Homeland Security
Better Use of Terrorist Watchlist Information and Improvements in Deployment of Passenger Screening Checkpoint Technologies Could Further Strengthen Security
Gao ID: GAO-10-401T January 27, 2010
The December 25, 2009, attempted bombing of flight 253 raised questions about the federal government's ability to protect the homeland and secure the commercial aviation system. This statement focuses on the government's efforts to use the terrorist watchlist to screen individuals and determine if they pose a threat, and how failures in this process contributed to the December 25 attempted attack. This statement also addresses the Transportation Security Administration's (TSA) planned deployment of technologies for enhanced explosive detection and the challenges associated with this deployment. GAO's comments are based on products issued from September 2006 through October 2009 and selected updates in January 2010. For these updates, GAO reviewed government reports related to the December 25 attempted attack and obtained information from the Department of Homeland Security (DHS) and TSA on use of the watchlist and new technologies for screening airline passengers.
The intelligence community uses standards of reasonableness to evaluate individuals for nomination to the consolidated terrorist watchlist. In making these determinations, agencies are to consider information from all available sources. However, for the December 25 subject, the intelligence community did not effectively complete these steps and link available information to the subject before the incident. Therefore, agencies did not nominate the individual to the watchlist or any of the subset lists used during agency screening, such as the "No Fly" list. Weighing and responding to the potential impacts that changes to the nomination criteria would have on the traveling public will be an important consideration in determining what changes may be needed. Also, screening agencies stated that they do not check against all records in the watchlist, partly because screening against certain records may not be needed to support a respective agency's mission or may not be possible because of the requirements of computer programs used to check individuals against watchlist records. In October 2007, GAO reported that not checking against all records may pose a security risk and recommended that DHS and the FBI assess potential vulnerabilities, but they have not completed these assessments. TSA is implementing an advanced airline passenger prescreening program--known as Secure Flight--that could potentially result in the federal government checking passengers against the entire watchlist under certain security conditions. Further, the government lacks an up-to-date strategy and implementation plan--supported by a clearly defined leadership or governance structure--which are needed to enhance the effectiveness of terrorist-related screening and ensure accountability. In the 2007 report, GAO recommended that the Homeland Security Council ensure that a governance structure exists that has the requisite authority over the watchlist process. The council did not comment on this recommendation. As GAO reported in October 2009, since TSA's creation, 10 passenger screening technologies have been in various phases of research, development, procurement, and deployment, including the Advanced Imaging Technology (AIT)--formerly known as the Whole Body Imager. TSA expects to have installed almost 200 AITs in airports by the end of calendar year 2010 and plans to install a total of 878 units by the end of fiscal year 2014. In October 2009, GAO reported that TSA had not yet conducted an assessment of the technology's vulnerabilities to determine the extent to which a terrorist could employ tactics that would evade detection by the AIT. Thus, it is unclear whether the AIT or other technologies would have detected the weapon used in the December 25 attempted attack. GAO's report also noted the problems TSA experienced in deploying another checkpoint technology that had not been tested in the operational environment. Since GAO's October report, TSA stated that it has completed the testing as of the end of 2009. We are currently verifying that all functional requirements of the AIT were tested in an operational environment. Completing these steps should better position TSA to ensure that its costly deployment of AIT machines will enhance passenger checkpoint security.
GAO-10-401T, Homeland Security: Better Use of Terrorist Watchlist Information and Improvements in Deployment of Passenger Screening Checkpoint Technologies Could Further Strengthen Security
This is the accessible text file for GAO report number GAO-10-401T
entitled 'Homeland Security: Better Use of Terrorist Watchlist
Information and Improvements in Deployment of Passenger Screening
Checkpoint Technologies Could Further Strengthen Security' which was
released on January 28, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Statement for the Record:
To the Committee on Homeland Security, House of Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected on Wednesday,
January 27, 2010:
Homeland Security:
Better Use of Terrorist Watchlist Information and Improvements in
Deployment of Passenger Screening Checkpoint Technologies Could
Further Strengthen Security:
Statement for the Record by Eileen R. Larence:
Director, Homeland Security and Justice Issues:
and:
Stephen M. Lord:
Director, Homeland Security and Justice Issues:
GAO-10-401T:
GAO Highlights:
Highlights of GAO-10-401T, a statement for the record to the Committee
on Homeland Security, House of Representatives.
Why GAO Did This Study:
The December 25, 2009, attempted bombing of flight 253 raised
questions about the federal government‘s ability to protect the
homeland and secure the commercial aviation system. This statement
focuses on the government‘s efforts to use the terrorist watchlist to
screen individuals and determine if they pose a threat, and how
failures in this process contributed to the December 25 attempted
attack. This statement also addresses the Transportation Security
Administration‘s (TSA) planned deployment of technologies for enhanced
explosive detection and the challenges associated with this
deployment. GAO‘s comments are based on products issued from September
2006 through October 2009 and selected updates in January 2010. For
these updates, GAO reviewed government reports related to the December
25 attempted attack and obtained information from the Department of
Homeland Security (DHS) and TSA on use of the watchlist and new
technologies for screening airline passengers.
What GAO Found:
The intelligence community uses standards of reasonableness to
evaluate individuals for nomination to the consolidated terrorist
watchlist. In making these determinations, agencies are to consider
information from all available sources. However, for the December 25
subject, the intelligence community did not effectively complete these
steps and link available information to the subject before the
incident. Therefore, agencies did not nominate the individual to the
watchlist or any of the subset lists used during agency screening,
such as the ’No Fly“ list. Weighing and responding to the potential
impacts that changes to the nomination criteria would have on the
traveling public will be an important consideration in determining
what changes may be needed. Also, screening agencies stated that they
do not check against all records in the watchlist, partly because
screening against certain records may not be needed to support a
respective agency‘s mission or may not be possible because of the
requirements of computer programs used to check individuals against
watchlist records. In October 2007, GAO reported that not checking
against all records may pose a security risk and recommended that DHS
and the FBI assess potential vulnerabilities, but they have not
completed these assessments. TSA is implementing an advanced airline
passenger prescreening program”known as Secure Flight”that could
potentially result in the federal government checking passengers
against the entire watchlist under certain security conditions.
Further, the government lacks an up-to-date strategy and
implementation plan”supported by a clearly defined leadership or
governance structure”which are needed to enhance the effectiveness of
terrorist-related screening and ensure accountability. In the 2007
report, GAO recommended that the Homeland Security Council ensure that
a governance structure exists that has the requisite authority over
the watchlist process. The council did not comment on this
recommendation.
As GAO reported in October 2009, since TSA‘s creation, 10 passenger
screening technologies have been in various phases of research,
development, procurement, and deployment, including the Advanced
Imaging Technology (AIT)”formerly known as the Whole Body Imager. TSA
expects to have installed almost 200 AITs in airports by the end of
calendar year 2010 and plans to install a total of 878 units by the
end of fiscal year 2014. In October 2009, GAO reported that TSA had
not yet conducted an assessment of the technology‘s vulnerabilities to
determine the extent to which a terrorist could employ tactics that
would evade detection by the AIT. Thus, it is unclear whether the AIT
or other technologies would have detected the weapon used in the
December 25 attempted attack. GAO‘s report also noted the problems TSA
experienced in deploying another checkpoint technology that had not
been tested in the operational environment. Since GAO‘s October
report, TSA stated that it has completed the testing as of the end of
2009. We are currently verifying that all functional requirements of
the AIT were tested in an operational environment. Completing these
steps should better position TSA to ensure that its costly deployment
of AIT machines will enhance passenger checkpoint security.
What GAO Recommends:
GAO is not making new recommendations, but has made recommendations in
prior reports to DHS, the Federal Bureau of Investigation (FBI), and
the White House Homeland Security Council to enhance the use of the
watchlist and to TSA related to checkpoint technologies. The agencies
generally agreed and are making some progress, but full implementation
is needed.
View [hyperlink, http://www.gao.gov/products/GAO-10-401T] or key
components. For more information, contact Eileen Larence at (202) 512-
6510 or larencee@gao.gov and Stephen Lord at (202) 512-4379 or
lords@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
We are pleased to submit this statement on the progress federal
agencies have made and the challenges they face in key areas of
terrorism information sharing and the deployment of checkpoint
technologies. The December 25, 2009, attempted bombing of flight 253
has led to increased scrutiny of how the government creates and uses
the consolidated terrorist screening database (the watchlist) to
screen individuals and determine if they pose a security threat, and
highlighted the importance of detecting improvised explosive devices
and other prohibited items on passengers before they board a
commercial aircraft. The White House's initial review of these events
exposed gaps in how intelligence agencies collected, shared, and
analyzed terrorism-related information to determine if the subject--
Umar Farouk Abdulmutallab--posed enough of a threat to warrant placing
him on the watchlist, which could have altered the course of events
that day. To enhance its ability to detect explosive devices and other
prohibited items on passengers, the Transportation Security
Administration (TSA) is evaluating the use of Advanced Imaging
Technology (AIT)--formerly called the Whole Body Imager--as an
improvement over current screening capabilities.
In October 2007, we released a report on the results of our review--
conducted at your request--of how the watchlist is created and
maintained, and how federal, state, and local security partners use
the list to screen individuals for potential threats to the
homeland.[Footnote 1] As a result of that review, we identified
potential vulnerabilities, including ones created because agencies
were not screening against all records in the watchlist. We made a
number of recommendations aimed at addressing these potential
vulnerabilities and helping to enhance the effectiveness of the
watchlist process, which the agencies have not yet fully addressed.
These recommendations--which we discuss later in this statement--are
still important to address and can inform ongoing reviews of the
December 25 attempted terrorist attack.
Also, in January 2005, we designated information sharing for homeland
security a high-risk area because the government faced formidable
challenges in analyzing and disseminating this information in a
timely, accurate, and useful manner.[Footnote 2] Since then, we have
been monitoring and making recommendations to improve the government's
efforts to share terrorism-related information, not only among federal
agencies but also with their state, local, tribal, and private sector
security partners.[Footnote 3] Addressing this high-risk area is
important to help remove barriers that lead to agencies maintaining
information in stove-piped systems, and to hold them accountable to
the Congress and the public for ensuring terrorism information is
shared, is used, and makes a difference. We are continuing to review
federal agencies' efforts to share terrorism-related information and
expect to report the results of this work later this year.[Footnote 4]
In addition, in October 2009, we released a report on TSA's efforts to
deploy checkpoint technologies and the challenges the agency faces in
these efforts.[Footnote 5] We made eight recommendations related to
the research, development, and deployment of these technologies. The
Department of Homeland Security (DHS) agreed with our recommendations
and identified actions planned or under way to implement them. While
DHS is taking steps to address our recommendations related to
conducting risk assessments, the actions DHS reported that TSA had
taken or plans to take do not fully address the intent of the majority
of our recommendations.
This statement for the record discusses (1) the government's efforts
to use the terrorist watchlist to screen individuals and determine if
they pose a threat, as well as how aspects of this process contributed
to the December 25 attempted terrorist attack and (2) TSA's planned
deployment of the AIT for enhanced explosive detection and the
challenges associated with this deployment.
This statement is based on products GAO issued from September 2006
through October 2009.[Footnote 6] In conducting our prior work, we
reviewed documentation obtained from and interviewed officials at the
various departments and agencies with responsibilities for compiling
and using watchlist records. We also reviewed documentation and
obtained information on current checkpoint screening technologies
being researched, developed, and deployed. Our previously published
reports contain additional details on the scope and methodology for
those reviews. In addition, this statement contains selected updates
conducted in December 2009 and January 2010. For the updates, GAO
reviewed government reports and other information related to the
December 25 attempted attack, obtained information from DHS and TSA on
the use of watchlist records and new technologies for screening
airline passengers, and interviewed a senior TSA official. We
conducted our updated work in December 2009 and January 2010 in
accordance with generally accepted government auditing standards.
In Summary:
Because the subject of the December 25 attempted terrorist attack was
not nominated for inclusion on the government's consolidated terrorist
screening database, federal agencies responsible for screening
activities missed several opportunities to identify him and possibly
take action. We have previously reported on a number of issues related
to the compilation and use of watchlist records, such as the potential
security risk posed by not checking against all records on the
watchlist. We also identified the need for an up-to-date strategy and
implementation plan--one that describes the scope, governance,
outcomes, milestones, and metrics, among other things--for managing
the watchlist process across the federal government. Such a strategy
and plan, supported by a clearly defined leadership or governance
structure, can be helpful in removing cultural, technological, and
other barriers--such as those problems that the December 25 attempted
terrorist attack exposed--that inhibit the effective use of watchlist
information.
With regard to the deployment of technology to detect explosives on
passengers, TSA expects to have installed almost 200 AITs in airports
by the end of calendar year 2010, and plans to procure and install a
total of 878 units by the end of fiscal year 2014. While recently
providing GAO with updated information to our October 2009 report, TSA
stated that operational testing for the AIT was completed as of the
end of calendar year 2009. We are in the process of verifying that TSA
tested all of the AIT functional requirements in an operational
environment. Moreover, we previously reported that TSA had not yet
conducted an assessment of the technology's vulnerabilities to
determine the extent to which a terrorist could employ tactics that
would evade detection by the AIT. While we recognize that the AIT
could provide an enhanced detection capability, completing these steps
should better position TSA to have the information necessary to ensure
that moving ahead with a costly deployment of AIT machines will
enhance passenger checkpoint security.
Background:
Terrorist Watchlist Process:
The Terrorist Screening Center (TSC)--administered by the Federal
Bureau of Investigation (FBI)--is responsible for maintaining the U.S.
government's consolidated watchlist and providing it to federal
agencies as well as state, local, and selected foreign partners for
their use in screening individuals. TSC receives the vast majority of
its watchlist nominations and information from the National
Counterterrorism Center (NCTC), which compiles information on known or
suspected international terrorists from executive branch departments
and agencies.[Footnote 7] In addition, the FBI provides TSC with
information on known or suspected domestic terrorists who operate
primarily within the United States. To support agency screening
processes, TSC first determines if each nomination contains specific
minimum derogatory information for inclusion in its terrorist
screening database. TSC then sends applicable records from the
terrorist watchlist to screening agency systems for use in efforts to
deter or detect the movements of known or suspected terrorists. For
instance, applicable TSC records are provided to TSA for use in
prescreening airline passengers; to a U.S. Customs and Border
Protection (CBP) system for use in screening travelers entering the
United States; to a Department of State system for use in screening
visa applicants; and to an FBI system for use by state and local law
enforcement agencies pursuant to arrests, detentions, and other
criminal justice purposes.[Footnote 8]
Airline Passenger Screening Using Checkpoint Screening Technology:
Passenger screening is a process by which screeners inspect
individuals and their property to deter and prevent an act of violence
or air piracy, such as the carrying of any unauthorized explosive,
incendiary, weapon, or other prohibited item on board an aircraft or
into a sterile area.[Footnote 9] Screeners inspect individuals for
prohibited items at designated screening locations. TSA developed
standard operating procedures for screening passengers at airport
checkpoints. Primary screening is conducted on all airline passengers
before they enter the sterile area of an airport and involves
passengers walking through a metal detector and carry-on items being
subjected to X-ray screening. Passengers who alarm the walk-through
metal detector or are designated as selectees--that is, passengers
selected for additional screening--must then undergo secondary
screening, as well as passengers whose carry-on items have been
identified by the X-ray machine as potentially containing prohibited
items.[Footnote 10] Secondary screening involves additional means for
screening passengers, such as by hand-wand; physical pat-down; or, at
certain airport locations, an explosives trace portal (ETP), which is
used to detect traces of explosives on passengers by using puffs of
air to dislodge particles from their bodies and clothing into an
analyzer. Selectees' carry-on items are also physically searched or
screened for explosives, such as by using explosives trace detection
machines.
Assessing Potential Vulnerabilities Related to Not Screening against
All Watchlist Records and Ensuring Clear Lines of Authority over the
Watchlist Process Would Provide for Its More Effective Use:
Agencies Rely upon Standards of Reasonableness in Assessing
Individuals for Nomination to TSC's Watchlist, but Did Not Connect
Available Information on Mr. Abdulmutallab to Determine Whether a
Reasonable Suspicion Existed:
Federal agencies--particularly NCTC and the FBI--submit to TSC
nominations of individuals to be included on the consolidated
watchlist. For example, NCTC receives terrorist-related information
from executive branch departments and agencies, such as the Department
of State, the Central Intelligence Agency, and the FBI, and catalogs
this information in its Terrorist Identities Datamart Environment
database, commonly known as the TIDE database. This database serves as
the U.S. government's central classified database with information on
known or suspected international terrorists. According to NCTC,
agencies submit watchlist nomination reports to the center, but are
not required to specify individual screening systems that they believe
should receive the watchlist record, such as the No Fly list of
individuals who are to be denied boarding an aircraft.[Footnote 11]
NCTC is to presume that agency nominations are valid unless it has
other information in its possession to rebut that position.
To decide if a person poses enough of a threat to be placed on the
watchlist, agencies are to follow Homeland Security Presidential
Directive (HSPD) 6, which states that the watchlist is to contain
information about individuals "known or appropriately suspected to be
or have been engaged in conduct constituting, in preparation for, in
aid of, or related to terrorism."[Footnote 12] HSPD-24 definitively
established the "reasonable suspicion" standard for watchlisting by
providing that agencies are to make available to other agencies all
biometric information associated with "persons for whom there is an
articulable and reasonable basis for suspicion that they pose a threat
to national security."[Footnote 13] NCTC is to consider information
from all available sources and databases to determine if there is a
reasonable suspicion of links to terrorism that warrants a nomination,
which can involve some level of subjectivity. The guidance on
determining reasonable suspicion, which TSC most recently updated in
February 2009, contains specific examples of the types of terrorism-
related conduct that may make an individual appropriate for inclusion
on the watchlist.
The White House's review of the December 25 attempted terrorist attack
noted that Mr. Abdulmutallab's father met with U.S. Embassy officers
in Abuja, Nigeria, to discuss his concerns that his son may have come
under the influence of unidentified extremists and had planned to
travel to Yemen.[Footnote 14] However, according to NCTC, the
information in the State Department's nomination report did not meet
the criteria for watchlisting in TSC's consolidated terrorist
screening database per the government's established and approved
nomination standards. NCTC also noted that the State Department cable
nominating Mr. Abdulmutallab had no indication that the father was the
source of the information. According to the White House review of the
December 25 attempted attack, the U.S. government had sufficient
information to have uncovered and potentially disrupted the attack--
including by placing Mr. Abdulmutallab on the No Fly list--but
analysts within the intelligence community failed to connect the dots
that could have identified and warned of the specific threat.
After receiving the results of the White House's review of the
December 25 attempted attack, the President called for members of the
intelligence community to undertake a number of corrective actions--
such as clarifying intelligence agency roles, responsibilities, and
accountabilities to document, share, and analyze all sources of
intelligence and threat threads related to terrorism, and accelerating
information technology enhancements that will help with information
correlation and analysis. The House Committee on Oversight and
Government Reform has asked us, among other things, to assess
government efforts to revise the watchlist process, including actions
taken related to the December 25 attempted attack.
As part of our monitoring of high-risk issues, we also have ongoing
work--at the request of the Senate Committee on Homeland Security and
Governmental Affairs--that is assessing agency efforts to create the
Information Sharing Environment, which is intended to break down
barriers to sharing terrorism-related information, especially across
federal agencies.[Footnote 15] Our work is designed to help ensure
that federal agencies have a road map that defines roles,
responsibilities, actions, and time frames for removing barriers, as
well as a system to hold agencies accountable to the Congress and the
public for making progress on these efforts. Among other things, this
road map can be helpful in removing cultural, technological, and other
barriers that lead to agencies maintaining information in stove-piped
systems so that it is not easily accessible, similar to those problems
that the December 25 attempted attack exposed. We expect to issue the
results of this work later this year.
By Not Placing Mr. Abdulmutallab on the Consolidated Watchlist or Its
Subsets, the Government Missed Opportunities to Use These
Counterterrorism Tools:
Following the December 25 attempted terrorist attack, questions were
raised as to what could have happened if Mr. Abdulmutallab had been on
TSC's consolidated terrorist screening database. We created several
scenarios to help explain how the watchlist process is intended to
work and what opportunities agencies could have had to identify him if
he was on the watchlist. For example, according to TSC, if a record
from the terrorist screening database is sent to the State
Department's system and the individual in that record holds a valid
visa, TSC would compare the identifying information in the watchlist
record against identifying information in the visa and forward
positive matches to the State Department for possible visa revocation.
If an individual's visa is revoked, under existing procedures, this
information is to be entered into the database CBP uses to screen
airline passengers prior to their boarding, which we describe below.
According to CBP, when the individual checks in for a flight, the on-
site CBP Immigration Advisory Program officers already would have been
apprised of the visa revocation by CBP and they would have checked the
person's travel documents to verify that the individual was a match to
the visa revocation record. Once the positive match was established,
the officers would have recommended that he not be allowed to board
the flight.
Under another scenario, if an individual is on TSC's terrorist
screening database, existing processes provide CBP with the
opportunity to identify the subject of a watchlist record as part of
the checks CBP is to conduct to see if airline passengers are eligible
to be admitted into the country. Specifically, for international
flights departing to or from the United States (but not for domestic
flights), CBP is to receive information on passengers obtained, for
example, when their travel document is swiped. CBP is to check this
passenger information against a number of databases to see if there
are any persons who have immigration violations, criminal histories,
or any other reason for being denied entry to the country, in
accordance with the agency's mission. According to CBP, when it
identifies a U.S. bound passenger who is on the watchlist, it
coordinates with other federal agencies to evaluate the totality of
available information to see what action is appropriate. In foreign
airports where there is a CBP Immigration Advisory Program presence,
the information on a watchlisted subject is forwarded by CBP to
program officers onsite. The officers would then intercept the subject
prior to boarding the aircraft and confirm that the individual is
watchlisted, and when appropriate based on the derogatory information,
request that the passenger be denied boarding.
In a third scenario, if an individual is on the watchlist and is also
placed on the No Fly or Selectee list, when the person checks in for a
flight, the individual's identifying information is to be checked
against these lists. Individuals matched to the No Fly list are to be
denied boarding. If the individual is matched to the Selectee list,
the person is to be subject to further screening, which could include
physical screening, such as a pat-down. The criteria in general that
are used to place someone on either of these two lists include the
following:
* Persons who are deemed to be a threat to civil aviation or national
security and should be precluded from boarding an aircraft are put on
the No Fly list.
* Persons who are deemed to be a threat to civil aviation or national
security but do not meet the criteria of the No Fly list are placed on
the Selectee list and are to receive additional security screening
prior to being permitted to board an aircraft.[Footnote 16]
The White House Homeland Security Council devised these more stringent
sets of criteria for the No Fly and Selectee lists in part because
these lists are not intended as investigative or information-gathering
tools or tracking mechanisms, and TSA is a screening but not an
intelligence agency.[Footnote 17] Rather, the lists are intended to
help ensure the safe transport of passengers and facilitate the flow
of commerce. However, the White House's review of the December 25
attempted terrorist attack raised questions about the effectiveness of
the criteria, and the President tasked the FBI and TSC with developing
recommendations for any needed changes to the nominations guidance and
criteria.
Weighing and responding to the potential impacts that changes to the
nominations guidance and criteria could have on the traveling public
and the airlines will be important considerations in developing such
recommendations. In September 2006, we reported that tens of thousands
of individuals who had similar names to persons on the watchlist were
being misidentified and subjected to additional screening, and in some
cases delayed so long as to miss their flights.[Footnote 18] We also
reported that resolving these misidentifications can take time and,
therefore, affect air carriers and commerce. If changes in criteria
result in more individuals being added to the lists, this could also
increase the number of individuals who are misidentified, exacerbating
these negative effects. In addition, we explained that individuals who
believe that they have been inappropriately matched to the watchlist
can petition the government for action and the relevant agencies must
conduct research and work to resolve these issues. If more people are
misidentified, more people may trigger this redress process,
increasing the need for resources. Finally, any changes to the
criteria or process would have to ensure that watchlist records are
used in a manner that safeguards legal rights, including freedoms,
civil liberties, and information privacy guaranteed by federal law.
Agencies Do Not Screen Individuals against All Records in the
Watchlist, Which Creates Potential Security Vulnerabilities; GAO
Continues to Recommend That Agencies Assess and Address These Gaps:
In reacting to the December 25 attempted terrorist attack, determining
whether there were potential vulnerabilities related to the use of
watchlist records when screening--not only individuals who fly into
the country but also, for example, those who cross land borders--are
important considerations. Screening agencies whose missions most
frequently and directly involve interactions with travelers generally
do not check against all records in the consolidated terrorist
watchlist. In our October 2007 report, we noted that this is because
screening against certain records may not be needed to support a
respective agency's mission or may not be possible because of computer
system limitations, among other things.[Footnote 19]
For example, CBP's mission is to determine if any traveler is eligible
to enter the country or is to be denied entry because of immigration
or criminal violations. As such, CBP's computer system accepts all
records from the consolidated watchlist database that have either a
first name or a last name and one other identifier, such as a date of
birth. Therefore, TSC sends CBP the greatest number of records from
the consolidated watchlist database for its screening. In contrast,
one of the State Department's missions is to approve requests for
visas. Since only non-U.S. citizens and nonlawful permanent residents
apply for visas, TSC does not send the department records on citizens
or lawful permanent residents for screening visa applicants.
Also, the FBI database that state and local law enforcement agencies
use for their missions in checking individuals for criminal histories,
for example, also receives a smaller portion of the watchlist.
According to the FBI, its computer system requires a full first name,
last name, and other identifier, typically a date of birth. The FBI
noted that this is because having these identifiers helps to reduce
the number of times an individual is misidentified as being someone on
the list, and the computer system would not be effective in making
matches without this information. Finally, the No Fly and Selectee
lists collectively contain the lowest percentage of watchlist records
because the remaining ones either do not meet the nominating criteria,
as described above, or do not meet system requirements--that is,
include full names and dates of birth, which TSA stated are required
to minimize misidentifications.
TSA is implementing a new screening program that the agency states
will have the capability to screen an individual against the entire
watchlist.[Footnote 20] Under this program, called Secure Flight, TSA
will assume from air carriers the responsibility of comparing
passenger information against the No Fly and Selectee lists.[Footnote
21] According to the program's final rule, in general, Secure Flight
is to compare passenger information only to the No Fly and Selectee
lists.[Footnote 22] The supplementary information accompanying the
rule notes that this will be satisfactory to counter the security
threat during normal security circumstances. However, the rule
provides that TSA may use the larger set of watchlist records when
warranted by security considerations, such as if TSA learns that
flights on a particular route may pose increased risks. TSA emphasized
that use of the full terrorist screening database is not routine.
Rather, TSA noted that its use is limited to circumstances in which
there is information concerning an increased risk to transportation
security, and the decision to use the full watchlist database will be
based on circumstances at the time. According to TSA, as of January
2010, the agency was developing administrative procedures for
utilizing the full watchlist when warranted.
In late January 2009, TSA began to assume from airlines the watchlist
matching function for a limited number of domestic flights, and has
since phased in additional flights and airlines. TSA expects to assume
the watchlist matching function for all domestic and international
flights departing to and from the United States by December 2010. It
is important to note that under the Secure Flight program, TSA
requires airlines to provide the agency with each passenger's full
name and date of birth to facilitate the watchlist matching process,
which should reduce the number of individuals who are misidentified as
the subject of a watchlist record. We continue to monitor the Secure
Flight program at the Congress's request.
In our October 2007 watchlist report, we recommended that the FBI and
DHS assess the extent to which security risks exist by not screening
against certain watchlist records and what actions, if any, should be
taken in response.[Footnote 23] The agencies generally agreed with our
recommendations but noted that the risks related to not screening
against all watchlist records needs to be balanced with the impact of
screening against all records, especially those records without a full
name and other identifiers. For example, more individuals could be
misidentified, law enforcement would be put in the position of
detaining more individuals until their identities could be resolved,
and administrative costs could increase, without knowing what
measurable increase in security is achieved. While we acknowledge
these tradeoffs and potential impacts, we maintain that assessing
whether vulnerabilities exist by not screening against all watchlist
records--and if there are ways to limit impacts--is critical and could
be a relevant component of the government's ongoing review of the
watchlist process. Therefore, we believe that our recommendation
continues to have merit.
Identifying Additional Screening Opportunities and Determining Whether
There Are Clear Lines of Authority for and Accountability over the
Watchlist Process Would Help Ensure Its Effective Use:
As we reported in October 2007, the federal government has made
progress in using the consolidated terrorist watchlist for screening
purposes, but has additional opportunities to use the list. For
example, DHS uses the list to screen employees in some critical
infrastructure components of the private sector, including certain
individuals who have access to vital areas of nuclear power plants or
transport hazardous materials. However, many critical infrastructure
components are not using watchlist records, and DHS has not finalized
guidelines to support such private sector screening, as HSPD-6
mandated and we previously recommended.[Footnote 24]
In that same report, we noted that HSPD-11 tasked the Secretary of
Homeland Security with coordinating across other federal departments
to develop (1) a strategy for a comprehensive and coordinated
watchlisting and screening approach and (2) a prioritized
implementation and investment plan that describes the scope,
governance, principles, outcomes, milestones, training objectives,
metrics, costs, and schedule of necessary activities.[Footnote 25] We
reported that without such a strategy, the government could not
provide accountability and a basis for monitoring to ensure that (1)
the intended goals for, and expected results of, terrorist screening
are being achieved and (2) use of the watchlist is consistent with
privacy and civil liberties. We recommended that DHS develop a current
interagency strategy and related plans.
According to DHS's Screening Coordination Office, during the fall of
2007, the office led an interagency effort to provide the President
with an updated report, entitled, HSPD-11, An Updated Strategy for
Comprehensive Terrorist-Related Screening Procedures.[Footnote 26] The
office noted that the report was formally submitted to the Executive
Office of the President through the Homeland Security Council and
reviewed by the President on January 25, 2008. Further, the office
noted that it also provided a sensitive version of the report to the
Congress in October 2008. DHS provided us an excerpt of that report to
review, stating that it did not have the authority to share excerpts
provided by other agencies, and we were unable to obtain a copy of the
full report. The information we reviewed only discussed DHS's own
efforts for coordinating watchlist screening across the department.
Therefore, we were not able to determine whether the HSPD-11 report
submitted to the President addressed all of the components called for
in the directive or what action, if any, was taken as a result. We
maintain that a comprehensive strategy, as well as related
implementation and investment plans, as called for by HSPD-11,
continue to be important to ensure effective governmentwide use of the
watchlist process.
In addition, in our October 2007 report, we noted that establishing an
effective governance structure as part of this strategic approach is
particularly vital since numerous agencies and components are involved
in the development, maintenance, and use of the watchlist process,
both within and outside of the federal government. Also, establishing
a governance structure with clearly-defined responsibility and
authority would help to ensure that agency efforts are coordinated,
and that the federal government has the means to monitor and analyze
the outcomes of such efforts and to address common problems
efficiently and effectively. We determined at the time that no such
structure was in place and that no existing entity clearly had the
requisite authority for addressing interagency issues. We recommended
that the Homeland Security Council ensure that a governance structure
was in place, but the council did not comment on our recommendation.
At the time of our report, TSC stated that it had a governance board
in place, comprised of senior-level agency representatives from
numerous departments and agencies. However, we also noted that the
board provided guidance concerning issues within TSC's mission and
authority. We also stated that while this governance board could be
suited to assume more of a leadership role, its authority at that time
was limited to TSC-specific issues, and it would need additional
authority to provide effective coordination of terrorist-related
screening activities and interagency issues governmentwide. In January
2010, the FBI stated that TSC has a Policy Board in place, with
representatives from relevant departments and agencies, that reviews
and provides input to the government's watchlist policy. The FBI also
stated that the policies developed are then sent to the National
Security Council Deputies Committee (formerly the Homeland Security
Council) for ratification. The FBI noted that this process was used
for making the most recent additions and changes to watchlist
standards and criteria. We have not yet been able to determine,
however, whether the Policy Board has the jurisdiction and authority
to resolve issues beyond TSC's purview, such as issues within the
intelligence community and in regard to the nominations process,
similar to the types of interagency issues the December 25 attempted
attack identified. We maintain that a governance structure with the
authority for and accountability over the entire watchlist process,
from nominations through screening, and across the government is
important.
On January 7, 2010, the President tasked the National Security Staff
with initiating an interagency review of the watchlist process--
including the business processes, procedures, and criteria--and the
interoperability and sufficiency of supporting information technology
systems. This review offers the government an opportunity to develop
an updated strategy, related plans, and governance structure that
would provide accountability to the administration, the Congress, and
the American public that the watchlist process is effective at helping
to secure the homeland.
Recent Work Highlights the Importance of Conducting Vulnerability
Assessments and Operational Testing Prior to Deployment of New
Checkpoint Technologies:
While TSA Has Not Yet Deployed Any New Checkpoint Technologies
Nationwide, It Plans to Have Installed Almost 200 AITs by the End of
2010:
As we reported in October 2009, in an effort to improve the capability
to detect explosives at aviation passenger checkpoints, TSA has 10
passenger screening technologies in various phases of research,
development, procurement, and deployment, including the AIT (formerly
Whole Body Imager).[Footnote 27] TSA is evaluating the AIT as an
improvement over current screening capabilities of the metal detector
and pat-downs specifically to identify nonmetallic threat objects and
liquids. The AITs produce an image of a passenger's body that a
screener interprets. The image identifies objects, or anomalies, on
the outside of the physical body but does not reveal items beneath the
surface of the skin, such as implants. TSA plans to procure two types
of AIT units: one type uses millimeter wave and the other type uses
backscatter X-ray technology. Millimeter wave technology beams
millimeter wave radio frequency energy over the body's surface at high
speed from two antennas simultaneously as they rotate around the body.
[Footnote 28] The energy reflected back from the body or other objects
on the body is used to construct a three-dimensional image. Millimeter
wave technology produces an image that resembles a fuzzy photo
negative. Backscatter X-ray technology uses a low-level X-ray to
create a two-sided image of the person. Backscatter technology
produces an image that resembles a chalk etching.[Footnote 29]
As we reported in October 2009, TSA has not yet deployed any new
technologies nationwide. However, as of December 31, 2009, according
to a senior TSA official, the agency has deployed 40 of the millimeter
wave AITs, and has procured 150 backscatter X-ray units in fiscal year
2009 and estimates that these units will be installed at airports by
the end of calendar year 2010. In addition, TSA plans to procure an
additional 300 AIT units in fiscal year 2010, some of which will be
purchased with funds from the American Recovery and Reinvestment Act
of 2009.[Footnote 30] TSA plans to procure and deploy a total of 878
units at all category X through category IV airports.[Footnote 31]
Full operating capability is expected in fiscal year 2014. TSA
officials stated that the cost of the AIT is about $130,000 to
$170,000 per unit, excluding installation costs. In addition, the
estimated training costs are $50,000 per unit.
While TSA stated that the AIT will enhance its explosives detection
capability, because the AIT presents a full body image of a person
during the screening process, concerns have been expressed that the
image is an invasion of privacy. According to TSA, to protect
passenger privacy and ensure anonymity, strict privacy safeguards are
built into the procedures for use of the AIT. For example, the officer
who assists the passenger never sees the image that the technology
produces, and the officer who views the image is remotely located in a
secure resolution room and never sees the passenger. Officers
evaluating images are not permitted to take cameras, cell phones, or
photo-enabled devices into the resolution room. To further protect
passengers' privacy, ways have been introduced to blur the passengers'
images. The millimeter wave technology blurs all facial features, and
the backscatter X-ray technology has an algorithm applied to the
entire image to protect privacy. Further, TSA has stated that the
AIT's capability to store, print, transmit, or save the image will be
disabled at the factory before the machines are delivered to airports,
and each image is automatically deleted from the system after it is
cleared by the remotely located security officer. Once the remotely
located officer determines that threat items are not present, that
officer communicates wirelessly to the officer assisting the
passenger. The passenger may then continue through the security
process. Potential threat items are resolved through a direct physical
pat-down before the passenger is cleared to enter the sterile
area.[Footnote 32] In addition to privacy concerns, the AITs are large
machines, and adding them to the checkpoint areas will require
additional space, especially since the operators are segregated from
the checkpoint to help ensure passenger privacy.
TSA Reports That It Is Taking Steps to Operationally Test AITs but Has
Not Conducted Vulnerability Assessments:
We previously reported on several challenges TSA faces related to the
research, development, and deployment of passenger checkpoint
screening technologies and made a number of recommendations to improve
this process.[Footnote 33] Two of these recommendations are
particularly relevant today, as TSA moves forward with plans to
install a total of 878 additional AITs--completing operational testing
of technologies in airports prior to using them in day-to-day
operations and assessing whether technologies such as the AIT are
vulnerable to terrorist countermeasures, such as hiding threat items
on various parts of the body to evade detection.
First, in October 2009, we reported that TSA had relied on
technologies in day-to-day airport operations that had not been proven
to meet their functional requirements through operational testing and
evaluation, contrary to TSA's acquisition guidance and a knowledge-
based acquisition approach. We also reported that TSA had not
operationally tested the AITs at the time of our review, and we
recommended that TSA operationally test and evaluate technologies
prior to deploying them.[Footnote 34] In commenting on our report, TSA
agreed with this recommendation. A senior TSA official stated that
although TSA does not yet have a written policy requiring operational
testing prior to deployment, TSA is now including in its contracts
with vendors that checkpoint screening machines are required to
successfully complete laboratory tests as well as operational tests.
The test results are then incorporated in the source selection plan.
The official also stated that the test results are now required at key
decision points by DHS's Investment Review Board. While recently
providing GAO with updated information to our October 2009 report, TSA
stated that operational testing for the AIT was completed as of the
end of calendar year 2009. We are in the process of verifying that TSA
has tested all of the AIT's functional requirements in an operational
environment.
Deploying technologies that have not successfully completed
operational testing and evaluation can lead to cost overruns and
underperformance. TSA's procurement guidance provides that testing
should be conducted in an operational environment to validate that the
system meets all functional requirements before deployment. In
addition, our reviews have shown that leading commercial firms follow
a knowledge-based approach to major acquisitions and do not proceed
with large investments unless the product's design demonstrates its
ability to meet functional requirements and be stable.[Footnote 35]
The developer must show that the product can be manufactured within
cost, schedule, and quality targets and is reliable before production
begins and the system is used in day-to-day operations.
TSA's experience with the ETPs, which the agency uses for secondary
screening, demonstrates the importance of testing and evaluation in an
operational environment. The ETP detects traces of explosives on a
passenger by using puffs of air to dislodge particles from the
passenger's body and clothing that the machine analyzes for traces of
explosives. TSA procured 207 ETPs and in 2006 deployed 101 ETPs to 36
airports, the first deployment of a checkpoint technology initiated by
the agency.[Footnote 36] TSA deployed the ETPs even though agency
officials were aware that tests conducted during 2004 and 2005 on
earlier ETP models suggested that they did not demonstrate reliable
performance. Furthermore, the ETP models that were subsequently
deployed were not first tested to prove their effective performance in
an operational environment, contrary to TSA's acquisition guidance,
which recommends such testing. As a result, TSA procured and deployed
ETPs without assurance that they would perform as intended in an
operational environment. TSA officials stated that they deployed the
machines without resolving these issues to respond quickly to the
threat of suicide bombers. In June 2006, TSA halted further deployment
of the ETP because of performance, maintenance, and installation
issues. According to a senior TSA official, as of December 31, 2009,
all but 9 ETPs have been withdrawn from airports and 18 ETPs remain in
inventory. TSA estimates that the 9 remaining ETPs will be removed
from airports by the end of calendar year 2010. In the future, using
validated technologies would enhance TSA's efforts to improve
checkpoint security. Furthermore, retaining existing screening
procedures until the effectiveness of future technologies has been
validated could provide assurances that use of checkpoint technologies
improves aviation security.
Second, as we reported in October 2009, TSA does not know whether its
explosives detection technologies, such as the AITs, are susceptible
to terrorist tactics. Although TSA has obtained information on
vulnerabilities at the screening checkpoint, the agency has not
assessed vulnerabilities--that is, weaknesses in the system that
terrorists could exploit in order to carry out an attack--related to
passenger screening technologies, such as AITs, that are currently
deployed. According to TSA's threat assessment, terrorists have
various techniques for concealing explosives on their persons, as was
evident in Mr. Abdulmutallab's attempted attack on December 25, where
he concealed an explosive in his underwear. However, TSA has not
assessed whether these and other tactics that terrorists could use to
evade detection by screening technologies, such as AIT, increase the
likelihood that the screening equipment would not detect the hidden
weapons or explosives. Thus, without an assessment of the
vulnerabilities of checkpoint technologies, it is unclear whether the
AIT or other technologies would have been able to detect the weapon
Mr. Abdulmutallab used in his attempted attack. TSA is in the process
of developing a risk assessment for the airport checkpoints, but the
agency has not yet completed this effort or clarified the extent to
which this effort addresses any specific vulnerabilities in checkpoint
technology.
TSA officials stated that to identify vulnerabilities at airport
checkpoints, the agency analyzes information such as the results from
its covert testing program. TSA conducts national and local covert
tests, whereby individuals attempt to enter the secure area of an
airport through the passenger checkpoint with prohibited items in
their carry-on bags or hidden on their persons. However, TSA's covert
testing programs do not systematically test passenger and baggage
screening technologies nationwide to ensure that they identify the
threat objects and materials the technologies are designed to detect,
nor do the covert testing programs identify vulnerabilities related to
these technologies. We reported in August 2008 that while TSA's local
covert testing program attempts to identify test failures that may be
caused by screening equipment not working properly or caused by
screeners and the screening procedures they follow, the agency's
national testing program does not attribute a specific cause of a test
failure.[Footnote 37] We recommended, among other things, that TSA
require the documentation of specific causes of all national covert
testing failures, including documenting failures related to equipment,
in the covert testing database to help TSA better identify areas for
improvement. TSA concurred with this recommendation and stated that
the agency will expand the covert testing database to document test
failures related to screening equipment.
In our 2009 report, we also recommended that the Assistant Secretary
for TSA, among other actions, conduct a complete risk assessment--
including threat, vulnerability, and consequence assessment--for the
passenger screening program and incorporate the results into TSA's
program strategy, as appropriate. TSA and DHS concurred with our
recommendation, but have not completed these risk assessments or
provided documentation to show how they have addressed the concerns
raised in our 2009 report regarding the susceptibility of the
technology to terrorist tactics.
Mr. Chairman, this concludes our statement for the record.
Contacts and Acknowledgments:
For additional information on this statement, please contact Eileen
Larence at (202) 512-6510 or larencee@gao.gov or Stephen Lord at (202)
512-4379 or lords@gao.gov.
In addition to the contacts named above, Kathryn Bernet, Carissa
Bryant, Frances Cook, Joe Dewechter, Eric Erdman, Richard Hung, Anne
Laffoon, Linda Miller, Victoria Miller, and Michelle Woods made key
contributions to this statement.
[End of section]
Footnotes:
[1] GAO, Terrorist Watchlist Screening: Opportunities Exist to Enhance
Management Oversight, Reduce Vulnerabilities in Agency Screening
Processes, and Expand Use of the List, [hyperlink,
http://www.gao.gov/products/GAO-08-110] (Washington, D.C.: Oct. 11,
2007).
[2] See GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January
2009), for our most recent update.
[3] See, for example, GAO, Information Sharing: The Federal Government
Needs to Establish Policies and Processes for Sharing Terrorism-
Related and Sensitive but Unclassified Information, [hyperlink,
http://www.gao.gov/products/GAO-06-385] (Washington, D.C.: Mar. 17,
2006); Information Sharing Environment: Definition of the Results to
Be Achieved in Improving Terrorism-Related Information Sharing Is
Needed to Guide Implementation and Assess Progress, [hyperlink,
http://www.gao.gov/products/GAO-08-492] (Washington, D.C.: June 25,
2008); and Information Sharing: Federal Agencies Are Sharing Border
and Terrorism Information with Local and Tribal Law Enforcement
Agencies, but Additional Efforts Are Needed, [hyperlink,
http://www.gao.gov/products/GAO-10-41] (Washington, D.C.: Dec. 18,
2009).
[4] We have three ongoing reviews of terrorism-related information
sharing that are being conducted based on separate requests from your
committee, the House Committee on Oversight and Government Reform, and
the Senate Committee on Homeland Security and Governmental Affairs.
[5] GAO, Aviation Security: DHS and TSA Have Researched, Developed,
and Begun Deploying Passenger Checkpoint Screening Technologies, but
Continue to Face Challenges, [hyperlink,
http://www.gao.gov/products/GAO-10-128 (Washington, D.C.: Oct. 7,
2009).
[6] See GAO, Terrorist Watch List Screening: Efforts to Help Reduce
Adverse Effects on the Public, [hyperlink,
http://www.gao.gov/products/GAO-06-1031] (Washington, D.C.: Sept. 29,
2006); [hyperlink, http://www.gao.gov/products/GAO-08-110]; Aviation
Security: TSA Has Completed Key Activities Associated with
Implementing Secure Flight, but Additional Actions Are Needed to
Mitigate Risks, [hyperlink, http://www.gao.gov/products/GAO-09-292]
(Washington, D.C.: May 13, 2009); and [hyperlink,
http://www.gao.gov/products/GAO-10-128].
[7] By law, NCTC, which is within the Office of the Director of
National Intelligence, serves as the primary organization in the U.S.
government for analyzing and integrating all intelligence pertaining
to terrorism and counterterrorism, except for intelligence pertaining
exclusively to domestic terrorists and domestic counterterrorism. See
50 U.S.C. § 404o(d)(1).
[8] See [hyperlink, http://www.gao.gov/products/GAO-08-110] for
additional details on the compilation and use of terrorist watchlist
records.
[9] Sterile areas are generally located within the terminal where
passengers are provided access to boarding aircraft, and access is
controlled in accordance with TSA requirements.
[10] A nonselectee passenger who alarms the walk-through metal
detector on the first pass is offered a second pass. If the passenger
declines the second pass, the passenger must proceed to additional
screening. If the nonselectee passenger accepts the second pass and
the machine does not alarm, the passenger may generally proceed
without further screening.
[11] As discussed later in this statement, agencies generally do not
use the full terrorist watchlist to screen individuals. Rather, they
generally use subsets of the full list based on each agency‘s mission
and other factors.
[12] The White House, Homeland Security Presidential Directive/HSPD-6,
Subject: Integration and Use of Screening Information (Washington,
D.C., Sept. 16, 2003).
[13] The White House, Homeland Security Presidential Directive/HSPD-
24, Subject: Biometrics for Identification and Screening to Enhance
National Security (Washington, D.C., June 5, 2008).
[14] The White House, Summary of the White House Review of the
December 25, 2009, Attempted Terrorist Attack (Washington, D.C., Jan.
7, 2010).
[15] The Intelligence Reform and Terrorism Prevention Act of 2004, as
amended, defines the Information Sharing Environment as ’an approach
that facilitates the sharing of terrorism and homeland security
information, which may include any method determined necessary and
appropriate for carrying out [section 1016].“ See Pub. L. No. 108-458,
§ 1016(a)(2), 118 Stat. 3638, 3665 (codified as amended at 6 U.S.C. §
485(a)(3)). See also Homeland Security Act of 2002, 6 U.S.C. § 482
(requiring the establishment of procedures for the sharing of homeland
security information, as defined by this section).
[16] Of all of the screening databases that accept watchlist records,
only the No Fly and Selectee lists require certain nomination criteria
or inclusion standards that are narrower than the ’known or
appropriately suspected“ standard of HSPD-6. The most recent guidance
related to the No Fly and Selectee list criteria was issued in
February 2009.
[17] The Homeland Security Council originally was established in 2001
by executive order and subsequently codified into law by the Homeland
Security Act of 2002 for the purpose of more effectively coordinating
the policies and functions of the federal government relating to
homeland security. See Exec. Order No. 13,228; Pub. L. No. 107-296,
tit. IX, 116 Stat. 2135, 2258-59 (codified at 6 U.S.C. §§ 491-496). On
May 26, 2009, the President announced the full integration of White
House staff supporting national security and homeland security into a
new ’National Security Staff“ supporting all White House policy-making
activities relating to international, transnational, and homeland
security matters. The Homeland Security Council was maintained as the
principle venue for interagency deliberations on issues that affect
the security of the homeland, such as terrorism, weapons of mass
destruction, natural disasters, and pandemic influenza.
[18] [hyperlink, http://www.gao.gov/products/GAO-06-1031].
[19] [hyperlink, http://www.gao.gov/products/GAO-08-110].
[20] [hyperlink, http://www.gao.gov/products/GAO-09-292].
[21] Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-15 (codified
at 49 U.S.C. § 44903(j)(2)(C)).
[22] See 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R.
pt. 1560).
[23] [hyperlink, http://www.gao.gov/products/GAO-08-110].
[24] The identification of critical infrastructure components that are
not using watchlist records for screening is considered Sensitive
Security Information that cannot be disclosed in a public statement.
[25] The White House, Homeland Security Presidential Directive/HSPD-
11, Subject: Comprehensive Terrorist-Related Screening Procedures
(Washington, D.C., Aug. 27, 2004).
[26] DHS established the Screening Coordination Office in July 2006 to
enhance security measures by integrating the department‘s terrorist-
and immigration-related screening efforts, creating unified screening
standards and policies, and developing a single redress process for
travelers.
[27] [hyperlink, http://www.gao.gov/products/GAO-10-128].
[28] According to TSA, this description of the millimeter wave
technology applies only to the machine manufactured by L3 and does not
apply to other millimeter wave technologies that TSA is evaluating,
such as the Smiths millimeter wave AIT.
[29] Research and development of the AIT technology is continuing,
specifically, to develop passive terahertz (THz) and active gigahertz
(GHz) technologies to improve detection performance and reduce
operational costs of commercially available systems.
[30] According to TSA, some of the 300 AIT units to be procured in
fiscal year 2010 will begin to be deployed to airports in the latter
half of fiscal year 2010.
[31] TSA classifies the commercial airports in the United States into
one of five security risk categories (X, I, II, III, and IV). In
general, category X airports have the largest number of passenger
boardings, and category IV airports have the smallest. Categories X,
I, II, and III airports account for more than 90 percent of the
nation‘s air traffic.
[32] TSA stated that it continues to evaluate possible display options
that include a ’stick figure“ or ’cartoon-like“ form to provide
greater privacy protection to the individual being screened while
still allowing the unit operator or automated detection algorithms to
detect possible threats.
[33] [hyperlink, http://www.gao.gov/products/GAO-10-128].
[34] Operational testing refers to testing in an operational
environment in order to verify that new systems are operationally
effective, supportable, and suitable.
[35] GAO, Best Practices: Using a Knowledge-Based Approach to Improve
Weapon Acquisition, [hyperlink,
http://www.gao.gov/products/GAO-04-386SP] (Washington, D.C.: January
2004).
[36] TSA deployed the ETPs from January to June 2006. Since June 2006,
TSA removed all but 9 ETPs from airports because of maintenance issues.
[37] See GAO, Transportation Security: TSA Has Developed a Risk-Based
Covert Testing Program, but Could Better Mitigate Aviation Security
Vulnerabilities Identified Through Covert Tests, [hyperlink,
http://www.gao.gov/products/GAO-08-958] (Washington, D.C.: Aug. 8,
2008).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: