Surface Transportation Security
TSA Has Taken Actions to Manage Risk, Improve Coordination, and Measure Performance, but Additional Actions Would Enhance Its Efforts
Gao ID: GAO-10-650T April 21, 2010
Terrorist attacks on surface transportation facilities in Moscow, Mumbai, London, and Madrid caused casualties and highlighted the vulnerability of such systems. The Transportation Security Administration (TSA), within the Department of Homeland Security (DHS), is the primary federal agency responsible for security of transportation systems. This testimony focuses on the extent to which (1) DHS has used risk management in strengthening surface transportation security, (2) TSA has coordinated its strategy and efforts for securing surface transportation with stakeholders, (3) TSA has measured the effectiveness of its surface transportation security-improvement actions, and (4) TSA has made progress in deploying surface transportation security inspectors and related challenges it faces in doing so. GAO's statement is based on public GAO products issued from January to June 2009, selected updates from September 2009 to April 2010, and ongoing work on pipeline security. For the updates and ongoing work, GAO analyzed TSA's pipeline risk assessment model, reviewed relevant laws and program management documents, and interviewed TSA officials.
DHS has taken actions to implement a risk management approach but could do more to inform resource allocation based on risk across the surface transportation sector--including the mass transit and passenger rail, freight rail, highway, and pipeline modes. For example, in March 2009, GAO reported that TSA had not conducted comprehensive risk assessments to compare risk across the entire transportation sector, which the agency could use to guide investment decisions, and recommended that TSA do so. TSA concurred, and in April 2010 noted planned actions. GAO has also made recommendations to strengthen risk assessments within individual modes, such as expanding TSA's efforts to include all security threats in its freight rail security strategy, including potential sabotage to bridges, tunnels, and other critical infrastructure. DHS concurred and is addressing the recommendations. TSA has generally improved coordination with key surface transportation stakeholders, but additional actions could enhance its efforts. For example, GAO reported in April 2009 that although federal and industry stakeholders have taken steps to coordinate their freight rail security efforts, TSA was not requesting another federal agency's data that could be useful in developing regulations for high-risk rail carriers. GAO recommended that DHS work with its federal partners to ensure that all relevant information, such as threat assessments, is shared. DHS concurred with this recommendation and recently stated that TSA has met with key federal stakeholders regarding sharing relevant assessment information and avoiding duplication. TSA has developed national strategies for each surface transportation mode, but using targeted, outcome-oriented performance measures could enable TSA to better monitor the effectiveness of these strategies and programs that support them. For example, GAO reported in June 2009 that TSA's mass transit strategy identified sectorwide goals, but did not contain measures or targets for program effectiveness. Such measures could help TSA track progress in securing transit and passenger rail systems. GAO also reported in April 2009 that TSA's freight rail security strategy could be strengthened by including targets for three of its four performance measures and revising its approach for the other measure, such as including more reliable baseline data to improve consistency in quantifying results. GAO recommended in both instances that TSA strengthen its performance measures. DHS concurred and noted planned actions. Preliminary findings from GAO's ongoing review of pipeline security show that TSA has taken some actions to monitor progress, but could better measure pipeline security improvements. GAO expects to issue a report by the end of 2010. GAO reported in June 2009 that TSA had more than doubled its surface transportation inspector workforce and expanded the roles and responsibilities of surface inspectors, but faced challenges balancing aviation and surface transportation priorities and had not completed a workforce plan to direct current and future program needs. TSA has initiated but not yet finished a staffing study to identify the optimal size of its inspector workforce.
GAO-10-650T, Surface Transportation Security: TSA Has Taken Actions to Manage Risk, Improve Coordination, and Measure Performance, but Additional Actions Would Enhance Its Efforts
This is the accessible text file for GAO report number GAO-10-650T
entitled 'Surface Transportation Security: TSA Has Taken Actions to
Manage Risk, Improve Coordination, and Measure Performance, but
Additional Actions Would Enhance Its Efforts' which was released on
April 21, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Committee on Commerce, Science, and Transportation, U.S.
Senate:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 2:30 p.m. EDT:
Wednesday, April 21, 2010:
Surface Transportation Security:
TSA Has Taken Actions to Manage Risk, Improve Coordination, and
Measure Performance, but Additional Actions Would Enhance Its Efforts:
Statement of Stephen M. Lord, Director: Homeland Security and Justice
Issues:
GAO-10-650T:
GAO Highlights:
Highlights of GAO-10-650T, a testimony before the Committee on
Commerce, Science, and Transportation, U.S. Senate.
Why GAO Did This Study:
Terrorist attacks on surface transportation facilities in Moscow,
Mumbai, London, and Madrid caused casualties and highlighted the
vulnerability of such systems. The Transportation Security
Administration (TSA), within the Department of Homeland Security
(DHS), is the primary federal agency responsible for security of
transportation systems.
This testimony focuses on the extent to which (1) DHS has used risk
management in strengthening surface transportation security, (2) TSA
has coordinated its strategy and efforts for securing surface
transportation with stakeholders, (3) TSA has measured the
effectiveness of its surface transportation security-improvement
actions, and (4) TSA has made progress in deploying surface
transportation security inspectors and related challenges it faces in
doing so. GAO‘s statement is based on public GAO products issued from
January to June 2009, selected updates from September 2009 to April
2010, and ongoing work on pipeline security. For the updates and
ongoing work, GAO analyzed TSA‘s pipeline risk assessment model,
reviewed relevant laws and program management documents, and
interviewed TSA officials.
What GAO Found:
DHS has taken actions to implement a risk management approach but
could do more to inform resource allocation based on risk across the
surface transportation sector”including the mass transit and passenger
rail, freight rail, highway, and pipeline modes. For example, in March
2009, GAO reported that TSA had not conducted comprehensive risk
assessments to compare risk across the entire transportation sector,
which the agency could use to guide investment decisions, and
recommended that TSA do so. TSA concurred, and in April 2010 noted
planned actions. GAO has also made recommendations to strengthen risk
assessments within individual modes, such as expanding TSA‘s efforts
to include all security threats in its freight rail security strategy,
including potential sabotage to bridges, tunnels, and other critical
infrastructure. DHS concurred and is addressing the recommendations.
TSA has generally improved coordination with key surface
transportation stakeholders, but additional actions could enhance its
efforts. For example, GAO reported in April 2009 that although federal
and industry stakeholders have taken steps to coordinate their freight
rail security efforts, TSA was not requesting another federal agency‘s
data that could be useful in developing regulations for high-risk rail
carriers. GAO recommended that DHS work with its federal partners to
ensure that all relevant information, such as threat assessments, is
shared. DHS concurred with this recommendation and recently stated
that TSA has met with key federal stakeholders regarding sharing
relevant assessment information and avoiding duplication.
TSA has developed national strategies for each surface transportation
mode, but using targeted, outcome-oriented performance measures could
enable TSA to better monitor the effectiveness of these strategies and
programs that support them. For example, GAO reported in June 2009
that TSA‘s mass transit strategy identified sectorwide goals, but did
not contain measures or targets for program effectiveness. Such
measures could help TSA track progress in securing transit and
passenger rail systems. GAO also reported in April 2009 that TSA‘s
freight rail security strategy could be strengthened by including
targets for three of its four performance measures and revising its
approach for the other measure, such as including more reliable
baseline data to improve consistency in quantifying results. GAO
recommended in both instances that TSA strengthen its performance
measures. DHS concurred and noted planned actions. Preliminary
findings from GAO‘s ongoing review of pipeline security show that TSA
has taken some actions to monitor progress, but could better measure
pipeline security improvements. GAO expects to issue a report by the
end of 2010.
GAO reported in June 2009 that TSA had more than doubled its surface
transportation inspector workforce and expanded the roles and
responsibilities of surface inspectors, but faced challenges balancing
aviation and surface transportation priorities and had not completed a
workforce plan to direct current and future program needs. TSA has
initiated but not yet finished a staffing study to identify the
optimal size of its inspector workforce.
What GAO Recommends:
GAO has made recommendations to DHS in prior reports to strengthen
surface transportation security. DHS generally concurred with our
recommendations and is making progress in implementing them.
View [hyperlink, http://www.gao.gov/products/GAO-10-650T] or key
components. For more information, contact Steve M. Lord at (202) 512-
4379 or lords@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
I appreciate the opportunity to participate in today's hearing to
discuss key surface transportation security issues. Surface
transportation modes include mass transit, freight rail, pipeline, and
highway systems.[Footnote 1] Terrorist attacks on surface
transportation systems in Moscow, Mumbai, London, and Madrid that
caused significant loss of life and disruption have highlighted the
vulnerability of transportation facilities to terrorist attacks
worldwide.[Footnote 2] While there have been no successful terrorist
attacks against U.S. surface transportation systems to date, securing
these systems is a significant undertaking. In the United States, the
surface transportation system includes more than 100,000 miles of
rail, 600,000 bridges, more than 300 tunnels, and 2 million miles of
pipeline. Securing these systems is further complicated by the number
of private and public stakeholders involved in operating and
protecting the system and the need to balance security with the
expeditious flow of people and goods. Further, surface transportation
systems generally rely on an open architecture that is difficult to
monitor and secure due to its multiple access points, hubs serving
multiple carriers, and, in some cases, lack of access barriers. An
attack on these systems could potentially lead to significant
casualties due to, for example, the high number of daily passengers,
especially during peak commuting hours. In the 2011 budget request for
the Department of Homeland Security's (DHS) Transportation Security
Administration (TSA), $137.6 million of the $8.2 billion total request
is for surface transportation security, while $6.5 billion is
requested for aviation security, including the Federal Air Marshal
Service.[Footnote 3]
My testimony today focuses on the extent to which (1) DHS has used a
risk management framework to guide efforts to strengthen the security
of the surface transportation sector, (2) TSA has coordinated its
strategy and efforts for securing the surface transportation sector
with other federal entities, states, and private-sector stakeholders,
(3) TSA has measured the effectiveness of its surface transportation
security-improvement actions, and (4) TSA has made progress in
deploying surface transportation security inspectors, and what
challenges, if any, it faces in these efforts.
This statement is based on related public GAO reports issued from
January 2009 through June 2009.[Footnote 4] All of this work was
conducted in accordance with generally accepted government auditing
standards, and our previously published products contain additional
details on the scope and methodology for those reviews. In addition,
this statement includes preliminary observations based on ongoing work
assessing the security of the nation's pipeline systems for this
committee. This ongoing work, which will be completed later this year,
is assessing, among other things, TSA's risk assessment efforts and
performance measures for this area of surface transportation. For our
ongoing review of pipeline security, we reviewed relevant laws and
program management and planning documents, including pipeline
performance measures, and interviewed TSA Pipeline Security Division
officials to discuss, among other things, their identification of the
most critical pipeline systems and their development and use of the
pipeline risk assessment model and performance measures. We also
analyzed TSA's pipeline risk assessment model by measuring the
strength of the relationship between the frequency of Corporate
Security Reviews for each pipeline system and that system's ranking
based on risk.[Footnote 5] We determined that the data we analyzed
were sufficiently reliable for the purposes of this statement.
