Aviation Security
TSA Has Taken Actions to Improve Security, but Additional Efforts Remain Gao ID: GAO-11-807T July 13, 2011In Process
DHS has completed an initial study to validate the scientific basis of the SPOT program; however, additional work remains to fully validate the program. GAO reported in May 2010 that TSA deployed this program, which uses behavior observation and analysis techniques to identify potentially high-risk passengers, before determining whether there was a scientifically valid basis for using behavior and appearance indicators as a means for reliably identifying passengers who may pose a risk to the U.S. aviation system. TSA officials said that SPOT was deployed in response to potential threats, such as suicide bombers, and was based on scientific research available at the time. GAO recommended in May 2010 that DHS, as part of its study, assess the methodology to help ensure the validity of the SPOT program. DHS concurred and its April 2011 validation study found that SPOT was more effective than random screening to varying degrees. For example, the study found that SPOT was more effective than random screening at identifying individuals who possessed fraudulent documents and individuals who were subsequently arrested. However, DHS's study was not designed to fully validate whether behavior detection can be used to reliably identify individuals in an airport environment who pose a security risk. The study noted that additional work is needed to comprehensively validate the program. TSA officials are assessing the actions needed to address the study's recommendations. In September 2009, GAO reported that since 2004 TSA has taken actions to strengthen airport perimeter and access controls security by, among other things, deploying a random worker screening program; however, TSA has not conducted a comprehensive risk assessment or developed a national strategy. Specifically, TSA had not conducted vulnerability assessments for 87 percent of the approximately 450 U.S. airports regulated by TSA at that time. GAO recommended that TSA develop (1) a comprehensive risk assessment and evaluate the need to assess airport vulnerabilities nationwide and (2) a national strategy to guide efforts to strengthen airport security. DHS concurred and said TSA is developing the assessment and strategy, but has not yet evaluated the need to assess airport vulnerabilities nationwide. GAO reported in July 2011 that TSA revised explosives detection requirements for its explosives detection systems (EDS) used to screen checked baggage in January 2010, but faces challenges in deploying EDS that meet these requirements. Deploying systems that meet the 2010 EDS requirements could be difficult given that TSA did not begin deployment of systems meeting the previous 2005 requirements until 2009. As of January 2011 some of the EDS in TSA's fleet detect explosives at the level established in 2005 while the remaining EDS detect explosives at levels established in 1998. Further, TSA does not have a plan to deploy and operate systems to meet the current requirements and has faced challenges in procuring the first 260 systems to meet these requirements. GAO recommended that TSA, among other things, develop a plan to ensure that EDS are operated at the levels in established requirements. DHS agreed and has outlined actions to do so. GAO has made recommendations in prior work to strengthen TSA's SPOT program, airport security efforts, checked baggage screening efforts. DHS and TSA generally concurred with the recommendations and have actions under way to address them.
GAO-11-807T, Aviation Security: TSA Has Taken Actions to Improve Security, but Additional Efforts Remain
This is the accessible text file for GAO report number GAO-11-807T
entitled 'Aviation Security: TSA Has Taken Actions to Improve
Security, but Additional Efforts Remain' which was released on July
13, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on National Security, Homeland Defense, and
Foreign Operations, Committee on Oversight and Government Reform,
House of Representatives:
For Release on Delivery:
Expected at 9:30 a.m. EDT:
Wednesday, July 13, 2011:
Aviation Security:
TSA Has Taken Actions to Improve Security, but Additional Efforts
Remain:
Statement of Stephen M. Lord, Director:
Homeland Security and Justice Issues:
GAO-11-807T:
GAO Highlights:
Highlights of GAO-11-807T, a testimony before the Subcommittee on
National Security, Homeland Defense, and Foreign Operations, Committee
on Oversight and Government Reform, House of Representatives.
Why GAO Did This Study:
The attempted bombing of Northwest flight 253 in December 2009
underscores the need for effective aviation security programs.
Aviation security remains a daunting challenge with hundreds of
airports, thousands of aircraft, and thousands of flights daily
carrying millions of passengers and pieces of checked baggage. The
Department of Homeland Security‘s (DHS) Transportation Security
Administration (TSA) has spent billions of dollars and implemented a
wide range of aviation security initiatives. Three key layers of
aviation security are (1) TSA‘s Screening of Passengers by Observation
Techniques (SPOT) program designed to identify persons who may pose a
security risk; (2) airport perimeter and access controls security; and
(3) checked baggage screening systems. This testimony provides
information on the extent to which TSA has taken actions to validate
the scientific basis of SPOT, strengthen airport perimeter security
and access controls, and deploy more effective checked baggage
screening systems. This statement is based on prior reports GAO issued
from September 2009 through July 2011 and selected updates in June and
July 2011. GAO analyzed documents on TSA‘s progress in strengthening
aviation security, among other things.
What GAO Found:
DHS has completed an initial study to validate the scientific basis of
the SPOT program; however, additional work remains to fully validate
the program. GAO reported in May 2010 that TSA deployed this program,
which uses behavior observation and analysis techniques to identify
potentially high-risk passengers, before determining whether there was
a scientifically valid basis for using behavior and appearance
indicators as a means for reliably identifying passengers who may pose
a risk to the U.S. aviation system. TSA officials said that SPOT was
deployed in response to potential threats, such as suicide bombers,
and was based on scientific research available at the time. GAO
recommended in May 2010 that DHS, as part of its study, assess the
methodology to help ensure the validity of the SPOT program. DHS
concurred and its April 2011 validation study found that SPOT was more
effective than random screening to varying degrees. For example, the
study found that SPOT was more effective than random screening at
identifying individuals who possessed fraudulent documents and
individuals who were subsequently arrested. However, DHS‘s study was
not designed to fully validate whether behavior detection can be used
to reliably identify individuals in an airport environment who pose a
security risk. The study noted that additional work is needed to
comprehensively validate the program. TSA officials are assessing the
actions needed to address the study‘s recommendations.
In September 2009, GAO reported that since 2004 TSA has taken actions
to strengthen airport perimeter and access controls security by, among
other things, deploying a random worker screening program; however,
TSA has not conducted a comprehensive risk assessment or developed a
national strategy. Specifically, TSA had not conducted vulnerability
assessments for 87 percent of the approximately 450 U.S. airports
regulated by TSA at that time. GAO recommended that TSA develop (1) a
comprehensive risk assessment and evaluate the need to assess airport
vulnerabilities nationwide and (2) a national strategy to guide
efforts to strengthen airport security. DHS concurred and said TSA is
developing the assessment and strategy, but has not yet evaluated the
need to assess airport vulnerabilities nationwide.
GAO reported in July 2011 that TSA revised explosives detection
requirements for its explosives detection systems (EDS) used to screen
checked baggage in January 2010, but faces challenges in deploying EDS
that meet these requirements. Deploying systems that meet the 2010 EDS
requirements could be difficult given that TSA did not begin
deployment of systems meeting the previous 2005 requirements until
2009. As of January 2011 some of the EDS in TSA‘s fleet detect
explosives at the level established in 2005 while the remaining EDS
detect explosives at levels established in 1998. Further, TSA does not
have a plan to deploy and operate systems to meet the current
requirements and has faced challenges in procuring the first 260
systems to meet these requirements. GAO recommended that TSA, among
other things, develop a plan to ensure that EDS are operated at the
levels in established requirements. DHS agreed and has outlined
actions to do so.
What GAO Recommends:
GAO has made recommendations in prior work to strengthen TSA‘s SPOT
program, airport security efforts, checked baggage screening efforts.
DHS and TSA generally concurred with the recommendations and have
actions under way to address them.
View [hyperlink, http://www.gao.gov/products/GAO-11-807T] or key
components. For more information, contact Stephen M. Lord at (202) 512-
8777 or lords@gao.gov.
[End of section]
Chairman Chaffetz, Ranking Member Tierney, and Members of the
Subcommittee:
I appreciate the opportunity to participate in today's hearing to
discuss three key layers of aviation security: (1) the Transportation
Security Administration's (TSA) behavior-based passenger screening
program, (2) airport perimeter and access controls security, and (3)
airport checked baggage screening systems.[Footnote 1] The attempted
terrorist bombing of Northwest flight 253 on December 25, 2009,
provided a vivid reminder that civil aviation remains an attractive
terrorist target and underscores the need for effective passenger
screening. According to the President's National Counterterrorism
Strategy released in June 2011, aviation security and screening is an
essential tool in our ability to detect, disrupt, and defeat plots to
attack the homeland.[Footnote 2]
Securing commercial aviation operations remain a daunting task--with
hundreds of airports, thousands of aircraft, and thousands of flights
daily carrying millions of passengers and pieces of checked baggage.
In the almost 10 years that have passed since TSA assumed
responsibility for aviation security, TSA has spent billions of
dollars and implemented a wide range of initiatives to strengthen the
layers of aviation security. However, risks to the aviation system
remain.
In addition, while airport operators, not TSA, generally retain direct
day-to-day operational responsibility for airport perimeter security
and implementing access controls for secure areas of their airports,
TSA has responsibility for establishing and implementing measures to
improve security in these areas.[Footnote 3] Criminal incidents
involving airport workers using their access privileges to smuggle
weapons and drugs into secure areas and onto planes have heightened
concerns about the risks posed by workers and the security of airport
perimeters and access to secure areas.
My statement today discusses the extent to which TSA has taken actions
to (1) validate the scientific basis of its behavior-based passenger
screening program (referred to as SPOT), (2) strengthen the security
of airport perimeters and access controls, and (3) deploy more
effective checked baggage screening systems.
This statement is based on our prior work issued from September 2009
through July 2011, and includes selected updates conducted from June
2011 through July 2011 on TSA's efforts to implement our prior
recommendations regarding aviation security, including those related
to SPOT and airport perimeters and access to secure areas of airports.
[Footnote 4] For our May 2010 report on SPOT, we reviewed relevant
literature on behavior analysis by subject matter experts.[Footnote 5]
We conducted field site visits to 15 TSA-regulated airports with SPOT
to observe operations and meet with key program personnel.[Footnote 6]
We also interviewed recognized experts in the field, as well as
cognizant officials from other U.S. government agencies that utilize
behavior analysis in their work. For the updates, we analyzed
documentation from TSA on the actions it has taken to implement the
recommendations from our May 2010 report, including efforts to
validate the scientific basis for the program. As part of our efforts
to update this information, we analyzed DHS's April 2011 SPOT
validation study and discussed its findings with cognizant DHS
officials.
For our September 2009 report on TSA efforts to secure airport
perimeters and access controls, we examined TSA documents related to
risk assessments, airport security programs, and risk management. We
also interviewed TSA, airport, and industry association officials and
conducted site visits at nine TSA-regulated airports of varying size.
[Footnote 7] We selectively updated the information in the report on
risk management in July 2011.
For our July 2011 report on checked baggage systems, we compared
requirements for explosives detection systems (EDS) established by TSA
in 2010 and compared them to requirements previously established in
2005 and 1998 to determine how they differed.[Footnote 8] To identify
challenges TSA is experiencing in implementing the current EDS
acquisition, we analyzed documentation from the Electronic Baggage
Screening Program, including the acquisition strategy and risk
management plans. We also interviewed TSA program officials regarding
their approach to the current EDS acquisition, including revisions to
plans and timelines. Our previously published products contain
additional details on the scope and methodology, including data
reliability, for these reviews.
All of our work was conducted in accordance with generally accepted
government auditing standards. These standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis of our findings and conclusions based on
our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives. For new information that was based on work not previously
reported, we obtained TSA views on our findings and incorporated
technical comments where appropriate.
Background:
The Aviation and Transportation Security Act established TSA as the
federal agency with primary responsibility for securing the nation's
civil aviation system, which includes the screening of all passenger
and property transported by commercial passenger aircraft.[Footnote 9]
At the 463 TSA-regulated airports in the U.S., prior to boarding an
aircraft, all passengers, their accessible property, and their checked
baggage are screened pursuant to TSA-established procedures, which
include passengers passing through security checkpoints where they and
their identification documents are checked by transportation security
officers (TSO) and other TSA employees or by private sector screeners
under TSA's Screening Partnership Program.[Footnote 10] Airport
operators, however, are directly responsible for implementing TSA
security requirements, such as those relating to perimeter security
and access controls, in accordance with their approved security
programs and other TSA direction.
TSA relies upon multiple layers of security to deter, detect, and
disrupt persons posing a potential risk to aviation security. These
layers include behavior detection officers (BDOs), who examine
passenger behaviors and appearances to identify passengers who might
pose a potential security risk at TSA-regulated airports;[Footnote 11]
travel document checkers, who examine tickets, passports, and other
forms of identification; TSOs responsible for screening passengers and
their carry-on baggage at passenger checkpoints, using x-ray
equipment, magnetometers, Advanced Imaging Technology, and other
devices; random employee screening; and checked baggage screening
systems.[Footnote 12] Other security layers cited by TSA include,
among others; intelligence gathering and analysis; passenger
prescreening against terrorist watchlists; random canine team searches
at airports; federal air marshals, who provide federal law enforcement
presence on selected flights operated by U.S. air carriers; Visible
Intermodal Protection Response (VIPR) teams; reinforced cockpit doors;
the passengers themselves; as well as other measures both visible and
invisible to the public. Figure 1 shows TSA's layers of aviation
security. TSA has also implemented a variety of programs and
protective actions to strengthen airport perimeters and access to
sensitive areas of the airport, including conducting additional
employee background checks and assessing different biometric-
identification technologies.[Footnote 13] Airport perimeter and access
control security is intended to prevent unauthorized access into
secure areas of an airport--either from outside or within the airport
complex.
Figure 1: TSA's Layers of Security:
[Refer to PDF for image: illustration]
Intelligence:
International Partnerships:
Customs and Border Protection:
Joint Terrorism Task Force:
No-fly List and Passenger Pre-screening[A]:
Crew Vetting:
VIPR:
Canines:
Behavior Detection Officers:
Travel Document Checker:
Checkpoint/Transportation Security Officers:
Checked Baggage:
Transportation Security Inspectors:
Random Employee Screening:
Bomb Appraisal Officers:
Federal Air Marshal Service:
Federal Flight Deck Officers:
Trained Flight Crew:
Law Enforcement Officers:
Hardened Cockpit Door:
Passengers:
Source: TSA.
[A] The No-Fly List is used to identify individuals who are to be
prevented from boarding an aircraft while the Selectee List, another
aspect of passenger prescreening, is used to identify individuals
required to undergo additional screening before being permitted to
board an aircraft. The No Fly and Selectee lists are derived from the
consolidated terrorist watchlist maintained by the Federal Bureau of
Investigation's Terrorist Screening Center.
