[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
 IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS?
=======================================================================



                                HEARING

                               before the

                SUBCOMMITTEE ON TRANSPORTATION SECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 19, 2012

                               __________

                           Serial No. 112-99

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC] [TIFF OMITTED] CONGRESS.#13


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
79-506                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001




                     COMMITTEE ON HOMELAND SECURITY

                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                  Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Ben Quayle, Arizona                  Kathleen C. Hochul, New York
Scott Rigell, Virginia               Janice Hahn, California
Billy Long, Missouri                 Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

                SUBCOMMITTEE ON TRANSPORTATION SECURITY

                     Mike Rogers, Alabama, Chairman
Daniel E. Lungren, California        Sheila Jackson Lee, Texas
Tim Walberg, Michigan                Danny K. Davis, Illinois
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois, Vice Chair      Vacancy
Robert L. Turner, New York           Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
    Officio)
                     Amanda Parikh, Staff Director
                   Natalie Nixon, Deputy Chief Clerk
                   Vacant, Minority Subcommittee Lead


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Chairman, Subcommittee on Transportation 
  Security.......................................................     1
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas, and Ranking Member, Subcommittee on 
  Transportation Security........................................    15

                               Witnesses

Mr. Kelly Hoggan, Assistant Administrator, Office Of Security 
  Capabilities, Transportation Security Administration:
  Oral Statement.................................................     4
  Prepared Statement.............................................     6
Mr. Stephen M. Lord, Director, Homeland Security and Justice 
  Issues, Government Accountability Office:
  Oral Statement.................................................     9
  Prepared Statement.............................................    11

                             For the Record

The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Chairman, Subcommittee on Transportation 
  Security:
  Letter to John S. Pistole......................................     2


 IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS?

                              ----------                              


                         Tuesday, June 19, 2012

             U.S. House of Representatives,
           Subcommittee on Transportation Security,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:17 p.m., in 
Room 311, Cannon House Office Building, Hon. Mike Rogers 
[Chairman of the subcommittee] presiding.
    Present: Representatives Rogers, Walberg, Cravaack, and 
Jackson Lee.
    Mr. Rogers. This Committee on Homeland Security, 
Subcommittee on Transportation Security will come to order. The 
subcommittee is meeting today to examine whether TSA's 
Credential Authentication Technology Boarding Pass Screening--
or Scanning System, commonly referred to as CAT/BPSS, is a 
smart use of taxpayer's funds.
    I want to thank our witnesses for being here today, and I 
appreciate your time and energy in preparing for today's 
hearing. I know it takes a lot of time and commitment, and I 
appreciate that. We look forward to your testimony.
    TSA has plans to purchase Credential Authentication 
Technology Boarding Pass Scanning Systems, commonly referred to 
as CAT/BPSS. You will hear me refer to it as the new technology 
because it is easier to say than CAT/BPSS.
    Eventually, the idea is to have this technology replace 
today's manual travel document checking process with an 
automated process. While the technology may assist screeners in 
detecting fake IDs and boarding passes, TSA has not addressed 
several fundamental weaknesses in the technology that could 
render it ineffective.
    As TSA attempts to rebrand itself as a threat-driven 
agency, CAT/BPSS sticks out like a sore thumb. Here are three 
of the problems we have identified with this looming purchase: 
CAT/BPSS is not integrated into TSA's other security layers, 
such as the terrorist watch list. No. 2, the costs of CAT/BPSS 
have grown exponentially since TSA first started looking at 
this. According to TSA figures, acquisition went from $35 
million to $115 million, and projected life-cycle costs went 
from $83 million to $150 million. Finally, TSA plans to 
purchase over 1,000 of these units over a span of a few months. 
That does not appear to be a risk-based approach. For those who 
don't know, TSA already has a lot of extra equipment sitting in 
storage. Mr. Hoggan, we don't need any more.
    This hearing will provide an important opportunity to hear 
more about TSA's plans for CAT/BPSS and examine whether the 
technology makes us more secure and is a wise use of taxpayer's 
dollars. Last week, I sent Administrator Pistole a letter 
expressing my concerns with the technology. If there is no 
objection, I want to insert that into the record at this time.
    So ordered.
    [The information follows:]
          Letter From Chairman Mike Rogers to John S. Pistole
                                     June 11, 2012.
Honorable John S. Pistole,
Administrator, Transportation Security Administration, 601 South 12th 
        Street, Arlington, VA 20598.
    Dear Administrator Pistole: I am writing to express my concerns 
regarding the TSA's plans to purchase and deploy Credential 
Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS). 
While CAT/BPSS may assist Transportation Security Officers in detecting 
fraudulent or invalid IDs and boarding passes, there are a number of 
weaknesses with this technology that call into question the benefit of 
deploying up to 1,400 units. On May 30, 2012, I appreciated the 
opportunity for my staff and I to receive a briefing and demonstration 
of CAT/BPSS at the TSA's Systems Integration Facility (TSIF). However, 
our discussion with the CAT/BPSS program team further reinforced our 
concerns, as outlined below.
    As you know, the Subcommittee on Transportation Security has held a 
number of hearings on technology procurement reform at TSA. While we 
are beginning to see some improvements, including greater transparency 
with industry, I am concerned that CAT/BPSS falls short in the area of 
requirements generation and collaboration with the Science and 
Technology (S&T) Directorate. It appears that the development and 
deployment of CAT/BPSS technology lacks two critical considerations: 
(1) A thorough risk analysis of the threat scenarios that the 
technology addresses and its associated cost-benefit, and (2) the 
necessary system requirements to achieve risk-based operational 
success.
    I commend TSA's emphasis to move towards a more risk-based approach 
to airport security, so I am puzzled by the apparent lack of risk and 
cost-benefit analyses for the CAT/BPSS technology. My staff and I have 
requested several times that TSA provide us an analysis of the 
projected costs for the CAT/BPSS units, especially given that there is 
a planned large-scale acquisition as early as 5 months from now. TSA 
has provided neither cost projections nor cost threshold requirements 
for the technology. Secondly, while the technology is claimed to be 
part of a layered approach to airport security screening, we have not 
seen any risk analysis that supports the role of this technology in the 
overall security architecture. Specifically, the technology only 
detects potentially fraudulent documents, and does little or nothing to 
link these potentially fraudulent documents to terrorist-related 
threats. CAT/BPSS provides no interconnectivity to other Government 
threat databases, provides no protection against falsification of IDs 
at the issuing source, and provides limited assurance that damaged or 
misprinted, but valid IDs (or boarding passes) can be correctly 
processed by the system.
    I also commend TSA for its use of systems engineering principles in 
developing a set of operational requirements for the CAT/BPSS 
technology. However, I remain deeply concerned, due to the lack of 
risk-based analyses, that some key requirements have been excluded. 
Examples of missing requirements that have been observed include:
   No requirement for interconnectivity to other security 
        systems within or external to the TSA system architecture.
   No requirement for false alarm rates. Since only detection 
        rates and throughput rates are specified, the ``threshold 
        settings'' will likely be set to such a low rate that potential 
        threats will pass through undetected.
   No requirement for human factors. How do we avoid false 
        confidence by the TSOs as they see repeated readings of 
        ``PASS'' by the automated screens? How do we ensure that the 
        technology does not distract from the TSOs' ability to observe 
        passengers for behavioral cues?
   No requirement for phasing in the technology, based on risk 
        and effectiveness. The acquisition plans call for a bulk 
        procurement of 1,400 CAT/BPSS units for deployment at 50% of 
        all lanes at all airports. Based on prior TSA technology 
        experiences, it would seem that a more phased, risk-based 
        procurement and implementation would be prudent.
    As you are aware, I intend to hold a hearing on CAT/BP8S next week. 
This hearing will provide TSA the opportunity to clarify the issues and 
offer solutions for a path forward. In preparation for this hearing, I 
request that TSA provide the following information by June 15, 2012:
   Projected costs of CAT/BPSS, including per-limit costs and 
        projected life-cycle costs.
   Requirements documents for CAT/BPSS.
   Risk analyses conducted on CAT/BPSS, including quantitative 
        assessments of the terrorist-based threats that CAT/BPSS will 
        address, and its role in the overall TSA security system 
        architecture.
   Delineation of the ways in which the S&T Directorate has 
        been engaged and what its expert feedback has been. At my visit 
        to the TSIF on May 30, 2012, the CAT/BPSS program team affirmed 
        there was some level of collaboration with S&T. Since that 
        time, the S&T Directorate has denied having a role in CAT/BPSS 
        development.
    Thank you for your prompt and personal attention to this matter. I 
appreciate your continuing efforts to secure the Nation's 
transportation systems and look forward to working with you to improve 
TSA's performance in carrying out its critical mission.
            Sincerely,
                                               Mike Rogers,
                 Chairman, Subcommittee on Transportation Security.

    Mr. Rogers. Mr. Hoggan, while you are very new to this 
position, this subcommittee has held a number of hearings on 
technology procurement reform at TSA in which we identified a 
long list of procurement problems and heard testimony from your 
predecessor on the subject.
    While we are beginning to see some general improvements, I 
am concerned that CAT/BPSS falls into the same familiar pattern 
of TSA procurement and completely misses the mark. At this 
point, I think CAT/BPSS is a Band-aid measure to solving a 
complex problem.
    The travel document checker can't perform the way we want 
it to--want him or her to do, so instead of revising training 
standards, the management protocols and operational procedures, 
TSA is looking for a quick fix. While an automated process 
makes sense, TSA has not addressed flaws that plague the 
technology, and more importantly, TSA checkpoints operation--
checkpoint operations as a whole.
    Today, I expect concrete answers about the benefits and 
gaps associated with CAT/BPSS and exactly what changed your 
mind about it. Based on the information the committee received 
late on Friday, you have decide to postpone procurement of this 
technology until next year. I am encouraged by that news, but I 
can assure that our oversight of this program and other 
acquisitions will continue to be robust.
    With that, I would ordinarily now turn to my Ranking 
Member, Sheila Jackson Lee of Texas. She is involved in another 
committee and will be here shortly, and we will pause when she 
arrives to recognize her for an opening statement.
    Now we are pleased to recognize our witnesses. By the way, 
the other committee Members are reminded they can submit their 
statements for the record. We are pleased to have two 
distinguished witnesses before us today on this important 
topic. Let me remind each of the witnesses that their entire 
written statements will be submitted for the record.
    Our first witness, Mr. Kelly Hoggan, currently serves as an 
assistant administrator for the Office of Security Capabilities 
at TSA, a position he assumed this past March. I think it was 
April, wasn't it? April?
    Mr. Hoggan. April 8.
    Mr. Rogers. April 8. In this position, Mr. Hoggan is 
responsible for the implementation and development of security 
technologies across multiple modes of transportation. Mr. 
Hoggan joined TSA in 2004 and has served in numerous leadership 
positions, most recently as the regional director for the 
Office of Global Strategies based in Singapore, where he was 
responsible for overseeing TSA's regional tactical operations.
    Mr. Hoggan is also served as the deputy administrative--
assistant administrator for the Office of Global Strategies and 
a deputy assistant administrator for the Office of Security 
Operations. The Chairman now recognizes Mr. Hoggan for 5 
minutes for your own opening statement.

 STATEMENT OF KELLY HOGGAN, ASSISTANT ADMINISTRATOR, OFFICE OF 
 SECURITY CAPABILITIES, TRANSPORTATION SECURITY ADMINISTRATION

    Mr. Hoggan. Thank you, Chairman Rogers and distinguished 
Members of the subcommittee. Thank you for the opportunity to 
testify about the Transportation Security Administration's use 
of technology to support a layered approach to securing the 
Nation's transportation system, while ensuring freedom of 
movement for people and commerce.
    TSA's workforce responsibilities include security screening 
of passengers and baggage at more than 450 airports in the 
United States, facilitating air travel for 1.8 million people 
per day. We also vet more than 14 million passenger 
reservations, 13 million transportation workers against a 
terrorist watch list every week.
    One way in which our security approach continues evolving 
is by investing in innovative technologies and pursuing 
initiatives that further standardize and integrate equipment. I 
appreciate the opportunity to discuss with the subcommittee 
TSA's efforts to strengthen our multi-layered security system 
through technology innovation.
    As you know, last fall TSA began developing a strategy for 
enhanced use of intelligence to help implement a risk-based 
approach to transportation security. Our objective is to 
mitigate risk in a way that effectively balances security 
measures with privacy, civil rights, and civil liberty 
concerns.
    Through various risk-based security, or RBS, initiatives, 
TSA is moving away from a one-size-fits-all security model and 
close to its goal of providing the most effective 
transportation security in the most efficient way possible.
    Perhaps the most widely-known enhancement we are putting in 
place is TSA PreCheck, which, like other RBS initiatives, 
leverages our advancements in technology.
    For example, we are able to leverage our secure-flight 
technology in a manner that identifies lower risk passengers 
and distinguishing them in a checkpoint through barcodes on 
their boarding passes.
    Another initiative we are currently testing in a handful of 
airports is a credential authentication technology boarding 
pass scanning system, or CAT/BPSS, to provide TSO's with an 
effective tool to quickly detect fraudulent and altered 
documents.
    This equipment automatically and currently verifies 
passenger boarding passes and IDs as they are presented to TSA 
during the security checkpoint screening process.
    Using CAT/BPSS, TSA can verify the authenticity of a 
passenger's ID by comparing the format and security features of 
a passenger's against a known set of security features for that 
particular identity credential type.
    Most legitimate forms of identification issued today 
includes some forms of encoded data that is written into the 
credential by the issuing authority in one or more widely-
accepted formats. The most common form of formats include one- 
and two-dimensional bar codes, magnetic strips, embedded 
circuits, machine readable text.
    The formatted security features set for each credential 
type were provided to the TSA by the credential issuers so that 
TSA can compare the security features on the passenger ID with 
the security features provided by the credential issuer.
    TSA is currently conducting CAT/BPSS technology pilots in 
San Juan, Houston Air Continental and Dulles Washington 
Airports. During the process, TSA is evaluating the throughput 
as well as determining the overall operational availability of 
the various solutions.
    If testing proves successful, CAT/BPSS units could replace 
Travel Document Checker podiums in the entrance of airport 
security checkpoints and the current manual lights and loupes 
process for boarding pass authentication.
    TSA is also in the process of upgrading currently deployed 
AT X-ray systems as well as deploying next generation AT2 
systems. This technology is used to screen carry-on luggage at 
security checkpoints in addition to other upgrades to 
streamline the baggage check process.
    Next generation A2X-Ray units featured enhanced explosive 
detection capabilities to help our officers detect new threats. 
There are currently more than 1,400 AT units at 125 airports 
with additional deployments for the remainder of the calendar 
year 2012.
    We are working close with DHS S&T and our qualified vendor 
list to assess the AT2 system's capability to detect liquid, 
aerosols, and gels, commonly known as LAGs, which could 
expedite the secondary bag search process.
    Bottle liquid scanners, or BLS, security screening systems 
are used to detect potential liquids or gels threats while 
differentiating between liquid explosives and common benign 
liquids such as baby formula and insulin.
    Next-generation BLS systems have the ability to detect a 
wider range of explosive material and use light waves to screen 
sealed containers for explosive liquids.
    TSA recently deployed an additional 500 next-generation BLS 
units to airports Nation-wide and now is a total of 1,200 at 
350 airports. Going forward, TSA will continue its efforts to 
strengthen this multi-layer security system through 
technological advances.
    Chairman Rogers, thank you, once again, for the opportunity 
for today.
    [The statement of Mr. Hoggan follows:]
                   Prepared Statement of Kelly Hoggan
                             June 19, 2012
    Good afternoon Chairman Rogers, Ranking Member Jackson Lee, and 
distinguished Members of the subcommittee. Thank you for the 
opportunity to testify today about the Transportation Security 
Administration's (TSA) use of technology to support our layered 
approach to securing the Nation's transportation systems while ensuring 
freedom of movement for people and commerce. TSA employs risk-based, 
intelligence-driven measures to deter and prevent terrorist attacks and 
to reduce vulnerabilities in the Nation's transportation systems. In 
partnership with airport operators, airlines, and local law enforcement 
agencies, TSA secures our Nation's commercial airports through a 
variety of programs that create a multi-layered system of 
transportation security to mitigate risk.
    The TSA workforce operates on the front line, executing the 
agency's transportation security responsibilities in support of the 
Nation's counterterrorism efforts. These responsibilities include 
security screening of passengers and baggage at over 450 airports in 
the United States that facilitate air travel for 1.8 million people per 
day; recurrently vetting over 13 million transportation workers against 
the terrorist watch list each day; and conducting security regulation 
compliance inspections and enforcement activities at airports, for 
domestic and foreign air carriers, and for air cargo screening 
operations throughout the United States and at last point of departure 
locations internationally. In 2011, Transportation Security Officers 
(TSOs) stopped more than 125,000 prohibited items at airport 
checkpoints. Of those items, more than 1,300 were firearms.
    Since our creation in the wake of the September 11 terrorist 
attacks, TSA has evolved our security approach based on intelligence 
and by examining how specific security procedures are carried out, 
improving workforce efficiencies, investing in innovative technologies 
and pursuing initiatives to further standardize and integrate 
equipment. Following our Congressional mandate to keep the millions of 
Americans who travel each day safe and secure across numerous modes of 
transportation, TSA has strengthened security by creating successful 
programs and deploying technologies that were not in place prior to 
September 11, while also taking steps whenever possible to enhance the 
passenger experience.
    I am pleased to have an opportunity today to discuss with the 
subcommittee TSA's technological innovations, which have strengthened 
our multi-layered security system.
               risk-based security (rbs) and tsa precheck
    Last fall, TSA began developing a strategy for enhanced use of 
intelligence and other information to support a more risk-based 
approach in all facets of transportation, including passenger 
screening, air cargo, and surface transportation. At its core, the 
concept of RBS builds upon the work TSA has been doing throughout its 
first decade of service to the Nation. Our objective is to mitigate the 
risk of an attack against our transportation systems in a way that 
effectively balances security measures with privacy, civil rights, and 
civil liberties concerns while promoting the safe movement of people 
and commerce.
    Through various RBS initiatives, TSA is moving away from a one-
size-fits-all security model and closer to its goal of providing the 
most effective transportation security in the most efficient way 
possible. In the passenger screening context, RBS allows our dedicated 
TSOs to focus more attention on those travelers we believe are more 
likely to pose a risk to our transportation network while providing the 
opportunity for expedited screening to those we consider pose less 
risk. The most widely known risk-based security enhancement we are 
putting in place is TSA PreCheckTM, which, like other RBS 
initiatives, leverages our advancements in technology. Since first 
implementing this idea last fall, TSA PreCheckTM has been 
expanded to 15 airports, making it possible for eligible passengers 
flying from these airports to experience expedited security screening 
through TSA PreCheckTM. The feedback we've been receiving is 
consistently positive. TSA pre-screens TSA PreCheckTM 
passengers each time they fly through participating airports. 
Currently, U.S. citizens flying domestically who are qualified frequent 
fliers of American Airlines, Delta Air Lines, and Alaska Airlines, or 
members of U.S. Customs and Border Protection's trusted traveler 
programs such as Global Entry, may be eligible for expedited screening 
at select checkpoints. TSA is actively working with other major air 
carriers such as United Airlines, US Airways, and Jet Blue to expand 
both the number of participating airlines and the number of airports 
where expedited screening through TSA PreCheckTM is 
provided. By the end of 2012, TSA plans to have TSA 
PreCheckTM operating at over 30 of the Nation's busiest 
airports.
    TSA PreCheckTM travelers are able to divest fewer items, 
which may include leaving on their shoes, jacket, and light outerwear 
as well as other modifications to the standard screening process. As 
always, TSA will continue to incorporate random and unpredictable 
security measures throughout the security process. At no point are TSA 
PreCheckTM travelers guaranteed expedited screening.
  credential authentication technology/boarding pass scanning systems
    TSA is currently evaluating a new technology to improve the 
effectiveness of verifying and validating passengers' travel and 
identity credentials (ID). This Credential Authentication Technology/
Boarding Pass Scanning System (CAT/BPSS), provides TSOs with an 
effective tool to quickly detect fraudulent or altered IDs or boarding 
passes, ensure that the identity information on the ID and boarding 
pass match, and automatically identify passengers that have been 
selected, under the RBS concept, for differentiated screening.
    CAT/BPSS provides TSA with a greater ability to identify fraudulent 
ID documents and can verify the authenticity of boarding passes. CAT/
BPSS compares the format and security features of the passenger ID 
against a known set of security features for that particular identity 
credential type. The most common security features are one and two 
dimensional (1D, 2D) barcodes, magnetic stripes, embedded circuits, and 
machine readable text.
    TSA is currently concluding CAT/BPSS technology pilots at San Juan, 
Houston, and Washington Dulles airports. During this technical 
evaluation process, TSA is determining the overall operational 
suitability of different vendor solutions. Prior to proceeding to the 
field pilots each CAT/BPSS system were required to go through two 
rounds of qualification testing plus two additional rounds of 
regression testing, to remediate issues identified during qualification 
testing, at the TSA Systems Integration Facility (TSIF).
    If testing proves successful, CAT/BPSS units could replace the 
Travel Document Checker podium at the entrance of airport security 
checkpoints as well as the current manual method of ID and boarding 
pass authentication with a more effective security measure.
                      advanced imaging technology
    Advanced Imaging Technology (AIT) helps TSOs screen passengers for 
metallic and non-metallic threats including weapons, explosives, and 
other objects concealed under layers of clothing without physical 
contact. Currently, there are more than 700 AIT units at nearly 190 
airports. AIT is a critical component of TSA's risk-based security 
approach. Consistent with recent U.S. Department of Homeland Security 
(DHS), Office of Inspector General (OIG), and Government Accountability 
Office (GAO) recommendations, TSA is implementing an action plan to 
increase the level of available AIT screening capacity across the 
Nation's aviation system. Where AIT is deployed and relied upon, TSA 
has established a utilization target consistent with the recommendation 
by OIG, and is meeting or exceeding that target.
    TSA has developed and implemented an AIT instructor certification 
curriculum for Security Training Instructors (STI) assigned at the 
airports. These STIs are responsible for delivering AIT training as 
airports receive the technology. A full training curriculum package, 
including training kits and training aids, has been distributed to all 
AIT airports and allows each airport to train as many operators as 
required. Airports that have not received AIT units will receive the 
training kit and aids when the equipment is installed.
    In addition, introduction of Automated Target Recognition (ATR) 
functionality eliminates the need for a remote Image Operator in all 
new machines. ATR capability is being retrofitted on all existing 
machines using millimeter-wave technology, and TSA is currently 
completing the evaluation of ATR on Backscatter AIT systems. The ATR 
software provides the same high level of detection and it allows for 
more targeted pat-downs, because of the manner in which anomalies are 
displayed. The introduction of ATR reduced the amount of time required 
for initial operator training and certification. By using local airport 
STIs to conduct this training, TSA has eliminated concerns about 
training being a constraint in achieving our AIT utilization goal.
    The availability of AIT equipment supports long-term needs while 
increasing efficiencies at checkpoints with even more effective ATR 
software and a reduced footprint, which will inform future deployment 
strategies. In support of the increasing number of AIT units deployed 
with ATR, TSA is developing a new training kit specifically designed to 
support AIT ATR training and testing. Working with the Johns Hopkins 
University Applied Physics Laboratory, TSA is also working to increase 
the number of AIT testing scenarios under our Aviation Screening 
Assessment Program (ASAP). TSA has been conducting a preliminary 
assessment to develop and validate additional testing stimulants and 
scenarios for use with the AIT ATR equipment. The intent is to 
incorporate new scenarios and stimulants appropriate for use with AIT 
ATR into ASAP's National-level testing framework. TSA is also working 
with industry in order to enhance ATR and AIT hardware for greater 
detection effectiveness.
                          automated wait time
    Automated Wait Time (AWT) systems utilize technology to monitor and 
track queuing traffic at the security checkpoint, enabling TSA to 
reallocate resources to areas of higher congestion and priority as 
needed. The AWT system includes the ability to display wait times to 
the traveling public on monitors within airport checkpoints. TSA 
preliminarily tested an AWT system at the TSIF and anticipates testing 
it in airports in the coming months.
               next generation advanced technology x-ray
    TSA is in the process of upgrading currently deployed Advanced 
Technology (AT) X-ray systems, as well as deploying next generation, or 
AT-2 systems. This technology is used to screen carry-on luggage at the 
security checkpoint. In addition to other upgrades that streamline the 
bag check process, next generation AT X-ray units feature enhanced 
explosive detection capabilities that enable TSA to detect additional 
threats.
    There are currently more than 1,400 AT units at over 125 airports. 
These systems enhance security effectiveness and efficiency, and 
deployments will continue through calendar year 2012. We are working 
closely with the DHS Science and Technology Directorate (S&T) and our 
qualified vendors to assess the AT-2 system's capability to detect 
liquids, aerosols, and gels (LAG), which would provide the TSOs more 
efficient tools to perform a targeted bag search.
                   shoe-scanning detection technology
    Shoe-Scanning Detection (SSD) technology is an advanced technology 
which would be capable of detecting both metallic and non-metallic 
threats concealed in passenger footwear without requiring that 
passengers to remove their footwear at the checkpoint. S&T recently 
issued a Broad Agency Announcement that allows it to support private-
sector R&D research and development efforts to develop shoe-scanner 
detection systems that meet TSA detection requirements.
                        bottled liquids scanners
    Bottled Liquids Scanner (BLS) screening systems are used to detect 
potential liquid or gel threats, which may be contained in a 
passenger's property while differentiating between liquid explosives 
and common, benign liquid such as baby formula and insulin. Next-
generation BLS screening systems have the ability to detect a wider 
range of explosive materials and use light waves to screen sealed 
containers for explosive liquids. TSA recently deployed an additional 
500 next-generation BLS units to airports Nation-wide. These recent 
deployments bring the total number of BLS units Nation-wide to over 
1,200 at nearly 350 airports.
                       explosives trace detection
    Explosives Trace Detection (ETD) technology is used at security 
checkpoints around the country to screen passengers and their carry-on 
baggage for traces of explosives. Officers may swab a piece of luggage 
or passenger hands and place the swab inside the ETD unit to analyze 
the content for the presence of potential explosive residue. TSA is 
focusing on recapitalization efforts to perform life-cycle replacements 
with more effective next-generation solutions. In addition, TSA is 
expanding its use of ETD technology in airports as part of its layered 
approach to aviation security. TSA is currently conducting pilot 
testing on portable trace solutions to support more widespread usage of 
this technology and working with S&T on the development of next-
generation ETDs.
     explosives detection systems recapitalization and optimization
    Over the next 5 years, a large number of Explosives Detection 
Systems (EDS) will approach the end of their useful life and replacing 
these aging units is a top priority. TSA will fund recapitalization 
projects, which include the work required to remove the existing EDS as 
well as minimal modifications to the Baggage Handling System 
infrastructure associated with the replacement of the EDS and the 
associated purchase and installation of the new EDS. TSA's plan to 
replace the aging EDS fleet of equipment will be prioritized based on a 
combination of age and maintenance data.
                               conclusion
    TSA will continue to enhance its layered security approach through 
state-of-the-art technologies, expanded use of existing and proven 
technology, passenger pre-screening and other developments that will 
continue to strengthen aviation security. Thank you for the opportunity 
to appear before you today, and I look forward to answering your 
questions.

    Mr. Rogers. Thanks, Mr. Hoggan.
    Our next witness is Mr. Steve Lord. Mr. Lord is a GAO 
executive responsible for directing numerous engagements on 
aviation and surface transportation issues and regularly 
discusses these issues before Congress and at industry forums.
    He has recently conducted in-depth reviews of the TSA's 
passenger checked baggage and air-cargo screening operations. 
Before his appointment to the Senior Executive Service in 2007, 
he led GAO's work on a number of key international security, 
finance, and trade issues.
    Mr. Lord, we appreciate you appearing before this committee 
on many occasions and look forward to your testimony today. The 
Chairman now recognizes Mr. Lord for his statement.

 STATEMENT OF STEPHEN M. LORD, DIRECTOR, HOMELAND SECURITY AND 
        JUSTICE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Lord. Thank you, Mr. Chairman. Chairman Rogers and 
other distinguished Members of the committee, I am pleased to 
be here today to discuss TSA's efforts to acquire this new 
technology. I don't use the acronym either. Some of our past 
work on TSA acquisitions which could inform the deliberations 
over TSA's progress in procuring this:
    This is an important issue as TSA acquisitions represent 
billions of dollars in life-cycle costs and support a wide 
range of missions. As you know, TSA started testing some of 
this new technology to help verify passenger IDs and boarding 
passes.
    They plan to use this technology to eventually replace the 
current process, the manual process, for inspecting and 
detecting fraudulent or altered documents.
    Today, I would like to discuss two specific issues. No. 1, 
the status of the actual acquisition for this technology and 
some broader challenges we have previously identified in TSA's 
acquisition process that may be relevant for today's 
discussion.
    First, regarding the acquisition status, TSA is now 
preparing to start a really important phase of the acquisitions 
referred to an operational test and evaluation and that is the 
one going to occur at three airports, Houston, Dulles, and San 
Juan.
    During the operational testing, TSA plans to assess the 
system's performance in terms of three performance criteria, 
detection capabilities, passenger throughput, and availability. 
Those are referred to as key performance parameters.
    According to the acquisition documents we reviewed, the 
estimated life-cycle cost of the program is about $130 million 
based on a procurement of 4,000 units over 20 years.
    You have to understand 4,000 includes replacement costs. 
Out of 1,400 referred to earlier, that is the planned buy, but 
since they are only expected to last 7 or 8 years, you, 
ultimately, have to replace them.
    We reviewed the life-cycle cost estimate of the passenger 
screening program and found the estimate to be reasonably 
comprehensive and documented. We have clear criteria for 
evaluating these life-cycle cost estimates.
    However, we could not determine the credibility because the 
current version does not include a risk analysis or independent 
cost estimate as deemed by best practice.
    We also noted that the assumed deflation rate over the life 
of the program is 1 percent rather than the historical rate of 
3 to 4 percent. So, thus, if a higher assumed inflation rate 
was used, estimated program costs would definitely be higher.
    More broadly, our prior work has identified three 
consistent challenges that are worth noting as this TSA 
acquisition unfolds. Our prior work emphasizes the importance 
of establishing and meeting clear program requirements, No. 2, 
properly overseeing and testing the technologies you are 
procuring.
    No. 3, developing sound acquisition program baselines to 
benchmark progress and meeting initial costs, schedule, and 
performance targets. We previously reported that DHS and TSA 
have faced challenges in developing requirements when acquiring 
new screening technologies.
    For example, in June 2010, we reported that more than half 
of the 15 DHS reviewed, awarded contracts to initiate 
acquisitions without required approval of key acquisition 
documents. The good news for CAT/BPSS is it does have some of 
these key documents. On the other hand, as I noted earlier, we 
have some concerns about the credibility of the life-cycle cost 
estimate.
    In closing, this hearing provides an excellent opportunity 
to ask some broader questions about the TSA procurement. First, 
how will TSA ensure that this new system addresses the security 
of vulnerabilities it previously identified with the fraudulent 
IDs?
    Second, what confidence does TSA have in its unit cost 
estimate? Third, how does the screening technology fit into 
TSA's broader acquisition--I am sorry, aviation security 
strategy? Finally, what cost-benefit analysis, if any, is being 
used to guide TSA decision-makers?
    Mr. Chairman, this concludes my remarks. I look forward to 
responding to any questions you may have. Thank you.
    [The statement of Mr. Lord follows:]
                 Prepared Statement of Stephen M. Lord
                             June 19, 2012
   aviation security.--status of tsa's acquisition of technology for 
         screening passenger identification and boarding passes
    Chairman Rogers, Ranking Member Jackson Lee, and Members of the 
committee: I am pleased to be here today to discuss our past work 
examining the Transportation Security Administration's (TSA) progress 
and challenges in developing and acquiring technologies to address 
aviation security needs. TSA's acquisition programs represent billions 
of dollars in life-cycle costs and support a wide range of aviation 
security missions and investments. Within the Department of Homeland 
Security (DHS), the Science and Technology Directorate (S&T) and TSA 
have responsibilities for researching, developing, and testing and 
evaluating new technologies, including airport checkpoint screening 
technologies. Specifically, S&T is responsible for the basic and 
applied research and advanced development of new technologies, while 
TSA, through its Passenger Screening Program, identifies the need for 
new checkpoint screening technologies and provides input to S&T during 
the research and development of new technologies, which TSA then 
procures and deploys.
    TSA screens more than 600 million air passengers per year through 
approximately 2,300 security checkpoint lanes at about 450 airports 
Nation-wide, and must attempt to balance its aviation security mission 
with concerns about efficiency and the privacy of the traveling public. 
The agency relies upon multiple layers of security to deter, detect, 
and disrupt persons posing a potential risk to aviation security. Part 
of its checkpoint security controls include a manual review and 
comparison by a travel document checker of each person's boarding pass 
and identification, such as passports or State-issued driver's 
licenses. However, concerns have been raised about security 
vulnerabilities in this process. For example, in 2006, a university 
student created a website that enabled individuals to create fake 
boarding passes. In addition, in 2011, a man was convicted of stowing 
away aboard an aircraft after using an expired boarding pass with 
someone else's name on it to fly from New York to Los Angeles. Recent 
news reports have also highlighted the apparent ease of ordering high-
quality counterfeit driver's licenses from China. We have previously 
reported on significant fraud vulnerabilities in the passport issuance 
process and on difficulties in detecting fraudulent identity 
documentation, such as driver's licenses.\1\
---------------------------------------------------------------------------
    \1\ GAO, State Department: Significant Vulnerabilities in the 
Passport Issuance Process, GAO-09-681T (Washington, DC: May 5, 2009), 
and Transportation Worker Identification Credential: Internal Control 
Weaknesses Need to Be Corrected to Help Achieve Security Objectives, 
GAO-11-657 (Washington, DC: May 10, 2011). We also have on-going 
classified work looking at the effectiveness of the travel document 
checker at detecting fraudulent documents, which we expect to finalize 
later this summer.
---------------------------------------------------------------------------
    In response to these vulnerabilities, and as part of its broader 
effort to improve security and increase efficiency, TSA began 
developing technology designed to automatically verify boarding passes 
and to better identify altered or fraudulent passenger identification 
documents. TSA plans for this technology, known as Credential 
Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS), to 
eventually replace the current procedure used by travel document 
checkers to detect fraudulent or altered documents. However, we have 
previously reported that DHS and TSA have experienced challenges in 
managing their acquisition efforts, including implementing technologies 
that did not meet intended requirements and were not appropriately 
tested and evaluated, and have not consistently included completed 
analyses of costs and benefits before technologies were implemented.\2\
---------------------------------------------------------------------------
    \2\ For example, see GAO, Homeland Security: DHS and TSA Face 
Challenges Overseeing Acquisition of Screening Technologies, GAO-12-
644T (Washington, DC: May 9, 2012).
---------------------------------------------------------------------------
    Since DHS's inception in 2003, we have designated implementing and 
transforming DHS as high-risk because DHS had to transform 22 
agencies--several with major management challenges--into one 
department.\3\ This high-risk area includes challenges in strengthening 
DHS's management functions, including acquisitions; the effect of those 
challenges on DHS's mission implementation; and challenges in 
integrating management functions within and across the department and 
its components. DHS currently has several plans and efforts under way 
to address the high-risk designation as well as the more specific 
challenges related to acquisition and program implementation that we 
have previously identified. For example, DHS provided us with its 
Integrated Strategy for High-Risk Management in June 2012, which 
includes management initiatives and corrective actions to address 
acquisition management challenges, among other management areas. We 
will continue to monitor and assess DHS's implementation and 
transformation efforts through our on-going and planned work, including 
the 2013 high-risk update that we expect to issue in early 2013.
---------------------------------------------------------------------------
    \3\ GAO, High-Risk Series: An Update, GAO-11-278 (Washington, DC: 
Feb. 16, 2011).
---------------------------------------------------------------------------
    My statement today focuses on: (1) The status of TSA's CAT/BPSS 
acquisition and the extent to which the related life-cycle cost 
estimate is consistent with best practices, and (2) challenges we have 
previously identified in TSA's acquisition process to manage, test, 
acquire, and deploy screening technologies. This statement also 
provides information on issues for possible Congressional oversight 
related to CAT/BPSS.
    This statement is based on reports and testimonies we issued from 
October 2009 through May 2012 related to TSA's efforts to manage, test, 
acquire, and deploy various technology programs.\4\ In addition, we 
obtained updated information in June 2012 from TSA on the status of its 
efforts to implement our recommendations from these reports. For our 
past work, we reviewed program schedules, planning documents, testing 
reports, and other acquisition documentation. For some of the programs 
we discuss in this testimony, we conducted site visits to a range of 
facilities, such as National laboratories, airports, and other 
locations to observe research, development, and testing efforts. We 
also conducted interviews with DHS component program managers and DHS 
Science and Technology Directorate officials to discuss issues related 
to individual programs. More detailed information on the scope and 
methodology from our previous work can be found within each specific 
report. In addition, this statement contains new information we 
obtained from TSA in June 2012 on the status of its CAT/BPSS 
acquisition. We reviewed key acquisition documents--including the 
mission needs statement (September 2008), request for proposal (April 
2011), operational requirements document (August 2011), life-cycle cost 
estimate (November 2011), and acquisition program baseline (November 
2011)--interviewed officials from TSA's Office of Security 
Capabilities, and viewed a demonstration of the CAT/BPSS test units. We 
compared the life-cycle cost estimate with best practices from our Cost 
Estimating and Assessment Guide to determine whether the official cost 
estimates were comprehensive (i.e., include all costs), accurate, well-
documented, and credible.\5\ We conducted all of our work in accordance 
with generally accepted Government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings based on our 
audit objectives. We discussed new information in this statement with 
TSA officials and incorporated their comments as appropriate.
---------------------------------------------------------------------------
    \4\ See the related products list at the end of this statement. 
Examples of these technology programs include advanced imaging 
technology (AIT)--commonly referred to as a full-body scanner--that 
screens passengers for metallic and non-metallic threats including 
weapons, explosives, and other objects concealed under layers of 
clothing; explosives detection systems, which use X-rays with computer-
aided imaging to automatically recognize the characteristic signatures 
of threat explosives; and explosives trace detection machines, in which 
a human operator (e.g., a baggage screener) uses chemical analysis to 
manually detect traces of explosive materials' vapors and residue.
    \5\ GAO, GAO Cost Estimating and Assessment Guide: Best Practices 
for Developing and Managing Capital Program Costs, GAO-09-3SP 
(Washington, DC: March 2009).
---------------------------------------------------------------------------
    In summary, TSA has completed its initial testing of the CAT/BPSS 
technology and has begun operational testing at three airports. We 
found the project's associated life-cycle cost estimate to be 
reasonably comprehensive and well-documented, although we are less 
confident in its accuracy due to questions about the assumed inflation 
rate. In addition, we could not evaluate its credibility because the 
current version does not include an independent cost estimate or an 
assessment of how changing key assumptions and other factors would 
affect the estimate. Our past work has identified three key challenges 
related to TSA's efforts to acquire and deploy technologies to address 
homeland security needs: (1) Developing and meeting technology program 
requirements, (2) overseeing and conducting testing of new screening 
technologies, and (3) developing acquisition program baselines to 
establish initial cost, schedule, and performance parameters.
 cat/bpss is in the operational testing and evaluation phase, and the 
  life-cycle cost estimate is not fully consistent with best practices
    CAT/BPSS, which is part of TSA's Passenger Screening Program, has 
undergone initial testing and is in the operational testing and 
evaluation phase of acquisition, according to TSA. The goal of CAT/BPSS 
is to deploy a computerized system that will read and analyze data and 
embedded security features on every passenger's identification and some 
boarding passes, and to identify fraudulent credentials and boarding 
passes. In 2011, TSA conducted qualification testing of this system at 
its System Integration Facility at Washington Reagan National Airport, 
including testing the systems against more than 530 genuine and 
fraudulent documents, such as State-issued driver's licenses, 
passports, and military identification cards, according to TSA. The 
technology is designed to automatically compare a passenger's 
identification with a set of embedded security features to seek to 
identify indicators of fraud and concurrently ensure that the 
information on the identification and boarding pass matches. This 
system is intended to help ensure that identity credentials and 
boarding passes presented at the checkpoint have not been tampered with 
or fraudulently produced, and that the information on the boarding pass 
matches that of the identity credential. According to TSA, CAT/BPSS is 
to compare identity credentials with an internal database of more than 
2,400 templates for various types of credentials and to check for 
certain embedded security features, then alert the operator of any 
discrepancies.
    In September 2011, TSA awarded contracts for approximately $3.2 
million, which included the purchase of 30 units from three different 
vendors.\6\ In April 2012, TSA began deploying units to three 
airports--George Bush Intercontinental in Houston, Luis Munoz Marin 
International in San Juan, and Washington Dulles International--in 
preparation for initial operational testing. TSA officials said that 
those airports were selected, in part, because of their high passenger 
volume and experience with detecting fraudulent documents. In 
preparation for initial testing, TSA tested the performance of its 
current process for comparison purposes. TSA is also training personnel 
on the CAT/BPSS systems, collecting preliminary data on system 
performance and availability, and assessing the adequacy of the concept 
of operations and standard operating procedures. According to TSA 
officials, these efforts will allow travel document checkers at the 
three airports to test the three systems in an operational environment 
and provide feedback on the systems' performance. During operational 
testing, TSA plans to assess the systems' performance against key 
performance parameters for detection, passenger throughput, and 
availability. Once operational testing is complete, TSA plans to 
produce a system evaluation report and recommend whether to move 
forward with the acquisition or make modifications. Vendors that 
successfully exit the operational testing phase will be eligible to 
compete for a contract to produce 1,400 units, according to TSA.
---------------------------------------------------------------------------
    \6\ According to TSA, the $3.2 million included costs for 
maintenance, database updates, and training, among other things.
---------------------------------------------------------------------------
    According to the life-cycle cost estimate for the Passenger 
Screening Program, of which CAT/BPSS is a part, the estimated 20-year 
life-cycle cost of CAT/BPSS is approximately $130 million based on a 
procurement of 4,000 units.\7\ As highlighted in our Cost Estimating 
and Assessment Guide, a reliable cost estimate has four 
characteristics--it is comprehensive, well-documented, accurate, and 
credible.\8\ We reviewed TSA's November 2011 life-cycle cost estimate 
for the Passenger Screening Program and compared it with the four 
characteristics. Based on our assessment, the life-cycle cost estimate 
is reasonably comprehensive and well-documented. Regarding accuracy, 
the cost estimate assumes a 1 percent inflation rate from fiscal years 
2015 through 2029, as compared with the historic inflation rates 
calculated for fiscal years 2009 through 2014, which ranged from 3.3 to 
4.5 percent. If a larger inflation rate were used, costs would be much 
higher than what are currently estimated. In addition, we cannot make a 
determination as to the credibility of the life-cycle cost estimate as 
it does not include a risk and uncertainty analysis or an independent 
cost estimate. The risk assessment would quantify risks and identify 
effects of changing key cost driver assumptions and factors.\9\ In the 
cost estimate, TSA indicates that it is pursuing the acquisition of 
risk analysis capability and plans on having such capabilities in time 
for the next life-cycle cost estimate. Likewise, there is no evidence 
that an independent cost estimate was conducted by a group outside the 
acquiring organization to determine whether other estimating methods 
would produce similar results. TSA officials indicated that the agency 
is updating its life-cycle cost estimate to include a risk and 
uncertainty analysis and independent cost estimate, but the document 
has not yet been approved.
---------------------------------------------------------------------------
    \7\ This includes an initial procurement of 1,400 units in fiscal 
year 2013, and an additional 2,600 replacement units by fiscal year 
2029.
    \8\ GAO-09-3SP. The DHS Cost Analysis Division has implemented our 
Cost Estimating and Assessment Guide as the standard for cost 
estimating at DHS.
    \9\ DHS did not approve the life-cycle cost estimate due to the 
lack of risk and sensitivity analysis, according to TSA.
---------------------------------------------------------------------------
    The agency plans to expand the CAT/BPSS deployment schedule 
following successful implementation and testing in the selected airport 
environments. As of June 2012, TSA officials estimated that this could 
occur as soon as the end of this calendar year, depending on the 
results of the operational testing and evaluation phase.
previously identified challenges tsa faces in overseeing acquisition of 
                         screening technologies
    Our past work has identified three key challenges related to TSA's 
efforts to acquire and deploy technologies to address homeland security 
needs: (1) Developing and meeting technology program requirements, (2) 
overseeing and conducting testing of new screening technologies, and 
(3) developing acquisition program baselines to establish initial cost, 
schedule, and performance parameters.
    We have previously reported that DHS and TSA have faced challenges 
in developing and meeting program requirements when acquiring screening 
technologies, and that program performance cannot be accurately 
assessed without valid baseline requirements established at the program 
start. In June 2010, for example, we reported that more than half of 
the 15 DHS programs we reviewed awarded contracts to initiate 
acquisition activities without component or Department approval of 
documents essential to planning acquisitions, setting operational 
requirements, or establishing acquisition program baselines.\10\ We 
made a number of recommendations to help address issues related to 
these procurements. DHS generally agreed with these recommendations 
and, to varying degrees, has begun taking actions to address them. We 
currently have on-going work related to this area and we plan to report 
the results later this fall.\11\ At the program level, in May 2012, we 
reported that TSA did not fully follow DHS acquisition policies when 
acquiring advanced imaging technology (AIT), or body scanners, which 
resulted in DHS approving full AIT deployment without full knowledge of 
TSA's revised specifications.\12\
---------------------------------------------------------------------------
    \10\ GAO, Department of Homeland Security: Assessments of Selected 
Complex Acquisitions, GAO-10-588SP (Washington, DC: June 30, 2010). 
Three of 15 were TSA programs.
    \11\ We are conducting this work at the request of the Senate 
Committee on Homeland Security and Governmental Affairs and the 
Subcommittee on Oversight, Investigations, and Management of the House 
Committee on Homeland Security.
    \12\ See GAO-12-644T, in which we publicly reported some of the 
findings and recommendations from our January 2012 classified report on 
TSA's procurement and deployment of AIT, commonly referred to as full-
body scanners, at airport checkpoints.
---------------------------------------------------------------------------
    We have also reported on DHS and TSA challenges in overseeing and 
testing new screening technologies, which can lead to costly redesign 
and rework at a later date. Addressing such problems before moving to 
the acquisition phase can help agencies better manage costs. For 
example, in October 2009, we reported that TSA had deployed explosives 
trace portals, a technology for detecting traces of explosives on 
passengers at airport checkpoints, in January 2006 even though TSA 
officials were aware that tests conducted during 2004 and 2005 on 
earlier models of the portals suggested the portals did not demonstrate 
reliable performance in an airport environment. As a result, we found 
that TSA procured and deployed a technology that met evolving 
requirements, but not the initial requirements included in its key 
acquisition requirements document that the agency initially determined 
were necessary to enhance the aviation system. We recommended that TSA 
develop a road map that outlines vendors' progress in meeting all key 
performance parameters. DHS agreed with our recommendation and has 
begun taking action to address it.\13\ In June 2006, TSA halted 
deployment of the explosives trace portals because of performance 
problems and high installation costs. In our 2009 report, we 
recommended that, to the extent feasible, TSA ensure that tests are 
completed before deploying new checkpoint screening technologies to 
airports. DHS concurred with the recommendation and has taken action to 
address it, such as requiring more recent technologies to complete both 
laboratory and operational tests prior to deployment.
---------------------------------------------------------------------------
    \13\ GAO, Aviation Security: DHS and TSA Have Researched, 
Developed, and Begun Deploying Passenger Checkpoint Screening 
Technologies, but Continue to Face Challenges, GAO-10-128 (Washington, 
DC: Oct. 7, 2009).
---------------------------------------------------------------------------
    DHS and TSA have also experienced challenges identifying 
acquisition program baselines, which include program schedules and 
costs. Our prior work has found that realistic acquisition program 
baselines with stable requirements for cost, schedule, and performance 
are among the factors that are important to successful acquisitions 
delivering capabilities within cost and schedule. We also found that 
program performance metrics for cost and schedule can provide useful 
indicators of the health of acquisition programs. For example, we 
reported in April 2012 that TSA has not had a DHS-approved acquisition 
program baseline since the inception of the Electronic Baggage 
Screening Program (EBSP) more than 8 years ago.\14\ Further, DHS did 
not require TSA to complete an acquisition program baseline until 
November 2008. According to TSA officials, they have twice submitted an 
acquisition program baseline to DHS for approval--first in November 
2009 and again in February 2011. An approved baseline would provide DHS 
with additional assurances that TSA's approach is appropriate and that 
the capabilities being pursued are worth the expected costs. In 
November 2011, because TSA did not have a fully-developed life-cycle 
cost estimate as part of its acquisition program baseline for the EBSP, 
DHS instructed TSA to revise the life-cycle cost estimates as well as 
its procurement and deployment schedules to reflect budget constraints. 
DHS officials told us that they could not approve the acquisition 
program baseline as written because TSA's estimates were significantly 
over budget. TSA officials stated that TSA is currently working with 
DHS to amend the draft program baseline and plans to resubmit the 
revised acquisition program baseline before the next Acquisition Review 
Board meeting, which is planned for July or August 2012. Establishing 
and approving a program baseline, as DHS and TSA plan to do for the 
EBSP, could help DHS assess the program's progress in meeting its goals 
and achieve better program outcomes.
---------------------------------------------------------------------------
    \14\ GAO, Checked Baggage Screening: TSA Has Deployed Optimal 
Systems at the Majority of TSA-Regulated Airports, but Could Strengthen 
Cost Estimates, GAO-12-266 (Washington, DC: Apr. 27, 2012).
---------------------------------------------------------------------------
    Our prior work on TSA acquisition management identified oversight 
problems that have led to cost increases, delivery delays, and other 
operational challenges for certain assets, such as EBSP, but TSA has 
also taken several steps to improve its acquisition management. For 
example, while we continue to find that some TSA acquisition programs 
do not have key documents needed for properly managing acquisitions, 
CAT/BPSS has a DHS-approved mission needs statement, operational 
requirements document, and acquisition program baseline.\15\
---------------------------------------------------------------------------
    \15\ The life-cycle cost estimate was approved by TSA but not by 
DHS.
---------------------------------------------------------------------------
                     congressional oversight issues
    This hearing provides an opportunity for Congressional stakeholders 
to focus a dialogue on how to continue a sufficient level of oversight 
of the CAT/BPSS acquisition and implementation and other key components 
of the Passenger Screening Program. For example, relevant questions 
that could be raised include the following:
   To what extent, if any, have key performance parameters 
        changed during the course of the acquisition, and how will 
        these changes affect security and efficiency at the checkpoint? 
        What would be TSA's strategy if vendors have difficulty meeting 
        the key performance parameters?
   How will TSA ensure that implementation of the system 
        addresses the security vulnerabilities previously identified?
   What confidence does TSA have in its cost estimates and how 
        is the agency mitigating the risk of cost escalation or 
        schedule delays?
   In managing limited resources to mitigate a potentially 
        unlimited range of security threats, how does CAT/BPSS fit into 
        TSA's broader aviation security strategy? What cost-benefit and 
        related analyses, if any, are being used to guide TSA decision 
        makers?
    These types of questions and related issues warrant on-going 
consideration by TSA management and continued oversight by 
Congressional stakeholders.
    Chairman Rogers, Ranking Member Jackson Lee, and Members of the 
committee, this concludes my prepared statement. I look forward to 
responding to any questions that you may have.

    Mr. Rogers. I thank the gentleman.
    The Chairman now recognizes the Ranking Member for her 
opening statement.
    Ms. Jackson Lee. Chairman, thank you for hosting this 
hearing and, as I indicated to you, two committees that I love 
the most, Judiciary and Homeland Security and, particularly 
these subcommittees seem to have an uncanny ability to overlap 
their committee meetings, particularly mark-ups.
    So let me thank the two witnesses and the Chairman for 
holding this hearing and I would like to have a rhetorical 
response back to the rhetorical question which is the title of 
this hearing that indicates whether it is a wise use and I 
think, to Mr. Hoggan and Mr. Lord, the chief responsibility of 
the hearing today is for you to answer that question.
    I have an answer, I think it is wise, but I think the 
Chairman's inquiry is appropriate, in terms of the procurement 
or the utilization of funds or the technology and contractor, 
whether or not we are at the best level of efficiencies to 
ensure that we get the job done.
    I hope that I will be able to secure some answers on that 
very point. So I thank the Chairman for holding today's hearing 
and I know, from our discussions, that we share the same 
commitment to securing our Nation's transportation systems. We 
also share the same commitment to ensuring that technologies 
procured by the Department are acquired after a robust testing 
and evaluation process.
    Today marks the fourth hearing the subcommittee is holding 
regarding the procurement practices at the Department and 
transportation and security technologies.
    I might add that I have often said that I am interested in 
small, minority, women-owned businesses. I don't know if they 
have a chance to be engaged in this procurement process and the 
question is would they have been better? Is this a small 
business or a large business? I would be interested in knowing 
that.
    Although I welcome the delivered oversight of procurement 
practices carried by this committee, I respectfully reassert my 
request that we hold a hearing evaluating TSA's in-cabin 
security efforts and I look forward to working with the 
Chairman on determining that.
    That is an assessment of TSA's work if they have that 
ability and as well, airlines and what they are doing for in-
cabin security. As we learned on September 11, if all else 
fails, the cabin of an airplane may become our last line of 
defense.
    Today, we will hear from the Transportation Security 
Commission Government Accountability Office regarding the 
procurement goals by TSA on CAT/BPSS. This system has been 
deployed for testing at three major airports since last April.
    As of today, TSA is still working on reviewing the data it 
gathered from testing and evaluating this technology in real-
life conditions. This is a critical step in assessing the 
effectiveness of any piece of technology. As we learned from 
the puffer machines, what works in the lab may not work in 
real-life and this is a large and looming question.
    I look forward to hearing from TSA about its preliminary 
findings on the performance of this technology and what you 
will do next.
    I also look forward to hearing about the risk analysis TSA 
conducted on the use of fraudulent documents by potential 
terrorists. Last year the media exposed an incident in which a 
24-year-old man was arrested after attempting to board a flight 
from a Los Angeles airport to Atlanta using outdated boarding 
passes.
    What was even more alarming was the fact that this same 
individual had already navigated layers of security at JFK and 
boarded a flight using an outdated boarding pass to fly to Los 
Angeles International Airport. This incident underscored the 
need for additional training and technology to enable TSOs to 
detect fraudulent documents.
    This is a learning and growing process. We want it to be a 
learning and growing process by saving the lives of Americans. 
I think TSA is committed to that, and I think this technology 
is one aspect of making good on that promise of securing the 
homeland.
    Since that incident, TSA has been working to identify 
technological solutions to resolve the problem of detecting 
fraudulent documents. The system we will hear about today, CAT/
BPSS, may be one possible technological solution.
    Science is not perfect. Testing a new technology is part of 
the TAFF--test, test, test, improve the technology, test, test, 
test, improve the technology and save lives. There is nothing 
wrong with that.
    I look forward to today's testimony from GAO and TSA that 
we have already heard, and I thank you for your testimony. I 
hope each will shed light and has shed light on the procurement 
process and--identify the type of technology needed to address 
the vulnerability.
    As we know, this subcommittee has been particularly 
interested in ensuring that the procurement goals set forth by 
the Department are administered by the under secretary of 
management and those at TSA.
    Last fall, Mr. Chairman, you held three hearings that 
examined the practices used to evaluate, procure, and deploy 
technology across our transportation system. During these 
hearings we heard from former homeland security officials. They 
testified about the need for greater cooperation between the 
business and Government in developing contract requirements for 
major research projects.
    While this is an interesting thought, as you know, the 
Federal Acquisition Regulations have strict rules about the 
depth and breadth of permissible discussions between Government 
and industry prior to the announcement of a contracting 
opportunity. I think those hearings also made clear that this 
administration has taken action on how TSA and S&T can improve 
this collaboration. Congress needs to support and encourage 
efforts to ensure that Government is more efficient, genuinely 
meets the needs of its customers, the American taxpayers, and 
use our dollars in a fiscally responsible way.
    Unfortunately, under our budgetary constraints, we may lose 
the opportunity to get the best technology. Mr. Chairman, we 
cannot use money to fill every security gap, but we cannot 
ignore money in terms of what the needs are for new technology.
    So I look forward to assessing the procurement problem and 
as well to solving the problem if there is one, but to make 
sure that everything we do is to secure the homeland and to 
save lives.
    With that, Mr. Chairman, I yield back.
    Mr. Rogers. I thank the gentlelady. Now we will turn to 
questions.
    Before I start my questions I wanted to share something 
with Mr. Hoggan, which is not your fault, but it is something 
you should be aware of that your staff has done.
    If you will look up on the screens, you will see written 
testimony that was strikingly similar to testimony we got from 
your predecessor a year ago. That testimony was from a 
different hearing on a different topic. All of the highlighted 
content on this page up on the screen was recycled from that 
hearing. So they basically took your predecessor's testimony 
from a hearing a year ago and gave it to you to regurgitate 
again this year.
    Slide 2, if they can get that up there--guess not--there it 
is. This slide shows that 7 pages of the testimony TSA was--
dedicated less than a paragraph to the specific topic of this 
hearing, and of that, some of the material was also recycled. 
This testimony also does not address any of the questions this 
committee has raised in the past month, including questions I 
specifically raised in a letter to Mr. Pistole.
    I try not to waste your time, and I hope you will have your 
committee make sure they don't waste our time, because it is 
disrespectful.
    With that, as you know, we talked briefly yesterday and I 
am pleased about the turn of events with your postponement. 
About 5 or 6 weeks ago, I along with a number of staff members 
from both sides of the aisle went out to the TSIF to be briefed 
by your staff on this new technology. As a result, we found 
what it could do, but also had real questions about what it 
couldn't do and couldn't get our questions answered 
satisfactorily. We are concerned about the cost.
    So we wrote the letter to Administrator Pistole and it is 
my understanding that you all have now postponed it for the 
third time. I want to know if you agree with the statement that 
if it had not been postponed and we had gone ahead with the 
procurement, with its limitations, it would have been a waste 
of money to do that.
    Mr. Hoggan. Sir, I wouldn't have proposed going forward 
with procurement as it exists today with the information I know 
from OT&E.
    Mr. Rogers. That is what I thought.
    Well, I am glad. I am glad you came in and recognized that 
we don't need to be wasting any money. The fact is that, as you 
know, and I have talked with Administrator Pistole about this 
on numerous occasions, the public is just outraged by what they 
see with TSA and a lot of the wasteful money that has been 
spent in the past. They are looking for us to be better 
stewards and also to be a little bit more threat-based in our 
approach and not treat everybody like terrorists.
    So it has got a lot of problems, but one of them has been 
the money. In these new, more austere times, we are going to 
have to be good stewards of our Federal tax dollars.
    With that in mind, the cost of this technology skyrocketed, 
as you heard me say earlier. It went from $35 million projected 
cost in 2008 to $115 million in 2011. It is a 200 percent 
increase. Can you tell me how that developed?
    Mr. Hoggan. Sir, I will have to get back on you for that. I 
know the original procurement for the 1,400 units could cost 
anywhere from $35 million to $45 million and the life-cycle 
cost estimate over a 20-year time frame would be an additional 
upwards of $130 million over that time, as Mr. Lord had talked 
about, that has to do with the life cycle being anywhere from 7 
to 8 years and a replenishment factor for 2,600 units to manage 
it to 1,400 across that 20-year time frame.
    The specifics of the reasons why the changes had happened I 
will have to research that and I will provide that back to you, 
sir.
    Mr. Rogers. What about this? In 2011, TSA said the cost of 
each machine was going to be roughly $25,000. More recently TSA 
said the cost of each machine is now going to be $100,000. It 
is a pretty big jump.
    Mr. Hoggan. That is incorrect, sir. This is a procurement-
sensitive issue right now, and I could talk to you specifically 
off-line about the individual cost because we are still in the 
middle of the process.
    However, it is not $100,000 per machine. I can assure you 
that.
    Mr. Rogers. Good, I am glad to hear that.
    It took this committee 3 weeks to share--or it took TSA 3 
weeks to share with this committee the cost of this program, 
those numbers which you now point out are incorrect. Given 
these huge cost increases, it is easy to understand why.
    Were you aware it took 3 weeks for your office to get that 
information to us in the time we requested it?
    Mr. Hoggan. No, sir, I am not.
    Mr. Rogers. Okay. Do you find that acceptable?
    Mr. Hoggan. No, sir, I do not.
    Mr. Rogers. Great.
    Tell me what you see is the purpose of the CAT/BPSS.
    Mr. Hoggan. In 2007 TSA, as a layered approach to security, 
took over the boarding pass ID authentication and review at the 
check point from airline employees or individuals as were 
subcontracted by airlines at the departure gates. At that time 
we employed transportation security officers to do the review 
of the documents and the boarding passes.
    What we have found over time--and I will give you the 
example and the numbers--with the 50 States and eight different 
territories we have approximately 600 different permeations of 
IDs that could be presented at checkpoints.
    If you take that into consideration with TWIC cards or CAC 
cards or TESLA cards from the DOD, as well as passports, we 
have upwards of 2,470 different variations of ID's that could 
be presented at a checkpoint alone for travel, you know, on the 
air.
    That being said, a TSO who is deployed at Washington Dulles 
might have a very good understanding of driver's license from 
District of Columbia, State of Maryland, State of Virginia, 
maybe State of Pennsylvania or West Virginia, but they don't 
have a fundamental pure understanding of IDs from other parts 
of the country.
    Notwithstanding, 2,470 different permeations of ID is hard 
for anybody to get a perspective on. So the technology allows 
us to have good authentication of the different travel 
documents that are presented, whether it is the ID and the 
boarding pass. The boarding pass also allows us to have the 
name matches, as well as other fields, not least of which is 
departure date, flight, and so forth to ensure that it matches 
the data.
    So for a human factors component it is very difficult for a 
TSO over time to have a continued high level of proficiency for 
that many variables, but the technology does provide it.
    Mr. Rogers. Thank you. My time is expired.
    The Chairman now recognizes the Ranking Member for any 
questions she may have.
    Ms. Jackson Lee. I thank the Chairman very much. I thank 
the witnesses again.
    Mr. Hoggan, what is the name of the contractor? Are there 
many contractors or just one?
    Mr. Hoggan. Madam, right now there are three contractors 
that have provided BAE Systems. I would have to look at my 
notes for the exact full names of them, but we have three 
contractors now--presented. There were four original 
contractors that came in the procurement, but only three of 
them cleared the process.
    Ms. Jackson Lee. Okay. I don't want to be unfair, but I 
think you have got staff sitting behind you and they are not--
we need to be helpful to the witness. Maybe they can find it 
for you, Mr. Hoggan, so you won't have to look. I think they 
can better look for it.
    Are these small companies or medium-sized companies or 
what?
    Mr. Hoggan. Madam, originally one of them was a small 
business during the procurement life cycle. Subsequently, my 
understanding is, it had been purchased by a larger business in 
the interim and----
    Ms. Jackson Lee. Why don't you read the names into the 
record, please?
    Mr. Hoggan. Names of record are Trans Digital Technologies, 
BAE Systems, NCR Government Solutions.
    Ms. Jackson Lee. Each are offering their type of technology 
or they are collaborating?
    Mr. Hoggan. Each are offering their own type of technology.
    Ms. Jackson Lee. They are involved in the pilot.
    Mr. Hoggan. Yes, madam, they are, in the OT&E.
    Ms. Jackson Lee. Do you find one technology better than the 
other?
    Mr. Hoggan. Not right now. They are very similar. There are 
unique differences. It is preliminary, as we talked about 
before. We are still in the OT&E process. It just completed 
last week. We are in the process of gathering the data. We had 
all the machines at Dulles for 6 weeks and at San Juan and 
George Bush Intercontinental for 4 weeks. So we are pulling the 
data right now.
    But the preliminary information that I have been privy to 
is that they are very similar, but there are some unique 
differences--minor unique differences. One of them might have a 
harder time reading a BlackBerry or----
    Ms. Jackson Lee. So you are not going to at this point in 
time say that of the three, two are out and one is in?
    Mr. Hoggan. No, madam, I am not.
    Ms. Jackson Lee. All right. Let me rapidly move forward on 
my questions, so I can get as many in as possible.
    You are not--so therefore the assessment that we have to go 
back to the drawing board comes from where?
    Mr. Hoggan. The assessment comes from the OT&E review as it 
relates to the technology in detection and most importantly as 
well as reliability and speed for the processing. They are not 
at the levels they need to be, and we found these issues as it 
relates to the IDs, the boarding passes.
    So we want to go back to the manufacturers and update some 
database entries as well as some software----
    Ms. Jackson Lee. So the incident that I recited in my 
statement about a gentleman getting on the plane with a false 
boarding pass generated the interest in trying to enhance 
technology to determine about these false documents?
    Mr. Hoggan. No, madam, we actually started this in 2007 
with integrated product team back when we took over----
    Ms. Jackson Lee. What was the purpose of starting this?
    Mr. Hoggan. It was a travel document checking process that 
we took over with the TSOs. This is the fourth procurement 
event for this type activity. We had an RFP go out in March 
2009 and we had no vendors that qualified with our----
    Ms. Jackson Lee. So then you came back?
    Mr. Hoggan. Yes, madam.
    Ms. Jackson Lee. Do you see a value in the utilization of 
this technology if it can be perfected?
    Mr. Hoggan. Yes, madam, I do.
    Ms. Jackson Lee. How does that value translate to securing 
the homeland?
    Mr. Hoggan. It allows us the opportunity to ensure that the 
people who are traveling, as they present themselves, are who 
they say they are; their ID is authenticated; it matches the 
boarding passes for travel on that day, which then ensures, 
because there are encrypted data that comes through, that all 
those boarding passes have----
    Ms. Jackson Lee. So if someone is leaving West Virginia, 
going to Montana, and they have Montana documents, and you are 
having TSOs who are unfamiliar with Montana documents, can this 
technology enhance that TSO's ability to protect the homeland 
by knowing whether those are false documents, through that 
technology?
    Mr. Hoggan. Yes, madam.
    Ms. Jackson Lee. So there is a value to it?
    Mr. Hoggan. Yes, madam.
    Ms. Jackson Lee. Let me ask you, Mr. Lord. In your 
assessment, is this a valuable technology if it is perfected 
and if it has the efficiencies of scale?
    Mr. Lord. Well, with all due respect, madam, those are 
major ``ifs.'' That is the purpose of the operational test and 
evaluation.
    Ms. Jackson Lee. Do you view the operational test as 
valuable?
    Mr. Lord. Yes.
    Ms. Jackson Lee. Is this what we should be doing?
    Mr. Lord. That is something we have identified in our prior 
work. In the past, TSA's tended to either not do that or 
truncated the testing. So we think it is very important to take 
as much time as needed in operational tests and evaluation to 
ensure the technology you are procuring meets the original 
requirements.
    Ms. Jackson Lee. So how many more tests would you suggest 
they have?
    Mr. Lord. Well, it is the length of the testing period. 
What they are doing is they bought two each, as Mr. Hoggan 
indicated. There are three vendors. They are testing two units 
of each vendors' technology in the three airports. So they 
purchased. The initial buy was 30 for $3 million, so that is 
how he derived the $100,000 per unit cost.
    That is the original up-front cost, but if you are going to 
purchase 1,400, obviously, the unit costs are going to come way 
down. But again----
    Ms. Jackson Lee [continuing]. Not asking for that right 
now.
    Mr. Lord. Yes.
    Ms. Jackson Lee. Go ahead.
    Mr. Lord. Again, but the major lesson learned here is slow 
to train down if you have to. There is an old saying in 
procurement circles, ``If you want it bad, you get it bad.'' So 
that just underscores----
    Ms. Jackson Lee. So, from your perspective, when you are 
dealing with these agencies--and you have just given us a 
review--do you see the validity in this technology, but what 
you are bringing to us as a committee, in terms of our 
oversight, is to slow this process down; be deliberative; 
ensure that the technology will do what it is supposed to do?
    Mr. Lord. Before going with your plan, you know, the full 
buy, yes.
    Ms. Jackson Lee. Full steam ahead.
    Mr. Lord. Yes.
    Ms. Jackson Lee. This is my last--do you have any concern 
that these machines, this technology cannot stand by a 
checkpoint and operate themselves; it requires a TSO personnel?
    Mr. Lord. Yes, it definitely requires--in fact, if you 
looked at the total life-cycle costs of the program, by and 
large, the biggest component is cost of the TSOs to operate the 
machines.
    Ms. Jackson Lee. But if the TSOs are already there, so the 
cost is just the TSOs there now working the equipment. Is that 
correct?
    Mr. Lord. Well, it is going to require some training. That 
is another concern I have. TSA indicated earlier they are 
planning to roll this out in December, but you not only have to 
complete the operational tests and evaluation; you have to 
train new staff.
    So I am encouraged to here today they are thinking of 
moving that date to the right.
    Ms. Jackson Lee. So you would be comfortable if, No. 1, we 
had a more deliberative--when I say we, the oversight of TSA, 
had a more deliberative approach--and I am glad for your 
report, to be very honest with you--and that you would 
certainly want TSOs to be trained?
    Mr. Lord. Properly trained.
    Ms. Jackson Lee. But in your looking at the technology, 
since you have that expertise, do you see it as having some 
ultimate value if done right?
    Mr. Lord. Well, it is--the technology is designed to 
address a real vulnerability, and that is the use of fraudulent 
IDs and boarding passes. So assuming you can get the technology 
to work properly and it meets requirements, there obviously 
would be some value in addressing that vulnerability.
    Ms. Jackson Lee. Mr. Chairman, I thank you.
    Mr. Lord, thank you for affirming the value of saving lives 
through adequate and efficient technology, and how we can work 
through this is, I think, an important point going forward.
    Mr. Chairman, thank you. I yield back.
    Mr. Rogers. I thank the gentlelady. The Chairman now 
recognizes the gentleman from Minnesota, Mr. Cravaack, for 5 
minutes.
    Mr. Cravaack. Thank you, Mr. Chairman.
    Mr. Hoggan, you having fun so far?
    Mr. Hoggan. Yes, sir, I am.
    Mr. Cravaack. Good to hear. Good to hear. Well, anyway, 
thank you for being here today.
    Just some quick questions. In studying for today's 
committee hearing, I just had some questions in regards to the 
system itself. As I understand it, this system is not linked to 
any no-fly lists or any type of State or Federal database. Is 
that correct?
    Mr. Hoggan. That is correct. Right now, it is not linked. 
There is an interoperability requirement in the operation 
requirements document. I believe it is in Section 3.2, Mr. 
Rogers, as we provided. It says it allows the opportunity, 
going forward in time, to do that. It is not in our original 
requirements this time, but if we find, going forward, that we 
need to hook to either something internal or external, there is 
an opportunity to do that, depending on what it is as well as 
taking into concerns, privacy concerns----
    Mr. Cravaack. Well, taking into account your answer, sir, 
my question would be, technically, if a person were able to, 
you know, fabricate a pretty good fake ID, you could have the 
same person at the same address flying on the same day, 
practically at the same time, without interoperability of the 
machines themselves. Would that be a correct statement?
    Mr. Hoggan. Not necessarily because, the--ID, we have 
confidence that the equipment could get it. The no-fly list, 
sir, may I remind you, is connected through the airlines 
reservation systems. So that check will be done behind the 
scenes before the boarding pass is actually generated. So that 
check should already have been done.
    Mr. Cravaack. Okay. But in regards to just the ID 
themselves, wherever there is an offensive measure, there is 
always a countermeasure that will happen later on. We have seen 
that through the years. As a military person, I understand that 
completely. But the bottom line is this system does not track 
travel patterns. It doesn't track who is flying on a certain 
day or anything of that nature; it just takes a look at the 
idea itself and goes from there. Is that correct?
    Mr. Hoggan. That is correct, sir.
    Mr. Cravaack. Okay. The other questions I have--how are 
identifications of an ID--become--there is a question about the 
ID itself. How is that situation then handled?
    Mr. Hoggan. If an ID has some type of warning or notice 
through the process, the TSO then takes a manual review of the 
ID, depending on what the different criteria was that caused 
the error. There is also opportunity in the SOP that a 
supervisory TSO actually does another review on top of that as 
well. Keep in mind we also still have a layered approach based 
on the behaviors and whether it is the TSO watching or behavior 
detection officers. But it is run through a next-level, second-
tier, third-tier review.
    Mr. Cravaack. Well, my question is the technology could be 
such that there is such a high rate of passengers subject to 
additional screening because of the false alarm rate being set 
at a high level that people could be going through security 
and, really through no fault of their own, because they have a 
valid ID, could also be subject to more intense scrutiny.
    So I am a little concerned about that and what I have been 
reading so far on the technology.
    Mr. Hoggan. You are absolutely correct. Some of the 
preliminary information we are finding during the testing 
phase, and we want to go back and address those specific areas 
of concern and go back with the vendors as relates to the 
database as well as the algorithms and make those modifications 
and changes.
    It is currently performing very near the standard it is 
supposed to be at in some areas. In others, it is not, and we 
need to address that. So that is the intent of extending the 
test and evaluation.
    Mr. Cravaack. Has the TSA worked in conjunction with S&T 
Directorate or the DOD?
    Mr. Hoggan. Yes, sir. We work with S&T as it relates to our 
operational test and evaluation. We are a DHS-approved testing 
facility for this type of technology.
    Mr. Cravaack. Okay, that is good to hear.
    Mr. Lord, can you tell me that TSA--and, kind of, jumping 
on what Ms. Jackson was saying, the TSA has said in the past, 
at least in my readings, that this technology, the purchase of 
this technology, would help reduce workforce needs?
    Is that a true or incorrect statement?
    Mr. Lord. I am not sure at this point, sir. I would have to 
go back and look at the workforce projections. But, again, this 
is not a piece of technology that works--I mean, it works in 
conjunction with the transportation screen officer. He is still 
standing at the platform and he is on--the technology gives you 
read, essentially red light/green light, and he is the one that 
has to interpret that and then make the judgment, in some cases 
referred a person to secondary screening or another person for 
review.
    So it does not eliminate the need for a TSO, just to be 
clear.
    Mr. Cravaack. So it would not necessarily reduce workforce.
    I have just been handed a note from our staff that S&T is 
saying that they didn't play any role in your study, sir. So 
seeing that time is over, will there be a second round, sir?
    Okay. With that, sir, I will yield back.
    Mr. Rogers. Thank you. The Chairman now recognizes Mr. 
Walberg for any questions he may have.
    Mr. Walberg. Thank you, Mr. Chairman.
    Mr. Hoggan, currently this technology doesn't connect to 
any other State or Federal database, as I understand.
    Mr. Hoggan. That is correct, sir.
    Mr. Walberg. To me, that seems like an obvious 
vulnerability for coordination that generally you think would 
be important. What plans does TSA have to link this technology 
to other databases in the future?
    Mr. Hoggan. It is something that we need to review once we 
get the original requirements moving forward. That is in the 
second phase, to make that determination. Originally, this 
program was set to do ID authentication and then boarding pass 
matching with the names. As we go forward in time, that is 
definitely something we will review.
    Mr. Walberg. Speaking of review, could you describe the 
initial results from the operational testing and evaluation of 
the technology at Dulles, at George Bush International--or 
Intercontinental Airport, basically those airports, what were 
the results of the operational testing?
    Mr. Hoggan. Well, the operational testing just completed 
last week, so they are providing the reports to me now. But the 
anecdotal information I have been giving is that there are some 
issues as it relates to boarding pass authentication, whether 
it is encrypted with--you need to have 2D bar codes to have it 
encrypted; 1D doesn't necessarily do that.
    There are some issues when name matches, presentation of 
names--first, last and changes. There are also some issues as 
it relates to IDs.
    You know, some States, like I said, with the 50 States and 
the eight territories, there are 600 permeations. I have in my 
pocket right now a Virginia State ID that is well over 5 years 
old, but there are a lot of individuals who have different IDs.
    So you also have problems with wear on the IDs, and 
different security features on there that are causing problems, 
as well. So these are the little things we are looking at. 
There is a slight problem with one of the vendors as it relates 
to reading mobile boarding passes. There are some changes that 
have to be done on that.
    But the exact specifics, I don't have a full document. This 
is just anecdotal information I have from talking with 
individuals.
    Like I said, we just completed that. We are still in the 
process. We haven't finished it. So if you would like, as soon 
as I have that preliminary report I would be more than happy to 
share it to the committee.
    Mr. Walberg. I think we would appreciate that.
    Mr. Hoggan. Okay, sir.
    Mr. Walberg. In your view, how does the technology propel 
TSA forward in a more economical threat-based--as a more 
economical threat-based agency?
    Mr. Hoggan. Economical in meaning the saving--the TSOs in 
the process?
    Mr. Walberg. Savings across the board.
    Mr. Hoggan. Well, as Mr. Lord had said, the original 
requirements document showed a processing rate of 240 
passengers an hour, which is comparable to the planning, 
staffing levels that we have today. So I will have to research 
and find the documentation that, Chairman Rogers, you had 
referred to, as well as you, sir, that it would be a savings. 
Right now I don't project it to be a savings of staff. I 
project it to be an increased opportunity to cover a 
vulnerability that we have and have a better detection 
capability as it relates to fraudulent IDs as well as ensuring 
that the passenger is the one that has gone through the Secure 
Flight engine.
    But as it relates to the economics of saving FTE or TSOs, I 
don't see that being the case right now. So I will have to 
research the documents that you refer to.
    Mr. Walberg. Thank you. Mr. Lord, given TSA's track record 
of having a continuously expanding workforce, do you think that 
this technology realistically could lead to a reduction in the 
TSA workforce needs?
    Mr. Lord. I am not sure at this point. We will have to wait 
and see how the tests and evaluation phase goes. Again, that is 
still being tested. So they anticipated some reductions 
initially. But I always like to see how the testing goes before 
finalizing my judgment.
    The good news is they are conducting a separate operational 
test and evaluation phase for the technology. As Mr. Hoggan 
indicated, they are already identifying some issues with 
throughput and character recognition, et cetera.
    So that is--I mean, that is good. They are trying to fix 
the bugs, so to speak.
    Mr. Walberg. In your experience, Mr. Lord, when a 
Government agency is planning procurement, do they generally 
have a sense of what the cost will be?
    Mr. Lord. Oh, yes. The DHS acquisition guidance requires 
before you start purchasing, before--it is called--at the end 
of the so-called analyze phase you are supposed to have a 
validated life-cycle cost estimate. So you are supposed to have 
a pretty good idea what your costs are going to be. It is not 
sufficient to just generate a life-cycle cost estimate. You 
have to have a review by an outside party to help ensure there 
is no bias in their projections.
    We note, at least with this program, as part of this 
passenger screening program, the life-cycle costs for the 
larger program is yet to be validated by an outside entity, so 
that is something I raise in my statement today, a concern.
    So, you know, we are not sure what the costs are gonna be 
at this point.
    Mr. Walberg. Thank you. I yield back.
    Mr. Rogers. I thank the gentleman.
    I want to pick back up where my questioning left off when I 
had asked Mr. Hoggan the purpose of the CAT/BPSS. I would ask 
Mr. Lord, do you believe the CAT/BPSS would identify terrorist 
threat?
    Mr. Lord. Well, that is a really important question. It is 
oriented to detect the use of fraudulent IDs. There have been 
some instances where--in the past where terrorists have been 
exposed and--have used fraudulent IDs. But, again, you have to 
make the overall judgment. The system is gonna cost over $100 
million. Is it--it is gonna provide some incremental benefit. 
Is it justifiable? I have not seen the cost-benefit analysis 
that clearly lays that out. But there have been instances in 
the past--terrorists have used fraudulent documents. So it 
potentially could help address that vulnerability. But----
    Mr. Rogers. I would ask either one of you if you are aware 
if TSA's done a cost-benefit analysis of the potential costs 
against the benefit that we would incur.
    Mr. Hoggan or Mr. Lord, either one.
    Mr. Lord. I haven't seen one. Mr. Hoggan could correct me 
if needed.
    But part of the problem is that a key component of that is 
the life-cycle cost assessment, and that is not completed yet 
because it hasn't been fully validated. So I am not sure how 
they could do one because that is a big piece of it, having a 
validated cost----
    Mr. Rogers. Do you know, Mr. Hoggan?
    Mr. Hoggan. Mr. Lord is correct, we actually submitted our 
life-cycle cost estimate to DHS in November 2011. It came back 
in the spring of 2012 for review and adjustment, as well as an 
introduction of the risk analysis that is in review. We expect 
to have it back to DHS inside of 30 days, sir.
    Mr. Rogers. Do you know, Mr. Hoggan if the CAT/BPSS is in 
any way based upon or pulling from intelligence about a known 
terrorist threat? You know, one of my concerns when we were out 
there was the no-fly list was not pegged against what it was 
scanning for.
    Mr. Hoggan. The no-fly list right now as I was talking to 
the gentleman comes through the air carriers as it relates to 
the issuance of the boarding passes. So that is how it is tied 
into the system.
    Now, if you are asking whether the system----
    Mr. Rogers. So you are saying the boarding pass----
    Mr. Rogers [continuing]. Pinged off the no-fly list?
    Mr. Hoggan. Yes, sir, to be able to get the boarding pass 
generated by the air carrier it must go through the Secure 
Flight process.
    Mr. Rogers. You know, the biggest threat that we are facing 
right now when it comes to air security is the non-metallic 
explosive device. Do you know if there is anything about this 
other than detecting somebody is not who they pretend to be 
that would detect an explosive device on the person?
    Mr. Hoggan. No, sir. This is a credential authentication 
and boarding pass authentication. It has got nothing to do with 
screening of the passengers.
    Mr. Rogers. Okay.
    I want to go back to Mr. Walberg's questions. One of the 
things I was wondering when they were demonstrating the devices 
to our group was why would we still need TSOs--if they can 
develop this technology so it has a higher degree of 
proficiency and we feel comfortable that it will add benefit, 
why would we need a TSO to put the driver's license or the 
boarding pass in the machine? Why couldn't we let the passenger 
do that and then if the green light goes off a little gate open 
and they can walk on through? All you need is one TSO to watch 
each of the gates to make sure people only going through on a 
green light, or if somebody got a red light then go over and 
interdict.
    You know, why do we have to have just as many people--you 
know, you go to McDonald's now and you pour your own Coca-Cola, 
you know. Why can't we just take some of that approach?
    Mr. Hoggan. Because we are--the technology is not there, 
yet, sir, to be honest with you. As I said, this is the fourth 
time we have gone through. The first time we put an RFP out we 
had zero vendors that actually met our requirements. The second 
time we had one, and we couldn't have a procurement with just 
one vendor. This was in March, if I am not mistaken. I have it 
written down, if--I can tell you the exact months if you want--
but it would have been in March 2009.
    Then again it would have been--I am sorry--July 2009. Then 
a third time there were no vendors that met the requirements, 
the minimum requirements--in October 2010. This is the fourth 
time they came through, which is April 2011.
    In a perfect world, going forward in time, is that 
technology matures, and part of our spiral development and 
getting technology that meets our baselines, I could foresee 
that happening. But as it exists today with the technology you 
still have to have the TSO there to do a couple things.
    The first thing that is most important is a visual check to 
make sure that the picture on the ID matches the person----
    Mr. Rogers. Right, right.
    Mr. Hoggan [continuing]. That presents themselves, as well 
as ensuring that the compliance of the boarding passes are 
actually compliant in ensuring all the information is in there 
as it relates to----
    Mr. Rogers. See, the machine ought to do that, though. 
Before you ever purchase that machine, the second----
    I agree first item is a point that is valid. The second 
item, that machine ought to tag that base.
    Mr. Hoggan. You are absolutely correct. The machine does 
that. But if the information is not provided accurately from 
the carriers as they present the information on the boarding 
pass, the machine can't read what is not there. So that is why 
we continue to have outreach with the carriers to ensure that 
we have the encryption and we have the information in the 
specific fields in the boarding pass that we want in the bar 
code----
    Mr. Rogers. Right.
    Mr. Hoggan. Provided we have that and we have a good 
representation and a consistent representation of that 
information of the passenger, I could accept your comment. But 
right now it is not there.
    Mr. Rogers. Well, you know, as I told you yesterday, one of 
the things I would invite you all to do--and I have done this 
with department heads across the entire Department--is to have 
more of an open dialogue with the private sector about what you 
are trying to do. I think you may find these goals are 
achievable, including the self-service approach, if we think 
about it and we talk about the subject matter with the private 
sector before we do the RFP.
    But thank you very much.
    We will now go to Mr. Cravaack for a second round of 
questions.
    Mr. Cravaack. Thank you, Mr. Chairman.
    Thank you, again.
    I wanted to just say thank you for the prescreening for our 
troops. Appreciate that. I mean, we are going to the risk-based 
analysis, so thank you. It gives me a nice smile when I see a 
trooper that is coming back from Afghanistan able to not be 
strip-searched and able to get through. So thank you very much.
    With that said, in regard to the risk-based analysis, the 
deployment of the machines themselves, I have read, is going to 
be evenly distributed throughout the system. Would that be a 
correct statement?
    Mr. Hoggan. The original deployment plan as listed in the 
operations requirement document would be the purchase of 1,400 
units, which simple math says if we have 2,800 lanes it is one 
for every two, and that was what was in there.
    As it relates to which ones go where and which sequence, if 
in fact that we did purchase all 1,400 based on the 
requirements, there would be threat-based and risk-based.
    Mr. Cravaack. Okay.
    Mr. Hoggan. It would be deployed at our higher-risk 
airports----
    Mr. Cravaack. Good.
    Mr. Hoggan. I am sure JFK would get it before a much 
smaller airport that only handles 10 passengers a day, sir.
    Mr. Cravaack. Yes, as I understand it they were supposed to 
be all deployed at one time, so that is----
    Mr. Hoggan. Yes, that couldn't happen. We would never 
deploy anything at one time.
    Mr. Cravaack. Yes, okay.
    Mr. Hoggan. It would be staggered based on risk, sir.
    Mr. Cravaack. Yes, I read that.
    Just to make sure that I understand what this system does, 
it is a stand-alone system, is that correct? It isn't----
    Mr. Hoggan. That is correct, sir.
    Mr. Cravaack. No interoperability with any other Federal, 
State, or airline databases, is that correct?
    Mr. Hoggan. For the machine--correct.
    Mr. Cravaack. At the same time, does not alleviate any 
workforce demands upon the system, is that correct?
    Mr. Lord. That is correct.
    Mr. Cravaack. Okay.
    We really don't have any source of action regarding false 
alarm rates and, you know, how do we adjust for that and making 
sure that the system works correctly and what we do with false 
alarms and what kind of false alarm rate system we have, is 
that correct?
    Mr. Lord. Well, we are in a process of reviewing that with 
DOE T&E. We have standards that we have for the machines to 
choose it. But there will be a protocol in place to address 
anything that is a false alarm not unlike what we had the day 
with our other technology and checkpoints.
    Mr. Cravaack. Okay, then with all that said, and I commend 
your decision to not pursue rolling the system out until those 
questions are answered, I can't support this program 
whatsoever. Though like the Chairman says, the concept is 
great, but we have to--before we do something like we did with 
the puffer machines and spent a lot of the taxpayers' hard-
earned money on systems that don't work, I highly recommend, 
sir, that you step back, reevaluate the situation and then make 
sure that we have the proper procedures and the proper 
equipment with the layered security that you were just--we all 
want and need to make sure our traveling public is safe.
    So with that, thank you very much sir, I appreciate all 
your information, Mr. Lord as well.
    I will yield back.
    Mr. Rogers. I thank the gentleman.
    The Chairman now recognizes Mr. Walberg for a second round 
of questions.
    Mr. Walberg. Thank you, Mr. Chairman.
    Going back to analysis, Mr. Hoggan, did TSA use independent 
cost validation?
    Mr. Hoggan. We did not, I don't believe we did, sir.
    Mr. Walberg. Okay, so no concern about looking, letting 
someone outside look in?
    Mr. Hoggan. It is my understanding that we performed with 
the DHS acquisitions directorate but I will double check that. 
I am not sure that that is in there. I will have to follow up, 
I apologize, I will have to get information back with you on 
that, sir.
    Mr. Walberg. Then let me ask you, has TSA developed 
procedures for the travel document checker if the technology we 
are discussing at the checkpoint experiences a system failure, 
would there be a TSO there trained in the lights and loupes 
method?
    Mr. Hoggan. Yes, absolutely sir, that would be a backup for 
the procedure that we have in place, not unlike what actually 
exists across the Nation.
    Mr. Walberg. Any other backup other than that in case the 
system goes down?
    Mr. Hoggan. No, you would refer back to the process that we 
have in place. Again, this is a huge vulnerability we hope to 
cover and move it--refer back to what we are doing today.
    Mr. Walberg. Thank you.
    Mr. Lord, you have got definitely a lot of experience in 
assessing weaknesses in TSA's past procurements. What concerns 
me and I think our committee is that it appears that the TSA is 
not applying lessons learned from its past missteps to this 
procurement.
    Can you discuss some of the problems that you identify with 
TSA's procurement process for this technology thus far?
    Mr. Lord. In general, the lessons learned have been a 
three-fold. First, it is important to test and evaluate any 
technology you are procuring. It is important to have clear 
requirements set up front so you can measure what are the--
requirements. It is also important to adhere to, you know, to 
document the major decisions. These are some of the lessons 
learned.
    We have found in the past and specific to this platform, 
one thing Mr. Hoggan noted as there could be some issues 
related to throughput, which is related to throughput, which 
is, you know, an important consideration to look at when you 
are evaluating the technology. So rather than change the 
requirements, we would like to know: Is TSA going to respond to 
that concern?
    Well they hopefully take a little longer and work with the 
vendor and ensure they get the throughput they are looking for 
rather than modify and of the, you know, the requirements.
    Mr. Walberg. Okay.
    Thank you.
    I yield back.
    Mr. Rogers. Just one point of clarification, Mr. Hoggan. In 
response to Mr. Walberg's question, you referred to this false 
identification problem as being a huge vulnerability. Could you 
expand on that? What did you mean by it?
    Mr. Hoggan. It is a vulnerability, I am sorry if I said 
huge. But there is a vulnerability that we need to ensure that 
the----
    Mr. Rogers. Well I agree. When you said huge, it made me 
think that this was a much more prominent problem----
    Mr. Hoggan. I am sorry, I meant a vulnerability----
    Mr. Rogers. Right, right.
    Mr. Hoggan [continuing]. Not a huge vulnerability.
    Mr. Rogers. I knew that we had occasional false IDs, I 
didn't think it was happening that much except down on the 
border now, we have them all the time coming in our ports of 
entry down in El Paso and other places. So we might see this 
technology being used in some of those ports of entry, 
hopefully only at a much lower cost because these numbers are 
pretty staggering.
    But with that, I want to thank the witnesses for their 
time. I will remind you that the Members who could not be here 
because of conflicts may have questions and these Members as 
well as I may have some additional questions we will submit to 
you in writing.
    So for the next 10 days, this hearing will remain open for 
that purpose. If you do get those written questions, I would 
ask that you provide timely responses to those. Thank you 
again.
    This hearing is adjourned.
    [Whereupon, at 2:17 p.m., the subcommittee was adjourned.]

                                 