Specifically, we reviewed related documentation, interviewed
knowledgeable agency officials, and tested those data to identify
missing information or outliers. Our ongoing work related to pipeline
security is being conducted in accordance with generally accepted
government auditing standards. In addition, this statement contains
selected updates conducted from September 2009 through April 2010 on
TSA's efforts to implement our previous recommendations regarding
surface transportation security. In conducting these updates, we
obtained new information from TSA regarding the agency's efforts to
enhance its surface transportation inspections and meet legislative
requirements, among other things. We conducted these updates in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings based on our audit objectives.
Background:
TSA is the primary federal agency responsible for overseeing the
security of surface transportation systems, including developing a
national strategy and implementing security programs. However, several
other agencies, including DHS's Federal Emergency Management Agency
(FEMA) and the Department of Transportation's (DOT) Federal Transit
Administration (FTA) and Federal Railroad Administration (FRA), also
play a role in helping to fund and secure these systems. Since it is
not practical or feasible to protect all assets and systems against
every possible terrorist threat, DHS has called for using risk-
informed approaches to prioritize its security-related investments and
for developing plans and allocating resources in a way that balances
security and commerce.[Footnote 6]
In June 2006, DHS issued the National Infrastructure Protection Plan
(NIPP), which established a six-step risk management framework to
establish national priorities, goals, and requirements for Critical
Infrastructure and Key Resources protection so that federal funding
and resources are applied in the most effective manner to deter
threats, reduce vulnerabilities, and minimize the consequences of
attacks and other incidents. The NIPP, updated in 2009, defines risk
as a function of three elements: threat, vulnerability, and
consequence. Threat is an indication of the likelihood that a specific
type of attack will be initiated against a specific target or class of
targets. Vulnerability is the probability that a particular attempted
attack will succeed against a particular target or class of targets.
Consequence is the effect of a successful attack. In May 2007, TSA
issued the Transportation Systems Sector-Specific Plan (TS-SSP), which
documents the risk management process to be used in carrying out the
strategic priorities outlined in the NIPP. As required by Executive
Order 13416, the TS-SSP also includes modal implementation plans or
modal annexes that detail how TSA intends to achieve the sector's
goals and objectives for each of the six transportation modes using
the systems-based risk management approach.[Footnote 7]
To address the objectives and goals laid out in the TS-SSP, TSA uses
various programs to secure transportation systems throughout the
country, including Visible Intermodal Prevention and Response (VIPR)
teams and Surface Transportation Security Inspectors (STSI). VIPR
teams employ a variety of tactics to deter terrorism, including random
high-visibility patrols at mass transit and passenger rail stations
using, among other things, behavior-detection officers, canine
detection teams, and explosive-detection technologies.[Footnote 8]
STSIs, among other things, conduct on-site inspections of U.S. rail
systems--including mass transit, passenger rail, and freight rail
systems--to identify best security practices, evaluate security system
performance, and discover and correct deficiencies and vulnerabilities
in the rail industry's security systems.[Footnote 9]
In August 2007, the Implementing Recommendations of the 9/11
Commission Act (9/11 Commission Act) was signed into law, which
included provisions that task DHS and other public and private
stakeholders with security actions related to surface transportation
security.[Footnote 10] Among other things, these provisions include
mandates for developing and issuing reports on TSA's strategy for
securing public transportation, conducting and updating comprehensive
security assessments for public transportation agencies, and ensuring
that transportation modal security plans include threats,
vulnerabilities, and consequences for transportation infrastructure
assets including mass transit, railroads, highways, and pipelines.
TSA Has Taken Some Actions to Implement a Risk Management Approach but
Could Do More to Inform the Allocation of Resources across the Surface
Transportation Sector:
In March 2009, we reported that TSA has taken some actions called for
by the NIPP's risk management process, but has not conducted
comprehensive risk assessments across aviation and four major surface
transportation modes.[Footnote 11] In 2007, TSA initiated but later
discontinued an effort to conduct a comprehensive risk assessment for
the entire transportation sector, known as the National Transportation
Sector Risk Analysis.[Footnote 12] Consequently, we recommended that
TSA conduct comprehensive risk assessments for the transportation
sector to produce a comparative analysis of risk across the entire
transportation sector, which the agency could use to guide current and
future investment decisions. DHS and TSA concurred with our
recommendation, and in April 2010 TSA identified planned actions,
including integrating the results of risk assessments into a
comparative risk analysis across the transportation sector. TSA
officials stated in April 2010 that the agency has revised its risk
management framework, TS-SSP, and modal annexes. They added that these
documents are undergoing final agency review.
In addition, we have previously reported that while TSA has collected
information related to threat, vulnerability, and consequence within
the surface transportation modes, it has not conducted risk
assessments that integrate these three components for individual
modes. For example, we reported in June 2009 that TSA had not
conducted its own risk assessment of mass transit and passenger rail
systems that combined all three risk elements, as called for by the
NIPP.[Footnote 13] Thus, we recommended that TSA conduct a
comprehensive risk assessment that combines threat, vulnerability, and
consequence. DHS concurred with this recommendation, and in February
2010, DHS officials said that TSA had undertaken a Transportation
Systems Sector Risk Assessment that would incorporate all three
elements of risk. In April 2010, TSA stated that this risk assessment
is under review. Similarly, the Administration's Transborder Security
Interagency Policy Committee (IPC) Surface Transportation
Subcommittee's recently issued Surface Transportation Security
Priority Assessment recognized that assessing transportation assets
and infrastructure and ranking their criticality would help target the
use of limited resources.[Footnote 14] Consequently, this subcommittee
recommended that TSA identify appropriate methodologies to evaluate
and rank surface transportation systems and critical infrastructure.
We have also identified other opportunities to improve TSA's risk
management efforts for surface transportation. For example, in April
2009, we reported that TSA's efforts to assess security threats to
freight rail could be strengthened.[Footnote 15] Specifically, we
noted that while TSA had developed a freight rail security strategy,
the agency had focused almost exclusively on rail shipments of toxic
inhalation hazards (TIH), such as chlorine and anhydrous ammonia,
which can be fatal if inhaled, despite other federal and industry
assessments having identified additional potential security threats,
such as risks to bridges, tunnels, and control centers.[Footnote 16]
We reported that although TSA's focus on TIH has been a reasonable
initial approach given the serious public harm these materials
potentially pose to the public, there are other security threats for
TSA to consider and evaluate as its freight rail strategy matures,
including potential sabotage to critical infrastructure. We
recommended that TSA expand its efforts to include all security
threats in its freight rail security strategy. DHS concurred with this
recommendation and has since reported that TSA has developed a
Critical Infrastructure Risk Tool to measure the criticality and
vulnerability of freight railroad bridges. As of April 2010, the
agency has used this tool to assess 39 bridges, some of which
transverse either the Mississippi or Missouri Rivers, and intends to
assess 22 additional bridges by the end of fiscal year 2010.[Footnote
17]
Further, we reported in June 2009 that the Transit Security Grant
Program (TSGP) risk model includes all three elements of risk, but can
be strengthened by measuring variations in vulnerability.[Footnote 18]
DHS has held vulnerability constant, which limits the model's overall
ability to assess risk and more precisely allocate funds to transit
agencies. We also found that although TSA allocated about 90 percent
of funding to the highest-risk agencies, lower-risk agency awards were
based on other factors in addition to risk, such as project quality.
For example, a lower-risk agency with a high-quality project was more
likely to receive funding than a higher-risk agency with a low-quality
project. We recommended that DHS strengthen its methodology for
determining risk by developing a cost-effective method for
incorporating vulnerability information in its TSGP risk model. DHS
concurred with the recommendation, and in April 2010 TSA stated that
it is reevaluating the risk model for the fiscal year 2011 grant
cycle. Further, TSA is evaluating the feasibility of incorporating an
analysis of the current state of an asset, including its
vulnerability, in determining fiscal year 2011 grant funding.[Footnote
19]
Additionally, we are currently conducting an assessment of TSA's
efforts to help ensure pipeline security; the resulting report will
include an evaluation of the extent to which TSA uses a risk
management approach to help strengthen pipeline security. Our
preliminary observations found that TSA has identified the 100 most-
critical pipeline systems in the United States and produced a pipeline
risk assessment model, consistent with the NIPP. Furthermore, the 9/11
Commission Act requires that risk assessment methodologies be used to
prioritize actions to the highest-risk pipeline assets, and we found
that TSA's stated policy is to consider risk when scheduling Corporate
Security Reviews--assessments of pipeline operators' security plans.
However, we found a weak statistical correlation between a pipeline
system's risk rank and the time elapsed between a first and subsequent
review.[Footnote 20] In addition, we found that among the 15 highest
risk-ranked pipeline systems, the time between a first and second
Corporate Security Review ranged from 1 to 6 years for those systems
that had undergone a second review. Further, as of April 2010, 2
systems among the top 15 had not undergone a second review despite
more than 6 years passing since their first review. TSA officials told
us that although a pipeline system's relative risk ranking is the
primary factor driving the agency's decision of when to schedule a
subsequent Corporate Security Review, it is not the only factor
influencing this decision. They explained they also consider the
geographical proximity of Corporate Security Review locations to each
other in order to reduce travel time and costs, as well as the extent
to which they have worked with pipeline operators through other
efforts, such as their Critical Facility Inspection Program.[Footnote
21] Better prioritizing its reviews based on risk could help TSA
ensure its resources are more efficiently allocated toward the highest-
risk pipeline systems. We expect to issue this report by the end of
this year.
TSA Has Generally Improved Coordination with Key Stakeholders but
Additional Actions Could Enhance Current Efforts to Improve Surface
Transportation Security:
TSA has developed several initiatives to improve coordination with its
federal, state, and private sector stakeholders. However, we have
previously reported that TSA's coordination efforts could be improved.
For example, we reported in April 2009 that federal and industry
stakeholders have taken a number of steps to coordinate their freight
rail security efforts, such as implementing agreements to clarify
roles and responsibilities and participating in various information-
sharing mechanisms.[Footnote 22] However, federal coordination could
be enhanced by more fully leveraging the resources of all relevant
federal agencies, such as TSA and FRA.[Footnote 23] For example, we
reported that TSA was not requesting data on deficiencies in security
plans and training activities collected by FRA, which could be useful
to TSA in developing regulations requiring high-risk rail carriers to
develop and implement security plans. To improve coordination, we
recommended that DHS work with federal partners such as FRA to ensure
that all relevant information, including threat assessments, is
shared. DHS concurred with this recommendation and stated that it
planned to better define stakeholder roles and responsibilities to
facilitate information sharing. Since we issued our report, DHS
reported that TSA continues to share information with security
partners, including meeting with FRA and the DHS Office of
Infrastructure Protection to discuss coordination and develop
strategies for sharing relevant assessment information and avoiding
duplication.[Footnote 24]
In addition, we reported in January 2009 that although several federal
entities, including TSA and the U.S. Coast Guard, have efforts
underway to assess the risk to highway infrastructure, these
assessments have not been systematically coordinated among key federal
partners.[Footnote 25] We further reported that enhanced coordination
with federal partners could better enable TSA to determine the extent
to which specific critical assets had been assessed and whether
potential adjustments in its methodology were necessary to target
remaining critical infrastructure assets. We recommended that to
enhance collaboration among entities involved in securing highway
infrastructure and to better leverage federal resources, DHS establish
a mechanism to systematically coordinate risk assessment activities
and share the results of these activities among the federal partners.
DHS concurred with the recommendation. In February 2010, TSA officials
indicated that the agency had met with other federal agencies that
conduct security reviews of highway structures to identify existing
data resources, establish a data-sharing system among key agencies,
and discuss standards for future assessments.[Footnote 26] The
Administration's Surface Transportation Security Priority Assessment
also highlighted the need for federal entities to coordinate their
assessment efforts. That report included a recommendation to establish
an integrated federal approach that consolidates capabilities in a
unified effort for security assessments, audits, and inspections to
produce more thorough evaluations and effective follow-up actions for
reducing risk, enhancing security, and minimizing burdens on assessed
surface transportation entities.
We also reported in February 2009 that TSA, which has the primary
federal responsibility for ensuring the security of the commercial
vehicle sector, had taken actions to improve coordination with
federal, state, and industry stakeholders with respect to commercial
vehicle security.[Footnote 27] These actions included signing joint
agreements with DOT and supporting the establishment of
intergovernmental and industry councils. However, we also reported
that additional opportunities exist to enhance security by more
clearly defining stakeholder roles and responsibilities. For example,
some state transportation officials stated that DHS and TSA had not
clarified states' roles and responsibilities in securing the
transportation sector or communicated to them TSA's strategy to secure
commercial vehicles, which in some cases has caused delays in
implementing state transportation security initiatives. Industry
stakeholders also expressed concerns with respect to TSA communicating
its strategy, roles, and responsibilities; leveraging industry
expertise; and collaborating with industry representatives.[Footnote
28] As a result, we recommended that TSA establish a process to
strengthen coordination with the commercial vehicle industry,
including ensuring that the roles and responsibilities of industry and
government are fully defined and clearly communicated, and assess its
coordination efforts. DHS concurred with this recommendation and in
April 2010 reported that its TS-SSP Highway Modal Annex is under
review and is expected to delineate methods to enhance communications
and coordination with stakeholders.
Using Targeted, Outcome-Oriented Performance Measures Could Help TSA
Better Monitor Strategy and Program Effectiveness:
In accordance with Executive Order 13416 and requirements of the 9/11
Commission Act, DHS, through TSA, has developed national strategies
for each surface transportation mode.[Footnote 29] However, we have
previously reported the need for TSA to strengthen its evaluation of
the results of its efforts through the use of targeted, measurable,
and outcome-based performance measures. Our prior work has shown that
long-term, action-oriented goals and a timeline with milestones can
help track an organization's progress toward its goals. The NIPP also
provides that DHS should work with its security partners, including
other federal agencies, state and local government representatives,
and the private sector, to develop sector-specific metrics.
Using performance measures and an evaluation of the effectiveness of
surface transportation security initiatives can help provide TSA with
more meaningful information from which to determine whether its
strategies are achieving their intended results, and to target any
needed improvements. For example, in January 2009, we reported that
TSA's completion of a Highway Security Modal Annex was an important
first step in guiding national efforts to protect highway
infrastructure, but it did not include performance goals and measures
with which to assess the program's overall progress toward securing
highway infrastructure.[Footnote 30] As a result, we recommended that
TSA establish a time-frame for developing performance goals and
measures for monitoring the implementation of the annex's goals,
objectives, and activities. Similarly, in June 2009, we reported that
TSA's Mass Transit Modal Annex identified sectorwide goals that apply
to all modes of transportation as well as subordinate objectives
specific to mass transit and passenger rail systems, but did not
contain measures or targets on the effectiveness of operations of the
security programs identified in the annex.[Footnote 31] As a result,
we recommended that TSA should, to the extent feasible, incorporate
performance measures in future annex updates. DHS concurred with both
of these recommendations. In February 2010, TSA indicated that the
updated annex would incorporate performance measures among other
characteristics we recommended, and as of April 2010, the annex is
under review. We will continue to monitor TSA's progress in addressing
these recommendations.
We also reported in April 2009 that three of the four performance
measures in TSA's Freight Rail Modal Annex to the TS-SSP did not
identify specific targets to gauge the effectiveness of federal and
industry programs in achieving the measures or the transportation-
sector security goals outlined in the annex.[Footnote 32] We also
reported that TSA was limited in its ability to measure the effect of
federal and industry efforts on achieving the agency's key performance
measure for the freight rail program, which is to reduce the risk
associated with the transportation of TIH in major cities identified
as high-threat urban areas. This was because the agency was unable to
obtain critical data necessary to consistently calculate cumulative
results for this measure over the time period for which it calculated
them--from 2005 to 2008. In particular, some baseline data needed to
cumulatively calculate results for this measure were historical and
could not be collected. As a result, the agency used a method for
estimating risk for its baseline year that was different than what it
used for calculating results for subsequent years.
Consequently, to help ensure the strategic goals of the modal annex
are met and that TSA is consistently and accurately measuring agency
and industry performance in reducing the risk associated with TIH rail
shipments in major cities, we recommended that TSA ensure that future
updates (1) contain performance measures with defined targets that are
linked to fulfilling goals and objectives; and (2) more systematically
address specific milestones for completing activities and measuring
progress toward meeting identified goals. We further recommended that
TSA take steps to revise the baseline year associated with its TIH
risk reduction performance measure to enable the agency to more
accurately report results for this measure. DHS concurred with these
recommendations and has indicated that it will incorporate them into
future updates of its Freight Rail Modal Annex, which will be designed
to more specifically address goal-oriented milestones and performance
measures. In April 2010, TSA stated that the agency has revised its
modal annexes and that these documents are undergoing final agency
review.
In addition to developing performance measures to assess the success
of its security strategies, we have also identified the need for TSA
to develop or enhance its performance measures for specific programs
such as the TSGP, VIPR program, and pipeline security programs.
Specifically, in June 2009, we reported that the TSGP lacked a plan
and milestones for developing measures to track progress of achieving
program goals.[Footnote 33] While FEMA--which administers the grants--
reported that it was beginning to develop measures to better manage
its portfolio of grants, TSA and FEMA had not collaborated to produce
performance measures for assessing the effectiveness of TSGP-funded
projects, such as how funding is used to help protect critical
infrastructure and the traveling public from possible acts of
terrorism.[Footnote 34] We recommended that TSA and FEMA collaborate
in developing a plan and milestones for measuring the effectiveness of
the TSGP and its administration. DHS concurred with our
recommendation, and in November 2009, FEMA stated that it will take
steps to develop a plan with milestones in coordination with TSA.
Likewise, the Administration's Surface Transportation Security
Priority Assessment discussed the importance of establishing a
measurable evaluation system to determine the effectiveness of surface
transportation security grants and recommended that TSA coordinate
with other federal agencies, including FEMA, to do so.
In June 2009, we reported that TSA had measured the progress of its
VIPR program in terms of the number of VIPR operations conducted, but
had not yet developed measures or targets to report on the
effectiveness of the operations themselves.[Footnote 35] TSA program
officials reported, however, that they were planning to introduce
additional performance measures no later than the first quarter of
fiscal year 2010. They added that these measures would gather
information on, among other things, (1) interagency collaboration by
collecting performance feedback from federal, state, and local
security, law enforcement, and transportation officials prior to and
during VIPR deployments; and (2) stakeholder views on the
effectiveness and value of VIPR deployment. In April 2010, TSA
reported that the VIPR program introduced four performance measures
for fiscal year 2010; these measures will be reported quarterly.
[Footnote 36] TSA has also stated that it has identified performance
targets for these measures, which it will revisit when baseline
program data is available.
As part of our ongoing review of TSA's efforts to help ensure pipeline
security, we are assessing the extent to which TSA has measured
efforts to strengthen pipeline security.[Footnote 37] While our work
has not been completed, our preliminary observations have identified
that TSA has taken actions to measure progress as called for by the
NIPP, but could better measure pipeline security improvements. More
specifically, our preliminary observations have identified that
effective performance measurement data could better inform decision
makers of the extent to which pipeline security programs and
activities have been able to reduce risk and better enable them to
determine funding priorities within and across agencies. Also,
developing additional performance measures--particularly outcome-based
measures--that assess the effects of TSA's efforts in strengthening
pipeline security and are aligned with transportation-sector goals and
pipeline security objectives could better enable TSA to evaluate
security improvements in the pipeline industry. Our upcoming report
that will be issued later this year will provide additional details.
TSA Has More Than Doubled Its Surface Transportation Inspector
Workforce but Faces Challenges in Balancing Priorities and Directing
Current and Future Workforce Needs:
[End of section]
Over the past two years, TSA has reported having more than doubled the
size of its Surface Transportation Security Inspection Program,
expanding the program from 93 inspectors in June 2008 to 201
inspectors in April 2010.[Footnote 38] Inspectors have conducted
baseline security reviews that assess, among other things, the overall
security posture of mass transit and passenger rail agencies and the
implementation of security plans, programs, and measures, and best
practices. However, TSA has not completed a workforce plan to direct
current and future inspection program needs as the program assumes new
responsibilities associated with the implementation of certain
provisions of the 9/11 Commission Act by passenger and freight rail
systems.[Footnote 39]
Since establishing the inspection program in 2005 to identify and
reduce vulnerabilities to passenger rail and ensure compliance with
passenger rail security directives, TSA has expanded the roles and
responsibilities of surface inspectors to include additional surface
transportation modes--including mass transit bus and freight rail--and
participation in VIPR operations. For example, TSA reported that as of
April 2010 its surface inspectors had, among other things, conducted
security assessments of 142 mass transit and passenger rail agencies,
including Amtrak, and over 1,350 site visits to mass transit and
passenger rail stations to complete station profiles, which gather
detailed information on a station's physical security elements,
geography, and emergency points of contact. However, we also reported
that TSA faced challenges in the following areas:[Footnote 40]
* Balancing aviation and surface transportation priorities: We
reported in June 2009 that TSA has reorganized its field unit and
reporting structure since establishing the inspection program, and
surface inspectors raised concerns about its effect. These
reorganizations placed TSA's surface inspectors under the command of
Federal Security Directors and Assistant Federal Security Directors
for Inspections--aviation-focused positions that historically have not
had an active role in conducting surface transportation inspection
duties.[Footnote 41] According to TSA, these changes were designed to
support its pursuit of a multimodal workforce and ensure a more
cohesive and streamlined approach to inspections. However, we noted
that surface inspectors raised concerns that these changes had
resulted in the surface transportation mission being diluted by TSA's
aviation mission. Among these concerns is that the surface inspectors
were being assigned airport-related duties, while aviation inspectors
had been assigned surface responsibilities that had affected
performance in conducting follow-up inspections to determine progress
mass transit and passenger rail systems had made in addressing
previously-identified weaknesses. TSA officials reported that they had
selected their current command structure because Federal Security
Directors were best equipped to make full use of the security network
in their geographical location because they frequently interacted with
state and local law enforcement and mass transit operators, and were
aware of vulnerabilities in these systems.
* Workforce Planning: At the time of our June 2009 report, TSA did not
have a human capital or other workforce plan for its Surface
Transportation Security Inspection Program, but the agency had plans
to conduct a staffing study to identify the optimal workforce size to
address its current and future program needs. TSA reported that it had
initiated a study in January 2009, which, if completed, could provide
TSA with a more reasonable basis for determining the surface inspector
workforce needed to achieve its current and future workload needs.
However, in March 2010, TSA officials told us that while they were
continuing to work on the staffing study, TSA did not have a firm date
for completion.
Mr. Chairman this concludes my statement. I look forward to answering
any questions that you or other members of the committee may have at
this time.
GAO Contact and Staff Acknowledgments:
For further information on this testimony, please contact Steve Lord
at (202) 512-4379 or at lords@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this statement. Individuals making key contributions to this
testimony include Jessica Lucas-Judy, Assistant Director; Jason
Berman; Martene Bryan; Chris Currie; Vanessa Dillard; Chris Ferencik;
Edward George; Dawn Hoff; Jeff Jensen; Valerie Kasindi; Lara Kaskie;
Daniel Klabunde; Nancy Meyer; Jaclyn Nelson; Octavia Parks; Meg
Ullengren; and Lori Weiss.
[End of section]
Footnotes:
[1] The six major transportation modes defined in the Transportation
Security Administration‘s (TSA) Transportation Security Sector
Specific Plan (TS-SSP) are: aviation; maritime; mass transit
(including transit buses, subway and light rail, and passenger rail”
both commuter rail and long-distance); highway; freight rail; and
pipeline.
[2] Subway attacks occurred in Moscow March 29, 2010, in Mumbai on
July 11, 2006, in London on July 7, 2005, and in Madrid on March 11,
2004. Each attack caused dozens of deaths and injuries.
[3] Additional funding is requested for accounts such as
transportation security support, which supports both aviation and
surface transportation security programs. Some of the Federal Air
Marshal Service funding supports nonaviation activities.
[4] GAO, Transportation Security: Key Actions Have Been Taken to
Enhance Mass Transit and Passenger Rail Security, but Opportunities
Exist to Strengthen Federal Strategy and Programs, [hyperlink,
http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: June 2009);
Transit Security Grant Program: DHS Allocates Grants Based on Risk,
but Its Risk Methodology, Management Controls and Grant Oversight Can
Be Strengthened, [hyperlink, http://www.gao.gov/products/GAO-09-491]
(Washington, D.C.: June 2009); Freight Rail Security: Actions Have
Been Taken to Enhance Security, but the Federal Strategy Can Be
Strengthened and Security Efforts Better Monitored, [hyperlink,
http://www.gao.gov/products/GAO-09-243] (Washington, D.C.: Apr. 2009);
Transportation Security: Comprehensive Risk Assessments and Stronger
Internal Controls Needed to Help Inform TSA Resource Allocation,
[hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C.:
Mar. 2009); Commercial Vehicle Security: Risk-Based Approach Needed to
Secure the Commercial Vehicle Sector, [hyperlink,
http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: Feb. 2009);
Highway Infrastructure: Federal Efforts to Strengthen Security Should
Be Better Coordinated and Targeted on the Nation‘s Most Critical
Highway Infrastructure, [hyperlink,
http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: Jan. 2009).
[5] Corporate Security Reviews are on-site security reviews that TSA‘s
Pipeline Security Division conducts with pipeline operators to develop
a firsthand knowledge of operators‘ security plans and implementation,
establish working relationships with key pipeline security personnel,
and identify and share good security practices.
[6] A risk management approach entails a continuous process of
managing risk through a series of actions, including setting strategic
goals and objectives, assessing risk, evaluating alternatives,
selecting initiatives to undertake, and implementing and monitoring
those initiatives.
[7] The TS-SSP includes modal annexes for Aviation, Maritime, Mass
Transit, Highway Infrastructure and Motor Carrier, Freight Rail, and
Pipeline.
[8] TSA VIPR teams, which TSA has reported using since late 2005, work
with local security and law enforcement officials to secure any mode
of transportation.
[9] STSIs conduct their work by building collaborative working
relationships with freight rail carriers, the mass transit and
passenger rail industry, and applicable local, state, and federal
authorities.
[10] Pub. L. No. 110-53, 121 Stat. 266 (2007).
[11] [hyperlink, http://www.gao.gov/products/GAO-09-492]. The four
major surface transportation modes are mass transit and passenger
rail, freight rail, highway, and pipeline. A comprehensive risk
assessment approach would assess threat, vulnerability, and
consequence to inform the allocation of resources, as called for by
the NIPP and the TS-SSP.
[12] Through this effort, TSA intended to estimate the threat,
vulnerability, and consequence of a range of hypothetical attack
scenarios and integrate these estimates to produce risk scores for
each scenario that could be compared among each of the modes of
transportation. However, officials stated that TSA discontinued this
work due to difficulties in estimating the likelihood of terrorist
threats.
[13] [hyperlink, http://www.gao.gov/products/GAO-09-678]. Although all
levels of government are involved in mass transit and passenger rail
security, the primary responsibility for securing the systems rests
with the mass transit and passenger rail operators. We have reported
that most mass transit and passenger rail systems have made
operational enhancements to their security programs, such as adding
security personnel or transit police. Some of the largest systems have
also implemented varying types of random passenger or baggage
inspection screening programs. Additionally, mass transit agencies
have invested in capital improvements, including upgrading closed-
circuit television systems and installing explosives-detection
equipment and silent alarms.
[14] The White House Transborder Security Interagency Policy Committee
Surface Transportation Subcommittee, Surface Transportation Security
Priority Assessment (March 2010). In making its recommendations, the
subcommittee gathered input from surface-transportation owners and
operators, DHS and DOT, as well as state and local government
representatives.
[15] [hyperlink, http://www.gao.gov/products/GAO-09-243].
[16] Shipments of TIH, especially chlorine, frequently move through
densely populated areas to reach, for example, water treatment
facilities that use these products. We reported that TSA focused on
securing TIH materials for several reasons, including limited
resources and a decision in 2004 to prioritize TIH as a key risk
requiring federal attention. Other federal and industry freight rail
stakeholders agreed that focusing on TIH was a sound initial strategy
because it is a key potential rail security threat and an overall
transportation safety concern.
[17] We have previously reported that certain bridges, such as those
over large rivers, play a key role in the national railroad system
because capacity constraints limit options to reroute trains. As a
result, incidents limiting or preventing their use could negatively
affect the economy by severely delaying rail traffic for significant
periods of time and causing transportation system delays and
disruption.
[18] See [hyperlink, http://www.gao.gov/products/GAO-09-491]. DHS
awards TSGP grant funding to owners and operators of mass transit and
passenger rail systems that have used these funds for a variety of
security purposes, including developing security plans, purchasing or
upgrading security equipment, and providing security training to
transit employees.
[19] Industry entities have also reported undertaking independent
efforts to assess security risks to their systems and operations.
These effects include (1) a 2008 rail industry security assessment
conducted by the Association of American Railroads, which resulted in
the identification and prioritization of over 1,000 rail assets,
including bridges, tunnels, and control centers; and (2) comprehensive
risk assessments that incorporate and combine all three risk elements,
which have been conducted by the National Railroad Passenger
Corporation (Amtrak) and some individual transit systems.
[20] We calculated a simple correlation coefficient to measure the
strength and direction of the linear relationship between systems‘
risk rankings and the time elapsed between TSA‘s first and subsequent
Corporate Security Reviews for pipeline systems. The magnitude of the
correlation coefficient determines the strength of the correlation.
Our preliminary analysis resulted in a weak correlation coefficient
score.
[21] The Pipeline Security Division began inspections under the
Critical Facility Inspection Program in November 2008. The program
involves on-site physical security inspections of each critical
facility of the 100 most-critical pipeline systems.
[22] Some rail industry stakeholders have independently implemented
other types of operational and procedural changes to secure their
hazardous rail shipments, such as making modifications to procedures
for how rail companies manage and schedule trains and railcars. Rail
industry organizations also play a role in disseminating pertinent
information, such as threat communications from DHS and DOT, to their
members.
[23] See [hyperlink, http://www.gao.gov/products/GAO-09-243].
[24] DHS‘s Office of Infrastructure Protection is an organizational
entity within the National Protection and Programs Directorate, whose
mission includes leading the coordinated national effort to reduce the
risk to critical infrastructure and key resources posed by acts of
terrorism.
[25] [hyperlink, http://www.gao.gov/products/GAO-09-57]. The U.S.
Coast Guard is the lead federal agency responsible for the security of
the nation‘s ports and waterways, which may include highway assets
that have a maritime nexus, such as bridges.
[26] In addition to federal efforts, highway-sector stakeholders have
taken a variety of voluntary actions intended to enhance the security
of highway infrastructure. Key efforts include developing security
publications, sponsoring infrastructure security workshops, conducting
research and development activities, and implementing specific
protective measures intended to deter an attack or reduce potential
consequences, such as security patrols, electronic detection systems,
and physical barriers.
[27] [hyperlink, http://www.gao.gov/products/GAO-09-85]. The term
’commercial vehicles“ refers to vehicles used in the commercial
trucking industry (e.g., for-hire and private trucks moving freight,
rental trucks, and trucks carrying hazardous materials) and the
commercial motor coach industry (i.e., intercity, tour, and charter
buses). For the purposes of this statement, we are including them in
the highway infrastructure mode.
[28] Although all levels of government are involved in the security of
commercial vehicles, primary responsibility for securing these
vehicles rests with the individual commercial vehicle companies
themselves. Truck and bus companies have responsibility for the
security of day-to-day operations. As part of these operations, they
ensure that company personnel, vehicles, and terminals”as well as all
of the material and passengers they transport-”are secured.
[29] Strengthening Surface Transportation Security, Exec. Order No.
13416, 71 Fed. Reg. 71033 (Dec. 5, 2006). The primary purpose of
Executive Order 13416 is to strengthen the security of surface
transportation. The executive order requires DHS to assess the
security of each surface transportation mode, and evaluate the
effectiveness and efficiency of current transportation security
initiatives, among other things.
[30] [hyperlink, http://www.gao.gov/products/GAO-09-57].
[31] [hyperlink, http://www.gao.gov/products/GAO-09-678].
[32] [hyperlink, http://www.gao.gov/products/GAO-09-243]. The
transportation-sector goals identified in the Freight Rail Model Annex
include: (1) prevent and deter acts of terrorism against the
transportation system, (2) enhance resiliency of the U.S.
transportation system, and (3) improve the cost-effective use of
resources for transportation security.
[33] [hyperlink, http://www.gao.gov/products/GAO-09-491]. The purpose
of the TSGP is to provide funds to protect critical surface
transportation infrastructure and the traveling public.
[34] In fiscal year 2008, FEMA‘s Grant Programs Directorate became
responsible for administering TSGP grants.
[35] [hyperlink, http://www.gao.gov/products/GAO-09-678].
[36] According to TSA, the four measures introduced in fiscal year
2010 for the VIPR program include: (1) total VIPR asset deployments;
(2) completion percentage at high risk locations; (3) percentage of
national special security events; and (4) percentage of primary
stakeholders with repeat deployments.
[37] TSA has not issued pipeline security regulations, but works with
the pipeline industry to implement suggested security measures to make
pipeline systems more secure. Private companies who own and operate
pipeline systems are responsible for assessing their own specific
security needs and incur the costs associated with implementing
security measures.
[38] TSA intends to hire an additional 179 surface inspectors in
fiscal year 2010. According to TSA, the April 2010 data includes
headquarters staff.
[39] See, for example, Pub. L. No. 110-53, §§ 1512, 1517, 121 Stat.
266, 429-33, 439-41 (2007).
[40] [hyperlink, http://www.gao.gov/products/GAO-09-678].
[41] TSA Federal Security Directors are the ranking TSA authorities
responsible for the leadership and coordination of TSA security
activities at commercial airports regulated by TSA.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: