Aviation Security
TSA Has Made Progress, but Additional Efforts Are Needed to Improve Security
GAO ID: GAO-11-938T September 16, 2011
The attempted bombing of Northwest flight 253 in December 2009 underscores the need for effective aviation security programs. Aviation security remains a daunting challenge with hundreds of airports and thousands of flights daily carrying millions of passengers and pieces of checked baggage. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has spent billions of dollars and implemented a wide range of aviation security initiatives. Two key layers of aviation security are (1) TSA's Screening of Passengers by Observation Techniques (SPOT) program designed to identify persons who may pose a security risk; and (2) airport perimeter and access controls security. This testimony provides information on the extent to which TSA has taken actions to validate the scientific basis of SPOT and strengthen airport perimeter security. This statement is based on prior products GAO issued from September 2009 through September 2011 and selected updates in August and September 2011. To conduct the updates, GAO analyzed documents on TSA's progress in strengthening aviation security, among other things.
DHS completed an initial study in April 2011 to validate the scientific basis of the SPOT program; however, additional work remains to fully validate the program. In May 2010, GAO reported that TSA deployed this program, which uses behavior observation and analysis techniques to identify potentially high-risk passengers, before determining whether there was a scientifically valid basis for using behavior and appearance indicators as a means for reliably identifying passengers who may pose a risk to the U.S. aviation system. TSA officials said that SPOT was deployed in response to potential threats, such as suicide bombers, and was based on scientific research available at the time. TSA is pilot testing revised program procedures at Boston-Logan airport in which behavior detection officers will engage passengers entering screening in casual conversation to help determine suspicious behaviors. TSA plans to expand this pilot program in the fall of 2011. GAO recommended in May 2010 that DHS, as part of its validation study, assess the methodology to help ensure the validity of the SPOT program. DHS concurred and stated that the study included an independent review with a broad range of agencies and experts. The study found that SPOT was more effective than random screening to varying degrees. However, DHS's study was not designed to fully validate whether behavior detection can be used to reliably identify individuals in an airport environment who pose a security risk. The study also noted that additional work was needed to comprehensively validate the program. TSA officials are assessing the actions needed to address the study's recommendations but do not have time frames for completing this work. 
In September 2009 GAO reported that since 2004 TSA has taken actions to strengthen airport perimeter and access controls security by, among other things, deploying a random worker screening program; however, TSA had not conducted a comprehensive risk assessment or developed a national strategy. Specifically, TSA had not conducted vulnerability assessments for 87 percent of the approximately 450 U.S. airports regulated for security by TSA in 2009. GAO recommended that TSA develop (1) a comprehensive risk assessment and evaluate the need to conduct airport vulnerability assessments nationwide and (2) a national strategy to guide efforts to strengthen airport security. DHS concurred and TSA stated that the Transportation Sector Security Risk Assessment, issued in July 2010, was to provide a comprehensive risk assessment of airport security. However, this assessment did not consider the potential vulnerabilities of airports to an insider attack--an attack from an airport worker with authorized access to secure areas. In August 2011, TSA reported that transportation security inspectors conduct vulnerability assessments annually at all commercial airports, including an evaluation of perimeter security. GAO has not yet assessed the extent to which inspectors consistently conduct vulnerability assessments. TSA also updated the Transportation Systems-Sector Specific Plan, which summarizes airport security program activities. However, the extent to which these activities were guided by measurable goals and priorities, among other things, was not clear. Providing such additional information would better address GAO's recommendation. GAO has made recommendations in prior work to strengthen TSA's SPOT program and airport perimeter and access control security efforts. DHS and TSA generally concurred with the recommendations and have actions under way to address them.
This is the accessible text file for GAO report number GAO-11-938T
entitled 'Aviation Security: TSA Has Made Progress, but Additional
Efforts Are Needed to Improve Security' which was released on
September 16, 2011.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Oversight, Investigations, and Management,
Committee on Homeland Security, House of Representatives:
For Release on Delivery:
Expected at 9:30 a.m. EDT:
Friday, September 16, 2011:
Aviation Security:
TSA Has Made Progress, but Additional Efforts Are Needed to Improve
Security:
Statement of Stephen M. Lord, Director:
Homeland Security and Justice Issues:
GAO-11-938T:
View [hyperlink, http://www.gao.gov/products/GAO-11-938T]. For more
information, contact Stephen M. Lord at (202) 512-8777 or
lords@gao.gov.
[End of section]
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee:
I appreciate the opportunity to participate in today's hearing at
Boston-Logan International Airport to discuss two key layers of
aviation security: the Transportation Security Administration's (TSA)
behavior-based passenger screening program and airport perimeter and
access controls.[Footnote 1] The attempted terrorist bombing of
Northwest flight 253 on December 25, 2009, provided a vivid reminder
that civil aviation remains an attractive terrorist target and
underscores the need for effective passenger screening. According to
the President's National Counterterrorism Strategy released in June
2011, aviation security and screening is an essential tool in the
ability to detect, disrupt, and defeat plots to attack the homeland.
[Footnote 2]
Securing commercial aviation operations remains a daunting task--with
hundreds of airports, thousands of aircraft, and thousands of flights
daily carrying millions of passengers and pieces of checked baggage.
In the almost 10 years that have passed since TSA assumed
responsibility for aviation security, TSA has spent billions of
dollars and implemented a wide range of initiatives to strengthen the
layers of aviation security. For fiscal year 2011, TSA had about
54,800 personnel and its budget authority was about $7.7 billion.
However, risks to the aviation system remain. Earlier this month, we
reported on the progress made in securing the aviation system in the
10 years since the September 11, 2001, attacks and the work that still
remains.[Footnote 3]
In addition, while airport operators, not TSA, generally retain direct
day-to-day operational responsibility for airport perimeter security
and implementing access controls for secure areas of their airports,
TSA has responsibility for establishing and implementing measures to
improve security in these areas.[Footnote 4] Criminal incidents
involving airport workers using their access privileges to smuggle
weapons and drugs into secure areas and onto planes have heightened
concerns about the risks posed by workers and the security of airport
perimeters and access to secured areas.
My statement today discusses the extent to which TSA has taken actions
to (1) validate the scientific basis of its behavior-based passenger
screening program (referred to as SPOT) and (2) strengthen the
security of airport perimeters and access controls.
This statement is based on our prior products issued from September
2009 through September 2011, and includes selected updates conducted
in August and September 2011 on TSA's efforts to implement our prior
recommendations regarding SPOT and airport perimeters and access to
secure areas of airports.[Footnote 5] For our May 2010 report on SPOT,
we reviewed relevant literature on behavior analysis by subject matter
experts.[Footnote 6] We conducted field site visits to 15
TSA-regulated airports with SPOT to observe operations and meet with key
program personnel.[Footnote 7] We also interviewed recognized experts
in the field, as well as cognizant officials from other U.S.
government agencies that utilize behavior analysis in their work. For
the updates, we analyzed documentation from TSA on the actions it has
taken to implement the recommendations from our May 2010 report,
including efforts to validate the scientific basis for the program. As
part of our efforts to update this information, we analyzed DHS's
April 2011 SPOT validation study and discussed its findings with
cognizant DHS officials. For our September 2009 report on TSA efforts
to secure airport perimeters and access controls, we examined TSA
documents related to risk assessments, airport security programs, and
risk management. We also interviewed TSA, airport, and industry
association officials and conducted site visits at nine TSA-regulated
airports of varying size.[Footnote 8] For the updates, we analyzed
documentation from TSA on actions it has taken to implement
recommendations from our 2009 report, including efforts to conduct a
comprehensive risk assessment and evaluate the need to conduct an
assessment of security vulnerabilities at airports nationwide, and to
develop a national strategy for airport perimeters and access controls
security that identifies key elements such as goals and priorities. As
part of our efforts to update this information, we analyzed TSA data
on the number of vulnerability assessments conducted at airports from
fiscal year 2004 through July 1, 2011, by airport. More detailed
information on our scope and methodology can be found in our prior
reports.
All of our work was conducted in accordance with generally accepted
government auditing standards.
Background:
The Aviation and Transportation Security Act established TSA as the
federal agency with primary responsibility for securing the nation's
civil aviation system, which includes the screening of all passengers
and property transported by commercial passenger aircraft.[Footnote 9]
At the 463 TSA-regulated airports in the United States, prior to
boarding an aircraft, all passengers, their accessible property, and
their checked baggage are screened pursuant to TSA-established
procedures, which include passengers passing through security
checkpoints where they and their identification documents are checked
by transportation security officers (TSO) and other TSA employees or
by private sector screeners under TSA's Screening Partnership Program.
