Transportation Security
Transportation Worker Identification Credential: A Status Update Gao ID: GAO-08-1151T September 17, 2008U.S. transportation systems and the estimated 4,000 transportation facilities move over 30 million tons of freight and provide an estimated 1.1 billion passenger trips each day. Since 2001 the Transportation Security Administration (TSA), part of the Department of Homeland Security (DHS) has protected these systems and facilities from terrorist attack. One program TSA utilizes is the Transportation Worker Identification Credential (TWIC) program, through which a common credential is being developed for transportation workers with access to secure areas. Ultimately planned for all transportation sectors, TSA, in cooperation with the U.S. Coast Guard, is initially focusing the TWIC program on the maritime sector. This testimony discusses (1) the progress made in implementing the TWIC program and (2) some of the remaining program challenges. This testimony is based on GAO's September 2006 TWIC report, as well as selected updates and ongoing work. To conduct this work, GAO reviewed program requirements and guidance, documentation on the status of the TWIC program, and interviewed program officials from TSA and the Coast Guard.
Since GAO's 2006 report on the TWIC program, TSA and the Coast Guard have made progress in addressing legislative requirements and implementing and testing the program through a prototype and pilot, as well as addressing GAO recommendations related to conducting additional systems testing. Although GAO has not yet evaluated the effectiveness of TSA's and the Coast Guard's efforts, the two agencies have taken the following actions to continue to implement the TWIC program: In January 2007, TSA and the Coast Guard issued the first rule in federal regulation to govern the TWIC program, setting the requirements for enrolling maritime workers in the TWIC program and issuing TWICs to these workers. The Coast Guard issued complementary guidance in July 2007 to explain how the maritime industry is to comply with these requirements. Enrollment efforts began at the Port of Wilmington, Delaware, in October 2007, and additional enrollments are under way through a contractor. Of the 1.2 million identified TWIC users, 492,928 (41 percent) were enrolled as of September 12, 2008. The TWIC program has initiated its TWIC Reader pilot to test card reader technology for use in controlling access to secure areas of maritime transportation facilities and vessels, and assess the impact of their installation on maritime operations. This pilot is expected to inform the development of a second TWIC rule on implementing access controls in the maritime environment. TSA and the maritime industry continue to face two potential challenges in implementing the TWIC program. TSA and its enrollment contractor continue to face challenges in enrolling and issuing TWICs to a significantly larger population than was done during TWIC program prototype testing. TSA and its enrollment contractor now plan to enroll and issue TWICs to an estimated target population of 1.2 million workers by April 15, 2009, compared to 770,000 workers estimated in January 2007. Over 700,000 additional workers (59 percent of projected enrollees) still need to be enrolled in the program by the April 15, 2009 deadline. TSA and industry stakeholders will need to ensure that TWIC access control technologies perform effectively in the harsh maritime environment and balance security requirements with the flow of maritime commerce. While testing is underway, the lessons learned of the ongoing tests remain to be distilled and used to inform the development of additional regulatory requirements
GAO-08-1151T, Transportation Security: Transportation Worker Identification Credential: A Status Update
This is the accessible text file for GAO report number GAO-08-1151T
entitled 'Transportation Security: Transportation Worker Identification
Credential: A Status Update' which was released on September 19, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Border, Maritime and Global
Counterterrorism, Committee on Homeland Security, House of
Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 10:00 a.m. EDT:
Wednesday, September 17, 2008:
Transportation Security:
Transportation Worker Identification Credential: A Status Update:
Statement of Stephen M. Lord, Acting Director Homeland Security and
Justice Issues:
GAO-08-1151T:
GAO Highlights:
Highlights of GAO-08-1151T, a testimony before the Subcommittee on
Border, Maritime, and Global Counterterrorism, Committee on Homeland
Security, House of Representatives.
Why GAO Did This Study:
U.S. transportation systems and the estimated 4,000 transportation
facilities move over 30 million tons of freight and provide an
estimated 1.1 billion passenger trips each day. Since 2001 the
Transportation Security Administration (TSA), part of the Department of
Homeland Security (DHS) has protected these systems and facilities from
terrorist attack. One program TSA utilizes is the Transportation Worker
Identification Credential (TWIC) program, through which a common
credential is being developed for transportation workers with access to
secure areas. Ultimately planned for all transportation sectors, TSA,
in cooperation with the U.S. Coast Guard, is initially focusing the
TWIC program on the maritime sector.
This testimony discusses (1) the progress made in implementing the TWIC
program and (2) some of the remaining program challenges. This
testimony is based on GAO‘s September 2006 TWIC report, as well as
selected updates and ongoing work. To conduct this work, GAO reviewed
program requirements and guidance, documentation on the status of the
TWIC program, and interviewed program officials from TSA and the Coast
Guard.
What GAO Found:
Since GAO‘s 2006 report on the TWIC program, TSA and the Coast Guard
have made progress in addressing legislative requirements and
implementing and testing the program through a prototype and pilot, as
well as addressing GAO recommendations related to conducting additional
systems testing. Although GAO has not yet evaluated the effectiveness
of TSA‘s and the Coast Guard‘s efforts, the two agencies have taken the
following actions to continue to implement the TWIC program:
* In January 2007, TSA and the Coast Guard issued the first rule in
federal regulation to govern the TWIC program, setting the requirements
for enrolling maritime workers in the TWIC program and issuing TWICs to
these workers. The Coast Guard issued complementary guidance in July
2007 to explain how the maritime industry is to comply with these
requirements.
* Enrollment efforts began at the Port of Wilmington, Delaware, in
October 2007, and additional enrollments are under way through a
contractor. Of the 1.2 million identified TWIC users, 492,928 (41
percent) were enrolled as of September 12, 2008.
* The TWIC program has initiated its TWIC Reader pilot to test card
reader technology for use in controlling access to secure areas of
maritime transportation facilities and vessels, and assess the impact
of their installation on maritime operations. This pilot is expected to
inform the development of a second TWIC rule on implementing access
controls in the maritime environment.
TSA and the maritime industry continue to face two potential challenges
in implementing the TWIC program.
* TSA and its enrollment contractor continue to face challenges in
enrolling and issuing TWICs to a significantly larger population than
was done during TWIC program prototype testing. TSA and its enrollment
contractor now plan to enroll and issue TWICs to an estimated target
population of 1.2 million workers by April 15, 2009, compared to
770,000 workers estimated in January 2007. Over 700,000 additional
workers (59 percent of projected enrollees) still need to be enrolled
in the program by the April 15, 2009 deadline.
* TSA and industry stakeholders will need to ensure that TWIC access
control technologies perform effectively in the harsh maritime
environment and balance security requirements with the flow of maritime
commerce. While testing is underway, the lessons learned of the ongoing
tests remain to be distilled and used to inform the development of
additional regulatory requirements
What GAO Recommends:
GAO has previously recommended that TSA conduct additional testing of
the TWIC program to help ensure that all key components work
effectively. TSA agreed with this recommendation and has taken action
to implement it.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1151T]. For more
information, contact Stephen M. Lord at (202) 512-4379 or
lords@gao.gov.
[End of section]
Madame Chairwoman and Members of the Subcommittee:
Thank you for inviting me to participate in today's hearing on the
status of the Transportation Security Administration's (TSA)
Transportation Worker Identification Credential (TWIC) program. The
TWIC program was created to help protect the nation's transportation
facilities from the threat of terrorism by issuing identification cards
only to workers who are not known to pose a terrorist threat and
allowing these workers unescorted access to secure areas of the
transportation system. Key aspects of the TWIC program include
collecting personal and biometric information, such as fingerprints, to
validate workers' identities; conducting background checks on
transportation workers to ensure that they do not pose a security
threat; and issuing tamper-resistant, biometric credentials, such as
identification cards, for use in granting workers unescorted access to
secure areas. The TWIC program is ultimately intended to support all
modes of transportation. However, TSA, in partnership with the Coast
Guard, is focusing initial implementation on the maritime sector.
The TWIC program was established to respond to the provisions of
several pieces of legislation and subsequent programming decisions. In
the aftermath of the September 11, 2001, terrorist attacks, the
Aviation and Transportation Security Act (ATSA)[Footnote 1] was enacted
in November 2001 and, among other things, requires TSA, an agency
within the Department of Homeland Security (DHS), to work with airport
operators to strengthen access control points in secure areas and
consider using biometric access control systems[Footnote 2] to verify
the identity of individuals who seek to enter a secure airport area. In
response to ATSA, TSA established the TWIC program in December 2001.
Enacted in November 2002, the Maritime Transportation Security Act of
2002 (MTSA)[Footnote 3] required the Secretary of Homeland Security to
issue a maritime worker identification card that uses biometrics to
control access to secure areas of maritime transportation facilities
and vessels. In addition, the Security and Accountability For Every
(SAFE) Port Act of 2006 amended MTSA to direct the Secretary of
Homeland Security to, among other things, implement the TWIC Program at
the 10 highest-risk ports by July 1, 2007.[Footnote 4] TSA's
responsibilities include enrolling TWIC users, conducting security
threat assessments, and processing appeals to adverse TWIC
qualification decisions. The Coast Guard is responsible for developing
maritime security regulations and ensuring that maritime facilities and
vessels are in compliance with these regulations.
We have reported on the status of the development and testing of the
TWIC program several times. Our 2004 report[Footnote 5] identified
challenges that TSA faced in developing regulations and a comprehensive
plan for managing the program, as well as several factors that caused
TSA to miss initial deadlines for issuing TWICs. In September 2006, we
reported[Footnote 6] on challenges TSA encountered during TWIC program
testing and several problems related to contract planning and
oversight. We have since provided updates to this work in April and
October 2007.[Footnote 7]
My testimony today focuses on (1) the progress made since September
2006 in implementing the TWIC program and (2) some of the remaining
challenges that TSA, the Coast Guard, and the maritime industry must
overcome to ensure the successful implementation of the program.
Today's observations are based on our September 2006 TWIC report, which
reflects work conducted at TSA and the Coast Guard, as well as site
visits to transportation facilities that participated in testing the
TWIC program; our subsequent updates to this work issued in April and
October 2007; and our ongoing review of the TWIC program initiated in
July 2008. This current review of the implementation of the TWIC
program will be published in 2009, and is being conducted for the
Senate Committee on Commerce, Science, and Transportation; the House
Committee on Homeland Security; and the House Committee on
Transportation and Infrastructure. As part of our current engagement,
we reviewed program documentation on the status of TWIC implementation;
related guidance provided by the Coast Guard; information from maritime
industry stakeholders, such as TWIC Stakeholder Communication Committee
meeting minutes and reporting by the National Maritime Security
Advisory Committee--an advisory council to DHS. In addition, we
interviewed TWIC program officials from TSA--including the TWIC Program
Director--and the Coast Guard regarding their efforts to implement the
TWIC program and our prior recommendations although we did not
independently assess the effectiveness of these efforts. We requested
and received comments on the draft statement from TSA. We conducted
this work from July 2008 through September 2008 in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Summary:
Since we reported on the TWIC program in September 2006,[Footnote 8]
progress has been made in implementing the program. Although we have
not yet independently assessed the effectiveness of these efforts, TSA
and the Coast Guard have taken action to address legislative
requirements to implement and test the program as well as our
recommendations related to conducting additional systems testing.
Specifically:
* TSA and the Coast Guard issued the first TWIC rule in January 2007,
which sets forth the requirements for enrolling maritime workers in the
TWIC program and issuing TWICs to these workers. In July 2007 the Coast
Guard issued guidance complementing the January 2007 TWIC rule. This
guidance provides additional context for how the maritime industry is
to comply with this TWIC rule.
* Enrollment efforts have been underway. As of September 12, 2008,
492,928 enrollees, or 41 percent of the anticipated 1.2 million TWIC
users, have enrolled in the TWIC program. Further, 318,738 TWICs have
been activated and issued.
* The TWIC program initiated the TWIC reader pilot to test TWIC access
control technologies and their impact on maritime operations. A second
rule is planned to be issued on the use of TWIC access control
technologies,[Footnote 9] including TWIC readers, for confirming the
identity of the TWIC holder against the biometric information on the
TWIC. However, TSA has not established a date for completing the pilot.
TSA and maritime industry stakeholders face two potential challenges in
implementing the TWIC program.
* As we have previously reported, TSA and its enrollment contractor
continue to face the challenge of enrolling and issuing TWICs to a
significantly larger population of workers than was previously
estimated. TSA and its enrollment contractor now plan to enroll and
issue TWICs to an estimated target population of 1.2 million workers by
April 15, 2009, compared to 770,000 workers estimated in January
2007.[Footnote 10] While 492,928 enrollments (41 percent) out of an
estimated target population of 1.2 million had been processed as of
September 12, 2008, an additional 707,072 workers (59 percent) still
need to be enrolled in the program by the April 15, 2009, deadline.
* As highlighted in our prior work, TSA and industry stakeholders will
need to ensure that TWIC readers perform effectively in the harsh
maritime environment and balance security requirements with the flow of
maritime commerce. However, since testing of how this technology works
in practice and accumulating the lessons learned remains ongoing, TSA
and Coast Guard have yet to incorporate the results of these tests into
the second rule establishing the requirements and time frames for
implementing TWIC access control technologies. Our ongoing work will
assess how the results of this testing is used to inform the
development of a second TWIC rule, and help ensure an appropriate
balance between security and commerce requirements.
Background:
Securing transportation systems and facilities is complicated,
requiring balancing security to address potential threats while
facilitating the flow of people and goods. These systems and facilities
are critical components of the U.S. economy and are necessary for
supplying goods throughout the country and supporting international
commerce. U.S. maritime transportation systems and facilities[Footnote
11] move over 30 million tons of freight and provide approximately 1.1
billion passenger trips each day. The ports of Los Angeles and Long
Beach estimate that they alone handle about 43 percent of the nation's
oceangoing cargo. The importance of these systems and facilities also
makes them attractive targets to terrorists.
These systems and facilities are vulnerable and difficult to secure
given their size, easy accessibility, large number of potential
targets, and proximity to urban areas. A terrorist attack on these
systems and facilities could cause a tremendous loss of life and
disruption to our society. An attack would also be costly. According to
testimony by a Port of Los Angeles official, a 2002 labor dispute that
led to a 10-day shutdown of West Coast port operations cost the
nation's economy an estimated $1.5 billion per day.[Footnote 12] A
terrorist attack at a port facility could have a similar or greater
impact.
One potential security threat stems from those individuals who work in
secure areas of the nation's transportation system, including maritime
transportation facilities, airports, railroad terminals, mass transit
stations, and other transportation facilities. It is estimated that
about 6 million workers, including longshoremen, mechanics, aviation
and railroad employees, truck drivers, and others access secure areas
of the nation's estimated 4,000 transportation facilities each day
while performing their jobs. Some of these workers, such as truck
drivers, regularly access secure areas at multiple transportation
facilities. Ensuring that only workers who are not known to pose a
terrorism security risk are allowed unescorted access to secure areas
is important in helping to prevent an attack.
TWIC Program History:
In the aftermath of the September 11, 2001, terrorist attacks, the TWIC
program was established in December 2001 to mitigate the threat of
terrorists and other unauthorized persons from accessing secure areas
of the entire transportation network, by creating a common
identification credential that could be used by workers in all modes of
transportation.[Footnote 13] As of September 2008 appropriated funds
for the program totaled $103.4 million. Below are a number of key
actions taken with respect to the implementation of the TWIC program.
* November 2002: Enactment of the Maritime Transportation Security Act
of 2002, which required the Secretary of Homeland Security to issue a
maritime worker identification card that uses biometrics to control
access to secure areas of maritime transportation facilities and
vessels.
* August 2004 through June 2005: As part of its prototype testing, TSA-
-through a private contractor--tested the TWIC program at 28
transportation facilities across the country.
* August 2006: TSA decided that the TWIC program would be implemented
in the maritime sector using two separate rules. The first rule covers
use of TWICs as a credential for gaining access to facilities and
vessels. The second rule is planned to address the use of access
control technologies, such as TWIC readers, for confirming the identity
of the TWIC holder against the biometric information on the TWIC.
* October 2006: The SAFE Port Act directed the Secretary of Homeland
Security to, among other things, implement the TWIC program at the 10
highest-risk ports by July 1, 2007, and to conduct a pilot program to
test TWIC access control technologies, such as TWIC readers, in the
maritime environment.
* January 2007: TSA and the Coast Guard issued a rule requiring worker
enrollment and TWIC issuance. TSA also awarded a $70 million contract
to begin enrolling workers and issuing TWICs to workers.
* July 2007: The Coast Guard issued guidance on how the maritime
industry is to comply with the January 2007 TWIC rule and how the Coast
Guard will implement TWIC compliance efforts.
* June 2008: As part of the TWIC reader pilot, TSA issued an agency
announcement calling for biometric card readers to be submitted for
assessment as TWIC readers.
Key Components of the TWIC Program:
The TWIC program includes several key components:
* Enrollment: Transportation workers will be enrolled in the TWIC
program at enrollment centers by providing personal information, such
as name, date of birth, and address, and will be photographed and
fingerprinted. For those workers who are unable to provide quality
fingerprints, TSA is to collect an alternate authentication identifier.
* Background checks: TSA will conduct background checks on each worker
to ensure that individuals do not pose a security threat. These will
include several components. First, TSA will conduct a security threat
assessment that may include, for example, checks of terrorism databases
or watch lists, such as TSA's No-fly and selectee lists. Second, a
Federal Bureau of Investigation criminal history records check will be
conducted to identify if the worker has any disqualifying criminal
offenses. Third, the worker's immigration status and prior
determinations related to mental capacity will be checked. Workers will
have the opportunity to appeal negative results of the threat
assessment or request a waiver in certain circumstances.
* TWIC production: After TSA determines that a worker has passed the
background check, the worker's information is provided to a federal
card production facility where the TWIC will be personalized for the
worker, manufactured, and then sent back to the enrollment center.
* Card issuance: Transportation workers are to be informed when their
TWICs are ready to be picked up at enrollment centers. Once a TWIC has
been activated and issued, workers may present their TWICs to security
officials when they seek to enter a secure area, and in the future may
use biometric card readers to verify identify.
Progress Has Been Made in Implementing the TWIC Program:
Several positive steps have been taken since our September 2006
report[Footnote 14] toward successfully implementing the TWIC program.
One key step was the issuance of the first TWIC rule by TSA and the
Coast Guard in January 2007 establishing requirements for providing
workers and merchant mariners access to maritime transportation
facilities and vessels. To help facilitate the rule's implementation,
in July 2007 the Coast Guard issued complementary guidance to help the
maritime industry comply with the new TWIC regulations and facilitate
the Coast Guard's implementation of TWIC-related compliance efforts. In
addition, enrollment efforts have been under way, and 41 percent of the
estimated 1.2 million people needing TWICs have been enrolled. Finally,
the TWIC program has initiated the TWIC reader pilot and is moving
forward in testing TWIC access control technologies and their impact on
maritime operations. However, TSA has not established time frames for
completing this pilot program, the results of which will be used to
inform the second rulemaking related to TWIC access control
technologies.
TSA and the Coast Guard Issued a TWIC Rule, and Coast Guard Has Issued
Complementary Guidance to Facilitate TWIC's Implementation:
On January 25, 2007, TSA and the Coast Guard issued the first TWIC rule
that, among other things, sets forth the regulatory requirements for
enrolling workers and issuing TWICs to workers in the maritime sector.
Specifically, this TWIC rule provides that workers and merchant
mariners requiring unescorted access to secure areas of maritime
transportation facilities and vessels must enroll in the TWIC program,
undergo a background check, and obtain a TWIC before such access is
granted. In addition, the rule requires owners and operators of MTSA-
regulated maritime transportation facilities and vessels to change
their existing access control procedures to ensure that a merchant
mariner and any other individual seeking unescorted access to a secure
area of a facility or vessel has a TWIC.[Footnote 15] Table 1 describes
the key requirements in the first TWIC rule.
Table 1: Key Requirements in the January 2007 TWIC Rule:
Requirement: Transportation workers;
Description of requirement: Individuals who require unescorted access
to secure areas of maritime transportation facilities and vessels, and
all merchant mariners, must obtain a TWIC before such access is
granted.
Requirement: Fees;
Description of requirement: All workers applying for a TWIC will pay a
fee of $132.50 to cover the costs associated with the TWIC program.
Workers that have already undergone a federal threat assessment
comparable to the one required to obtain a TWIC will pay a reduced fee
of $105.25. The replacement fee for a TWIC will be $60.
Requirement: Access to secure areas of maritime facilities and vessels;
Description of requirement: By no later than April 15, 2009, facilities
and vessels currently regulated under the Maritime Transportation
Security Act must change their current access control procedures to
ensure that any individual or merchant mariner seeking unescorted
access to a secure area has a TWIC.
Requirement: Newly hired workers and escorting procedures;
Description of requirement: Newly hired workers who have applied for,
but have not received, their TWIC, will be allowed access to secure
areas for 30 days as long as they meet specified criteria, such as
passing a TSA name-based background check, and only while accompanied
by another employee with a TWIC. Individuals that need to enter a
secure area but do not have a TWIC must be escorted at all times by
individuals with a TWIC.
Requirement: Background checks;
Description of requirement: All workers applying for a TWIC must
provide certain personal information and fingerprints to TSA so that
they can conduct a security threat assessment, which includes a Federal
Bureau of Investigation fingerprint-based criminal history records
check, and an immigration status check. In order to qualify for a TWIC,
workers must not have been incarcerated or convicted of certain
disqualifying crimes must, have legal presence or authorization to work
in the United States, must have no known connection to terrorist
activity, and cannot have been adjudicated as lacking mental capacity
or have been committed to a mental health facility.
Requirement: Appeals and waiver process;
Description of requirement: All TWIC applicants will have the
opportunity to appeal a background check disqualification through TSA,
or apply to TSA for a waiver of certain disqualifying factors, either
during the application process or after being disqualified for certain
crimes, mental incapacity, or if they are aliens in Temporary Protected
Status. Applicants who apply for a waiver and are denied a TWIC by TSA,
or applicants who are disqualified based on a determination that he or
she poses a security threat, may, after an appeal, seek review by a
Coast Guard administrative law judge.
Requirement: Access control systems;
Description of requirement: The Coast Guard will conduct unannounced
inspections to confirm the identity of TWIC holders using hand-held
biometric card readers (i.e., TWIC readers) to check the biometric on
the TWIC against the person presenting the TWIC. In addition, security
personnel will conduct visual inspections of the TWICs and look for
signs of tampering or forgery when a worker enters a secure area.
Source: GAO analysis of TWIC rule and TSA information.
[End of table]
The January 2007 TWIC rule does not currently require owners and
operators of maritime transportation facilities and vessels to employ
TWIC readers to verify the biometric feature (e.g., TWIC holder's
fingerprints) of the TWIC. These requirements are to be issued under a
second rule at a later date. As a result, the TWIC will initially serve
as a visual identity badge (i.e., a "flash pass") until the new rule
requires that TWIC access control technologies, such as TWIC readers,
be installed to verify the credentials when a worker enters a secure
area. According to TSA, during initial implementation, workers will
present their TWICs to authorized security personnel, who will compare
each TWIC holder to his or her photo and inspect the card for signs of
tampering. In addition, the Coast Guard will verify TWICs when
conducting vessel and facility inspections and during spot checks using
handheld TWIC readers to ensure that credentials are valid.
On July 2, 2007, the Coast Guard also issued some supplementary
guidance to help facilitate implementation of the January 2007 TWIC
rule. Among other issues, the Coast Guard's Navigation and Vessel
Inspection Circular (NVIC) Number 03-07 is designed to clarify the TWIC
enrollment and issuance process, the waiver and application process,
and approaches for enforcing TWIC program compliance. For instance,
with regard to TWIC enrollment, the NVIC provides guidance on applying
for appeals to disqualification decisions. The NVIC also provides
guidance for escorting non-TWIC holders in secure areas. Under current
procedures, one TWIC holder is allowed to escort 10 non-TWIC holders in
secure areas of a facility.
TWIC Enrollment Efforts Are Progressing:
As we reported in October 2007,[Footnote 16] following the issuance of
the first TWIC rule in January 2007, TSA awarded a $70 million contract
to a private contractor to enroll the then estimated 770,000 workers
required to obtain TWICs. Since our last update, enrollment in the TWIC
program has progressed. TSA began enrolling and issuing TWICs to
workers at the Port of Wilmington, Delaware, on October 16, 2007. Since
then, 148 of 149 enrollment centers have been opened to meet TWIC
enrollment demand, with the remaining center scheduled to be opened by
September 17, 2008. Additionally, according to TSA, mobile centers have
been deployed on an as-needed basis. As of September 12, 2008, TSA
reports 492,928 enrollments and 318,738 TWICs activated and issued. All
maritime workers are expected to hold TWICs by the January 2007 TWIC
rule's revised compliance deadline of April 15, 2009.
TWIC Reader Pilot Has Been Initiated to Test TWIC-Related Access
Control Technologies:
In response to our recommendation,[Footnote 17] and as required by the
Safe Port Act,[Footnote 18] TSA has initiated a pilot, known as the
TWIC reader pilot, to test TWIC-related access control technologies.
This pilot is intended to test the business processes, technology, and
operational impacts resulting from the deployment of TWIC readers at
secure areas of the marine transportation system. As such, the pilot is
expected to test the viability of existing biometric card readers for
use in reading TWICs within the maritime environment. It will also test
the technical aspects of connecting existing access control systems at
maritime transportation facilities and vessels to TWIC readers and
databases containing the required biometric information, for confirming
the identity of the TWIC holder against the biometric information on
the TWIC. After the pilot has concluded, the results are expected to
inform the development of the second rule requiring the deployment of
TWIC readers for use in controlling access in the maritime environment.
However, at this time, TSA officials do not yet have a date established
for the completion of this pilot. Further, time frames for completing
the second rule are not set.
The TWIC reader pilot consists of three assessments with the results of
each assessment intended to inform subsequent assessments. This testing
is currently under way, and we will analyze the test results as part of
our ongoing work. The three assessments are as follows:
* Initial technical testing: This assessment is laboratory-based and is
designed to determine if selected biometric card readers meet TWIC card-
reader specifications.[Footnote 19] These specifications include
technical and environmental requirements deemed necessary for use in
the harsh maritime environment. At the completion of initial technical
testing, a formal test report will be developed to prioritize all
problems with readers based on their potential to adversely impact the
maritime transportation facility or vessel. Based on this assessment,
readers with problems that would severely impact maritime operations
are not to be recommended for use in the next phase of testing. At this
time, TSA is conducting the initial technical testing portion of the
TWIC reader pilot. As part of this assessment, in June 2008, TSA issued
an announcement calling for biometric card readers to be submitted for
assessment as TWIC readers. According to the TWIC Program Director, an
initial round of TWIC reader testing has been completed and a second
round of testing has been initiated. This is expected to provide a
broader range of readers to be used as part of subsequent assessments.
* Early operational assessment: This assessment is to evaluate the
impact of TWIC reader implementation on the flow of commerce. Key
results to be achieved as part of this assessment include obtaining
essential data to inform development of the second rule, assessing
reader suitability and effectiveness, and further refining reader
specifications. As part of this process, maritime transportation
facilities and vessels participating in the pilot are to select the
readers they plan to test and install, and test readers as part of the
test site's normal business and operational environment. In preparation
for the early operational assessment segment of this pilot, the TWIC
Program Director stated that program staff have started working with
pilot participants to review test plans and expect to initiate the
early operational assessment portion of the pilot in early 2009. As
part of this pilot, TSA is partnering with maritime transportation
facilities at five ports as well as three vessel operators.[Footnote
20] TSA's objective is to include pilot test participants that are
representative of a variety of maritime transportation facilities and
vessels in different geographic locations and environmental conditions.
* System test and evaluation: Building on the results of the initial
technical testing and the early operational assessment, the system test
and evaluation is intended to evaluate the full impact of maritime
transportation facility and vessel operators complying with a range of
requirements anticipated to be included in the second TWIC rule, such
as TWIC reader effectiveness, suitability, and supportability. In
addition, this evaluation is expected to establish a test protocol for
evaluating readers prior to acquiring them for official TWIC
implementation.
Our ongoing review of the TWIC program will provide additional details
on the results of the TWIC reader pilot and how these results helped
inform the anticipated second TWIC rule.
TSA and Maritime Industry Stakeholders Face Two Potential Challenges in
Implementing the TWIC Program:
TSA and maritime industry stakeholders face two potential challenges in
ensuring that the TWIC program will be implemented successfully. TSA
and its enrollment contractor are planning to enroll and issue TWICs to
a significantly larger population of workers than was originally
estimated. Specifically, TSA estimates that it will need to issue TWICs
to 1.2 million workers by April 15, 2009.[Footnote 21] This target
population is significantly larger than the estimated target population
identified in the January 2007 rule. Further, TSA and maritime industry
stakeholders also face challenges in ensuring that TWIC access control
technologies, such as biometric card readers, work effectively in the
harsh maritime environment and ensuring that security requirements are
balanced with the flow of commerce. However, since TSA is still testing
this technology and accumulating the lessons learned from this testing,
it is unclear how effectively this technology works in practice. These
testing results will be used to help inform the development of the
second rule establishing the requirements and time frames for
implementing TWIC access control technologies. Our ongoing work will
assess how the results of this testing are used to inform the
development of the second rule and help ensure an appropriate balance
between security and commerce.
Increase in estimated target population one of Several Issues
Identified During the Initial Enrollment Process:
In September 2006 we reported[Footnote 22] that TSA faced the challenge
of enrolling and issuing TWICs in a timely manner to a significantly
larger population of workers than was done during the TWIC prototype
test, which was conducted from August 2004 through June 2005. Since
then, steps have been taken to improve the enrollment and TWIC issuance
process. For example, according to TSA officials, the TWIC enrollment
systems were tested to ensure that they would work effectively and be
able to handle the full capacity of enrollments during implementation.
Despite these positive steps, there have been issues associated with
the TWIC enrollment process. As documented in TWIC program
documentation, enrollment issues include miscommunication about the
wait time for TWICs to be available, such as enrollees being told that
TWICs would be available in 10 to 30 days rather than 6 to 8 weeks. In
addition, help desk issues existed, such as approximately 70 percent of
calls placed to the help desk being abandoned and call wait times
reported to be as long as 20 minutes when they were planned for 3
minutes. According to TSA officials, actions have been taken to address
these problems.
Additionally, in July 2008, the National Maritime Security Advisory
Committee--chartered to advise, consult with, report to, and make
recommendations to the Secretary of the Department of Homeland Security
on matters relating to maritime security--reported[Footnote 23] on
several unresolved problems, which it contends help to foster an
unfavorable sentiment among stakeholders.[Footnote 24] Among other
issues, the committee report noted:
* poor communication and outreach regarding the trucking and merchant
mariner communities, and whether these communities are fully aware of
TWIC program requirements, and:
* technical issues whereby biometric scanning equipment did not
accurately record and process enrollee fingerprint templates.
TWIC program management disputed the National Maritime Security
Advisory Committee's findings, stating that some of the findings in the
report are outdated or inaccurate. For instance, according to the TWIC
Program Director, the fingerprint rejection rates for the program are
within acceptable standards as defined in the contract and are
consistent with other government experiences. Moreover, the Program
Director noted that to be helpful, the committee needs to prioritize
the issues it identified. TSA plans to meet with the committee on
September 18, 2008 to respond to the report.
Nevertheless, TWIC program management and the contractor report that
they have taken action to remediate several of the problems identified
above. For example, to address the issues related to the help desk,
TWIC program management reports that it worked with its contractor to
add additional resources at the help desk to meet call volume demand.
Similarly, to counter the lack of access or parking at enrollment
centers at the Port of Los Angeles, TSA's contractor opened an
additional enrollment facility with truck parking access as well as
extended operating hours.
Additional Steps Are Being Taken to Clarify Final Enrollment Figures
and Address Enrollment Challenges:
To help meet the challenge of enrolling and issuing TWICs to an
estimated 1.2 million workers by April 15, 2009, TSA and the Coast
Guard are working to update estimates for the number of people
requiring TWICs. TWIC program management does not have a precise
estimate of the total number and location of potential enrollees. For
instance, while the January 2007 TWIC rule identifies that 770,000 TWIC
enrollments were anticipated, that number has been revised to
approximately 1.2 million--nearly double the original estimate.
According to the TWIC Program Director, it is difficult to know how
many individuals will enroll in the program as no association, port
owner, or government agency previously tracked this information. The
Program Director also told us that some anticipated enrollees may have
been double counted. Therefore, the number of enrollees that actually
enroll may be fewer than the estimated 1.2 million. As part of an
effort to develop better enrollee estimates, TSA reports that it is
currently completing a contingency analysis in coordination with the
Coast Guard that will better identify the size of its target enrollee
population at major ports. For example, in preparation for meeting
enrollment demands at the Port of Houston, TWIC program officials are
updating prior estimates of maritime workers requiring TWICs for access
to this port's facilities. To better meet possible short-term spikes in
enrollment application demand--such as in final weeks before individual
ports must meet final TWIC enrollment requirements--the TWIC program is
promoting the use of mobile enrollment centers whereby temporary
centers are set up to help enroll employees for TWICs.
However, given that 492,928 enrollments (41 percent) out of an
estimated target population of 1.2 million had been processed as of
September 12, 2008, an additional 707,072 workers (59 percent) still
need to be enrolled in the program by the April 15, 2009 deadline.
Further, assuming the current rate of enrollment, there will be an
estimated shortfall of 393,391 TWIC enrollees in April 2009. As such,
meeting final enrollment and TWIC issuance requirements by April 15,
2009, could pose a challenge. We will continue to monitor these efforts
as part of our ongoing engagement.
TSA and Industry Stakeholders Taking Steps to Ensure That TWIC Access
Control Technologies Work Effectively in a Harsh Maritime Environment:
In our September 2006 report,[Footnote 25] we noted that TSA and
maritime industry stakeholders faced significant challenges in ensuring
that TWIC access control technologies, such as biometric card readers,
work effectively in the maritime sector. Few facilities that
participated in the TWIC prototype tested the use of biometric card
readers. As a result, TSA obtained limited information on the
operational effectiveness of biometric card readers for use with TWICs,
particularly when individuals use these readers outdoors in the harsh
maritime environment, where they can be affected by dirt, salt, wind,
and rain. In addition, TSA did not test the use of biometric card
readers on vessels, although they will be required on vessels in the
future. Further, industry stakeholders with whom we spoke were
concerned about:
* the costs of implementing and operating TWIC access control systems,
* linking card readers to their local access control systems, and:
* how biometric card readers would be implemented and used on vessels.
Because of comments received from maritime industry stakeholders prior
to issuing its January 2007 TWIC rule, TSA and Coast Guard excluded all
access control requirements from this rule. Instead, TSA and Coast
Guard now plan to issue a second TWIC rule pertaining to access control
requirements, such as TWIC readers.
In our September 2006 report, we noted[Footnote 26] that TSA and
industry stakeholders will need to consider the security benefits of
the TWIC program and the impact the program could have on maritime
commerce. According to TSA, if implemented effectively, the security
benefits of the TWIC program in preventing a terrorist attack could
save lives and avoid a costly disruption in maritime commerce.
Alternatively, if key components of the TWIC program, such as biometric
card readers, do not work effectively, they could slow the daily flow
of commerce.
Our September 2006 report[Footnote 27] also recommended that TSA
conduct additional testing to ensure that TWIC access control
technologies work effectively and that the TWIC program balances the
security benefits of the program with the impact that it could have on
the flow of maritime commerce. In response to our recommendation and to
address SAFE Port Act requirements,[Footnote 28] TSA has initiated a
TWIC reader pilot that, as previously discussed, includes an assessment
of card readers against TWIC technical and environmental
specifications. In addition, the pilot will include testing at various
maritime transportation facilities and vessels to assess the
performance of biometric card readers as well as the impact TWIC use
will have on operations when used as part of existing maritime
transportation facility and vessel access control systems. The results
of this pilot are to be used to help develop the second TWIC rule on
TWIC access control technologies, such as TWIC readers. However, as
discussed earlier, this testing is still under way and TSA has not
established a date for completing the pilot program. Moreover, a date
has not been set for issuing the second TWIC rule on the requirements
and time frames for implementing the TWIC access control technology.
Our ongoing work will assess how the lessons learned from the testing
are used to inform the development of the second rule and help ensure
an appropriate balance between security and commerce.
Concluding Observations:
Addressing the issue of maritime security is a major challenge given
the size and complexity of the maritime transportation network. Since
we first reported on the TWIC program in December 2004, [Footnote 29]
TSA has made progress toward implementing the program, including
issuing a TWIC rule, enrolling some workers in the program, and
conducting additional testing at several key maritime transportation
facilities and vessels. While the additional testing that TSA reports
conducting and the actions it has taken should help address the
challenges that we have previously identified, the effectiveness of
these efforts will not be clear until the program further matures. TSA
still faces the challenges of clarifying the size of its target
enrollee population and ensuring that the lessons learned from the
ongoing TWIC pilot are distilled and used to inform the development of
additional regulatory requirements. Given the looming April 2009
enrollment deadline and that more than 700,000 workers still need to be
enrolled in the program, a late enrollment surge could potentially
impact maritime security and trade. Successfully addressing these
challenges will help ensure that TWIC meets the goal of establishing an
interoperable security network based on a common identification
credential.
Madame Chairwoman, this concludes my statement. I would be pleased to
answer any questions that you or other members of the subcommittee may
have at this time.
Contacts and Acknowledgments:
For further information on this testimony, please contact Stephen M.
Lord at (202) 512-4379 or at lords@gao.gov. Individuals making key
contributions to this testimony include Cathleen Berrick, David Bruno,
Chris Currie, Joseph Cruz, Lemuel Jackson, Sally Williamson, Geoffrey
Hamilton, and Julie Silvers.
[End of section]
Footnotes:
[1] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[2] A biometric access control system consists of technology that
determines an individual's identity by detecting and matching unique
physical or behavioral characteristics, such as fingerprint or voice
patterns, as a means of verifying personal identity.
[3] Pub. L. No. 107-295, 116 Stat. 2064 (2002).
[4] Pub. L. No. 109-347, 120 Stat. 1884 (2006).
[5] GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, GAO-05-106 (Washington,
D.C.: Dec. 10, 2004).
[6] GAO, Transportation Security: DHS Should Address Key Challenges
before Implementing the Transportation Worker Identification Credential
Program, GAO-06-982 (Washington, D.C.: Sept. 29, 2006).
[7] GAO, Transportation Security: TSA Has Made Progress in Implementing
the Transportation Worker Identification Credential, but Challenges
Remain, GAO-07-681T (Washington, D.C.: Apr. 12, 2007), and GAO,
Transportation Security: TSA Has Made Progress in Implementing the
Transportation Worker Identification Credential Program, but Challenges
Remain, GAO-08-133T (Washington, D.C.: Oct. 31, 2007).
[8] GAO-06-982.
[9] With regard to TWICs, access control technologies include, for
example, card readers capable of reading TWICs, existing systems for
controlling access at maritime transportation facilities and vessels,
the TWIC database containing biometric information, and the interface
between existing access control systems and the TWIC database.
[10] The January 2007 TWIC rule established that all maritime workers
were expected to hold TWICs by September 25, 2008; however, the final
compliance date has been extended from September 25, 2008 to April 15,
2009, pursuant to 73 Fed. Reg. 25562.
[11] For the purposes of this report, the term maritime transportation
facilities refers to seaports, inland ports, offshore facilities, and
facilities located on the grounds of ports.
[12] Testimony of the Director of Homeland Security, Port of Los
Angeles, before the United States Senate Committee on Commerce,
Science, and Transportation, May 16, 2006.
[13] TSA was transferred from the Department of Transportation to DHS
pursuant to requirements in the Homeland Security Act of 2002 (Pub. L.
No. 107-296, 116 Stat. 2135 (2002)).
[14] GAO-06-982.
[15] Persons not required to obtain or possess TWICs before accessing
secure areas include, for example, federal officials with specified
types of credentials, state or local law enforcement officials, and
state or local emergency responders.
[16] GAO-08-133T.
[17] GAO-06-982.
[18] Pub. L. No. 109-347, 120 Stat. 1884, 1889-90 (2006).
[19] TWIC Card Reader Specifications were first published in September
of 2007 and last updated on May 30, 2008.
[20] Port test participants include the port authorities of Los
Angeles, Long Beach, Brownsville, New York, and New Jersey. In
addition, vessel operation participants include the Staten Island Ferry
in Staten Island, New York; Magnolia Marine Transports in Vicksburg,
Mississippi; and Watermark Cruises in Annapolis, Maryland.
[21] As previously noted, the final compliance date has been extended
from September 25, 2008, to April 15, 2009 (73 Fed. Reg. 25562 (May 7,
2008)).
[22] GAO-06-982.
[23] National Maritime Security Advisory Committee, TWIC Working Group,
Discussion Items, as amended July 30, 2008.
[24] The National Maritime Security Advisory Committee was established
under the authority of the Maritime Transportation Security Act of 2002
to provide advice and make recommendations to the Secretary of Homeland
Security via the Commandant of the Coast Guard on national maritime
security matters.
[25] GAO-06-982.
[26] GAO-06-982.
[27] GAO-06-982.
[28] The SAFE Port Act requires TSA to issue a final rule containing
the requirements for installing and using TWIC access control
technologies no later than two years after the initiation of the pilot.
[29] GAO-05-106.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
