation.
[End of figure]
According to OI officials, on the day of testing, OI typically notifies
the airport police about one half hour, and the local FSD 5 minutes,
before testing begins and instructs them not to notify the TSOs that
testing is being conducted. OI officials stated that they provide this
notification for security and safety reasons.
Covert Testing Procedures at Passenger Checkpoints:
During passenger checkpoint testing, each team of inspectors carries
threat items through the passenger checkpoint. If the TSO identifies
the threat item during screening, the inspector identifies him or
herself to the TSO and the test is considered a pass. If the TSO does
not identify the threat item, the inspector proceeds to the sterile
area of the airport and the test is considered a failure. For each
test, inspectors record the steps taken by the TSO during the screening
process and test results, and the team leader assigns any requirements
for remedial training as a consequence of a failed test. The specific
types of covert tests conducted by TSA at the passenger checkpoint is
sensitive security information and cannot be described in this report.
Covert Testing Procedures for Checked Baggage:
Covert tests of checked baggage are designed to measure the
effectiveness of the TSOs' ability to utilize existing checked baggage
screening equipment, not to test the effectiveness of the screening
equipment. In covert tests of checked baggage screening, an inspector
poses as a passenger and checks their baggage containing a simulated
threat item at the airline ticket counter. The bag is then screened by
TSOs using one of two checked baggage screening methods. At airports
that have explosive detection systems (EDS), the TSO uses these
machines to screen each bag.[Footnote 14] At airports that do not have
EDS and at airports where certain screening stations do not have EDS,
such as curbside check-in stations, the TSOs use an Explosive Trace
Detection (ETD) machine to screen checked baggage. During the ETD
screening process of both carry-on and checked baggage, TSOs attempt to
detect explosives on passengers' baggage by swabbing the target area
and submitting the swab into the ETD machine for chemical
analysis.[Footnote 15] If the machine detects an explosive substance,
it alarms, and produces a readout indicating the specific type of
explosive detected. The TSO is then required to resolve the alarm by
performing additional screening steps such as conducting a physical
search of the bag or conducting further ETD testing on and X-raying of
footwear. When testing EDS and ETD screening procedures, OI uses fully
assembled objects such as laptop computers, books, or packages.
Whether using EDS or ETD, if the TSO fails to identify the threat item,
the inspectors immediately identify themselves to stop the checked
baggage from being sent for loading onto the aircraft, and the test is
considered a failure. If the TSO identifies the threat item, the
inspectors also identify themselves and the test is considered a pass.
If the OI inspector determines that the test failure was due to the
screening equipment not working correctly, the test is considered
invalid. OI conducts two types of checked baggage covert tests:
* Opaque object: This test is designed to determine if a TSO will
identify opaque objects on the X-ray screen and conduct a physical
search of the checked bag. During these tests, OI inspectors conceal a
threat item that cannot be penetrated by the X-ray and appears on the
EDS screen as an opaque object among normal travel objects within
checked baggage.
* IED in bag: This test is designed to determine if a TSO will identify
an IED during a search of the bag and use proper ETD procedures to
identify it as a threat. During these tests, OI inspectors conceal a
simulated IED within checked baggage. In addition, the IED may be
contained within other objects inside of the bag.
Covert Testing Procedures for Access Controls:
OI inspectors conduct covert tests to determine if they can infiltrate
secure areas of the airport, such as jet ways or boarding doors to
aircraft. Each U.S. commercial airport is divided into different areas
with varying levels of security. Secure areas, security identification
display areas (SIDA), and air operations areas (AOA) are not to be
accessed by passengers, and typically encompass areas near terminal
buildings, baggage loading areas, and other areas that are close to
parked aircraft and airport facilities, including air traffic control
towers and runways used for landing, taking off, or surface
maneuvering. Figure 2 is a diagram of the security areas at a typical
commercial airport.
Figure 2: Diagram of Security Areas at a Typical Commercial Airport:
This figure is a diagram of security areas at a typical commercial
airport.
[See PDF for image]
Source: GAO.
[End of figure]
If inspectors are able to access secure areas of the airport or are not
challenged by airport or airline employees, then the test is considered
a failure. OI conducts four types of covert tests for airport access
controls.
* Access to SIDA: During these tests, OI inspectors who are not wearing
appropriate identification attempt to penetrate the SIDA through access
points, such as boarding gates, employee doors, and other entrances
leading to secure areas to determine if they are challenged by airport
or airline personnel.
* Access to AOA: During these tests, OI inspectors who are not wearing
appropriate identification attempt to penetrate access points leading
from public areas to secured areas of the AOA, including vehicle and
pedestrian gates through the perimeter fence, cargo areas, and general
aviation facilities that provide a direct path to passenger aircraft in
secure areas to determine if they are challenged by airport or airline
personnel.
* Access to Aircraft: During these tests, OI inspectors who are not
wearing appropriate identification or who do not have a valid boarding
pass attempt to penetrate access points past the passenger screening
checkpoint which lead directly to aircraft, including boarding gates,
employee doors, and jet ways to determine if they are challenged by
airport or airline personnel.
* SIDA Challenges: During these tests, OI inspectors attempt to walk
through secure areas of the airport, such as the tarmac and baggage
loading areas, without appropriate identification to determine if they
are challenged by airport personnel. If not challenged, then the test
is considered a failure.
Post-Test Reviews and Analysis:
After testing at the airport is complete, team leaders conduct post-
test reviews with the TSOs, supervisors, and screening managers
involved in the testing. These post-test reviews include a hands-on
demonstration of the threat items used during each test and provide an
opportunity for TSOs to ask questions about the test. According to OI
officials, the purpose of these post-test reviews is to serve as a
training tool for TSOs. Following the post-test review, OI officials
meet with the airport FSD to discuss the test results and any
vulnerabilities identified at the airport. OI also provides the FSD
with the names of each TSO required to undergo remedial
training.[Footnote 16] OI usually completes all aspects of its covert
tests at an airport within several days. After completing tests at each
airport, OI staff document test results on standardized data collection
instruments and meet to discuss the results and identify the actions
that they will recommend to TSA management to address the
vulnerabilities identified by the tests. The airport testing data
collected are then inputted into a database by OI headquarters staff,
who develop reports that summarize the tests results and the
vulnerabilities identified. These reports are then presented to TSA
management, such as the Administrator. OI staff also regularly brief
TSA's Administrator and management, such as the Assistant Administrator
of OSO, on the results of covert tests. Since 2003, when OI completed
its first covert testing report, most of OI's reports contained
specific recommendations aimed at addressing the vulnerabilities
identified during covert testing.
TSA's Local Covert Testing Program for Commercial Aviation:
In February 2004, OSO authorized FSDs to conduct their own testing of
local passenger and checked baggage screening operations at their
airports to serve as a training tool for the TSOs and to measure their
performance. Referred to as Screener Training Exercises and Assessments
(STEA), FSDs conducted these local covert tests using federal
employees, such as TSOs from other local airports and other federal law
enforcement officers, and were given discretion to determine the number
of tests conducted at their airports, the manner with which the tests
were conducted, and the type of tests conducted. OSO considered STEA a
tool for training TSOs in detecting threat items, and issued modular
bomb kits (MBS II kits) containing simulated IEDs to be used during
local testing.[Footnote 17] During STEA tests, staff placed simulated
IEDs in passenger and checked baggage to determine if they would be
detected by TSOs.[Footnote 18] Unlike OI's national covert tests, STEA
tests did not include tests of airport access controls. TSOs that
failed STEA tests were required to undergo remedial training. In May
2005, we reported that TSA officials stated that they had not yet begun
to use data from STEA testing to identify training and performance
needs for TSOs because of difficulties in ensuring that local covert
testing was implemented consistently nationwide.[Footnote 19] For
example, because FSDs had discretion regarding the number of tests
conducted, some airports conducted STEA tests regularly, while others
rarely conducted tests. In addition, we previously reported that FSDs
had difficulty in finding enough staff to help conduct STEA tests on a
consistent basis. OSO officials recognized the limitations of the STEA
program and, as a result, began to re-structure the program in
September 2006. This local covert testing program was renamed the
Aviation Screening Assessment Program (ASAP). ASAP is designed to test
the performance of passenger and checked baggage screening systems and
identify security vulnerabilities at each airport.
In April 2007, OSO began its initial 6-month cycle of ASAP, in which
1,600 tests were conducted in each grouping of airports--Category X (27
airports), category I (55 airports), and Category II through IV (369
airports). OSO compliance inspectors at each airport conduct the tests.
Specific test requirements are distributed to FSDs before the start of
each 6-month cycle. These test requirements stipulate the percentage of
tests to conduct during peak and non-peak passenger screening periods;
the percentage of basic, intermediate, or advanced tests to be
conducted; and specific types of threat items that should be used
during each type of test, such as IEDs or weapons. Following each test,
inspectors are to brief the TSOs, supervisors, and screening managers
involved in the tests on the results and notify the FSD of the results.
With the first cycle of tests initiated in April 2007, TSA officials
plan that any recommendations resulting from ASAP tests will be
submitted to OSO management and other offices within TSA that need to
know the test results. Although the testing requirements, including the
level of frequency and types of tests, will not change during the
initial 6-month cycle to preserve the validity of the test results, TSA
officials plan to analyze the results of the tests and evaluate the
need to revise the structure of the tests or the type of threat items
used after testing is complete. According to OSO officials, the first
cycle of ASAP tests are complete, but the results are still being
analyzed by TSA to determine the overall findings from the tests.
Covert Testing as a Key Component of TSA's Broader Risk Management
Approach:
TSA's national and local aviation covert testing programs contribute to
TSA's broader risk management approach for securing the transportation
sector by applying principles of risk assessment to identify
vulnerabilities in commercial aviation. Risk management is a systematic
and analytical process to consider the likelihood that a threat will
endanger an asset, individual, or function, and to identify actions to
reduce the risk and mitigate the consequences of an attack. Risk
management, as applied in the homeland security context, can help
federal decision-makers determine where and how to invest limited
resources within and among the various modes of transportation. In
recent years, the President, through Homeland Security Presidential
Directives (HSPD), and laws such as the Intelligence Reform and
Terrorism Prevention Act of 2004, have provided that federal agencies
with homeland security responsibilities should apply risk-based
principles to inform their decision making regarding allocating limited
resources and prioritizing security activities.[Footnote 20] The 9/11
Commission recommended that the U.S. government should identify and
evaluate the transportation assets that need to be protected, set risk-
based priorities for defending them, select the most practical and cost-
effective ways of doing so, and then develop a plan, budget, and
funding to implement the effort.[Footnote 21] In 2002, the President
issued The National Strategy for Homeland Security that instructs the
federal government to allocate resources in a balanced way to manage
risk in our border and transportation security systems while ensuring
the expedient flow of goods, services, and people. Further, the
Secretary of DHS has made risk-based decision-making a cornerstone of
departmental policy. In May 2007, TSA issued the TS-SSP and supporting
plans for each mode of transportation that establish a system based
risk management approach for securing the transportation sector.
We have previously reported that a risk management approach can help to
prioritize and focus the programs designed to combat
terrorism.[Footnote 22] A risk assessment, one component of a risk
management approach, consists of three primary elements: a
vulnerability assessment, a threat assessment, and a criticality
assessment. A vulnerability assessment is a process that identifies
weaknesses in physical structures, personnel protection systems,
processes, or other areas that may be exploited by terrorists, and may
suggest options to eliminate or mitigate those weaknesses. TSA uses
both national and local aviation covert testing as a method to identify
and mitigate security vulnerabilities in the aviation sector. A threat
assessment identifies and evaluates threats based on various factors,
including capability and intentions as well as the lethality of an
attack. Criticality assessment evaluates and prioritizes assets and
functions in terms of specific criteria, such as their importance to
public safety and the economy, as a basis for identifying which
structures or processes require higher or special protection from
attack.
TSA Has a Risk-Based Covert Testing Strategy to Identify
Vulnerabilities and Measure the Performance of Selected Aviation
Security Systems, but Could Strengthen Its Testing Efforts:
TSA has designed and implemented risk-based national and local covert
testing programs to achieve its goals of identifying vulnerabilities in
and measuring the performance of passenger checkpoint and checked
baggage screening systems and airport perimeters and access controls,
and has begun to determine the extent to which covert testing will be
used to identify vulnerabilities and measure the effectiveness of
security practices related to non-aviation modes of transportation. OI
used information on terrorist threats to design and implement its
national covert tests and determine at which airports to conduct tests
based on analyses of risks. However, OI inspectors did not
systematically record specific causes for test failures related to
TSOs, procedures, or screening equipment that did work properly. OI
also did not systematically collect and analyze information on
effective screening practices that may contribute to TSOs ability to
detect threat items. Without systematically recording reasons for test
failures, such as failures caused by screening equipment not working
properly, as well as reasons for test passes, TSA is limited in its
ability to mitigate identified vulnerabilities. TSA recently redesigned
its local covert testing program to address limitations in its previous
program. The new program, ASAP, should provide TSA with a measure of
the performance of passenger and checked baggage screening systems and
help to identify security vulnerabilities. Furthermore, TSA has begun
to determine the extent to which covert testing will be used to
identify vulnerabilities and measure the effectiveness of security
practices in non-aviation modes of transportation. While TSA
coordinates with domestic and foreign organizations regarding
transportation security efforts, they do not have a systematic process
in place to coordinate with these organizations regarding covert
testing in non-aviation settings, and opportunities for TSA to learn
from these organizations' covert testing efforts exist.
TSA Uses a Risk-Based Covert Testing Strategy:
OI uses threat assessments and intelligence information to design and
implement national covert tests that meet its goals of identifying
vulnerabilities in passenger checkpoint and checked baggage screening
systems, and airport perimeters and access controls. While OI currently
focuses it covert tests on these three areas of aviation security, it
has recently begun to establish procedures for the testing of air cargo
facilities. According to OI officials, as of March 2008, OI has not yet
conducted any tests of air cargo. In designing its covert tests, OI
works with DHS's Transportation Security Laboratory to create threat
items to be used during covert tests. OI also uses threat information
to replicate tactics that may be used by terrorists. The tactics that
OI uses are all designed to test the capabilities of passenger
checkpoint and checked baggage screening systems to identify where
vulnerabilities exist. The process OI uses to select which airports to
test has evolved since covert testing began in September 2002 to focus
more on those airports determined to be at greater risk of a terrorist
attack. Initially, OI's goals were to conduct covert tests at all
commercial airports, with tests being conducted more frequently at
those airports with the largest number of passenger boardings than
smaller airports with fewer flights. In August 2005, when TSA began
focusing on the most catastrophic threats, OI changed its testing
strategy to utilize a risk-based approach to mitigate those threats.
OI Could Better Identify Vulnerabilities by Recording and Analyzing
Specific Causes of Covert Testing Failures and Passes of National
Covert Tests in Its Testing Database:
OI inspectors record information on the results of national covert
tests on data collection instruments after each test is conducted,
including the extent to which TSOs properly followed TSA screening
procedures and whether the test was passed or failed. After airport
testing is complete, OI headquarters analysts input the covert test
results into a centralized database. While analysts input whether the
test was a pass or a fail and inspectors observations regarding some
tests, they do not systematically capture OI's assessment of the cause
of the test failure and include that information in the
database.[Footnote 23] Test failures could be caused by (1) TSOs not
properly following existing TSA screening procedures, (2) screening
procedures that are not clear to TSOs, (3) screening procedures that
lack sufficient guidance to enable TSOs to identify threat items, and
(4) screening equipment that does not work properly. Moreover, when
inspectors determine the cause of a covert test failure to be due to
screening equipment, such as the walk through metal detector, the hand-
held metal detector, or ETD not alarming in response to a threat item,
OI considers these tests to be invalid. While OI officials stated that
they report instances when equipment may not be working properly to the
airport FSD and officials from the Transportation Security Laboratory,
they do not input that equipment caused the failure in the covert
testing database. TSA management may find this information useful in
identifying vulnerabilities in the aviation system that relate to
screening equipment not working properly. OI officials stated that they
do not record information on equipment failures because there is always
a possibility that the simulated threat item was not designed properly
and therefore should not have set off the alarm. Further, they stated
that DHS's Transportation Security Laboratory is responsible for
ensuring that screening equipment is working properly. However, the
Laboratory does not test screening equipment at airports in an
operational environment. Furthermore, according to OI officials,
identifying a single cause for a test failure may be difficult since
covert testing failures can be caused by multiple factors. However, in
discussions with OI officials about selected individual test results,
inspectors were able in their view, in most of these cases, to identify
the cause they believed contributed most to the test failure. According
to the Standards for Internal Control in the Federal Government,
information should be recorded and communicated to management and
others in a form and within a time frame that enables them to carry out
their internal control and other responsibilities. The Standards
further call for pertinent information to be identified, captured, and
distributed in a form and time frame that permits people to perform
their duties efficiently. By not systematically inputting the specific
causes for test failures in its database, including failures due to
equipment, OI may be limiting its ability to identify trends that
impact screening performance across the aviation security systems
tested.
In addition to not identifying reasons the inspectors believed caused
the test failures, OI officials do not systematically record
information on screening practices that may contribute to covert test
passes. However, OI inspectors occasionally captured information of
effective practices used by TSOs to detect threat items during covert
tests in the data collection instruments used during these tests.
Further, during covert tests that we observed, OI inspectors routinely
discussed with us those practices used during certain tests that they
viewed as effective, such as effective communication between TSOs and
supervisors in identifying threat items. In 2006, OSO officials
requested a TSA internal review of differences in checkpoint screening
operations at three airports to identify whether the airports employed
certain practices that contributed to their ability to detect threat
items during covert tests, among other things. Between June and October
2006, OI's Internal Reviews Division (IRD) reviewed passenger
checkpoint covert test results for each airport, observed airport
operations, interviewed TSA personnel, and reviewed documents and
information relevant to checkpoint operations. IRD's review identified
a number of key factors that may contribute to an airport's ability to
detect threat items. While IRD conducted this one time review of
effective screening practices that may have led to higher test pass
rates, OI does not systematically collect information on those
practices that may lead to test passes. As discussed earlier in this
report, Standards for Internal Control in the Federal Government stated
the need for pertinent information to be identified and captured to
permit managers to perform their duties efficiently. Without collecting
information on effective screening practices that, based on the
inspectors' views, may lead to test passes, TSA managers are limited in
their ability to identify measures that could help to improve screening
performance across the aviation security system.
TSA Redesigned Its Local Covert Testing Program to Address Limitations
of Its Previous Program and to Measure the Performance of Passenger
Checkpoint and Checked Baggage Screening:
In April 2007, TSA initiated its local covert testing program, the
Aviation Screening Assessment Program (ASAP). TSA is planning to use
the results of ASAP as a statistical measure of the performance of
passenger checkpoint and checked baggage screening systems, in addition
as a tool to identify security vulnerabilities. TSA ASAP guidance
applies a standardized methodology for the types and frequency of
covert tests to be conducted in order to provide a national statistical
sample. If implemented as planned, ASAP should provide TSA with a
measure of the performance of passenger and checked baggage screening
systems and help identify security vulnerabilities. According to OSO
officials, the first cycle of ASAP tests were completed, but the
results are still being internally analyzed by TSA to determine the
overall findings from the tests. As a result, it is too soon to
determine whether ASAP will meet its goals of measuring the performance
of passenger and checked baggage screening systems and identifying
vulnerabilities.
Similar to OI's national covert testing program, OSO applies elements
of risk in designing and implementing ASAP tests. Unlike national
covert tests, the ASAP program does not use elements of a risk-based
approach to determine the location and frequency of the tests because,
according to TSA officials, in order to establish a national baseline
against which TSA can measure performance, all airports must be tested
consistently and with the same types of tests. OSO officials plan to
analyze the results of the tests and evaluate the need to revise the
tests or the type of threat items used after the first and second
testing cycle and annually thereafter. Furthermore, OSO officials
stated that they plan to assess the data, including the types of
vulnerabilities identified and the performance of the TSOs in detecting
threat items, and develop recommendations for mitigating
vulnerabilities and improving screening performance. Officials stated
that OSO also plans to conduct follow-up testing to determine whether
vulnerabilities that were previously identified have been addressed or
if recommendations made were effective.
According to TSA's ASAP guidance, individuals conducting the ASAP tests
will be required to identify specific causes for all test failures. In
addition to identifying test failures attributed to TSOs, such as the
TSO not being attentive to their duties or not following TSA screening
procedures, individuals conducting ASAP tests are also required to
identify and record causes for failures related to TSOs, screening
procedures that TSOs said were not clear or lack sufficient detail to
enable them to detect threat items, and screening equipment.
OSO officials further stated that they plan to develop performance
measures for the ASAP tests after the results of the first 6 month
cycle of tests are evaluated. However, officials stated that
performance measures for the more difficult category of tests will not
be developed because these tests are designed to challenge the aviation
security system and the pass rates are expected to be low. Furthermore,
TSA officials stated that the results of ASAP tests will not be used to
measure the performance of individual TSOs, FSDs, or airports, but
rather to measure the performance of the passenger checkpoint and
checked baggage screening system. TSA officials stated that there will
not be a sufficient number of ASAP tests to measure individual TSO,
FSD, or airport performance. We previously reported that TSA had not
established performance measures for its national covert testing
program and that doing so would enable TSA to focus its improvement
efforts on areas determined to be most critical, as 100 percent
detection during tests may not be attainable.[Footnote 24] While TSA
has chosen not to establish performance measures for the national
covert testing program, as stated above, they plan to develop such
measures for only the less difficult ASAP tests.
Covert Testing in Non-Aviation Modes of Transportation:
Since the initiation of TSA's covert testing program in 2002, the
agency has focused on testing commercial aviation passenger
checkpoints, checked baggage, and airport perimeters and access
controls. However, TSA in is the early stages of determining the extent
to which covert testing will be used to identify vulnerabilities and
measure the effectiveness of security practices in non-aviation modes
of transportation. In addition, TSA officials stated that it would be
difficult to conduct covert tests in non-aviation modes because these
modes typically do not have established security screening procedures
to test, such as those in place at airports. Specifically, passengers
and their baggage are not generally physically screened through metal
detectors and X-rays prior to boarding trains or ferries as they are
prior to boarding a commercial aircraft, making it difficult to conduct
tests. OI officials also stated that they do not currently have the
resources necessary to conduct covert tests in both aviation and non-
aviation modes of transportation.
Although OI does not regularly conduct covert tests in non-aviation
modes of transportation, it has conducted tests during three TSA pilot
programs designed to test the feasibility of implementing airport style
screening in non-aviation modes of transportation to include mass
transit, passenger rail, and maritime ferry facilities. In 2004, TSA
conducted a Transit and Rail Inspection pilot program in which
passenger and baggage screening procedures were tested on select
railways.[Footnote 25] TSA also tested similar screening procedures at
several bus stations during the Bus Explosives Screening Technology
pilot in 200[Footnote 26]5. In addition, TSA has also been testing
screening equipment on ferries in the maritime mode through the Secure
Automated Inspection Lanes program.[Footnote 27] According to OI
officials, during these three pilot programs, OI conducted covert
testing to determine if they could pass threat objects through the
piloted passenger screening procedures and equipment. However, these
tests were only conducted on a trial basis during these pilot programs.
While OI has not developed plans or procedures for testing in non-
aviation modes of transportation, the office has begun to explore the
types of covert tests that it might conduct if it receives additional
resources to test in these modes.
In addition to OI, TSA's Office of Transportation Sector Network
Management (TSNM) may have a role in any covert tests that are
conducted in non-aviation modes of transportation. TSNM is responsible
for securing the nation's intermodal transportation system and has
specific divisions responsible for each mode of transportation--mass
transit, maritime, highway and motor carriers, freight rail, pipelines,
commercial airports, and commercial airlines. TSNM is also responsible
for TSA's efforts to coordinate with operators in all modes of
transportation. A TSNM official stated that TSNM has only begun to
consider using covert testing in mass transit. In April 2007, TSA
coordinated with the Los Angeles County Metropolitan Transportation
Authority, Amtrak, and Los Angeles Sheriff's Department during a covert
test of the effectiveness of security measures at Los Angeles' Union
Station. During the test, several individuals carried threat items,
such as simulated IEDs, into the rail system to determine if K-9
patrols, random bag checks, and other random procedures could detect
these items. The official from TSNM's mass transit office stated that
the agency is incorporating the use of covert testing as a component of
the mass transit and passenger rail national exercise program being
developed pursuant to the Implementing Recommendations of the 9/11
Commission Act of 2007. However, TSNM has not developed a strategy or
plan for how covert testing will be incorporated into these various
programs. The TSNM official further stated that he was not aware of
other mass transit or passenger rail operators that are currently
conducting or planning covert testing of their systems. Furthermore,
TSNM does not have a systematic process in place to coordinate with
domestic or foreign transportation organizations to learn from their
covert testing experiences.
The use of covert or red team testing in non-aviation modes of
transportation has been supported in law. The Implementing
Recommendations of the 9/11 Commission Act of 2007 directs DHS to
develop and implement the National Strategy for Railroad Transportation
Security, which is to include prioritized goals, actions, objectives,
policies, mechanisms, and schedules for assessing, among other things,
the usefulness of covert testing of railroad security systems.
Furthermore, the explanatory statement accompanying the Homeland
Security Appropriations Act, 2008, directed TSA to be more proactive in
red teaming for airports and air cargo facilities, as well as in
transit, rail, and ferry systems. Specifically, the statement directed
approximately $6 million of TSA's appropriated amount for red team
activities to identify vulnerabilities in airports and air cargo
facilities, as well as in transit, rail, and ferry systems. Regarding
covert testing of non-aviation modes of transportation, the report of
the House of Representatives Appropriations Committee, which
accompanies its fiscal year 2008 proposal for DHS appropriations,
directed TSA to randomly conduct red team operations at rail, transit,
bus, and ferry facilities that receive federal grant funds to ensure
that vulnerabilities are identified and corrected.[Footnote 28]
DHS has also identified covert, or red team, testing as a priority for
the Department. The President's July 2002 National Strategy for
Homeland Security identified that DHS, working with the intelligence
community, should use red team or covert tactics to help identify
security vulnerabilities in the nation's critical infrastructure, which
includes the transportation sector. The strategy further identifies
that red team techniques will help decision makers view vulnerabilities
from the terrorists' perspective and help to develop security measures
to address these security gaps. In addition, TSA's May 2007 TS-SSP
identified that transit agencies should develop meaningful exercises,
including covert testing, that test the effectiveness of their response
capabilities and coordination with first responders. However, the TS-
SSP does not provide any details on the type of covert testing that
transit agencies should conduct and does not identify that TSA itself
should conduct covert testing in non-aviation modes of transportation.
Select Domestic and Foreign Transportation Organizations and DHS
Component Agencies Use Covert Testing to Identify Vulnerabilities and
Measure System Effectiveness:
Domestic and foreign transportation organizations and DHS component
agencies that we interviewed conduct covert testing to identify and
mitigate vulnerabilities in non-aviation settings that lack the
standardized passenger screening procedures found in the commercial
aviation sector and measure the effectiveness of security measures. Our
previous work on passenger rail security identified foreign rail
systems that use such covert testing to keep employees alert about
their security responsibilities. One of these foreign organizations--
the United Kingdom Department for Transport's Transport Security and
Contingencies Directorate (TRANSEC)--conducts covert testing of
passenger rail and seaports in addition to aviation facilities to
identify vulnerabilities related to people, security processes, and
technologies. According to a TRANSEC official, TRANSEC's non-aviation
covert testing includes testing of the nation's passenger rail system
and the United Kingdom's side of the channel tunnel between the United
Kingdom and France. TRANSEC conducts a number of covert tests to
determine whether employees are following security procedures
established by TRANSEC or the rail operator, whether processes in place
assist employees in identifying threat items, and whether screening
equipment works properly. A TRANSEC official responsible for the
agency's covert testing program stated that these tests are carried out
on a regular basis and are beneficial because, as well as providing
objective data on the effectiveness of people and processes, they
encourage staff to be vigilant with respect to security.
In our September 2005 report on passenger rail security, we recommended
that TSA evaluate the potential benefits and applicability--as risk
analyses warrant and as opportunities permit--of implementing covert
testing processes to evaluate the effectiveness of rail system security
personnel.[Footnote 29] Like TRANSEC in the United Kingdom, TSA has
existing security directives that must be followed by passenger rail
operators that could be tested. TSA generally agreed with this
recommendation. In responding to the recommendation, TSA officials
stated that the agency regularly interacts and communicates with its
security counterparts in foreign countries to share best practices
regarding passenger rail and transit security and will continue to do
so in the future. TSA officials further stated that the agency has
representatives stationed overseas at U.S. embassies that are
knowledgeable about security issues across all modes of transportation.
While TSA coordinates with domestic and foreign organizations regarding
transportation security efforts, they do not have a systematic process
in place to coordinate with these organizations regarding covert
testing in non-aviation modes of transportation, and opportunities for
TSA to learn from these organizations' covert testing efforts exist.
In the United States, Amtrak has conducted covert tests to identify and
mitigate vulnerabilities in their passenger rail system. Amtrak's
Office of Inspector General has conducted covert tests of intercity
passenger rail systems to identify vulnerabilities in the system
related to security personnel and Amtrak infrastructure. The results
from these tests were used to develop security priorities that are
currently being implemented by Amtrak. According to an Amtrak official,
as the security posture of the organization matures, the covert testing
program will shift from identifying vulnerabilities to assessing the
performance of existing rail security measures.
Transportation industry associations with whom we spoke, who
represented various non-aviation modes of transportation, supported the
use of covert testing as a means to identify security vulnerabilities
and to test existing security measures. Officials from the American
Association of Railroads (AAR), which represents U.S. passenger and
freight railroads, and the American Public Transportation Association
(APTA), which represents the U.S. transit industry, stated that covert
testing in the passenger rail and transit industries would help to
identify and mitigate security vulnerabilities and increase employee
awareness of established security procedures. AAR and APTA officials
stated that covert testing might include placing bags and unattended
items throughout a rail station or system to see if employees or law
enforcement personnel respond appropriately and in accordance with
security procedures. AAR and APTA officials further stated that any
testing conducted by TSA would require close coordination with rail
operators to determine what should be tested, the testing procedures to
be used, and the practicality of such testing.
Within DHS, the U.S. Customs and Border Protection (CBP) also conducts
covert testing at land, sea, and air ports of entry in the United
States to test and evaluate CBP's capabilities to detect and prevent
terrorists and illicit radioactive material from entering the United
States. According to CBP officials, the purpose of CBP's covert testing
program is to identify potential technological vulnerabilities and
procedural weaknesses related to the screening and detection of
passengers and containers entering the United States with illicit
radioactive material, and to assess CBP officers' ability to identify
potential threats. As of June 2008, CBP tested and evaluated two land
border crossings on their capabilities to detect and prevent terrorists
and illicit radioactive material from entering the United States. In
addition, CBP covertly and overtly evaluated the nation's 22 busiest
seaports for radiation detection and the effectiveness of the non-
intrusive imaging radiation equipment deployed at the seaports. CBP
officials also stated that the agency is planning to expand testing to
address overseas ports that process cargo bound for the United States.
In addition to CBP, the DHS Domestic Nuclear Detection Office (DNDO)
conducts red team testing to measure the performance of and identify
vulnerabilities in equipment and procedures used to detect nuclear and
radiological threats in the United States and around the world.
According to DNDO officials, the agency uses the results of red team
tests to help mitigate security vulnerabilities, such as identifying
nuclear detection equipment that is not working correctly. DNDO also
uses red team testing to determine if unclassified information exists
in open sources, such as on the internet, which could potentially be
used by terrorists to exploit vulnerabilities in nuclear detections
systems. DNDO's program, according to its officials, provides a means
to assess vulnerabilities that an adversary is likely to exploit, and
to make recommendations to either implement or improve security
procedures.
TSA Could More Fully Use the Results of Covert Tests to Mitigate
Security Vulnerabilities Identified in the Commercial Aviation System:
TSA's national aviation covert testing program has identified
vulnerabilities in select aspects of the commercial aviation security
system at airports of all sizes; however, the agency is not fully using
the results of these tests to mitigate identified vulnerabilities. The
specific results of these tests are classified and are presented in our
classified May 2008 report. Covert test failures can be caused by
various factors, including TSOs not properly following TSA procedures
when screening passengers, screening equipment that does not detect a
threat item, or TSA screening procedures that do not provide sufficient
detail to enable TSOs to identify the threat item. Senior TSA
officials, including TSA's Administrator, are routinely briefed on the
results of covert tests and provided with OI reports that describe the
vulnerabilities identified by these tests and recommendations to
correct identified vulnerabilities. However, OSO lacks a systematic
process to ensure that OI's recommendations are considered, and does
not systematically document its rationale for why it did or did not
implement OI's recommendations. OSO and OI also do not have a process
in place to assess whether the corrective action implemented mitigated
the identified vulnerabilities through follow-up national or local
covert tests, and if covert test results improved. According to OSO
officials, TSA has other methods in place to identify whether
corrective actions or other changes to the system are effective;
however, officials did not provide specific information regarding these
methods. Moreover, in those cases where OSO took no action to address
OI's recommendation, they did not systematically document their
rationale for why they took no action. In the absence of a systematic
process for considering OI's recommendations, documenting their
decision-making process, and evaluating whether corrective actions
mitigated identified vulnerabilities, TSA is limited in its ability to
use covert testing results to improve the security of the commercial
aviation system. OSO senior leadership stated that opportunities exist
to improve the agency's processes in this area.
TSA Covert Test Results Identified Vulnerabilities in the Aviation
Security System:
Between September 2002 and June 2007, OI conducted more than 20,000
covert tests of passenger checkpoints, checked baggage screening
systems, and airport perimeters and access control points collectively
at every commercial airport in the United States regulated by TSA. The
results of these tests identified vulnerabilities in select aspects of
the commercial aviation security system at airports of all sizes. While
the specific results of these tests and the vulnerabilities they
identified are classified, covert test failures can be caused by
multiple factors, including TSOs not properly following TSA procedures
when screening passengers, screening equipment that does not detect a
threat item, or TSA screening procedures that do not provide sufficient
detail to enable TSOs to identify the threat item. TSA cannot
generalize covert test results either to the airports where the tests
were conducted or to airports nationwide because the tests were not
conducted using the principles of probability sampling.[Footnote 30]
For example, TSA did not randomly select times at which tests were
conducted, nor did they randomly select passenger screening checkpoints
within the airports. Therefore, each airport's test results represent a
snapshot of the effectiveness of passenger checkpoint screening,
checked baggage screening, and airport access control systems, and
should not be considered a measurement of any one airport's performance
or any individual TSO's performance in detecting threat objects.
Although the results of the covert tests cannot be generalized to all
airports, they can be used to identify vulnerabilities in the aviation
security system. TSA officials stated that they do not want airports to
achieve a 100 percent pass rate during covert tests because they
believe that high pass rates would indicate that covert tests were too
easy and therefore were not an effective tool to identify
vulnerabilities in the system.
TSA Lacks a Systematic Process to Ensure that Covert Testing
Recommendations Are Considered and Actions Are Taken to Address Them If
Determined Necessary:
After completing its covert tests, OI provides written reports and
briefings on the test results to senior TSA management, including TSA's
Administrator, Assistant Administrator of OSO, and area FSDs. In these
reports and briefings, OI officials provide TSA management with the
results of covert tests, describe the security vulnerabilities
identified during the tests, and present recommendations to OSO that OI
believes will mitigate the identified vulnerabilities. TSA's
Administrator and senior OSO officials stated that they consider the
aviation security system vulnerabilities that OI presents in its
reports and briefings as well as the recommendations made. However, OSO
officials we spoke with stated that they do not have a systematic
process in place to ensure that all of OI's recommendations are
considered or to document their rationale for implementing or not
implementing these recommendations.[Footnote 31] Furthermore, TSA does
not have a process in place to assess whether corrective actions taken
in response to OI's recommendations have mitigated identified
vulnerabilities. Specifically, in those cases where corrective actions
were taken to address OI's recommendation, neither OSO nor OI conducted
follow-up national or local covert tests to determine if the actions
taken were effective. For example, in cases where OI determined that
additional TSO training was needed and OSO implemented such training,
OSO or OI did not conduct follow-up national or local covert testing to
determine if the additional training that was implemented to address
the recommendation helped to mitigate the identified vulnerability.
According to OSO officials, TSA has other methods in place to identify
whether corrective actions or other changes are effective; however,
officials did not provide specific information regarding these methods.
Standards for Internal Control in the Federal Government require that
internal controls be designed to ensure that ongoing monitoring occurs
during the course of normal operations. Specifically, internal controls
direct managers to (1) promptly evaluate and resolve findings from
audits and other reviews, including those showing deficiencies and
recommendations reported by auditors and others who evaluate agencies'
operations, (2) determine proper actions in response to findings and
recommendations from audits and reviews, and (3) complete, within
established time frames, all actions that correct or otherwise resolve
the matters brought to management's attention. The standards further
identify that the resolution process begins when audit or other review
results are reported to management, and is completed only after action
has been taken that (1) corrects identified deficiencies, (2) produces
improvements, or (3) demonstrates the findings and recommendations do
not warrant management action. In the absence of a systematic process
for considering and resolving the findings and recommendations from
OI's covert tests and ensuring that the effectiveness of actions taken
to address these recommendations are evaluated, TSA management is
limited in its ability to mitigate identified vulnerabilities to
strengthen the aviation security system.
OI Made 43 Recommendations to OSO to Mitigate Vulnerabilities
Identified by Covert Tests from March 2003 to June 2007:
While neither OSO nor OI have a systematic process for tracking the
status of OI covert testing recommendations, at our request, OSO
officials provided information indicating what actions, if any, were
taken to address OI's recommendations.[Footnote 32] From March 2003 to
June 2007, OI made 43 recommendations to OSO designed to mitigate
vulnerabilities identified by national covert tests. To date, OSO has
taken actions to implement 25 of these recommendations. For the
remaining 18 of OI's 43 recommendations, OSO either took no action to
address the recommendation, or it is unclear how the action they took
addressed the recommendation. OI did not make any recommendations to
OSO related to screening equipment. The specific vulnerabilities
identified by OI during covert tests and the specific recommendations
made, as well as corrective actions taken by OSO, are classified.
Conclusions:
TSA has developed a risk-based covert testing strategy to identify
vulnerabilities and measure the performance of select aspects of the
aviation security system. OI's national covert testing program is
designed and implemented using elements of a risk-based approach,
including using information on terrorist threats to design simulated
threat items and tactics. However, this program could be strengthened
by ensuring that all of the information from the tests conducted is
used to help identify and mitigate security vulnerabilities. For
example, without a process for recording and analyzing the specific
causes of all national covert test failures, including TSOs not
properly following TSA's existing screening procedures, procedures that
are unclear to TSOs, or screening equipment that is not working
properly, TSA is limited in its ability to identify specific areas for
improvement, such as screening equipment that may be in need of repair
or is not working correctly. Moreover, without collecting and analyzing
information on effective practices used at airports that performed
particularly well on national covert tests, TSA may be missing
opportunities to improve TSO performance across the commercial aviation
security system. TSA has only recently begun to determine the extent to
which covert testing may be used to identify vulnerabilities and
measure the effectiveness of security practices in non-aviation modes
of transportation if it receives additional resources to test in these
modes. Nevertheless, several transportation industry stakeholders can
provide useful information on how they currently conduct covert tests
in non-aviation settings, and systematically coordinating with these
organizations could prove useful for TSA.
National aviation covert tests have identified vulnerabilities in the
commercial aviation security system. However, TSA could better use the
covert testing program to mitigate these vulnerabilities by promptly
evaluating and responding to OI's findings and recommendations. We
recognize that TSA must balance a number of competing interests when
considering whether to make changes to TSO training, screening
procedures, and screening equipment within the commercial aviation
security system, including cost and customer service, in addition to
security concerns. We further recognize that, in some cases, it may not
be feasible or appropriate to implement all of OI's recommendations.
However, without a systematic process in place to consider OI's
recommendations, evaluate whether corrective action is needed to
mitigate identified vulnerabilities, and evaluate whether the
corrective action effectively addressed the vulnerability, OSO is
limited in the extent to which it can use the results of covert tests
to improve the security of the commercial aviation system.
Recommendations for Executive Action:
To help ensure that the results of covert tests are more fully used to
mitigate vulnerabilities identified in the transportation security
system, we recommended in our May 2008 classified report that the
Assistant Secretary of Homeland Security for TSA take the following
five actions:
* Require OI inspectors to document the specific causes of all national
covert testing failures--including documenting failures related to
TSOs, screening procedures, and equipment--in the covert testing
database to help TSA better identify areas for improvement, such as
additional TSO training or revisions to screening procedures.
* Develop a process for collecting, analyzing, and disseminating
information on practices in place at those airports that perform well
during national and local covert tests in order to assist TSA managers
in improving the effectiveness of checkpoint screening operations.
* As TSA explores the use of covert testing in non-aviation modes of
transportation, develop a process to systematically coordinate with
domestic and foreign transportation organizations that already conduct
these tests to learn from their experiences.
* Develop a systematic process to ensure that OSO considers all
recommendations made by OI in a timely manner as a result of covert
tests, and document its rationale for either taking or not taking
action to address these recommendations.
* Require OSO to develop a process for evaluating whether the action
taken to implement OI's recommendations mitigated the vulnerability
identified during covert tests, such as using follow-up national or
local covert tests to determine if these actions were effective.
Agency Comments and Our Evaluation:
We provided a draft of this report to DHS for review and comment. On
April 24, 2008, we received written comments on the draft report, which
are reproduced in full in appendix II. DHS and TSA concurred with the
findings and recommendations, and stated that the report will be useful
in strengthening TSA's covert testing programs. In addition, TSA
provided technical comments, which we incorporated as appropriate.
Regarding our recommendation that OI document the specific causes of
all national covert testing failures related to TSOs, screening
procedures, and equipment in the covert testing database, DHS stated
that TSA's Office of Inspection (OI) plans to expand the covert testing
database to all causes of test failures. DHS further stated that the
specific causes of all OI covert testing failures are documented in
data collection instruments used during covert tests and within a
comment field in the covert testing database when the cause can be
determined. However, TSA acknowledged that covert test failures caused
by screening equipment not working properly are not recorded in the
database in a systematic manner. Documenting test failures caused by
equipment should help OI better analyze the specific causes of all
national covert testing failures and assist TSA management in
identifying corrective actions to mitigate identified vulnerabilities.
Concerning our recommendation that OI develop a process for collecting,
analyzing, and disseminating information on practices in place at those
airports that perform well during national and local covert tests in
order to assist TSA managers in improving the effectiveness of
checkpoint screening operations, DHS stated that it recognizes the
value in identifying factors that may lead to improved screening
performance. TSA officials stated that, while OI or ASAP test results
can be used to establish a national baseline for screening performance
at individual airports, the results are not statistically significant.
As a result, additional assessments would be required to provide a
statistical measure for individual airports. According to DHS, OI plans
to develop a more formal process for collecting and analyzing test
results to identify best practices that may lead to test passes.
Officials stated that when specific screening practices indicate a
positive effect on screening performance, TSA plans to share and
institutionalize best practices in the form of management advisories to
appropriate TSA managers. Developing a more formal process for
collecting and analyzing test results to identify best practices that
may lead to test passes should address the intent of this
recommendation.
In response to our recommendation that TSA develop a process to
systematically coordinate with domestic and foreign transportation
organizations as the agency explores the use of covert testing in non-
aviation modes of transportation to learn from their experiences, DHS
stated that it is taking a number of actions. Specifically, according
to DHS, TSNM has worked closely with transit agencies and internal TSA
covert testing experts during red team testing exercises and is
currently exploring programs in which covert testing may be used to
evaluate the effectiveness of security measures. For example, TSNM is
considering incorporating covert testing as a part of its Intermodal
Security Training and Exercise Program. While considering the use of
covert testing in its programs should help TSA evaluate the
effectiveness of security measures, it is also important that TSA
establish a systematic process for coordinating with domestic and
foreign organizations that already conduct testing in non-aviation
modes of transportation to learn from their experiences.
DHS further stated that it plans to take action to address our
recommendation that the agency develop a systematic process to ensure
that OSO considers all recommendations made by OI as a result of covert
tests in a timely manner, and documents its rationale for either taking
or not taking action to address these recommendations. Specifically,
DHS stated that OSO is coordinating with OI to develop a directive
requiring that OI's covert testing recommendations be formally reviewed
and approved by TSA management, and OSO is establishing a database to
track all OI recommendations and determine what action, if any, has
been taken to address the recommendation. Taking these steps should
address the intent of this recommendation and help TSA to more
systematically record whether OI's covert testing recommendations have
been addressed.
Concerning our recommendation that OSO develop a process to evaluate
whether the action taken to implement OI's recommendations mitigated
the vulnerability identified during covert tests, such as using follow-
up national or local covert tests or information collected through
other methods, to determine if these actions were effective, DHS stated
that OSO established a new program to study various aspects of TSO and
screening performance in 2007 that considers recommendations
originating from OI national covert tests and ASAP tests. According to
DHS, after completing each study, recommendations resulting from this
analysis will be provided to TSA leadership for consideration. DHS
further stated that the results of ASAP tests will also likely be a
focus of these future studies. While these actions should help to
address the intent of this recommendation, it is also important that
OSO assess whether the actions taken to mitigate the vulnerabilities
identified by OI's national covert tests are effective.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will send copies of this report
to the Secretary of Homeland Security, Assistant Secretary of DHS for
the Transportation Security Administration, and the Ranking Member of
the Committee on Homeland Security, House of Representatives, and other
interested congressional committees as appropriate. We will also make
this report available at no charge on GAO's Web site [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at (202) 512-3404 or at berrickc@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Other key contributors to this report
were John Hansen, Assistant Director; Chris Currie; Yanina Golburt;
Samantha Goodman; Art James; Wendy Johnson; Thomas Lombardi; and Linda
Miller.
Sincerely yours,
Signed by:
Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
This report addresses the following questions: (1) what is the
Transportation Security Administration's (TSA) strategy for conducting
covert testing of the transportation system, and to what extent has the
agency designed and implemented its covert tests to achieve identified
goals? and (2) what have been the results of TSA's national aviation
covert tests conducted from September 2002 to June 2007, and to what
extent does TSA use the results of these tests to mitigate security
vulnerabilities in the commercial aviation system?
To identify TSA's strategy for conducting covert testing of the
transportation system and the extent to which the agency has designed
and implemented its covert tests to achieve identified goals, we
reviewed applicable laws, regulations, policies, and procedures to
determine the requirements for conducting covert testing in the
transportation sector. To assess TSA's strategy specifically in the
aviation covert testing program, we interviewed TSA Office of
Inspection (OI) officials responsible for conducting national covert
tests and Office of Security Operations (OSO) officials responsible for
local covert tests regarding the extent to which information on risks
is included in the design and implementation of tests. We also
interviewed the Transportation Security Officers (TSO), supervisors,
screening managers, and Federal Security Directors (FSD) who
participated in covert tests at each airport where we observed tests to
discuss their experience with the national and local covert testing
programs. We observed OI inspectors during covert tests at seven
airports including airports with heavy passenger traffic and those with
just a few flights per day, as well as airports with both federal and
contract TSOs. During these observations, we accompanied OI inspectors
during all phases of the covert test including planning and
observations, testing, and post test reviews with TSOs, supervisors,
and screening managers. While these seven airports represent reasonable
variations in size and geographic locations, our observations of OI's
covert tests and the perspectives provided by TSA officials at these
airports cannot be generalized across all commercial airports. However,
our observations at the seven airports provided us an overall
understanding of how OI conduct covert tests and useful insights
provided by TSOs, their supervisors, and FSDs at these airports. We
analyzed TSA documents including established protocols for national and
local covert testing, procedures for screening passengers and checked
baggage, and OI covert testing reports issued from 2002 to 2007 to
identify procedures for designing and implementing TSA's covert testing
program. Furthermore, to determine the extent to which TSA met the
goals of the program, we conducted a detailed analysis of the data
collection instrument and methods that OI used to collect covert
testing data for the seven airports where we observed covert tests. We
also assessed the adequacy of TSA's internal controls for collecting
and maintaining the results of covert tests by evaluating TSA's
processes for collecting covert testing data and inputting this data
into its database. In assessing the adequacy of internal controls, we
used the criteria in GAO's Standards for Internal Control in the
Federal Government, GAO/AIMD 00-21.3.1, dated November 1999. These
standards, issued pursuant to the requirements of the Federal Managers'
Financial Integrity Act of 1982 (FMFIA), provide the overall framework
for establishing and maintaining internal control in the federal
government. Also pursuant to FMFIA, the Office of Management and Budget
issued Circular A-123, revised December 21, 2004, to provide the
specific requirements for assessing the reporting on internal controls.
To assess TSA's strategy for conducting covert tests in non-aviation
modes of transportation, we interviewed officials from TSA's Office of
Transportation Sector Network Management (TSNM) regarding the extent to
which TSA has conducted covert testing in non-aviation modes of
transportation, the applicability and potential use of covert testing
in other modes, and their future plans for conducting covert testing in
other modes. To understand how other organizations and federal agencies
have used covert testing in the non-aviation arena, we interviewed
officials from selected federal agencies and organizations that conduct
covert testing including Amtrak, the United Kingdom Department for
Transport Security (TRANSEC), U.S. Customs and Border Protection (CBP),
DHS Domestic Nuclear Detection Office (DNDO), and select transportation
industry associations. We reviewed the president's National Strategy
for Homeland Security and TSA's Transportation Systems Sector Specific
plan, including individual plans for each mode of transportation, to
determine the role and use of covert testing across the transportation
system. We also reviewed the fiscal year 2008 DHS appropriations
legislation, enacted as Division E of the Consolidated Appropriations
Act, 2008, and associated committee reports and statements to identify
any funding allocated to TSA to conduct covert testing in non-aviation
modes.
To determine the results of TSA's national covert tests and the extent
to which TSA used the results of these tests to mitigate security
vulnerabilities in the aviation system, we obtained and analyzed a
database of the results of TSA's national covert tests conducted from
September 2002 to June 2007. We analyzed the test data according to
airport category, threat item, and type of test conducted between
September 2002 and June 2007. We also examined trends in pass and
failure rates when required screening steps were or were not followed
and examined differences in covert test results between private and
federal airports. We assessed the reliability of TSA's covert testing
data by reviewing existing information about the data and the systems
used to produce them, and by interviewing agency officials responsible
for maintaining the database. We determined that the data were
sufficiently reliable for our analysis and the purposes of this report.
TSA provided us with a copy of their covert testing database which
contained a table with one record, or entry, per test for all of the
tests conducted between 2002 and 2007. In order to accurately interpret
the data, we reviewed information provided by OI officials regarding
each of the fields recorded in the database and information about how
they enter test results into the database. We also conducted manual
testing of the data, conducting searches for missing data and outliers.
To further assess the reliability of the data, we reviewed the source
documents used to initially collect the data as well as OI's published
reports. We also interviewed OI officials regarding how the results of
covert tests are used in developing their recommendations to TSA
management. We reviewed OI reports on the results of covert tests
issued between March 2003 and June 2007 that were submitted to TSA's
Administrator and OSO to identify OI's recommendations for mitigating
the vulnerabilities identified during covert tests. We obtained and
analyzed a summary of the actions that OSO had taken to address OI's
recommendations for mitigating vulnerabilities made from March 2003 to
June 2007. We also asked officials to discuss the extent to which OSO
has addressed and implemented recommendations made by OI based on
covert test results, and we analyzed information provided by TSA
regarding the status of each covert testing recommendation made by OI
from 2003 to 2007.
We conducted this performance audit from October 2006 to May 2008, in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on out audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
Homeland Security:
April 24, 2008:
Ms. Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Ms. Herrick:
Thank you for the opportunity to comment on GAO-08-958 draft report
entitled, TSA Has Developed a Risk-Based Covert Testing Program, but
Could Better Mitigate Aviation Security Vulnerabilities Identified
Through Covert Testing. The findings in the report will be useful in
strengthening our testing programs. This letter replicates the
Department of Homeland Security's response to the classified version of
this report.
As you are well aware through your previous work with us on this topic,
covert testing results are only one of many inputs into our security
evaluation strategy. Given the nonlinear nature of the risks to
transportation security, and our strategy to manage them, the
Transportation Security Administration (TSA) relies upon a wide variety
of input, including intelligence and workforce feedback, to evaluate
and respond to security vulnerabilities.
As your report demonstrates, TSA's Office of Inspection (01) has a very
robust testing program designed to identify systemic vulnerabilities in
transportation security systems. Through the 01 program, subject matter
experts develop and test specific hypotheses regarding potential system
vulnerabilities. These tests are not designed to be performance
measures. Rather, they are evaluations of system vulnerabilities that
can be used to design countermeasures. When viewed in this light, the
qualitative results from these experiments are highly valuable in
analyzing vulnerabilities, with the conclusions from these experiments
informing decisions at the strategic level.
TSA has also recognized the need for a more systematic framework to
accurately assess the effectiveness of our screening process and
identify areas for improvement. In April 2007, TSA therefore
established the Aviation Screening Assessment Program (ASAP) to greatly
expand our internal covert testing, provide statistically sound data to
support operational decisions, and create a framework to systematically
review and report the data. As a result, ASAP runs thousands of covert
tests at hundreds of airports nationwide every six months. The
information produced from these tests provides data necessary to make
more informed decisions on improving the screening process. ASAP
analysis also focuses on particular areas of screening for targeted
improvement including: operations; procedures; technology; training;
and management. Through ASAP, we have established a formal process to
thoroughly assess the screening process and implement appropriate
courses of action addressing concerns revealed through expansive covert
testing. The increased pace of ASAP's testing and review cycles also
permits TSA to evaluate the effectiveness of actions taken in response
to both ASAP and 01 recommendations.
While TSA has utilized the results of 01 covert testing to make
adjustments to the screening process, we do not rely solely on them to
make screening process changes. Rather, it is one of many data points
used in evaluating system vulnerabilities. Nevertheless, we understand
the need for accurate data collection, reporting, and follow-through
from all of our testing programs, and will continue program
improvements in those areas as recommended.
With respect to testing in other modes, TSA values the relationships
that have been fostered with industry stakeholders in non-aviation
modes. These relationships have proven valuable over the years in
establishing necessary protocols for national security. We will
continue to work with our industry partners to obtain lessons learned
and best practices to enable the development of testing protocols in
various modes of transportation to improve security.
The following are TSA's responses to the specific recommendations:
Recommendation 1: Require 01 to document the specific causes of all
national covert testing failures”including documenting failures related
to TSOs, screening procedures, and equipment”in the covert testing
database to help TSA better identify areas for improvement.
Concur: Specific causes of all Office of Inspection (01) covert testing
failures are documented (on testing documents and in the covert testing
database as a comment field) when that cause can be determined. To
date, specific causes of equipment failure have not been recorded in
the database in a uniform manner. OI will expand the covert testing
database to document test failures related to screening equipment.
Recommendation 2: Develop a process for collecting, analyzing, and
disseminating information on practices in place at those airports that
perform well during national and local covert tests in order to assist
TSA managers in improving the effectiveness of checkpoint screening
operations.
Concur: TSA recognizes the value in identifying the elements that lead
to improved performance at the checkpoint. Through the Aviation
Screening Assessment Program (ASAP) TSA has already begun to establish
a national baseline, by detection point, for screening performance.
Using 01 covert testing data or ASAP data alone to draw conclusions as
to which airports are high- and low-performing is not statistically
sound, as additional assessments would be required to provide a
statistical "scorecard" for individual airport locations, but covert
testing data will be used as a data point in these evaluations. 01 will
develop a more formal process to uniformly collect and analyze test
results to identify best practices attributed to test passes. When
specific screening programs or national practices indicate a positive
effect on screening performance, TSA will take steps to share and
institutionalize best practices in the form of management advisories to
appropriate TSA managers. TSA will explore additional means to
effectively disseminate this information.
Recommendation 3: As TSA explores the use of covert testing in non-
aviation modes of transportation, the agency should work closely with
transportation industry stakeholders to develop protocols for
conducting tests and coordinate with domestic and foreign organizations
that already conduct these tests to learn from their experiences.
Concur: TSA has established an excellent rapport with industry
stakeholders to allow a free flow of information sharing. Specifically
in Mass Transit, TSA follows these practices in approaching systems for
"red team" exercises and developing exercise protocols to execute
covert testing. In the covert testing exercises TSA Mass Transit has
participated in, we have worked closely with the transit agencies being
tested, TSA's internal covert testing program experts, as well as those
who have established programs and lessons learned from their on
activities. TSA Mass Transit is currently exploring several programs
where covert testing may be used as a means for evaluating the
effectiveness of various security measures. One example is the I-STEP
(Intermodal Security Training and Exercise Program), where TSA is
working to develop a model table top exercise to foster the use of
similar type exercises around the country. This current effort is
centered on the National Capital Region. In subsequent phases of I-
STEP, when the program culminates in full scale exercises,
opportunities to include covert testing may present themselves.
Another area TSA is exploring is the Visible Intermodal Prevention and
Response (VIPR) team activity in support of mass transit and passenger
rail security. TSA mass transit is looking at ways to enhance the
training and effectiveness of this random, unpredictable deterrence
measure. Covert testing could play an appropriate role in this effort.
As we move forward in working with our transit security partners,
covert testing of VIPR activities, to demonstrative how they integrate
into overall security activities, could be important to our collective
efforts.
These efforts outlined for Mass Transit will be explored in other non-
aviation modes to glean all valuable information concerning lessons
learned and other experiences.
Recommendation 4: Develop a systematic process to ensure that OSO
considers all recommendations made by 01 in a timely manner as a result
of covert tests, and document its rationale for either taking or not
taking action to address these recommendations.
Concur: TSA's Procedures Division is currently coordinating an
Operations Directive with the Office of Inspection to formally approve
the recommendation and review process for handling recommendations made
by 01. In addition the Procedures Division is establishing an access
database to track all incoming recommendations and final outcome for
incorporating the recommendations into the Standard Operating
Procedures.
Recommendation 5: Require OSO to develop a process or use information
collected through other methods, for evaluating whether the action
taken to implement 01's recommendations mitigated the vulnerability
identified during covert tests, such as using follow-up national or
local covert tests to determine if these actions were effective.
Concur: In 2007, the Office of Security Operations established a new
program to study various aspects of Transportation Security Officer
(TSO) and program performance. Topics of the study include, but are not
limited to, recommendations originating from ASAP as well as OI
recommendations. Upon the conclusion of each study, recommendations
resulting from analysis are provided to TSA leadership for adoption.
The program includes:
* Identifying and correlating TSA TSO and/or program data elements,
(i.e., scores for Threat Image Projection, Image Interpretation Test,
Image Mastery Test; Performance Accountability and Standards System,
etc.);
* Conducting related studies, interviews, evaluations, observations,
and surveys;
* Convening best practice focus groups; and:
* Providing recommendations for improved performance, effectiveness
and/or efficiency.
The first study focused on evaluating the effectiveness of the IED
Checkpoint Drills, a nationally implemented program originating from an
OI recommendation, Results of this study are expected FY08 Q3.
Depending upon the nature of the recommendation, ASAP may also be used
to evaluate the national effectiveness of recommendations targeting a
specific detection point.
Once again, DHS and TSA appreciate the work GAO has done in the review
of TSA's covert testing program.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Footnotes:
[1] See Pub. L. No. 107-71, 115 Stat. 597 (2001).
[2] TSA defines a covert test at domestic airports as any test of
security systems, personnel, equipment, and procedures to obtain a
snapshot of the effectiveness of airport passenger security checkpoint
screening, checked baggage screening, and airport access controls to
improve airport performance, safety, and security.
[3] As used in this report and unless otherwise specifically stated,
the term TSO, which ordinarily refers only to the federal screening
workforce, includes the private screening workforce at airports in the
screening partnership program.
[4] Department of Homeland Security Office of Inspector General, Audit
of Access to Airport Secured Areas, OIG-07-35 (March 2007). The results
of TSA's, GAO's, and the DHS Office of Inspector General's covert tests
are all classified and cannot be presented in this report.
[5] In accordance with ATSA, TSA began allowing all commercial airports
to apply to TSA to transition from a federal to a private screening
workforce in November 2004. See 49 U.S.C. § 44920. To support this
effort, TSA created the Screening Partnership Program to allow all
commercial airports an opportunity to apply to TSA for permission to
use qualified private screening contractors and private sector
screeners. Currently, private screening companies provide passenger and
checked baggage screening at 11 airports.
[6] Federal Security Directors (FSD) are the ranking TSA authorities
responsible for leading and coordinating TSA security activities at the
nation's commercial airports. TSA had 122 FSD positions at commercial
airports nationwide, as of January 2008. Although FSDs are responsible
for security at all commercial airports, not every airport has an FSD
dedicated solely to that airport. Most large airports have an FSD
responsible for that airport alone. Other smaller airports are arranged
in a "hub and spoke" configuration, in which an FSD is located at or
near a hub airport but also has responsibility over one or more spoke
airports of the same or smaller size.
[7] GAO, Internal Control: Standards for Internal Control in the
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November
1999).
[8] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[9] In accordance with ATSA, TSA assumed operational responsibility
from air carriers for screening passengers and checked baggage for
explosives at more than 450 commercial airports by November 19, 2002.
Passenger screening is a process by which authorized personnel inspect
individuals and property at designated screening locations to deter and
prevent carriage of any unauthorized explosive, incendiary, weapon, or
other dangerous item into a sterile area or aboard an aircraft. Sterile
areas are located within the terminal and generally include areas past
the screening checkpoint where passengers wait to board, or into which
passengers deplane from, a departing or arriving aircraft. Checked
baggage screening is a process by which authorized personnel inspect
checked baggage to deter, detect, and prevent the carriage of any
unauthorized object on board an aircraft. The Homeland Security Act of
2002, signed into law on November 25, 2002, transferred TSA from DOT to
DHS. See Pub. L. No. 107-296, § 403, 116 Stat. 2135, 2178.
[10] TSA's TS-SSP describes the security framework that will enable TSA
to prevent and deter acts of terrorism using or against the
transportation system, enhance the resilience of the transportation
system, and improve use of resources for transportation security, among
other things. TS-SSP establishes TSA's strategic approach to securing
the transportation sector in accordance with the National
Infrastructure Protection Plan (NIPP) that obligates each critical
infrastructure and key resources sector, such as transportation sector,
to develop a sector specific plan.
[11] See Pub. L. No. 110-53, § 1511(b), 121 Stat. 266, 426-29. See also
49 U.S.C. § 114(t).
[12] See explanatory statement accompanying Division E of the
Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. E, 121
Stat. 1844 (2007), at 1054.
[13] TSA classifies the commercial airports in the United States into
one of five categories (X, I, II, III, and IV) based on various
factors, such as the total number of takeoffs and landings annually and
other special security considerations. In general, Category X airports
have the largest number of passenger boardings, and category IV
airports have the smallest. TSA periodically reviews airports in each
category and, if appropriate, updates airport categorizations to
reflect current operations. Until August 2005, OI conducted covert
testing at category X airports once per year, category I and II
airports once every 2 years, and category III and IV airports at least
once every 3 years.
[14] EDS machines use specialized X-rays to detect characteristics of
explosives that may be contained in passengers' checked baggage as it
moves along a conveyor belt.
[15] ETD machines can detect chemical residues that may indicate the
presence of explosives on a passenger or within passengers' baggage.
[16] ATSA requires that each TSO who failed a covert test has to
undergo remedial training for the function, such as X-ray screening,
that he or she failed before returning to that function. The TSO can
perform a different function, such as manual or ETD searches, while
undergoing the remedial training.
[17] The MBS II weapons training kits were provided to airports to
address the identified training gap by allowing TSOs to see and feel
the threat objects they were looking for. According to OSO officials,
these kits contained some of the test objects used by OI to conduct
covert testing.
[18] STEA included seven types of tests conducted at the passenger
checkpoint: IED in property disassembled, IED in property assembled,
stimulant on torso, weapon at an angle in property, weapon in property,
weapon on individual, and weapon on inner thigh. There is one type of
STEA test conducted at the checked baggage screening system--assembled
IED in baggage.
[19] GAO, Aviation Security: Enhancements Made in Passenger and Checked
Baggage Screening, but Challenges Remain, GAO-06-371T (Washington,
D.C.: Apr. 4, 2006).
[20] See, e.g., 49 U.S.C. § 114(t).
[21] National Commission on Terrorist Attacks upon the United States,
the 9/11 Commission Report: Final Report of the National Commission on
Terrorist Attacks upon the United States (Washington, D.C.: 2004). The
9/11 Commission was an independent, bipartisan commission created in
late 2002, to prepare a complete account of the circumstances
surrounding the September 11, 2001 terrorist attacks, including
preparedness for and the immediate response to the attacks. The
Commission was also mandated to provide recommendations designed to
guard against future attacks.
[22] GAO, Passenger Rail Security: Enhanced Federal Leadership Needed
to Prioritize and Guide Security Efforts, GAO-05-851 (Washington, D.C.:
Sept. 9, 2005); and GAO, Aviation Security: Federal Efforts to Secure
U.S.-Bound Air Cargo Are in the Early Stages and Could Be Strengthened,
GAO-07-660 (Washington, D.C.: Apr. 30, 2007).
[23] While some test entries recorded in the database include
observations made by inspectors, OI officials told us that these
observations are not intended to identify the reason for a test
failure. Moreover, these observations are not consistently recorded in
the database to allow OI to analyze trends in test outcomes.
[24] GAO, Aviation Security: Screener Training and Performance
Measurement Strengthened, but More Work Remains, GAO-05-457
(Washington, D.C.: May 2, 2005).
[25] The goal of TSA's Transit and Rail Inspection Pilot program was to
evaluate the use of existing and emerging technologies in the rail
environment to screen passengers' carry-on items, checked baggage,
cargo, and parcels for explosives. The pilot was conducted in three
phases. Phase I evaluated the use of screening technologies to screen
passengers and baggage prior to boarding trains at the New Carrollton,
Maryland, train station. Phase II tested screening of checked and
unclaimed baggage and cargo prior to loading on board Amtrak trains at
Union Station in Washington, D.C. Phase III evaluated the use of
screening technologies installed on a rail car to screen passengers and
their baggage while the rail car was in transit on a Shoreline East
commuter rail car.
[26] The Bus Explosives Screening Technology pilot tested emerging and
existing technologies to screen passengers, baggage, and cargo for
explosives prior to boarding buses. The pilot was conducted at the
Greyhound Bus terminal in Washington, D.C.
[27] TSA's Secure Automated Inspection Lanes pilot program tested
portable screening equipment and explosive detection technologies on
maritime ferry passengers to identify traces of explosive residue on
papers and documents carried by passengers.
[28] H.R. Rpt. No. 110-181, at 62-63 (2007), accompanying H.R. 2638,
110th Cong. (as passed by House of Representatives. June 15, 2007).
[29] See GAO-05-851.
[30] A well-designed probability sample would enable failure rates to
be generalized to the airports in which the tests were conducted and to
all airports. In a probability sample, each item in the population
being studied has a known, non-zero probability of being selected.
[31] According to TSA officials, recommendations made as a result of
ASAP tests are provided in a report to senior TSA leadership, who make
the decision whether or not to implement the recommendation, and the
status of each recommendation is tracked in the ASAP database.
[32] OSO officials told us that they did not systematically monitor the
status of OI's recommendations prior to our request.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