[Footnote 10] Airport operators, however, are directly responsible for
implementing TSA security requirements, such as those relating to
perimeter security and access controls, in accordance with their
approved security programs and other TSA direction.
TSA relies upon multiple layers of security to deter, detect, and
disrupt persons posing a potential risk to aviation security. These
layers include behavior detection officers (BDO), who examine
passenger behaviors and appearances to identify passengers who might
pose a potential security risk at TSA-regulated airports;[Footnote 11]
TSA has selectively deployed about 3,000 BDOs to 161 of 463
TSA-regulated airports in the United States, including Boston-Logan
airport where the program was initially deployed in 2003. Other
security layers include travel document checkers, who examine tickets,
passports, and other forms of identification; TSOs responsible for
screening passengers and their carry-on baggage at passenger
checkpoints, using x-ray equipment, magnetometers, Advanced Imaging
Technology, and other devices; random employee screening; and checked
baggage screening systems.[Footnote 12] Additional layers cited by TSA
include, among others, intelligence gathering and analysis; passenger
prescreening against terrorist watchlists; random canine team searches
at airports; federal air marshals, who provide federal law enforcement
presence on selected flights operated by U.S. air carriers; Visible
Intermodal Protection Response (VIPR) teams; reinforced cockpit doors;
the passengers themselves; as well as other measures both visible and
invisible to the public.[Footnote 13] Figure 1 shows TSA's layers of
aviation security. TSA has also implemented a variety of programs and
protective actions to strengthen airport perimeters and access to
sensitive areas of the airport, including conducting additional
employee background checks and assessing different
biometric-identification technologies.[Footnote 14] Airport perimeter and access
control security is intended to prevent unauthorized access into
secure areas of an airport--either from outside or within the airport
complex.
Figure 1: TSA's Layers of Security:
[Refer to PDF for image: illustration]
Terrorist paths:
Intelligence;
International Partnerships;
Customs and Border Protection;
Joint Terrorism Task Force;
No-fly List and Passenger Pre-screening[A];
Crew Vetting;
VIPR;
Canines;
Behavior Detection Officers;
Travel Document Checker;
Checkpoint/Transportation Security Officers;
Checked Baggage;
Transportation Security Inspectors;
Random Employee Screening;
Bomb Appraisal Officers;
Federal Air Marshal Service;
Federal Flight Deck Officers;
Trained Flight Crew;
Law Enforcement Officers;
Hardened Cockpit Door;
Passengers.
Source: TSA.
[A] The No-Fly List is used to identify individuals who are to be
prevented from boarding an aircraft while the Selectee List, another
aspect of passenger prescreening, is used to identify individuals
required to undergo additional screening before being permitted to
board an aircraft. The No Fly and Selectee lists are derived from the
consolidated terrorist watchlist maintained by the Federal Bureau of
Investigation's Terrorist Screening Center.
[End of figure]
According to TSA, each one of these layers alone is capable of
stopping a terrorist attack. TSA states that the security layers in
combination multiply their value, creating a much stronger system, and
that a terrorist who has to overcome multiple security layers to carry
out an attack is more likely to be pre-empted, deterred, or to fail
during the attempt.
TSA Has Taken Actions To Validate the Science Underlying Its Behavior
Detection Program, but More Work Remains:
We reported in May 2010 that TSA deployed SPOT nationwide before first
determining whether there was a scientifically valid basis for using
behavior and appearance indicators as a means for reliably identifying
passengers who may pose a risk to the U.S. aviation system.[Footnote
15] DHS's Science and Technology Directorate completed a validation
study in April 2011 to determine the extent to which SPOT was more
effective than random screening at identifying security threats and
how the program's behaviors correlate to identifying high-risk
travelers.[Footnote 16] However, as noted in the study, the assessment
was an initial validation step, but was not designed to fully validate
whether behavior detection can be used to reliably identify
individuals in an airport environment who pose a security risk.
According to DHS, additional work will be needed to comprehensively
validate the program.
According to TSA, SPOT was deployed before a scientific validation of
the program was completed to help address potential threats to the
aviation system, such as those posed by suicide bombers. TSA also
stated that the program was based upon scientific research available
at the time regarding human behaviors. We reported in May 2010 that
approximately 14,000 passengers were referred to law enforcement
officers under SPOT from May 2004 through August 2008.[Footnote 17] Of
these passengers, 1,083 were arrested for various reasons, including
being illegal aliens (39 percent), having outstanding warrants (19
percent), and possessing fraudulent documents (15 percent). The
remaining 27 percent were arrested for other reasons. As noted in our
May 2010 report, SPOT officials told us that it is not known if the
SPOT program has resulted in the arrest of anyone who is a terrorist,
or who was planning to engage in terrorist-related activity. According
to TSA, in fiscal year 2010, SPOT referred about 50,000 passengers for
additional screening and made about 3,600 referrals to law enforcement
officers. The referrals to law enforcement officers yielded
approximately 300 arrests. Of these 300 arrests, TSA stated that 27
percent were illegal aliens, 17 percent were drug-related, 14 percent
were related to fraudulent documents, 12 percent were related to
outstanding warrants, and 30 percent were related to other offenses.
DHS has requested about $254 million for fiscal year 2012 for the SPOT
program, which would support an additional 350 (or 175 full-time
equivalent) BDOs. If TSA receives its requested appropriation, TSA
will be in a position to have invested about $1 billion in the SPOT
program since fiscal year 2007.
According to TSA, as of August 2011, TSA is pilot testing revised
procedures for BDOs at Boston-Logan airport to engage passengers
entering screening in casual conversation to help determine suspicious
behaviors. According to TSA, after a passenger's travel documents are
verified, a BDO will briefly engage each passenger in conversation. If
more information is needed to help determine suspicious behaviors, the
officer will refer the passenger to a second BDO for a more thorough
conversation to determine if additional screening is needed. TSA noted
that these BDOs have received additional training in interviewing
methods. TSA plans to expand this pilot program to additional airports
in the fall of 2011.
A 2008 report issued by the National Research Council of the National
Academy of Sciences stated that the scientific evidence for behavioral
monitoring is preliminary in nature.[Footnote 18] The report also
noted that an information-based program, such as a behavior detection
program, should first determine if a scientific foundation exists and
use scientifically valid criteria to evaluate its effectiveness before
deployment. The report added that such programs should have a sound
experimental basis and that the documentation on the program's
effectiveness should be reviewed by an independent entity capable of
evaluating the supporting scientific evidence.[Footnote 19] According
to the report, a terrorist's desire to avoid detection makes
information-gathering techniques, such as asking what a person has
done, is doing, or plans to do, highly unreliable. Using these
techniques to elicit information could also have definite privacy
implications. These findings, in particular, may be important as TSA
moves forward with its pilot program to expand BDOs' use of
conversation and interviews with all passengers entering screening.
As we reported in May 2010, an independent panel of experts could help
DHS develop a comprehensive methodology to determine if the SPOT
program is based on valid scientific principles that can be
effectively applied in an airport environment for counterterrorism
purposes. Thus, we recommended that the Secretary of Homeland Security
convene an independent panel of experts to review the methodology of
the validation study on the SPOT program being conducted to determine
whether the study's methodology was sufficiently comprehensive to
validate the SPOT program. We also recommended that this assessment
include appropriate input from other federal agencies with expertise
in behavior detection and relevant subject matter experts.[Footnote
20] DHS concurred and stated that its validation study, completed in
April 2011, included an independent review of the study with input
from a broad range of federal agencies and relevant experts, including
those from academia.
DHS's validation study found that SPOT was more effective than random
screening to varying degrees. For example, the study found that SPOT
was more effective than random screening at identifying individuals
who possessed fraudulent documents and identifying individuals who law
enforcement officers ultimately arrested.[Footnote 21] However, DHS
noted that the identification of such high-risk passengers was rare in
both the SPOT and random tests. In addition, DHS determined that the
base rate, or frequency, of SPOT behavioral indicators observed by TSA
to detect suspicious passengers was very low and that these observed
indicators were highly varied across the traveling public. Although
details about DHS's findings related to these indicators are sensitive
security information, the low base rate and high variability of
traveler behaviors highlight the challenge that TSA faces in
effectively implementing a standardized list of SPOT behavioral
indicators.
In addition, DHS outlined several limitations to the study. For
example, the study noted that BDOs were aware of whether individuals
they were screening were referred to them as the result of identified
SPOT indicators or random selection. DHS stated that this had the
potential to introduce bias into the assessment. DHS also noted that
SPOT data from January 2006 through October 2010 were used in its
analysis of behavioral indicators even though questions about the
reliability of the data exist.[Footnote 22] In May 2010, we reported
weaknesses in TSA's process for maintaining operational data from the
SPOT program database. Specifically, the SPOT database did not have
computerized edit checks built into the system to review the format,
existence, and reasonableness of data. In another example, BDOs could
not input all behaviors observed in the SPOT database because the
database limited entry to eight behaviors, six signs of deception, and
four types of prohibited items per passenger referred for additional
screening. Because of these data-related issues, we reported that
meaningful analyses could not be conducted at that time to determine
if there is an association between certain behaviors and the
likelihood that a person displaying certain behaviors would be
referred to a law enforcement officer or whether any behavior or
combination of behaviors could be used to distinguish deceptive from
nondeceptive individuals. In our May 2010 report, we recommended that
TSA establish controls for this SPOT data. DHS agreed and TSA has
established additional data controls as part of its database upgrade.
However, some of DHS's analysis for this study used SPOT data recorded
prior to these additional controls being implemented.
The study also noted that it was not designed to comprehensively
validate whether SPOT can be used to reliably identify individuals in
an airport environment who pose a security risk. The DHS study made
recommendations related to strengthening the program and conducting a
more comprehensive validation of whether the science can be used for
counterterrorism purposes in the aviation environment.[Footnote 23]
Some of these recommendations, such as the need for a comprehensive
program evaluation including a cost-benefit analysis, reiterate
recommendations made in our May 2010 report. TSA is currently
reviewing the study's findings and assessing the steps needed to
address DHS's recommendations but does not have time frames for
completing this work. If TSA decides to implement the recommendations
in the April 2011 DHS validation study, DHS may be years away from
knowing whether there is a scientifically valid basis for using
behavior detection techniques to help secure the aviation system
against terrorist threats given the broad scope of the additional work
and related resources identified by DHS for addressing the
recommendations. Thus, as we reported in March 2011, Congress may wish
to consider the study's results in making future funding decisions
regarding the program.[Footnote 24]
TSA Has Taken Actions to Strengthen Airport Perimeter and Access
Controls Security, but Issues Remain:
We reported in September 2009 that TSA has implemented a variety of
programs and actions since 2004 to improve and strengthen airport
perimeter and access controls security, including strengthening worker
screening and improving access control technology.[Footnote 25] For
example, to better address the risks posed by airport workers, in 2007
TSA implemented a random worker screening program that was used to
enforce access procedures, such as ensuring workers display
appropriate credentials and do not possess unauthorized items when
entering secure areas. According to TSA officials, this program was
developed to help counteract the potential vulnerability of airports
to an insider attack--an attack from an airport worker with authorized
access to secure areas. TSA has also expanded its requirements for
conducting worker background checks and the population of individuals
who are subject to these checks. For example, in 2007 TSA expanded
requirements for name-based checks to all individuals seeking or
holding airport-issued identification badges and in 2009 began
requiring airports to renew all airport-identification media every 2
years. TSA also reported taking actions to identify and assess
technologies to strengthen airport perimeter and access controls
security, such as assisting the aviation industry and a federal
aviation advisory committee in developing security standards for
biometric access controls.
However, we reported in September 2009 that while TSA has taken
actions to assess risk with respect to airport perimeter and access
controls security, it had not conducted a comprehensive risk
assessment based on assessments of threats, vulnerabilities, and
consequences, as required by DHS's National Infrastructure Protection
Plan (NIPP).[Footnote 26] We further reported that without a full
depiction of threats, vulnerabilities, and consequences, an
organization's ability to establish priorities and make cost-effective
security decisions is limited.[Footnote 27] We recommended that TSA
develop a comprehensive risk assessment, along with milestones for
completing the assessment. DHS concurred with our recommendation and
said it would include an assessment of airport perimeter and access
control security risks as part of a comprehensive assessment for the
transportation sector--the Transportation Sector Security Risk
Assessment (TSSRA). The TSSRA, published in July 2010, included an
assessment of various risk-based scenarios related to airport
perimeter security but did not consider the potential vulnerabilities
of airports to an insider attack--the insider threat--which it
recognized as a significant issue. In July 2011, TSA officials told us
that the agency is developing a framework for insider risk that is to
be included in the next iteration of the assessment, which TSA
expected to be released at the end of calendar year 2011. Such action,
if taken, would meet the intent of our recommendation.
We also recommended that, as part of a comprehensive risk assessment
of airport perimeter and access controls security, TSA evaluate the
need to conduct an assessment of security vulnerabilities at airports
nationwide.[Footnote 28] At the time of our review, TSA told us its
primary measures for assessing the vulnerability of airports to attack
were professional judgment and the collective results of joint
vulnerability assessments (JVA) it conducts with the Federal Bureau of
Investigation (FBI) for select--usually high-risk--airports.[Footnote 29]
Our analysis of TSA data showed that from fiscal years 2004
through 2008, TSA conducted JVAs at about 13 percent of the
approximately 450 TSA-regulated airports that existed at that time,
thus leaving about 87 percent of airports unassessed.[Footnote 30] TSA
has characterized U.S. airports as an interdependent system in which
the security of all is affected or disrupted by the security of the
weakest link. However, we reported that TSA officials could not
explain to what extent the collective JVAs of specific airports
constituted a reasonable systems-based assessment of vulnerability
across airports nationwide. Moreover, TSA officials said that they did
not know to what extent the 87 percent of commercial airports that had
not received a JVA as of September 2009--most of which were smaller
airports--were vulnerable to an intentional security breach. DHS
concurred with our 2009 report recommendation to assess the need for a
vulnerability assessment of airports nationwide, and TSA officials
stated that based on our review they intended to increase the number
of JVAs conducted at Category II, III, and IV airports and use the
resulting data to assist in prioritizing the allocation of limited
resources. Our analysis of TSA data showed that from fiscal year 2004
through July 1, 2011, TSA conducted JVAs at about 17 percent of the
TSA-regulated airports that existed at that time, thus leaving about
83 percent of airports unassessed.[Footnote 31]
Since we issued our report in September 2009, TSA had not conducted
JVAs at Category III and IV airports.[Footnote 32] TSA stated that the
TSSRA is to provide a comprehensive risk assessment of airport
security, but could not tell us to what extent it has studied the need
to conduct JVAs of security vulnerabilities at airports nationwide.
Additionally, in August 2011 TSA reported that its national inspection
program requires that transportation security inspectors conduct
vulnerability assessments at all commercial airports, which are based
on the joint vulnerability assessment model. According to TSA, every
commercial airport in the United States receives a security assessment
each year, including an evaluation of perimeter security and access
controls. We have not yet assessed the extent to which transportation
security inspectors consistently conduct vulnerability assessments
based on the joint vulnerability model. Providing additional
information on how and to what extent such security assessments have
been performed would more fully address our recommendation.
We also reported in September 2009 that TSA's efforts to enhance the
security of the nation's airports have not been guided by a national
strategy that identifies key elements, such as goals, priorities,
performance measures, and required resources.[Footnote 33] To better
ensure that airport stakeholders take a unified approach to airport
security, we recommended that TSA develop a national strategy for
airport security that incorporates key characteristics of effective
security strategies, such as measurable goals and priorities. DHS
concurred with this recommendation and stated that TSA would implement
it by updating the Transportation Systems-Sector Specific Plan
(TS-SSP), to be released in the summer of 2010.[Footnote 34] TSA provided
a copy of the updated plan to congressional committees in June 2011
and to us in August 2011. We reviewed this plan and its accompanying
aviation model annex and found that while the plan provided a
high-level summary of program activities for addressing airport security
such as the screening of workers, the extent to which these efforts
would be guided by measurable goals and priorities, among other
things, was not clear. Providing such additional information would
better address the intent of our recommendation.
Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee, this concludes my statement. I look forward to answering
any questions that you may have at this time.
GAO Contact and Staff Acknowledgments:
For questions about this statement, please contact Stephen M. Lord at
(202) 512-8777 or lords@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this statement. Individuals making key contributions to this
testimony are David M. Bruno and Steve Morris, Assistant Directors;
Ryan Consaul; Barbara Guffy; Tracey King; Tom Lombardi; and Lara
Miklozek.
[End of section]
Footnotes:
[1] TSA's behavior-based passenger screening program is known as the
Screening of Passengers by Observation Techniques (SPOT) program.
[2] National Strategy for Counterterrorism (Washington, D.C.: June 28,
2011).
[3] See GAO, Department of Homeland Security: Progress Made and Work
Remaining In Implementing Homeland Security Missions 10 Years After
9/11, [hyperlink, http://www.gao.gov/products/GAO-11-881] (Washington,
D.C.: Sept. 7, 2011).
[4] For the purposes of this testimony, "secure area" is used
generally to refer to areas specified in an airport security program
for which access is restricted, including the security identification
display areas (SIDA), the air operations areas (AOA), and the sterile
areas. While security measures governing access to such areas may
vary, in general a SIDA is an area in which appropriate identification
must be worn, an AOA is an area providing access to aircraft movement
and parking areas, and a sterile area provides passengers access to
boarding aircraft and where access is generally controlled by TSA or a
private screening entity under TSA oversight. See 49 C.F.R. § 1540.5.
[5] See GAO, Aviation Security: A National Strategy and Other Actions
Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters
and Access Controls, [hyperlink,
http://www.gao.gov/products/GAO-09-399] (Washington, D.C.: Sept. 30,
2009); Aviation Security: Efforts to Validate TSA's Passenger
Screening Behavior Detection Program Underway, but Opportunities Exist
to Strengthen Validation and Address Operational Challenges,
[hyperlink, http://www.gao.gov/products/GAO-10-763] (Washington, D.C.:
May 20, 2010); Aviation Security: TSA Has Taken Actions to Improve
Security, but Additional Efforts Remain, [hyperlink,
http://www.gao.gov/products/GAO-11-807T] (Washington, D.C.: July 13,
2011); and [hyperlink, http://www.gao.gov/products/GAO-11-881].
[6] National Research Council, Protecting Individual Privacy in the
Struggle Against Terrorists: A Framework for Assessment (Washington,
D.C.: National Academies Press, 2008). The report's preparation was
overseen by the National Academy of Sciences Committee on Technical
and Privacy Dimensions of Information for Terrorism Prevention and
Other National Goals. Although the report addresses broader issues
related to privacy and data mining, a senior National Research Council
official stated that the committee included behavior detection as a
focus because any behavior detection program could have privacy
implications.
[7] For the purposes of this testimony, the term "TSA-regulated
airport" refers to a U.S. airport operating under a TSA-approved
security program and subject to TSA regulation and oversight. See 49
C.F.R. pt. 1542.
[8] See [hyperlink, http://www.gao.gov/products/GAO-09-399].
[9] See Pub. L. No. 107-71, 115 Stat. 597 (2001). For purposes of this
testimony, "commercial passenger aircraft" refers to a U.S. or
foreign-based air carrier operating under TSA-approved security programs with
regularly scheduled passenger operations to or from a U.S. airport.
[10] Private-sector screeners under contract to and overseen by TSA,
and not TSOs, perform screening activities at airports participating
in TSA's Screening Partnership Program. See 49 U.S.C. § 44920.
According to TSA, 16 airports participated in the program as of July
2011.
[11] TSA designed SPOT to provide BDOs with a means of identifying
persons who may pose a potential security risk at TSA-regulated
airports by focusing on behaviors and appearances that deviate from an
established baseline and that may be indicative of stress, fear, or
deception.
[12] Advanced Imaging Technology screens passengers for metallic and
non-metallic threats including weapons, explosives, and other objects
concealed under layers of clothing.
[13] Working alongside local security and law enforcement officials,
VIPR teams conduct a variety of security tactics to introduce
unpredictability and deter potential terrorist actions, including
random high-visibility patrols at mass transit and passenger rail
stations and conducting passenger and baggage screening operations
using specially trained behavior detection officers and a varying
combination of explosive detection canine teams and explosives
detection technology.
[14] Biometrics are measurements of an individual's unique
characteristics, such as fingerprints, irises, and facial
characteristics, used to verify identity.
[15] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[16] See DHS, SPOT Referral Report Validation Study Final Report
Volume I: Technical Report (Washington, D.C.: April 5, 2011). DHS's
study defines high-risk passengers as travelers that knowingly and
intentionally try to defeat the security process including those
carrying serious prohibited items, such as weapons; illegal items,
such as drugs; or fraudulent documents; or those that were ultimately
arrested by law enforcement.
