Aviation Security
A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls Gao ID: GAO-09-399 September 30, 2009Incidents of airport workers using access privileges to smuggle weapons through secured airport areas and onto planes have heightened concerns regarding commercial airport security. The Transportation Security Administration (TSA), along with airports, is responsible for security at TSA-regulated airports. To guide risk assessment and protection of critical infrastructure, including airports, the Department of Homeland Security (DHS) developed the National Infrastructure Protection Plan (NIPP). GAO was asked to examine the extent to which, for airport perimeters and access controls, TSA (1) assessed risk consistent with the NIPP; (2) implemented protective programs, and evaluated its worker screening pilots; and (3) established a strategy to guide decision making. GAO examined TSA documents related to risk assessment activities, airport security programs, and worker screening pilots; visited nine airports of varying size; and interviewed TSA, airport, and association officials.
Although TSA has implemented activities to assess risks to airport perimeters and access controls, such as a commercial aviation threat assessment, it has not conducted vulnerability assessments for 87 percent of the nation's approximately 450 commercial airports or any consequence assessments. As a result, TSA has not completed a comprehensive risk assessment combining threat, vulnerability, and consequence assessments as required by the NIPP. While TSA officials said they intend to conduct a consequence assessment and additional vulnerability assessments, TSA could not provide further details, such as milestones for their completion. Conducting a comprehensive risk assessment and establishing milestones for its completion would provide additional assurance that intended actions will be implemented, provide critical information to enhance TSA's understanding of risks to airports, and help ensure resources are allocated to the highest security priorities. Since 2004, TSA has taken steps to strengthen airport security and implement new programs; however, while TSA conducted a pilot program to test worker screening methods, clear conclusions could not be drawn because of significant design limitations and TSA did not document key aspects of the pilot. TSA has taken steps to enhance airport security by, among other things, expanding its requirements for conducting worker background checks and implementing a worker screening program. In fiscal year 2008 TSA pilot tested various methods to screen airport workers to compare the benefits, costs, and impacts of 100 percent worker screening and random worker screening. TSA designed and implemented the pilot in coordination with the Homeland Security Institute (HSI), a federally funded research and development center. However, because of significant limitations in the design and evaluation of the pilot, such as the limited number of participating airports--7 out of about 450--it is unclear which method is more cost-effective. TSA and HSI also did not document key aspects of the pilot's design, methodology, and evaluation, such as a data analysis plan, limiting the usefulness of these efforts. A well-developed and well-documented evaluation plan can help ensure that pilots generate needed performance information to make effective decisions. While TSA has completed these pilots, developing an evaluation plan for future pilots could help ensure that they are designed and implemented to provide management and Congress with necessary information for decision making. TSA's efforts to enhance the security of the nation's airports have not been guided by a unifying national strategy that identifies key elements, such as goals, priorities, performance measures, and required resources. For example, while TSA's various airport security efforts are implemented by federal and local airport officials, TSA officials said that they have not identified or estimated costs to airport operators for implementing security requirements. GAO has found that national strategies that identify these key elements strengthen decision making and accountability; in addition, developing a strategy with these elements could help ensure that TSA prioritizes its activities and uses resources efficiently to achieve intended outcomes.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-09-399, Aviation Security: A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls
This is the accessible text file for GAO report number GAO-09-399
entitled 'Aviation Security: A National Strategy and Other Actions
Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters
and Access Controls' which was released on October 1, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
September 2009:
Aviation Security:
A National Strategy and Other Actions Would Strengthen TSA's Efforts to
Secure Commercial Airport Perimeters and Access Controls:
GAO-09-399:
GAO Highlights:
Highlights of GAO-09-399, a report to congressional requesters.
Why GAO Did This Study:
Incidents of airport workers using access privileges to smuggle weapons
through secured airport areas and onto planes have heightened concerns
regarding commercial airport security. The Transportation Security
Administration (TSA), along with airports, is responsible for security
at TSA-regulated airports. To guide risk assessment and protection of
critical infrastructure, including airports, the Department of Homeland
Security (DHS) developed the National Infrastructure Protection Plan
(NIPP). GAO was asked to examine the extent to which, for airport
perimeters and access controls, TSA (1) assessed risk consistent with
the NIPP; (2) implemented protective programs, and evaluated its worker
screening pilots; and (3) established a strategy to guide decision
making. GAO examined TSA documents related to risk assessment
activities, airport security programs, and worker screening pilots;
visited nine airports of varying size; and interviewed TSA, airport,
and association officials.
What GAO Found:
Although TSA has implemented activities to assess risks to airport
perimeters and access controls, such as a commercial aviation threat
assessment, it has not conducted vulnerability assessments for 87
percent of the nation‘s approximately 450 commercial airports or any
consequence assessments. As a result, TSA has not completed a
comprehensive risk assessment combining threat, vulnerability, and
consequence assessments as required by the NIPP. While TSA officials
said they intend to conduct a consequence assessment and additional
vulnerability assessments, TSA could not provide further details, such
as milestones for their completion. Conducting a comprehensive risk
assessment and establishing milestones for its completion would provide
additional assurance that intended actions will be implemented, provide
critical information to enhance TSA‘s understanding of risks to
airports, and help ensure resources are allocated to the highest
security priorities.
Since 2004, TSA has taken steps to strengthen airport security and
implement new programs; however, while TSA conducted a pilot program to
test worker screening methods, clear conclusions could not be drawn
because of significant design limitations and TSA did not document key
aspects of the pilot. TSA has taken steps to enhance airport security
by, among other things, expanding its requirements for conducting
worker background checks and implementing a worker screening program.
In fiscal year 2008 TSA pilot tested various methods to screen airport
workers to compare the benefits, costs, and impacts of 100 percent
worker screening and random worker screening. TSA designed and
implemented the pilot in coordination with the Homeland Security
Institute (HSI), a federally funded research and development center.
However, because of significant limitations in the design and
evaluation of the pilot, such as the limited number of participating
airports”7 out of about 450”it is unclear which method is more cost-
effective. TSA and HSI also did not document key aspects of the pilot‘s
design, methodology, and evaluation, such as a data analysis plan,
limiting the usefulness of these efforts. A well-developed and well-
documented evaluation plan can help ensure that pilots generate needed
performance information to make effective decisions. While TSA has
completed these pilots, developing an evaluation plan for future pilots
could help ensure that they are designed and implemented to provide
management and Congress with necessary information for decision making.
TSA‘s efforts to enhance the security of the nation‘s airports have not
been guided by a unifying national strategy that identifies key
elements, such as goals, priorities, performance measures, and required
resources. For example, while TSA‘s various airport security efforts
are implemented by federal and local airport officials, TSA officials
said that they have not identified or estimated costs to airport
operators for implementing security requirements. GAO has found that
national strategies that identify these key elements strengthen
decision making and accountability; in addition, developing a strategy
with these elements could help ensure that TSA prioritizes its
activities and uses resources efficiently to achieve intended outcomes.
What GAO Recommends:
GAO recommends, among other things, that TSA develop a comprehensive
risk assessment of airport security, and milestones for its completion;
an evaluation plan for any future airport security pilot programs; and
a national strategy for airport security that includes key
characteristics, such as goals and priorities. DHS reviewed a draft of
this report and concurred with these recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-09-399] or key
components. For more information, contact Steve Lord at (202) 512-4379
or lords@gao.gov.
[End of section]
Contents:
Letter:
Background:
TSA Has Taken Steps to Assess Threats and Vulnerabilities for Airport
Security, but Has Not Conducted a Comprehensive Risk Assessment to Help
Identify Priorities and Allocate Resources:
TSA Has Taken a Variety of Protective Actions to Strengthen Airport
Security, but Did Not Follow Accepted Practices in Developing Its
Worker Screening Pilot Program; Additionally, Issues Remain regarding
Worker Security, Technology, and Other Initiatives:
A National Strategy for Airport Security Could Help Ensure Program
Effectiveness, Inform Cost and Resource Decisions, Ensure
Collaboration, and Increase Accountability:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: TSA Actions to Address Selected Statutory Requirements for
Airport Security:
Appendix III: TSA Also Uses Compliance Inspections and Covert Testing
to Detect Possible Airport Security Vulnerabilities:
Appendix IV: Costs for Airport Security:
Appendix V: TSA Worker Screening Pilot Program:
Appendix VI: Additional TSA Efforts to Improve General Airport
Security:
Appendix VII: Alternative Methods Available to Assist TSA in Assessing
the Effectiveness of Its Actions to Strengthen Airport Security:
Appendix VIII: Comments from the Department of Homeland Security:
Appendix IX: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Protective Actions TSA Has Taken since 2004 to Strengthen
Airport Security:
Table 2: Requirements Relating to Airport Perimeter and Access Control
Security Imposed through Security Directives and Emergency Amendments:
Table 3: TSA Actions since 2004 to Address Relevant ATSA Requirements
through May 2009:
Table 4: Summary of TSA-Identified Costs Related to Airport Security,
Fiscal Years 2004-2008:
Table 5: Summary of Explanatory Text Directing the Worker Screening
Pilot Program:
Figures:
Figure 1: Commercial Airport Areas Typically Have Varying Levels of
Security:
Figure 2: Total Number of TSA-Reported Security Breaches from Fiscal
Years 2004 through 2008:
Figure 3: NIPP Risk Management Framework:
Abbreviations:
AACPP: Airport Access Control Pilot Program:
ACIS: Aviation Credential Interoperability Solution:
ADASP: Aviation Direct Access Screening Program:
ADRA: air domain risk assessment:
APS: Airport Perimeter Security:
ASP: Airport Security Program:
AOA: air operations area:
ATSA: Aviation and Transportation Security Act:
CHRC: criminal history records check:
DHS: Department of Homeland Security:
FAA: Federal Aviation Administration:
FBI: Federal Bureau of Investigation:
FSD: federal security director:
GPRA: Government Performance and Results Act:
HSI: Homeland Security Institute:
HSPD: Homeland Security Presidential Directive:
NIPP: National Infrastructure Protection Plan:
JVA: joint vulnerability assessment:
OIG: Office of Inspector General:
OMB: Office of Management and Budget:
SIDA: security identification display area:
SPOT: Screening of Passengers by Observation Techniques:
STA: security threat assessment:
TSA: Transportation Security Administration:
TSOB: Transportation Security Oversight Board:
TS-SSP: Transportation Systems-Sector Specific Plan:
VIPR: Visible Intermodal Prevention and Response:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
September 30, 2009:
Congressional Requesters:
Recent criminal incidents involving airport workers using their access
privileges to smuggle weapons and drugs into secured areas of
commercial airports and onto planes has heightened concerns about the
risks posed by workers and the security of airport perimeters and
access to secured areas.[Footnote 1] Moreover, the Transportation
Security Administration (TSA), the agency primarily responsible for
securing the nation's civil aviation system,[Footnote 2] has identified
workers with access to secured airport areas as one of the greatest
potential threats to aviation and highlighted the need to keep airport
perimeters secure.[Footnote 3] Pursuant to the Aviation and
Transportation Security Act (ATSA), which was signed into law shortly
after the terrorist attacks of September 11, 2001, TSA assumed primary
responsibility for implementing and overseeing security operations
within the nation's civil aviation system.[Footnote 4] This includes
overseeing U.S. airport operator efforts to maintain and improve the
security of perimeters and the access controls, as well as implementing
measures to reduce risks posed by workers at the nation's commercial
airports.[Footnote 5] While airport operators, not TSA, generally
retain direct day-to-day operational responsibility for these areas of
security, TSA is responsible for establishing and implementing measures
to improve the security of airport perimeters and access controls to
secured areas within the airports and to reduce the security risks
posed by airport workers.
In 2004 we reported that TSA had taken steps to enhance the security of
airport perimeters and access controls, but that it faced challenges in
identifying security weaknesses of the commercial airport system,
prioritizing funding to address the most critical security needs, and
taking steps to reduce the risks posed by airport workers.[Footnote 6]
We recommended, among other things, that TSA determine if and when
additional security requirements are needed to reduce the risks posed
by airport workers. TSA generally concurred with our findings and
recommendations and has taken steps to address these recommendations.
Since it is not feasible to protect all assets and systems against
every possible threat, the Department of Homeland Security (DHS) has
called for using a risk management approach to prioritize its
investments, develop plans, and allocate resources in a risk-informed
way that balances security and commerce.[Footnote 7] Risk management
calls for a cost-effective use of resources and focuses on developing
and implementing protective actions that offer the greatest mitigation
of risk for any given expenditure. A risk management approach entails a
continual process of managing risk through a series of actions,
including setting goals and objectives, assessing risk, evaluating
alternatives, selecting initiatives to undertake, and implementing and
monitoring those initiatives. In 2009 DHS updated the National
Infrastructure Protection Plan (NIPP), which names TSA as the primary
federal agency responsible for coordinating critical infrastructure
protection efforts within the transportation sector and establishes a
risk management framework to guide security decisions.[Footnote 8]
To respond to the threat posed by airport workers, the Explanatory
Statement accompanying the DHS Appropriations Act, 2008, directed that
TSA use $15 million of its appropriation to conduct a pilot program to
help identify the potential costs and benefits of 100 percent worker
screening and other worker screening methods.[Footnote 9] TSA worked
with airport stakeholders to develop the program, and in May 2008 began
to test various methods of screening workers--including 100 percent
worker screening--at seven airports located throughout the nation. TSA
issued a final report on the results of the pilot program in July 2009.
[Footnote 10]
You requested that we examine TSA's actions since 2004 to strengthen
the security of commercial airport perimeters and access to secured
airport areas. This report evaluates to what extent TSA has:
* assessed the risk to airport security consistent with the NIPP risk
management framework;
* implemented protective programs to strengthen airport security, and
evaluated its worker screening pilot program; and:
* established a national strategy to guide airport security decision
making.
To conduct our review, we examined documents related to TSA's risk
assessment and security activities and programs with regard to airport
security, such as TSA's Civil Aviation Threat Assessment. We also
reviewed documents related to TSA's airport perimeter and access
controls security-related programs, such as standard operating
procedures for the Aviation Direct Access Screening Program (TSA's
random worker screening program), as well as relevant laws,
presidential directives, and TSA management directives. We compared
this information with criteria in DHS's NIPP, the Transportation
Systems Sector-Specific Plan (TS-SSP),[Footnote 11] TSA's risk
management methodology, and our prior work on risk management.[Footnote
12] We relied on TSA to identify its risk assessment activities for
airport security, and we examined how these individual threat and
vulnerability assessment activities addressed the security of airport
perimeter and access controls. Because of the scope of our work, we did
not assess the extent to which each of these activities met the NIPP
core criteria for individual threat and vulnerability assessments;
however, we examined the extent to which the various types of
assessment activities TSA identified, taken together, met the NIPP
criteria for completing a comprehensive risk assessment that combines
threat, vulnerability, and consequence assessments. We also compared
TSA's approach to securing the nation's airport perimeters and access
to secured areas with guidance on security strategies and planning that
we previously reported.[Footnote 13] We obtained data from TSA
officials on vulnerability assessment activities and, by obtaining
information on the processes used to schedule and track these
activities, determined the data were sufficiently reliable for the
purposes of this report. To better understand how TSA has used this
information, we interviewed TSA officials responsible for risk
management and security programs related to airport perimeters and
access controls. We also collected TSA data on security breaches--any
violations of security requirements--at commercial airports; however,
TSA could not distinguish the number of breaches related only to
airport perimeter and access control security from other types of
breaches. By obtaining information on the processes used to collect,
tabulate, and assess these data, we determined that the data were
sufficiently reliable to present contextual information regarding all
breaches to secured areas (including the airport perimeter).
In addition, we asked TSA to identify agency-led activities and
programs for strengthening airport security, as well as procedures for
developing and issuing airport perimeter and access control security
requirements through security directives. We then assessed and
summarized the program information, operations directives, and standard
operating procedures provided by TSA to determine if the agency
addressed relevant statutory requirements and recommendations from our
2004 report.[Footnote 14] We also evaluated TSA's final report on its
worker screening pilot program, including conclusions and limitations
cited by the contractor--the Homeland Security Institute (HSI)--TSA
hired to assist with the pilot's design, implementation, and
evaluation.[Footnote 15] Further, we analyzed TSA and HSI's
documentation of the pilot program's methodology and implementation,
and compared it to criteria in standards for internal control in the
federal government and our previous work on pilot program development
and evaluation.[Footnote 16] At our request, TSA identified 25 security
directives and emergency amendments that imposed requirements related
to airport perimeter and access control security, which we examined to
identify specific areas of regulation. To obtain additional information
on TSA's efforts to strengthen airport security, we interviewed
officials from the two industry associations that support commercial
airport operators and their personnel,[Footnote 17] and conducted site
visits at 9 of approximately 450 U.S. commercial airports. During these
visits we toured airport facilities and interviewed federal security
directors (FSD) and airport security coordinators.[Footnote 18] We
selected these airports based on several factors, including airport
size, category,[Footnote 19] geographical dispersion, and technological
initiatives related to airport perimeter and access control security
(such as infrared intrusion detection systems). In addition, we
conducted interviews with officials from four airports that had
voluntarily implemented or were considering implementing additional
worker screening methods.[Footnote 20] While the experiences of these
officials and airports cannot be generalized to all airports and
security officials, they provided insight into how security efforts
were chosen and developed. A more detailed discussion of our scope and
methodology is contained in appendix I.
We conducted this performance audit from May 2007 through September
2009 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
Background:
Airport Security Roles and Responsibilities:
On February 17, 2002, pursuant to ATSA, TSA assumed responsibility for
the security of the nation's civil aviation system from the Federal
Aviation Administration (FAA), including FAA's existing aviation
security programs, plans, regulations, orders, and directives covering
airports, air carriers, and other related entities. Among other things,
ATSA directs TSA to improve the security of airport perimeters and the
access controls leading to secured areas, and take measures to reduce
the security risks posed by airport workers. (See appendix II for more
specific details on ATSA requirements and TSA's actions to address
these requirements.) TSA has 158 FSDs who oversee the implementation
of, and adherence to, TSA requirements at the approximately 450
commercial airports nationwide. As part of TSA's oversight role, it
also conducts compliance inspections,[Footnote 21] covert testing,
[Footnote 22] and vulnerability assessments to analyze and improve
security. (See appendix III for information on how TSA uses compliance
inspections and covert testing to identify possible airport security
vulnerabilities.)
In general, TSA funds its perimeter and access control security-related
activities out of its annual appropriation and in accordance with
direction set forth in congressional committee reports. For example,
the Explanatory Statement accompanying the DHS Appropriations Act,
2008, directed that TSA allocate $15 million of its appropriation to a
worker screening pilot program. TSA does not track the amount of funds
spent in total for perimeter and access controls because related
efforts and activities can be part of broader security programs that
also serve other aspects of aviation security. In addition, airports
may receive federal funding for perimeter and access control security,
such as through federal grant programs or TSA pilot programs. (For more
information on such airport security costs and funding, see appendix
IV.)
Airport operators have direct responsibility for day-to-day aviation
operations, including, in general, the security of airport perimeters,
access controls, and workers, as well as for implementing TSA security
requirements. Airport operators implement security requirements in
accordance with their TSA-approved security programs.[Footnote 23]
Elements of a security program may include, among other things,
procedures for performing background checks on airport workers,
applicable training programs for these workers, and procedures and
measures for controlling access to secured airport areas. Security
programs may also be required to describe the secured areas of the
airport, including a description and map detailing boundaries and
pertinent features of the secured areas, and the measures used to
control access to such areas.[Footnote 24]
Commercial airports are generally divided into designated areas that
have varying levels of security, known as secured areas, security
identification display areas (SIDA), air operations areas (AOA), and
sterile areas.[Footnote 25] Sterile areas, located within the terminal,
are where passengers wait after screening to board departing aircraft.
Access to sterile areas is controlled by TSA screeners at security
checkpoints, where they conduct physical screening of passengers and
their property.[Footnote 26] Airport workers may access the sterile
area through the security checkpoint or through other access points
secured by the airport operator in accordance with its security
program. The SIDA and the AOA are not to be accessed by passengers, and
typically encompass baggage loading areas, areas near terminal
buildings, and other areas close to parked aircraft and airport
facilities, as illustrated in figure 1.
Figure 1: Commercial Airport Areas Typically Have Varying Levels of
Security:
[Refer to PDF for image: illustration]
Commercial Airport Areas: the illustration identifies the following:
Security identification display area;
Air operations area (AOA);
Sterile area.
Source: GAO.
Notes: This figure shows airport security areas designated in
accordance with TSA requirements. Pursuant to 49 C.F.R. § 1542.205,
each airport area defined as a secured area in a security program must
be a SIDA, though other areas of the airport may also be designated as
SIDAs by the airport operator. For example, some airport operators
designate all AOAs as SIDAs.
[End of figure]
Securing access to the sterile area from other secured areas--such as
the SIDA--and security within the area, is the responsibility of the
airport operator, in accordance with its security program. Airport
perimeter and access control security is intended to prevent
unauthorized access into secured areas--either from outside the airport
complex or from within the airport's sterile area. Individual airport
operators determine the boundaries for each of these areas on a case-
by-case basis, depending on the physical layout of the airport and in
accordance with TSA requirements. As a result, some of these areas may
overlap. Within these areas, airport operators are responsible for
safeguarding their airfield barriers, preventing and detecting
unauthorized entry into secured areas, and conducting background checks
of workers with unescorted access to secured areas.
Methods used by airports to control access through perimeters or into
secured areas vary because of differences in the design and layout of
individual airports, but all access controls must meet minimum
performance standards in accordance with TSA requirements. These
methods typically involve the use of one or more of the following:
pedestrian and vehicle gates, keypad access codes using personal
identification numbers, magnetic stripe cards and readers, turnstiles,
locks and keys, and security personnel.
According to TSA officials, airport security breaches occur within and
around secured areas at domestic airports (see figure 2 for the number
of security breaches reported by TSA from fiscal year 2004 through
fiscal year 2008). While some breaches may represent dry runs by
terrorists or others to test security or criminal incidents involving
airport workers, most are accidental.[Footnote 27] TSA requires FSDs to
report security breaches that occur both at the airports for which they
are responsible and on board aircraft destined for their airports. TSA
officials said that they review security breach data and report them to
senior management as requested, and provide data on serious breaches to
senior management on a daily basis, as applicable.
Figure 2: Total Number of TSA-Reported Security Breaches from Fiscal
Years 2004 through 2008:
[Refer to PDF for image: vertical bar graph]
Fiscal year: 2004;
Number of security breaches: 1,442.
Fiscal year: 2005;
Number of security breaches: 2,073.
Fiscal year: 2006;
Number of security breaches: 2,258.
Fiscal year: 2007;
Number of security breaches: 2,758.
Fiscal year: 2008;
Number of security breaches: 2,819.
Source: GAO analysis of TSA data.
Notes: Because these data include security breaches that occurred
within any type of secured area, including sterile areas frequented by
passengers, they are not specific to perimeter and access controls and
cannot be analyzed to identify trends related to breaches solely
related to perimeter and access control security. At the time of our
review, TSA officials told us that they were unable to identify how
much of the increase in breaches could be specifically related to
airport workers or to the security of airport perimeters and access
controls. Finally, the data are based on total breaches and have not
been adjusted to reflect potential issues that could influence how the
data are interpreted, such as annual increases in passenger volume,
changes in the number of commercial airports, or significant variations
in the number of breaches at individual airports.
[End of figure]
According to a TSA official, the increase in known breaches from fiscal
years 2004 through 2005 reflects a change in the requirements for
reporting security breaches that TSA issued in December 2005.[Footnote
28] This change provided more specific instructions to FSDs on how to
categorize different types of security incidents. Regarding increases
in security breaches from fiscal years 2005 through 2008, TSA officials
said that while they could not fully explain these increases, there
could be several reasons to account for this growth. For example,
according to TSA officials, changes in TSA management often trigger
increases in specific types of breaches reported, such as since 2004,
when the priorities of the new Administrator resulted in an increase in
the reporting of restricted items. TSA officials also stated that a
report of a security breach at a major U.S. airport is likely to cause
security and law enforcement officials elsewhere to subsequently raise
the overall awareness of security requirements for a period of time. In
addition, TSA noted that certain inspections conducted by TSA officials
tend to produce heightened awareness by federal and airport employees
whose perimeter security and access control procedures are being
inspected for compliance with regulations.
Risk Management Approach Can Help Guide Homeland Security Efforts:
Risk management is a tool for informing policymakers' decisions about
assessing risks, allocating resources, and taking actions under
conditions of uncertainty. We have previously reported that a risk
management approach can help to prioritize and focus the programs
designed to combat terrorism.[Footnote 29] Risk management, as applied
in the transportation security context, can help federal decision
makers determine where and how to invest limited resources within and
among the various modes of transportation.[Footnote 30] In accordance
with Homeland Security Presidential Directive (HSPD) 7, the Secretary
of Homeland Security designated TSA as the sector-specific agency for
the transportation security sector, requiring TSA to identify,
prioritize, and coordinate the protection of critical infrastructure
and key resources within this sector and integrate risk management
strategies into its protective activities.[Footnote 31] In June 2006,
in accordance with HSPD-7 and the Homeland Security Act of 2002, DHS
released the NIPP, which it later updated in 2009. The NIPP developed a
risk management framework for homeland security. In accordance with the
NIPP, TSA developed the TS-SSP to govern its strategy for securing the
transportation sector, as well as annexes for each mode of
transportation, including aviation. The NIPP and TS-SSP set forth risk
management principles, including a comprehensive risk assessment
process for considering threat, vulnerability, and consequence
assessments to determine the likelihood of terrorist attacks and the
severity of the impacts. Figure 3 illustrates the interrelated
activities of the NIPP's risk management framework.
Figure 3: NIPP Risk Management Framework:
[Refer to PDF for image: illustration]
NIPP Risk Management Framework:
Step 1: Set security goals;
Step 2: Identify assets,systems, networks,and functions;
Step 3: Assess risks (consequences, vulnerabilities, and threats);
Step 4: Prioritize;
Step 5: Implement protective programs;
Step 6: Measure effectiveness.
Sources: GAO presentation of DHS information.
[End of figure]
* Set security goals: Define specific outcomes, conditions, end points,
or performance targets that collectively constitute an effective
protective posture.
* Identify assets, systems, networks, and functions: Develop an
inventory of the assets, systems, and networks that constitute the
nation's critical infrastructure, key resources, and critical
functions. Collect information pertinent to risk management that takes
into account the fundamental characteristics of each sector.
* Assess risks: Determine risk by combining potential direct and
indirect consequences of a terrorist attack or other hazards (including
seasonal changes in consequences and dependencies and interdependencies
associated with each identified asset, system, or network), known
vulnerabilities to various potential attack vectors, and general or
specific threat information.[Footnote 32]
* Prioritize: Aggregate and analyze risk assessment results to develop
a comprehensive picture of asset, system, and network risk; establish
priorities based on risk; assess the mitigation of risk for each
proposed activity based on a specific investment; and determine
protection and business continuity initiatives that provide the
greatest mitigation of risk.
* Implement protective programs: To reduce or manage identified risk,
select sector-appropriate protective actions or programs that offer the
greatest mitigation of risk for any given resource/expenditure/
investment. Secure the resources needed to address priorities.
* Measure effectiveness: Use metrics and other evaluation procedures at
the national and sector levels to measure progress and assess the
effectiveness of the national Critical Infrastructure and Key Resources
Protection Program in improving protection, managing risk, and
increasing resiliency.[Footnote 33]
Within the risk management framework, the NIPP also establishes core
criteria for risk assessments. According to the NIPP, risk assessments
are a qualitative determination, a quantitative determination, or both
of the likelihood of an adverse event occurring and are a critical
element of the NIPP risk management framework. Risk assessments also
help decision makers identify and evaluate potential risks so that
countermeasures can be designed and implemented to prevent or mitigate
the potential effects of the risks. The NIPP characterizes risk
assessment as a function of three elements:
* Threat: The likelihood that a particular asset, system, or network
will suffer an attack or an incident. In the context of risk associated
with a terrorist attack, the estimate of this is based on the analysis
of the intent and the capability of an adversary; in the context of a
natural disaster or accident, the likelihood is based on the
probability of occurrence.
* Vulnerability: The likelihood that a characteristic of, or flaw in,
an asset's, system's, or network's design, location, security posture,
process, or operation renders it susceptible to destruction,
incapacitation, or exploitation by terrorist or other to intentional
acts, mechanical failures, and natural hazards.
* Consequence: The negative effects on public health and safety, the
economy, public confidence in institutions, and the functioning of
government, both direct and indirect, that can be expected if an asset,
system, or network is damaged, destroyed, or disrupted by a terrorist
attack, natural disaster, or other incident.
Information from the three elements used in assessing risk--threat,
vulnerability, and consequence--can lead to a risk characterization and
provide input for prioritizing security goals.
TSA Has Taken Steps to Assess Threats and Vulnerabilities for Airport
Security, but Has Not Conducted a Comprehensive Risk Assessment to Help
Identify Priorities and Allocate Resources:
While TSA has taken steps to assess risk, it has not conducted a
comprehensive risk assessment based on assessments of threats,
vulnerabilities, and consequences. TSA officials reported that they
have identified threats to airport security as part of an overall
assessment of threats to the civil aviation system. While TSA has
conducted vulnerability assessment activities at select airports, it
has not analyzed whether the select assessments reflect the overall
vulnerability of airport security nationwide. Further, TSA has not yet
assessed the consequences of an attack against airport perimeter and
access control security.
TSA Has Taken Steps to Assess Risk, but a Comprehensive Risk Assessment
Would Identify Priorities and Inform Resource Allocation:
According to the NIPP, risk assessments are to be documented,
reproducible (so that others can verify the results), defensible
(technically sound and free of significant errors), and complete. The
NIPP maintains that these qualities are necessary to risk assessments
so they can be used to support national-level, comparative risk
assessment, planning, and resource prioritization. For a risk
assessment to be considered complete, the NIPP states that it must
specifically assess threat, vulnerability, and consequence; after these
three components have been assessed, they are to be combined to produce
a risk estimate.[Footnote 34] According to the NIPP, comprehensive risk
assessments are necessary for determining which assets or systems face
the highest risk for prioritizing risk mitigation efforts and the
allocation of resources and for effectively measuring how security
programs reduce risks.
In March 2009 we reported that a lack of information that fully depicts
threats, vulnerabilities, and consequences limits an organization's
ability to establish priorities and make cost-effective security
measure decisions.[Footnote 35] TSA officials told us that they have
not completed a comprehensive risk assessment for airport security,
although they said that they have prepared and are currently reviewing
a draft of a comprehensive, scenario-based air domain risk assessment
(ADRA), which officials said is to serve as a comprehensive risk
assessment for airport security.[Footnote 36] According to officials,
the ADRA is to address all three elements of risk for domestic
commercial aviation, general aviation, and air cargo.[Footnote 37]
However, TSA has not released it as originally planned for in February
2008. As of May 2009 TSA officials had not provided revised dates for
when the agency expects to finalize the ADRA, and they could not
provide documentation to demonstrate to what extent the ADRA will
address all three components of risk for airport perimeter and access
control security. As a result, it is not clear whether the ADRA will
provide the risk analysis needed to inform TSA's decisions and planning
for airport perimeter and access control security.[Footnote 38]
Standard practices in program management call for documenting the scope
of the program and milestones (i.e., time frames) to ensure results are
achieved.[Footnote 39] Conducting a comprehensive risk assessment for
airport security and documenting milestones for its implementation
would help ensure that TSA's intended actions will be implemented, and
would allow TSA to more confidently ensure that its investments in
airport security are risk informed and allocated toward the highest-
priority risks.
TSA Uses a Variety of Products to Assess Threat to Airport Security:
A threat assessment is the identification and evaluation of adverse
events that can harm or damage an asset.[Footnote 40] TSA uses several
products to identify and assess potential threats to airport security,
such as daily intelligence briefings, weekly suspicious incident
reports, and situational awareness reports,[Footnote 41] all of which
are available to internal and external stakeholders. TSA also issues an
annual threat assessment of the U.S. civil aviation system, which
includes an assessment of threats to airport perimeter and access
control security. According to TSA officials, these products
collectively form TSA's assessment of threats to airport perimeter and
access control security. TSA's 2008 Civil Aviation Threat Assessment
cites four potential threats related to perimeter and access control
security, one of which is the threat from insiders--airport workers
with authorized access to secured areas.[Footnote 42] The 2008
assessment characterized the insider threat as "one of the greatest
threats to aviation,"[Footnote 43] which TSA officials explained is
meant to reflect the opportunity insiders have to do damage, as well as
the vulnerability of commercial airports to an insider attack, which
these officials stated as being very high.[Footnote 44] As of May 2009,
TSA had no knowledge of a specific plot by terrorists or others to
breach the security of any domestic commercial airport. However, TSA
has also noted that airports are seen as more accessible targets than
aircraft, and that airport perimeters may become more desirable targets
as terrorists look for new ways to circumvent aviation security.
Intelligence is necessary to inform threat assessments. As we reported
in March 2009,[Footnote 45] TSA has not clarified the levels of
uncertainty--or varying levels of confidence--associated with the
intelligence information it has used to identify threats to the
transportation sector and guide its planning and investment decisions.
Both Congress and the administration have recognized uncertainty
inherent in intelligence analysis, and have required analytic products
within the intelligence community to properly caveat and express
uncertainties or confidence in resulting conclusions or judgments.
[Footnote 46] As a result, the intelligence community and the
Department of Defense have adopted this practice in reporting threat
intelligence. Since TSA does not assign confidence levels to its
analytic judgments, it is difficult for TSA to correctly prioritize its
tactics and investments based on uncertain intelligence. In March 2009
we recommended that TSA work with the Director of National Intelligence
to determine the best approach for assigning uncertainty or confidence
levels to analytic intelligence products and apply this approach.
[Footnote 47] TSA agreed with this recommendation and said that it has
begun taking action to address it.
Additional Analysis Could Help Inform TSA's Assessment Activities for
Airport Security Vulnerabilities:
Analyzing the Extent to Which Joint Vulnerability Assessments Provide
an Assessment of Nationwide Vulnerabilities Could Strengthen TSA's
Ability to Mitigate Risk:
The NIPP requires that a risk assessment include a comprehensive
assessment of vulnerabilities in assets or systems, such as a physical
design feature or type of location, that make them susceptible to a
terrorist attack.[Footnote 48] As we reported in June 2004,[Footnote
49] these assessments are intended to facilitate airport operators'
efforts to comprehensively identify and effectively address perimeter
and access control security weaknesses. TSA officials told us that
their primary measures for assessing the vulnerability of commercial
airports to attack are the collective results of joint vulnerability
assessments (JVA) and professional judgment. TSA officials said that
the agency plans to expand the number of JVAs conducted in the future
but, as of May 2009, did not have a plan for doing so.
According to TSA officials, JVAs are assessments that teams of TSA
special agents and other officials conduct jointly with the Federal
Bureau of Investigation (FBI) and, as required by law, are generally
conducted every 3 years for airports identified as high risk.[Footnote
50] In response to our 2004 recommendation that TSA establish a
schedule and analytical approach for completing vulnerability
assessments for evaluating airport security, TSA developed criteria to
select and prioritize airports as high-risk for assessment.[Footnote
51] TSA officials stated that in addition to assessing airports
identified as high risk, the agency has also assessed the vulnerability
of other airports at the request of FSDs. According to TSA's TS-SSP,
after focusing initially on airports deemed high risk, JVAs are to be
conducted at all commercial airports. TSA officials stated that JVA
teams assess all aspects of airport security and operations, including
fuel, cargo, catering, general aviation, terminal area and law
enforcement operations, and the controls that limit access to secured
areas and the integrity of the airport perimeter. However, officials
emphasized that a JVA is not intended to be a review of an airport's
compliance with security requirements and teams do not impose penalties
for noncompliance. From fiscal years 2004 through 2008, TSA conducted
67 JVAs at a total of 57 airports[Footnote 52]--about 13 percent of the
approximately 450 commercial airports nationwide. In 2007 TSA officials
conducted a preliminary analysis of the results of JVAs conducted at 23
domestic airports during fiscal years 2004 and 2005, and found 6 areas
in which 20 percent or more of the airports assessed were identified as
vulnerable. Specific vulnerabilities included the absence of blast
resistant glass in terminal windows, lack of bollards/barriers in front
of terminals, lack of blast resistant trash receptacles, and
insufficient electronic surveillance of perimeter lines and access
points. As of May 2009 TSA officials said that the agency had not
finalized this analysis and, as of that date, did not have plans to do
so. TSA officials also told us that they have shared the results of JVA
reports with TSA's Office of Security Technology to prioritize the
distribution of relevant technology to those airports with
vulnerabilities that these technologies could strengthen.
TSA characterizes U.S. airports as a system of interdependent hubs and
links (spokes) in which the security of all is affected or disrupted by
the security of the weakest one. The interdependent nature of the
system necessitates that TSA protect the overall system as well as
individual assets.[Footnote 53] TSA maintains that such a "systems-
based approach" allows it to focus resources on reducing risks across
the entire system while maintaining cost-effectiveness and efficiency.
TSA officials could not explain to what extent the collective JVAs of
specific airports constitute a reasonable systems-based assessment of
vulnerability across airports nationwide or whether the agency has
considered assessing vulnerabilities across all airports. Although TSA
has conducted JVAs at each category of airport, 58 of the 67 were at
the largest airports.[Footnote 54] According to TSA data, 87 percent of
commercial airports--most of the smaller Category II, III, and IV
airports--have not received a JVA.[Footnote 55] TSA officials said that
because they have not conducted JVAs for these airports, they do not
know how vulnerable they are to an intentional security breach. In 2004
we reported that TSA intended to compile baseline data on airport
security vulnerabilities to enable it to conduct a systematic analysis
of airport security vulnerabilities nationwide.[Footnote 56] At that
time TSA officials told us that such analysis was essential since it
would allow the agency to determine the adequacy of security policies
and help TSA and airport operators better direct limited resources.
According to TSA officials, conducting JVAs at all airports would allow
them to compile national baseline data on perimeter and access control
security vulnerabilities. As of May 2009, however, TSA officials had
not yet completed a nationwide vulnerability assessment, evaluated
whether the current approach to JVAs would provide the desired systems-
based approach to assessing airport security vulnerabilities, or
explained why a nationwide assessment or evaluation has not been
conducted. In subsequent discussions, TSA officials told us that based
on our review they intend to increase the number of JVAs conducted at
airports that are not categorized as high risk--primarily Category II,
III, and IV airports. According to officials, the resulting data are to
assist TSA in prioritizing the allocation of limited resources.
However, TSA officials could not tell us how many additional airports
they plan to assess in total or within each category, the analytical
approach and time frames for conducting these assessments, and to what
extent these additional assessments, in combination with past JVAs,
will constitute a reasonable systems-based assessment of vulnerability
across airports nationwide. Standard practices for program management
call for establishing a management plan and milestones to meet stated
objectives and achieve results.[Footnote 57] It is also unclear to what
extent the ADRA, when it is completed, will represent a systems-based
vulnerability assessment, an assessment of airports nationwide, or
both. Given that TSA officials believe that the vulnerability of
airports to an insider attack is very high and the security of airports
is interconnected, this vulnerability would extend throughout the
nationwide system of airports. Evaluating the extent to which the
agency's current approach assesses systems-based vulnerabilities,
including the vulnerabilities of smaller airports, would better
position TSA to provide reasonable assurance that it is identifying and
addressing the areas of greatest vulnerability and the spectrum of
vulnerability across the entire airport system. Further, should TSA
decide to conduct a nationwide assessment of airport vulnerability,
developing a plan that includes milestones for completing the
assessment would help TSA ensure that it takes the necessary actions to
accomplish desired objectives within reasonable time frames.
TSA Could Strengthen Its Understanding of Risks by Considering
Vulnerability Assessment Activities Conducted by Airport Operators:
According to the NIPP, DHS and lead security agencies, such as TSA, are
to seek to use information from the risk assessments of security
partners, whenever possible, to contribute to an understanding of
sector and national risks. Moreover, the NIPP states that DHS and lead
agencies are to work together to assist security partners in providing
vulnerability assessment tools that may be used as part of self-
assessment processes, and provide recommendations regarding the
frequency of assessments, particularly in light of emergent threats.
According to the NIPP, stakeholder vulnerability assessments may serve
as a basis for developing common vulnerability reports that can help
identify strategic needs and more fully investigate interdependencies.
However, TSA officials could not explain to what extent they make use
of relevant vulnerability assessments conducted independently by
airport operators to contribute to the agency's understanding of
airport security risks, or have worked with security partners to help
ensure that tools are available for airports to conduct self-assessment
processes of vulnerability. Officials from two prominent airport
industry associations estimated that the majority of airports,
particularly larger airports, have conducted vulnerability assessments,
although they could not give us a specific number. In addition,
officials from 8 of the 10 airports whom we interviewed on this issue
told us that their airports had conducted vulnerability assessment
activities.[Footnote 58] Some of these analyses could be useful to TSA
in conducting a systematic analysis of airport security vulnerabilities
nationwide. By taking advantage, to the extent possible, of existing
vulnerability assessment activities conducted by airport operators, TSA
could enrich its understanding of airport security vulnerabilities and
therefore better inform federal actions for reducing airport
vulnerabilities.
TSA Has Not Conducted a Consequence Assessment for Airport Security:
According to TSA officials, the agency has not assessed the
consequences of a successful attack against airport perimeters or a
breach to secured areas within airports, even though the NIPP asserts
that the potential consequence of an incident is the first factor to be
considered in developing a risk assessment. According to the NIPP, risk
assessments should include consequence assessments that evaluate
negative effects to public health and safety, the economy, public
confidence in national economic and political institutions, and the
functioning of government that can be expected if an asset, system, or
network is damaged, destroyed, or disrupted by a terrorist attack.
Although TSA officials agree that a consequence assessment for airport
security is needed, and have stated that the ADRA is intended to
provide a comprehensive consequence assessment based on risk scenarios,
the agency has not provided additional details as to what the
assessment will include, the extent to which it will assess consequence
for airport security, or when it will be completed. Standard management
practices call for documenting milestones (i.e., time frames) to ensure
that results are achieved.[Footnote 59] TSA officials have agreed that
a consequence assessment for airport perimeter and access controls
security is an important element in assessing risk to airport security.
In addition, TSA officials commented that although the immediate
consequences of a breach of airport security would likely be limited,
such an event could be the first step in a more significant attack
against an airport terminal or aircraft, or an attempt to use an
aircraft as a weapon. Conducting a consequence assessment could help
TSA in developing a comprehensive risk assessment and increase its
assurance that the resulting steps it takes to strengthen airport
security will more effectively reduce risk and mitigate the
consequences of an attack on individual airports and the aviation
system as a whole.
TSA Has Taken a Variety of Protective Actions to Strengthen Airport
Security, but Did Not Follow Accepted Practices in Developing Its
Worker Screening Pilot Program; Additionally, Issues Remain regarding
Worker Security, Technology, and Other Initiatives:
TSA has implemented a variety of programs and protective actions to
strengthen airport security, from additional worker screening to
assessing different technologies. For example, consistent with the
Explanatory Statement, TSA piloted several methods to screen workers
accessing secured areas, but clear conclusions could not be drawn
because of significant design limitations, and TSA did not develop or
document an evaluation plan to guide design and implementation of the
pilot. Further, while TSA has strengthened other worker security
programs, assessed various technologies, and added to programs aimed at
improving general airport security, certain issues, such as whether
security technologies meet airport needs, have not been fully resolved.
TSA Has Taken a Variety of Protective Actions to Improve and Strengthen
the Security of Commercial Airports since 2004:
TSA has taken a variety of protective actions to improve and strengthen
the security of commercial airports through the development of new
programs or by enhancing existing efforts. Since we last reported on
airport perimeter and access control security in June 2004,[Footnote
60] TSA has implemented efforts to strengthen worker screening and
security programs, improve access control technology, and enhance
general airport security by providing an additional security presence
at airports. According to TSA, each of its security actions--or layers-
-is capable of stopping a terrorist attack, but when used in
combination (what TSA calls a layered approach), a much stronger system
results.[Footnote 61] To better address the risks posed by airport
workers, TSA, in accordance with the Explanatory Statement accompanying
the DHS Appropriations Act, 2008, initiated a worker screening pilot
program to assess various types of screening methods for airport
workers.[Footnote 62] TSA also implemented a random worker screening
program and is currently working to apply its screening procedures
consistently across airports. In addition, TSA has expanded its
requirements for conducting worker background checks. TSA has also
taken steps, such as implementing two pilot programs, to identify and
assess technologies to strengthen the security of airport perimeters
and access controls to secured areas. Further, TSA has taken steps to
strengthen general airport security processes. For example, TSA has
developed a program in which teams of TSA officials, law enforcement
officers, and airport officials temporarily augment airport security
through various actions such as randomly inspecting workers, property,
and vehicles and patrolling secured areas. Table 1 lists the actions
TSA has taken since 2004 to strengthen airport security.[Footnote 63]
Table 1: Protective Actions TSA Has Taken since 2004 to Strengthen
Airport Security:
Type of security: Worker screening pilot test;
TSA program/action: Pilot program;
Description: From May to July 2008, TSA implemented a worker screening
pilot program at seven airports that was designed to assess various
methods for screening airport workers before they enter secured areas.
Three airports tested 100 percent worker screening, and four airports
tested a variety of enhanced screening methods, such as random targeted
physical inspections.
Type of security: Worker security programs;
TSA program/action: Aviation Direct Access Screening Program (ADASP);
Description: Implemented in March 2007, ADASP is an airport worker
screening program that is used to enforce access procedures, such as
ensuring workers display appropriate credentials and do not possess
unauthorized items when entering secure areas. Conducted on an
unpredictable basis, ADASP varies in duration and can include temporary
worker screening checkpoints, vehicle screening checkpoints, or both.
Type of security: Worker security programs;
TSA program/action: Worker background checks;
Description: TSA has expanded requirements for background checks and
the population of individuals who are subject to these checks;
* In July 2004 TSA expanded security threat assessments (STA), which
are name-based background checks, to require applicants who would be
working in a SIDA or sterile area to submit biographical information,
such as date of birth. In 2005 TSA began to require that STAs include a
citizenship check. TSA subsequently required STAs for all workers
seeking or holding airport-issued identification badges or credentials;
* In July 2004 TSA enhanced criminal history records checks (CHRC),
which are fingerprint-based background checks, for individuals working
in a SIDA or sterile area by requiring applicants seeking unescorted
access authority to successfully complete a CHRC. In June 2009, among
other things, TSA required airports to renew all airport-identification
media every 2 years and to require workers to resubmit biographical
information in the event of certain changes.
Type of security: Security technology;
TSA program/action: Biometric access control initiatives;
Description: TSA has taken steps to respond to statutory requirements
related to biometric worker credentialing;
* TSA has assisted the aviation industry and a federal aviation
advisory committee in developing security standards for biometric
access controls;
* TSA is in the early stages of developing the Aviation Credential
Interoperability Solution program, a standardized credentialing system.
Airports will use biometrics to verify the identities of workers and
confirm their access privileges before granting them entry to secured
areas.
Type of security: Security technology;
TSA program/action: Technology pilot programs;
Description: TSA has established two statutorily directed pilot
programs to assess airport security technology:
* In 2004 TSA initiated the Airport Access Control Pilot Program to
test, assess, and provide information on new and emerging technologies.
TSA issued a final report on the pilots in December 2006, but officials
said that a second round of pilots would be needed for program
evaluation;
* In 2006 TSA initiated the Airport Perimeter Security pilot project to
identify and mitigate existing perimeter security vulnerabilities using
commercially available technology. This project was scheduled to
conclude in December 2007, and five of the six pilots have been
completed.
Type of security: General airport security;
TSA program/action: Security directive requirements;
Description: TSA uses security directives to impose requirements for
strengthening airport security. Since 2004, requirements implemented
through security directives were expanded in the area of airport
perimeter and access control security. TSA may decide to impose
security directive requirements on airport operators through security
directives if it determines that such security measures are needed to
respond to general or specific threats against the civil aviation
system.[A]
Type of security: General airport security;
TSA program/action: Visible Intermodal Prevention and Response (VIPR)
program;
Description: Established in December 2005, VIPR uses teams of TSA
officials--such as transportation security inspectors, behavior
detection officers, bomb appraisal officers, canine handlers, and
federal air marshals--and local law enforcement and airport officials
to temporarily augment security. VIPR teams perform various functions,
including randomly inspecting workers, property, and vehicles, as well
as patrolling secure areas across all modes of transportation,
including the aviation sector.
Type of security: General airport security;
TSA program/action: Screening of Passengers by Observation Techniques
(SPOT) program;
Description: Piloted in 2004 and incrementally expanded as a nationwide
program starting in October 2006, SPOT is a screening program in which
behavior detection officers use behavior observation and analysis
techniques to identify individuals who could pose a security threat.
Type of security: General airport security;
TSA program/action: Law Enforcement Officer Reimbursement Program[B];
Description: Initiated in April 2002, the Law Enforcement Officer
Reimbursement Program was established to provide partial reimbursement
for law enforcement presence in support of the passenger screening
checkpoint. In June 2003 the program was expanded so officers may also
patrol the perimeter, be stationed at access points to assist with
worker and passenger screening, or both.
Source: GAO analysis of TSA actions.
[A] Pursuant to 49 C.F.R. part 1542.303, TSA may issue a security
directive setting forth requirements when it determines that additional
security measures are necessary to respond to a threat assessment or a
specific threat against civil aviation. Each airport operator must
comply with an applicable security directive within the time prescribed
by the security directive.
[B] Pursuant to 49 U.S.C. § 44903(c) and 49 C.F.R. § 1542.215, a
commercial airport must maintain a law enforcement presence and
capability at the airport in the number and manner adequate to support
its security program and other security functions at the airport.
According to TSA officials, as part of the Law Enforcement Officer
Reimbursement Program, a reimbursable cooperative agreement is
negotiated between TSA and the respective airport operator to reimburse
the operator for funds expended on law enforcement efforts per the
terms of the cooperative agreement. See 49 C.F.R. § 1542.219.
[End of table]
TSA Has Pilot Tested Various Worker Screening Methods, but Significant
Program Limitations and Lack of a Sound Evaluation Plan May Limit the
Usefulness of the Results:
From May through July 2008 TSA piloted a program to screen 100 percent
of workers at three airports and to test a variety of enhanced
screening methods at four other airports.[Footnote 64] (See appendix V
for more detailed information on the pilot program, including locations
and types of screening methods used.) According to TSA, the objective
of the pilot was to compare 100 percent worker screening and enhanced
random worker screening based on (1) screening effectiveness, (2)
impact on airport operations, and (3) cost considerations. TSA
officials hired a contractor--HSI, a federally funded research and
development center--to assist with the design, implementation, and
evaluation of the data collected.[Footnote 65] In July 2009 TSA
released a report on the results of the pilot program, which included
HSI's findings.[Footnote 66] HSI concluded that random screening is a
more cost-effective approach because it appears "roughly" as effective
in identifying contraband items--or items of interest--at less cost
than 100 percent worker screening. However, HSI also emphasized that
the pilot program "was not a robust experiment" because of limitations
in the design and evaluation, such as the limited number of
participating airports, which led HSI to identify uncertainties in the
results. Given the significance of these limitations, we believe that
it is unclear whether random worker screening is more or less cost-
effective than 100 percent worker screening.
Specifically, HSI identified what we believe to be significant
limitations related to the design of the pilot program and the
estimation of costs and operational effects. Limitations related to
program design include (1) a limited number of participating airports,
(2) the short duration of screening operations (generally 90 days), (3)
the variety of screening techniques applied, (4) the lack of a
baseline, and (5) limited evaluation of enhanced methods.[Footnote 67]
For example, HSI noted that while two of the seven pilot airports
performed complete 100 percent worker screening, neither was a Category
X airport; a third airport--a Category X--performed 100 percent
screening at certain locations for limited durations.[Footnote 68] HSI
also reported that the other four pilot airports used a range of tools
and screening techniques--magnetometers,[Footnote 69] handheld metal
detectors, pat-downs--which reduced its ability to assess in great
detail any one screening process common to all the pilot airports. In
addition, HSI cited issues regarding the use of baseline data for
comparison of screening methods. HSI attempted to use previous Aviation
Direct Access Screening Program (ADASP) screening data for comparison,
but these data were not always comparable in terms of how the screening
was conducted. In addition, HSI identified a significant limitation in
generalizing pilot program results across airports nationwide, given
the limited number and diversity of the pilot airports. HSI noted that
because these airports were chosen based on geographic diversity and
size, other unique airport factors that might affect worker screening
operations--such as workforce size and the number and location of
access points--may not have been considered.
HSI also recognized what we believe to be significant limitations in
the development of estimates of the costs and operational effects of
implementing 100 percent worker screening and random worker screening
nationwide.[Footnote 70] HSI's characterization of its cost estimates
as "rough order of magnitude"--or imprecise--underscores the challenge
of estimating costs for the entire airport system in the absence of
detailed data on individual airports nationwide and in light of the
limited amount of information gleaned from the pilot on operational
effects and other costs. HSI noted that the cost estimates do not
include costs associated with operational effects, such as longer wait
times for workers, and potentially costly infrastructure modifications,
such as construction of roads and shelters to accommodate vehicle
screening. HSI developed high-and low-cost estimates based on current
and optimal numbers of airport access points and the amount of
resources (personnel, space, and equipment) needed to conduct 100
percent and random worker screening. According to these estimates, the
direct cost--including personnel, equipment, and other operation needs--
of implementing 100 percent worker screening would range from $5.7
billion to $14.9 billion for the first year, while the direct costs of
implementing enhanced random worker screening would range from $1.8
billion to $6.6 billion.
HSI noted that the random worker screening methods applied in the
worker screening pilot program were a "significant step" beyond TSA's
ongoing worker screening program--ADASP--which the agency characterizes
as a "random" worker screening program. For the four pilot airports
that applied random screening methods, TSA and airport associations
agreed to screen a targeted 20 percent of workers who entered secured
areas each day.[Footnote 71] TSA officials also told us that this 20
percent threshold was significantly higher than that applied through
ADASP, although officials said that they do not track the percentage of
screening events processed through ADASP. TSA officials told us that
they do not have sufficient resources to track this information.
In addition to the limitations recognized by HSI, TSA and HSI did not
document key aspects of the design and implementation of the pilot
program. For example, while they did develop and document a data
collection plan that outlined the data requirements, sources, and
collection methods to be followed by the seven pilot airports in order
to evaluate the program's costs, benefits, and impacts, they did not
document a plan for how such data would be analyzed to formulate
results. Standards for Internal Control for the Federal Government
states that significant events are to be clearly documented and the
documentation should be readily available for examination to inform
management decisions.[Footnote 72] In addition, in November 2008, based
in part on our guide for designing evaluations,[Footnote 73] we
reported that pilot programs can more effectively inform future program
rollout when an evaluation plan is developed to guide consistent
implementation of the pilot and analysis of the results.[Footnote 74]
At minimum, a well-developed, sound evaluation plan contains several
key elements, including measurable objectives, standards for pilot
performance, a clearly articulated methodology, detailed data
collection methods, and a detailed data analysis plan.[Footnote 75]
Incorporating these elements can help ensure that the implementation of
a pilot generates performance information needed to make effective
management decisions. While TSA and HSI completed a data collection
plan, and generally defined specific measurable objectives for the
pilot program, they did not address other key elements that
collectively could have strengthened the effectiveness of the pilot
program and the usefulness of the results:
* Performance standards. TSA and HSI did not develop and document
criteria or standards for determining pilot program performance, which
are necessary for determining to what extent the pilot program is
effective.
* Clearly articulated evaluation methodology. TSA and HSI did not fully
articulate and document the methodology for evaluating the pilot
program. Such a methodology is to include plans for sound sampling
methods, appropriate sample sizes, and comparing the pilot results with
ongoing efforts. TSA and HSI documented relevant elements, such as
certain sampling methods and sample sizes, in both its overall data
collection plan for the program and in individual pilot operations
plans for each airport implementing the pilot. However, while officials
stated that the seven airports were selected to obtain a range of
physical size, worker volume, and geographical dispersion information,
they did not document the criteria they used in this process, and could
not explain the rationale used to decide which screening methods would
be piloted by the individual airports. Because the seven airports
tested different screening methods, there were differences in the
design of the individual pilots as well as in the type and frequency of
the data collected. While design differences are to be expected given
that the pilot program was testing disparate screening methods, there
were discrepancies in the plans that limited HSI's ability to compare
methods across sites. For example, those airports that tested enhanced
screening methods--as opposed to 100 percent worker screening--used
different rationales to determine how many inspections would be
conducted each day. TSA officials said that this issue and other
discrepancies and points of confusion were addressed through oral
briefings with the pilot airports, but said that they did not provide
additional written instructions to the airports responsible for
conducting the pilots. TSA and HSI officials also did not document how
they would address deviations from the piloted methods, such as workers
who avoided the piloted screening by accessing alternative entry
points, or suspension of the pilot because of excessive wait times for
workers or passengers (some workers were screened through passenger
screening checkpoints). Further, TSA and HSI officials did not develop
and document a plan for comparing the results of the piloted worker
screening methods with TSA's ongoing random worker screening program to
determine whether the piloted methods had a greater impact on reducing
insider risk than ongoing screening efforts.
* Detailed data analysis. Although the agreement between TSA and HSI
also called for the development of a data analysis plan, neither HSI
nor TSA developed an analysis plan to describe how the collected data
would be used to track the program's performance and evaluate the
effectiveness of the piloted screening methods, including 100 percent
worker screening. For example, HSI used the number of confiscated items
as a means of comparing the relative effectiveness of each screening
method.[Footnote 76] However, HSI reported that the number of items
confiscated during pilot operations was "very low" at most pilot
airports, and some did not detect any.[Footnote 77] Based on these
data, HSI concluded that random worker screening appeared to be
"roughly" as effective in identifying confiscated items as 100 percent
worker screening. However, it is possible that there were few or no
contraband items to detect, as workers at the pilot airports were
warned in advance when the piloted screening methods would be in effect
and disclosure signs were posted at access points.[Footnote 78] As a
result, comparing the very low rate--and in some cases, nonexistence--
of confiscated items across pilots, coupled with the short assessment
period, may not fully indicate the effectiveness of different screening
methods at different airports. If a data analysis plan had been
developed during pilot design, it could have been used to explain how
such data would be analyzed, including how HSI's analysis of the
pilots' effectiveness accounted for the low confiscation rates.
Because of the significance of the pilot program limitations reported
by HSI, as well as the lack of documentation and detailed information
regarding the evaluation of the program, the reliability of the
resulting data and any subsequent conclusions about the potential
impacts, costs, benefits, and effectiveness of 100 percent worker
screening and other screening methods cannot be verified. For these
reasons, it would not be prudent to base major policy decisions
regarding worker screening solely on the results of the pilot program.
HSI reported that the wide variation--such as size, traffic flow, and
design--of U.S. commercial airports makes it difficult to generalize
the seven pilot results to all commercial airports. While we agree it
is difficult to generalize the results of such a small sample to an
entire population, a well-documented and sound evaluation plan could
have helped ensure that the pilot program generated the data and
performance information needed to draw reasonable conclusions about the
effectiveness of 100 percent worker screening and other methods to
inform nationwide implementation. Incorporating these elements into an
evaluation plan when designing future pilots could help ensure that
TSA's pilots generate the necessary data for making management
decisions and that TSA can demonstrate that the results are reliable.
TSA Has Taken Steps to Strengthen Worker Security Programs, but Issues
Remain:
Aviation Direct Access Screening Program:
According to TSA officials, FSDs and others in the aviation community
have long recognized the potential for insiders to do harm from within
an airport.[Footnote 79] TSA officials said that they developed ADASP--
a random worker screening program--to counteract the potential
vulnerability of airports to an insider attack. According to TSA
officials, ADASP serves as an additional layer of security and as a
deterrent to workers who seek to smuggle drugs or weapons or to do
harm. According to senior TSA officials, FSDs decide when and how to
implement ADASP, including the random screening of passengers at the
boarding gate or workers at SIDA access points to the sterile area.
[Footnote 80]
TSA officials said that ADASP was initially developed as a pilot
project at one airport in March 2005 to deter workers from breaching
access controls and procedures for secured areas at that particular
airport.[Footnote 81] According to officials, after concluding that the
pilot was successful in deterring airport workers from bringing
restricted items into secured areas, TSA began implementing ADASP on a
nationwide voluntary basis in August 2006 using existing resources. In
March 2007, in response to several incidents of insider criminal
activity, TSA directed that ADASP be conducted at all commercial
airports nationwide. For example, on March 5, 2007, two airline
employees smuggled 14 firearms and 8 pounds of marijuana on board a
commercial airplane at Orlando International Airport (based on
information received through an anonymous tip, the contraband was
confiscated when the plane landed in San Juan, Puerto Rico).
In its October 2008 report, the DHS Office of the Inspector General
(OIG) found that ADASP was being implemented in a manner that allowed
workers to avoid being screened, and that the program had been applied
inconsistently across airports.[Footnote 82] For example, at most of
the seven airports the DHS OIG visited, ADASP screening stations were
set up in front of worker access points, which allowed workers to
identify that ADASP was being implemented and potentially choose
another entry and avoid being screened. However, at another airport,
the screening location was set up behind the access point, which
prevented workers from avoiding being screened. ADASP standard
operating procedures allow ADASP screening locations to be set up in
front of or behind direct access points as long as there is signage
alerting workers that ADASP screening is taking place. However, the DHS
OIG found that the location of the screening stations--either in front
of or behind direct access points--affected whether posted signs were
visible to workers. The DHS OIG recommended that TSA apply consistent
ADASP policies and procedures at all airports, and establish an ADASP
working group to consider policy and procedure changes based on an
accumulation of best practices across the country. TSA agreed with the
DHS OIG's recommendations, and officials stated that they have begun to
take action to address them.
Expanded Worker Background Checks:
Since April 2004, and in response to our prior recommendation,[Footnote
83] TSA has taken steps to enhance airport worker background checks.
TSA background checks are composed of security threat assessments
(STA), which are name-based records checks against various terrorist
watch lists, and criminal history record checks (CHRC), which are
fingerprint-based criminal records checks. TSA requires airport workers
to undergo both STAs and CHRCs before being granted unescorted access
to secured areas in which they perform their duties.[Footnote 84]
In July 2004 TSA expanded STA requirements by requiring workers in
certain secured areas to submit current biographical information, such
as date of birth. TSA further augmented STAs in 2005 to include a
citizenship check to identify individuals who may be subject to
coercion because of their immigration status or who may otherwise pose
a threat to transportation security. In 2007 TSA expanded STA
requirements beyond workers with sterile area or SIDA access to apply
to all individuals seeking or holding airport-issued identification
badges or credentials. Finally, in June 2009 TSA began requiring
airport operators to renew all airport identification media every 2
years, deactivate expired media and require workers to resubmit
biographical information in the event of certain changes, and expand
the STA requirement to include individuals with unescorted access to
the AOA, among other things.
TSA has taken steps to strengthen its background check requirements and
is considering additional actions to address certain statutory
requirements and issues that we identified in 2004.[Footnote 85] For
example, TSA is considering revising its regulation listing the
offenses that if a conviction occurred within 10 years of applying for
this access, would disqualify a person from receiving unescorted access
to secured areas. TSA officials told us that TSA and industry
stakeholders are considering whether some disqualifying offenses may
warrant a lifelong ban.[Footnote 86] In addition, while TSA has not yet
specifically addressed a statutory provision requiring TSA to require,
by regulation, that individuals with regularly escorted access to
secured airport areas undergo background checks,[Footnote 87] TSA
officials told us that they believe the agency's existing measures
address the potential risk presented by such workers. They also said
that it would be challenging to identify the population of workers who
require regularly escorted access because such individuals--for
example, construction workers--enter airports on an infrequent and
unpredictable basis.
TSA Has Taken Steps to Improve Security Technology, but the Extent to
Which TSA Has Addressed Airport Technology Needs Is Unclear:
Biometric Access Control Initiatives:
Since 2004, TSA has taken some steps to develop biometric worker
credentialing;[Footnote 88] however, it is unclear to what extent TSA
plans to address statutory requirements regarding biometric technology,
such as developing or requiring biometric access controls at commercial
airports in consultation with industry stakeholders.[Footnote 89] For
instance, in October 2008 the DHS OIG reported that TSA planned to
mandate phased-in biometric upgrades for all airport access control
systems to meet certain specifications.[Footnote 90] However, as of May
2009, according to TSA officials, the agency had not made a final
decision on whether to require airports to implement biometric access
controls, but it intends to pursue a combination of rule making and
other measures to encourage airports to voluntarily implement biometric
credentials and control systems.[Footnote 91] While TSA officials said
that the agency issued a security directive in December 2008 that
encourages airports to implement biometric access control systems that
are aligned with existing federal identification standards,[Footnote
92] TSA officials also reported the need to ensure that airports
incorporate up-to-date standards. These officials also said that TSA is
considering establishing minimum requirements to ensure consistency in
data collection, card information configuration, and biometric
information. Airport operators and industry association officials have
called for a consensus-based approach to developing biometric
technology standards for airports, and have stressed the need for
standards that allow for flexibility and consider the significant
investment some airports have already made in biometric technology.
Airport operators have also expressed a reluctance to move forward with
individual biometric projects because of concerns that their
enhancements will not conform to future federal standards.
Although TSA has not decided whether it will mandate biometric
credentials and access controls at airports, it has taken steps to
assess and develop such technology in response to stakeholder concerns
and statutory requirements. For example, TSA officials said the agency
has assisted the aviation industry and RTCA, Inc., a federal aviation
advisory committee, in developing recommended security standards for
biometric access controls, which officials said provide guidelines for
acquiring, designing, and implementing access control systems.[Footnote
93] TSA officials also noted that the agency has cooperated with the
Biometric Airport Security Identification Consortium, or BASIC--a
working group of airport operators and aviation association
representatives--which has developed guidance on key principles that it
believes should be part of any future biometric credential and access
control system. In addition, TSA is in the early stages of developing
the Aviation Credential Interoperability Solution (ACIS) program.
[Footnote 94] ACIS is conceived as a credentialing system in which
airports use biometrics to verify the identities and privileges of
workers who have airport-or air carrier-issued identification badges
before granting them entry to secured areas. According to TSA, ACIS
would provide a trusted biometric credential based on smart card
technology (about the size of a credit card, using circuit chips to
store and process data) and specific industry standards, and establish
standard airport processes for enrollment, card issuance, vetting, and
the management of credentials. Although these processes would be
standardized nationwide, airports would still be individually
responsible for determining access authority. According to TSA
officials, the agency is seeking to build ACIS on much of the airports'
existing infrastructure and systems and has asked industry stakeholders
for input on key considerations, including the population of workers
who would receive the credential, program policies, process, technology
considerations, operational impacts, and concerns regarding ACIS.
However, as of May 2009, TSA officials could not explain the status of
ACIS or provide additional information on the possible implementation
of the program since the agency released the specifications for
industry comment in April 2008. As a result, it is unclear when and how
the agency plans to address the requirements of the Intelligence Reform
and Terrorism Prevention Act, including establishing minimum standards
for biometric systems and determining the best way to incorporate these
decisions into airports' existing practices and systems. As of May 2009
TSA officials had not provided any further information, such as
scheduled milestones, on TSA's plans to implement biometric technology
at airports. Standard practices in program management suggest that
developing scheduled milestones can help define the scope of the
project, achieve key deliverables, and communicate with key
stakeholders.[Footnote 95] In addition, until TSA communicates its
decision on whether it plans to mandate--such as through a rule making--
or collaboratively implement biometric access controls at airports, and
what approach is best--be it ACIS or another system--operators may be
hesitant to upgrade airport security in this area. As we reported in
2004, airport operators do not want to run the risk of installing
costly technology that may not comply with future TSA requirements and
standards.[Footnote 96] Developing milestones for implementing a
biometric system could help ensure that TSA addresses statutory
requirements. In addition, such milestones will provide airports and
the aviation industry with the scheduling information needed to plan
future security improvements and expenditures.
Technology Pilot Programs:
In addition to biometric technology efforts, TSA has also initiated
efforts to assess other airport perimeter and access control
technology. Pursuant to ATSA, TSA established two pilot programs to
assess perimeter and access control security technology, the Airport
Access Control Pilot Program (AACPP) in 2004 and the Airport Perimeter
Security (APS) pilot program in 2006.[Footnote 97] AACPP piloted
various new and emerging airport security technologies, including
biometrics. TSA issued the final report on AACPP in December 2006, but
did not recommend any of the piloted technologies for full-scale
implementation. TSA officials said that a second round of pilot
projects would be necessary to allow time for project evaluation and
limited deployments, but as of May 2009 TSA officials said that details
for this second round were still being finalized. The purpose of the
APS pilot, according to TSA officials, is to identify and mitigate
existing airport perimeter security vulnerabilities using commercially
available technology.[Footnote 98] APS was originally scheduled to be
completed in December 2007, but according to TSA officials, though five
of the six pilot projects have been completed, the remaining pilot has
been delayed because of problems with the acquisition process.
According to TSA officials, the final pilot project is to be completed
by October 2009.
TSA officials told us that the agency has also taken steps to provide
some technical and financial support to small-and medium-sized airports
through AACPP and the APS pilot program, as both tested technologies
that could be suitable for airports of these sizes. TSA officials also
stated that smaller airports could potentially benefit from the
agency's efforts to test the Virtual Perimeter Monitoring System, which
was developed by the U.S. Navy and is being installed and evaluated at
four small airports. Further, officials noted that TSA has also
provided significant funding to support cooperative agreements for the
deployment of law enforcement officers at airports--including Category
II, III, and IV airports--to help defray security costs. However,
according to TSA officials, as of May 2009 TSA had not yet developed a
plan, or a time frame for developing a plan, to provide technical
information and funding to small-and medium-sized airports, as required
by ATSA.[Footnote 99] According to TSA officials, funds had not been
appropriated or specifically directed to develop such a plan, and TSA's
resources and management attention have been focused on other statutory
requirements for which it has more direct responsibility and deadlines,
including passenger and baggage screening requirements. (For a summary
of TSA actions to address certain statutory requirements for airport
security technology, see appendix II.)
TSA Has Taken Action to Improve General Airport Security, but Concerns
Exist regarding Implementation of Security Requirements Established by
Security Directives:
TSA has taken actions to improve general airport security by
establishing programs and requirements. For example, TSA has augmented
access control screening and general airport security by increasing the
presence of transportation security officers and law enforcement
officials through the Screening of Passengers by Observation Techniques
(SPOT) program and the Law Enforcement Officer Reimbursement Program.
In addition, it uses the Visible Intermodal Prevention and Response
(VIPR) program, which is used across the transportation sector, to
augment airport security efforts. (For more information on these TSA
programs, see appendix VI.)
TSA uses a variety of regulatory mechanisms for imposing requirements
within the transportation sector. In the aviation environment, TSA uses
the security directive as one of its regulatory tools for imposing
requirements to strengthen the security of civil aviation, including
security at the nation's commercial airports.[Footnote 100] Pursuant to
TSA regulation, the agency may decide to use security directives to
impose requirements on airport operators if, for example, it determines
that additional security measures are needed to respond to general or
specific threats against the civil aviation system.[Footnote 101] As of
March 2009 TSA identified 25 security directives or emergency
amendments in effect that related to various aspects of airport
perimeter and access control security. As shown in table 2, TSA imposed
requirements through security directives that address areas such as
worker and vehicle screening, criminal history record checks, and law
enforcement officer deployments.
Table 2: Requirements Relating to Airport Perimeter and Access Control
Security Imposed through Security Directives and Emergency Amendments:
Number of relevant security directives or emergency amendments;
U.S. airports: 8;
U.S. air carriers: 7;
Foreign air carriers: 10;
Total: 25.
Areas of regulation addressed:
Access control;
U.S. airports: 6;
U.S. air carriers: 1;
Foreign air carriers: 5;
Total: 12.
Worker screening;
U.S. airports: 3;
U.S. air carriers: 3;
Foreign air carriers: 3;
Total: 9.
Vehicle screening;
U.S. airports: 3;
U.S. air carriers: 0;
Foreign air carriers: 1;
Total: 4.
Criminal history record check;
U.S. airports: 2;
U.S. air carriers: 1;
Foreign air carriers: 1;
Total: 4.
Security threat assessment;
U.S. airports: 1;
U.S. air carriers: 2;
Foreign air carriers: 3; Total: 6.
No-Fly/Selectee lists[A];
U.S. airports: 3;
U.S. air carriers: 4;
Foreign air carriers: 2; Total: 9.
Law enforcement officer deployment;
U.S. airports: 4;
U.S. air carriers: 0;
Foreign air carriers: 1; Total: 5.
Airport badging;
U.S. airports: 3;
U.S. air carriers: 1;
Foreign air carriers: 3; Total: 7.
Other/miscellaneous;
U.S. airports: 5;
U.S. air carriers: 2;
Foreign air carriers: 5; Total: 12.
Source: GAO analysis of TSA security directives and emergency
amendments issued to U.S. airport and aircraft operators and foreign
air carriers in accordance with 49 C.F.R. parts 1542 (airport
security), 1544 (aircraft operator security), and 1546 (foreign air
carrier security).
Note: The 25 security directives and emergency amendments may address
other areas of security in addition to those related to airport
perimeter and access control security.
[A] The No-Fly and Selectee lists contain the names of individuals with
known or suspected links to terrorism who may pose a threat to the
civil aviation system. In general, passengers identified as a match to
the No-Fly list are prohibited from boarding a commercial flight, while
those matched to the Selectee list are required to undergo additional
screening.
[End of table]
According to TSA officials, security directives enable the agency to
respond rapidly to immediate or imminent threats and provide the agency
with flexibility in how it imposes requirements on airport operators.
This function is especially relevant given the adaptive, dynamic nature
of the terrorist threat. Moreover, according to TSA, imposing
requirements through security directives is less time consuming than
other processes, such as the lengthier notice-and-comment rule making
process, which generally provides opportunity for more stakeholder
input, requires cost-benefit analysis,[Footnote 102] and provides the
regulated entities with more notice before implementation and
enforcement.[Footnote 103]
Officials from two prominent aviation associations and eight of nine
airports we visited identified concerns regarding requirements
established through security directive[Footnote 104]:
* Officials from the two aviation associations noted inconsistencies
between requirements established through separate security directives.
For example, they noted that the requirements for airport-issued
identification badges are different from those for badges issued by an
air carrier. Workers employed by the airport, air carrier, or other
entities who apply for an airport identification badge granting
unescorted access to a secured area are required to undergo an
immigration and citizenship status check, whereas workers who apply
through an air carrier, which can grant similar unescorted access
rights, are not.[Footnote 105] Both airport and air carrier workers can
apply to an airport operator for airport-issued identification badges,
but only air carrier workers can apply to their aircraft operator
(employer) for an air carrier-issued identification badge. TSA
officials told us that the agency plans to address this inconsistency--
which has been in effect since December 2002--and is working on a time
frame for doing so.
* Airport operator officials from eight of the nine airports we visited
and officials from two industry associations expressed concern that
requirements established through security directives related to airport
security are often issued for an indefinite time period. Our review of
25 airport security directives and emergency amendments showed that all
except one were issued with no expiration date. The two aviation
industry associations have expressed concerns directly to TSA that
security directive requirements should be temporary and include
expiration dates so that they can be periodically reviewed for
relevancy.[Footnote 106]
According to senior officials, TSA does not have internal control
procedures for monitoring and coordinating requirements established
through security directives related to airport perimeter and access
control security. In November 2008 TSA officials told us that the
agency had drafted an operations directive that documents procedures
for developing, coordinating, issuing, and monitoring civil aviation
security directives. According to officials, this operations directive
also is to identify procedures for conducting periodic reviews of
requirements imposed through security directives. However, while TSA
officials told us that they initially planned to issue the operations
directive in April 2009, in May 2009 they said that they were in the
process of adopting the recommendations of an internal team
commissioned to review and identify improvements to TSA's policy review
process, including the proposed operations directive. In addition, as
of May 2009, officials did not have an expected date for finalizing the
directive. TSA officials explained that because the review team's
recommendations will require organizational changes and upgrades to
TSA's information technology infrastructure, it will take a significant
amount of time before an approved directive can be issued. As a result,
it is unclear to what extent the operations directive will address
concerns expressed by aviation operators and industry stakeholders.
Standard practices in program management call for documented milestones
to ensure that results are achieved.[Footnote 107] Establishing
milestones for implementing guidance to periodically review airport
security requirements imposed through security directives would help
TSA formalize review of these directives within a time frame authorized
by management.
In addition to the stakeholder issues previously discussed,
representatives from two prominent aviation industry associations have
expressed concern that TSA has not issued security directives in
accordance with the law. Specifically, these representatives noted that
the Transportation Security Oversight Board (TSOB) has not reviewed
TSA's airport perimeter and access control security directives in
accordance with a provision set forth in ATSA.[Footnote 108] This
provision, as amended, establishes emergency procedures by which TSA
may immediately issue a regulation or security directive to protect
transportation security, and provides that any such regulation or
security directive is subject to review by the TSOB.[Footnote 109] The
provision further states that any regulation or security directive
issued pursuant to this authority may remain in effect for a period not
to exceed 90 days unless ratified or disapproved by the TSOB. According
to TSA officials, the agency has not issued security directives related
to airport perimeter and access control security under this emergency
authority. Rather, officials explained, the agency has issued such
security directives (and all aviation-related security directives) in
accordance with its aviation security regulations governing airport and
aircraft operators, which predate ATSA and the establishment of
TSA.[Footnote 110] FAA implemented regulations--promulgated through the
notice-and-comment rule making process--establishing FAA's authority to
issue security directives to impose requirements on U.S. airport and
aircraft operators. With the establishment of TSA, FAA's authority to
regulate civil aviation security, including its authority to issue
security directives, transferred to the new agency. TSA does not
consider ATSA to have altered this existing authority.
A National Strategy for Airport Security Could Help Ensure Program
Effectiveness, Inform Cost and Resource Decisions, Ensure
Collaboration, and Increase Accountability:
Although TSA has developed a variety of individual protective actions
to mitigate identified airport security risks, it has not developed a
unified national strategy aimed at enhancing airport perimeter and
access control security. Through our prior work on national security
planning, we have identified characteristics of effective security
strategies,[Footnote 111] several of which are relevant to TSA's
numerous efforts to enhance perimeter and access control security. For
example, TSA has not developed goals and objectives for related
programs and activities, prioritized protective security actions, or
developed performance measures to assess the results of its perimeter
and access control security efforts beyond tracking outputs (the level
of activity provided over a period of time). Further, although TSA has
identified some cost information that is used to inform programmatic
decision making, it has not fully assessed the costs and resources
necessary to implement its airport security efforts. Finally, TSA has
not fully outlined how activities are to be coordinated among
stakeholders, integrated with other aviation security priorities, or
implemented within the agency.[Footnote 112]
Leading Practices Show That Strategies Help Guide Decision Making and
Increase Accountability:
Developing a strategy to accomplish goals and desired outcomes helps
organizations manage their programs more effectively and is an
essential mechanism to guide progress in achieving desired results.
Strategies are the starting point and foundation for defining what an
agency seeks to accomplish, and we have reported that effective
strategies provide an overarching framework for setting and
communicating goals and priorities and allocating resources to inform
decision making and help ensure accountability.[Footnote 113] Moreover,
a strategy that outlines security goals, as well as mechanisms and
measures to achieve such goals, and that is understood and available to
all relevant stakeholders strengthens implementation of and
accountability to common principles.
A national strategy to guide and integrate the nation's airport
security activities could strengthen decision making and accountability
for several reasons. First, TSA has identified airport perimeter and
access control security--particularly the mitigation of risks posed by
workers who have unescorted access to secured areas--as a top
priority.[Footnote 114] Historically, TSA has recognized the importance
of developing strategies for high-priority security programs involving
high levels of perceived risk and resources, such as air cargo security
and the SPOT program. Second, in security networks that rely on the
cooperation of all security partners--in this case TSA, airport
operators, and air carriers--strategies can provide a basis for
communication and mutual understanding between security partners that
is fundamental for such integrated protective programs and activities.
In addition, because of the mutually dependent roles that TSA and its
security partners have in airport security operations, TSA's ability to
achieve results depends on the ability of all security partners to
operate under common procedures and achieve shared security goals.
Finally, officials from two prominent industry organizations that
represent the majority of the nation's airport operators said that the
industry would significantly benefit from a TSA-led strategy that
identified long-term goals for airport perimeter and access control
security. In addition to providing a unifying framework, a strategy
that clearly identifies milestones, developed in cooperation with
industry security partners, could make it easier for airport operators
to plan, fund, and implement security enhancements that according to
industry officials can require intensive capital improvements.
While TSA has taken steps to assess threat and vulnerability related to
airport security and developed a variety of protective actions to
mitigate risk, TSA has not developed a unifying strategy to guide the
development, implementation, and assessment of these varied actions and
those of its security partners. TSA officials cited three reasons why
the agency has not developed a strategy to guide national efforts to
enhance airport security. First, TSA officials cited a lack of
congressional emphasis on airport perimeter and access control security
relative to other high-risk areas, such as passenger and baggage
screening. Second, these officials noted that airport operators, not
TSA, have operational responsibility for airport security. Third, they
cited a lack of resources and funding.
While these issues may present challenges, they should be considered in
light of other factors. First, Congress has long recognized the
importance of airport security, and has contributed to the
establishment of a variety of requirements pertaining to this issue.
[Footnote 115] For example, the appropriations committees, through
reports accompanying DHS's annual appropriations acts, have directed
TSA to focus its efforts on enhancing several aspects of airport
perimeter and access control security.[Footnote 116] Moreover,
developing a strategy that clearly articulates the risk to airport
security and demonstrates how those risks can be addressed through
protective actions could help inform decision making. Second, though we
recognize that airport operators, not TSA, generally have operational
responsibility for airport perimeter and access control security, TSA-
-as the regulatory authority for airport security and the designated
lead agency for transportation security--is responsible for
identifying, prioritizing, and coordinating protection efforts within
aviation, including those related to airport security. TSA currently
exercises this authority by ensuring compliance with TSA-approved
airport operator security programs and, pursuant to them, by issuing
and ensuring compliance with requirements imposed through security
directives or other means. Finally, regarding resource and funding
constraints, federal guidelines for strategies and planning include
linking program activities and anticipated outcomes with expected
program costs.[Footnote 117] In this regard, a strategy could
strengthen decision making to help allocate limited resources to
mitigate risk, which is a cornerstone of homeland security policy.
Additionally, DHS's risk management approach recognizes that resources
are to be focused on the greatest risks, and on protective activities
designed to achieve the biggest reduction in those risks given the
limited resources at hand. The NIPP risk management framework provides
guidance for agencies to develop strategies and prioritize activities
to those ends.
A strategy helps to link individual programs to specific performance
goals and describe how the programs will contribute to the achievement
of those goals. A national strategy could help TSA, airport operators,
and industry stakeholders in aligning their activities, processes, and
resources to support mission-related outcomes for airport perimeter and
access control security, and, as a result, in determining whether their
efforts are effective in meeting their goals for airport security.
TSA Has Not Identified Security Goals or Priorities or Fully Assessed
the Effectiveness of Its Actions to Strengthen Airport Security:
Our previous work has identified that an essential characteristic of
effective strategies is the setting of goals, priorities, and
performance measures. This characteristic addresses what a strategy is
trying to achieve and the steps needed to achieve and measure those
results. A strategy can provide a description of an ideal overall
outcome, or "end-state," and link individual programs and activities to
specific performance goals, describing how they will contribute to the
achievement of the end-state. The prioritization of programs and
activities, and the identification of milestones and performance
measures, can aid implementing parties in achieving results according
to specific time frames, as well as enable effective oversight and
accountability. The NIPP also calls for the development of goals,
priorities, and performance measures to guide DHS components, including
TSA, in achieving a desired end-state.
Goals:
Security goals allow stakeholders to identify the desired outcomes that
a security program intends to achieve and that all security partners
are to work to attain. Defining goals and desired outcomes, in turn,
enables stakeholders to better guide their decision making to develop
protective security programs and activities that mitigate risks. The
NIPP also states that security goals should be used in the development
of specific protective programs and considered for distinct assets and
systems. However, according to TSA officials, the agency has not
developed goals and objectives for airport security, including specific
targets or measures related to the effectiveness of security programs
and activities.[Footnote 118] TSA officials told us that the agency
sets goals for aviation security as a whole but has not set goals and
objectives for the airport perimeter and access control security area.
Developing a baseline set of security goals and objectives that
consider, if not reflect, the airport perimeter and access control
security environment would help provide TSA and its security partners
with the fundamental tools needed to define outcomes for airport
perimeter and access control security. Furthermore, a defined outcome
that all security partners can work toward will better position TSA to
provide reasonable assurance that it is taking the most appropriate
steps for ensuring airport security.
Priorities:
Our past work has also shown that the identification of program
priorities in a strategy aids implementing parties in achieving
results, which enables more effective oversight and accountability.
Although TSA has implemented protective programs and activities that
address risks to airport security, according to TSA officials it has
not prioritized these activities nor has it yet aligned them with
specific goals and objectives. TSA officials told us that in keeping
with legislative mandates, they have focused agency resources on
aviation security programs and activities that were of higher priority,
such as passenger and baggage screening and air cargo security.
Identifying priorities related to airport perimeter and access control
security could assist TSA in achieving results within specified time
frames and limited resources because it would allow the agency to
concentrate on areas of greatest importance.
Performance Measures:
In addition to our past work on national strategies, the NIPP and other
federal guidance require agencies to assess whether their efforts are
effective in achieving key security goals and objectives so as to help
drive future investment and resource decisions and adapt and adjust
protective efforts as risks change.[Footnote 119] Decision makers use
performance measurement information, including activity outputs and
descriptive information regarding program operations, to identify
problems or weaknesses in individual programs, identify factors causing
the problems, and modify services or processes to try to address
problems.[Footnote 120] Decision makers can also use performance
information collectively, and, according to the NIPP, examine a variety
of data to provide a holistic picture of the health and effectiveness
of a security approach from which to make security improvements.
[Footnote 121] If significant limitations on performance measures
exist, the strategy might address plans to obtain better data or
measurements, such as national standards or indicators of preparedness.
TSA officials told us that TSA has not fully assessed the effectiveness
of its protective activities for airport perimeters and secured areas,
but they said that the agency has taken some steps to collect certain
performance data for some airport security programs and activities to
help inform programmatic decision making. For example, TSA officials
told us that they require protective programs, such as ADASP and VIPR,
to report certain output data and descriptive program information,
which officials use to inform administrative or programmatic decisions.
For ADASP, TSA requires FSDs to collect information on, among other
things, the number of workers screened, vehicles inspected, and
prohibited items surrendered. TSA officials said that they use these
descriptive and output data to inform programmatic decisions, such as
determining the number of staff days needed to support ADASP operations
nationwide. However, TSA was not able to provide documentation on how
such analysis has been conducted. For VIPR, officials said that they
require team members to complete after-action reports that include data
on the number of participants, locations, and types of activities
conducted. TSA officials said that they are analyzing and categorizing
this descriptive and output information to determine trends and
identify areas of success and failure, which they will use to improve
future operations, though they did not provide us with examples of how
they have done this. TSA officials also told us that they require SPOT
to report descriptive operations data and situational report
information, which are to be used to assign necessary duties and
correct problems with program implementation. However, TSA officials
could not tell us how they use these descriptive and output data to
inform program development and administrative decisions. While the use
of descriptive and output data to inform program development and
administration is both appropriate and valuable, leading management
practices emphasize that successful performance measurement focuses on
assessing the results of individual programs and activities.[Footnote
122]
TSA officials also told us that while they recognize the importance of
assessing the effectiveness of airport security programs and activities
in reducing known threats, it is difficult to do so because the primary
purpose of these activities is deterrence. Assessing the deterrent
benefits of a program is inherently challenging because it involves
determining what would have happened in the absence of an intervention,
or protective action, and it is often difficult to isolate the impact
of the individual program on behavior that may be affected by multiple
other factors. Because of this difficulty, officials told us that they
have instead focused their efforts on assessing the extent to which
each airport security activity supports TSA's overall layered approach
to security. We recognize that assessing the effectiveness of
deterrence-related activities is challenging and that it continues to
be the focus of ongoing analytic effort and policy review. For example,
a January 2007 report by the Department of Transportation addressed
issues related to measuring deterrence in the maritime sector,[Footnote
123] and a February 2007 report by the RAND Corporation acknowledged
the challenges associated with measuring the benefits of security
programs aimed at reducing terrorist risk.[Footnote 124] However, as a
feature of TSA's layered security approach, many of its airport
activities address other aspects of security in addition to deterrence.
Like other homeland security efforts, TSA's airport security activities
also seek to limit the potential for attack, safeguard critical
infrastructure and property, identify wrongdoing, and ensure an
effective and efficient response in the event of an attack; the desired
outcome of its efforts is to reduce the risk of an attack. Deterrence
is an inherent benefit of any protective action, and methods designed
to detect wrongdoing and measures taken to safeguard critical
infrastructure and property, for example, also help deter terrorist
attacks. There are a number of activities that TSA has implemented that
seek to reduce this risk, such as requiring security threat assessments
for all airport workers. Some of these activities serve principally to
deter, such as ADASP, while others are more focused on safeguarding
critical infrastructure and property, such as conducting compliance
inspections of aviation security regulations or installing perimeter
fencing. Some activities serve multiple purposes, such as VIPR, which
seeks to provide a visual deterrent to terrorist or other criminal
activity, but also seeks to safeguard critical infrastructure in
various modes of transportation. Examining the extent to which its
activities have effectively addressed these various purposes would
enable TSA to more efficiently implement and manage its programs.
There are several methods available that TSA could explore to gain
insight on the extent to which its security activities have met their
desired purpose and to ultimately improve program performance. For
example, TSA could work with stakeholders, such as airport operators
and other security partners, to identify and share lessons learned and
best practices across airports to better tailor its efforts and
resources and continuously improve security. TSA could also use
information gathered through covert testing or compliance inspections--
such as noncompliance or security breaches--to make adjustments to
specific security activities and to identify which aspects require
additional investigation. In addition, TSA could develop proxy
measures--indirect measures or signs that approximate or represent the
direct measure--to show how security efforts correlate to an improved
security outcome. Appendix VII provides a complete discussion on these
methods, as well as information on other alternatives TSA could
explore.
TSA Has Identified Costs for Some Airport Security Activities, but Has
Not Fully Identified Costs and Resource Needs, and Has Generally Not
Conducted Cost-Benefit Analysis to Prioritize and Allocate Resources
for Airport Security Activities:
Our prior work shows that effective strategies address costs,
resources, and resource allocation issues. Specifically, effective
strategies address the costs of implementing the individual components
of the strategy, the sources and types of resources needed (such as
human capital or research and development), and where those resources
should be targeted to better balance risk reductions with costs.
[Footnote 125] Effective strategies may also address in greater detail
how risk management will aid implementing parties in prioritizing and
allocating resources based on expected benefits and costs. Our prior
work found that strategies that provide guidance on costs and needed
resources help implementing parties better allocate resources according
to priorities, track costs and performance, and shift resources as
appropriate.
Costs and Resources:
Statutory requirements and federal cost accounting standards also
stress the benefits of developing and reporting on the cost of federal
programs and activities, as well as using that information to more
effectively allocate resources and inform program management decisions.
[Footnote 126] TSA has identified the costs and resources it needs for
some specific activities and programs that exclusively support airport
security, such as JVAs of selected commercial airports. However, for
programs that serve airport security as well as other aspects of
aviation security, TSA has not identified the costs and resources
devoted to airport security. For example, TSA has identified its
expenditures for compliance inspections and other airport security-
related programs and activities, which collectively totaled nearly $850
million from fiscal years 2004 through 2008. However, TSA has not
identified what portion of these funds was directly allocated for
airport security activities versus other aviation security activities,
such as passenger screening. (For a more detailed discussion of airport
security costs, see appendix IV.) Further, TSA has not fully identified
the resources it needs to mitigate risks to airport perimeter and
access control security. According to TSA officials, identifying
collective agency costs and resource needs for airport security
activities is challenging because airport security is not a separately
funded TSA program, and many airport security activities are part of
broader security programs. However, without attempting to identify
total agency costs, it will be difficult for TSA to identify costs
associated with individual security activities, and therefore it will
be hindered in determining the resources it needs to sustain desired
activity levels and realize targeted results. While TSA officials told
us that they are starting to identify costs for airport security
activities and plan to complete this effort by the end of 2009, they
could provide no additional information to illustrate their approach
for doing so. As a result, it is unclear what costs the agency will
identify, and to what extent TSA will be able to identify costs for
specific security activities in order to identify the resources it
needs to sustain desired activity levels and realize targeted results.
TSA officials also told us that they have not yet identified or
estimated costs to the aviation industry for implementing airport
security requirements, such as background checks for their workers, or
capital costs--such as construction and equipment--that airport
operators incur to enhance the security of their facilities.[Footnote
127] According to these officials, the agency does not have the
resources and funds to collect cost information from airport operators.
However, TSA officials could not tell us how and to what extent they
had assessed the resources and funds needed to collect this information
or whether they had explored other options for collecting cost data,
such as working with industry associations to survey airport operators.
Estimating general cost information on the types and levels of
resources needed for desired outcomes would provide TSA and other
stakeholders with valuable information with which to make informed
resource and investment decisions, including decisions about future
allocation needs, to mitigate risks to airport security.
Prioritizing and Allocating Resources:
According to our previous work on effective national strategies, as
well as NIPP guidance, risk management focuses security efforts on
those activities that bring about the greatest reduction in risk given
the resources used.[Footnote 128] According to federal guidance,
employing systematic cost-benefit analysis helps ensure that agencies
choose the security priorities that most efficiently and effectively
mitigate risk for the resources available. The Office of Management and
Budget (OMB) cites cost-benefit analysis as one of the key principles
to be considered when an agency allocates resources for capital
expenditures because it provides decision makers with a clear
indication of the most efficient alternative.[Footnote 129] DHS's Cost-
Benefit Analysis Guidebook also states that cost-benefit analysis
identifies the superior financial solution among competing
alternatives, and that it is a proven management tool to support
planning and managing costs and risks.[Footnote 130] While TSA has made
efforts to consider costs for some airport security programs, it has
not used cost-benefit analysis to allocate or prioritize resources
toward the most cost-effective alternative actions for mitigating risk.
[Footnote 131]
According to TSA officials, certain factors have limited TSA's ability
to conduct cost-benefit analysis, such as resource constraints and the
need to take immediate action to address new and emerging security
threats. However, officials could not demonstrate that they had
attempted to conduct cost-benefit analysis for programs and activities
related to airport security within the constraints of current
resources, or explain how, or to what extent, they had assessed the
resources that would be needed to conduct cost-benefit analysis.
Further, TSA officials could not cite a situation in which the need to
take immediate action--outside of issuing security directives--in
response to a threat prevented them from conducting cost-benefit
analysis.[Footnote 132] TSA officials agreed that conducting cost-
benefit analysis is beneficial, but also said that it is not always
practical because of the difficulty in quantifying the benefits of
deterrence-based activities. Because of this challenge, officials said
that they have used professional judgment, past experience, law
enforcement principles, and intelligence information to evaluate
alternative airport security activities to mitigate risks.[Footnote
133] While TSA's approach to identifying security actions includes
accepted risk reduction decision-making tools, such as professional
judgment, it does not provide a means to fully weigh the benefits
versus the costs of implementing alternative actions. However, despite
the challenges TSA cited to developing cost-benefit analysis, TSA
officials told us that as of January 2009, the agency was in the early
stages of investigating costs and benefits related to airport perimeter
access control. According to these officials, TSA plans to initially
focus on developing cost estimates associated with improving access
control, a process the agency expects to complete by the end of 2009.
However, because TSA officials did not explain how they expect to
identify and estimate these costs and how, in the future, they plan to
identify and estimate benefits for alternative actions, especially
those actions that focus on deterrence, it is not yet clear to what
extent TSA's efforts will constitute cost-benefit analysis.
The use of systematic cost-benefit analysis when considering future
airport security measures would help TSA to choose the most cost-
effective security options for mitigating risk. We recognize the
difficulties in quantifying the benefits of deterrence-based
activities, but there are alternatives that TSA could pursue to assess
benefits, such as examining the extent to which its activities address
other purposes besides deterrence. Moreover, OMB recognizes that in
some circumstances--such as when data are insufficient--costs and
benefits cannot be quantified, in which case costs and benefits are to
be assessed in qualitative terms.[Footnote 134] By exploring ways to
identify expected costs associated with alternatives, and balancing
these with estimated security benefits, TSA can more fully ensure that
it is efficiently allocating and prioritizing its limited resources, as
well as those of individual airports, in a way that maximizes the
effectiveness of its airport security efforts.
TSA Has Collaborated with Stakeholders regarding Airport Security
Activities, but Has Not Always Fully Coordinated or Integrated Airport
Security with Other Aspects of Aviation Security:
Our prior work shows that effective national strategies address how to
coordinate efforts and resolve conflicts among stakeholders, address
ways in which each strategy relates to the goals of other strategies,
and devise plans for implementing the strategies.[Footnote 135] Because
the responsibility for airport perimeter and access control security
involves multiple stakeholders, including federal entities, individual
airport operators, air carriers, and industry organizations,
coordination among stakeholders is critical. In such an environment,
the implementation of security activities is strengthened when a
strategy addresses how federal efforts will coordinate and integrate
with other federal and private sector initiatives, relate to the goals
and objectives of other strategies and plans, and be implemented and
coordinated by relevant parties.
Coordination:
Representatives from industry associations told us that while TSA has
collaborated with industry stakeholders on the development of multiple
airport security activities and initiatives, the agency has not always
fully coordinated the development and implementation of specific
security activities and initiatives. For example, although TSA has
worked with the industry in the development of some aspects of airport
security technology, such as biometrics, industry association officials
told us that the agency has not yet recommended specific technology
based on the results of technology-based pilot programs it completed
over 2 years ago in 2007. These officials also noted that TSA did not
fully coordinate with the industry in its decision to impose stronger
requirements on worker credentialing practices in the wake of security
incidents at individual airports. TSA officials said that they have
worked closely with industry stakeholders in addressing airport
security issues, and have established working groups to continue to
coordinate on issues such as biometric access control security. Our
prior work found that a strategy should provide both direction and
guidance to government and private entities so that missions and
contributions can be more appropriately coordinated.[Footnote 136]
Integration and Implementation:
TSA has not demonstrated how it relates the activities of airport
security to the goals, objectives, and activities of TSA's other
aviation security strategies, such as passenger screening, air cargo
screening, and baggage screening. In addition, TSA has not identified
how these various security areas are coordinated at the national level.
For example, TSA officials told us that some security efforts, such as
the random worker screening program and roving security response teams,
[Footnote 137] are used to address multiple security needs, such as
both passenger and worker screening, but could not identify the extent
to which program resources are planned for and applied between
competing security needs. TSA officials said that decisions to allocate
random worker screening resources between passenger and worker
screening are made at the local airport level by FSDs. However, a clear
understanding of how TSA's needs and goals for airport security align
with those of its other security responsibilities would enable the
agency to better coordinate its programs, gauge the effectiveness of
its actions, and allocate resources to its highest-priority needs.
Finally, it is not clear to what extent TSA has coordinated airport
security activities within the agency, the responsibilities for which
are spread among multiple offices. TSA officials explained that agency
efforts to enhance and oversee airport perimeter and access control
security are spread across multiple programs within five TSA component
offices. No one office or program has responsibility for coordinating
and integrating actions that affect the numerous aspects of perimeter
and access control security, including operations, technology,
intelligence, program policy, credentialing, and threat assessments.
TSA officials agreed that the diffusion of responsibilities across
offices can present coordination challenges. Developing an overarching,
integrated framework for coordinating actions between implementing
parties could better position TSA to avoid unnecessary duplication,
overlap, and conflict in the implementation of these actions. According
to our past work, strategies that provide guidance to clarify and link
the roles, responsibilities, and capabilities of the implementing
parties can foster more effective implementation and accountability.
Conclusions:
Commercial airports facilitate the movement of millions of passengers
and tons of goods each week and are an essential link in the nation's
transportation network. Given TSA's position that the interconnected
commercial airport network is only as strong as its weakest asset,
determining vulnerability across this network is fundamental to
determining the actions and resources that are necessary to reasonably
protect it. Evaluating whether existing, select vulnerability
assessments reflect the network of airports will help TSA ensure that
its actions strengthen the whole airport system. If TSA finds that
additional assessments are needed to identify the extent of
vulnerabilities nationwide, then developing a plan with milestones for
conducting those assessments, and leveraging existing available
assessment information from stakeholders, would help ensure the
completion of these assessments and that intended results are achieved.
In addition, although the consequences of a successful terrorist breach
in airport security have not been assessed, based on the past events,
the potential impact on U.S. assets, safety, and public morale could be
profound. For this reason, assessing the likely consequences of an
attack is an essential step in assessing risks to the nation's
airports. Further, a comprehensive risk assessment that combines
threat, vulnerability, and consequence would help TSA determine which
risks should be addressed--and to what degree--and would help guide the
agency in identifying the necessary resources for addressing these
risks. Moreover, documenting milestones for completing the risk
assessment would help ensure its timely completion.
Implementing and evaluating a pilot program can be challenging,
especially given the individual characteristics of the sites involved
in the worker screening pilot, such as the variation in airport size,
traffic flows, and layouts. However, a well-developed and documented
evaluation plan, with well-defined and measurable objectives and
standards as well as a clearly articulated methodology and data
analysis plan, can help ensure that a pilot program is implemented and
evaluated in ways that generate reliable information to inform future
program development decisions. By making such a plan a cornerstone of
future pilot programs, TSA will be better able to ensure that the
results of those pilot programs will produce the reliable data
necessary for making the best program and policy decisions.
Integrating biometric technology into existing airport access control
systems will not be easy given the range of technologies available, the
number of stakeholders involved, and potential differences in the
biometric controls already in use at airports. Yet Congress, the
administration, and the aviation industry have emphasized the need to
move forward in implementing such technology to better control access
to sensitive airport areas. But until TSA decides whether, when, and
how it will mandate biometric access controls at airports, individual
airport operators will likely continue to delay investing in
potentially costly technology in case it does not comply with future
federal standards. Establishing milestones for addressing requirements
would not only provide airports with the necessary information to
appropriately plan future security upgrades, but give all stakeholders
a road map by which they can anticipate future developments.
TSA uses security directives as a means for establishing additional
security measures in response to general or specific threats against
the civil aviation system, including the security of airport perimeters
and the controls that limit access to secured airport areas. Just as it
is important that federal agencies have flexible mechanisms for
responding to the adaptive, dynamic nature of the terrorist threat, it
is also important that requirements remain consistent with current
threat information. Establishing milestones for periodically reviewing
airport perimeter and access control requirements imposed through
security directives would help provide TSA and stakeholders with
reasonable assurance that TSA's personnel will review these directives
within a time frame authorized by management.
TSA, along with industry partners, has taken a variety of steps to
implement protective measures to strengthen airport security, and many
of these efforts have required numerous stakeholders to implement a
range of activities to achieve desired results. These various actions,
however, have not been fully integrated and unified toward achieving
common outcomes and effectively using resources. A national risk-
informed strategy--that establishes measurable goals, priorities, and
performance measures; identifies needed resources; and is aligned and
integrated with related security efforts--would help guide decision
making and hold all public and private security partners accountable
for achieving key shared outcomes within available resources. Moreover,
a strategy that identifies these key elements would allow TSA to better
articulate its needs--and the challenge of meeting those needs--to
industry stakeholders and to Congress. Furthermore, balancing estimated
costs against expected security benefits, and developing measures to
assess the effectiveness of security activities, would help TSA provide
reasonable assurance that it is properly allocating and prioritizing
its limited resources, or those of airports, in a way that maximizes
the effectiveness of its airport security efforts.
Recommendations for Executive Action:
To help ensure that TSA's actions in enhancing airport security are
guided by a systematic risk management approach that appropriately
assesses risk and evaluates alternatives, and that it takes a more
strategic role in ensuring that government and stakeholder actions and
resources are effectively and efficiently applied across the nationwide
network of airports, we recommend that the Assistant Secretary of TSA
work with aviation stakeholders to implement the following five
actions:
* Develop a comprehensive risk assessment for airport perimeter and
access control security, along with milestones (i.e., time frames) for
completing the assessment, that (1) uses existing threat and
vulnerability assessment activities, (2) includes consequence analysis,
and (3) integrates all three elements of risk--threat, vulnerability,
and consequence.
- As part of this effort, evaluate whether the current approach to
conducting JVAs appropriately and reasonably assesses systems
vulnerabilities, and whether an assessment of security vulnerabilities
at airports nationwide should be conducted.
- If the evaluation demonstrates that a nationwide assessment should be
conducted, develop a plan that includes milestones for completing the
nationwide assessment. As part of this effort, leverage existing
assessment information from industry stakeholders, to the extent
feasible and appropriate, to inform its assessment.
* Ensure that future airport security pilot program evaluation and
implementation efforts include a well-developed and well-documented
evaluation plan that includes:
- measurable objectives,
- criteria or standards for determining program performance,
- a clearly articulated methodology,
- a detailed data collection plan, and:
- a detailed data analysis plan.
* Develop milestones for meeting statutory requirements, in
consultation with appropriate aviation industry stakeholders, for
establishing system requirements and performance standards for the use
of biometric airport access control systems.
* Develop milestones for establishing agency procedures for reviewing
airport perimeter and access control requirements imposed through
security directives.
* To better ensure a unified approach among airport security
stakeholders for developing, implementing, and assessing actions for
securing airport perimeters and access to controlled areas, develop a
national strategy for airport security that incorporates key
characteristics of effective security strategies, including the
following:
- Measurable goals, priorities, and performance measures. TSA should
also consider using information from other methods, such as covert
testing and proxy measures, to gauge progress toward achieving goals.
- Program cost information and the sources and types of resources
needed. TSA should also identify where those resources would be most
effectively applied by exploring ways to develop and implement cost-
benefit analysis to identify the most cost-effective alternatives for
reducing risk.
- Plans for coordinating activities among stakeholders, integrating
airport security goals and activities with those of other aviation
security priorities, and implementing security activities within the
agency.
Agency Comments and Our Evaluation:
We provided a draft of our report to DHS and TSA on August 3, 2009, for
review and comment. On September 24, 2009, DHS provided written
comments, which are reprinted in appendix VIII. In commenting on our
report, DHS stated that it concurred with all five recommendations and
identified actions planned or under way to implement them.
In its comments to our draft report, DHS stated that the Highlights
page of our report includes a statement that is inaccurate. We
disagree. Specifically, DHS contends that it is not accurate to state
that TSA "has not conducted vulnerability assessments for 87 percent of
the nation's 450 commercial airports" because this statement does not
recognize that TSA uses other activities to assess airport
vulnerabilities, and that these activities are conducted for every
commercial airport. For example, DHS stated that (1) every commercial
airport must have a TSA-approved ASP, which is to cover personnel,
physical, and operational security measures; (2) each ASP is reviewed
on a regular basis by a FSD; and (3) such FSD reviews "include a review
of security measures applied at the perimeter." As we noted in our
report, TSA identified JVAs, along with professional judgment, as the
agency's primary mechanism for assessing airport security
vulnerabilities in accordance with NIPP requirements. Moreover, it is
not clear to what extent the FSD reviews and other activities TSA cites
in its comments address airport perimeter and access control
vulnerabilities or to what extent such reviews have been applied
consistently on a nationwide basis, since TSA has not provided us with
any documentary evidence regarding these or other reviews. Finally, in
meeting with TSA, its officials acknowledged that because they have not
conducted a joint vulnerability assessment for 87 percent of commercial
airports, they do not know how vulnerable these airports are to an
intentional breach in security or an attack. Thus, we consider the
statement on our Highlights page to be accurate.
TSA also stated that "as provided in our draft report" the foundation
of TSA's national strategy is its individual layers--or actions--of
security, which, when combined, generate an exponential increase in
deterrence and detection capability. However, we did not evaluate TSA's
layered approach to security or the extent to which this approach
provides increased deterrence and detection capabilities.
Regarding our first recommendation that TSA develop a comprehensive
risk assessment for airport perimeter and access control security, DHS
stated that TSA will develop such an assessment through its ongoing
efforts to conduct a comprehensive risk assessment for the
transportation sector. TSA intends to provide the results of the
assessment to Congress by January 2010. According to DHS, the aviation
domain portion of the sector risk assessment is to address, at the
national level, nine airport perimeter and access control security
scenarios. It also stated that the assessment is to integrate all three
elements of risk--threat, vulnerability and consequence--and will rely
on existing assessment activities, including JVAs. In developing this
assessment, it will be important that TSA evaluate whether its current
approach to conducting JVAs, which it identifies as one element of its
risk assessment efforts, appropriately assesses vulnerabilities across
the commercial airport system, and whether additional steps are needed.
Since TSA has repeatedly stated the need to develop baseline data on
airport security vulnerabilities to enable it to conduct systematic
analysis of vulnerabilities on a nationwide basis, TSA could also
benefit from exploring the feasibility of leveraging existing
assessment information from industry stakeholders to inform this
assessment.
DHS also agreed with our second recommendation that a well-developed
and well-documented evaluation plan should be part of TSA's efforts to
evaluate and implement future airport security pilot programs. In
addition, DHS concurred with our third recommendation that TSA develop
milestones for meeting statutory requirements for establishing system
requirements and performance standards for the use of biometric airport
access control systems. DHS noted that while mandatory use of such
systems is not required by statute, TSA is still considering whether it
will mandate the use of biometric access control systems at airports,
and in the meantime it will continue to encourage airport operators to
voluntarily utilize biometrics in their access control systems. We
agree that mandatory use of biometric access control systems is not
required by statute, but establishing milestones would help guide TSA's
continued work with the airport industry to develop and refine existing
biometric access control standards. In regard to our fourth
recommendation that TSA develop milestones for establishing agency
procedures for reviewing airport security requirements imposed through
security directives, DHS concurred that milestones are necessary.
Finally, in regard to our fifth recommendation that TSA develop a
national strategy for airport security that incorporates key
characteristics of effective security strategies, DHS concurred and
stated that TSA will develop a national strategy by updating the TS-
SSP. DHS stated that TSA intends to solicit input on the plan from its
Sector Coordinating Council, which represents key private sector
stakeholders from the transportation sector, before releasing the
updated TS-SSP in the summer of 2010. However, given that the TS-SSP is
to focus on detailing how the NIPP framework will apply to the entire
transportation sector, it may not be the most appropriate vehicle for
developing a national strategy that addresses the various management
issues specific to airport security that we identified in our report. A
more effective approach might be to issue the strategy as a stand-alone
plan, in keeping with the format TSA has used for its air cargo,
passenger checkpoint screening, and SPOT strategies. A stand-alone
strategy might better facilitate key stakeholder involvement, focus
attention on airport security needs, and allow TSA to more thoroughly
address relevant challenges and goals. But irrespective of the format,
it will be important that TSA fully address the key characteristics of
an effective strategy, as identified in our report. The intent of a
national strategy is to provide a unifying framework that guides and
integrates stakeholder activities toward desired results, which may be
best achieved when planned efforts are clear and sustainable, and
transparent enough to ensure accountability. Thus, it is important that
the strategy fully incorporate the following characteristics: (1)
measurable goals, priorities, and performance measures; (2) program
cost information, including the sources and types of resources needed;
and (3) plans for coordinating activities among stakeholders,
integrating airport security goals and activities with those of other
aviation security priorities, and implementing security activities
within the agency.
TSA also provided us with technical comments, which we considered and
incorporated in the report where appropriate.
We are sending copies of this report to the Secretary of Homeland
Security, the Secretary of Transportation, the Assistant Secretary of
the Transportation Security Administration, appropriate congressional
committees, and other interested parties. The report also is available
at no charge on the GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staff have any further questions about this report or
wish to discuss these matters further, please contact me at (202) 512-
4379 or lords@gao.govberrickc@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report are listed in
appendix IX.
Signed by:
Stephen M. Lord:
Director, Homeland Security and Justice Issues:
List of Requesters:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable John D. Rockefeller, IV:
Chairman:
Committee on Commerce, Science, and Transportation:
United States Senate:
The Honorable Loretta Sanchez:
Chairwoman:
Subcommittee on Border, Maritime and Global Counterterrorism:
Committee on Homeland Security:
House of Representatives:
The Honorable Jane Harman:
Chairwoman:
Subcommittee on Intelligence, Information Sharing and Terrorism Risk
Assessment:
Committee on Homeland Security:
House of Representatives:
The Honorable Sheila Jackson-Lee:
Chairwoman:
Subcommittee on Transportation Security and Infrastructure Protection:
Committee on Homeland Security:
House of Representatives:
The Honorable Donna M. Christensen:
The Honorable Peter A. DeFazio:
The Honorable Norman D. Dicks:
The Honorable Bob Etheridge:
The Honorable James R. Langevin:
The Honorable Zoe Lofgren:
The Honorable Nita Lowey:
The Honorable Ed Markey:
The Honorable Kendrick B. Meek:
The Honorable Eleanor Holmes Norton:
The Honorable Bill Pascrell, Jr.
House of Representatives:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
This report evaluates to what extent the Transportation Security
Administration (TSA) has:
* assessed the risk to airport security consistent with the National
Infrastructure Protection Plan's (NIPP) risk management framework;
* implemented protective programs to strengthen airport security, and
evaluated its worker screening pilot program; and:
* established a national strategy to guide airport security decision
making.
To evaluate the extent to which TSA has assessed risks for airport
perimeter and access control security efforts, we relied on TSA to
identify risk assessment activities for these areas, and we then
examined documentation for these activities, such as TSA's 2008 Civil
Aviation Threat Assessment, and interviewed TSA officials responsible
for conducting assessment efforts. We examined the extent to which TSA
generally conducted activities intended to assess threats,
vulnerabilities, and consequences to the nation's approximately 450
airports. We also reviewed the extent to which TSA's use of these three
types of assessments met the NIPP criteria for completing a
comprehensive risk assessment. However, while we assessed the extent to
which the individual threat and vulnerability assessment activities
that TSA identified addressed the area of airport perimeter and access
controls, the scope of our work did not include individual evaluations
of these activities to determine whether they were consistent with the
NIPP criteria for conducting threat and vulnerability assessments. In
addition, we reviewed and summarized critical infrastructure and
aviation security requirements set out by Homeland Security
Presidential Directives 7 and 16, the Aviation and Transportation
Security Act (ATSA),[Footnote 138] and other statutes and related
materials. We also examined the individual threat and vulnerability
assessment activities and discussed them with senior TSA and program
officials, to evaluate how TSA uses this information to set goals and
inform its decision making. We compared this information with the NIPP,
TSA's Transportation Security Sector-Specific Plan, and our past
guidance and reports on recommended risk management practices.[Footnote
139] In addition, we obtained and analyzed data from TSA regarding
joint vulnerability assessments, which are conducted with the Federal
Bureau of Investigation (FBI), to determine the extent to which TSA has
used this information to assess risk to airport perimeter and access
control security. We also obtained information on the processes used to
schedule and track these activities to determine the reliability with
which these data were collected and managed, and we determined that the
data were sufficiently reliable for the purposes of this report. We
interviewed TSA and FBI officials responsible for conducting joint
vulnerability assessments to discuss the number conducted by TSA since
2004, the scope of these assessments, and how they are conducted.
In addition, we interviewed selected TSA officials responsible for risk
management and security programs related to airport perimeter and
access control to clarify the extent to which TSA has assessed risk in
these areas. We selected these officials based upon their relevant
expertise with TSA's risk management efforts and its airport perimeter
and access control efforts. We also analyzed TSA data on security
breaches by calculating the total number of security breaches from
fiscal years 2004 through 2008. To determine that the data were
sufficiently reliable to present contextual information regarding all
breaches to secured areas (including airport perimeters) in this
report, we obtained information on the processes used to collect,
tabulate, and assess these data, and discussed data quality control
procedures with appropriate officials and found that the data were
sufficiently reliable for this purpose. Because the data include
security breaches that occurred within any type of secured areas,
including passenger-related breaches, they are not specific to
perimeter and access control security. In addition, the data have not
been adjusted to reflect potential issues that could also influence or
skew the number of overall breaches, such as annual increases in the
number of passengers or specific incidences occurring within individual
airports that account for more breaches than others. Furthermore,
because TSA does not require its inspectors to enter a description of
the breach when documenting an incident, and general reports on breach
data do not show much variation between incidences unless a report
includes a description of the breach, we did not ask TSA for
descriptive information on breaches that occurred.
To evaluate the extent to which TSA has implemented protective programs
to strengthen airport security consistent with the NIPP risk management
framework, we asked TSA to identify agency-led activities and programs
for strengthening airport security. For the purposes of this report, we
categorized TSA's responses into four main areas of effort: (1) worker
screening pilot program, (2) worker security programs, (3) technology,
and (4) general airport security. To determine the extent to which TSA
evaluated its worker screening pilot program, we analyzed TSA's final
report on it worker screening pilot program, including conclusions and
limitations cited by the contractor--the Homeland Security Institute
(HSI)--TSA hired to assist with the pilot's design, implementation, and
evaluation.[Footnote 140] We also reviewed standards for internal
control in the federal government and our previous work on pilot
program development and evaluation to identify accepted practices for
ensuring reliable results, including key features of a sound evaluation
plan.[Footnote 141] Further, we analyzed TSA and HSI's documentation of
the worker screening pilot program methodology to determine whether TSA
and HSI had documented their plans for conducting the program, whether
each pilot was carried out in a consistent manner, and if participating
airports were provided with written requirements or guidance for
conducting the pilots. To evaluate TSA's efforts for its worker
security programs, we assessed and summarized relevant program
information, operations directives, and standard operating procedures
for the Aviation Direct Access Screening Program (ADASP) and enhanced
background checks. We also informed this assessment with recent work by
the Department of Homeland Security's (DHS) Office of the Inspector
General (OIG) regarding worker screening.[Footnote 142] We reviewed the
DHS OIG's methodology and analysis to determine whether its findings
were reliable for use in our report. We analyzed TSA's documentation of
its background checks to determine if TSA sufficiently addressed
relevant ATSA requirements and recommendations from our 2004 report on
airport security.[Footnote 143] We also interviewed TSA officials
responsible for worker background checks to determine the agency's
efforts to develop a plan to meet outstanding ATSA requirements.
With respect to perimeter and access control technology, we reviewed
and summarized TSA documentation and evaluations of the Airport Access
Control Pilot Program (AACPP), documentation related to the Airport
Perimeter Security (APS) pilot program, and the dissemination of
information regarding technology to airports. We interviewed officials
with the DHS Directorate for Science and Technology, the National Safe
Skies Alliance, and RTCA, Inc., regarding research, development, and
testing efforts, and challenges and potential limitations of applicable
technologies to airport perimeter and access control security. We
selected these entities because of their role in the development of
such technology. We also interviewed TSA Headquarters officials to
obtain views on the nature and scope of technology-related efforts and
other relevant considerations, such as how they addressed relevant ATSA
requirements and recommendations from our 2004 report, or how they plan
to do so. With regard to TSA's efforts for general airport security, we
examined TSA's procedures for developing and issuing airport perimeter
and access control requirements through security directives and other
methods, and analyzed the extent to which TSA disseminated security
requirements to airports through security directives. At our request,
TSA identified 25 security directives and emergency amendments that
imposed requirements related to airport perimeter and access control
security, which we examined to identify specific areas of regulation.
In addition, we assessed and summarized relevant program information
and documentation, such as operations directives, for other programs
identified by TSA, such as the Visible Intermodal Prevention and
Response (VIPR) program, Screening of Passengers by Observation
Techniques (SPOT) program, and the Law Enforcement Officer
Reimbursement Program.
To evaluate the extent to which TSA established a national strategy to
guide airport security decision making, we considered guidance on
effective characteristics for security strategies and planning that we
previously reported, Government Performance and Results Act (GPRA)
requirements,[Footnote 144] and generally accepted strategic planning
practices for government agencies. In order to evaluate TSA's approach
to airport security, we reviewed TSA documents to identify major
security goals and subordinate objectives for airport perimeter and
access control security, and relevant priorities, goals, objectives,
and performance measures. We also analyzed relevant program
documentation, including budget, cost, and performance information,
including relevant information TSA developed and maintains for the
Office of Management and Budget's Performance Assessment Rating Tool.
We compared TSA's approach with criteria identified in NIPP, other DHS
guidance, GPRA, and other leading practices in strategies and planning.
We also interviewed relevant TSA program and budget officials, Federal
Aviation Administration (FAA) officials, and selected aviation industry
officials regarding the cost of airport perimeter and access control
security for fiscal years 2004 through 2008.
To determine the extent to which TSA collaborated with stakeholders on
airport security activities, and to obtain their insights on airport
security operations, costs, and regulation, we interviewed industry
officials from the Airports Council International-North America--whose
commercial airport members represent 95 percent of domestic airline
passenger and air cargo traffic in North America--and from the American
Association of Airport Executives--whose members represent 850 domestic
airports.[Footnote 145] We selected these industry associations based
on input from TSA and from industry stakeholders, who identified the
two associations representing commercial airport operators. We also
attended aviation association conferences at which industry officials
presented information on national aviation security policy and
operations, and we conducted a group discussion with 17 officials
representing various airport and aircraft operators and aviation
associations to obtain their views regarding key issues affecting
airport security. While the views expressed by these industry, airport,
and aircraft operator officials cannot be generalized to all airport
industry associations and operators, these interviews provided us with
additional perspectives on airport security and an understanding of the
extent to which TSA has worked and collaborated with airport
stakeholders.
We also conducted site visits at nine U.S. commercial airports--Orange
County John Wayne Airport, Washington-Dulles International Airport,
Miami International Airport, Orlando International Airport, John F.
Kennedy International Airport, Westchester County Airport, Logan
International Airport, Barnstable Municipal Airport, and Salisbury/
Wicomico County Regional Airport. During these visits we observed
airport security operations and discussed issues related to perimeter
and access control security with airport officials and on-site TSA
officials, including federal security directors (FSD). We selected
these airports based on several factors, including airport category,
size, and geographical dispersion; whether they faced problems with
perimeter and access control security; and the types of technological
initiatives tested or implemented. Because we selected a nonprobability
sample of airports to visit, those results cannot be generalized to
other U.S. commercial airports; however, the information gathered
provides insight into TSA and airport programs and procedures. In
addition, at Miami International Airport and John F. Kennedy
International Airport we conducted separate interviews with airport
officials to discuss their ongoing, or anticipated, efforts to
implement additional worker screening methods at their respective
airports. We also conducted telephone interviews with airport officials
and FSDs from four airports that had implemented, or planned to
implement, various forms of 100 percent screening of airport workers to
discuss their efforts. These were Cincinnati/Northern Kentucky
International Airport, Dallas/Fort Worth International Airport, Denver
International Airport, and Phoenix Sky Harbor International Airport.
While the views of the officials we spoke with regarding additional
worker screening methods cannot be generalized to all airport security
officials, they provided insight into how airport security programs
were chosen and developed. We also conducted an additional site visit
at Logan International Airport to observe TSA's implementation of
various worker screening methods as part of the agency's worker
screening pilot program. While the experiences of this pilot location
cannot be generalized to all airports participating in the pilot, we
chose this airport based on airport category and the variety of worker
screening methods piloted at this location.
We conducted this performance audit from May 2007 through September
2009 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
[End of section]
Appendix II: TSA Actions to Address Selected Statutory Requirements for
Airport Security:
TSA has taken steps since 2004 to address some of the requirements
related to airport perimeter and access control security prescribed by
ATSA.[Footnote 146] The related ATSA requirements, and TSA's actions as
of May 2009 to address these requirements, are summarized in table 3.
Table 3: TSA Actions since 2004 to Address Relevant ATSA Requirements
through May 2009:
Requirement for evaluating airport access controls:
ATSA requirements related to airport perimeter and access control
security:
TSA shall, on an ongoing basis, accept and test for compliance with
access control requirements, report annually on the findings of the
assessments, and assess the effectiveness of penalties in ensuring
compliance with security procedures and take any other appropriate
enforcement actions when noncompliance is found. See 49 U.S.C. §
44903(g)(2)(D);
TSA actions taken in response: The agency has established schedules and
developed an analytical approach for completing compliance inspections.
In doing so, TSA developed inspection prompts that target critical
areas of the airport. TSA officials told us that the agency has not
developed measures to assess the effectiveness of its penalties, but
believes that its current approach of requiring documentation of issues
and prompt corrective action by the operator upon the discovery of
noncompliance results in acceptable performance.
Requirements for strengthening the security of airport perimeters and
access controls:
ATSA requirements related to airport perimeter and access control
security: Within 6 months after enactment of ATSA (enacted Nov. 19,
2001), TSA shall recommend to airport operators commercially available
measures or procedures to prevent access to secure airport areas by
unauthorized persons. As part of the assessment, TSA shall review the
effectiveness of biometrics systems currently in use, increased
surveillance at access points, card-or key-based access systems, and
emergency exit systems, as well as specifically targeting the
elimination of "piggybacking," where one person follows another through
an access point. The assessment shall include a 12-month deployment
strategy for currently available technology at all Category X--
generally the largest and busiest--airports. Not later than 18 months
after enactment, the Secretary of Transportation was to conduct a
review of reductions in unauthorized access at Category X airports. See
49 U.S.C. § 44903(j)(1)[A];
TSA actions taken in response: TSA officials said that in an effort to
assist aviation stakeholders in determining the effectiveness of access
control technologies, TSA has provided information to airports on
available technology through (1) AACPP, a pilot program designed to
test new and emerging access controls technology, and (2) a list of
biometric products that meet standards set by TSA. However, TSA
officials also stated that while the agency has not yet recommended
commercially available measures or a deployment strategy, it plans to
implement a second phase of AACPP, which may result in recommended
technologies.
ATSA requirements related to airport perimeter and access control
security: TSA shall establish pilot programs in no fewer than 20
airports to test and evaluate technology for providing access control
and security protections for closed or secure areas. See 49 U.S.C. §
44903(c)(3);
TSA actions taken in response: In 2003 TSA established AACPP, as
described above. In December 2006, TSA issued a final report that
summarized the results of the 20 pilot projects involved in the
program.
ATSA requirements related to airport perimeter and access control
security: TSA shall develop a plan to provide technical support and
financial assistance to airports with less than 1 percent of the total
annual enplanements for the most recent calendar year for which data
are available, to enhance security operations and to defray the costs
of such enhancements. See Pub. L. No. 107-71, § 106(b)(1), 115 Stat.
571, 609;
TSA actions taken in response: According to TSA officials, the agency
has in part met this requirement by providing technical assistance
through AACPP, the APS pilot program, and the Law Enforcement Officer
Reimbursement Program. However, officials explained that as of May 2009
the agency had not yet developed a plan to provide technical
information and funding to small-and medium-sized airports, because TSA
has not been specifically directed to obligate funding for this
purpose, and that its resources and management attention have focused
on requirements for which it has direct responsibility and deadlines,
including passenger and baggage screening.
Requirements for reducing the risks posed by airport workers:
ATSA requirements related to airport perimeter and access control
security: TSA shall, as part of the employment investigation for
escorted or unescorted access to aircraft or secured areas of an
airport, include a review of available law enforcement databases and
records of other government and international agencies, to the extent
determined practicable. See 49 U.S.C. § 44936;
TSA actions taken in response: While TSA requires background checks--
which include fingerprint and name-based checks--on all workers with
unescorted access to secured airport areas, it does not require such
checks for workers who have regularly escorted access. According to TSA
officials, it is not necessary to conduct checks on workers who have
regularly escorted access because the agency has taken other steps that
adequately address the threat that may be posed by regularly escorted
workers, such as random screening. In addition, in October 2007, TSA
issued a security directive that contained a requirement limiting the
number of workers who can escort nonauthorized workers. TSA officials
also stated that airports typically seal off or isolate the area where
workers with escorted access are located.
ATSA requirements related to airport perimeter and access control
security: TSA shall require scheduled passenger carriers, and airports
operating under TSA-approved security programs, to develop security
awareness training programs for airport employees; ground crews; gate,
ticket, and curbside agents of the air carriers; and other individuals
employed at such airports. See Pub. L. No. 107-71, § 106(e), 115 Stat.
571, at 610;
TSA actions taken in response: According to TSA officials, this
requirement is addressed through a security directive that requires
airports to implement a security awareness plan to keep employees,
contractors, and new hires informed of the increased threat to airport
security and their individual security responsibilities. Workers must
report suspicious items or activities that come to their attention at
the airport to the appropriate official, in accordance with local
procedures. In addition, according to TSA officials, TSA-approved
aircraft operator programs should contain specific and detailed
requirements for initial and recurrent security training of aircraft
workers.
ATSA requirements related to airport perimeter and access control
security: TSA shall require vendors having direct access to the
airfield and aircraft to develop their own security programs. See 49
U.S.C. § 44903(h)(4)(D);
TSA actions taken in response: According to TSA officials, this
requirement is addressed through the airport security program plans
that airport operators are required by law and regulation to develop;
these plans are to include vendor operations. Further, TSA officials
noted that airport security directives require vendor workers who have
access to a secured area to undergo fingerprint-based criminal history
background checks. In addition, according to officials, airports are
required to inspect all vendor deliveries, vendor employees, and
delivery personnel. TSA officials noted that the agency can assist
airports in these efforts by screening employees though ADASP.
ATSA requirements related to airport perimeter and access control
security: TSA shall require, as soon as practicable after enactment,
screening or inspection of all persons, vehicles, equipment, goods, and
property before they enter secured areas of airports operating under
TSA-approved security programs. See 49 U.S.C. § 44903(h)(4)(A);
TSA actions taken in response: TSA officials stated that the agency has
met this requirement through collective airport security activities,
such as airport worker background checks and the random screening of
airport workers and vehicles.
Sources: Pub. L. No. 107-71, §§ 106, 136, 138, 115 Stat. 597, 608-10,
36-37, 39-41 (2001), and GAO summary and analysis of TSA actions taken.
[A] Pursuant to the Homeland Security Act of 2002, TSA transferred from
the Department of Transportation to the newly established DHS. See Pub.
L. No. 107-296, § 403, 116 Stat. 2135, 2178 (2002).
[End of table]
[End of section]
Appendix III: TSA Also Uses Compliance Inspections and Covert Testing
to Detect Possible Airport Security Vulnerabilities:
TSA officials told us that they use the results of compliance
inspections and covert testing to augment their assessment of potential
vulnerabilities in airport security. Compliance inspections examine a
regulated entity's--such as an airport operator or air carrier--
adherence to federal regulations, which TSA officials say they use to
determine if airports adequately address known threats and
vulnerabilities.[Footnote 147] According to TSA, while regulatory
compliance is just one dimension of airport security, compliance with
federal requirements allows TSA to determine the general level of
security within an airport. As a result, according to TSA, compliance
with regulations suggests less vulnerability within an airport and,
conversely, failure to meet critical compliance rates suggests the
likelihood of a larger problem within an airport and helps the agency
identify and assess vulnerabilities. TSA allows its inspectors to
conduct compliance inspections based on observations of various
activities, such as ADASP, VIPR, and local covert testing, and to
conduct additional inspections based on vulnerabilities identified
through assessments or the results of regular inspections.
Covert tests are any test of security systems, personnel, equipment,
and procedures to obtain a snapshot of the effectiveness of that
security measure, and they are used to improve airport performance,
safety, and security. TSA officials stated that covert testing assists
the agency in identifying airport vulnerabilities because such tests
are designed based on threat assessments and intelligence to
approximate techniques that terrorists may use to exploit gaps in
airport security. TSA conducts four types of covert tests for airport
access controls:
* Access to security identification display areas (SIDA): TSA
inspectors not wearing appropriate identification attempt to penetrate
SIDA access points, such as boarding gates, employee doors, and other
entrances.
* Access to air operations areas (AOA): TSA inspectors not wearing
appropriate identification attempt to penetrate AOA via access points
from public areas, such as perimeter gates and cargo areas.
* Access to aircraft: TSA inspectors not wearing appropriate
identification (or not carrying valid boarding passes) attempt to
penetrate passenger access points that lead to aircraft from sterile
areas, such as boarding gates, employee doors, and jet ways.
* SIDA challenges: Once inside a SIDA, TSA inspectors attempt to walk
around these areas, such as the tarmac and baggage loading areas,
without displaying appropriate identification.
TSA also requires FSDs to conduct similar, locally controlled tests of
access controls to ensure compliance and identify possible
vulnerabilities with airport security. These tests are selected by the
FSDs and based on locally identified risks and can include challenging
procedures in the secure area, piggybacking (following authorized
airport workers into secured areas), and attempting to access an
aircraft from sterile area.
According to TSA officials, the agency uses the results of its covert
tests to inform decision making for airport security, but officials
could not provide examples of how this information has specifically
informed past decisions.[Footnote 148]
[End of section]
Appendix IV: Costs for Airport Security:
Various TSA offices and programs contribute to the overall operations
and costs of airport perimeter and access control security. According
to TSA officials, the agency does not develop a cost estimate specific
to perimeter and access control security because such efforts are often
part of broader security activities or related programs--for example,
VIPR and SPOT are also used for passenger screening. As a result, it is
difficult to identify what percentage of program costs has been
expended on airport perimeter and access control security activities.
At our request, TSA officials identified the estimated spending related
to perimeter and access control security programs from fiscal years
2004 through 2008 (see table 4).[Footnote 149]
Table 4: Summary of TSA-Identified Costs Related to Airport Security,
Fiscal Years 2004-2008 (Present year dollars in millions):
Program/office: Office of Law Enforcement/Federal Air Marshal Service;
Joint Vulnerability Assessment Program;
Present year dollars in millions: FY04: $0.03;
Present year dollars in millions: FY05: $0.08;
Present year dollars in millions: FY06: $0.06;
Present year dollars in millions: FY07: $0.10;
Present year dollars in millions: FY08: $0.08;
Present year dollars in millions: Total: $0.35.
Program/office: Office of Law Enforcement/Federal Air Marshal Service;
Law Enforcement Reimbursement Program;
Present year dollars in millions: FY04: $64.24;
Present year dollars in millions: FY05: $63.61;
Present year dollars in millions: FY06: $67.36;
Present year dollars in millions: FY07: $66.22;
Present year dollars in millions: FY08: $66.90;
Present year dollars in millions: Total: $328.33.
Program/office: Office of Security Operations: ADASP[A];
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: N/A;
Present year dollars in millions: FY06: N/A;
Present year dollars in millions: FY07: $38.00;
Present year dollars in millions: FY08: $70.60;
Present year dollars in millions: Total: $108.60.
Program/office: Office of Security Operations: SPOT[B];
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: N/A;
Present year dollars in millions: FY06: $5.01;
Present year dollars in millions: FY07: $21.46;
Present year dollars in millions: FY08: $87.07;
Present year dollars in millions: Total: $113.54.
Program/office: Office of Security Operations: VIPR;
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: N/A;
Present year dollars in millions: FY06: N/A;
Present year dollars in millions: FY07: $$1.94;
Present year dollars in millions: FY08: NSI[C];
Present year dollars in millions: Total: NSI.
Program/office: Office of Security Operations: Compliance Inspections;
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: $68.34;
Present year dollars in millions: FY06: $70.65;
Present year dollars in millions: FY07: $74.30;
Present year dollars in millions: FY08: $75.70;
Present year dollars in millions: Total: $288.99.
Program/office: Office of Transportation Threat Assessment and
Credentialing;
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: N/A;
Present year dollars in millions: FY06: $2.00;
Present year dollars in millions: FY07: $2.00;
Present year dollars in millions: FY08: $2.00;
Present year dollars in millions: Total: $6.00.
Program/office: Office of Intelligence Special Operations Covert Test
Program;
Present year dollars in millions: FY04: $0.18;
Present year dollars in millions: FY05: $0.15;
Present year dollars in millions: FY06: $0.06;
Present year dollars in millions: FY07: $0.12;
Present year dollars in millions: FY08: $0.05;
Present year dollars in millions: Total: $0.56.
Program/office: Office of Transportation Sector Network Management[D];
Present year dollars in millions: FY04: N/A;
Present year dollars in millions: FY05: N/A;
Present year dollars in millions: FY06: NSI;
Present year dollars in millions: FY07: NSI;
Present year dollars in millions: FY08: NSI;
Present year dollars in millions: Total: NSI.
Total Identified Costs
Total: $846.37.
Source: GAO summary of TSA data.
Legend: N/A = not applicable;
NSI = not separately identified.
Notes: This table includes funds either obligated or expended by TSA
for programs and activities related to airport perimeter and access
control security (figures rounded to the nearest one hundredth).
However, many of these programs and activities also include efforts
that apply to other areas of aviation security. For example, compliance
inspections are used to assess the extent to which airports comply with
perimeter and access control requirements, as well as to assess the
extent to which air carriers comply with other TSA regulations. Because
of rounding, numbers may not add to totals.
[A] The ADASP fiscal year 2007 figure is an estimate based upon ADASP
staff days allocated to all commercial airports calculated by using the
average cost of 1 staff day devoted to ADASP activities.
[B] Cost figures for SPOT are TSA's estimates of expenditures for the
respective fiscal years; they do not reflect allocations. TSA allotted
$40.8 million to SPOT activities for fiscal year 2007 and $144.1
million for fiscal year 2008. According to TSA officials, approximately
$80 million that the agency initially allotted for SPOT activities in
fiscal years 2007 and 2008 was not spent on the program, but was
expended for general transportation security officer performance,
compensation, and benefits.
[C] NSI indicates that the specific costs for these programs were
unknown because the activities were elements of a larger program and
could not be separately identified by TSA. For example, in fiscal year
2008 TSA was allocated $20 million for VIPR, but the amount to be
applied to airport perimeter and access controls security was not
separately identified.
[D] TSA officials said that they did not track and could not separately
identify the estimated costs for perimeter and access control-related
activities conducted by the Office of Transportation Sector Network
Management in fiscal years 2006 through 2008 because such activities
are part of normal staff hour and contractor support costs. According
to TSA officials, such activities include those related to SIDA II, the
APS pilot program, and security directive development and
implementation.
[End of table]
Airports can receive funding for purposes related to perimeter and
access control security via grants awarded through FAA's Airport
Improvement Program. TSA officials also told us that the agency
generally does not collect or track cost information for airport
security efforts funded through the Airport Improvement Program.
[Footnote 150] This program is one of the principal sources of funding
for airport capital improvements in the United States, providing
approximately $3 billion in grants annually to enhance airport
capacity, safety, and environmental protection, as well as perimeter
security. According to FAA officials, many factors are considered when
awarding grants to airports for perimeter security enhancements,
although security projects required by statute or regulation receive
the highest priority. Projects that receive funding have included
computerized access controls for ramps, infrastructure improvements to
house central computers, surveillance systems, and perimeter fencing.
According to FAA, more than $365 million in airport perimeter and
access control-related grants were provided through the Airport
Improvement Program for fiscal years 2004 through 2008.
TSA officials also told us that the agency does not track funds spent
by individual airport operators to enhance or maintain perimeter and
access control security. In 2009 the Airports Council International-
North America--an aviation industry association--surveyed commercial
airports regarding the funding needed for airport capital projects from
2009 to 2013. As part of this effort, the association surveyed airport
operators on the amount of funds they planned to expend on airport
security as a percentage of their overall budgets.[Footnote 151] The
association reported that planned airport operator spending on airport
security, as a percentage of total spending, ranged from 3.8 percent
(about $2 billion) for large hub airports to 3.9 percent (about $230
million) for small hub airports.[Footnote 152] The association surveys
did not include information on the types of security projects
undertaken by airports. However, during our site visits we obtained
data from selected airport operators on the costs of perimeter and
access control security projects they had recently concluded or
estimated costs for projects in progress. Examples of airport spending
on perimeter and access control security include:
* $30 million to install a full biometric access system;
* $6.5 million to install an over 8,000-foot-long blast/crash resistant
wall along the airport perimeter;
* $8 million to install over 680 bollards in front of passenger
terminals and vehicle access points; and:
* $3 million to develop and install an infrared intrusion detection
system.
[End of section]
Appendix V: TSA Worker Screening Pilot Program:
From May through July 2008 TSA implemented worker screening pilots at
seven airports in accordance with the Explanatory Statement
accompanying the DHS Appropriations Act, 2008 (see table 5 for a
summary of text directing the worker screening pilot program). At three
airports, TSA conducted 100 percent worker screening--inspections of
all airport workers and vehicles entering secure areas; at four others
TSA randomly screened 20 percent of workers and tested other enhanced
security measures. Screening of airport workers was to be done at
either the airport perimeter or the passenger screening checkpoints.
TSA was directed to collect data on the methods it utilized, and
evaluate the benefits, costs, and impacts of 100 percent worker
screening to determine the most effective and cost-efficient method of
addressing and deterring potential security risks posed by airport
workers.
Table 5: Summary of Explanatory Text Directing the Worker Screening
Pilot Program:
Categories: Funding;
Explanatory text: $15,000,000.
Categories: Duration;
Explanatory text: TSA shall screen all airport workers at three
airports for no less than 90 days.
Categories: Implementation;
Explanatory text: Undertake other screening methods at up to four
additional airports.
Categories: Alternatives;
Explanatory text: Other methods to enhance screening could include
physical inspections, behavioral recognition, biometric access
controls, cameras, and body imaging.
Categories: Data collection;
Explanatory text: TSA shall collect data on the benefits, costs, and
impacts of 100 percent airport worker screening as well as on the other
methods utilized.
Categories: Reporting results;
Explanatory text: TSA shall report to the Committees on Appropriations
of the Senate and House of Representatives on (1) the results of the
pilots, including the average wait times at screening checkpoints for
passengers and workers; (2) the estimated cost of the infrastructure
and personnel necessary to implement a screening program for airport
workers at all U.S. commercial service airports in order to meet a 10-
minute standard for processing passengers and workers through screening
checkpoints; (3) the ways in which the current methods for screening
airport workers could be strengthened; and (4) the impact of screening
airport workers on other security-related duties at airports; TSA shall
provide an interim briefing to the committees on the progress and
results of these pilots not later than September 1, 2008.
Source: Explanatory Statement accompanying Division E of the
Consolidated Appropriations Act, 2008; Pub. L. No. 110-161, 121 Stat.
1844, 2042 (2007), at 1048.
[End of table]
The enhanced measures that TSA tested at the four airports not
implementing 100 percent screening are summarized below:
* Employee training: TSA provided a security awareness training video,
which all SIDA badgeholders were required to complete. According to
TSA, the training intended reduce security breaches by increasing
workers' understanding of their security responsibilities and awareness
of threats and abnormal behaviors.
* Behavioral recognition training: TSA provided funding to
participating airports to teach select law enforcement officers and
airport personnel to identify potentially high-risk individuals based
on their behavior. A condensed version of the SPOT course, this
training was intended to equip personnel with skills to enhance
existing duties, according to TSA officials.
* Targeted physical inspections: TSA conducted random inspections of
vehicles and individuals entering the secured areas of airports to
increase the coverage of ADASP. Inspections consisted of bag, vehicle,
and identification checks; scanning bottled liquids; and random
security sweeps of specific airport areas.
* Deployment of technology: TSA employed additional technology at
selected airports to assist with the screening of employees, such as
walk-through and handheld metal detectors, bottled liquid scanners, and
explosive detection systems. TSA also tested biometric access control
systems at selected airports.
[End of section]
Appendix VI: Additional TSA Efforts to Improve General Airport
Security:
VIPR:
According to TSA, VIPR operations augment existing airport security
activities, such as ADASP, and provide a visual deterrent to terrorist
or other criminal activity. VIPR was first implemented in 2005, and
according to TSA officials, VIPR operations are deployed through a risk-
based approach and in response to specific intelligence information or
known threats. In a VIPR operation, TSA officials, including
transportation security officers and inspectors, behavioral detection
officers, bomb appraisal officers, and federal air marshals work with
local law enforcement and airport officials to temporarily enhance
aviation security. According to TSA officials, VIPR operations for
perimeter and access control security can include random inspections of
individuals, property, and vehicles, as well as patrols of secured
areas and random checks to ensure that employees have the proper
credentials. TSA officials told us that although they do not know how
many VIPR deployments have specifically addressed airport perimeter and
access control security, from March 2008 through April 2009 TSA
performed 1,042 commercial and general aviation airport or cargo VIPR
operations. According to TSA officials, the majority of these
operations involved the observation and patrolling of secured airport
areas and airport perimeters. As of May 2009 TSA officials also said
that the agency is in the process of enhancing its VIPR database to
more accurately capture and track specific operational objectives, such
as enhancing the security of airport perimeters and access controls,
and developing an estimated time frame for completing this effort.
[Footnote 153]
SPOT:
Since 2004 TSA has used SPOT--a passenger screening program in which
behavior detection officers observe and analyze passenger behavior to
identify potentially high-risk individuals--to determine if an
individual or individuals may pose a risk to aircraft or airports.
Although SPOT was originally designed for passenger screening, TSA
officials stated that FSDs can also use behavior detection officers to
assess worker behavior as they pass through the passenger checkpoint,
as part of random worker screening operations or as part of VIPR teams
deployed at an airport. However, TSA officials could not determine how
often behavior detection officers have participated in random worker
screening or VIPR operations, or identify which airports have used
behavior detection officers for random worker screening. According to
TSA officials, the agency is in the process of redesigning its data
collection efforts and anticipates that it will be able to more
accurately track this information in the future, though officials did
not provide a time frame for doing so. TSA officials also told us that
when participating in random worker screening, behavior detection
officers observe workers for suspicious behavior as they are being
screened and may engage workers in casual conversation to assess
potential threats. According to TSA officials, the agency has provided
behavior detection training to law enforcement personnel as part of its
worker screening pilot program, as well as to selected airport security
and operations personnel at more than 20 airports.[Footnote 154] We
currently have ongoing work assessing SPOT, and will issue a report on
this program at a later date.
Law Enforcement Officer Reimbursement Program:
TSA undertakes efforts to facilitate the deployment of law enforcement
personnel authorized to carry firearms at airport security checkpoints,
and in April 2002, the Law Enforcement Officer Reimbursement Program
was established to provide partial reimbursement for enhanced, on-site
law enforcement presence in support of the passenger screening
checkpoints. Since 2004, the program has expanded to include law
enforcement support along the perimeter and to assist with worker
screening. According to TSA, the program is implemented through a
cooperative agreement process that emphasizes the ability of both
parties to identify and agree as to how law enforcement officers will
support the specific security requirements at an airport. For example,
the FSD, in consultation with the airport operator and local law
enforcement, may determine that rather than implementing fixed-post
stationing of law enforcement officers, it may be more appropriate to
implement flexible stationing of law enforcement officers. TSA may also
provide training or briefings on an as-needed basis on relevant
security topics, including improvised explosive device recognition,
federal criminal statutes pertinent to aviation security, and
procedures and processes for armed law enforcement officers. Awards
made under the reimbursement program are subject to the availability of
appropriated funds, among other things, and are to supplement not
supplant state and local funding. According to TSA officials, however,
no applicant has been denied funds based on lack of appropriated funds.
[End of section]
Appendix VII: Alternative Methods Available to Assist TSA in Assessing
the Effectiveness of Its Actions to Strengthen Airport Security:
Program evaluation methods exist whereby TSA could attempt to assess
whether its activities are meeting intended objectives. These methods
center on reducing the risk of both external and internal threats to
the security of airport perimeters and access controls, and seek to use
information and resources available to help capture pertinent
information.
First, recognizing that there are challenges associated with measuring
the effectiveness of deterrence-related activities, the NIPP's Risk
Management Framework provides mechanisms for qualitative feedback that
although not considered a metric, could be applied to augment and
improve the effectiveness and efficiency of protective programs and
activities. For example, working with stakeholders--such as airport
operators and other security partners--to identify and share lessons
learned and best practices across airports could assist TSA in better
tailoring its efforts and resources and continuously improving
security. Identifying a range of qualitative program information--such
as information gathered through vulnerability assessment activities or
compliance inspections--could also allow TSA to determine whether
activities are effective. As discussed in appendix III, compliance
inspections and covert tests could be used to identify noncompliance
with regulations or security breaches within designated secured areas.
For example, TSA could use covert tests to determine if transportation
security officers are following TSA procedures when screening airport
workers or whether certain worker screening procedures detect
prohibited items. However, in order to improve the usefulness of this
technique, we previously recommended to TSA that the agency develop a
systematic process for gathering and analyzing specific causes of all
covert testing failures, record information on processes that may not
be working properly during covert tests, and identify effective
practices used at airports that perform well on covert tests.[Footnote
155]
Second, as TSA has already begun to do with some activities, it could
use data it already collects to identify trends and establish baseline
data for a future comparison of effectiveness.[Footnote 156] For
example, a cross-sectional analysis of the number of workers caught
possessing prohibited items at specific worker screening locations over
time, while controlling for variables such as increased law enforcement
presence or airport size, could provide insights into what type of
security activities help to reduce the possession of prohibited items.
Similarly, an examination of airport workers apprehended, fired, or
referred to law enforcement while on the job could provide insights
into the quality of worker background checks and security threat
assessments. Essentially, the these types of analyses provide a useful
context for drawing conclusions about whether certain security
practices are reasonable and appropriate given certain conditions and,
gradually, with the accumulation of relevant data, should allow TSA to
start identifying cause-and-effect relationships.
Third, according to the Office of Management and Budget (OMB), the use
of proxy measures may also allow TSA to determine how well its
activities are functioning. Proxy measures are indirect measures or
indicators that approximate or represent the direct measure. TSA could
use proxy measures to address deterrence, other security goals as
identified above, or a combination of both. According to OMB, proxy
measures are to be correlated to an improved security outcome, and the
program should be able to demonstrate--for example, through the use of
modeling--how the proxies tie to the eventual outcome. The Department
of Transportation has also highlighted the need for proxy measures when
assessing maritime security efforts pertaining to deterrence. For
example, according to the Department of Transportation, while a direct
measure of access to seaports might be the number of unauthorized
intruders detected, proxy measures for seaport access may include
related information on gates and guards--combined with crime statistics
relating to unauthorized entry in the area of the port--to support a
broader view of port security. In terms of aviation security, because
failure to prevent a worker from placing a bomb on a plane could be
catastrophic, proxy measures may include information on access
controls, worker background checks, and confiscated items. Proxy
measures could also include information on aircraft operators' efforts
to secure the aircraft. In using a variety of proxy measures, failure
in any one of the identified measures could provide an indication on
the overall risk to security.
Lastly, the use of likelihood, or "what-if scenarios," which are used
to describe a series of steps leading to an outcome, could allow TSA to
assess whether potential activities and efforts effectively work
together to hypothetically achieve a positive outcome. For example, the
development of such scenarios could help TSA to consider whether an
activity's procedures could be modified in response to identified or
projected changes in terrorist behaviors, or if an activity's ability
to reduce or combat a threat is greater if used in combination with
other activities.
[End of section]
Appendix VIII: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
September 24, 2009:
Mr. Steve Lord:
Director:
Homeland Security & Justice:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Lord:
Thank you for the opportunity to comment on the draft report: "Aviation
Security-A National Strategy and Other Actions Would Strengthen TSA's
Efforts to Secure Commercial Airport Perimeters and Access Controls"
(GAO-09-399SU). The Transportation Security Administration (TSA)
appreciates the U.S. Government Accountability Office's (GAO) work in
planning, conducting, and issuing this report.
As provided in the draft report, the foundation of TSA's national
strategy is that each of the Agency's security actions serves as a
layer. When the layers are used in a combined approach, there is an
exponential increase in deterrence and detection capability. As the GAO
is aware, TSA provides regulatory oversight of U.S. commercial airport
operator security programs, of which access control and perimeter
security are components. TSA does not directly fund or provide
perimeter security or access controls for commercial airports. As the
Agency continually enhances the layers of security specific to
commercial airports, we rely on strategic partnerships with our
stakeholders, including individual airports and their professional
associations, to ensure we obtain their understanding and support of
TSA efforts toward development of biometric access control systems,
perimeter security improvements, employee screening, security
directives, and risk assessment methodologies. Our commitment to
ongoing communication and collaboration with the airport industry
continues to assist TSA in enhancing the security of our Nation's
commercial airports allowing the Agency to achieve continued progress
toward Congressional requirements.
In support of our overarching national strategy and our commitment to
work in partnership with the airport industry, TSA utilizes several
risk assessment and methodology tools, including the National
Infrastructure Protection Plan (NIPP) and the Transportation Systems
Sector-Specific Plan (TS-SSP), which support TSA requirements as
pertains to the Homeland Security Presidential Directive (HSPD) -7 and
the Homeland Security Act of 2002. As GAO acknowledged in the draft
report, the NIPP characterizes risk as a function of threat,
vulnerability, and consequence (TVC). In support of the NIPP, the TSA
also utilizes the Aviation Domain Risk Analysis (ADRA) and Joint
Vulnerability Assessments (JVAs).
Specific to framing the Agency's approach to U.S. commercial airport
access control and perimeter security, we rely on three products: daily
intelligence briefings, weekly suspicious incident reports, and
situational awareness reports. These specific products are shared with
internal and external stakeholders, which affirm our ongoing commitment
to work in collaboration and partnership with the commercial airport
industry. TSA agrees with GAO in that continued collaboration with our
airport industry stakeholders and improvements to risk assessment
processes will better focus the Agency's National strategy for U.S.
commercial airport security. Since its inception, the Agency has made
significant progress toward enhancing airport access control and
perimeter security systems, as well as strengthening our risk
assessment methodologies and tools.
We would like to specifically address a comment we feel is inaccurate.
In the Highlights summary, GAO states that TSA "has not conducted
vulnerability assessments for 87 percent of the Nation's approximately
450 commercial airports." While the full report correctly addresses the
scope of joint vulnerability assessments, it is not accurate to expand
the issue to all types of assessments and all airports. As GAO is
aware, every TSA regulated commercial service airport must have a TSA-
approved Airport Security Program (ASP) covering personnel, physical
and operational security measures. The ASP is reviewed on a regular
basis by TSA's Federal Security Directors, including a review of
security measures applied at the perimeter. In addition, a wide array
of TSA activity takes place at airports to expose and reduce
vulnerability beyond the use of joint vulnerability assessments, the
gold standard for perimeter assessments. This statement as written
excludes this activity and inaccurately describes the state of security
at our commercial service airports.
In conclusion, TSA will continue to work in collaboration with our
commercial airport stakeholders and refine our risk assessment
methodologies and tools so that the Agency may better support its
established national strategy. Our ongoing progress demonstrates our
commitment to continuous improvement to ensure the security of the
traveling public and commercial airports.
In support of this, the Agency concurs with all of the GAO's
recommendations and offers the following responses to the specific
recommendations.
Recommendation 1: Develop a comprehensive risk assessment for airport
perimeter and access control security, along with milestones (i.e.,
time frames) for completing the assessment that (1) uses existing
threat and vulnerability assessment activities, (2) includes
consequence analysis, and (3) integrates all three elements of risk-
threat, vulnerability, and consequence.
* As part of this effort, evaluate whether the current approach to
conducting Joint Vulnerability Assessments appropriately and reasonably
assesses systems vulnerabilities, and whether an assessment of security
vulnerabilities at airports nationwide should be conducted.
* If the evaluation demonstrates that a nationwide assessment should be
conducted, TSA should develop a plan that includes milestones for
completing the nationwide assessment. As part of this effort, TSA
should also leverage existing assessment information from industry
stakeholders, to the extent feasible and appropriate, to inform its
assessment.
Concur: The Transportation Security Administration (TSA) will
accomplish this task by conducting a comprehensive risk assessment that
addresses security across the sector, including the aviation domain.
Within that mode, this risk assessment will address nine access
control/perimeter security scenarios. TSA is using the Transportation
Sector Security Risk Assessment tool to conduct the assessment, and the
assessment is being scoped at the national level. TSA began this
assessment in early 2009. The assessment relies on existing
assessments, to include Joint Vulnerability Assessments (JVAs), which
are intended to provide one of several perspectives in an overall risk
assessment. The assessment also includes consequence analysis and
integrates all three risk elements. TSA anticipates providing the
results of this assessment to Congress by January 2010. TSA notes that
JVAs are intended to provide one component of the overall risk
assessment. JVAs alone are not intended to provide a complete and/or
full risk assessment of our Nation's airports.
Recommendation 2: Ensure that future airport security pilot program
evaluation and implementation efforts include a well-developed and
documented evaluation plan that includes:
* measureable objectives,
* criteria or standards for determining program performance,
* a clearly articulated methodology,
* a detailed data collection plan, and,
* a detailed analysis plan.
Concur: TSA concurs with the GAO recommendation for future pilot
programs involving airport perimeter and access control systems.
Recommendation 3: Develop milestones for meeting statutory
requirements, in consultation with appropriate aviation industry
stakeholders, for establishing system requirements and performance
standards for the use of biometric airport access control systems.
Concur: Although the mandatory use of biometric airport access control
systems is not required by statute, TSA is still considering whether or
not it will mandate the use of biometric airport access control
systems. In the interim, TSA continues to encourage airport operators,
via voluntary measures, to utilize biometrics in their credentialing
and access control systems. As to establishing milestones, TSA will
continue to work in collaboration with the airport industry toward the
continued development and refinement of existing biometric airport
access control standards. As noted in the draft report, TSA did work in
collaboration with the industry, specific to development of biometric
access control standards, which resulted in the publication of RTCA DO-
230B, titled Integrated Security System Standard_ for Airport Access
Control, dated June 19, 2008.
Recommendation 4: Develop milestones for establishing agency procedures
for reviewing airport perimeter and access control requirements imposed
through security directives.
Concur: Milestones for establishing Agency procedures for reviewing
airport perimeter and access control requirements imposed through
security directives (SDs) are necessary. However, TSA must maintain its
flexibility in processing those SDs, as some of the security issues
addressed in these documents have greater implications than others. TSA
has issued SDs as a means to immediately mitigate risk in the aviation
sector. Over the years, there have been risks that have arisen that
required action in a manner quicker than the rule making process would
allow. For example, the issuance of an SD limiting liquids, gels, and
aerosols in commercial airport sterile areas, issued in August 2006,
was developed as a result of intelligence revealing a direct and
immediate threat to the traveling public. Unfortunately, that threat,
like others, has not gone away, hence the need to sustain the SD. In
more recent times, an SD was issued in December of 2008 on the subject
of airport employee badging procedures. This directive had the U.S.
Department of Homeland Security level impetus and was issued as a
result of significant security issues identified nationwide at
commercial airports. This SD was coordinated with industry through a
non-disclosure procedure and reviewed before it was issued. In this
instance, there was ample time to allow for that level of coordination.
The SD issuance procedures include an internal TSA review and an
evaluation of TSA's legal authority to issue SDs. The procedure also
takes into consideration the industry's ability to carry out the
security measures to mitigate the threat while continuing operations
and meeting the needs of the public. SDs are revised as necessary, and
reflective of changed conditions and/or airport stakeholder feedback.
Recommendation 5: To better ensure a unified approach among airport
security stake holders for developing, implementing, and assessing
actions for securing airport perimeters and access to controlled areas,
TSA should develop a national strategy for airport security that
incorporates key characteristics of effective security strategies,
including:
* Measurable goals, priorities, and performance measures. TSA should
also consider using information from other methods, such as covert
testing and proxy measures, to gauge progress toward achieving goals.
* Program cost information and the sources and types of resources
needed TSA should also identify where those resource would be most
effectively applied by exploring ways to develop and implement cost-
benefit analysis to identify the most cost-effective alternatives for
reducing risk.
* Plans for coordinating activities among stakeholders, integrating
airport security goals and activities with those of other aviation
security priorities, and implementing security activities within the
agency.
Concur: TSA will accomplish this task by updating the Transportation
Systems Sector Specific Plan, a document which subsumes the National
Strategy for Transportation Security, which, in turn, includes airport
security within its scope. This plan includes measurable goals,
priorities, and performance measures, as well as cost information. TSA
will socialize the document with its Sector Coordinating Councils (SCC)
while it is in draft form, and will receive SCC concurrence before
finalizing the document. TSA expects to release this updated document
in the summer of 2010.
An example of TSA's efforts to work toward a national strategy is the
Compliance and Enforcement Program supported by the Transportation
Security Inspection (TSI) function. Inspections of commercial airports
are conducted on a regular basis and are based on Title 49, Code of
Federal Regulations (CFR), Part 1542, which outlines the security
measures a commercial airport must implement for Federal compliance. To
ensure compliance and to provide a foundation for our national
strategy. TSA has initiated several mechanisms to airport security
goals and activities with those of other security priorities, as well
as implementing security activities within the Agency. TSA Headquarters
(HQ) accomplishes this by holding monthly teleconferences with
commercial airport representatives and airport associations in which
perimeter and access to controlled areas is often discussed. In
addition, it manages an industry web board on which guidance and
direction are posted in a timely manner.
Another example of coordination would be the management of a commercial
airport electronic mailbox that allows for the submission of questions
directly to HQ. On the local level, each federal Security Director has
a stakeholder manager or liaison on staff to ensure coordination of
security activities.
Thank you for the opportunity to provide comments to the draft report.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix IX: GAO Contact and Staff Acknowledgments:
GAO Contact:
Stephen M. Lord (202) 512-4379 or lords@gao.gov:
Acknowledgments:
In addition to the contact named above, Steve Morris, Assistant
Director, and Barbara Guffy, Analyst-in-Charge, managed this
assignment. Scott Behen, Valerie Colaiaco, Dorian Dunbar, Christopher
Keisling, Matthew Lee, Sara Margraf, Spencer Tacktill, Fatema Wachob,
and Sally Williamson made significant contributions to the work. Chuck
Bausell, Jr. provided expertise on risk management and cost-benefit
analysis. Virginia Chanley and Michele Fejfar assisted with design,
methodology, and data analysis. Thomas Lombardi provided legal support;
Elizabeth Curda and Anne Inserra provided expertise on performance
measurement; and Pille Anvelt developed the report's graphics.
[End of section]
Footnotes:
[1] See, for example, Department of Homeland Security, Office of the
Inspector General, TSA's Security Screening Procedures for Employees at
Orlando International Airport and the Feasibility of 100 Percent
Employee Screening (Revised for Public Disclosure), OIG-09-05
(Washington, D.C., Oct. 28, 2008).
[2] In general, civil aviation includes all nonmilitary aviation
operations, including scheduled and chartered air carrier operations,
cargo operations, and general aviation, as well as the airports
servicing these operations (including commercial airports).
[3] Access controls can include security measures such as pedestrian
and vehicle gates, keypad access codes that use personal identification
numbers, magnetic stripe cards and readers, fingerprint readers or
other biometric technology, turnstiles, locks and keys, and security
personnel.
[4] See Pub. L. No. 107-71, 115 Stat. 597 (2001).
[5] In this report, "airport workers" refers to any individuals
employed at an airport who require access to areas not otherwise
accessible by the general traveling public, including individuals
directly employed by the airport operator as well as individuals
employed by retail, air carrier, maintenance, custodial, or other
entities operating on airport property. In addition, "airport security"
refers specifically to airport perimeter and access control security,
which we use interchangeably, and "commercial airport" refers to a U.S.
airport operating under a TSA-approved security program that services
air carriers with regularly scheduled passenger operations.
[6] GAO, Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Controls,
[hyperlink, http://www.gao.gov/products/GAO-04-728] (Washington, D.C.:
June 4, 2004).
[7] In the context of risk management, "risk-based" and "risk-informed"
are often used interchangeably to describe the related decision-making
processes. However, according to the DHS Risk Lexicon, risk-based
decision making uses the assessment of risk as the primary decision
driver, while risk-informed decision making may consider other relevant
factors in addition to risk assessment information. Because it is an
acceptable DHS practice to use other information in addition to risk
assessment information to inform decisions, we have used "risk-
informed" throughout this report.
[8] The NIPP provides a unifying structure for the integration of a
range of efforts for the protection and resilience of the nation's
critical infrastructure and key resources.
[9] Explanatory Statement accompanying Division E of the Consolidated
Appropriations Act, 2008, Pub. L. No. 110-161, 121 Stat. 1844, 2042
(2007). The Statement refers to these pilot projects as airport
employee screening pilots. However, for the purposes of this report, we
use "worker screening" to refer to the screening of all individuals who
work at the airport and require access beyond public areas, such as
vendor, airport, air carrier, and maintenance employees. According to
TSA, it expended about $8 million to design, implement, and evaluate
this pilot program.
[10] Transportation Security Administration, Airport Employee Screening
Pilot Program Study: Fiscal Year 2008 Report to Congress (Washington,
D.C., July 7, 2009).
[11] TSA developed the TS-SSP to conform to NIPP requirements, which
required TSA and other sector-specific agencies to develop strategic
risk management frameworks for their sectors that aligned with NIPP
guidance.
[12] GAO, Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Critical
Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91]
(Washington, D.C.: Dec. 15, 2005); Risk Management: Strengthening the
Use of Risk Management Principles in Homeland Security, [hyperlink,
http://www.gao.gov/products/GAO-08-904T] (Washington, D.C.: June 25,
2008); and Transportation Security: Comprehensive Risk Assessments and
Stronger Internal Controls Needed to Help Inform TSA Resource
Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492]
(Washington, D.C.: Mar. 27, 2009).
[13] In prior work we identified a set of desirable characteristics to
aid responsible parties in further developing and implementing national
strategies--and to enhance their usefulness in resource and policy
decisions and to better ensure accountability. For a more detailed
discussion of these characteristics, see GAO, Combating Terrorism:
Evaluation of Selected Characteristics in National Strategies Related
to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T]
(Washington, D.C.: Feb. 3, 2004).
[14] [hyperlink, http://www.gao.gov/products/GAO-04-728].
[15] Transportation Security Administration, Airport Employee Screening
Pilot Program Study: Fiscal Year 2008 Report to Congress.
[16] See GAO, Internal Control: Standards for Internal Controls in the
Federal Government, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.:
November 1999), and Tax Administration: IRS Needs to Strengthen Its
Approach for Evaluating the SRFMI Data-Sharing Pilot Program,
[hyperlink, http://www.gao.gov/products/GAO-09-45] (Washington, D.C.:
Nov. 7, 2008).
[17] According to these industry associations, their combined
membership includes thousands of airport management personnel, and
represents approximately 95 percent of domestic airline passenger and
air cargo traffic in North America.
[18] FSDs are the ranking TSA authorities responsible for leading and
coordinating TSA security activities at the nation's more than 450
commercial airports.
[19] TSA classifies the nation's approximately 450 commercial airports
into one of five categories (X, I, II, III, and IV) based on various
factors, such as the number of take-offs and landings annually, the
extent of passenger screening at the airport, and other security
considerations. In general, Category X airports have the largest number
of passenger boardings, and Category IV airports have the smallest.
[20] We also discussed with airport officials additional employee
screening methods that had been implemented at two of the airports we
visited.
[21] On an ongoing basis, TSA must assess and test for compliance with
access control requirements. See 49 U.S.C. § 44903(g)(2)(D).
[22] Covert tests are any test of security systems, personnel,
equipment, and procedures to obtain a snapshot of the effectiveness of
airport passenger security checkpoint screening, checked baggage
screening, and airport access controls to improve airport performance,
safety, and security.
[23] Most commercial airports discussed in this report, which are those
servicing domestic and foreign air carriers with regularly scheduled
passenger operations, operate under "complete" security programs. See
49 C.F.R. § 1542.103(a). "Supporting" and "partial" security programs
generally apply to airports servicing smaller air carrier operations
and contain fewer requirements. See § 1542.103(b), (c). In general,
security programs may be amended, with TSA approval, provided that the
proposed amendment provides the requisite level of security, among
other things. See § 1542.105.
[24] See § 1542.103(a).
[25] For the purposes of this report "secured area" is used generally
to refer to areas specified in an airport security program that require
restricted access, including the SIDA, the AOA, and the sterile area.
While security measures governing access to such areas may vary, in
general a SIDA is an area in which appropriate identification must be
worn, an AOA is an area providing access to aircraft movement and
parking areas, and a sterile area provides passengers access to
boarding aircraft and is an area to which access is generally
controlled by TSA or a private screening entity under TSA oversight.
See 49 C.F.R. § 1540.5.
[26] At airports participating in TSA's Screening Partnership Program
(SPP), employees of private companies under contract to TSA perform
screening operations, with TSA oversight. See 49 U.S.C. § 44920. For
more information on the SPP, see GAO, Aviation Security: TSA's Cost and
Performance Study of Private-Sector Airport Screening, [hyperlink,
http://www.gao.gov/products/GAO-09-27R] (Washington, D.C: Jan. 9,
2009).
[27] According to a TSA official, a breach of security does not
necessarily mean that a threat existed or was successful. The
significance of a breach must be considered in light of several
factors, including the intent of the perpetrator and whether existing
security measures and procedures successfully responded to, and
mitigated against, the breach so that no harm to persons, facilities,
or other assets resulted.
[28] Transportation Security Administration, Reporting Security
Incidents Via PARIS, Operations Directive OD-400-18-1 (Washington,
D.C., Dec. 16, 2005). According to TSA officials, these reporting
requirements (1) allow FSDs to better distinguish between different
types of security breaches and other incidences, (2) reflect changes in
data collection methods, and (3) provide for greater accuracy in the
reporting of security incidences.
[29] See [hyperlink, http://www.gao.gov/products/GAO-09-492], and GAO,
Commercial Vehicle Security: Risk-Based Approach Needed to Secure the
Commercial Vehicle Sector, [hyperlink,
http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: Feb. 27,
2009); Highway Infrastructure: Federal Efforts to Strengthen Security
Should Be Better Coordinated and Targeted on the Nation's Most Critical
Highway Infrastructure, [hyperlink,
http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: Jan. 30,
2009); Passenger Rail Security: Enhanced Federal Leadership Needed to
Prioritize and Guide Security Efforts, [hyperlink,
http://www.gao.gov/products/GAO-07-225T] (Washington, D.C.: Jan. 18,
2007); and Transportation Security: Systematic Planning Needed to
Optimize Resources, [hyperlink,
http://www.gao.gov/products/GAO-05-357T] (Washington, D.C.: Feb. 15,
2005).
[30] "Modes of transportation" refers to the different means that are
used to transport people or cargo. There are six modes of
transportation: aviation, maritime, mass transit, highway, freight
rail, and pipeline.
[31] HSPD-7 specifically directed the Departments of Transportation and
Homeland Security to collaborate on all matters relating to
transportation security and transportation infrastructure protection.
[32] In the context of the NIPP, risk is the potential for an unwanted
outcome resulting from an incident, event, or occurrence, as determined
by its likelihood and the associated consequences. The NIPP framework
calls for risk to be assessed from any scenario as a function of
threat, vulnerability, and consequence. Once the three components of
risk have been assessed, they must be integrated into a defensible
model to produce a risk estimate. The NIPP allows an agency to
determine whether to assess the risk to an asset, system, network, or
function, depending on the characteristics of the infrastructure being
examined. TSA has adopted a systems-based approach to risk assessment.
[33] According to the NIPP, the national Critical Infrastructure and
Key Resources Protection Program is designed to reduce the
vulnerability of critical infrastructure and key resources in order to
deter and mitigate terrorist attacks. The program identifies,
prioritizes, and coordinates the protection of critical infrastructure
and key resources with an emphasis on those that could be exploited to
cause catastrophic health effects or mass casualties, which would be
comparable to those resulting from a weapon of mass destruction.
[34] As updated in 2009, the NIPP states that to be complete a risk
assessment is to assess threat, vulnerability, and consequence for
every defined risk scenario. However, because the original 2006 version
of the NIPP described risk assessments that included all three
components as "credible," our previous reports use this term rather
than "complete" (e.g., see GAO-09-492).
[35] See [hyperlink, http://www.gao.gov/products/GAO-09-492].
[36] The ADRA is part of TSA's effort to meet the requirements of HSPD-
16, National Strategy for Aviation Security, which assigned roles and
responsibilities to federal stakeholders, including the Secretaries of
Homeland Security, State, Defense, Commerce, Energy, and
Transportation; the Attorney General; and the Director of National
Intelligence, and called for coordination with state, local, and tribal
governments and the private sector, to optimize and integrate
governmentwide aviation security efforts.
[37] Commercial aviation includes that sector of the nation's civil
aviation system that provides for the transportation of individuals by
scheduled or chartered operations for a fee, including air carriers and
airports. General aviation encompasses all civil aviation other than
commercial and military operations, including flight operations such as
personal/family transportation, emergency services, wildlife and land
surveys, traffic reporting, agricultural aviation, firefighting, and
law enforcement. Air cargo is defined as cargo carried on passenger and
all-cargo aircraft.
[38] The ADRA is to have three parts: (1) assessments of over 130
terrorist attack scenarios and the extent to which they pose a threat,
(2) assessments of known vulnerabilities through which these terrorist
attacks could be carried out, and (3) assessments of the consequences
of the attack scenarios. TSA officials stated that the primary source
for the scenarios included professional judgment of subject matter
experts, intelligence information on potential threats, and other
information.
[39] The Project Management Institute, The Standard for Program
Management© (Newtown Square, Penn., 2006).
[40] For the purposes of estimating risk, according to the NIPP, the
threat of an intentional adverse event is generally estimated as the
likelihood of such an event; in the case of terrorist attacks, the
likelihood is estimated based on the intent and capability of the
adversary.
[41] Daily intelligence briefings include a 24-hour snapshot of
transportation-related intelligence based on TSA operational reports
and other sources. These briefings are used internally by TSA and by
other agencies. TSA also provides weekly analysis of suspicious
activities and surveillance directed against all transportation modes,
which it disseminates within the agency and to other law enforcement
agencies. In addition, TSA provides in-depth analysis on specific
topics within transportation modes, which may be used to provide
situational awareness of an ongoing or recent event.
[42] Transportation Security Administration, Civil Aviation Threat
Assessment (Washington, D.C., Dec. 30, 2008). The other three threat
types discussed in the 2008 assessment are the threat from standoff
weapons (such as antitank weapons), which pose a threat to the AOA; the
threat from outside the airport perimeter; and the threat of a
perimeter breach, which terrorists may see as an attractive target.
[43] TSA's 2007 Threat Assessment also included this conclusion of the
insider threat, and the 2006 Threat Assessment characterized the
insider threat as "very dangerous." According to the 2008 assessment,
the insider is considered extremely difficult to counter because of the
individual's position of trust.
[44] According to TSA officials, the risk that insiders will do damage
to an airport or aircraft--which they refer to as insider risk--is
perceived as both a threat and vulnerability.
[45] [hyperlink, http://www.gao.gov/products/GAO-09-492].
[46] See Pub. L. No. 108-458, § 1019, 118 Stat. 3638, 3671-72 (2004)
(requiring the Director of National Intelligence to assign an
individual or entity with responsibility for ensuring that finished
intelligence products produced by any element or elements of the
intelligence community, which includes the Federal Bureau of
Investigation, Central Intelligence Agency, and Defense Intelligence
Agency, are timely, objective, independent of political consideration,
and employ the standards of proper analytic tradecraft). See also
Intelligence Community Directive 203 (June 2007) (establishing the
Intelligence Community Analytic Standards). The directive provides that
each analytic product "properly caveats and expresses uncertainties or
confidence in analytic judgments. Analytic products should indicate
both the level of confidence in analytic judgments and explain the
basis for ascribing it. Sources of uncertainty--including information
gaps and significant contrary reporting--should be noted and linked
logically and consistently to confidence levels in judgments. As
appropriate, products should also identify indicators that would
enhance or reduce confidence or prompt revision of existing judgments."
[47] [hyperlink, http://www.gao.gov/products/GAO-09-492.
[48] The NIPP states that this analysis is to also take into
consideration factors such as protective measures that are in place
that may reduce the risk of an attack, and is to include estimates of
the likelihood of success for each attack scenario.
[49] [hyperlink, http://www.gao.gov/products/GAO-04-728].
[50] TSA and the FBI are to conduct joint threat and vulnerability
assessments at each high-risk U.S. airport at least every 3 years. See
49 U.S.C. § 44904(a)-(b). See also Pub. L. No. 104-264, § 310, 110
Stat. 3213, 3253 (1996) (establishing the requirement that FAA and the
FBI conduct joint threat and vulnerability assessments). Pursuant to
ATSA, responsibility for conducting the joint assessments transferred
from FAA to TSA. According to FBI officials, the agency's role in JVAs
is to develop a national-level threat assessment for each selected
airport and provide it to TSA for comparison with the TSA vulnerability
assessment, to identify areas of imminent vulnerability.
[51] See GAO-04-728. TSA's criteria give first priority to airports
identified as critical infrastructure by DHS's Office of Infrastructure
Protection. Second priority is given to airports that are to support a
National Security Special Event, such as the Republican or Democratic
National Conventions, or an event of national significance (e.g., the
Super Bowl). Third priority is given to airports whose FSDs have
requested a JVA, or those that TSA Headquarters has identified as
needing a JVA. According to TSA officials, FSD requests are usually
prompted by changes in airport environment--such as construction--while
TSA headquarters requests are in response to specific threats, such as
those identified by TSA.
[52] From fiscal years 2004 through 2008, 10 airports received 2 JVAs.
[53] Transportation Security Administration, "Our Security Strategy:
Systems-Based Perspective." TSA characterizes transportation systems as
being subject to "cascading failures," where small changes in one part
of the system can sometimes lead to large consequences. This is of
particular concern in systems like the airport network, which are
highly interconnected and interdependent. In the past, terrorists have
sought to inflict maximum damage relative to their efforts by attacking
parts of the aviation system that would lead to cascading failure.
[54] Of the 67 JVAs conducted at 57 airports from fiscal years 2004
through 2008, 58--or 87 percent--were for Category X and I airports. Of
the remaining 9 assessments, 6 were at Category II airports, 1 at a
Category III airport, and 2 at Category IV airports.
[55] The category designation of some airports has changed since they
received a JVA; in these cases, we used the category designation
assigned at the time of the JVA. For the total number of airports in
each category, we used TSA data as of June 1, 2009.
[56] See [hyperlink, http://www.gao.gov/products/GAO-04-728]. We also
reported that according to TSA this baseline analysis would allow the
agency to determine minimum standards and the adequacy of airport
security policies.
[57] Project Management Institute, A Guide to the Project Management
Body of Knowledge (PMBOK® Guide), Third Edition (Newtown Square, Penn.,
2006).
[58] We discussed this issue with officials from seven Category X
airports, one Category I airport, one Category II airport, and one
Category III airport; however, we did not obtain documentation to
verify this information.
[59] Project Management Institute, The Standard for Program
Management©.
[60] [hyperlink, http://www.gao.gov/products/GAO-04-728].
[61] Many of TSA's security layers have direct application to airport
perimeter and access control security, while some layers apply to other
aspects of aviation security, such as hardened cockpit doors, and also
to the security of other modes of transportation, such as rail and mass
transit. In commenting on a draft of this report, TSA officials noted
that in December 2008 the agency implemented "Playbook," a program that
authorizes FSDs to carry out variable and unpredictable combinations of
operations--or security layers--to address the threat environment at
airports. TSA officials consider this program to be an additional layer
of security, which is applied to all areas of an airport.
[62] Specifically, the Explanatory Statement directed TSA to pilot
various methods for screening airport employees at seven airports, and
that all employees be screened at three of the selected airports.
[63] TSA officials told us that the agency has two additional
initiatives in development that are intended to strengthen airport
security. The first, called SIDA II, is intended to reassess the
security of airport secured areas and has been under development for 3
years. The second initiative was the "5-Point Plan" intended to
mitigate risks posed by airport workers with enhanced screening
measures. However, this initiative was conceived before TSA was
directed to implement the worker screening pilot projects, and TSA
officials said that the agency is waiting to reassess this effort after
the results of the pilot projects are finalized.
[64] The Explanatory Statement specifically directed TSA to pilot
various methods to screen airport employees (referred to in this report
as workers) at a total of seven airports, including 100 percent
screening of airport employees at three of the airports for not less
than 90 days. At two airports TSA conducted 100 percent worker
screening at the passenger screening checkpoint, and one airport
conducted 100 percent screening at specifically designated access
points in combination with biometric access controls. The enhanced
screening methods conducted at four other airports consisted of
employee security awareness training, behavioral recognition training,
random targeted physical inspections of vehicles and airport workers,
new technology, and enhancement of security threat assessment
background data checks.
[65] The Secretary of Homeland Security established HSI pursuant to
section 312 of the Homeland Security Act of 2002. See 6 U.S.C. § 192.
[66] Transportation Security Administration, Airport Employee Screening
Pilot Program Study: Fiscal Year 2008 Report to Congress.
[67] Transportation Security Administration, Airport Employee Screening
Pilot Program Study: Fiscal Year 2008 Report to Congress.
[68] This airport did not perform complete 100 percent worker screening
because of resource constraints.
[69] A magnetometer is an instrument used to detect prohibited
materials.
[70] Transportation Security Administration, Airport Employee Screening
Pilot Program Study: Fiscal Year 2008 Report to Congress.
[71] HSI reported that for those airports conducting random worker
screening, it was difficult to determine the number of unique
individuals screened; for the purposes of the pilot analysis, HSI used
the number of screening "events" as a rough proxy for the number of
workers screened.
[72] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].
Internal control activities are an integral part of an entity's
planning, implementing, reviewing, and accountability for stewardship
of government resources and achieving effective results.
[73] GAO, Designing Evaluations, [hyperlink,
http://www.gao.gov/products/GAO/PEMD-10.1.4] (Washington, D.C.: May
1991).
[74] [hyperlink, http://www.gao.gov/products/GAO-09-45].
[75] Specifically, GAO-09-45 reported that a sound, well-developed and
documented evaluation plan includes, at minimum, (1) well-defined,
clear, and measurable objectives; (2) criteria or standards for
determining pilot program performance; (3) clearly articulated
methodology, including sound sampling methods, determination of
appropriate sample size for the evaluation design, and a strategy for
comparing the pilot results with other efforts; (4) a clear plan that
details the type and source of data necessary to evaluate the pilot,
methods for data collection, and the timing and frequency of data
collection; and (5) a detailed data analysis plan to track the
program's performance and evaluate the final results of the project.
[76] HSI defined confiscated items, or "items of interest," as those
which TSA did not allow to pass through screening and the possession of
which resulted in legal action, disciplinary action, or both against
the worker.
[77] HSI reported that seven items of interest were confiscated.
[78] HSI reported that the incident rate--the number of items of
interest confiscated compared to the number of workers screened--at
both 100 percent and random worker screening airports was less than
during the previous 3 months of screening under ADASP, TSA's random
screening program.
[79] TSA officials said that although FSDs and others had long
recognized the threat posed by airport workers, it was considered a
"known and accepted risk." According to these officials, when FSDs
raised concerns about the insider threat before 2005, they were told
that background checks performed on airport workers were a sufficient
safeguard against insider risk.
[80] According to TSA officials, although practices for scheduling
ADASP operations vary by airport location, usually FSDs judgmentally
schedule them on a staggered and unpredictable basis, varying the time
of day, location, and duration. Transportation Security Officers (TSO)
typically screen each worker who enters the secured area during these
operations, along with property, vehicles, or both, but they may
instead decide to screen workers according to a predetermined pattern,
such as every second worker. Under TSA procedures, screening locations
do not need to cover all access points within an airport, and workers
may use alternative entry points to avoid ADASP screenings.
[81] TSA officials also told us that from 2001 through 2006, some
airports conducted random worker screening activities similar to ADASP.
[82] Department of Homeland Security, Office of the Inspector General,
TSA's Security Screening Procedures for Employees at Orlando
International Airport and the Feasibility of 100 Percent Employee
Screening.
[83] See [hyperlink, http://www.gao.gov/products/GAO-04-728]. We
recommended that TSA determine if and when additional security
requirements are needed to reduce the risk posed by airport workers,
such as additional background check information.
[84] In accordance with 49 U.S.C. § 44936, TSA requires airports and
air carriers to conduct fingerprint-based records checks for all
workers seeking unescorted access to secured areas (which may or may
not include the AOA). See 49 C.F.R. §§1542.209, and1544.229. However,
TSA requires only STAs for airport workers who apply for unescorted
access to an AOA that is not designated as a SIDA.
[85] See GAO-04-728. One issue we raised in 2004 was that of recurrent
background checks, and in October 2008, the DHS OIG recommended that
TSA mandate recurrent CHRCs and financial records checks for workers
with unescorted access to secured areas (see Department of Homeland
Security, Office of the Inspector General, TSA's Security Screening
Procedures for Employees at Orlando International Airport and the
Feasibility of 100 Percent Employee Screening). TSA stated that it is
working on standards for recurrent CHRCs. However, TSA officials said
that they do not have evidence that financial problems are a predictor
of terrorist activity, so the agency does not plan to require financial
records checks.
[86] See 49 C.F.R. § 1542.209(d) (listing 28 offenses that if resulting
in a conviction or a verdict of not guilty by reason of insanity within
10 years before the individual applies for unescorted access authority
or while the individual has unescorted access authority, would
disqualify or revoke that individual's access authority). See also 49
U.S.C. § 44936(b).
[87] See 49 U.S.C. § 44936(a)(1)(B)(iii).
[88] Biometrics are measurements of an individual's unique
characteristics, such as fingerprints, irises, and facial
characteristics, used to verify identity.
[89] Among other things, the Intelligence Reform and Terrorism
Prevention Act of 2004 directed TSA, in consultation with
representatives of the aviation industry, the biometric identifier
industry, and the National Institute of Standards and Technology, to
establish, at a minimum, (1) comprehensive technical and operational
system requirements and performance standards for the use of biometric
identifier technology in airport access control systems, (2) a list of
products and vendors that meet these requirements, (3) procedures for
implementing biometric identifier systems, and (4) best practices for
effectively incorporating biometric identifier technology into airport
access control systems, including a process to best utilize existing
systems and infrastructure. See Pub. L. No. 108-458, § 4011, 118 Stat.
3638, 3712-14 (2004) (codified at 49 U.S.C. § 44903(h)(5)). ATSA also
addressed the use of biometric technology to strengthen access control
points in secured areas to ensure the security of passengers and
aircraft and to consider the deployment of biometric or similar
technologies. See 49 U.S.C. § 44903(g)(2)(G), (h)(4)(E).
[90] Department of Homeland Security, Office of the Inspector General,
TSA's Security Screening Procedures for Employees at Orlando
International Airport and the Feasibility of 100 Percent Employee
Screening. In this report the DHS OIG recommended that TSA alter
regulatory requirements to mandate a phasing in of biometric access
controls; according to the report, TSA agreed with this recommendation.
[91] Rule making is a process used by federal agencies to develop,
impose, and oversee requirements, and generally affords the regulated
entities and other interested parties the opportunity to participate in
the process, for example, through public hearings or comment periods.
See generally 5 U.S.C. § 553.
[92] The security directive provides that TSA encourages the
implementation and use of airport biometric access control systems
aligned with Federal Information Processing Standards 201, "Personal
Identity Verification (PIV) of Federal Employees and Contractors."
(National Institute of Standards and Technology, March 2006.)
[93] RTCA, Inc., Integrated Security System Standards for Airport
Access Control, DO 230-B (Washington, D.C., June 19, 2008). These
standards provide guidelines for procuring, designing, and implementing
access control systems, including testing and evaluating system
performance. They also identify, among other things, requirements for
physical access controls, video surveillance, security operating
centers, intrusion detection, and communications infrastructure. (RTCA,
Inc., was formerly known as the Radio Technical Commission for
Aeronautics.)
[94] In May 2008, TSA issued ACIS technical specifications to the
airport industry, which describe the ACIS system components and
requirements, for comment; according to TSA officials, these
specifications also discuss many of the technical issues that the
agency will consider in establishing standards. As of May 2009, funds
had not been appropriated or directed specifically to this initiative,
and TSA officials could not provide further information as to the
implementation of ACIS.
[95] Project Management Institute, The Standard for Program
Management©, and A Guide to the Project Management Body of Knowledge
(PMBOK® Guide).
[96] [hyperlink, http://www.gao.gov/products/GAO-04-728].
[97] According to TSA officials, the agency established AACPP and APS
in response to provisions originally enacted through ATSA. See Pub. L.
No.107-71 § 106(d), 115 Stat. at 610 (codified at 49 U.S.C. §
44903(c)(3)).
[98] The Conference Report accompanying the DHS Appropriations Act,
2006, Pub. L. No. 109-90, 119 Stat. 2064 (2005), allocated $5 million
for competitive awards to airports to enhance perimeter security. See
H.R. Conf. Rep. No. 109-241, at 54 (2005).
[99] See Pub. L. No. 107-71 § 106(b), 115 Stat. at 609.
[100] According to TSA officials, security directives have been the
primary means by which the agency imposes security requirements on
commercial airports, in addition to measures implemented through the
airport operators' TSA-approved security programs. For this reason, we
focused our review on requirements related to perimeter and access
control security established through security directives. TSA may also
impose requirements by amending air carrier security programs and more
immediately by issuing emergency amendments to such programs. See,
e.g., 49 C.F.R. § 1542.105(d).
[101] See 49 C.F.R. § 1542.303.
[102] TSA officials told us that although they have not performed cost-
benefit analysis when developing perimeter and access control security
requirements through security directives, they have considered relevant
costs as well as security benefits. However, they could not provide
documentation or examples of instances in which they had considered
relevant costs as well as security benefits.
[103] Consistent with TSA regulation and as provided for in TSA-issued
security directives and emergency amendments, TSA provides regulated
entities with an option to request permission to use alternative
measures in place of those more specifically imposed by a security
directive or emergency amendment. See, e.g., 49 C.F.R § 1542.303(d).
For example, from September 2003 through December 2008 TSA received 42
requests for alternatives to requirements imposed through security
directives and emergency amendments--TSA officials approved 32 of these
requests and denied 9, with 1 remaining pending as of December 2008.
(These data do not include the period from August 16, 2006, through
September 30, 2006; TSA did not provide data for this period.)
[104] These concerns represent the views of airport operators and
industry officials we contacted. We did not independently verify their
statements.
[105] This assumes that access privileges for airport and air carrier
workers apply to the same or comparable secured areas.
[106] Our review of the 25 security directives and emergency
amendments, however, shows that many of the directives and emergency
amendments have been amended one or more times since issuance.
[107] Project Management Institute, The Standard for Program
Management©.
[108] See Pub. L. No. 107-71, § 101(a), 115 Stat. at 600-01 (codified
as amended at 49 U.S.C. § 114(l)).
[109] The TSOB is responsible for, among other things, reviewing and
either ratifying or disapproving any regulation or security directive
issued by TSA under § 114(l)(2) within 30 days after the date of
issuance. See 49 U.S.C. § 115. The TSOB, which is composed of seven
cabinet-level members or their designees--the Secretary of Homeland
Security (who serves as the chairperson), the Secretary of
Transportation, the Attorney General, the Secretary of Defense, the
Secretary of the Treasury, the Director of the Central Intelligence
Agency, and one member appointed by the President to represent the
National Security Council--is to meet at least quarterly, though DHS
could not tell us the number of times the TSOB has met since it was
established.
[110] See, e.g., 49 C.F.R. §§ 1542.303 (authorizing the issuance of
security directives to airport operators) and 1544.305 (authorizing the
issuance of security directives to air carriers). FAA possessed and
exercised the same authority when it was responsible for aviation
security, before the creation of TSA. See 66 Fed. Reg. 37,274 (July 17,
2001) (establishing FAA's authority to issue security directives to
airport operators) and 54 Fed. Reg. 28,982 (July 10, 1989)
(establishing FAA's authority to issue security directives to aircraft
operators). As interpreted by TSA, ATSA intended to give the agency
more robust authority to take action in response to emerging threats
across all modes of transportation, and in doing so it did not intend
to alter (or limit) TSA's existing authority as transferred from FAA.
[111] See [hyperlink, http://www.gao.gov/products/GAO-04-408T], and
GAO, Rebuilding Iraq: More Comprehensive National Strategy Needed to
Help Achieve U.S. Goals, [hyperlink,
http://www.gao.gov/products/GAO-06-788] (Washington, D.C.: July 11,
2006).
[112] Another recommended characteristic of effective strategies is
"risk assessment." However, because we provided details earlier in our
report on the steps TSA has taken to assess risks to airport security,
we do not discuss risk assessment as a separate characteristic here,
rather focusing on risk assessment as one of the many actions that
could be aided with the development of an overarching strategy.
[113] GAO, Agencies' Strategic Plans Under GPRA: Key Questions to
Facilitate Congressional Review, [hyperlink,
http://www.gao.gov/products/GAO/GGD-10.1.16], Version 1 (Washington,
D.C.: May 1997), and [hyperlink,
http://www.gao.gov/products/GAO-04-408T].
[114] For each transportation mode TSA has identified areas it plans to
target for reducing risk to the maximum extent possible. TSA's fiscal
year 2009 focus for commercial airports is high-risk airports and
airport workers. It is not clear, however, what actions TSA has taken,
or plans to take, to achieve this reduction in risk. As of March 2009
TSA had not provided documentation on the details of its plans. We have
previously reported that TSA's approach to identifying high-risk focus
areas is not based on criteria established in the NIPP, and recommended
that TSA work with DHS to validate its risk management approach by
establishing a plan and time frame for assessing the appropriateness of
its approach (see [hyperlink, http://www.gao.gov/products/GAO-09-492]).
[115] For example, ATSA contained a variety of provisions addressing
risks posed by airport workers, such as amending requirements related
to TSA background checks of workers with access to secured areas,
mandating that TSA establish a pilot program to test and evaluate
access control protections for secured areas, and establishing an
ongoing requirement that TSA assess and test airport operator
compliance with access control requirements and report annually on its
findings. See, e.g., 49 U.S.C. §§ 44903(c)(3), (g)(2)(D),
44936(a)(1)(B)(iii), (a)(1)(C)(i). Appendix II provides a list of
related ATSA provisions and TSA's efforts to address these
requirements.
[116] For example, of amounts appropriated to TSA through Division E of
the Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. E,
121 Stat. 1844, 2042 (2007), the accompanying Explanatory Statement
directed $37 million of its appropriation for, among other things,
airport worker screening.
[117] Office of Management and Budget Circular No. A-11, Part 6,
Preparation and Submission of Strategic Plans, Annual Performance
Plans, and Annual Program Performance Reports (June 2005).
[118] TSA has documented, measurable goals for two specific activities--
compliance inspections (95 percent compliance rate for airports with
respect to leading security indicators) and security threat assessments
(100 percent assessment of workers who have airport-issued badges).
[119] Internal control standards and the Government Performance and
Results Act of 1993 also call for agencies to have measures and
indicators linked to mission, goals, and objectives to allow for
comparisons to be made among different sets of data (for example,
desired performance against actual performance), so that corrective
actions can be taken if necessary. See, generally, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-21.3.1], Pub. L. No. 103-62,
107 Stat. 285 (1993); and Office of Management and Budget Circular No.
A-11, Part 6, Preparation and Submission of Strategic Plans, Annual
Performance Plans, and Annual Program Performance Reports (Washington,
D.C.: June 2005).
[120] Performance measurement is the ongoing monitoring and reporting
of program accomplishments and progress toward preestablished goals.
[121] According to the NIPP, there are three types of performance
measures: descriptive measures, which generally describe sector
resources and activities, but do not reflect performance; output
measures, which are used to measure whether specific activities are
performed as planned, track the progression of a task, or report on the
output of a process; and outcome measures, which track progress toward
an intended goal by beneficial results rather than level of activity.
[122] See S. Rep. No. 103-58 (1993) (accompanying the Government
Performance and Results Act).
[123] The Department of Transportation, Assessment of Performance
Measures for Security of Maritime Transportation Network, Port Security
Metrics: Proposed Measurement of Deterrence Capability (Washington,
D.C., January 2007).
[124] Brian A. Jackson, Assessing the Benefits of Homeland Security
Efforts Deployed Against a Dynamic Terrorist Threat (Santa Monica,
Calif.: Rand Corporation, February 2007).
[125] [hyperlink, http://www.gao.gov/products/GAO-04-408T].
[126] See Chief Financial Officers Act of 1990, Pub. L. No. 101-576,
104 Stat. 2838 (1990); The Statement of Federal Financial Accounting
Standards No. 4, Managerial Cost Accounting Concepts and Standards for
the Federal Government; the Joint Financial Management Improvement
Program, Framework for Federal Financial Management Systems; and the
Federal Financial Management Improvement Act of 1996, Pub. L. No. 104-
208, Div. A., tit. VIII, 110 Stat. 3009, 3009-389 (1996).
[127] In November 2008 TSA officials stated that the agency plans to
hire a contractor in 2009 to develop relevant cost data for the
background checks program.
[128] [hyperlink, http://www.gao.gov/products/GAO-04-408T].
[129] See OMB Circular No. A-11, Preparation, Submission, and Execution
of the Budget (July 2007); OMB Circular No. A-94, Guidelines and
Discount Rates for Benefit-Cost Analysis of Federal Programs; and OMB
Circular No. A-4, Regulatory Analysis (September 2003). According to
federal guidance, cost-benefit analysis is a systematic method for
assessing the desirability of alternative projects or policies by
combining estimated costs with benefits. The goal of cost-benefit
analysis is to promote efficient resource allocation through well-
informed decision making, and it is considered a proven management tool
that assists in planning a project and managing costs and risks.
[130] Department of Homeland Security, Cost-Benefit Analysis Guidebook,
Version 2.0 (Washington, D.C., February 2006).
[131] In 2007, TSA worked with the United States Commercial Aviation
Partnership to evaluate the cost and operational impacts of several
proposed worker screening alternatives, including 100 percent worker
screening. However, this evaluation focused solely upon the economic
and operational impacts of these alternatives and did not evaluate
benefits to security. TSA has also conducted a congressionally directed
pilot program to help better identify the potential costs and benefits
of 100 percent worker screening as an alternative to random worker
screening. Based on the results of this pilot program, TSA concluded
that random screening is a more cost-effective approach than 100
percent worker screening because it appeared "roughly" as effective in
identifying contraband items at less cost. However, because of the
significant limitations related to the design and evaluation of the
pilot program, we believe that it is unclear based on the program
results whether random worker screening is more or less cost-effective
than 100 percent worker screening.
[132] According to TSA officials, in the event of an immediate or
imminent threat the agency uses security directives to impose
requirements on airport operators, which does not require TSA to
conduct cost-benefit analysis. However, officials told us that even in
these circumstances they have considered relevant costs as well as
benefits to proposed requirements, although they could not provide
documentation or relevant examples.
[133] For example, TSA officials said that they used professional
judgment to determine that ADASP was the most appropriate security
action to mitigate the insider risk, and did not study alternatives to
random screening, such as 100 percent worker screening, or assess
whether random screening was the most cost-effective option. Officials
said that at the time they developed ADASP, staffing and budget options
made 100 percent worker screening an unrealistic option. TSA officials
also said that they used a similar approach to develop SPOT, in that
they did not use cost-benefit analysis to compare the advantages and
costs of other alternative programs.
[134] See OMB Circular No. A-4. Examples of qualitative measures cited
by OMB include the costs and benefits of privacy protection.
[135] [hyperlink, http://www.gao.gov/products/GAO-04-408T].
[136] [hyperlink, http://www.gao.gov/products/GAO-04-408T].
[137] These programs--ADASP and VIPR--are discussed in more detail
later in this report.
[138] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[139] [hyperlink, http://www.gao.gov/products/GAO-06-91], [hyperlink,
http://www.gao.gov/products/GAO-08-904T], and [hyperlink,
http://www.gao.gov/products/GAO-09-492].
[140] Transportation Security Administration, Airport Employee
Screening Pilot Program Study: Fiscal Year 2008 Report to Congress.
[141] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and
[hyperlink, http://www.gao.gov/products/GAO-09-45].
[142] Department of Homeland Security, Office of the Inspector General,
TSA's Security Screening Procedures for Employees at Orlando
International Airport and the Feasibility of 100 Percent Employee
Screening.
[143] [hyperlink, http://www.gao.gov/products/GAO-04-728].
[144] Pub. L. No. 103-62, 107 Stat. 285 (1993).
[145] According to the Airports Council International-North America, it
represents over 400 aviation-related businesses and approximately 190
governing bodies of more than 400 commercial and general aviation
airports in the United States and Canada; collectively, its members
enplane about 95 percent of the domestic and nearly 100 percent of
international airline passenger and cargo traffic in North America.
According to the American Association of Airport Executives, it is the
world's largest professional organization for airport executives, with
members representing approximately 850 commercial and general aviation
airports and the companies and organizations that support airports.
[146] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[147] For example, pursuant to ATSA, TSA shall, on an ongoing basis,
accept and test for compliance with access control requirements, report
annually on the findings of the assessments, assess the effectiveness
of penalties in ensuring compliance with security procedures, and take
any other appropriate enforcement actions when noncompliance is found.
See 49 U.S.C. § 44903(g)(2)(D).
[148] See GAO, Transportation Security: TSA Has Developed a Risk-Based
Covert Testing Program, but Could Better Mitigate Aviation Security
Vulnerabilities Identified Through Covert Tests, [hyperlink,
http://www.gao.gov/products/GAO-08-958] (Washington, D.C.: Aug. 8,
2008). TSA conducts national covert tests of three aspects of aviation
security at a commercial airport: (1) passenger checkpoint, (2) checked
baggage, and (3) access controls to secure areas and airport
perimeters.
[149] In addition to the costs in table 4, TSA officials identified a
total of $49.2 million in estimated costs from fiscal years 2003
through 2008 related to pilot programs specific to airport security:
$19.6 million to AACPP for fiscal years 2003 through 2005, $16.9
million for the Airport Terminal Security Grant Program for fiscal
years 2004 and 2005, $5.0 million for the APS pilot program in fiscal
year 2006, and $7.7 million for the worker screening pilot program in
fiscal year 2008.
[150] TSA assumed primary responsibility for aviation security from FAA
in February 2002; FAA-administered Airport Improvement Program grants
are available to airports for limited security purposes. According to
TSA officials, TSA monitors $5 million of this funding awarded annually
to the National Safe Skies Alliance (a nonprofit membership consortium
that tests airport security equipment, systems, and processes at
airports throughout the United States and abroad). FAA provides not
less than $5 million each fiscal year for this grant. According to FAA
and TSA officials, the National Safe Skies Alliance uses these funds to
test innovative security systems and technology.
[151] Airports Council International-North America, Airport Capital
Development Cost Survey 2009-2013 (Washington, D.C., February 2009).
[152] In 2007, for the period 2007 through 2011, the association
reported that airport operator spending ranged from 6.6 percent (about
$3 billion) for large hub airports to 4.8 percent (about $300 million)
for small hub airports. The Airports Council International-North
America used its own survey data and FAA National Plan Integrated
Airport System data to develop these estimates. Past GAO work explains
the differences between the association's survey estimates and FAA's
data. See GAO, Airport Finance: Preliminary Analysis of Proposed
Changes in the Airport Improvement Program May Not Resolve Funding
Needs for Smaller Airports, [hyperlink,
http://www.gao.gov/products/GAO-07-617T] (Washington, D.C.: Mar. 28,
2007).
[153] TSA uses VIPR to augment security in transportation areas other
than aviation. As discussed in our June 2009 report on mass transit and
passenger rail security we found that opinions regarding VIPR's
additional security value and effectiveness for that mode were varied
among municipal transit agency officials (see GAO, Transportation
Security: Key Actions Have Been Taken to Enhance Mass Transit and
Passenger Rail Security, but Opportunities Exist to Strengthen Federal
Strategy and Programs, [hyperlink,
http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: June 24,
2009)). For example, some officials told us that they welcomed the
additional manpower of VIPR teams, while others reported that deploying
VIPR for a single day did not significantly enhance security. While
airport operators did not raise such issues to us, lessons learned from
TSA's application of VIPR in other modes of transportation can inform
its use in airport security. TSA officials agreed that VIPR has
experienced challenges and said that they have taken steps to address
these issues, such as providing information to help agencies customize
VIPR operations to their needs.
[154] For fiscal year 2008, TSA has allocated approximately $100
million to expand SPOT beyond fiscal year 2007 levels, resulting in a
total program cost of approximately $140 million for fiscal year 2008.
According to agency officials, as of April 2009 TSA had stationed
approximately 2,836 behavior detection officers at all Category X, I,
and II airports and one Category III airport; no SPOT teams had been
assigned to Category IV airports.
[155] [hyperlink, http://www.gao.gov/products/GAO-08-958].
[156] Analyzing trends over time allows agencies to establish a
baseline for security activities. Examining trends can assist in
identifying what specific security measures in place allowed for
certain security breaches to occur or increase.
[157] Office of Management and Budget, Performance Measure Challenges
and Strategies (Washington, D.C., June 18, 2003).
[158] Department of Transportation, Assessment of Performance Measures
for Security of Maritime Transportation Network, Port Security Metrics:
Proposed Measurement of Deterrence Capability.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
