Transportation Security

Terrorist incidents worldwide have highlighted the need for securing mass transit and passenger rail systems. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the primary federal entity responsible for securing these systems. GAO was asked to assess (1) the extent to which federal and industry stakeholders have assessed risks to these systems since 2004, and how TSA has used this information to inform its security strategy; (2) key actions federal and industry stakeholders have taken since 2004 and the extent to which federal actions are consistent with TSA's security strategy, and the challenges TSA faces in implementing them; and (3) TSA's reported status in implementing 9/11 Commission Act provisions for mass transit and passenger rail security. GAO reviewed documents including TSA's mass transit and passenger rail strategic plan, and interviewed federal officials and industry stakeholders from 30 systems and Amtrak--representing 75 percent of U.S. mass transit and passenger rail ridership.

Since 2004, federal and industry stakeholders have conducted assessments of individual elements of risk--threat, vulnerability and consequence--for mass transit and passenger rail systems and this information has informed TSA's security strategy; however, TSA has not combined information from these three elements to conduct a risk assessment of these transportation systems. By completing a risk assessment, TSA would have reasonable assurance that it is directing its resources toward the highest priority needs. Further, while TSA's mass transit and passenger rail security strategy contains some information, such as goals and objectives, that is consistent with GAO's prior work on characteristics of a successful national strategy, it could be strengthened by including performance measures to help TSA track progress in securing these systems, among other things. Federal and industry stakeholders have taken several key actions to strengthen the security of mass transit and passenger rail systems since 2004, and while federal actions have been generally consistent with TSA's security strategy, TSA faces coordination challenges, and opportunities exist to strengthen some programs. TSA has deployed surface inspectors to assess industry security programs and worked with DHS to develop security technologies, among other actions. Mass transit and passenger rail systems, including Amtrak, also reported taking actions to increase security, such as implementing passenger and baggage screening programs. Although TSA has taken steps to enhance its efforts, it can further strengthen security programs by, for example, expanding its efforts to obtain and share security technology information with industry. By improving information sharing with industry, TSA can help to ensure that its and industry's limited resources are used more productively to secure mass transit and passenger rail systems. As of March 2009, TSA reported implementing some of the 9/11 Commission Act provisions related to securing mass transit and passenger rail such as developing a strategy for securing transportation, but had missed deadlines, for example, for issuing new regulatory requirements for mass-transit and passenger-rail employee security training. In addition, TSA's progress reports that track its implementation of 9/11 Act provisions lack milestones to guide this effort as called for by project management best practices. Additionally, in some cases, TSA progress reports identify challenges to meeting 9/11 Act provisions, but these reports do not include a plan for addressing these challenges. Until TSA develops a plan with milestones, it will be difficult for TSA to provide reasonable assurance that the act's provisions are being implemented and that a plan is in place for overcoming challenges that arise. Additionally, officials from almost half of the mass transit and passenger rail systems GAO visited reported concerns with the potential costs and the feasibility of implementing pending employee security training requirements.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: