Transportation Worker Identification Credential
Mailing Credentials to Applicants' Residences Would Not Be Consistent with DHS Policy Gao ID: GAO-11-542R April 13, 2011Securing transportation systems and facilities requires balancing security to address potential threats while facilitating the flow of people and goods that are critical to the U.S. economy and necessary for supporting international commerce. As we have previously reported, these systems and facilities are vulnerable and difficult to secure given their size, easy accessibility, large number of potential targets, and proximity to urban areas. To help enhance the security of these systems and facilities, the Maritime Transportation Security Act of 2002 (MTSA) required the Secretary of Homeland Security to prescribe regulations preventing individuals from having unescorted access to secure areas of MTSA-regulated facilities and vessels unless they both possess a biometric transportation security card and are authorized to be in such an area. MTSA further tasked the Secretary with the responsibility to issue biometric transportation security cards to eligible individuals unless the Secretary determines that an applicant poses a security risk warranting denial of the card. The Transportation Worker Identification Credential (TWIC) program is designed to implement these biometric maritime security card requirements. The program requires maritime workers to undergo a background check to obtain a biometric identification card. This card is required for an individual to be eligible for unescorted access to secure areas of vessels and facilities. It is still the responsibility of facility and vessel owners to determine who should be granted access to their facilities or vessels. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) and the United States Coast Guard are responsible for implementing and enforcing the TWIC program. TSA's responsibilities include enrolling TWIC applicants, conducting background checks to assess individuals' potential security threat, and issuing TWICs. In January 2007, TSA contracted out TWIC enrollment center operations to enroll applicants and issue TWICs to approved applicants. This contract expires in June 2012. The Coast Guard is responsible for developing TWIC-related security regulations and ensuring that MTSA-regulated maritime facilities and vessels are in compliance with these regulations. In addition, DHS's Screening Coordination Office (SCO) facilitates coordination among the various DHS components involved in TWIC, such as TSA and the Coast Guard, as well as the United States Citizenship and Immigration Services (USCIS), which, through an interagency agreement, personalizes the credentials and ships them to enrollment centers, and the Federal Emergency Management Agency, which administers grant funds in support of the TWIC program. Section 818(b)(1) of the Coast Guard Authorization Act of 2010 provides that the Comptroller General shall submit a report to the House Committee on Homeland Security and the Senate Committee on Commerce, Science, and Transportation assessing the costs, technical feasibility, and security measures associated with procedures to (1) deliver a transportation security card (i.e., a TWIC) to an approved applicant's place of residence in a secure manner or (2) allow an approved applicant to receive the card at an enrollment center of the individual's choosing..
Starting in February 2009, TSA allowed applicants to designate an enrollment center of their choosing where a TWIC would be activated and issued. However, several factors limit the ability of DHS to mail TWICs to an approved applicant's residence. For example, it would not meet current or proposed NIST guidelines for credential issuance (FIPS 201-1) that require a biometric match be performed before providing the card to the applicant. Such a match must be done in person using information either from the TWIC or the enrollment record. DHS and TSA made a policy decision to align the TWIC program with these guidelines because it used the latest technology, secured critical facilities with the same processes used by federal agencies, and would allow interoperability in an emergency. Should DHS and TSA change their policy that the TWIC program be aligned with FIPS 201-1, TSA and USCIS, the organization that personalizes TWICs for TSA, stated that changes could be made to existing business processes and systems to accommodate such a change but that this would require significant changes to the existing systems and processes used to produce and issue cards. Regarding the cost implications of mailing TWICs to residences, specific program requirements to accomplish this goal would need to be identified before an accurate cost estimate can be made.
GAO-11-542R, Transportation Worker Identification Credential: Mailing Credentials to Applicants' Residences Would Not Be Consistent with DHS Policy
This is the accessible text file for GAO report number GAO-11-542R
entitled 'Transportation Worker Identification Credential: Mailing
Credentials to Applicants' Residences Would Not Be Consistent with DHS
Policy' which was released on April 13, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
Washington, DC 20548:
April 13, 2011:
The Honorable John D. Rockefeller, IV:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate:
The Honorable Peter T. King:
Chairman:
The Honorable Bennie G. Thompson:
Ranking Member:
Committee on Homeland Security:
House of Representatives:
Subject: Transportation Worker Identification Credential: Mailing
Credentials to Applicants' Residences Would Not Be Consistent with DHS
Policy:
Securing transportation systems and facilities requires balancing
security to address potential threats while facilitating the flow of
people and goods that are critical to the U.S. economy and necessary
for supporting international commerce. As we have previously reported,
these systems and facilities are vulnerable and difficult to secure
given their size, easy accessibility, large number of potential
targets, and proximity to urban areas.[Footnote 1]
To help enhance the security of these systems and facilities, the
Maritime Transportation Security Act of 2002 (MTSA) required the
Secretary of Homeland Security to prescribe regulations preventing
individuals from having unescorted access to secure areas of MTSA-
regulated facilities and vessels unless they both possess a biometric
transportation security card and are authorized to be in such an area.
[Footnote 2] MTSA further tasked the Secretary with the responsibility
to issue biometric transportation security cards to eligible
individuals unless the Secretary determines that an applicant poses a
security risk warranting denial of the card. The Transportation Worker
Identification Credential (TWIC) program is designed to implement
these biometric maritime security card requirements. The program
requires maritime workers to undergo a background check to obtain a
biometric identification card. This card is required for an individual
to be eligible for unescorted access to secure areas of vessels and
facilities. It is still the responsibility of facility and vessel
owners to determine who should be granted access to their facilities
or vessels.
Within the Department of Homeland Security (DHS), the Transportation
Security Administration (TSA) and the United States Coast Guard are
responsible for implementing and enforcing the TWIC program. TSA's
responsibilities include enrolling TWIC applicants, conducting
background checks to assess individuals' potential security threat,
and issuing TWICs. In January 2007, TSA contracted out TWIC enrollment
center operations to enroll applicants and issue TWICs to approved
applicants. This contract expires in June 2012. The Coast Guard is
responsible for developing TWIC-related security regulations and
ensuring that MTSA-regulated maritime facilities and vessels are in
compliance with these regulations. In addition, DHS's Screening
Coordination Office (SCO) facilitates coordination among the various
DHS components involved in TWIC, such as TSA and the Coast Guard, as
well as the United States Citizenship and Immigration Services
(USCIS), which, through an interagency agreement, personalizes the
credentials and ships them to enrollment centers, and the Federal
Emergency Management Agency, which administers grant funds in support
of the TWIC program.[Footnote 3]
Section 818(b)(1) of the Coast Guard Authorization Act of
2010[Footnote 4] provides that the Comptroller General shall submit a
report to the House Committee on Homeland Security and the Senate
Committee on Commerce, Science, and Transportation assessing the
costs, technical feasibility, and security measures associated with
procedures to (1) deliver a transportation security card (i.e., a
TWIC) to an approved applicant's place of residence in a secure manner
or (2) allow an approved applicant to receive the card at an
enrollment center of the individual's choosing. To meet the mandate,
we analyzed the factors affecting DHS's ability to mail cards to an
enrollment center of choice or an approved applicant's residence, and
the security and cost implications DHS reports are associated with
such actions.
To assess the factors affecting DHS's ability to mail cards to an
approved applicant's residence or enrollment center of choice, we
reviewed existing processes for TWIC production, personalization,
activation, and issuance. We analyzed documentation provided by TSA
regarding TWIC program systems and processes, such as the TWIC User
Manual for Trusted Agents, concept of operations, and statement of
work. We also reviewed information provided by USCIS on its credential
production and personalization process, such as information on the
Secure Mail Initiative.[Footnote 5] We interviewed TSA and USCIS
officials about the feasibility of mailing cards to an applicant's
residence or enrollment center of choice. We also interviewed relevant
officials from the TSA TWIC contractor to discuss the possibility of
modifying the current TWIC card production and mailing processes.
To identify the security implications associated with mailing cards to
an individual's residence or enrollment center of choice, we analyzed
pertinent regulations, policies, and guidance establishing
requirements for secure issuance of credentials.[Footnote 6] We
interviewed officials from TSA and SCO to identify how security
requirements were identified for the TWIC processes and obtain views
on how changes to the TWIC activation and issuance process might
affect security. We interviewed officials from USCIS to obtain
information about their approach to securely mailing other government
credentials to individual residences. We also interviewed officials
from the Department of Commerce's National Institute of Standards and
Technology (NIST) to confirm our understanding of Federal Information
Processing Standards (FIPS) Publication 201-1 requirements and
security standards, and officials from the Coast Guard to identify
what impact the mailing of TWICs might have on compliance and
enforcement.
To determine costs DHS has associated with mailing cards to an
applicant's residence or enrollment center of choice, we analyzed TWIC
program fee requirements as established in the TWIC rule and
supporting regulatory evaluation to understand the costs related to
the current activation and issuance process, and how changes to the
issuance process could influence program fees. We also reviewed GAO's
Cost Estimating and Assessment Guide and DHS's Cost Benefit Analysis
Guidebook to determine the required elements for estimating costs and
DHS requirements for conducting a cost-benefit analysis.[Footnote 7]
We interviewed officials from TSA and USCIS about the cost
implications of mailing cards to an applicant's residence or
enrollment center of choice.
Our work for this report was also informed by ongoing work we are
conducting for your committees and others evaluating the extent to
which TWIC program controls provide reasonable assurance that
unescorted access to secure areas of MTSA-regulated facilities and
vessels is limited to those possessing a legitimately issued TWIC and
who are authorized to be in such an area.[Footnote 8] We expect to
issue a report with the final results from this review later this year.
We conducted this performance audit from February 2011 to April 2011
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Results in Brief:
Starting in February 2009, TSA allowed applicants to designate an
enrollment center of their choosing where a TWIC would be activated
and issued. However, several factors limit the ability of DHS to mail
TWICs to an approved applicant's residence. For example, it would not
meet current or proposed NIST guidelines for credential issuance (FIPS
201-1) that require a biometric match be performed before providing
the card to the applicant. Such a match must be done in person using
information either from the TWIC or the enrollment record. DHS and TSA
made a policy decision to align the TWIC program with these guidelines
because it used the latest technology, secured critical facilities
with the same processes used by federal agencies, and would allow
interoperability in an emergency. Should DHS and TSA change their
policy that the TWIC program be aligned with FIPS 201-1, TSA and
USCIS, the organization that personalizes TWICs for TSA, stated that
changes could be made to existing business processes and systems to
accommodate such a change but that this would require significant
changes to the existing systems and processes used to produce and
issue cards. Regarding the cost implications of mailing TWICs to
residences, specific program requirements to accomplish this goal
would need to be identified before an accurate cost estimate can be
made.
Background:
TWIC History and Purpose:
In November 2001, the Aviation and Transportation Security Act (ATSA)
was enacted, requiring TSA, among other things, to work with airport
operators to strengthen access control points in secured areas and to
consider using biometric access control systems, or similar
technologies, to verify the identities of individuals who seek to
enter a secure airport area.[Footnote 9] In response to ATSA, TSA
established the TWIC program in December 2001.[Footnote 10] In
November 2002, MTSA was enacted and required the Secretary of Homeland
Security to issue a maritime worker identification card that uses
biometrics to control access to secure areas of maritime
transportation facilities and vessels.[Footnote 11] In addition, the
Security and Accountability For Every Port Act of 2006 amended MTSA
and directed the Secretary of Homeland Security, among other things,
to implement the TWIC pilot project to test TWIC use with biometric
card readers.[Footnote 12] Once the pilot has concluded, a report on
the findings of the pilot is expected to inform the development of a
card reader rule on how TWIC will be implemented with biometric card
readers. DHS currently estimates that a notice of proposed rulemaking
will be issued late in 2011 and that the final rule will be
promulgated no earlier than the end of 2012.
In January 2007, a federal regulation (known as the TWIC credential
rule) set a compliance deadline, subsequently extended to April 15,
2009, whereby each maritime worker seeking unescorted access to secure
areas of MTSA-regulated facilities and vessels must possess a TWIC.
[Footnote 13] Currently, TWICs are primarily used as visual identity
cards--or flash passes--where a card is to be visually inspected
before a cardholder enters a secure area of a MTSA-regulated port or
facility. As of March 24, 2011, TSA reported over 1.8 million
enrollments and 1.7 million card activations.[Footnote 14]
Current TWIC Enrollment, Card Production, Activation, and Issuance
Processes:
In January 2007, TSA hired a contractor for the TWIC program. The
contractor was charged with establishing enrollment centers, enrolling
applicants, and activating applicants' TWICs once applicants
successfully passed security threat assessments (background checks).
[Footnote 15] During the enrollment process, transportation workers
are to pay an enrollment fee of up to $132.50;[Footnote 16] provide
biographic information, such as their name, date of birth, and
address; and are to be photographed and fingerprinted by trusted
agents at the enrollment centers.[Footnote 17] Trusted agents are
subcontractors who have been authorized by the federal government to
enroll transportation workers in the TWIC program and issue TWICs.
After TSA determines that a worker has passed the background check,
the worker's information is to be provided to the USCIS-operated
federal card production facility in Corbin, Kentucky, where TWICs are
to be personalized with applicants' information, such as an
applicant's photograph and name. After this step is completed, the
card is to be sent to the appropriate enrollment center for activation
and issuance to the applicant. TWICs remain active for 5 years. Under
the current process, at the end of 5 years, cardholders must apply for
a new card and pay an additional fee.[Footnote 18]
Once a worker's TWIC is personalized, the worker is to be notified and
must return to an enrollment center in person to obtain and activate
his or her card. To activate a card, a trusted agent is to confirm an
individual's identity by reviewing the individual's government-issued
photo identification and matching his or her live fingerprint to the
biometric template stored on the card. The worker is to select a
personal identification number (PIN), which is used to protect the
digital information on the card (i.e., electronic certificates for
applicant identity, digital signing, digital encryption, and card
authorization).[Footnote 19] The worker is to reenter his or her PIN
to accept and agree to TWIC holder responsibilities and confirm that
certain electronic TWIC features are working. Once the PIN is
reentered, the TWIC is to be issued to the worker for use in accessing
MTSA-regulated facilities and vessels. Figure 1 contains an overview
of the TWIC process.
Figure 1: Overview of the TWIC Process:
[Refer to PDF for image: illustration]
(1) Enrollment:
The transportation worker enrolls in the TWIC program by providing
biographical and biometric information, such as a name, address,
fingerprints, and a digital photograph.
(2) Background check:
Terrorism databases and watchlists, criminal history records, and
immigration records will verify the transportation worker's
eligibility for the TWIC program.
(3) Card production:
If the transportation worker successfully passes the background check,
his or her TWIC will be printed at a government printing facility and
shipped to an enrollment center.
(4) Card activation and issuance:
The transportation worker returns to an enrollment center, has his or
her identity confirmed, and selects a personal identification number.
After electronic certificates are added to activate the card, the
worker receives the TWIC.
Source: GAO analysis of TSA information.
[End of figure]
Mailing TWICs to Approved Applicants' Residences Would Not Be
Consistent with DHS Policy and Has Security and Cost Implications:
Applicants Can Pick Up TWICs at the Enrollment Center of Their Choice:
At the program's inception, TSA required TWIC applicants to return to
the same enrollment center where they enrolled to activate and pick up
their TWICs. However, according to TSA officials, starting in February
2009, TSA allowed applicants to designate an enrollment center of
their choosing where the TWIC would be activated and issued.[Footnote
20] The agency spent $187,000 modifying the program to allow
activation and issuance at enrollment centers of applicants' choosing.
[Footnote 21] According to TSA, the procedure was changed to improve
customer service by allowing applicants more flexibility in obtaining
a TWIC. In addition, this change required revisions to the TWIC
information technology system (TWIC system) and operational procedures
for enrollment, which were addressed through a contract modification
and related task order with the contractor.
Mailing TWICs to Approved Applicants' Residences Would Not Be
Consistent with Current DHS and TSA Policy:
Existing DHS and TSA policy does not allow a TWIC to be mailed to an
approved applicant's residence. Under current policy, an applicant
must be physically present to pick up a card. On August 27, 2004, the
President issued Homeland Security Presidential Directive 12 (HSPD-12)
mandating the establishment of a standard for identification of
federal employees and contractors. HSPD-12 requires the use of a
common identification card for access to federally controlled
facilities[Footnote 22] and information systems to help enhance
security, increase efficiency, and reduce security fraud, among other
benefits. In response to HSPD-12, NIST issued the Federal Information
Processing Standards Publication 201 (FIPS 201), Personal Identity
Verification (PIV) of Federal Employees and Contractors, in February
2005 and updated it in March 2006 (FIPS 201-1).[Footnote 23] The
overall goal of FIPS 201-1 is to achieve appropriate security
assurance for individuals seeking physical access to federally
controlled government facilities and electronic access to government
information systems. Although not required to comply with FIPS 201-1,
as a policy decision, DHS and TSA decided to align the TWIC program
with these standards where possible, even though the focus of the
standard is not maritime facilities or vessels and TWIC holders are
not limited to federal employees and contractors. TSA noted in the
2006 TWIC Notice of Proposed Rulemaking that there were benefits to
designing the TWIC program in alignment with FIPS 201-1, including
avoiding obsolescence by using the latest technology, securing
critical facilities with the same process used by federal agencies,
and having interoperability during an emergency.
FIPS 201-1 is currently being revised and, according to a NIST
official, is expected to be superseded by updated guidance in 2012.
According to NIST officials, both the current FIPS 201-1 and the March
2011 draft FIPS 201-2 require an applicant to be physically present to
pick up a card. Specifically, the current FIPS 201-1 and March 2011
draft FIPS 201-2 require that prior to the delivery of the newly
issued personal identity verification card to an applicant, the issuer
perform a biometric match of the applicant against the biometric
included in the card or in the enrollment record. Upon successful
match, the card is released to the applicant. According to NIST
officials, this requirement means that the applicant must be present
to receive the card since this match must be done when the card is
released to the user. They also noted that the requirement for an
applicant to be physically present during card issuance is consistent
with the control objective of the current and March 2011 draft FIPS
201-2 that the cards should only be issued to individuals whose true
identity has been verified and that having the individual present when
the card is issued is key to accomplishing this objective.
If DHS and TSA were to change the current policy of remaining aligned
with FIPS 201-1 card issuance requirements, according to an USCIS
official, it would be possible for USCIS to mail personalized TWICs
directly from the Corbin, Kentucky, facility to individual residences.
For example, beginning December 7, 2010, USCIS used its Secure Mail
Initiative to mail nearly 900,000 permanent residence cards and
employment authorization documents to individual residences. The
Secure Mail Initiative uses U.S. Priority Mail shipping with delivery
confirmation to ensure that the credentials are delivered to the
desired recipient. USCIS officials also stated that they are willing
to work with TSA to personalize and distribute TWICs to individual
residences, to enrollment centers, or to both, if TSA requests that
they do so.
However, according to TSA officials, mailing TWICs to individual
residences rather than enrollment centers would be possible but would
require significant and potentially costly changes to TWIC systems,
processes, regulations, and contracts. TSA officials stated that these
changes would include modifications to the software that operates the
enrollment center workstations and the technology systems used to
collect, store, and transfer TWIC applicant biographic and biometric
information among the various components involved in enrollment,
background checks, card personalization, and card activation and
issuance. As TWICs are currently shipped in batches from the USCIS
facility in Corbin, Kentucky, to approximately 135 enrollment centers,
TSA officials said TSA would have to establish processes and
procedures to manage cards that are undeliverable because of incorrect
or changed addresses. According to program officials, the TWIC program
has had thousands of pieces of correspondence (for example, notices of
threat assessment results and requests for additional information)
returned as undeliverable, as the maritime transportation population
is very mobile. TSA officials said that an additional complication
would be that TSA would also need to integrate the revised TWIC system
with other components, such as the automated notification system and
the Web site that provides card status. TSA officials also said that
such changes to the established TWIC processes would require
comprehensive testing prior to implementation. For example, before the
TWIC program began operations in 2007, TSA went through a technical
evaluation period, which began in 2003, and a 2-year prototype period
(2004-2005) during which the current processes were established,
tested, and modified. TSA believes that a similar effort would be
required before implementing a major business process reengineering to
allow for mailing TWICs to individuals.
TSA officials also said that making this change to the TWIC program
might also require regulatory changes to the portions of the January
2007 TWIC credential rule pertaining to the activation and issuance of
the TWICs. The TWIC credential rule identifies TWIC program
requirements and fees for use of TWIC as a flash pass. TWIC program
officials also noted that the time required to modify the credential
rule would be influenced by several other regulations currently under
development such as a proposed rule on using TWICs with biometric card
readers.
According to TSA officials, mailing TWICs directly to individual
residences would require changes to TSA's program management contract
along with the interagency agreement for card personalization with
USCIS. The contract and agreement reflect the existing approach to
TWIC enrollment, activation, and issuance. TSA officials said they
would have to execute modifications to the TWIC contract and to an
interagency agreement with USCIS for card personalization services.
TSA officials stated that this would require a major effort from the
TWIC program and acquisitions staff that would include defining
requirements, preparing statements of work, reviewing contractor
deliverables, negotiating changes and executing the modifications, and
monitoring the work.
In addition to TSA and DHS's policy to align the TWIC program with
FIPS 201-1 standards, TSA and Coast Guard officials expressed other
security concerns related to mailing TWICs to individual residences.
TSA officials stated that mailing TWICs to approximately 1.7 million
addresses would increase the chances of having a large number of lost
and unaccounted for cards. As TWICs are currently only required to be
used as a flash pass, if TWICs were lost in the mail, delivered to
incorrect addresses, or stolen from mailboxes, then those cards could
be used by individuals who did not undergo a background check to
attempt to obtain unescorted access to secure areas of a MTSA-
regulated facility. Both TSA and Coast Guard officials responsible for
the TWIC program stressed a need to ensure that an authentic TWIC--
activated or unactivated--did not end up in the wrong person's hands
if the credential is not issued in person.
Accurate Cost Estimates for Mailing Cards to Residences Cannot Be Made
without First Identifying Specific Program Requirements:
As we reported in March 2009, high-quality cost estimates, when
developed, generally include defining program characteristics, such as
technology implications, security needs and risk items, as well as
staff requirements.[Footnote 24] According to TSA officials, because
they do not believe that mailing TWICs to individual residences is
advisable from a security standpoint--the change would not allow the
TWIC program to remain aligned with FIPS 201-1--they have not invested
resources in developing a cost estimate. TSA officials further stated
that if DHS directed TSA to deviate from the FIPS 201-1 standard to
allow for an alternative issuance process, the TWIC program would
first need to assess whether it is feasible by comparing the cost of
making this change with the potential security risk associated with
redesigning the current FIPS 201-1-aligned system.
While TSA officials have not developed a specific cost estimate, they
anticipate that it could be costly to reengineer the TWIC production,
personalization, delivery, and activation processes to mail individual
TWICs directly to transportation workers. Costs would include changes
to the TWIC enrollment and issuance processes, the TWIC system, and
processes for mailing the cards. According to TSA, these necessary
changes could result in an increase in the fee that transportation
workers currently pay to obtain their TWICs (currently set at a
maximum of $132.50). According to these officials, because the TWIC
program is required by statute to pay for program costs through user
fees,[Footnote 25] if TSA were to modify the scope of the program, TSA
would need to change the TWIC rule and fees to reflect the
modification. TSA estimates that changes to the TWIC credential rule
could take up to 24 months to execute because the agency would have to
issue and solicit comments on both a proposed and final rule.
According to procurement officials at TSA, if the agency were to allow
TWICs to be mailed to applicants' residences, these changes would be
incorporated as a modification to the next TWIC contract, which will
be awarded before the current contract expires in June 2012. According
to TSA, it has no plans to modify the current contract to allow
mailing of TWICs to transportation workers' residences.
Agency Comments and Our Evaluation:
We requested comments on a draft of this report from the Secretary of
Homeland Security. DHS did not provide written comments to include in
the report. However, on April 7, 2011, TSA's TWIC Program Manager and
USCIS's Integrated Document Production Branch Business Operations
Specialist provided oral technical comments, which we incorporated as
appropriate. Additionally, in e-mails received on April 7, 2011 and
April 8, 2011, respectively, the TSA and USCIS audit liaisons provided
technical comments, which we incorporated as appropriate.
We are sending copies of this report to the Secretary of Homeland
Security, appropriate congressional committees, and other interested
parties. This report also is available at no charge on the GAO Web
site at [hyperlink, http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at (202) 512-4379 or lords@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. Key contributors to this report are
listed in enclosure I.
Signed by:
Stephen M. Lord:
Director, Homeland Security and Justice Issues:
Enclosure:
[End of section]
Enclosure I: GAO Contact and Staff Acknowledgments:
GAO Contact:
Stephen M. Lord, (202) 512-4379 or at lords@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, David Bruno, Assistant
Director; Geoffrey Hamilton; Richard Hung; John C. Martin; Lara
Miklozek; Julie E. Silvers; and Michelle R. Su made key contributions
to this report.
[End of section]
Footnotes:
[1] See GAO, Transportation Worker Identification Credential: Progress
Made in Enrolling Workers and Activating Credentials but Evaluation
Plan Needed to Help Inform the Implementation of Card Readers,
[hyperlink, http://www.gao.gov/products/GAO-10-43] (Washington, D.C.:
Nov. 18, 2009); Transportation Security: DHS Should Address Key
Challenges before Implementing the Transportation Worker
Identification Credential Program, [hyperlink,
http://www.gao.gov/products/GAO-06-982] (Washington, D.C.: Sept. 29,
2006); and Port Security: Better Planning Needed to Develop and
Operate Maritime Worker Identification Card Program, [hyperlink,
http://www.gao.gov/products/GAO-05-106] (Washington, D.C.: Dec. 10,
2004).
[2] Pub. L. No. 107-295, 116 Stat. 2064 (2002). Under United States
Coast Guard regulations, a secure area, in general, is an area over
which the owner/operator has implemented security measures for access
control in accordance with a Coast Guard-approved security plan. For
most maritime facilities, the secure area is generally any place
inside the outermost access control point. For a vessel or outer
continental shelf facility, such as off-shore petroleum or gas
production facilities, the secure area is generally the whole vessel
or facility. Biometrics refers to technologies that measure and
analyze human body characteristics--such as fingerprints, eye retinas
and irises, voice patterns, facial patterns, and hand measurements--
for authentication purposes.
[3] DHS established its Screening Coordination Office (SCO) to
coordinate and harmonize the numerous and disparate credentialing and
screening initiatives within DHS. A card is personalized when the
cardholder's personal information, such as photograph and name, are
added to the card.
[4] Pub. L. No. 111-281, 124 Stat. 2905, 3000 (2010).
[5] USCIS's Secure Mail Initiative utilizes the United States Postal
Service's Priority Mail with Delivery Confirmation service to enhance
accountability and customer service in the delivery of secure
immigration documents to customers. This initiative allows USCIS to
prove when secure documents were mailed, and allows customers to track
their documents through the mailing process.
[6] See, for example, Federal Information Processing Standards (FIPS)
Publication 201-1, Personal Identity Verification (PIV) of Federal
Employees and Contractors (Gaithersburg, Md., March 2006), and
National Institute of Standards and Technology Special Publication 800-
63, Electronic Authentication Guideline (Gaithersburg, Md., April
2006).
[7] See GAO, GAO Cost Estimating and Assessment Guide: Best Practices
for Developing and Managing Capital Program Costs, [hyperlink,
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March
2009), and Department of Homeland Security, Cost Benefit Analysis
Guidebook, Version 2.0 (Washington D.C., February 2006).
[8] The committees that requested the work include the Senate
Committee on Commerce, Science, and Transportation, including the
Subcommittee on Oceans, Atmosphere, Fisheries, and Coast Guard and the
Subcommittee on Surface Transportation and Merchant Marine
Infrastructure, Safety, and Security; the House Committee on
Transportation and Infrastructure, including the Subcommittee on Coast
Guard and Maritime Transportation; and the House Committee on Homeland
Security.
[9] Pub. L. No. 107-71, 115 Stat. 597 (2001).
[10] TSA was transferred from the Department of Transportation to DHS
pursuant to requirements in the Homeland Security Act, enacted on
November 25, 2002 (Pub. L. No. 107-296, 116 Stat. 2135 (2002)).
[11] Prior to TWIC, facilities and vessels administered their own
approaches for controlling access based on the perceived risk at the
facility. These approaches, among others, included requiring people
seeking access to have a reason for entering, facility-specific
identification, and in some cases, a background check. Some ports and
port facilities still maintain their own credentials.
[12] Pub. L. No. 109-347, 120 Stat. 1884 (2006).
[13] 72 Fed. Reg. 3492 (2007).
[14] Prior to issuing a TWIC, each TWIC is activated, or turned on,
after the person being issued the TWIC provides a personal
identification number (PIN).
[15] TSA is to conduct a security threat assessment of each TWIC
applicant. TWIC program threat assessment processes include conducting
a background check to determine whether each TWIC applicant is a
security risk to the United States. These checks, in general, can
include checking criminal history records, immigration status,
terrorism databases and watch lists, and records indicating an
adjudication of lack of mental capacity, among other things. TSA
regulations define "security threat" to mean an individual whom TSA
determines or suspects of posing a threat to national security, to
transportation security, or of terrorism.
[16] The fee for a TWIC is $132.50 and is valid for 5 years. Workers
with current, comparable background checks will pay a reduced fee of
$105.25. If workers are eligible to pay the lower price, their TWICs
will expire 5 years from the date of the comparable credential. The
cost of a replacement TWIC, if the original is lost, stolen, or
damaged, is $60.00.
[17] Under TSA's contract for the TWIC program, the contractor is
responsible for staffing enrollment centers with trained trusted
agents.
[18] On March 15, 2011, H.R. 1105 was introduced in the House of
Representatives with provisions designed to ensure that TWICs held by
certain maritime workers do not expire until DHS issues the final
reader rule or December 31, 2014, whichever is earlier.
[19] This PIN allows for two-factor authentication of the TWIC
holder's identity by confirming something the person has (the TWIC)
and something the person knows (the PIN). Further, MTSA-regulated
facilities and vessels may require TWIC users to use the PIN to unlock
electronic information in a TWIC, such as the TWIC holder's picture.
[20] According to TSA officials, beginning in February 2009,
individuals could call the TWIC Help Desk to request that their TWICs
be sent to an alternate enrollment center for activation and issuance.
In May 2009, TSA added an option where, at the time of enrollment,
individuals could indicate that they would like to pick up their TWICs
from sites other than those at which they enrolled.
[21] TSA has spent an additional $230,000 transferring workers' cards
to alternate enrollment centers for activation and issuance.
[22] Office of Management and Budget implementation guidance on HSPD-
12, in general, defines "federally controlled facilities" to mean (1)
federally owned buildings or leased space, all or any portion of which
is under the jurisdiction, custody, or control of a department or
agency covered by the directive; (2) federally controlled commercial
space shared with nongovernmental tenants (for example, if a
department or agency leased the 10TH floor of a commercial building,
the directive applies to the 10TH floor only; (3) government-owned,
contractor-operated facilities; and (4) facilities under a management
and operating contract, such as for the operation, maintenance, or
support of a government-owned or government-controlled research,
development, special production, or testing establishment.
[23] FIPS 201-1 is currently undergoing a mandatory 5-year review. For
the purposes of this review, we used the current draft version issued
by NIST, which was dated March 2011. This is commonly referred to as
the March 2011 draft FIPS 201-2.
[24] [hyperlink, http://www.gao.gov/products/GAO-09-3SP].
[25] 6 U.S.C. § 469(a).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