[End of figure]
According to TSA, each one of these layers alone is capable of
stopping a terrorist attack. TSA states that the security layers in
combination multiply their value, creating a much stronger system, and
that a terrorist who has to overcome multiple security layers to carry
out an attack is more likely to be preempted, deterred, or to fail
during the attempt.
Behavior Detection Program:
TSA has taken actions to validate the science underlying its behavior
detection program, but more work remains. We reported in May 2010 that
TSA deployed SPOT nationwide before first determining whether there
was a scientifically valid basis for using behavior and appearance
indicators as a means for reliably identifying passengers who may pose
a risk to the U.S. aviation system.[Footnote 14] DHS's Science and
Technology Directorate completed a validation study in April 2011 to
determine the extent to which SPOT was more effective than random
screening at identifying security threats and how the program's
behaviors correlate to identifying high-risk travelers.[Footnote 15]
However, as noted in the study, the assessment was an initial
validation step, but was not designed to fully validate whether
behavior detection can be used to reliably identify individuals in an
airport environment who pose a security risk. According to DHS,
further research will be needed to comprehensively validate the
program.
According to TSA, SPOT was deployed before a scientific validation of
the program was completed to help address potential threats to the
aviation system, such as those posed by suicide bombers. TSA also
stated that the program was based upon scientific research available
at the time regarding human behaviors. We reported in May 2010 that
approximately 14,000 passengers were referred to law enforcement
officers under SPOT from May 2004 through August 2008.[Footnote 16] Of
these passengers, 1,083 were arrested for various reasons, including
being illegal aliens (39 percent), having outstanding warrants (19
percent), and possessing fraudulent documents (15 percent). The
remaining 27 percent were related to other reasons for arrest. As
noted in our May 2010 report, SPOT officials told us that it is not
known if the SPOT program has ever resulted in the arrest of anyone
who is a terrorist, or who was planning to engage in terrorist-related
activity. According to TSA, SPOT referred about 50,000 passengers for
additional screening in fiscal year 2010 resulting in about 3,600
referrals to law enforcement officers. These referrals yielded
approximately 300 arrests. Of these 300 arrests, TSA stated that 27
percent were illegal aliens, 17 percent were drug-related, 14 percent
were related to fraudulent documents, 12 percent were related to
outstanding warrants, and 30 percent were related to other offenses.
DHS has requested about $254 million in fiscal year 2012 for the SPOT
program, which would support an additional 350 (or 175 full-time
equivalent) BDOs. If TSA receives its requested appropriation, TSA
will be in a position to have invested about $1 billion in the SPOT
program since fiscal year 2007.
A 2008 report issued by the National Research Council of the National
Academy of Sciences stated that the scientific evidence for behavioral
monitoring is preliminary in nature.[Footnote 17] The report also
noted that an information-based program, such as a behavior detection
program, should first determine if a scientific foundation exists and
use scientifically valid criteria to evaluate its effectiveness before
deployment. The report added that such programs should have a sound
experimental basis and that the documentation on the program's
effectiveness should be reviewed by an independent entity capable of
evaluating the supporting scientific evidence.[Footnote 18]
As we reported in May 2010, an independent panel of experts could help
DHS develop a comprehensive methodology to determine if the SPOT
program is based on valid scientific principles that can be
effectively applied in an airport environment for counterterrorism
purposes. Thus, we recommended that the Secretary of Homeland Security
convene an independent panel of experts to review the methodology of
the validation study on the SPOT program being conducted to determine
whether the study's methodology is sufficiently comprehensive to
validate the SPOT program. We also recommended that this assessment
include appropriate input from other federal agencies with expertise
in behavior detection and relevant subject matter experts.[Footnote
19] DHS concurred and stated that its validation study, completed in
April 2011, included an independent review of the study with input
from a broad range of federal agencies and relevant experts, including
those from academia.
DHS's validation study found that SPOT was more effective than random
screening to varying degrees. For example, the study found that SPOT
was more effective than random screening at identifying individuals
who possessed fraudulent documents and identifying individuals who law
enforcement officers ultimately arrested.[Footnote 20] According to
DHS's study, no other counterterrorism or screening program
incorporating behavior-and appearance-based indicators is known to
have been subjected to such a rigorous, systematic evaluation of its
screening accuracy. However, DHS noted that the identification of such
high-risk passengers was rare in both the SPOT and random tests. In
addition, DHS determined that the base rate, or frequency, of SPOT
behavioral indicators observed by TSA to detect suspicious passengers
was very low and that these observed indicators were highly varied
across the traveling public. Although details about DHS's findings
related to these indicators are sensitive security information, the
low base rate and high variability of traveler behaviors highlights
the challenge that TSA faces in effectively implementing a
standardized list of SPOT behavioral indicators.
In addition, DHS outlined several limitations to the study. For
example, the study noted that BDOs were aware of whether individuals
they were screening were referred to them as the result of identified
SPOT indicators or random selection. DHS stated that this had the
potential to introduce bias into the assessment. DHS also noted that
SPOT data from January 2006 through October 2010 were used in its
analysis of behavioral indicators even though questions about the
reliability of the data exist.[Footnote 21] In May 2010, we reported
weaknesses in TSA's process for maintaining operational data from the
SPOT program database. Specifically, the SPOT database did not have
computerized edit checks built into the system to review the format,
existence, and reasonableness of data. Because of these data-related
issues, we reported that meaningful analyses could not be conducted to
determine if there is an association between certain behaviors and the
likelihood that a person displaying certain behaviors would be
referred to a law enforcement officer or whether any behavior or
combination of behaviors could be used to distinguish deceptive from
nondeceptive individuals. In our May 2010 report, we recommended that
TSA establish controls for this SPOT data. DHS agreed and TSA has
established additional data controls as part of its database upgrade.
However, some of DHS's analysis used SPOT data recorded prior to these
additional controls.
The study also noted that it was not designed to comprehensively
validate whether SPOT can be used to reliably identify individuals in
an airport environment who pose a security risk. The DHS study made
recommendations related to strengthening the program and conducting a
more comprehensive validation of whether the science can be used for
counterterrorism purposes in the aviation environment.[Footnote 22]
Some of these recommendations, such as the need for a comprehensive
program evaluation including a cost-benefit analysis, reiterate
recommendations made in our prior work. As we reported in March 2011,
Congress may wish to consider the study's results in making future
funding decisions regarding the program.[Footnote 23] TSA is currently
reviewing the study's findings and assessing the steps needed to
address DHS's recommendations. If TSA decides to implement the
recommendations in the April 2011 DHS validation study, DHS may be
years away from knowing whether there is a scientifically valid basis
for using behavior detection techniques to help secure the aviation
system against terrorist threats given that the initial study took
about 4 years to complete.
Airport Perimeter and Access Controls:
TSA has taken actions to strengthen airport perimeter and access
controls security, but has not conducted a comprehensive risk
assessment or developed a national strategy for airport security. We
reported in September 2009 that TSA has implemented a variety of
programs and actions since 2004 to improve and strengthen airport
perimeter and access controls security, including strengthening worker
screening and improving access control technology.[Footnote 24] For
example, to better address the risks posed by airport workers, in 2007
TSA implemented a random worker screening program that has been used
to enforce access procedures, such as ensuring workers display
appropriate credentials and do not possess unauthorized items when
entering secure areas. According to TSA officials, this program was
developed to help counteract the potential vulnerability of airports
to an insider attack--an attack from an airport worker with authorized
access to secure areas. TSA has also expanded its requirements for
conducting worker background checks and the population of individuals
who are subject to these checks. For example, in 2007 TSA expanded
requirements for name-based checks to all individuals seeking or
holding airport-issued identification badges and in 2009 began
requiring airports to renew all airport-identification media every 2
years. TSA also reported taking actions to identify and assess
technologies to strengthen airport perimeter and access controls
security, such as assisting the aviation industry and a federal
aviation advisory committee in developing security standards for
biometric access controls.
However, we reported in September 2009 that while TSA has taken
actions to assess risk with respect to airport perimeter and access
controls security, it had not conducted a comprehensive risk
assessment based on assessments of threats, vulnerabilities, and
consequences, as required by DHS's National Infrastructure Protection
Plan (NIPP).[Footnote 25] We further reported that without a full
depiction of threats, vulnerabilities, and consequences, an
organization's ability to establish priorities and make cost-effective
security decisions is limited.[Footnote 26] We recommended that TSA
develop a comprehensive risk assessment, along with milestones for
completing the assessment. DHS concurred with our recommendation and
said it would include an assessment of airport perimeter and access
control security risks as part of a comprehensive assessment for the
transportation sector--the Transportation Sector Security Risk
Assessment (TSSRA). The TSSRA, published in July 2010, included an
assessment of various risk-based scenarios related to airport
perimeter security but did not consider the potential vulnerabilities
of airports to an insider attack--the insider threat--which it
recognized as a significant issue. In July 2011, TSA officials told us
that the agency is developing a framework for insider risk that is to
be included in the next iteration of the assessment, which TSA
expected to be released at the end of calendar year 2011. Such action,
if taken, would meet the intent of our recommendation.
We also recommended that, as part of a comprehensive risk assessment
of airport perimeter and access controls security, TSA evaluate the
need to conduct an assessment of security vulnerabilities at airports
nationwide.[Footnote 27] At the time of our review, TSA told us its
primary measures for assessing the vulnerability of airports to attack
were professional judgment and the collective results of joint
vulnerability assessments (JVA) it conducts with the Federal Bureau of
Investigation (FBI) for select--usually high-risk--airports.[Footnote
28] Our analysis of TSA data showed that from fiscal years 2004
through 2008, TSA conducted JVAs at about 13 percent of the
approximately 450 TSA-regulated airports that existed at that time,
thus leaving about 87 percent of airports unassessed.[Footnote 29] TSA
has characterized U.S. airports as an interdependent system in which
the security of all is affected or disrupted by the security of the
weakest link. However, we reported that TSA officials could not
explain to what extent the collective JVAs of specific airports
constituted a reasonable systems-based assessment of vulnerability
across airports nationwide. Moreover, TSA officials said that they did
not know to what extent the 87 percent of commercial airports that had
not received a JVA as of September 2009--most of which were smaller
airports--were vulnerable to an intentional security breach. DHS
concurred with our recommendation to assess the need for a
vulnerability assessment of airports nationwide. TSA officials also
stated that based on our review they intended to increase the number
of JVAs conducted at Category II, III, and IV airports and that the
resulting data would assist TSA in prioritizing the allocation of
limited resources. Our analysis of TSA data showed that from fiscal
year 2004 through July 1, 2011, TSA conducted JVAs at about 17 percent
of the TSA-regulated airports that existed at that time, thus leaving
about 83 percent of airports unassessed.[Footnote 30] Since we issued
our report in September 2009, TSA had not conducted JVAs at Category
III and IV airports.[Footnote 31] Further, TSA could not tell us to
what extent it has studied the need to conduct JVAs of security
vulnerabilities at airports nationwide.
We also reported in September 2009 that TSA's efforts to enhance the
security of the nation's airports have not been guided by a national
strategy that identifies key elements, such as goals, priorities,
performance measures, and required resources.[Footnote 32] To better
ensure that airport stakeholders take a unified approach to airport
security, we recommended that TSA develop a national strategy for
airport security that incorporates key characteristics of effective
security strategies, such as measurable goals and priorities. DHS
concurred with this recommendation and stated that TSA would implement
it by updating the Transportation Systems-Sector Specific Plan (TS-
SSP), to be released in the summer of 2010.[Footnote 33] In July 2011
TSA officials told us that a pre-publication version of the TS-SSP had
been sent to Congress on June 29, 2011, and that DHS was in the
process of finalizing the TS-SSP for publication, but a specific date
had not been set for public release.
Checked Baggage Screening Systems:
TSA has revised explosives detection requirements for checked baggage
screening systems but faces challenges in deploying equipment that
meet the requirements. Explosives represent a continuing threat to the
checked baggage component of aviation security. TSA deploys EDS and
explosives trace detection (ETD) machines to screen all checked
baggage transported by U.S. and foreign air carriers departing from
TSA-regulated airports in the United States. An EDS uses a computed
tomography X-ray source that rotates around a bag, obtaining a large
number of cross-sectional images that are integrated by a computer
that automatically triggers an alarm when objects with the
characteristic of explosives are detected. An ETD machine is used to
chemically analyze trace materials after a human operator swabs
checked baggage to identify any traces of explosive material. TSA
seeks to ensure that checked baggage screening technology is capable
of detecting explosives through its Electronic Baggage Screening
Program, one of the largest acquisition programs within DHS. Under the
program, TSA certifies and acquires systems used to screen checked
baggage at 463 TSA-regulated airports throughout the United States.
TSA certifies explosives detection-screening technologies to ensure
they meet explosives detection requirements developed in conjunction
with the DHS Science and Technology Directorate along with input from
other agencies, such as the FBI and Department of Defense.
Our July 2011 report addressed TSA's efforts to enhance explosives
detection requirements for checked-baggage screening technologies as
well as TSA's efforts to ensure that currently deployed and newly
acquired explosives detection technologies meet the enhanced
requirements.[Footnote 34] As highlighted in our July 2011 report,
requirements for EDSs were established in 1998 and subsequently
revised in 2005 and 2010 to better address the threats. Currently,
checked baggage screening systems are not operating under the 2010
requirements. As of January 2011, some of the EDS in TSA's fleet are
detecting explosives at the level established by the 2005 requirements
[Footnote 35] Meanwhile, other EDS are configured to meet older
requirements established in 1998, but include software to meet 2005
requirements. The remaining EDS are configured to meet 1998
requirements but lack the software or both the hardware and software
that would enable them to detect at the levels established by the 2005
requirements. TSA plans to implement the revised requirements in a
phased approach spanning several years.[Footnote 36] The first phase,
which includes implementation of the 2005 requirements, is scheduled
to take years to fully implement and deploying EDS that meet 2010
requirements could prove difficult given that TSA did not begin
deployment of EDS meeting 2005 requirements until 2009--4 years later.
We found that TSA did not have a plan to deploy and operate EDS to
meet the most recent requirements and recommended, among other things,
that TSA develop a plan to deploy EDS that meet the current EDS
explosives detection requirements and ensure that new EDS, as well as
those already deployed in airports, be operated at the levels
established in those requirements. In addition, TSA has faced
challenges in procuring the first 260 EDS to meet 2010 requirements.
For example, due to the danger associated with certain explosives, TSA
and DHS encountered challenges safely developing simulants and
collecting data on the explosives' physical and chemical properties
needed by vendors and agencies to develop detection software and test
EDS prior to the current acquisition. Also, TSA's decision to pursue
EDS procurement complicated both the data collection and procurement
efforts, which resulted in a delay of over 7 months for the current
acquisition. We recommended that TSA complete data collection for each
phase of the 2010 EDS requirements prior to pursuing EDS procurements
that meet those requirements to help TSA avoid additional schedule
delays.
Our report also examined other key issues such as the extent to which
TSA's approach to its current EDS acquisition meets best practices for
schedules and cost estimates and included a review of TSA's plans for
potential upgrades of deployed EDSs. The report contained six
recommendations to TSA, including that the agency develop a plan to
ensure that new EDSs, as well as those EDSs currently deployed in
airports, operate at levels that meet revised requirements. DHS
concurred with all of the recommendations and has subsequently
outlined actions to implement them.
Chairman Chaffetz, Ranking Member Tierney, and Members of the
Subcommittee, this concludes my statement. I look forward to answering
any questions that you may have at this time.
GAO Contact and Staff Acknowledgments:
For questions about this statement, please contact Stephen M. Lord at
(202) 512-8777 or lords@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this statement. Individuals making key contributions to this
testimony are David M. Bruno, Glenn Davis, and Steve Morris, Assistant
Directors; Scott Behen; Ryan Consaul; Barbara Guffy; Tom Lombardi;
Lara Miklozek; and Doug Sloane.
[End of section]
Footnotes:
[1] TSA's behavior-based passenger screening program is known as the
Screening of Passengers by Observation Techniques (SPOT) program.
[2] National Strategy for Counterterrorism, (Washington, D.C.: June
28, 2011).
[3] For the purposes of this testimony "secure area" is used generally
to refer to areas specified in an airport security program for which
access is restricted, including the security identification display
areas (SIDA), the air operations areas (AOA), and the sterile areas.
While security measures governing access to such areas may vary, in
general a SIDA is an area in which appropriate identification must be
worn, an AOA is an area providing access to aircraft movement and
parking areas, and a sterile area provides passengers access to
boarding aircraft and where access is generally controlled by TSA or a
private screening entity under TSA oversight. See 49 C.F.R. § 1540.5.
[4] See GAO, Aviation Security: A National Strategy and Other Actions
Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters
and Access Controls, [hyperlink,
http://www.gao.gov/products/GAO-09-399] (Washington, D.C.: Sept. 30,
2009); GAO, Aviation Security: Efforts to Validate TSA's Passenger
Screening Behavior Detection Program Underway, but Opportunities Exist
to Strengthen Validation and Address Operational Challenges,
[hyperlink, http://www.gao.gov/products/GAO-10-763] (Washington, D.C.:
May 20, 2010); and GAO, Aviation Security: TSA Has Enhanced Its
Explosives Detection Requirements for Checked Baggage, but Additional
Screening Actions Are Needed, [hyperlink,
http://www.gao.gov/products/GAO-11-740] (Washington, D.C.: July 11,
2011).
[5] National Research Council, Protecting Individual Privacy in the
Struggle Against Terrorists: A Framework for Assessment (Washington,
D.C.: National Academies Press, 2008). The report's preparation was
overseen by the National Academy of Sciences Committee on Technical
and Privacy Dimensions of Information for Terrorism Prevention and
Other National Goals. Although the report addresses broader issues
related to privacy and data mining, a senior National Research Council
official stated that the committee included behavior detection as a
focus because any behavior detection program could have privacy
implications.
[6] For the purposes of this testimony, the term "TSA-regulated
airport" refers to a U.S. airport operating under a TSA-approved
security program and subject to TSA regulation and oversight. See 49
C.F.R. pt. 1542.
[7] See [hyperlink, http://www.gao.gov/products/GAO-09-399].
[8] See [hyperlink, http://www.gao.gov/products/GAO-11-740].
[9] See Pub. L. No. 107-71, 115 Stat. 597 (2001). For purposes of this
testimony, "commercial passenger aircraft" refers to a U.S. or foreign-
based air carrier operating under TSA-approved security programs with
regularly scheduled passenger operations to or from a U.S. airport.
[10] Private-sector screeners under contract to and overseen by TSA,
and not TSOs, perform screening activities at airports participating
in TSA's Screening Partnership Program. According to TSA, 16 airports
participate in the program as of July 2011. See 49 U.S.C. § 44920.
[11] TSA designed SPOT to provide BDOs with a means of identifying
persons who may pose a potential security risk at TSA-regulated
airports by focusing on behaviors and appearances that deviate from an
established baseline and that may be indicative of stress, fear, or
deception.
[12] Advanced Imaging Technology screens passengers for metallic and
non-metallic threats including weapons, explosives, and other objects
concealed under layers of clothing.
[13] Biometrics are measurements of an individual's unique
characteristics, such as fingerprints, irises, and facial
characteristics, used to verify identity.
[14] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[15] See DHS, SPOT Referral Report Validation Study Final Report
Volume I: Technical Report, (Washington, D.C.: April 5, 2011). DHS's
study defines high-risk passengers as travelers that knowingly and
intentionally try to defeat the security process including those
carrying serious prohibited items, such as weapons; illegal items;
such as drugs; or fraudulent documents; or those that were ultimately
arrested by law enforcement.
[16] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[17] Specifically, the report states that the scientific support for
linkages between behavioral and physiological markers and mental state
is strongest for elementary states, such as simple emotions; weak for
more complex states, such as deception; and nonexistent for highly
complex states, such as when individuals hold terrorist intent and
beliefs.
[18] A study performed by the JASON Program Office raised similar
concerns. The JASON Program Office is an independent scientific
advisory group that provides consulting services to the U.S.
government on matters of defense science and technology.
[19] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[20] The extent to which SPOT is more effective than random at
identifying fraudulent documents and individuals ultimately arrested
by law enforcement officers is deemed sensitive security information
by TSA.
[21] DHS officials stated that this historical SPOT data was not used
in their analysis to determine whether SPOT was more effective than
random screening.
[22] The study made recommendations related to SPOT in three areas:
(1) future validation efforts; (2) comparing SPOT with other screening
programs; and (3) broader program evaluation issues. TSA designated
the specific details of these recommendations sensitive security
information.
[23] See GAO, Opportunities to Reduce Potential Duplication in
Government Programs, Save Tax Dollars, and Enhance Revenue,
[hyperlink, http://www.gao.gov/products/GAO-11-318SP] (Washington,
D.C.: Mar. 1, 2011).
[24] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[25] [hyperlink, http://www.gao.gov/products/GAO-09-399]. DHS
developed the NIPP to guide risk assessment efforts and the protection
of the nation's critical infrastructure, including airports.
[26] See GAO, Transportation Security: Comprehensive Risk Assessments
and Stronger Internal Controls Needed to Help Inform TSA Resource
Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492]
(Washington, D.C.: Mar. 27, 2009).
[27] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[28] According to TSA officials, JVAs are assessments that teams of
TSA special agents and other officials conduct jointly with the FBI,
generally, as required by law, every 3 years for airports identified
as high risk. See 49 U.S.C. § 44904(a)-(b). See also Pub. L. No. 104-
264, § 310, 110 Stat. 3213, 3253 (1996) (establishing the requirement
that the Federal Aviation Administration (FAA) and the FBI conduct
joint threat and vulnerability assessments). Pursuant to ATSA,
responsibility for conducting JVAs transferred from FAA to TSA. For
more information on this issue, see [hyperlink,
http://www.gao.gov/products/GAO-09-399].
[29] From fiscal years 2004 through 2008 TSA conducted 67 JVAs at a
total of 57 airports; 10 airports received 2 JVAs. TSA classifies the
nation's airports into one of five categories (X, I, II, III, and IV)
based on various factors such as the number of take-offs and landings
annually, the extent of passenger screening at the airport, and other
security considerations. In general, Category X airports have the
largest number of passenger boardings and Category IV airports have
the smallest. According to TSA data, of the 67 JVAs conducted at 57
airports from fiscal years 2004 through 2008, 58--or 87 percent--were
Category X and I airports. Of the remaining 9 assessments, 6 were at
Category II airports, 1 at a Category III airport, and 2 at Category
IV airports. Since our September 2009 report was issued, the number of
TSA-regulated airports has increased from approximately 450 to 463.
[30] From fiscal year 2004 through July 1, 2011, TSA conducted 125
JVAs at 78 airports; 47 airports received more than one JVA during
this time period.
[31] From fiscal year 2009 through July 1, 2011, TSA conducted 58 JVAs
at a total of 56 airports; 2 airports received 2 JVAs. According to
TSA data, of the 58 JVAs conducted, 47--or 88 percent--were at
Category X and I airports; 7--12 percent--were conducted at Category
II airports. TSA officials told us that since our report in September
2009 they have initiated a semi-annual report process that, in part,
included a data analysis of the JVAs conducted at airports for the
prior six months. The semi-annual report focuses on airport perimeter,
terminal, critical infrastructure, airport operations, and airport
services. Beginning in fiscal year 2011 the reports are to be
developed on an annual basis. The reports are also used to direct
future JVA efforts.
[32] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[33] TSA developed the TS-SSP to conform to NIPP requirements, which
required sector-specific agencies to develop strategic risk management
frameworks for their sectors that aligned with NIPP guidance.
[34] See [hyperlink, http://www.gao.gov/products/GAO-11-740].
[35] TSA has designated the number of EDS at the 2005 requirement
level sensitive security information.
[36] The specific details included in the 2010 EDS requirements, such
as the physical characteristics and minimum masses of each of the
explosive types that EDS machines must detect, are classified.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