[17] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[18] Specifically, the report states that the scientific support for
linkages between behavioral and physiological markers and mental state
is strongest for elementary states, such as simple emotions; weak for
more complex states, such as deception; and nonexistent for highly
complex states, such as when individuals hold terrorist intent and
beliefs.
[19] A study performed by the JASON Program Office raised similar
concerns. The JASON Program Office is an independent scientific
advisory group that provides consulting services to the U.S.
government on matters of defense science and technology.
[20] See [hyperlink, http://www.gao.gov/products/GAO-10-763].
[21] The extent to which SPOT is more effective than random at
identifying fraudulent documents and individuals ultimately arrested
by law enforcement officers is deemed sensitive security information
by TSA.
[22] DHS officials stated that this historical SPOT data was not used
in their analysis to determine whether SPOT was more effective than
random screening.
[23] The study made recommendations related to SPOT in three areas:
(1) future validation efforts; (2) comparing SPOT with other screening
programs; and (3) broader program evaluation issues. TSA designated
the specific details of these recommendations sensitive security
information.
[24] See GAO, Opportunities to Reduce Potential Duplication in
Government Programs, Save Tax Dollars, and Enhance Revenue,
[hyperlink, http://www.gao.gov/products/GAO-11-318SP] (Washington,
D.C.: Mar. 1, 2011).
[25] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[26] [hyperlink, http://www.gao.gov/products/GAO-09-399]. DHS
developed the NIPP to guide risk assessment efforts and the protection
of the nation's critical infrastructure, including airports.
[27] See GAO, Transportation Security: Comprehensive Risk Assessments
and Stronger Internal Controls Needed to Help Inform TSA Resource
Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492]
(Washington, D.C.: Mar. 27, 2009).
[28] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[29] According to TSA officials, JVAs are assessments that teams of
TSA special agents and other officials conduct jointly with the FBI,
generally, as required by law, every 3 years for airports identified
as high risk. See 49 U.S.C. § 44904(a)-(b). See also Pub. L. No.
104-264, § 310, 110 Stat. 3213, 3253 (1996) (establishing the requirement
that the Federal Aviation Administration (FAA) and the FBI conduct
joint threat and vulnerability assessments every three years, or more
frequently, as necessary, at each airport determined to be high risk).
Pursuant to ATSA, responsibility for conducting JVAs transferred from
FAA to TSA. For more information on this issue, see GAO-09-399.
[30] From fiscal years 2004 through 2008 TSA conducted 67 JVAs at a
total of 57 airports; 10 airports received 2 JVAs. TSA classifies the
nation's airports into one of five categories (X, I, II, III, and IV)
based on various factors such as the number of take-offs and landings
annually, the extent of passenger screening at the airport, and other
security considerations. In general, Category X airports have the
largest number of passenger boardings and Category IV airports have
the smallest. According to TSA data, of the 67 JVAs conducted at 57
airports from fiscal years 2004 through 2008, 58--or 87 percent--were
Category X and I airports. Of the remaining 9 assessments, 6 were at
Category II airports, 1 at a Category III airport, and 2 at Category
IV airports. Since our September 2009 report was issued, the number of
TSA-regulated airports has increased from approximately 450 to 463.
[31] From fiscal year 2004 through July 1, 2011, TSA conducted 125
JVAs at 78 airports; 47 airports received more than one JVA during
this period.
[32] From fiscal year 2009 through July 1, 2011, TSA conducted 58 JVAs
at a total of 56 airports; 2 airports received 2 JVAs. According to
TSA data, of the 58 JVAs conducted, 47--or 88 percent--were at
Category X and I airports; 7--12 percent--were conducted at Category
II airports. TSA officials told us that since our report in September
2009 they have initiated a semi-annual report process that, in part,
included a data analysis of the JVAs conducted at airports for the
prior 6 months. The semi-annual report focuses on airport perimeter,
terminal, critical infrastructure, airport operations, and airport
services. Beginning in fiscal year 2011 the reports are to be
developed on an annual basis. The reports are also used to direct
future JVA efforts.
[33] [hyperlink, http://www.gao.gov/products/GAO-09-399].
[34] TSA developed the TS-SSP to conform to NIPP requirements, which
required sector-specific agencies to develop strategic risk management
frameworks for their sectors that aligned with NIPP guidance.
[End of section]
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: