Maritime Security
DHS Progress and Challenges in Key Areas of Port Security
Gao ID: GAO-10-940T July 21, 2010
Ports, waterways, and vessels handle more than $700 billion in merchandise annually, and an attack on this system could have a widespread impact on global trade and the economy. Within the Department of Homeland Security (DHS), component agencies have responsibility for securing the maritime environment. The U.S. Coast Guard is responsible for protecting, among other things, U.S. economic and security interests in any maritime region. U.S. Customs and Border Protection (CBP) is responsible for keeping terrorists and their weapons out of the United States, securing and facilitating trade, and cargo container security. This testimony discusses DHS and its component agencies' progress, and challenges remaining, regarding (1) strengthening risk management (a strategy to help policymakers make decisions about assessing risks, allocating resources, and acting under conditions of uncertainty), (2) reducing the risk of small-vessel (watercraft less than 300 gross tons used for recreational or commercial purposes) threats, (3) implementing foreign port assessments, and (4) enhancing supply chain security. This statement is based on GAO products issued from December 2005 through June 2010, including selected updates conducted in July 2010.
DHS and its component agencies have strengthened risk management through the development of a risk assessment model to help prioritize limited port security resources. In December 2005, GAO reported that while the Coast Guard had made progress in strengthening risk management by conducting risk assessments, those assessments were limited because they could not compare and prioritize relative risks of various infrastructures across ports. Since that time, the Coast Guard developed a risk assessment model designed to capture the security risk facing different types of targets, and allowing comparisons among targets and at the local, regional, and national levels. The Coast Guard uses the model to help plan and implement its programs and focus security activities where it believes the risks are greatest. DHS and the Coast Guard have developed a strategy and programs to reduce the risks associated with small vessels but they face ongoing challenges. GAO reported from 2007 through 2010 that DHS and the Coast Guard have (1) developed a strategy to mitigate vulnerabilities associated with waterside attacks by small vessels; (2) conducted community outreach to encourage boaters to share threat information; (3) initiated actions to track small vessels; (4) tested equipment for detecting nuclear material on small vessels; and (5) conducted security activities, such as vessel escorts. However, the Coast Guard faces challenges with some of these efforts. For example, vessel tracking systems generally cannot track small vessels and resource constraints limit the Coast Guard's ability to meet security activity goals. DHS and the Coast Guard developed the International Port Security Program in April 2004 to assess the security of foreign ports, but challenges remain in implementing the program. GAO reported in October 2007 that Coast Guard officials stated that there is reluctance by certain countries to allow the Coast Guard to visit their ports due to concerns over sovereignty. Also, the Coast Guard lacks the resources to assist poorer countries. Thus the Coast Guard is limited in its ability to help countries enhance their established security requirements. To overcome this, officials have worked with other federal agencies and international organizations to secure funding for training and assistance to countries that need to strengthen port security efforts. DHS and CBP established the Secure Freight Initiative (SFI) to test the feasibility of scanning 100 percent of U.S.-bound cargo containers, but face challenges expanding the program. In October 2009, GAO reported that CBP has made progress in working with the SFI ports to scan U.S.-bound cargo containers; but because of challenges implementing scanning operations, such as equipment breakdowns, the feasibility of scanning 100 percent of U.S.-bound cargo containers remains largely unproven. At the time, CBP officials expressed concern that they and the participating ports could not overcome the challenges. GAO recommended that DHS conduct a feasibility analysis. DHS concurred with our recommendation, but has not yet implemented it. GAO has made recommendations to DHS in prior reports to strengthen port security. DHS generally concurred.
GAO-10-940T, Maritime Security: DHS Progress and Challenges in Key Areas of Port Security
This is the accessible text file for GAO report number GAO-10-940T
entitled 'Maritime Security: DHS Progress and Challenges in Key Areas
of Port Security' which was released on July 21, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony before the Committee on Commerce, Science, and
Transportation, U.S. Senate:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 2:30 p.m. EDT:
Wednesday, July 21, 2010:
Maritime Security:
DHS Progress and Challenges in Key Areas of Port Security:
Statement of Stephen L. Caldwell, Director:
Homeland Security and Justice Issues:
GAO-10-940T:
GAO Highlights:
Highlights of GAO-10-940T, a testimony before the Committee on
Commerce, Science, and Transportation, U.S. Senate.
Why GAO Did This Study:
Ports, waterways, and vessels handle more than $700 billion in
merchandise annually, and an attack on this system could have a
widespread impact on global trade and the economy. Within the
Department of Homeland Security (DHS), component agencies have
responsibility for securing the maritime environment. The U.S. Coast
Guard is responsible for protecting, among other things, U.S. economic
and security interests in any maritime region. U.S. Customs and Border
Protection (CBP) is responsible for keeping terrorists and their
weapons out of the United States, securing and facilitating trade, and
cargo container security. This testimony discusses DHS and its
component agencies‘ progress, and challenges remaining, regarding (1)
strengthening risk management (a strategy to help policymakers make
decisions about assessing risks, allocating resources, and acting
under conditions of uncertainty), (2) reducing the risk of small-
vessel (watercraft less than 300 gross tons used for recreational or
commercial purposes) threats, (3) implementing foreign port
assessments, and (4) enhancing supply chain security. This statement
is based on GAO products issued from December 2005 through June 2010,
including selected updates conducted in July 2010.
What GAO Found:
DHS and its component agencies have strengthened risk management
through the development of a risk assessment model to help prioritize
limited port security resources. In December 2005, GAO reported that
while the Coast Guard had made progress in strengthening risk
management by conducting risk assessments, those assessments were
limited because they could not compare and prioritize relative risks
of various infrastructures across ports. Since that time, the Coast
Guard developed a risk assessment model designed to capture the
security risk facing different types of targets, and allowing
comparisons among targets and at the local, regional, and national
levels. The Coast Guard uses the model to help plan and implement its
programs and focus security activities where it believes the risks are
greatest.
DHS and the Coast Guard have developed a strategy and programs to
reduce the risks associated with small vessels but they face ongoing
challenges. GAO reported from 2007 through 2010 that DHS and the Coast
Guard have (1) developed a strategy to mitigate vulnerabilities
associated with waterside attacks by small vessels; (2) conducted
community outreach to encourage boaters to share threat information;
(3) initiated actions to track small vessels; (4) tested equipment for
detecting nuclear material on small vessels; and (5) conducted
security activities, such as vessel escorts. However, the Coast Guard
faces challenges with some of these efforts. For example, vessel
tracking systems generally cannot track small vessels and resource
constraints limit the Coast Guard‘s ability to meet security activity
goals.
DHS and the Coast Guard developed the International Port Security
Program in April 2004 to assess the security of foreign ports, but
challenges remain in implementing the program. GAO reported in October
2007 that Coast Guard officials stated that there is reluctance by
certain countries to allow the Coast Guard to visit their ports due to
concerns over sovereignty. Also, the Coast Guard lacks the resources
to assist poorer countries. Thus the Coast Guard is limited in its
ability to help countries enhance their established security
requirements. To overcome this, officials have worked with other
federal agencies and international organizations to secure funding for
training and assistance to countries that need to strengthen port
security efforts.
DHS and CBP established the Secure Freight Initiative (SFI) to test
the feasibility of scanning 100 percent of U.S.-bound cargo
containers, but face challenges expanding the program. In October
2009, GAO reported that CBP has made progress in working with the SFI
ports to scan U.S.-bound cargo containers; but because of challenges
implementing scanning operations, such as equipment breakdowns, the
feasibility of scanning 100 percent of U.S.-bound cargo containers
remains largely unproven. At the time, CBP officials expressed concern
that they and the participating ports could not overcome the
challenges. GAO recommended that DHS conduct a feasibility analysis.
DHS concurred with our recommendation, but has not yet implemented it.
What GAO Recommends:
GAO has made recommendations to DHS in prior reports to strengthen
port security. DHS generally concurred.
View [hyperlink, http://www.gao.gov/products/GAO-10-940T] or key
components. For more information, contact Stephen L. Caldwell at (202)
512-8777 or CaldwellS@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
I am pleased to be here today to discuss port security issues and
their related challenges. Ports, waterways, and vessels are part of an
economic engine handling more than $700 billion in merchandise
annually, according to the Department of Homeland Security (DHS), and
an attack on this system could have a widespread impact on global
shipping, international trade, and the global economy. Balancing
security concerns with the need to facilitate the free flow of people
and commerce remains an ongoing challenge for the public and private
sectors alike. Within DHS, component agencies have responsibility for
securing the maritime environment. The U.S. Coast Guard is responsible
for protecting the public, the environment, and U.S. economic and
security interests in any maritime region in which those interests may
be at risk, including America's coasts, ports, and inland waterways.
U.S. Customs and Border Protection (CBP) is responsible for keeping
terrorists and their weapons out of the United States, securing and
facilitating trade, and cargo container security.
Various laws have been enacted since the September 11, 2001 terrorist
attacks to strengthen port security. The Homeland Security Act of 2002
[Footnote 1] charges DHS with establishing a risk management framework
across the federal government to protect the nation's critical
infrastructure and key resources. In addition, much of a new port
security framework was set in place by the Maritime Transportation
Security Act of 2002 (MTSA).[Footnote 2] Enacted in November 2002,
MTSA was designed, in part, to help protect the nation's ports and
waterways from terrorist attacks by requiring a wide range of security
improvements. Among the requirements included in MTSA were (1)
conducting vulnerability assessments for port facilities and vessels;
(2) developing security plans to mitigate identified risks for the
national maritime system, ports, port facilities, and vessels; and (3)
establishing a process to assess foreign ports from which vessels
depart on voyages to the United States. The Security and
Accountability For Every (SAFE) Port Act of 2006 later directed the
Secretary of Homeland Security to, among other things, increase the
security of container cargo bound for the United States by requiring
CBP to establish a pilot program to test the feasibility of scanning
100 percent of U.S.-bound containers at foreign ports.[Footnote 3]
Further, in August 2007, the Implementing Recommendations of the 9/11
Commission Act were enacted and provide, among other things, that by
July 2012, a container loaded on a vessel in a foreign port shall not
enter the United States unless that container is scanned before it is
loaded onto the vessel.[Footnote 4]
My statement today is based on related GAO reports and testimonies
issued from December 2005 through June 2010 addressing risk management
and port security, and also includes selected updates--conducted in
July 2010--to the information provided in these products and on the
actions agencies have taken to address recommendations made in these
products that are also discussed in this statement. These products
include our assessment of the progress that DHS and its component
agencies have made to strengthen port security, the challenges that
remain, and recommendations for improvement.[Footnote 5] The details
on the scope and methodology for those reviews are available in our
published products. The selected updates include a review of (a) the
Coast Guard's and CBP's fiscal year 2011 congressional budget
justification and (b) CBP's fiscal year 2010 Report to Congress on
supply chain security. In particular, my statement addresses the
extent to which DHS and its component agencies have made progress and
face challenges regarding (1) strengthening risk management, (2)
reducing the risk of small-vessel threats,[Footnote 6] (3)
implementing foreign port assessments, and (4) enhancing supply chain
security. We conducted this work in accordance with generally accepted
government auditing standards.
In summary, DHS and its component agencies--the Coast Guard and CBP--
have taken various actions to implement port security legislation and
enhance port security. These efforts include (1) the Coast Guard's
development of a risk assessment model to help prioritize limited
resources; (2) DHS and the Coast Guard's development of a strategy and
programs to reduce the risks associated with small vessels, such as a
community outreach program, vessel tracking systems, and security
operations; (3) the Coast Guard's implementation of the International
Port Security Program to assess security measures in foreign ports;
and (4) CBP's efforts to scan U.S.-bound cargo containers. Although
these initiatives have helped to improve port security, challenges
remain, including resource constraints; the lack of technology to
track and identify small vessels; sovereignty concerns over the
Coast's Guard's visits to foreign ports; and a variety of political,
logistical, and technological barriers to scanning all cargo
containers. We have made recommendations to DHS in prior reports to
help address these challenges, and DHS generally concurred with our
recommendations in these reports.
The Coast Guard Has Made Progress in Improving Its Risk Management:
In December 2005, we reported that risk management, a strategy for
helping policymakers make decisions about assessing risks, allocating
resources, and taking actions under conditions of uncertainty, had
been endorsed by Congress and the President as a way to strengthen the
nation against possible terrorist attacks against ports and other
infrastructure.[Footnote 7] Risk management has long been used in such
areas as insurance and finance, but at the time its application to
domestic terrorism had no precedent. We noted that unlike storms and
accidents, terrorism involves an adversary with deliberate intent to
destroy, and the probabilities and consequences of a terrorist act are
poorly understood and difficult to predict. The size and complexity of
homeland security activities and the number of organizations involved--
both public and private--add another degree of difficulty to the task.
We have examined Coast Guard efforts to implement risk management for
a number of years, noting how the Coast Guard's risk management
framework developed and evolved. In 2005 we reported that of the three
components GAO reviewed--the Coast Guard, the Office for Domestic
Preparedness (this office's function is now within the Federal
Emergency Management Agency), and the Information Analysis and
Infrastructure Protection Directorate (now the National Protection and
Preparedness Directorate)--the Coast Guard had made the most progress
in establishing a foundation for using a risk management approach.
While the Coast Guard had made progress in all five risk management
phases,[Footnote 8] its greatest progress had been made in conducting
risk assessments--that is, evaluating individual threats, the degree
of vulnerability in maritime facilities, and the consequences of a
successful attack.[Footnote 9] However, we reported that those
assessments were limited because they could not compare and prioritize
relative risks of various infrastructures across ports. At the time
the Coast Guard had actions under way to address the challenges it
faced in each risk management phase and we did not make
recommendations in those areas where the Coast Guard had actions well
under way. Several of these actions were based, in part, on briefings
GAO held with agency officials. Our recommendations were designed to
spotlight those areas in which additional steps were most needed to
implement a risk management approach to Coast Guard port security
activities. We recommended that the Coast Guard take action to:
* establish a stronger linkage between local and national risk
assessment efforts--an action that could involve, for example,
strengthening the ties between local assessment efforts, such as area
maritime security plans, and national risk assessment activities; and:
* ensure that procedures for evaluating alternatives and making
management decisions consider the most efficient use of resources--
actions that could entail, for example, refining the degree to which
risk management information is integrated into the annual cycle of
program and budget review.
Since we made those recommendations, both DHS and the Coast Guard have
made progress implementing a risk management approach toward critical
infrastructure protection. In 2006, DHS issued the National
Infrastructure Protection Plan (NIPP), which is DHS's base plan that
guides how DHS and other relevant stakeholders should use risk
management principles to prioritize protection activities within and
across each critical infrastructure sector in an integrated and
coordinated fashion.[Footnote 10] In 2009, DHS updated the NIPP to,
among other things, increase its emphasis on risk management,
including an expanded discussion of risk management methodologies and
discussion of a common risk assessment approach that provided core
criteria for these analyses.[Footnote 11] For its part, the Coast
Guard has made progress assessing risks and integrating the results of
its risk management efforts into resource allocation decisions.
Regarding risk assessments, the Coast Guard transitioned its risk
assessment model from the Port Security Risk Assessment Tool (PS-RAT)
to the Maritime Security Risk Assessment Model (MSRAM). In 2005 we
reported that the PS-RAT was designed to allow ports to prioritize
resource allocations within, not between, ports to address risk most
efficiently. However, the new MSRAM can assess risk across ports and
is used by every Coast Guard unit and assesses the risk--threats,
vulnerabilities, and consequences--of a terrorist attack based on
different scenarios; that is, it combines potential targets with
different means of attack, as recommended by the NIPP. The Coast Guard
uses the model to help implement its strategy and concentrate maritime
security activities when and where relative risk is believed to be the
greatest. According to the Coast Guard, the model's underlying
methodology is designed to capture the security risk facing different
types of targets, allowing comparison between different targets and
geographic areas at the local, regional, and national levels. We have
also reported that the Federal Emergency Management Agency has
included MSRAM results in its Port Security Grant Program guidelines
as one of the data elements included in determining grant awards to
assist in directing grants to the ports of greatest concern or at
highest risk.
With regard to the integration of risk management results into the
consideration of risk mitigation alternatives and the management
selection process, Coast Guard officials stated that the Coast Guard
uses MSRAM to inform allocation decisions, such as the deployment of
local resources and grants. We have also reported that at the national
level, the Coast Guard uses MSRAM results for (1) long-term strategic
resource planning, (2) identifying capabilities needed to combat
future terrorist threats, and (3) identifying the highest-risk
scenarios and targets in the maritime domain. For example, Coast Guard
officials reported that results are used to refine the Coast Guard's
requirements for the number of required vessel escorts and patrols of
port facilities. At the local level, the Captain of the Port[Footnote
12] can use MSRAM as a tactical planning tool. The model can help
identify the highest risk scenarios, allowing the Captain of the Port
to prioritize needs and better deploy security assets.[Footnote 13]
The 2011 Congressional Budget Justification showed that the Coast
Guard uses risk or relative risk to direct resources to the mitigation
of the highest risk. For example, the use of risk management in the
allocation of resources that is specific to port security concerns the
Ports, Waterways, and Coastal Security program. This program has a
performance goal to manage terror-related risk in the U.S. Maritime
Domain to an acceptable level. The Coast Guard uses a program measure
to direct resources to the programs that reduce risk the most based on
the amount invested. Based on the development of the MSRAM assessment
process and the use of risk management analysis results in its
allocation of resources, we believe that the Coast Guard has addressed
the recommendations discussed earlier concerning risk management.
[Footnote 14]
DHS and the Coast Guard Have Taken Several Actions to Address the
Small-Vessel Threat but Challenges Remain in Mitigating the Risk:
In recent years, we reported that concerns had arisen about the
security risks posed by small vessels. In its April 2008 Small Vessel
Security Strategy, DHS identified the four gravest risk scenarios
involving the use of small vessels for terrorist attacks, which
include the use of a small vessel as (1) a waterborne improvised
explosive device, (2) a means of smuggling weapons into the United
States, (3) a means of smuggling humans into the United States, and
(4) a platform for conducting a stand-off attack--an attack that uses
a rocket or other weapon launched at a sufficient distance to allow
the attackers to evade defensive fire.[Footnote 15] According to the
former Commandant of the Coast Guard, small vessels pose a greater
threat than shipping containers for nuclear smuggling.[Footnote 16]
Some of these risks have been shown to be real through attacks
conducted outside U.S. waters, but--as we reported in December 2009--
no small-vessel attacks have taken place in the United States. Many
vessels frequently travel among small vessels that operate with little
scrutiny or notice, and some have suffered waterborne attacks overseas
by terrorist or pirates who operated from small vessels. For example,
at least three cruise ships have been attacked by pirates on small
boats while armed with automatic weapons and rocket propelled
grenades, although the three vessels were able to evade the pirates by
either maneuvering or fighting back.[Footnote 17] Oil tankers have
also been attacked. For example, in October 2002, a small vessel
filled with explosives rammed the side of an oil tanker off the coast
of Yemen.[Footnote 18] The concern about small-vessel attacks is
exacerbated by the fact that some vessels, such as cruise ships, sail
according to precise schedules and preplanned itineraries that could
provide valuable information to terrorists in preparing for and
carrying out an attack against a vessel.
DHS and the Coast Guard have developed a strategy and programs to
reduce the risks associated with small vessels; however, they face
ongoing challenges related to some of these efforts. The following
discusses some of our key findings with regard to reducing the risks
associated with small vessels.
* Small Vessel Security Strategy. DHS released its Small Vessel
Security Strategy in April 2008 as part of its effort to mitigate the
vulnerability of vessels to waterside attacks from small vessels, and
the implementation plan for the strategy is under review. According to
the strategy, its intent is to reduce potential security and safety
risks posed by small vessels through operations that balance
fundamental freedoms, adequate security, and continued economic
stability.[Footnote 19] After review by DHS, the Coast Guard, and CBP,
the draft implementation plan was forwarded to the Office of
Management and Budget in April 2010, but the release of the plan has
not been approved by the Office of Management and Budget.
* Community Outreach. Consistent with the Small Vessel Security
Strategy's goal to develop and leverage strong partnerships with the
small-vessel community, the Coast Guard, as well as other agencies--
such as the New Jersey State Police, have several outreach efforts to
encourage the boating community to share threat information; however,
the Coast Guard program faces resource limitations. For example, the
Coast Guard's program to conduct outreach to the boating community for
their help in detecting suspicious activity, America's Waterway Watch,
lost the funding it received through a Department of Defense readiness
training program for military reservists in fiscal year 2008. Now it
must depend on the activities of the Coast Guard Auxiliary, a
voluntary organization, for most of its outreach efforts. In addition
to America's Waterway Watch, the Coast Guard piloted a regional
initiative--Operation Focused Lens--to increase public awareness of
suspicious activity in and around U.S. ports, and direct additional
resources toward gathering information about the most likely points of
origin for an attack, such as marinas, landings, and boat ramps.
According to Coast Guard officials, the agency views Operation Focused
Lens to be a best practice, and the agency is considering plans to
expand the program or integrate it into other existing programs.
* Vessel Tracking. In December 2009, we reported that the Coast Guard
was implementing two major unclassified systems to track a broad
spectrum of vessels; however, these systems generally could not track
small vessels.[Footnote 20] The Coast Guard and other agencies have
other technology systems, though--including cameras and radars--that
can track small vessels within ports, but these systems were not
installed at all ports or did not always work in bad weather or at
night. Even with systems in place to track small vessels, there was
widespread agreement among maritime stakeholders that it is very
difficult to detect threatening activity by small vessels without
prior knowledge of a planned attack.
* Nuclear Material Detection Efforts. DHS has developed and tested
equipment for detecting nuclear material on small vessels; however,
efforts to use this equipment in a port area have been limited to
pilot programs. DHS is currently conducting 3-year pilot programs to
design, field test, and evaluate equipment and is working with CBP,
the Coast Guard, state, local, tribal officials, and others as they
develop procedures for screening. These pilot programs are scheduled
to end in 2010, when DHS intends to decide the future path of
screening of small vessels for nuclear and radiological materials.
According to DHS officials, initial feedback from federal, state, and
local officials involved in the pilot programs has been positive. DHS
hopes to sustain the capabilities created through the pilot programs
through federal grants to state and local authorities through the port
security grant program.[Footnote 21]
* Security Activities. The Coast Guard also conducts various
activities to provide waterside security including boarding vessels,
escorting vessels into ports, and enforcing fixed security zones,
although they are not always able to meet standards related to these
activities. Through its Operation Neptune Shield, the Coast Guard sets
the standards for local Coast Guard units to meet for some of these
security activities. Although the Coast Guard units may receive some
assistance from other law enforcement agencies in carrying out these
security activities, Coast Guard data indicates that some units are
not able to meet these standards due to resource constraints. However,
the Coast Guard's guidance allows the Captain of the Port the latitude
to shift resources to other priorities when deemed necessary, for
example when resources are not available to fulfill all missions
simultaneously. The planned decommissioning of five Maritime Safety
and Security Teams--a domestic force for mitigating and responding to
terrorist threats or incidents--may continue to strain Coast Guard
resources in meeting security requirements. Although remaining teams
are to maintain readiness to respond to emerging events and are to
continue performing routine security activities, such as vessel
escorts, their ability to support local units in meeting operational
activity goals may be diminished.
The Coast Guard Has a Program in Place to Assess the Security of
Foreign Ports, but Challenges Remain in Implementing the Program:
The security of domestic ports also depends upon security at foreign
ports where cargoes bound for the United States originate. To help
secure the overseas supply chain, MTSA required the Coast Guard to
assess security measures in foreign ports from which vessels depart on
voyages to the United States and, among other things, recommend steps
necessary to improve security measures in those ports. In response,
the Coast Guard established a program, called the International Port
Security Program, in April 2004. Under this program, the Coast Guard
and host nations review the implementation of security measures in the
host nations' ports against established security standards, such as
the International Maritime Organization's International Ship and Port
Facility Security (ISPS) Code.[Footnote 22] Coast Guard teams have
been established to conduct country visits, discuss security measures
implemented, and collect and share best practices to help ensure a
comprehensive and consistent approach to maritime security in ports
worldwide. Subsequently, in October 2006, the SAFE Port Act required
the Coast Guard to reassess security measures at such foreign ports at
least once every 3 years.
As we reported in October 2007, Coast Guard officials told us that
challenges exist in implementing the International Port Security
Program.[Footnote 23] Reluctance by some countries to allow the Coast
Guard to visit their ports due to concerns over sovereignty was a
challenge cited by program officials in completing their first round
of port visits. According to these officials, before permitting Coast
Guard officials to visit their ports, some countries insisted on
visiting and assessing a sample of U.S. ports. The Coast Guard was
able to accommodate their request through the program's reciprocal
visit feature in which the Coast Guard hosts foreign delegations to
visit U.S. ports and observe ISPS Code implementation in the United
States. This subsequently helped gain the cooperation of the countries
in hosting a Coast Guard visit to their own ports. However, as Coast
Guard program officials stated, sovereignty concerns may still be an
issue, as some countries may be reluctant to host a comprehensive
country visit on a recurring basis because they believe the frequency
is too high.
Another challenge program officials cited is having limited ability to
help countries build on or enhance their capacity to implement the
ISPS Code requirements. Program officials stated that while their
visits provide opportunities for them to identify potential areas to
improve or help sustain the security measures put in place, other than
sharing best practices or providing presentations on security
practices, the program does not currently have the resources to
directly assist countries, particularly those that are poor, with more
in-depth training or technical assistance. To overcome this, program
officials have worked with other agencies (e.g., the Departments of
Defense and State) and international organizations (e.g., the
Organization of American States) to secure funding for training and
assistance to countries where port security conferences have been held
(e.g., the Dominican Republic and the Bahamas).
CBP Has Established a Program to Scan U.S.-Bound Cargo Containers, but
Challenges to Expanding the Program Remain:
Another key concern in maritime security is the effort to secure the
supply chain to prevent terrorists from shipping weapons of mass
destruction (WMD) in one of the millions of cargo containers that
arrive at U.S. ports each year. CBP has developed a layered security
strategy to mitigate the risk of an attack using cargo containers.
CBP's strategy is based on a layered approach of related programs that
attempt to focus resources on potentially risky cargo shipped in
containers while allowing other cargo containers to proceed without
unduly disrupting commerce into the United States. The strategy is
based on obtaining advanced cargo information to identify high-risk
containers, utilizing technology to examine the content of containers,
and partnerships with foreign governments and the trade industry. One
of the programs in this layered security strategy is the Secure
Freight Initiative (SFI). In December 2006, in response to SAFE Port
Act requirements, DHS, and the Department of Energy (DOE) jointly
announced the formation of the SFI pilot program to test the
feasibility of scanning 100 percent of U.S.-bound container cargo at
three foreign ports (Puerto Cortes, Honduras; Qasim, Pakistan; and
Southampton, United Kingdom). According to CBP officials, while
initiating the SFI program at these ports satisfied the SAFE Port Act
requirement, CBP also selected the ports of Busan, South Korea; Hong
Kong; Salalah, Oman; and Singapore to more fully demonstrate the
capability of the integrated scanning system at larger, more complex
ports. As of April 2010, SFI has been operational at five of these
seven seaports.
In October 2009, we reported that CBP has made some progress in
working with the SFI ports to scan U.S.-bound cargo containers; but
because of challenges to expanding scanning operations, the
feasibility of scanning 100 percent of U.S.-bound cargo containers at
over 600 foreign seaports remains largely unproven.[Footnote 24] CBP
and DOE have been successful in integrating images of scanned
containers onto a single computer screen that can be reviewed remotely
from the United States. They have also been able to use these initial
ports as a test bed for new applications of existing technology, such
as mobile radiation scanners. However, the SFI ports' level of
participation, in some cases, has been limited in terms of duration
(e.g., the Port of Hong Kong participated in the program for
approximately 16 months) or scope (e.g., the Port of Busan, Korea,
allowed scanning in one of its eight terminals). In addition, the Port
of Singapore withdrew its agreement to participate in the SFI program
and, as of April 2010, the Port of Oman had not begun scanning
operations. Furthermore, since the inception of the SFI program in
October 2007, no participating port has been able to achieve 100
percent scanning. While 54 to 86 percent of the U.S.-bound cargo
containers were scanned at three comparatively low-volume ports that
are responsible for less than 3 percent of container shipments to the
United States, sustained scanning rates above 5 percent have not been
achieved at two comparatively larger ports--the type of ports that
ship most containers to the United States. Scanning operations at the
SFI ports have encountered a number of challenges--including safety
concerns, logistical problems with containers transferred from rail or
other vessels, scanning equipment breakdowns, and poor-quality scan
images. Both we and CBP had previously identified many of these
challenges, and CBP officials are concerned that they and the
participating ports cannot overcome them.[Footnote 25] In October
2009, we recommended that DHS conduct a feasibility analysis of
implementing the 100 percent scanning requirement in light of the
challenges faced.[Footnote 26] DHS concurred with our recommendation.
CBP and DOE spent approximately $100 million through June 2009 on
implementing and operating the SFI program, but CBP has not developed
a comprehensive estimate for future U.S. program costs, or conducted a
cost-benefit analysis that compares the costs and benefits of the 100
percent scanning requirement with other alternatives. The SAFE Port
Act requires CBP to report on costs for implementing the SFI program
at foreign ports, but CBP has not yet estimated total U.S. program
costs because of both the lack of a decision by DHS on a clear path
forward and the unique set of challenges that each foreign port
presents. While uncertainties exist regarding a path forward for the
program, a credible cost estimate consistent with cost estimating best
practices could better aid DHS and CBP in determining the most
effective way forward for SFI and communicating the magnitude of the
costs to Congress for use in annual appropriations. To address this,
in October 2009, we recommended that CBP develop comprehensive and
credible estimates of total U.S. program costs.[Footnote 27] DHS
concurred with our recommendation.
CBP and DOE have paid the majority of SFI costs for operating the SFI
program. The SAFE Port and 9/11 Commission Acts do not address the
issue of who is expected to pay the cost of developing, maintaining,
and using the infrastructure, equipment, and people needed for the 100
percent scanning requirement, but implementing the requirement would
entail costs beyond U.S. government program costs, including those
incurred by foreign governments and private terminal operators, and
could result in higher prices for American consumers. CBP has not
estimated these additional economic costs, though they are relevant in
assessing the balance between improving security and maintaining trade
capacity and the flow of cargo. To address this, in October 2009, we
recommended that DHS conduct a cost-benefit analysis to evaluate the
costs and benefits of achieving 100 percent scanning as well as other
alternatives for enhancing container security.[Footnote 28] Such an
analysis could provide important information to CBP and to Congress to
determine the most effective way forward to enhance container
security. DHS agreed in part with our recommendation that it develop a
cost-benefit analysis of 100 percent scanning, acknowledging that the
recommended analyses would better inform Congress, but stated the
recommendations should be directed to the Congressional Budget Office.
While the Congressional Budget Office does prepare cost estimates for
pending legislation, we think the recommendation is appropriately
directed to CBP. Given its daily interaction with foreign customs
services and its direct knowledge of port operations, CBP is in a
better position to conduct any cost-benefit analysis and bring results
to Congress for consideration.
Senior DHS and CBP officials acknowledge that most, if not all foreign
ports, will not be able to meet the July 2012 target date for scanning
all U.S.-bound cargo. Recognizing the challenges to meeting the
legislative requirement, DHS expects to grant a blanket extension to
all foreign ports pursuant to the statue, thus extending the target
date for compliance with this requirement by 2 years, to July 2014. In
addition, the Secretary of Homeland Security approved the "strategic
trade corridor strategy," an initiative to scan 100 percent of U.S.-
bound containers at selected foreign ports where CBP believes it will
mitigate the greatest risk of WMD entering the United States.
According to CBP, the data gathered from SFI operations will help to
inform future deployments to strategic locations. CBP plans to
evaluate the usefulness of these deployments and consider whether the
continuation of scanning operations adds value in each of these
locations, and potential additional locations that would strategically
enhance CBP efforts. While the strategic trade corridor strategy may
improve container security, it does not achieve the legislative
requirement to scan 100 percent of U.S.-bound containers. According to
CBP, it does not have a plan for full-scale implementation of the
statutory requirement by July 2012 because challenges encountered thus
far in implementing the SFI program indicate that implementation of
100 percent scanning worldwide by the 2012 deadline will be difficult
to achieve. However, CBP has not performed a feasibility analysis of
expanding 100 percent scanning, as required by the SAFE Port Act. To
address this, in October 2009, we recommended that CBP conduct a
feasibility analysis of implementing 100 percent scanning and provide
the results, as well as alternatives to Congress, in order to
determine the best path forward to strengthen container security.
[Footnote 29] DHS concurred with our recommendation.
In DHS's Congressional Budget Justification FY 2011, CBP requested to
decrease the SFI program's $19.9 million budget by $16.6 million.
According to the budget justification, in fiscal year 2011, SFI
operations will be discontinued at three SFI ports--Puerto Cortes,
Honduras; Southampton, United Kingdom; Busan, South Korea--and the SFI
program will be established at the Port of Karachi, Pakistan.
Furthermore, CBP's budget justification did not request any funds to
implement the strategic trade corridor strategy.
Mr. Chairman, this completes my prepared statement. I would be happy
to respond to any questions you or other Members of the Committee may
have at this time.
GAO Contacts and Staff Acknowledgments:
For questions about this statement, please contact Stephen L. Caldwell
at 202-512-9610 or caldwells@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this statement. In addition to the contacts named above, John
Mortin, Assistant Director, managed this review. Jonathan Bachman,
Charles Bausell, Lisa Canini, Frances Cook, Tracey Cross, Andrew
Curry, Anthony DeFrank, Geoff Hamilton, Dawn Hoff, Lara Miklozek,
Stanley Kostyla, Jan Montgomery, and Kendal Robinson made key
contributions to this statement.
[End of section]
Related GAO Products:
Combating Nuclear Smuggling: DHS Has Made Some Progress but Not Yet
Completed a Strategic Plan for Its Global Nuclear Detection Efforts or
Closed Identified Gaps. [hyperlink,
http://www.gao.gov/products/GAO-10-883T]. Washington, D.C.: June 30,
2010.
Maritime Security: Varied Actions Taken to Enhance Cruise Ship
Security, but Some Concerns Remain. [hyperlink,
http://www.gao.gov/products/GAO-10-400]. Washington, D.C.: April 9,
2010.
Coast Guard: Deployable Operations Group Achieving Organizational
Benefits, but Challenges Remain. [hyperlink,
http://www.gao.gov/products/GAO-10-433R]. Washington, D.C.: April 7,
2010.
Critical Infrastructure Protection: Update to National Infrastructure
Protection Plan Includes Increased Emphasis on Risk Management and
Resilience. [hyperlink, http://www.gao.gov/products/GAO-10-296].
Washington, D.C.: March 5, 2010.
Coast Guard: Observations on the Requested Fiscal Year 2011 Budget,
Past Performance, and Current Challenges. [hyperlink,
http://www.gao.gov/products/GAO-10-411T]. Washington, D.C.: February
25, 2010.
Supply Chain Security: Feasibility and Cost-Benefit Analysis Would
Assist DHS and Congress in Assessing and Implementing the Requirement
to Scan 100 Percent of U.S.-Bound Containers. [hyperlink,
http://www.gao.gov/products/GAO-10-12]. Washington, D.C.: October 30,
2009.
Transportation Security: Comprehensive Risk Assessments and Stronger
Internal Controls Needed to Help Inform TSA Resource Allocation.
[hyperlink, http://www.gao.gov/products/GAO-09-492]. Washington D.C.:
March 27, 2009.
Maritime Security: Vessel Tracking Systems Provide Key Information,
but the Need for Duplicate Data Should Be Reviewed. [hyperlink,
http://www.gao.gov/products/GAO-09-337]. Washington, D.C.: March 17,
2009.
Risk Management: Strengthening the Use of Risk Management Principles
in Homeland Security. [hyperlink,
http://www.gao.gov/products/GAO-08-904T]. Washington, D.C.: June 25,
2008.
Supply Chain Security: Challenges to Scanning 100 Percent of U.S.-
Bound Cargo Containers. [hyperlink,
http://www.gao.gov/products/GAO-08-533T]. Washington, D.C., June 12,
2008.
Highlights of a Forum: Strengthening the Use of Risk Management
Principles in Homeland Security. [hyperlink,
http://www.gao.gov/products/GAO-08-627SP]. Washington, D.C.: April 15,
2008.
Maritime Security: Federal Efforts Needed to Address Challenges in
Preventing and Responding to Terrorist Attacks on Energy Commodity
Tankers. [hyperlink, http://www.gao.gov/products/GAO-08-141].
Washington, D.C.: December 10, 2007.
Maritime Security: The SAFE Port Act: Status and Implementation One
Year Later. [hyperlink, http://www.gao.gov/products/GAO-08-126T].
Washington, D.C.: October 30, 2007.
Maritime Security: The SAFE Port Act and Efforts to Secure Our
Nation's Ports. [hyperlink, http://www.gao.gov/products/GAO-08-86T].
Washington, D.C.: October 4, 2007.
Information on Port Security in the Caribbean Basin. [hyperlink,
http://www.gao.gov/products/GAO-07-804R]. Washington, D.C.: June 29,
2007.
Risk Management: Further Refinements Needed to Assess Risks and
Prioritize Protective Measures at Ports and Other Critical
Infrastructure. [hyperlink, http://www.gao.gov/products/GAO-06-91].
Washington, D.C.: December 15, 2005.
[End of section]
Footnotes:
[1] Pub. L. No. 107-296, § 201, 116 Stat. 2135, 2144 (2002).
[2] Pub. L. No. 107-295, 116 Stat. 2064 (2002).
[3] Pub. L. No. 109-347, § 231, 120 Stat. 1884, 1915-16 (2006).
[4] Pub. L. No. 110-53, § 1701(a), 121 Stat. 266, 489-90 (2007). The
law defines scanning to be an examination with both nonintrusive
imaging equipment and radiation detection equipment. In addition,
while the law states that cargo containers are not to enter the United
States unless they were scanned at a foreign port, actual
participation in the program by sovereign foreign governments and
ports is voluntary.
[5] See the list of related GAO products at the end of this statement.
[6] According to DHS's Small Vessel Security Strategy, "small vessels"
are characterized as any watercraft--regardless of method of
propulsion--less than 300 gross tons, and used for recreational or
commercial purposes.
[7] GAO, Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Critical
Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91]
(Washington, D.C.: Dec. 15, 2005).
[8] The five phases of the risk management framework developed by GAO
are (1) setting strategic goals and objectives, and determining
constraints; (2) assessing the risks; (3) evaluating alternatives for
addressing these risks; (4) selecting the appropriate alternatives;
and (5) implementing the alternatives and monitoring the progress made
and results achieved.
[9] Risk assessment is a function of (1) threat--the likelihood that a
particular asset, system, or network will suffer an attack or an
incident; (2) vulnerability--the likelihood that a characteristic of,
or flaw in, an asset's, system's, or network's design, location,
security posture, process, or operation renders it susceptible to
destruction, incapacitation, or exploitation by terrorist or other
intentional acts, mechanical failures, and natural hazards; and (3)
consequence--the negative effects on public health and safety, the
economy, public confidence in institutions, and the functioning of
government, both direct and indirect, that can be expected if an
asset, system, or network is damaged, destroyed, or disrupted by a
terrorist attack, natural disaster, or other incident.
[10] Critical infrastructure are systems and assets, whether physical
or virtual, so vital to the United States that their incapacity or
destruction would have a debilitating impact on national security,
national economic security, national public health or safety, or any
combination of those matters. Homeland Security Presidential Directive
7 divided up the critical infrastructure in the United States into 17
industry sectors, such as transportation, energy, and communications,
among others. In 2008, DHS established an 18th sector--Critical
Manufacturing.
[11] The framework for the updated NIPP includes six components: (1)
set goals and objectives; (2) identify assets, systems, and networks;
(3) assess risks; (4) prioritize; (5) implement programs; and (6)
measure effectiveness. See GAO, Critical Infrastructure Protection:
Update to National Infrastructure Protection Plan Includes Increased
Emphasis on Risk Management and Resilience, [hyperlink,
http://www.gao.gov/products/GAO-10-296] (Washington, D.C.: Mar. 5,
2010).
[12] The Captain of the Port is the Coast Guard officer designated by
the Commandant of the Coast Guard to enforce within his or her
respective areas port safety and security and marine environmental
protection regulations, including, without limitation, regulations for
the protection and security of vessels, harbors, and waterfront
facilities.
[13] For more information on the use of MSRAM see GAO, Maritime
Security: Varied Actions Taken to Enhance Cruise Ship Security, but
Some Concerns Remain, [hyperlink,
http://www.gao.gov/products/GAO-10-400] (Washington, D.C.: Apr. 9,
2010).
[14] We have work planned for this committee to address a request
concerning port security planning that will include a more detailed
examination of MSRAM.
[15] Department of Homeland Security, Small Vessel Security Strategy
(Washington, D.C., April 2008).
[16] From testimony delivered by Vice Admiral Thad Allen, Chief of
Staff, United States Coast Guard, during a hearing on the Coast Guard
role in border and maritime security, before the Committee on
Appropriations, Subcommittee on Homeland Security, U.S. Senate (Apr.
6, 2006).
[17] For more information on cruise ship security, see [hyperlink,
http://www.gao.gov/products/GAO-10-400].
[18] GAO, Maritime Security: Federal Efforts Needed to Address
Challenges in Preventing and Responding to Terrorist Attacks on Energy
Commodity Tankers, [hyperlink, http://www.gao.gov/products/GAO-08-141]
(Washington, D.C.: December 10, 2007).
[19] The goals of the Small Vessel Security Strategy are to (1)
develop and leverage a strong partnership with the small-vessel
community and public and private sectors; (2) enhance maritime
security and safety; (3) leverage technology to enhance the ability to
detect, determine intent, and when necessary, interdict small vessels;
and (4) enhance coordination, cooperation, and communications between
federal, state, local, and tribal stakeholders, the private sector,
and international partners.
[20] For more information on vessel tracking systems, see GAO,
Maritime Security: Vessel Tracking Systems Provide Key Information,
but the Need for Duplicate Data Should Be Reviewed, [hyperlink,
http://www.gao.gov/products/GAO-09-337] (Washington, D.C.: Mar. 17,
2009).
[21] For more information, see GAO, Combating Nuclear Smuggling: DHS
Has Made Some Progress but Not Yet Completed a Strategic Plan for Its
Global Nuclear Detection Efforts or Closed Identified Gaps,
[hyperlink, http://www.gao.gov/products/GAO-10-883T] (Washington,
D.C.: June 30, 2010).
[22] The International Port Security Program uses the ISPS Code as the
benchmark by which it measures the effectiveness of a country's
antiterrorism measures in a port. The code was developed after the
September 11 attacks and established measures to enhance the security
of ships and port facilities with a standardized and consistent
security framework. The ISPS Code requires facilities to conduct an
assessment to identify threats and vulnerabilities and then develop
security plans based on the assessment. The requirements of this code
are performance-based; therefore compliance can be achieved through a
variety of security measures.
[23] GAO, Maritime Security: The SAFE Port Act: Status and
Implementation One Year Later, [hyperlink,
http://www.gao.gov/products/GAO-08-126T] (Washington, D.C.: Oct. 30,
2007).
[24] GAO, Supply Chain Security: Feasibility and Cost-Benefit Analysis
Would Assist DHS and Congress in Assessing and Implementing the
Requirement to Scan 100 Percent of U.S.-Bound Containers, [hyperlink,
http://www.gao.gov/products/GAO-10-12] (Washington, D.C.: Oct. 30,
2009).
[25] GAO, Supply Chain Security: Challenges to Scanning 100 Percent of
U.S.-Bound Cargo Containers, [hyperlink,
http://www.gao.gov/products/GAO-08-533T] (Washington, D.C.: June 12,
2008).
[26] [hyperlink, http://www.gao.gov/products/GAO-10-12].
[27] [hyperlink, http://www.gao.gov/products/GAO-10-12].
[28] [hyperlink, http://www.gao.gov/products/GAO-10-12].
[29] [hyperlink, http://www.gao.gov/products/GAO-10-12].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: