[Senate Hearing 112-164]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-164

                     ARE OUR NATION'S PORTS SECURE?
 EXAMINING THE TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL PROGRAM

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 10, 2011

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation











                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
71-433 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001










       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 JIM DeMINT, South Carolina
MARIA CANTWELL, Washington           JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas                 JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri           ROY BLUNT, Missouri
AMY KLOBUCHAR, Minnesota             JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico                PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia                MARCO RUBIO, Florida
MARK BEGICH, Alaska                  KELLY AYOTTE, New Hampshire
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
   Brian M. Hendricks, Republican Staff Director and General Counsel
            Todd Bertoson, Republican Deputy Staff Director
                Rebecca Seidel, Republican Chief Counsel












                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 10, 2011.....................................     1
Statement of Senator Lautenberg..................................     1
Statement of Senator Ayotte......................................     6
Statement of Senator Klobuchar...................................     7
Statement of Senator Boozman.....................................     7
    Prepared statement...........................................     7
Statement of Senator Begich......................................    55
Statement of Senator Wicker......................................    57
Statement of Senator Snowe.......................................    59
    Prepared statement...........................................    62

                               Witnesses

Hon. John L. Mica, Chairman, Committee on Transportation and 
  Infrastructure, U.S. House of Representatives..................     1
    Prepared statement...........................................     3
Hon. John S. Pistole, Administrator, Transportation Security 
  Administration, U.S. Department of Homeland Security...........     8
    Prepared statement...........................................    10
Rear Admiral Kevin S. Cook, Director of Prevention Policy, U.S. 
  Coast Guard....................................................    11
    Prepared statement...........................................    13
Stephen M. Lord, Director, Homeland Security and Justice Issues, 
  U.S. Government Accountability Office..........................    16
    Prepared statement...........................................    17

                                Appendix

Response to written questions submitted to Hon. John S. Pistole 
  by:
    Hon. Bill Nelson.............................................    71
    Hon. Frank R. Lautenberg.....................................    73
    Hon. Jim DeMint..............................................    75
    Hon. Roger F. Wicker.........................................    77
Response to written questions submitted by Hon. Frank R. 
  Lautenberg to Rear Admiral Kevin Cook..........................    79
Letter dated July 6, 2011 to Hon. Frank R. Lautenberg and Hon. 
  Bill Nelson from Stephen M. Lord, Director, Homeland Security 
  and Justice Issues, U.S. Government Accountability Office......    80

 
                     ARE OUR NATION'S PORTS SECURE?
 EXAMINING THE TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL PROGRAM

                              ----------                              


                         TUESDAY, MAY 10, 2011

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 2:30 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Frank R. 
Lautenberg, presiding.

        OPENING STATEMENT OF HON. FRANK R. LAUTENBERG, 
                  U.S. SENATOR FROM NEW JERSEY

    Senator Lautenberg. I'm pleased to open this hearing of the 
Committee on Commerce, Science, and Transportation. We've got 
important subjects at hand here.
    And we are pleased to see our colleague from the House of 
Representatives, The Honorable John Mica, who is the Chairman 
of the Committee of Jurisdiction on the House side.
    And, Mr. Mica, we welcome you. And we ask you to give your 
testimony. It's customary to have a 5-minute period for 
presentation, but if there is a need to extend it, please don't 
be unwilling to ask for it. And we'll start the clock, please, 
at the 5-minute level.
    Thank you.
    And, Mr. Mica, the table--the microphone is yours, sir.

    STATEMENT OF HON. JOHN L. MICA, CHAIRMAN, COMMITTEE ON 
       TRANSPORTATION AND INFRASTRUCTURE, U.S. HOUSE OF 
                        REPRESENTATIVES

    Mr. Mica. Well, thank you. And I'm pleased to be on the 
Senate side this afternoon, and also to work jointly with your 
committee.
    And actually, I'm here today because I think the subject 
before you is--well, the title is, ``Are Our Nation's Ports 
Secure? Examining the Transportation Worker Identification 
Credential Program.'' And I think also you're going to focus on 
a GAO report that I had the opportunity to be a co-requester 
with members of this important Senate committee. So, I will try 
to talk about both the GAO report and also the issue at hand of 
credentialing our transportation workers.
    I've submitted a full statement for the record, and I'll 
just give some comments here.
    As you know, Mr. Chairman and other members, for nearly a 
decade now the federal government has struggled to produce a 
transportation worker identification credential. We've tried to 
produce a credential for airport and transportation workers. 
We've attempted to produce a pilot's license. And we've also 
attempted to produce a frequent airline traveler identification 
card. After spending years and nearly half a billion dollars, 
we have, unfortunately, missed the mark. We've spent nearly 
half a billion dollars, and unfortunately, we do not have a 
TWIC card that provides secure identification, as you'll hear 
from GAO today, and also that your committee staff has revealed 
in their report.
    I read your committee report. Being a former Senate 
staffer, I want to thank them. They did some excellent work. 
The report--the key findings are summarized very clearly--it 
says, ``GAO investigators were able to access secure 
facilities''--this is using TWIC cards or fraudulent cards--
they ``were able to access secure facilities at U.S. ports 
during covert tests in which they presented either counterfeit 
TWIC cards, authentic TWIC cards obtained through fraudulent 
means, or falsified reasons for requesting access to the 
security.'' Then they also summarized and said, the--``DHS has 
not adequately assessed the effectiveness of the TWIC Program, 
nor has DHS demonstrated that the current TWIC Program enhances 
port and facility security better than what we've had in the 
past.''
    One other key finding is the GAO--in the GAO report, that 
you cite in your report, is that TSA does not have clear 
criteria for applying discretionary authority to applicants who 
have past criminal convictions.
    These are just the highlights of some of the findings, not 
that I came up with, but that your staff recited from the GAO 
report.
    As Chair of the House Aviation Subcommittee, I helped to 
launch--work with many members on this side--the Transportation 
Security Administration, some years ago, in 2001. Even in that 
first measure, Congress recognized and requested development of 
a secure ID for transportation workers. In 2004, I helped pass 
legislation to require the FAA to replace a paper pilot 
identification card. And we put in the law that we required a 
durable, biometrically-enabled license that also had a 
photograph of the pilot on the--this durable new identification 
license.
    After spending billions--I'm sorry--after--I get used to 
billions today--but, after spending millions, FAA produced a 
license that was durable. However, it didn't have a biometric 
means. And I know there'll be a call today for having some 
unification of these different licenses and IDs, and what 
components they'd have. But, they finally produced, again, a 
card, at millions of dollars, that does not have a biometric 
measure and code--and coding capability. And the only pilots 
that appear on the document, on the license, are Wilbur and 
Orville Wright. I don't know if you've seen this, but this is--
turn the--show them Wilbur and Orville Wright, there. So, 
there's--we spent millions of dollars, we produced this 
license, and it actually is not acceptable with TSA, as an ID. 
It doesn't have a--even a photo of the pilot on it.
    When you talk to FAA about this, they point to Homeland 
Security, and then they point to TSA, for trying to get 
directions.
    So, after spending hundreds of millions of dollars on a 
TWIC card, now we find, this report says, that it can easily 
fraudulently be used.
    We still lack deployment of readers. We've issued about 1.7 
million of these cards, but we don't have a reader. The TWIC 
card does have biometric measures for fingerprint. Iris is on 
its way, we're told. It has a photo. But, we don't have a 
reader capable of confirming the identification of the person 
using the card, and knowing that, in fact, is the same person 
that's on the ID, or carrying the ID.
    With--right now, the U.S. House and also your help in the 
Senate--and this is a very important hearing because I'm hoping 
this will help prod the agencies to soon have a TWIC card with 
full biometric fingerprint and iris capability, and also 
readers capable of a reliable confirmation. However, even with 
that equipment and with that new capability, it will not 
address some of the fraudulent issues that are uncovered by 
GAO.
    So, I'm pleased to come----
    Senator Lautenberg. Mr. Mica, we will put your full 
statement into the record. I made a slight error when I invited 
you to go first without making my own statement. So, we listen 
with interest, have heard your public comments about how you 
saw things, in your testimony, here today. So, I am going to 
make my statement. And if you need a minute more, I'm happy to 
give it to you.
    Mr. Mica. Thank you. I'd like to hear your statement. Thank 
you.
    [The prepared statement of Mr. Mica follows:]

    Prepared Statement of Hon. John L. Mica, Chairman, Committee on 
    Transportation and Infrastructure, U.S. House of Representatives
    Mr. Chairman, Ranking Member Hutchinson, and members of the 
Committee, thank you for the opportunity to testify before you today on 
the progress, or lack thereof, of the Transportation Worker 
Identification Credential--or ``TWIC''--Program. It is a privilege to 
appear before you, and I thank you for your continued and vigilant 
oversight on this important issue.
    As you may know, I am one of the co-requestors of the Government 
Accountability Office (GAO) report that I believe this Committee will 
release today on the weaknesses of the TWIC Program. As Chairman of the 
Transportation and Infrastructure Committee in the House of 
Representatives, I can attest that the Members of my Committee are 
committed to ensuring the security of the transportation workers and 
transportation infrastructure they oversee as part of their role on the 
Committee. As an original author of the legislation that created the 
Transportation Security Administration (TSA) after 9/11, I also feel a 
personal sense of obligation to ensure that this important piece of our 
nation's defense apparatus is operating as the efficient and effective 
security agency it was intended to be.
Government Coordination on Transportation Security
    In the wake of 9/11, the federal government realized how disastrous 
storing information in government silos could be. Information-sharing 
became a top priority and the administration directed departments and 
agencies to work together to ensure all relevant information is on the 
table at all times. During this time, the TSA was transferred from the 
Department of Transportation (DOT) to the newly-created Department of 
Homeland (DHS).
    Homeland Security Presidential Directive-7 directed DHS and DOT to 
``collaborate on all matters relating to transportation security and 
transportation infrastructure protection.'' \1\ In 2004, the two 
Departments entered into a Memorandum of Understanding and jointly 
expressed a desire for a ``strong partnership in order to reduce the 
vulnerability of transportation passengers, employees, and systems to 
terrorism and other disruptions.'' \2\ Each department would have 
regulatory responsibilities in the area of transportation security, and 
would communicate and cooperate on funding for transportation security 
projects.
---------------------------------------------------------------------------
    \1\ ``Homeland Security Presidential Directive-7: Critical 
Infrastructure Identification, Prioritization, and Protection,'' The 
White House. December 17, 2003.
    \2\ ``Memorandum of Understanding between the Department of 
Homeland Security and the Department of Transportation on Roles and 
Responsibilities.'' September 28, 2004.
---------------------------------------------------------------------------
    As evidence of this partnership, TSA officials have appeared before 
the Transportation and Infrastructure Committee more than a dozen times 
since the agency was transferred to DHS at the end of 2002. In January 
2008, former-TWIC Program Director Maurine Fanguy provided an update to 
the Committee on the TWIC Program.
    So you will understand my surprise when TSA Administrator Pistole 
and TWIC Program Manager John Schwartz declined an invitation to 
testify before the Transportation Committee on the same issue in April 
of this year.
    I don't understand what has changed, but I do want to impart to 
Administrator Pistole, who I understand is testifying on the next 
panel, that it is imperative that jurisdictional issues not interfere 
with progress, particularly when money is being poured into flawed 
security programs. As evidenced by my appearance before this Committee 
today, Congress does indeed want to work together on these important 
issues and it is not the role of any government agency to interpret 
jurisdictional boundaries of Congressional Committees.
Transportation Worker Identification Credential (TWIC) Program
    With that said, I did come here today to discuss the TWIC Program. 
According to TSA, 1.86 million people have enrolled, 1.72 million cards 
have been activated,\3\ and $420 million has been provided to the TWIC 
Program. In 2007, DHS estimated that the combined cost to the federal 
government and the private sector may reach $3.2 billion over a ten-
year period--not taking into account the full cost of ``implementing 
and operating readers.''
---------------------------------------------------------------------------
    \3\ ``Transportation Worker Identification Credential (TWIC) 
Program Briefing'' to the House Committee on Oversight and Government 
Reform, Transportation Security Administration. May 2, 2011.
---------------------------------------------------------------------------
    TWIC is turning into a dangerous and expensive experiment in 
security. Nearly half-a-billion dollars have been spent since the 
Maritime Transportation Security Act of 2002 directed the Secretary of 
DHS to issue biometric transportation security cards to maritime 
workers. Yet today, 10 years later, TWIC cards are no more useful than 
library cards. In fact, the only port that GAO investigators were NOT 
able to gain access to using fraudulent means was the port that still 
required port-specific identification for admittance to secure areas.
    We have also learned from GAO that:

        1. Individuals can obtain authentic TWICs using fraudulent 
        identification documentation;

        2. Individuals can gain access to ports using counterfeit 
        TWICs; and that, among other things,

        3. TSA is unable to confirm that TWIC holders maintain their 
        eligibility throughout the life of their TWIC.

    This is a troubling scenario and counterintuitive to the purpose of 
the program. GAO determined that an individual does not have to prove 
who they say they are when enrolling in the program. In other words, an 
individual can present a fraudulent identification document with 
somebody else's name, but provide their own fingerprints to obtain an 
authentic TWIC card. In this instance, the TWIC card transforms into a 
biometric key that unlocks our nation's ports and facilities for any 
individual with the intent and desire to do us harm.
    GAO tells us that DHS has not assessed whether or not the TWIC 
program enhances security or not. In fact, DHS cannot demonstrate that 
TWIC--as implemented and planned--is more effective than the approach 
used to secure ports and facilities before 9/11.
    I believe we must begin to ask if these vulnerabilities in fact 
make our nation less secure.
TSA Needs to Conduct Cost-Benefit and Risk Analyses of Programs Prior 
        to Funding
    The root of this problem is evidenced in many other TSA programs as 
well--this fledgling agency still does not conduct risk assessments and 
cost-benefit analyses of its security programs as required by law.
    TSA's Screening People by Observation Techniques--or ``SPOT''--
program, will require $1.2 billion over the next 5 years, but TSA has 
yet to validate the underlying methodology of the program or to conduct 
a cost-benefit analysis.\4\
---------------------------------------------------------------------------
    \4\ ``Efforts to Validate TSA's Passenger Screening Behavior 
Detection Program Underway, but Opportunities Exist to Strengthen 
Validation and Address Operational Challenges.'' U.S. Government 
Accountability Office, May 2010.
---------------------------------------------------------------------------
    Likewise, GAO found in April of last year that TSA has not 
conducted comprehensive risk assessments across the surface 
transportation sector.\5\ This lack of analysis results in ill-informed 
resource allocations and more importantly calls into question whether 
the highest risk targets are being secured. In light of the plot 
against the U.S. rail sector uncovered in the Bin Laden raid, it is 
alarming that TSA still has not addressed recommendations to close 
these gaps.
---------------------------------------------------------------------------
    \5\ ``Surface Transportation Security: TSA Has Taken Actions to 
Manage Risk, Improve Coordination, and Measure Performance, but 
Additional Actions Would Enhance It's Efforts.'' U.S. Government 
Accountability Office, April 2010.
---------------------------------------------------------------------------
Biometric Pilot Licenses
    TSA is not the only agency that has struggled to develop a 
biometric credential for transportation workers. In April, the Federal 
Aviation Administration (FAA) testified before my Committee on the long 
delayed development of biometric pilot license. Although Congress 
mandated that pilot licenses include biometric identifiers in the 
Intelligence Reform and Terrorism Prevention Act of 2004, FAA has yet 
to produce them. FAA recently spent $2.7 million to issue 700,000 pilot 
licenses that complied with one requirement of the 2004 legislation--
they are now plastic instead of paper and therefore tamper-resistant. 
Unfortunately, the requirements to include a photograph and biometric 
identifiers were not taken into consideration.
    In closed door sessions with my Committee, FAA informed Members 
that they believed TSA was going to produce a biometric standard for 
them, perhaps in the form of a TWIC card.
    Given the testimony that you will hear today, and the results of 
this GAO report, I think it is safe to say that roping additional 
transportation workers into the TWIC Program is an idea destined for 
disaster. While the biometric standard for the TWIC Program, developed 
by the National Institute of Standard and Technology (NISI), works well 
and fulfilled a much-needed mandate, the program itself is poorly 
managed.
    NIST's Director of Information Technology recently informed me that 
the agency is in the process of updating the current biometric standard 
to include iris scanning, an effort which I applaud. I understand that 
this standard will be complete by the end of this year and look forward 
to its inclusion in future personal identify verification cards for the 
federal workforce.
    I want to thank the Committee again for the opportunity to testify 
before you today, and for your important work on the issue of secure 
credentials for transportation workers.

    Senator Lautenberg. Thanks very much. And again, welcome.
    And I'm pleased to have a chance to have this committee 
hearing. We have serious concerns about the government's 
record, and efforts to make America's ports more secure. Our 
maritime facilities are global gateways, and they provide 
American businesses and consumers access to the world 
marketplace. The ports are a vital part of our economy, but 
they've also been identified as special targets for terrorist 
attacks.
    Now, my state is home to--as said by the FBI--to the 
country's most at-risk areas for a terrorist attack, a stretch 
that includes major hubs like the Port of New York and New 
Jersey, which handled more than $140 million in cargo last 
year.
    Now, to improve security at our ports, 9 years ago the 
government created a worker identification program, known as 
TWIC, to try to make sure that access to the nation's ports is 
limited to people who belong there, such as dock workers and 
cargo handlers and other professionals. Now, after several 
delays, the program is now, as you said, up and running, and 
the government has issued almost 2 million TWIC cards.
    But, a recent Government Accountability Office 
investigation raises a disturbing question. Are America's ports 
actually safer now than they were a decade ago? The GAO has 
identified serious problems with TWIC, including startling 
evidence that this program might actually diminish the safety 
of our ports.
    At this committee's request, the GAO conducted covert 
testing. Investigators were able to fraudulently obtain TWIC 
cards and use the cards to access secure locations. Not only 
were they able to access the port facilities, but they were 
able to drive a vehicle with a simulated explosive into a 
secure area. Fraudulent and counterfeit cards, like the ones 
used by investigators, could also be used as identification at 
airports or military facilities.
    The problems don't stop with fraudulent cards. There are 
also issues with criminal background checks, immigration 
checks, and the lack of safeguards to determine if an applicant 
even needs a TWIC card. So, despite these alarming findings, 
the Transportation Security Administration has, so far, been 
unable to close the gaping holes that plague this program.
    Additionally, the Department of Homeland Security, which 
heads the TSA, has not yet conducted a review to determine if 
the card program helps or hinders security at our nation's 
ports. And given the critical importance of our ports, it's 
unacceptable that we're spending hundreds of millions of tax 
dollars on a program that might actually be making the ports 
less safe. So, according to estimates, it could cost as much as 
$3 billion to deploy the cards over a 10-year period. And this 
doesn't include the cost of the sophisticated biometric 
equipment that's needed to read the card. So, we've got to 
thoroughly examine and correct the TWIC Program, and make sure 
we're focusing our resources where they're needed most, the 
areas that present the highest risk.
    So, I look forward, Mr. Mica, to hearing from you and our 
other witnesses about how you see the status of the program and 
how we can best implement changes to make sure our port 
security programs are effective and the money we spent--spend 
is improving at our ports.
    Now, I've got Senators here that are waiting at a chance to 
make their statements. And if you want to add a ex post facto 
thing for just a couple of minutes, Mr. Mica, I'd be----
    Mr. Mica. Sure, I'm here, waiting. Love to hear the other 
Senators, too. Thank you, sir.
    Senator Lautenberg. Thank you. In the order of their 
appearance, Senator Ayotte is here. And we're pleased to see 
you, and invite you to give your statement, please.

                STATEMENT OF HON. KELLY AYOTTE, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Ayotte. Thank you, Mr. Chairman.
    Thank you, Representative Mica. Thank you so much for 
coming over to testify from the House.
    Security at our nation's ports is critically important to 
our safety and to our economy. Not only would an attack on our 
nation's ports be devastating, in terms of the loss of human 
life, but would also severely impact our national economy.
    It is deeply troubling that the GAO investigators were able 
to access secure facilities at U.S. ports during covert tests 
by presenting counterfeit or fraudulent TWIC cards. This 
represents a significant hole in our national security that 
must be addressed. And we certainly don't want a security 
program in place that gives the appearance of making us more 
secure, but in reality does not, because that can cause people 
to actually act less vigilantly than they should, given the 
situation.
    I look forward to discussing the reasons behind why this 
was able to happen, ways we can prevent this from happening in 
the future, and how this program can be corrected to ensure the 
security of our ports. I also wanted to raise the issue that 
transportation workers who are getting these IDs--they also are 
pretty inconvenienced, in terms of having to make two trips to 
a TWIC enrollment center to obtain their TWIC card, which can 
be time-consuming and expensive for, particularly, workers in 
rural areas that don't live close to an enrollment center, 
which can place an additional financial burden, particularly on 
a program which we have questions about the efficacy of it. I'm 
also interested in discussing ways that this burden could be 
alleviated so that workers don't have to make multiple, costly 
trips in order to receive the TWIC card, while, at the same 
time, ensuring the integrity of the card, which is very 
important.
    As millions of TWICs are going to be coming up for renewal 
in 2012, now is the time for this committee to address this 
issue. And it's critical that we solve these problems right 
away.
    And I look forward to your testimony today.
    Thank you.
    Senator Lautenberg. Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. I'm looking forward to hearing from the 
witnesses. Thank you, Mr. Chairman.
    Senator Lautenberg. Senator Boozman.

                STATEMENT OF HON. JOHN BOOZMAN, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Boozman. I think, in the interest of time, Mr. 
Chairman, I will put my statement in the record, with your 
permission.
    [The prepared statement of Senator Boozman follows:]

  Prepared Statement of Hon. John Boozman, U.S. Senator from Arkansas
    Senator Lautenberg, thank you for presiding over this hearing 
today. The results of this GAO study are troubling, including the 
multiple breaches at facilities by investigators using fraudulent and/
or counterfeit TWIC cards. Perhaps the only thing that is positive to 
see is that the Department of Homeland Security agrees with the 
recommendations.
    I look forward to listening to your testimony today, and working 
with both DHS and the Coast Guard in the future to improve the TWIC 
program.

    Senator Lautenberg. We're making haste here, Mr. Mica. 
We've got, if you want, a couple of minutes.
    Mr. Mica. Thank you. I'll just conclude. And again, I 
associate myself with your remarks, and Senators that are here.
    You're looking at TWIC, you're looking at problems we've 
uncovered. The last Senator who spoke indicated that, 2012, 
we'll be renewing these cards. I think it's incumbent on both 
the House and the Senate that we get our act together on these 
IDs. If we've spent a half a billion dollars. We don't have a 
reader. We're on the cusp of getting a second biometric 
measure. And we have transportation workers in other fields--
aviation, for example--where I showed you a card that we have 
for a license, that can't be used for an ID, that doesn't meet 
the criteria that Congress intended. We can, and we must, do a 
better job of getting our whole act together.
    Now, this, folks, too, is not rocket science. There are 
other agencies that already have identification cards. They 
have them with biometrics, both iris and thumb. They have them 
with readers that can confirm that that person is the person 
that has the ID and can be identified. So, we go on spending 
more and more money, and we don't have security at our ports, 
our airports, or other transportation facilities.
    So, I'll work with you. I know you're going to hear from 
Mr. Pistole. He's fairly new at the gate. A lot of this didn't 
happen under his watch. But, we do need to work with him, with 
the administration, and others, to somehow call a halt to 
spending hundreds of millions of dollars and still, 10 years 
later, not having a secure ID.
    Thank you. And I'm pleased to be here.
    Senator Lautenberg. We appreciate your presence here.
    Senator Begich, you've just come in. Can we proceed with 
the witnesses, or----
    Senator Begich. Let me think about it, if you could, Mr. 
Chairman. I have lots of thoughts on my mind.
    Senator Lautenberg. OK.
    Senator Begich. No, go ahead.
    [Laughter.]
    Senator Lautenberg. All right. And I would call the second 
panel to the table: Mr. John Pistole, the Administrator of the 
Transportation Security Administration. You're not so new. And 
we're glad that you've brought your experience and leadership 
to the task. We'll hear from you on the administration's 
efforts to implement the card program. Rear Admiral Kevin Cook, 
Director of Prevention Policy for the United States Coast 
Guard, to testify on the Coast Guard's role in the TWIC 
Program. And Mr. Steve Lord, Director of Homeland Security and 
Justice for the GAO, the Government Accountability Office. And 
your testimony, I understand is going to be on the GAO's 
oversight and investigation of this program.
    So, I thank all of you for coming today.
    And, Mr. Pistole, please begin. We have 5 minutes for your 
testimony.

       STATEMENT OF HON. JOHN S. PISTOLE, ADMINISTRATOR,

            TRANSPORTATION SECURITY ADMINISTRATION,

              U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Pistole. Thank you, Chairman Lautenberg. And good 
afternoon, distinguished members of the Committee.
    I appreciate the opportunity to testify today about 
Transportation Security Administration's work with the United 
States Coast Guard on the Transportation Worker Identification 
Credential Program, or TWIC.
    TWIC Program, of course, authorized by the Maritime 
Transportation Security Act of 2002, MTSA, and the SAFE Port 
Act, strengthens the security of our nation's port while 
facilitating trade through the provision of a tamper-resistant 
biometric credential to all port workers requiring unescorted 
access to secure areas of these MTSA-regulated port facilities 
and vessels.
    The purpose of the TWIC Program is to provide a means of 
positively verifying the identify of those seeking access to 
secure areas, and to conduct Security Threat Assessments, or 
STAs, to determine their eligibility, and to deny access to 
unauthorized individuals.
    Like all security procedures, use of TWIC cards help reduce 
or mitigate risk, but do not eliminate risk, as detailed in the 
GAO report. Not only do I agree with the findings and 
conclusions of the GAO report, and have taken initial steps to 
address the first two recommendations--the first three apply to 
TSA, particularly--but, I've asked GAO to follow up with a 
rigorous cost-benefit analysis of the entire TWIC Program, in 
conjunction with DHS, Coast Guard, and TSA. I believe this type 
of comprehensive assessment will help us all make judgments on 
how well we, the U.S. Government and industry, are buying down 
risk, and the best way forward with this program. In other 
words, what's our return on investment?
    To date, TSA has vetted and ruled more than 1.8 million 
TWIC applicants. The majority of transportation workers who 
have no criminal history receive their TWIC within 5 to 10 
calendar days of submitting an application. Applicants with 
criminal histories require a more stringent review, of course, 
and generally receive either their TWIC or notification of a 
potentially disqualifying offense within 30 calendar days of 
submitting an application.
    Now, in accordance with the SAFE Port Act of 2006, a TWIC 
pilot is currently being conducted to evaluate the feasibility, 
as well as technical and operational impact, of implementing a 
transportation security card reader. Formal data collection 
from the pilots is expected to be completed in 3 weeks--the end 
of May. Thereafter, an independent test agent will develop 
individual participant reports for review by TSA and Coast 
Guard. And we also continue to analyze data already collected 
in the pilot. And we'll analyze new data as it is required. We 
have drafted a report required by section 104 of the SAFE Port 
Act, and will continue to make further updates to this report 
until its anticipated delivery to Congress this summer. These 
reports, along with direct feedback from the participants, will 
inform decisions regarding Coast Guard's rulemaking that will 
establish TWIC-reader use requirements.
    I don't believe this testimony would be complete without 
mention of TSA's efforts to harmonize the Security Threat 
Assessments across all modes of transportation. We share the 
goal of Congress and stakeholders that STA programs be 
harmonized to alleviate the burden and inconvenience placed on 
individuals by the need to obtain multiple STAs. To this end, 
we are working on a rulemaking that may further--may propose 
further harmonization of the security threat assessments. To 
achieve the optimal benefit of this rule, new legislation must 
be enacted that would harmonize different statutorily required 
procedures that prevent harmonization and cannot be changed 
through rulemaking. TSA looks forward--I look forward to 
working with this committee, and other committees, to develop 
the needed legislation.
    Mr. Chairman, members of the Committee, I thank you for the 
opportunity to appear before you. I look forward to your 
questions. Thank you.
    [The prepared statement of Mr. Pistole follows:]

      Prepared Statement of Hon. John S. Pistole, Administrator, 
  Transportation Security Administration, U.S. Department of Homeland 
                                Security
    Good morning, Chairman Lautenberg, Ranking Member Hutchison, and 
distinguished members of the Committee. Thank you for the opportunity 
to testify today about the Transportation Security Administration's 
(TSA) work with the United States Coast Guard (USCG) on the 
Transportation Worker Identification Credential (TWIC) program.
    The TWIC program, authorized by the Maritime Transportation 
Security Act of 2002 (MTSA) and the SAFE Port Act, strengthens the 
security of our nation's ports while facilitating trade through the 
provision of a tamper-resistant biometric credential to all port 
workers requiring unescorted access to secure areas of MTSA-regulated 
port facilities and vessels. The mission of the TWIC program is to 
provide a means of positively verifying the identity of those seeking 
access to secure areas, to conduct Security Threat Assessments (STA) to 
determine their eligibility, and to deny access to unauthorized 
individuals.
    TSA began the national deployment of the TWIC program on October 
16, 2007, with the enrollment of maritime workers at the Port of 
Wilmington, DE. A nationwide requirement for individuals to hold a TWIC 
in order to access MTSA-regulated facilities went into effect in April 
2009, and TSA continues to operate approximately 134 enrollment centers 
located in ports and concentrations of maritime activity throughout the 
United States and its territories. These centers serve the diverse 
population of maritime workers, including truckers, suppliers, 
maintenance personnel and others who require a TWIC to allow them 
unescorted access to secure areas of MTSA-regulated facilities and 
vessels.
    The process to obtain a TWIC requires two visits to an enrollment 
center: an initial visit to provide biographic and biometric data, and 
a subsequent visit to activate the credential upon successful 
completion of the STA. While TSA understands that this process can pose 
a burden on transportation workers who do not live within close 
proximity of an enrollment center, the process is critical to verify 
the identity of the individual to whom the credential is to be issued, 
and TSA has made efforts to mitigate this potential burden by operating 
135 enrollment centers nationwide centered around maritime populations. 
In addition, TSA allows more remote area authorities or organizations 
to conduct enrollment and activation operations on their own for their 
defined population. TSA continues to actively engage all stakeholders 
to address issues concerning proximity to enrollment centers as well as 
other challenges faced by the maritime population relating to the TWIC 
program.
    To date, TSA has vetted more than 1.8 million TWIC applicants. The 
majority of transportation workers who have no criminal history receive 
their TWIC within 5 to 10 calendar days of submitting an application. 
Applicants with criminal histories require a more stringent review and 
generally receive either their TWIC or notification of a potentially 
disqualifying offense within 30 calendar days of submitting an 
application. Initially, transportation workers who requested redress 
following an initial determination of ineligibility experienced delays 
in the process necessary to reach a decision. TSA took this issue very 
seriously and, through increased staff and adjudicative process 
improvements, we have been able to significantly reduce the wait time 
for individuals in these scenarios.
    The national implementation of the TWIC as the common credential 
verifying the identity and background suitability significantly 
enhances national maritime security, which previously relied on a 
patchwork of private and public identity verification and threat 
assessment architectures to allow access to secure and restricted 
areas.
    The STA and associated TWIC must be renewed every 5 years and 
preparations are being made in advance of the impending initial five-
year renewal cycle. TSA is in the process of developing policies and 
procedures that will ensure a smooth renewal phase for the 
transportation workers who rely on this card to do their jobs. These 
procedures will both minimize the operational impact at TWIC enrollment 
centers and ensure that individuals who have completed the redress 
process are not required to repeat the process when no new criminal 
information is found. This will help prevent adjudication backlogs that 
the expected surge in renewal enrollments might otherwise cause. 
Throughout this process, TSA will continue to engage the stakeholder 
community in order to minimize the impact of the renewal cycle on 
affected workers.
    In addition to renewing the STA and TWIC every 5 years, TSA 
conducts recurrent checks of TWIC holders against terrorist watchlists 
and has the authority to revoke TWICs based on the results of this 
recurrent vetting.
    In accordance with the SAFE Port Act of 2006, a TWIC pilot is 
currently being conducted to evaluate the feasibility as well as 
technical and operational impact of implementing a transportation 
security card reader system. Biometric identity verification would 
require workers to present their card to a TWIC card reader and place 
their finger on a biometric sensor. The reader would then verify the 
worker's identity by matching the fingerprint presented to the 
fingerprint templates on the TWIC. Based on stakeholder feedback to the 
TWIC Notice of Proposed Rulemaking (NPRM) \1\ as well as its own 
analysis, DHS determined that the maritime commercial environment would 
benefit from an easy, rapid entrance process, not one that included 
entering a Personal Identification Number (PIN) as is required with the 
Federal Personal Identity Verification (PIV) smart card-based standard 
for Federal employees and contractors.\2\ TSA and the Coast Guard 
engaged maritime stakeholders, smart card industry experts, and 
appropriate Federal agency representatives to develop TWIC 
specifications that would meet maritime industry requirements for 
biometric identity verification.
---------------------------------------------------------------------------
    \1\ 71 FR 29396, May 22, 2006.
    \2\ Federal Information Processing Standards Publication 201-1 
March 2006.
---------------------------------------------------------------------------
    Formal data collection from the pilots is expected to be completed 
at the end of this month. Thereafter, an independent test agent will 
develop individual participant reports for review by TSA and the Coast 
Guard. TSA also continues to analyze data already collected in the 
pilot and will analyze new data as it is acquired. TSA has drafted the 
report required by Section 104 of the SAFE Port Act and will continue 
to make further updates to this report until its anticipated delivery 
to Congress this summer. These reports, along with the direct feedback 
from the participants, will inform decisions regarding the Coast 
Guard's rulemaking that will establish TWIC reader use requirements.
    Notwithstanding several factors that contributed to a delay in 
commencing the TWIC Pilot--including the fact that participation in the 
pilot was voluntary, limiting DHS's ability to influence the overall 
pace of the pilot--the pilot officially began with the start of the 
first reader tests during the Initial Technical Testing (ITT) phase on 
August 20, 2008. The Early Operational Assessment (EOA) phase began in 
April 2009 with the installation of readers in the Port of Brownsville, 
TX, and the System Test and Evaluation (ST&E) phase began in November 
2009. Over the course of the pilot, approximately 156 portable and 
fixed readers were in use at participating ports and facilities.
    This testimony would not be complete without mention of TSA's 
effort to harmonize STAs across all modes of transportation. We share 
the goal of Congress and stakeholders that STA programs be harmonized 
to alleviate the burden and inconvenience placed on individuals by the 
need to obtain multiple STAs. To this end, TSA is working on a 
rulemaking that may propose further harmonization of STAs. To achieve 
the optimal benefit of this rule, new legislation must be enacted that 
would harmonize differing statutorily required procedures that prevent 
harmonization and cannot be changed through rulemaking. TSA will work 
with Congress to develop the needed legislation.
    Mr. Chairman, Ranking Member Hutchison, I thank you for the 
opportunity to appear before you today and I look forward to answering 
your questions about progress in the TWIC program.

    Senator Lautenberg. Thanks very much.
    Admiral your turn. And we look forward to your testimony.

       STATEMENT OF REAR ADMIRAL KEVIN S. COOK, DIRECTOR,

             OF PREVENTION POLICY, U.S. COAST GUARD

    Admiral Cook. Well, good afternoon, Mr. Chairman and 
distinguished members of the Committee.
    With your permission, Mr. Chairman, I'd like to have my 
written testimony entered into the record.
    Senator Lautenberg. So it'll be done.
    Admiral Cook. Thank you for the opportunity to speak with 
you today about the progress the Coast Guard, working together 
with the Transportation Security Administration, has made in 
implementation of the TWIC Program, the ongoing TWIC compliance 
efforts for facilities and vessels regulated under the Maritime 
Transportation Security Act, or MTSA, and future plans for card 
readers.
    The Coast Guard remains cognizant of how implementation and 
enforcement of TWIC impacts individuals and their livelihoods 
while balancing security needs with the economic vitality of 
port operations. The TWIC Program, as envisioned under MTSA and 
strengthened by the subsequent requirements of the SAFE Port 
Act, provides an additional layer of security. This is 
accomplished by ensuring all transportation workers and 
credentialed merchant mariners who seek unescorted access to 
secure areas in approximately 2,700 regulated facilities, 
12,000 regulated vessels, and 50 regulated Outer Continental 
Shelf facilities have been vetted and do not pose a security 
risk to our marine transportation system.
    As of April 15, 2009, applicable Coast Guard-credentialed 
mariners, MTSA-regulated facilities and vessels were required 
to be in compliance with the TWIC Program. The Coast Guard, 
through the captain of the port and the area maritime security 
committees, continue to monitor and enforce TWIC regulations by 
working closely with owners and operators.
    Internal guidance documents for training, compliance, and 
enforcement for Coast Guard personnel have been developed and 
shared with our DHS partners, including TSA and CBP, and state 
and local agencies to promote a unified approach to enforcement 
protocols.
    The SAFE Port Act mandates that the Coast Guard conduct two 
security inspections annually at all MTSA-regulated facilities, 
with one inspection being unannounced. During each of these, 
TWICs are checked by Coast Guard personnel either visually or 
using biometric hand-held readers.
    As originally planned with the TWIC rule in 2006, the final 
step of implementation of the TWIC Program is to utilize the 
full security benefits of the card through the use of readers. 
Although the implementation and reader requirements were 
originally combined in one rulemaking, the Coast Guard and TSA 
heard loud and clear from the industry that further research 
and a different approach for readers was necessary, especially 
as it applies to incorporating contactless reader technology. 
Our stakeholders spoke, and we listened, and agreed to split 
the rule so that the first phase of the TWIC Program, that 
we're using now, is based on visual verification. Based on 
industry recommendations, a working specification for the use 
of contactless readers was developed. It is subsequently being 
tested through the reader pilot test that Administrator Pistole 
just mentioned.
    In parallel with the pilot testing, the Coast Guard has 
been working on a proposed rulemaking that will address 
potential requirements for MTSA vessels and facilities to 
utilize electronic card readers. A key component in this will 
be informing with the operational, environmental, and technical 
data from--the TWIC reader pilot program brings to our 
rulemaking. Based on the current status of the pilot program, 
we hope to be able to publish a notice of proposed rulemaking 
toward the end of calendar year 2011 or early in 2012.
    In the meantime, to maximize the security benefits of the 
TWIC, the Coast Guard procured and deployed over 200 hand-held 
readers for use during routine and unscheduled inspections. The 
Coast Guard and TSA developed several supplementary documents 
to help those who are required to comply with the TWIC 
regulations. The latest Policy Advisory Council decision, 01-
11, on the voluntary use of TWIC readers was published in the 
Federal Register on the 15th of March, 2011, to assist the 
marine industry with consistency in the voluntary use of TWIC 
readers.
    Also, we recently directed that our captains of the port 
place a higher priority on review and validation of TWIC 
verification procedures that are conducted during MTSA 
inspections. This is being done through a direct engagement 
with facility security officers to highlight the importance of 
properly trained guards, and remind them of the training aids 
that are available on the Coast Guard's Homeport website.
    In conclusion, Mr. Chairman, the TWIC implementation marked 
a major milestone in the MTSA to protect our maritime 
transportation system. Card readers are a key step in 
maximizing the security benefit. And the Coast Guard is 
anxiously awaiting the pilot test results to help us draft 
effective regulations, minimizing the potential adverse impacts 
of the reader. While we have accomplished a great deal thus 
far, we acknowledge that the process has not been free from 
challenges. We will continue to keep the public interest in 
mind and also keep you informed on our progress.
    Thank you for the opportunity to speak with you today. And 
I would be pleased to take any of your questions.
    [The prepared statement of Admiral Cook follows:]

           Prepared Statement of Rear Admiral Kevin S. Cook, 
            Director of Prevention Policy, U.S. Coast Guard
    Good morning, Chairman Rockefeller, Ranking Member Hutchison and 
distinguished members of the Committee. I am Rear Admiral Kevin Cook, 
U.S. Coast Guard Director of Prevention Policy. It is a pleasure to be 
here today to update you on how the Coast Guard, in partnership with 
the Transportation Security Administration (TSA), continues to 
implement the Transportation Worker Identification Credential (TWIC) 
program, which strengthens the security of our nation's ports while 
facilitating trade by adding a layer of security which allows vetted 
employees with a biometric credential to have unescorted access to 
secure areas.
    TWIC enrollment began in 2007 and today, maritime vessels and 
facilities within all 42 Coast Guard Captain of the Port (COTP) Zones 
are in compliance with the TWIC program. In April of this year, we 
reached more than 1.8 million enrollments for TWIC with no significant 
impact to commerce and the maritime transportation system. Since the 
Coast Guard and TSA published the TWIC requirements on January 25, 2007 
in a Final Rule, we have been developing regulations, policies, systems 
and capabilities to serve as a solid foundation for enrollment and 
compliance. The deliberate process and careful steps taken to lay this 
foundation ensure that we gain the full security benefit from TWIC.
Background
    The TWIC program builds on the security framework established by 
Congress in the Maritime Transportation Security Act (MTSA) of 2002. 
Coast Guard regulations stemming from MTSA established security 
requirements for maritime vessels and facilities posing a high risk of 
being involved in a transportation security incident. The MTSA also 
required the Secretary of Homeland Security to issue a biometric 
transportation security card to all licensed and documented U.S. 
mariners, as well as those individuals granted unescorted access to 
secure areas of MTSA-regulated vessels and facilities. TSA was assigned 
this requirement, and because of our overlapping responsibilities, the 
Coast Guard and TSA formally joined efforts to carry out the TWIC 
program in November 2004. In this partnership, TSA is responsible for 
TWIC enrollment, security threat assessment and adjudication, card 
production, technology, TWIC issuance, conduct of the TWIC appeal and 
waiver process as it pertains to credential issuance, and management of 
government support systems. The Coast Guard is responsible for 
establishing and enforcing TWIC access control requirements for MTSA-
regulated vessels and facilities.
    TSA and the Coast Guard published a joint TWIC Notice of Proposed 
Rulemaking (NPRM) on May 22, 2006. Following the publication of the 
NPRM and the subsequent comment period, Congress enacted the Security 
and Accountability for Every Port Act of 2006 (the SAFE Port Act). The 
SAFE Port Act created new statutory requirements for the TWIC Program, 
including: the commencement of a pilot program to test the viability of 
TWIC cards and readers in the maritime environment; deployment of the 
program in priority ports by set deadlines; inclusion of a provision to 
allow newly hired employees to work while their TWIC application is 
being processed; and concurrent processing of the TWIC and merchant 
mariner applications.
    TSA and the Coast Guard published the TWIC Final Rule on January 
25, 2007, in which the Coast Guard's MTSA regulations and TSA's 
Hazardous Material Endorsement regulations were amended to incorporate 
the TWIC requirements. After receiving many comments regarding 
technology issues of the reader requirements as proposed in the NPRM, 
we removed from the final rule the requirement to install TWIC readers 
at vessels and facilities. This requirement is currently being 
addressed in a second rulemaking, which I will discuss later.
Policy
    The Coast Guard and TSA developed several supplementary documents 
to help those who are required to comply with the TWIC regulation. To 
explain in detail how the Coast Guard intends to apply TWIC 
regulations, we established policy guidance in the form of a Navigation 
and Vessel Inspection Circular (NVIC) and provided answers in 16 Policy 
Advisory Council documents that have been published since November 21, 
2007.
    The Policy Advisory Council was established during the original 
implementation of the MTSA regulations. It is made up of Coast Guard 
representatives from headquarters and field level commands that are 
charged with considering questions from stakeholders and/or field 
offices to ensure consistent interpretation of regulation. The latest 
Policy Advisory Council Decision 01-11 on the voluntary use of TWIC 
readers was published in the Federal Register on March 15, 2011. This 
guidance document will assist the maritime industry and general public 
with TWIC reader requirements and is designed to ensure consistent 
installation for the voluntary use of TWIC readers for electronic 
identity verification across MTSA-regulated facilities and vessels.
Stakeholder Engagement and Outreach
    Engagement with affected stakeholders continues to be crucial to 
successful implementation, and the regulatory process is one of the 
most important vehicles for the public to voice concerns and provide 
comment on the TWIC program. For example, responses received during the 
TWIC NPRM comment period provided valuable insight into the unique 
operational issues facing labor, maritime facilities and vessels 
required to comply with TWIC requirements. Comments regarding the 
technological and economic feasibility of employing the TWIC cards and 
card readers in the maritime environment led to splitting the rule, 
with the card reader requirements forming a separate, pending 
rulemaking. The Coast Guard published the TWIC Reader Requirements 
Advanced Notice of Proposed Rulemaking (ANPRM) on March 27, 2009, which 
again afforded the public and maritime community an opportunity to 
shape future TWIC requirements.
    Since publication of the TWIC Final Rule and TWIC Reader 
Requirements ANPRM, the Coast Guard and TSA have conducted numerous 
outreach events at national venues such as: the American Trucking 
Association; Association of American Railroads; American Short Line and 
Regional Railroad Association; Passenger Vessel Association; American 
Waterways Operators; National Association of Charter Boat Operators; 
National Association of Waterfront Employers; National Petrochemical 
Refiners Association meetings; smart card and biometric industry 
conferences; maritime union meetings; American Association of Port 
Authorities conferences; and many others. In addition, quarterly TWIC 
Stakeholder Communication Committee meetings are being held and remain 
an important avenue for keeping the public informed and creating the 
opportunity for open dialogue.
    The Coast Guard, through COTP and Area Maritime Security 
Committees, continues to closely monitor and encourage enrollment for 
TWIC and work collaboratively with owners and operators of regulated 
facilities and vessels to ensure compliance and enforcement of the TWIC 
program.
Reader Pilot Testing
    In accordance with the SAFE Port Act of 2006, a TWIC pilot is 
currently being conducted to evaluate the feasibility as well as 
technical and operational impact of implementing a transportation 
security card reader system. TSA and the Coast Guard have begun 
operational testing of the TWIC card readers at geographically and 
operationally diverse port and vessel locations and formal data 
collection should be completed on May 31, 2011. Thereafter, individual 
participant reports will be developed by an independent test agent and 
then reviewed by TSA and the Coast Guard. These individual participant-
level reports, along with the direct feedback from the participants, 
will be the primary data source for the Coast Guard to move forward in 
the next phase of the TWIC reader rulemaking.
Reader Requirements
    Per the SAFE Port Act, the Coast Guard is required to use the pilot 
report to inform a final reader rulemaking. The Coast Guard, with the 
support of TSA, is developing a second TWIC reader requirements rule 
that will serve to meet the requirement for electronic TWIC readers in 
the maritime environment. This rulemaking will apply requirements in a 
risk-based fashion to leverage security benefits and capabilities. The 
Coast Guard solicited and received valuable input and recommendations 
from the Towing Safety Advisory Committee, Merchant Marine Personnel 
Advisory Committee, and the National Maritime Security Advisory 
Committee on specific aspects of potential applications of readers for 
vessels and facilities. As in all aspects of the TWIC program, our goal 
is to enhance maritime security while balancing impacts on the 
stakeholders, who are at the forefront of providing that security. As 
we evaluate the economic and operational impact on the maritime 
industry we will continue to seek input and recommendations to develop 
and issue regulations requiring industry compliance.
Compliance
    The Coast Guard has the primary responsibility for ensuring 
compliance with the TWIC regulations. We continue to work extensively 
with our DHS partners, including TSA and U.S. Customs and Border 
Protection, as well as state and local agencies to enhance partnerships 
and develop enforcement assistance protocols.
    All of the approximately 2,700 maritime facilities impacted by the 
TWIC regulations are--and have been--in compliance as of the April 15, 
2009 implementation date. The Coast Guard continues to conduct both 
announced and unannounced spot checks to ensure compliance with the 
TWIC regulations.
    To fully leverage the security benefits of the TWIC and other 
credentials, the Coast Guard has deployed 218 multi-use biometric 
handheld readers nationwide. The use of these readers serves as the 
primary means of TWIC verification during Coast Guard compliance 
activities. Over the past 2 years since the national compliance date, 
the Coast Guard has verified more than 150,000 TWICs through a 
combination of visual and electronic verification methods.
    The use of readers by the Coast Guard and industry alike reduces 
the risk of successful counterfeit attempts and further adds to the 
ability to identify authentic credentials that have been revoked at 
some point after activation and delivery.
The Way Ahead
    The Coast Guard continues to focus on the enforcement of the TWIC 
regulations and deployment of handheld readers will continue to enhance 
these efforts. Approximately 130 additional readers are scheduled for 
deployment in 2011.
    We recently directed our COTPs to place higher priority on review 
and validation of TWIC verification procedures during required MTSA 
inspections. This review and validation is being done through direct 
engagement with Facility Security Officers to highlight the importance 
of properly trained guards and remind them of the training aids 
available.
    Our ongoing compliance efforts in combination with the future 
reader requirements on commercial vessels and facilities through 
rulemaking are critical in ensuring the security of America's maritime 
transportation system.
Conclusion
    We continue to work closely with TSA to facilitate outreach to the 
maritime industry in an effort to enhance the overall TWIC experience 
for workers and maritime operators--from improving the enrollment and 
activation processes to ensuring the necessary guidance and support is 
in place for maritime operator enforcement. We have accomplished 
important milestones, strengthened working relationships with public 
and industry stakeholders, and held a steadfast commitment to securing 
the maritime transportation system while facilitating commerce. As we 
continue to make improvements regarding compliance, enforcement, and 
continued industry engagement, we will ensure Congress remains informed 
of our progress.
    Thank you for the opportunity to testify today. I look forward to 
your questions.

    Senator Lautenberg. Thank you, Admiral Cook.
    And Mr. Steve Lord, we invite you to give your testimony.

            STATEMENT OF STEPHEN M. LORD, DIRECTOR,

             HOMELAND SECURITY AND JUSTICE ISSUES,

             U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Lord. Thank you, Mr. Chairman and distinguished members 
of the Committee.
    I'm really pleased to be here today to discuss the findings 
of our TWIC report, which is being publicly released today. As 
you know, TSA and the Coast Guard jointly manage the TWIC 
Program, which requires maritime workers to obtain a biometric 
ID card to access secure areas of MTSA-regulated facilities and 
vessels.
    Today, I would like to discuss two issues: the internal 
controls governing TWIC enrollment, background checking, and 
use, as well as DHS assessments of the effectiveness of this 
program.
    The main point that I'd like to convey today is that 
internal control weaknesses in the TWIC Program's enrollment 
and background checking process do not provide what we deem as 
reasonable assurance in meeting key security goals; in other 
words, that only qualified individuals are acquiring TWICs. And 
second, once issued a TWIC, TWIC holders maintain their 
eligibility for holding the card. For example, we found that 
the flags raised by enrollment personnel or electronic document 
scanners were not being systematically used during the 
background checking process to verify an applicant's 
identification. This helps explain why our special 
investigators were not detected when using counterfeit or 
fraudulent application documents to acquire TWICs. TSA also 
does not verify that applicants need a TWIC for employment-
related reasons. In other words, there's not employee 
sponsorship, unlike other government credentials. We also found 
that program adjudicators do not use clear criteria when 
reviewing TWIC applicants with extensive, nondisqualifying 
criminal convictions, such as larceny and theft. This is an 
important issue, as about 461,000 TWIC holders have a criminal 
record, based on the results from the FBI. And this is about 27 
percent of the total TWIC-holder population.
    Finally, we also found that program controls did not 
provide reasonable assurance that TWIC holders continue to meet 
immigration eligibility requirements once they acquire TWIC. 
For example, the program does not issue TWICs for a term less 
than 5 years, to match the expiration of a visa. Instead, TSA 
relies on TWIC holders and employers to report if a worker is 
no longer legally present in the country.
    The weaknesses I've discussed may have contributed to the 
breach of MTSA-regulated ports and facilities during the covert 
tests we ran. During these tests, our investigators were 
successful in accessing ports using either counterfeit TWICs or 
real TWICs acquired through fraudulent means, paired with a 
false business case for entering a facility.
    And regarding our second key research objective, in seeking 
to determine the impact of the program, we found that DHS has 
not assessed the program's effectiveness in enhancing port 
security, a key program goal. Thus, it's unclear, at this 
point, whether the program is more effective or less effective 
than prior approaches used to enhance port and vessel security. 
Our report findings would question the other witness' statement 
that the program significantly enhances national maritime 
security.
    Today's report makes several important recommendations to 
address the internal control weaknesses we identified. For 
example, our report is recommending that DHS complete an 
internal control assessment to identify other potential holes 
in the system, as well as identifying cost-effective fixes. We 
also recommended that DHS conduct a formal assessment to 
clarify how the program will improve security, beyond the port 
efforts already in place. We also recommended that the Coast 
Guard improve the quality of the information used to monitor 
and enforce TWIC compliance. The good news I'd like to report 
today, Mr. Chairman, is that the DHS, TSA, and the Coast Guard 
all agreed to implement all our report recommendations.
    In closing, before proceeding on the path to full 
implementation, with potentially billions of dollars at stake, 
it's important that Congress and industry stakeholders fully 
understand the program's current strengths, current weaknesses, 
and the likely cost of mitigating the risks we've identified in 
the report we're releasing today.
    Mr. Chairman, this concludes my prepared testimony. I look 
forward to answering any questions that you or other members of 
the Committee may have.
    Thank you.
    [The prepared statement of Mr. Lord follows:]

Prepared Statement of Stephen M. Lord, Director, Homeland Security and 
         Justice Issues, U.S. Government Accountability Office
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee:
    I am pleased to be here today to discuss credentialing issues 
associated with the security of U.S. transportation systems and 
facilities. Securing these systems requires balancing security to 
address potential threats while facilitating the flow of people and 
goods that are critical to the U.S. economy and international commerce. 
As we have previously reported, these systems and facilities are 
vulnerable and difficult to secure given their size, easy 
accessibility, large number of potential targets, and proximity to 
urban areas.\1\ The Maritime Transportation Security Act of 2002 (MTSA) 
required regulations preventing individuals from having unescorted 
access to secure areas of MTSA-regulated facilities and vessels unless 
they possess a biometric transportation security card and are 
authorized to be in such an area. MTSA further required that biometric 
transportation security cards be issued to eligible individuals unless 
determined that an applicant poses a security risk warranting denial of 
the card. The Transportation Worker Identification Credential (TWIC) 
program is designed to implement these biometric maritime security card 
requirements.\2\
---------------------------------------------------------------------------
    \1\ See GAO, Transportation Worker Identification Credential: 
Progress Made in Enrolling Workers and Activating Credentials but 
Evaluation Plan Needed to Help Inform the Implementation of Card 
Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009).
    \2\ The program requires maritime workers to complete background 
checks to obtain a biometric identification card and be authorized to 
be in the secure area by the owner/operator in order to gain unescorted 
access to secure areas of MTSA-regulated facilities and vessels. Under 
Coast Guard regulations, a secure area, in general, is an area over 
which the owner/operator has implemented security measures for access 
control in accordance with a Coast Guard-approved security plan. For 
most maritime facilities, the secure area is generally any place inside 
the outer-most access control point. For a vessel or outer continental 
shelf facility, such as off-shore petroleum or gas production 
facilities, the secure area is generally the whole vessel or facility. 
Biometrics refers to technologies that measure and analyze human body 
characteristics for authentication purposes. The Department of Homeland 
Security (DHS) has estimated that implementing the TWIC program could 
cost the Federal Government and the private sector a combined total of 
between $694.3 million and $3.2 billion over a ten-year period. 
However, these figures do not include costs associated with 
implementing and operating readers. A pilot on the use of TWIC with 
card readers is currently underway and will inform a proposed TWIC 
regulation, and these figures are to be updated as part of this 
process.
---------------------------------------------------------------------------
    The TWIC program, once implemented, aims to meet the following 
stated mission needs:

        Positively identify authorized individuals who require 
        unescorted access to secure areas of the nation's 
        transportation system.

        Determine the eligibility of individuals to be authorized 
        unescorted access to secure areas of the transportation system 
        by conducting a security threat assessment.

        Ensure that unauthorized individuals are not able to defeat or 
        otherwise compromise the access system in order to be granted 
        permissions that have been assigned to an authorized 
        individual.

        Identify individuals who fail to maintain their eligibility 
        requirements subsequent to being permitted unescorted access to 
        secure areas of the Nation's transportation system and 
        immediately revoke the individual's permissions.

    Within the Department of Homeland Security (DHS), the 
Transportation Security Administration (TSA) and the U.S. Coast Guard 
are responsible for implementing and enforcing the TWIC program. In 
addition, DHS's Screening Coordination Office facilitates coordination 
among the various DHS components involved in TWIC.
    My statement is based on a report we are releasing publicly today 
on the TWIC program.\3\ Like the report, it will discuss the extent to 
which: (1) TWIC processes for enrollment, background checking, and use 
are designed to provide reasonable assurance that unescorted access to 
secure areas of MTSA-regulated facilities and vessels is limited to 
qualified individuals, and (2) DHS has assessed the effectiveness of 
TWIC, and whether the Coast Guard has effective systems in place to 
measure compliance.
---------------------------------------------------------------------------
    \3\ See GAO, Transportation Worker Identification Credential: 
Internal Control Weaknesses Need to be Corrected to Help Achieve 
Security Objectives, GAO-11-657 (Washington, D.C.: May 10, 2011).
---------------------------------------------------------------------------
    For the report, we reviewed applicable laws, regulations, and 
policies, as well as documentation provided by TSA on the TWIC program 
systems and processes. We also reviewed the processes and data sources 
with TWIC program management from TSA and Lockheed Martin (the 
contractor responsible for implementing the program) and met with 
officials from TSA and the Coast Guard, as well as the Criminal Justice 
Information Services Division at the Federal Bureau of Investigation 
(FBI). We then evaluated the processes against the TWIC program's 
mission needs and Standards for Internal Control in the Federal 
Government.\4\ Further, our investigators conducted covert testing at 
enrollment center(s) to identify whether individuals providing 
fraudulent information could acquire an authentic TWIC, and at maritime 
ports with MTSA-regulated facilities and vessels to identify security 
vulnerabilities and program control deficiencies. In addition, we 
reviewed the type and substance of management information available to 
the Coast Guard and compared them to Standards for Internal Control in 
the Federal Government. We conducted this work in accordance with 
generally accepted government auditing standards. We conducted our 
related investigative work in accordance with standards prescribed by 
the Council of the Inspectors General on Integrity and Efficiency.
---------------------------------------------------------------------------
    \4\ GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
---------------------------------------------------------------------------
Internal Control Weaknesses in DHS's Biometric Transportation ID 
        Program Hinder Efforts to Ensure Security Objectives Are Fully 
        Achieved
    DHS has established a system of TWIC-related processes and 
controls. However, internal control weaknesses governing the 
enrollment, background checking, and use of TWIC potentially limit the 
program's ability to meet the program's stated mission needs or provide 
reasonable assurance that access to secure areas of MTSA-regulated 
facilities is restricted to qualified individuals. Specifically, 
internal controls \5\ in the enrollment and background checking 
processes are not designed to provide reasonable assurance that: (1) 
only qualified individuals can acquire TWICs; (2) adjudicators follow a 
process with clear criteria for applying discretionary authority when 
applicants are found to have extensive criminal convictions; or (3) 
once issued a TWIC, TWIC holders have maintained their eligibility.
---------------------------------------------------------------------------
    \5\ In accordance with Standards for Internal Control in the 
Federal Government, the design of the internal controls is to be 
informed by identified risks the program faces from both internal and 
external sources; the possible effect of those risks; control 
activities required to mitigate those risks; and the cost and benefits 
of mitigating those risks.
---------------------------------------------------------------------------
    To meet the stated program purpose, TSA's focus in designing the 
TWIC program was on facilitating the issuance of TWICs to maritime 
workers. However, TSA did not assess the internal controls in place to 
determine whether they provided reasonable assurance that the program 
could meet defined mission needs for limiting access to only qualified 
individuals. For example, controls that the TWIC program has in place 
to identify the use of potentially counterfeit identity documents are 
not used to routinely inform background checking processes. 
Additionally, controls are not in place to determine whether an 
applicant has a need for a TWIC. For example, regulations governing the 
TWIC program security threat assessments require applicants to disclose 
their job description and location(s) where they will most likely 
require unescorted access, if known, among other things. However, TSA 
enrollment processes do not require that this information be provided 
by applicants.
    In addition, TWIC program controls are not designed to require that 
adjudicators follow a process with clear criteria for applying 
discretionary authority when applicants are found to have extensive 
criminal convictions. Being convicted of a felony does not 
automatically disqualify a person from being eligible to receive a 
TWIC; however, prior convictions for certain crimes are automatically 
disqualifying.\6\ For example, offenses such as espionage or treason 
would permanently disqualify an individual from obtaining a TWIC. Other 
offenses, such as murder or the unlawful possession of an explosive 
device, while categorized as permanent disqualifiers, are also eligible 
for a waiver under TSA regulations. These offenses might not 
permanently disqualify an individual from obtaining a TWIC if TSA 
determines that an applicant does not represent a security threat. As 
of September 8, 2010, the agency reported 460,786 cases where the 
applicant was approved, but had a criminal record based on the results 
from the FBI. This represents approximately 27 percent of individuals 
approved for a TWIC at the time. Although TSA has the discretion and 
authority to consider the totality of an individual's criminal record, 
including the existence of: (1) extensive criminal convictions, (2) 
criminal offenses not defined as a permanent or interim disqualifying 
criminal offense, such as theft or larceny, and (3) certain periods of 
imprisonment, TSA has not developed a definition for what extensive 
foreign or domestic criminal convictions means, or developed guidance 
to ensure that adjudicators apply this authority consistently. In 
commenting on our report, DHS concurred with our related 
recommendation, and consequently may address this weakness as part of 
its efforts to correct internal control weaknesses in the TWIC program.
---------------------------------------------------------------------------
    \6\ Threat assessment processes for the TWIC program include 
conducting background checks to determine whether each TWIC applicant 
poses a security threat. These checks, in general, can include checks 
for criminal history records, immigration status, terrorism databases 
and watchlists, and records indicating an adjudication of a lack of 
mental capacity, among other things. As defined in TSA implementing 
regulations, the term security threat means an individual who TSA 
determines or suspects of posing a threat to national security, to 
transportation security, or of terrorism.
---------------------------------------------------------------------------
    Further, TWIC program controls are not designed to provide 
reasonable assurance that TWIC holders have maintained their 
eligibility once issued TWICs. For example, controls are not designed 
to determine whether TWIC holders have committed disqualifying crimes 
at the Federal or state level after being granted a TWIC. Although 
existing policies may hamper TSA's ability to check FBI-held 
fingerprint-based criminal history records for the TWIC program on an 
ongoing basis after TWIC issuance, TSA has not explored alternatives 
for addressing this weakness, such as informing facility and port 
operators of this weakness and identifying solutions for leveraging 
existing state criminal history information, where available. In 
addition, controls are not designed to provide reasonable assurance 
that TWIC holders continue to meet immigration status eligibility 
requirements. For example, if a TWIC holder's stated period of legal 
presence in the United States is about to expire or has expired, the 
TWIC program does not request or require proof from TWIC holders to 
show that they continue to maintain legal presence in the United 
States. Additionally, although it has regulatory authority to do so, 
the program does not issue TWICs for a term less than 5 years to match 
the expiration of a visa.\7\
---------------------------------------------------------------------------
    \7\ Instead, TSA relies on: (1) TWIC holders to self-report if they 
no longer have legal presence in the country, and (2) employers to 
report if a worker is no longer legally present in the country. TWIC-
related regulations provide, for example, that individuals disqualified 
from holding a TWIC for immigration status reasons must surrender the 
TWIC to TSA. In addition, the regulations provide that TWICs are deemed 
to have expired when the status of certain lawful nonimmigrants with a 
restricted authorization to work in the United States (e.g., H-1B1 Free 
Trade Agreement) expires, the employer terminates the employment 
relationship with such an applicant, or such applicant otherwise ceases 
working for the employer, regardless of the date on the face of the 
TWIC. Upon the expiration of such nonimmigrant status for an individual 
who has a restricted authorization to work in the United States, the 
employer and employee both have related responsibilities--the employee 
is required to surrender the TWIC to the employer, and the employer is 
required to retrieve the TWIC and provide it to TSA.
---------------------------------------------------------------------------
    Internal control weaknesses in TWIC enrollment, background 
checking, and use could have contributed to the breach of selected 
MTSA-regulated facilities during covert tests conducted by our 
investigators. During these tests at several selected ports, our 
investigators were successful in accessing ports using counterfeit 
TWICs, authentic TWICs acquired through fraudulent means, and false 
business cases (i.e., reasons for requesting access). Our investigators 
did not gain unescorted access to a port where a secondary port-
specific identification was required in addition to the TWIC. TSA and 
Coast Guard officials stated that the TWIC card alone is not sufficient 
and that the cardholder is also required to present a business case. 
However, our covert tests demonstrated that having an authentic TWIC 
and a legitimate business case were not always required in practice.
    Prior to fielding the program, TSA did not conduct a risk 
assessment of the TWIC program to identify program risks and the need 
for controls to mitigate existing risks and weaknesses, as called for 
by internal control standards. Such an assessment could help provide 
reasonable assurance that control weaknesses in one area of the program 
do not undermine the reliability of other program areas or impede the 
program from meeting mission needs. TWIC program officials told us that 
control weaknesses were not addressed prior to initiating the TWIC 
program because they had not previously identified them, or because 
they would be too costly to address. However, as we noted in our 
report, officials did not provide: (1) documentation to support their 
cost concerns and (2) did not complete an assessment of whether they 
needed to implement additional compensating controls or of the risks 
associated with not correcting for existing internal control 
weaknesses. In our May 2011 report, we recommended that the Secretary 
of Homeland Security perform an internal control assessment of the TWIC 
program by: (1) analyzing existing controls, (2) identifying related 
weaknesses and risks, and (3) determining cost-effective actions needed 
to correct or compensate for those weaknesses so that reasonable 
assurance of meeting TWIC program objectives can be achieved. This 
assessment should consider weaknesses we identified in this report 
among other things. DHS officials concurred with our recommendation.
TWIC's Effectiveness at Enhancing Security Has Not Been Assessed, and 
        the Coast Guard Lacks the Ability to Assess Trends in TWIC 
        Compliance
    DHS asserted in its 2009 and 2010 budget submissions that the 
absence of the TWIC program would leave America's critical maritime 
port facilities vulnerable to terrorist activities.\8\ However, to 
date, DHS has not assessed the effectiveness of TWIC at enhancing 
security or reducing risk for MTSA-regulated facilities and vessels. 
Further, DHS has not demonstrated that TWIC, as currently implemented 
and planned with card readers, is more effective than prior approaches 
used to limit access to ports and facilities, such as using facility-
specific identity credentials with business cases.
---------------------------------------------------------------------------
    \8\ See DHS, DHS Exhibit 300 Public Release BY10/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington, 
D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Release BY09/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington, 
D.C.: July 27, 2007).
---------------------------------------------------------------------------
    According to TSA and Coast Guard officials, because the program was 
mandated by Congress as part of MTSA, DHS did not conduct a risk 
assessment to identify and mitigate program risks prior to 
implementation. Further, according to these officials, neither the 
Coast Guard nor TSA analyzed the potential effectiveness of TWIC in 
reducing or mitigating security risk--either before or after 
implementation--because they were not required to do so by Congress. 
However, internal control weaknesses raise questions about the 
effectiveness of the TWIC program. Moreover, as we have previously 
reported, Congress also needs information on whether and in what 
respects a program is working well or poorly to support its oversight 
of agencies and their budgets, and agencies' stakeholders need 
performance information to accurately judge program effectiveness. 
Therefore, we recommended in our May 2011 report that the Secretary of 
Homeland Security conduct an effectiveness assessment that includes 
addressing internal control weaknesses and, at a minimum, evaluates 
whether use of TWIC in its present form and planned use with readers 
would enhance the posture of security beyond efforts already in place 
given costs and program risks. DHS concurred with our recommendation.
    Further, Executive Branch requirements provide that prior to 
issuing a new regulation, agencies are to conduct a regulatory 
analysis, which is to include an assessment of costs, benefits, and 
risks. Therefore, DHS is required to issue a new regulatory analysis 
for its proposed regulation on the use of TWIC with biometric card 
readers. Conducting a regulatory analysis using the information from 
the internal control and effectiveness assessments could better inform 
the new regulatory analysis and could help DHS identify and assess the 
full costs and benefits of implementing the TWIC program. Therefore, in 
our May 2011 report, we recommended that the Secretary of Homeland 
Security use the information from the internal control and 
effectiveness assessments as the basis for evaluating the costs, 
benefits, security risks, and corrective actions needed to implement 
the TWIC program. This should be done in a manner that will meet stated 
mission needs and mitigate existing security risks as part of the 
regulatory analysis being completed for the new TWIC biometric card 
reader regulation. DHS concurred with our recommendation.
    Finally, the Coast Guard's approach for monitoring and enforcing 
TWIC compliance nationwide could be improved by enhancing its 
collection and assessment of related maritime security information. For 
example, the Coast Guard tracks TWIC program compliance, but the 
processes involved in the collection, cataloguing, and querying of 
information cannot be relied on to produce the management information 
needed to assess trends in compliance with the TWIC program or 
associated vulnerabilities. The Coast Guard uses its Marine Information 
for Safety and Law Enforcement (MISLE) database to monitor activities 
related to MTSA-regulated facility and vessel oversight, including 
observations of TWIC-related deficiencies. Coast Guard officials 
reported that they are making enhancements to the MISLE database and 
plan to distribute updated guidance on how to collect and input 
information. However, as of May 2011, the Coast Guard had not yet set a 
date for implementing these changes. Further, these enhancements do not 
address all weaknesses identified in our report that hamper the Coast 
Guard's efforts to conduct trend analysis of the deficiencies as part 
of its compliance reviews. Therefore, in our May 2011 report, we 
recommended that the Secretary of Homeland Security direct the 
Commandant of the Coast Guard to design effective methods for 
collecting, cataloguing, and querying TWIC-related compliance issues to 
provide the Coast Guard with the enforcement information needed to 
assess trends in compliance with the TWIC program and identify 
associated vulnerabilities. DHS concurred with our recommendation.
    As the TWIC program continues on the path to full implementation--
with potentially billions of dollars needed to install TWIC card 
readers in thousands of the nation's ports, facilities, and vessels at 
stake--it is important that Congress, program officials, and maritime 
industry stakeholders fully understand the program's potential benefits 
and vulnerabilities, as well as the likely costs of addressing these 
potential vulnerabilities. The report we are releasing today aims to 
help inform stakeholder views on these issues.
    Chairman Rockefeller, Ranking Member Hutchison, and members of the 
Committee, this concludes my prepared testimony. I look forward to 
answering any questions that you may have.
                                 ______
                                 
                               Attachment
 U.S. Government Accountability Office (GAO)--Report to Congressional 
 Requesters--May 2011--Transportation Worker Identification Credential
Internal Control Weaknesses Need to Be Corrected to Help Achieve 
        Security Objectives
Abbreviations

        ATSA--Aviation and Transportation Security Act

        CSOC--Colorado Springs Operations Center

        DHS--Department of Homeland Security

        FBI--Federal Bureau of Investigation

        FEMA--Federal Emergency Management Agency

        IAFIS--Integrated Automated Fingerprint Identification System

        III--Interstate Identification Index

        MISLE--Marine Information for Safety and Law Enforcement

        MSRAM--Maritime Security Risk Analysis Model

        MTSA--Maritime Transportation Security Act

        NCIC--National Crime Information Center

        NIPP--National Infrastructure Protection Plan

        SAFE Port Act--Security and Accountability For Every Port Act

        SAVE--Systematic Alien Verification for Entitlements

        TSA--Transportation Security Administration

        TWIC--Transportation Worker Identification Credential
                                 ______
                                 
                                                       May 10, 2011
                                   Congressional Requesters

    Securing transportation systems and facilities requires balancing 
security to address potential threats while facilitating the flow of 
people and goods that are critical to the United States economy and 
necessary for supporting international commerce. As we have previously 
reported, these systems and facilities are vulnerable and difficult to 
secure given their size, easy accessibility, large number of potential 
targets, and proximity to urban areas.\1\
---------------------------------------------------------------------------
    \1\ See GAO, Transportation Worker Identification Credential: 
Progress Made in Enrolling Workers and Activating Credentials but 
Evaluation Plan Needed to Help Inform the Implementation of Card 
Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009); Transportation 
Security: DHS Should Address Key Challenges before Implementing the 
Transportation Worker Identification Credential Program, GAO-06-982 
(Washington, D.C.: Sept. 29, 2006); and Port Security: Better Planning 
Needed to Develop and Operate Maritime Worker Identification Card 
Program, GAO-05-106 (Washington, D.C.: Dec. 10, 2004).
---------------------------------------------------------------------------
    The Maritime Transportation Security Act of 2002 \2\ (MTSA) 
required the Secretary of Homeland Security to prescribe regulations 
preventing individuals from having unescorted access to secure areas of 
MTSAregulated facilities and vessels unless they possess a biometric 
transportation security card and are authorized to be in such an 
area.\3\ MTSA further tasked the Secretary with the responsibility to 
issue biometric transportation security cards to eligible individuals 
unless the Secretary determines that an applicant poses a security risk 
warranting denial of the card. The Transportation Worker Identification 
Credential (TWIC) program is designed to implement these biometric 
maritime security card requirements. The program requires maritime 
workers to complete background checks to obtain a biometric 
identification card and be authorized to be in the secure area by the 
owner/operator in order to gain unescorted access to secure areas of 
MTSA-regulated facilities and vessels.\4\ According to the Coast Guard, 
as of December 2010 and January 2011, there were 2,509 facilities and 
12,908 vessels, respectively, which are subject to MTSA regulations and 
must implement TWIC provisions.\5\
---------------------------------------------------------------------------
    \2\ Pub. L. No. 107-295, 116 Stat. 2064 (2002).
    \3\ Under Coast Guard regulations, a secure area, in general, is an 
area over which the owner/operator has implemented security measures 
for access control in accordance with a Coast Guard-approved security 
plan. For most maritime facilities, the secure area is generally any 
place inside the outer-most access control point. For a vessel or outer 
continental shelf facility, such as off-shore petroleum or gas 
production facilities, the secure area is generally the whole vessel or 
facility.
    \4\ Biometrics refers to technologies that measure and analyze 
human body characteristics--such as fingerprints, eye retinas and 
irises, voice patterns, facial patterns, and hand measurements--for 
authentication purposes.
    \5\ 33 C.F.R. Part 105, for example, governs maritime facility 
security and sets forth general security requirements along with 
requirements for facility security assessments and facility security 
plans, among other things. General maritime security requirements 
pertaining to vessels are set out in 33 C.F.R. Part 104.
---------------------------------------------------------------------------
    Within the Department of Homeland Security (DHS), the 
Transportation Security Administration (TSA) and the U.S. Coast Guard 
are responsible for implementing and enforcing the TWIC program. TSA's 
responsibilities include enrolling TWIC applicants, conducting 
background checks to assess the individual's security threat, and 
issuing TWICs. The Coast Guard is responsible for developing TWIC-
related security regulations and ensuring that MTSA-regulated maritime 
facilities and vessels are in compliance with these regulations. In 
addition, DHS's Screening Coordination Office facilitates coordination 
among the various DHS components involved in TWIC, such as TSA and the 
Coast Guard, as well as the U.S. Citizenship and Immigration Services, 
which personalizes the credentials,\6\ and the Federal Emergency 
Management Agency, which administers grant funds in support of the TWIC 
program.
---------------------------------------------------------------------------
    \6\ A card is personalized when the card holder's personal 
information, such as photograph and name, are added to the card.
---------------------------------------------------------------------------
    In January 2007, a federal regulation (known as the TWIC credential 
rule) set a compliance deadline, subsequently extended to April 15, 
2009, whereby each maritime worker seeking unescorted access to secure 
areas of MTSA-regulated facilities and vessels must possess a TWIC.\7\ 
In September 2008, we reported that TSA, the Coast Guard, and maritime 
industry stakeholders (e.g., operators of MTSA-regulated facilities and 
vessels) had faced challenges in implementing the TWIC program, 
including enrolling and issuing TWICs to a larger population than was 
originally anticipated, ensuring that TWIC access control technologies 
perform effectively in the harsh maritime environment, and balancing 
security requirements with the flow of maritime commerce.\8\ In 
November 2009, we reported that progress had been made in enrolling 
workers and activating TWICs, and recommended that TSA develop an 
evaluation plan to guide pilot efforts and help inform the future 
implementation of TWIC with electronic card readers.\9\ DHS generally 
concurred and discussed actions to implement the recommendations, but 
these actions have not yet fully addressed the intent of all of the 
recommendations. Currently, TWICs are primarily used as visual identity 
cards--known as a flashpass--where a card is to be visually inspected 
before a cardholder is allowed unescorted access to a secure area of a 
MTSA-regulated port or facility.\10\ As of January 6, 2011, TSA 
reported over 1.7 million enrollments and 1.6 million cards issued and 
activated.\11\
---------------------------------------------------------------------------
    \7\ 72 Fed. Reg. 3492 (2007); Extension of deadline to April 15, 
2009 by 73 Fed. Reg. 25562 (2008).
    \8\ GAO, Transportation Worker Identification Credential: A Status 
Update, GAO-08-1151T (Washington, D.C.: Sept. 17, 2008).
    \9\ GAO-10-43.
    \10\ TWIC guidance provides that possession of a TWIC is required 
for an individual to be eligible for unescorted access to secure areas 
of vessels and facilities. With the issuance of a TWIC, it is still the 
responsibility of facility and vessel owners to determine who should be 
granted access to their facilities or vessels.
    \11\ Prior to issuing a TWIC, each TWIC is activated, or turned on, 
after the person being issued the TWIC provides a personal 
identification number.
---------------------------------------------------------------------------
    In response to your request, we evaluated the extent to which TWIC 
program controls provide reasonable assurance that unescorted access to 
secure areas of MTSA-regulated facilities and vessels is limited to 
those possessing a legitimately issued TWIC and who are authorized to 
be in such an area. Specifically, this report addresses the following 
questions:

        1. To what extent are TWIC processes for enrollment, background 
        checking, and use designed to provide reasonable assurance that 
        unescorted access to secure areas of MTSA-regulated facilities 
        and vessels is limited to qualified individuals?

        2. To what extent has DHS assessed the effectiveness of TWIC, 
        and does the Coast Guard have effective systems in place to 
        measure compliance?

    This report is a public version of a related sensitive report that 
we issued to you in May 2011. DHS and TSA deemed some of the 
information in the prior report as sensitive security information, 
which must be protected from public disclosure. Therefore, this report 
omits sensitive information about the TWIC program, including 
techniques used to enroll and conduct a background check on individuals 
and assess an individual's eligibility for a TWIC, and the technologies 
that support TWIC security threat assessment determinations and Coast 
Guard inspections. In addition, at TSA's request, we have redacted data 
on specific enrollment center(s) and maritime ports where our 
investigators conducted covert testing. Although the information 
provided in this report is more limited in scope, it addresses the same 
questions and includes the same recommendations as the sensitive 
report. Also, the overall methodology used for both reports is the 
same.
    To assess the extent to which TWIC program processes were designed 
to provide reasonable assurance that unescorted access to secure areas 
of MTSA-regulated facilities and vessels is limited to qualified 
individuals, we reviewed applicable laws, regulations, and 
policies.\12\ We also reviewed documentation provided by TSA on the 
TWIC program systems and processes, such as the TWIC User Manual for 
Trusted Agents, Statement of Objectives, and Concept of Operations. We 
further reviewed the processes and data sources with TWIC program 
management from TSA and Lockheed Martin (the contractor responsible for 
implementing the program).\13\ We also met with: (1) the Director of 
Vetting Operations at TSA's Colorado Springs Operations Center (CSOC), 
where background checks for links to terrorism and continual vetting of 
TWIC holders is to take place; (2) the Operations Manager for the 
Adjudication Center, where secondary background checks are to be 
conducted for applicants with identified criminal or immigration 
issues; and (3) the Director at DHS's Screening Coordination Office 
responsible for overseeing credentialing programs across DHS. 
Additionally, we met with the Criminal Justice Information Services 
Division at the Federal Bureau of Investigation (FBI) to discuss 
criminal vetting processes and policies. We then evaluated the 
processes against the TWIC program's mission needs and Standards for 
Internal Control in the Federal Government.\14\ As part of our 
assessment of TWIC program controls, we also did the following:
---------------------------------------------------------------------------
    \12\ See, for example, MTSA, Security and Accountability For Every 
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884 
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular 
Number 03-07: Guidance for the Implementation of the Transportation 
Worker Identification Credential Program in the Maritime Sector 
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council 
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard 
Transportation Worker Identification Credential Verification and 
Enforcement Guide (Washington, D.C.: Oct. 10, 2008).
    \13\ To assess the reliability of data on the number of TWIC 
enrollments, the number of self-identified U.S. citizens or nationals 
asserting themselves to be born in the United States or in a U.S. 
territory, and the number of TWICs approved after the initial 
background check, we reviewed program systems documentation and 
interviewed knowledgeable agency officials about the source of the data 
and the controls the TWIC program and systems had in place to maintain 
the integrity of the data. We determined that the data were 
sufficiently reliable for the purposes of our report. The data we 
reviewed were collected between October 2007 and December 2010.
    \14\ GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

   We visited four TWIC enrollment and activation centers 
        located in areas with high population density and near ports 
        participating in the TWIC pilot to observe how TWIC enrollments 
        are conducted.\15\ The results are not generalizable to all 
        enrollment and activation centers; however, because all centers 
        are to conduct the same operations following the same guidance, 
        the locations we visited provided us with an overview of the 
        TWIC enrollment and activation/issuance processes.
---------------------------------------------------------------------------
    \15\ We visited the Howland Hook enrollment center in Staten 
Island, New York, the Whitehall Ferry Terminal enrollment center in New 
York, New York, the Terminal Island enrollment center in San Pedro, 
California, and the Long Beach enrollment center in Long Beach, 
California.

   We had our investigators conduct covert testing at 
        enrollment center(s) operating at the time to identify whether 
        individuals providing fraudulent information could acquire an 
        authentic TWIC. The information we obtained from the covert 
        testing at enrollment center(s) is not generalizable across all 
        TWIC enrollment centers. However, because all enrollments are 
        to be conducted following the same established processes, we 
        believe that the information from our covert tests provided us 
        with important perspective on TWIC program enrollment and 
        background checking processes, as well as potential challenges 
---------------------------------------------------------------------------
        in verifying an individual's identity.

    Further our investigators conducted covert testing at several 
selected maritime ports with MTSA-regulated facilities and vessels to 
identify security vulnerabilities and program control deficiencies. 
These locations were selected based on their geographic location across 
the country (east coast, gulf coast, and west coast) and port size in 
terms of cargo volume. We also visited or met with officials at each of 
the seven original pilot sites being used to test TWIC card 
readers,\16\ interviewed port security officials at two additional 
ports responsible for implementing TWIC at their port,\17\ and met with 
nine maritime or transportation industry associations \18\ to obtain 
information on: (1) the use of TWIC as a flashpass and with biometric 
readers where they are in use, (2) experiences with TWIC card 
performance, and (3) any suspected or reported cases of TWIC card 
fraud. The information we obtained from the security officials at the 9 
ports or pilot participants we visited is not generalizable across the 
maritime transportation industry as a whole, but collectively, the 
ports we visited accounted for 56 percent of maritime container trade 
in the United States, and the ports our investigators visited as part 
of our covert testing efforts accounted for 54 percent of maritime 
container trade in the United States in 2009. As such, we believe that 
the information from these interviews, site visits, and covert tests 
provided us with important additional perspective and context on the 
TWIC program, as well as information about potential implementation 
challenges faced by MTSA-regulated facilities/vessels, transportation 
workers, and mariners.
---------------------------------------------------------------------------
    \16\ We visited pilot participants at the Ports of Los Angeles, 
Long Beach, and Brownsville, and the Port Authority of New York and New 
Jersey. We also interviewed and or met with officials at vessel 
operations participating in the TWIC pilot, including the Staten Island 
Ferry in Staten Island, New York; Magnolia Marine Transports in 
Vicksburg, Mississippi; and Watermark Cruises in Annapolis, Maryland.
    \17\ We met with officials responsible for implementing TWIC at the 
Port of Baltimore and the Port of Houston. We selected the Port of 
Baltimore based on proximity to large population centers and we 
selected the Port of Houston because it was using TWICs with readers.
    \18\ We interviewed representatives from the Association of the Bi-
State Motor Carriers, the New Jersey Motor Truck Association, the 
Association of American Railroads, the American Public Transportation 
Association, the American Association of Port Authorities, the 
International Liquid Terminals Association, the International Longshore 
and Warehouse Union, the National Employment Law Project, and the 
Passenger Vessel Association. These organizations were selected because 
together they represent the key constituents of port operations.
---------------------------------------------------------------------------
    To assess the extent to which DHS has assessed the effectiveness of 
TWIC, and determine whether the Coast Guard has effective systems in 
place to measure compliance, we reviewed applicable laws, regulations, 
and policies.\19\ We also met with TWIC program officials from TSA and 
the Coast Guard, as well as Coast Guard officials responsible for 
assessing maritime security risk, and reviewed related documents, to 
identify how TWIC is to enhance maritime security.\20\ In addition, we 
met with Coast Guard TWIC program officials, data management staff, and 
Coast Guard officials stationed at four port areas across the United 
States with enforcement responsibilities to assess the agency's 
approach to enforcing compliance with TWIC regulations and measuring 
program effectiveness.\21\ As part of this effort, we reviewed the type 
and substance of management information available to the Coast Guard 
for assessing compliance with TWIC. In performing this work, we 
evaluated the Coast Guard's practices against TWIC program mission 
needs and Standards for Internal Control in the Federal Government.
---------------------------------------------------------------------------
    \19\ See, for example, MTSA, Security and Accountability For Every 
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884 
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular 
Number 03-07: Guidance for the Implementation of the Transportation 
Worker Identification Credential Program in the Maritime Sector 
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council 
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard 
Transportation Worker Identification Credential Verification and 
Enforcement Guide (Washington, D.C.: Oct. 10, 2008).
    \20\ See, for example, the Coast Guard's 2008 Analysis of 
Transportation Worker Identification Credential (TWIC) Electronic 
Reader Requirements in the Maritime Sector, and the Homeland Security 
Institute's 2008 Independent Verification and Validation of Development 
of Transportation Worker Identification Credential (TWIC) Reader 
Requirements.
    \21\ We interviewed Coast Guard officials in New York and New 
Jersey; Los Angeles and Long Beach, California; Corpus Christi, Texas; 
and Baltimore, Maryland. We met with these Coast Guard officials 
because the facilities, vessels, and enrollment centers we visited are 
housed in these officials' area(s) of responsibility.
---------------------------------------------------------------------------
    We conducted this performance audit from November 2009 through 
March 2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. We 
conducted our related investigative work in accordance with standards 
prescribed by the Council of the Inspectors General on Integrity and 
Efficiency.\22\
---------------------------------------------------------------------------
    \22\ During the course of the audit, we provided briefings on the 
preliminary results of our work in May and October 2010.
---------------------------------------------------------------------------
Background
TWIC History and Purpose
    In November 2001, the Aviation and Transportation Security Act 
(ATSA) \23\ was enacted, requiring TSA to, among other things, work 
with airport operators to strengthen access control points to secured 
areas and to consider using biometric access control systems, or 
similar technologies, to verify the identity of individuals who seek to 
enter a secure airport area. In response to ATSA, TSA established the 
TWIC program in December 2001.\24\ In November 2002, MTSA was enacted 
and required the Secretary of Homeland Security to issue a maritime 
worker identification card that uses biometrics to control access to 
secure areas of maritime transportation facilities and vessels.\25\ In 
addition, the Security and Accountability For Every Port Act (SAFE Port 
Act) of 2006 amended MTSA and directed the Secretary of Homeland 
Security to, among other things, implement the TWIC pilot project to 
test TWIC use with biometric card readers and inform a future 
regulation on the use of TWIC with electronic readers.
---------------------------------------------------------------------------
    \23\ Pub. L. No. 107-71, 115 Stat. 597 (2001).
    \24\ TSA was transferred from the Department of Transportation to 
DHS pursuant to requirements in the Homeland Security Act, enacted on 
November 25, 2002 (Pub. L. No. 107-296, 116 Stat. 2135, 2178 (2002)).
    \25\ Prior to TWIC, facilities and vessels administered their own 
approaches for controlling access based on the perceived risk at the 
facility. These approaches, among others, included requiring people 
seeking access to have a reason for entering, facility-specific 
identification, and in some cases, a background check. Some ports and 
port facilities still maintain their own credentials.
---------------------------------------------------------------------------
    In requiring the issuance of transportation security cards for 
entry into secure areas of a facility or vessel as part of MTSA, 
Congress noted in the ``Findings'' section of the legislation that 
ports in the United States are a major location for Federal crime such 
as cargo theft and smuggling, and are susceptible to large-scale acts 
of terrorism.\26\ For example, according to the Coast Guard's January 
2008 National Maritime Terrorism Threat Assessment, al Qaeda leaders 
and supporters have identified western maritime assets as legitimate 
targets.\27\ Moreover, according to the Coast Guard assessment, al 
Qaeda-inspired operatives are most likely to use vehicle bombs to 
strike U.S. cargo vessels, tankers, and fixed coastal facilities such 
as ports. Studies have demonstrated that attacks on ports could have 
serious consequences. For example, a study by the Center for Risk and 
Economic Analysis of Terrorist Events on the impact of a dirty bomb 
attack on the Ports of Los Angeles and Long Beach estimated that the 
economic consequences from a shutdown of the harbors due to the 
contamination could result in significant losses in the tens of 
billions of dollars, including the decontamination costs and the 
indirect economic impacts due to the port shutdown.\28\
---------------------------------------------------------------------------
    \26\ Maritime Transportation Security Act of 2002 (Pub. L. No. 107-
295,116 Stat. 2064 (2002)). The FBI estimates that in the United 
States, cargo crime amounts to $12 billion annually and finds that most 
cargo theft occurs in or near seaports.
    \27\ U.S. Coast Guard Intelligence Coordination Center, National 
Maritime Terrorism Threat Assessment (Washington, D.C.: Jan. 7, 2008).
    \28\ H. Rosoff and D. von Winterfeldt, ``A Risk and Economic 
Analysis of Dirty Bomb Attacks on the Ports of Los Angeles and Long 
Beach,'' Journal of Risk Analysis, vol. 27, no. 3 (2007). This research 
was supported by DHS through the Center for Risk and Economic Analysis 
of Terrorist Events by grant funding.
---------------------------------------------------------------------------
    As defined by DHS, the purpose of the TWIC program is to design and 
field a common credential for all transportation workers across the 
United States who require unescorted access to secure areas at MTSA-
regulated maritime facilities and vessels.\29\ As such, the TWIC 
program, once implemented, aims to meet the following stated mission 
needs:
---------------------------------------------------------------------------
    \29\ This is defined in the TWIC System Security Plan and the DHS 
Budget Justification to Congress for Fiscal Years 2009 and 2010.

   Positively identify authorized individuals who require 
        unescorted access to secure areas of the Nation's 
---------------------------------------------------------------------------
        transportation system.

   Determine the eligibility of individuals to be authorized 
        unescorted access to secure areas of the transportation system 
        by conducting a security threat assessment.

   Ensure that unauthorized individuals are not able to defeat 
        or otherwise compromise the access system in order to be 
        granted permissions that have been assigned to an authorized 
        individual.

   Identify individuals who fail to maintain their eligibility 
        requirements subsequent to being permitted unescorted access to 
        secure areas of the Nation's transportation system and 
        immediately revoke the individual's permissions.
TWIC Program Processes for Ensuring TWIC-Holder Eligibility
    TSA is responsible for enrolling TWIC applicants and conducting 
background checks to ensure that only eligible individuals are granted 
TWICs.\30\ In addition, pursuant to TWIC-related regulations, 
MTSAregulated facility and vessel operators are responsible for 
reviewing each individual's TWIC as part of their decision to grant 
unescorted access to secure areas of their facilities. The Coast Guard 
is responsible for assessing and enforcing operator compliance with 
TWIC-related laws and regulations. Described below are key components 
of each process for ensuring TWIC-holder eligibility.
---------------------------------------------------------------------------
    \30\ TWIC program threat assessment processes include conducting a 
background check to determine whether each TWIC applicant is a security 
risk to the United States. These checks, in general, can include checks 
for criminal history records, immigration status, terrorism databases 
and watchlists, and records indicating an adjudication of lack of 
mental capacity, among other things. TSA security threat assessment-
related regulations define the term security threat to mean an 
individual whom TSA determines or suspects of posing a threat to 
national security; to transportation security; or of terrorism.
---------------------------------------------------------------------------
    Enrollment: Transportation workers are enrolled by providing 
biographic information, such as name, date of birth, and address, and 
proof of identity documents, and then being photographed and 
fingerprinted at enrollment centers by trusted agents. A trusted agent 
is a member of the TWIC team who has been authorized by the Federal 
Government to enroll transportation workers in the TWIC program and 
issue TWIC cards.\31\ Appendix I summarizes key steps in the enrollment 
process.
---------------------------------------------------------------------------
    \31\ Trusted agents are subcontractor staff acquired by Lockheed 
Martin as part of its support contract with TSA for the TWIC program.
---------------------------------------------------------------------------
    Background checking: TSA conducts background checks on each worker 
who applies for a TWIC to ensure that individuals who enroll do not 
pose a security risk to the United States. A worker's potential link to 
terrorism, criminal history, immigration status, and mental capacity 
are considered as part of the security threat assessment. Workers have 
the opportunity to appeal negative results of the threat assessment or 
request a waiver of certain specified criminal offenses, and 
immigration or mental capacity standards. Specifically, the TWIC 
background checking process includes two levels of review.

        First-level review: Initial automated background checking. The 
        initial automated background checking process is conducted to 
        determine whether any derogatory information is associated with 
        the name and fingerprints submitted by an applicant during the 
        enrollment process. This check is conducted against the FBI's 
        criminal history records. These records contain information 
        from Federal and state and local sources in the FBI's National 
        Crime Information Center (NCIC) database and the FBI's 
        Integrated Automated Fingerprint Identification System (IAFIS)/
        Interstate Identification Index (III), which maintain criminal 
        records and related fingerprint submissions. Rather than 
        positively confirming each individual's identity using the 
        submitted fingerprints, the FBI's criminal history records 
        check is a negative identification check, whereby the 
        fingerprints are used to confirm that the associated individual 
        is not on the FBI criminal history list. If an individual is 
        identified as being on the FBI's criminal history list, 
        relevant information is to be forwarded to TSA for 
        adjudication.\32\ The check is also conducted against Federal 
        terrorism information from the Terrorist Screening Data base, 
        including the Selectee and No-Fly Lists.\33\ To determine an 
        applicant's immigration/citizenship status and eligibility, TSA 
        also runs applicant information against the Systematic Alien 
        Verification for Entitlements (SAVE) system. If the applicant 
        is identified as a U.S.-born citizen with no related derogatory 
        information, the system can approve the issuance of a TWIC with 
        no further review of the applicant or human intervention.
---------------------------------------------------------------------------
    \32\ Not all TWIC applicants will have readable fingerprints. As we 
have previously reported, it is estimated that about 2 percent to 5 
percent of people cannot be easily fingerprinted because their 
fingerprints have become dry or worn from age, extensive manual labor, 
or exposure to corrosive chemicals (See GAO, Technology Assessment: 
Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: 
Nov. 15, 2002).
    \33\ Pursuant to Homeland Security Presidential Directive 6, dated 
September 16, 2003, the Terrorist Screening Center--under the 
administration of the FBI--was established to develop and maintain the 
U.S. government's consolidated terrorist screening database (the watch 
list) and to provide for the use of watch-list records during security-
related screening processes. The Selectee List contains information on 
individuals who should receive enhanced screening (e.g., additional 
physical screening or a hand-search of carryon baggage) before 
proceeding through the security checkpoint at airports. The No Fly List 
contains information on individuals who should be precluded from 
boarding flights. The No Fly and Selectee lists contain applicable 
records from the FBI Terrorist Screening Center's consolidated database 
of known or appropriately suspected terrorists.

        Second-level review: TSA's Adjudication Center Review. A 
        second-level review is conducted as part of an individual's 
        background check if: (1) the applicant has self-identified 
        themselves to be a non-U.S. citizen or non-U.S.-born citizen or 
        national, or (2) the first-level review uncovers any derogatory 
        information. As such, not all TWIC applicants will be subjected 
        to a second-level review. The second-level review consists of 
        staff at TSA's adjudication center reviewing the applicant's 
        enrollment file.\34\
---------------------------------------------------------------------------
    \34\ If an applicant has asserted him/herself to be a non-U.S. 
citizen or non-U.S.-born citizen, TSA staff at the adjudication center 
are to positively identify the individual by confirming aspects of the 
individual's biographic information, inclusive of their alien 
registration number and other physical descriptors, against available 
databases. For those individuals, TSA requires that at least one of the 
documents provided as proof of identity demonstrates immigration status 
or United States citizenship. According to TWIC officials, the program 
is able to validate immigration status and citizenship-related 
documents required of noncitizens and non-U.S.-born citizens--such as 
certificates of naturalization--with the originating source. For 
individuals with derogatory information, staff at the adjudication 
center reviews each applicant's file to determine if the derogatory 
information accurately applies to the individual or includes 
disqualifying information.

    Card use and compliance: Once a TWIC has been activated and issued, 
the worker may present his or her TWIC to security officials when he or 
she seeks unescorted access to a secure area. Currently, visual 
inspections of TWICs are required for controlling access to secure 
areas of MTSAregulated facilities and vessels.\35\ Approaches for 
inspecting TWICs using biometric readers at individual facilities and 
vessels across the nation are being considered as part of a pilot but 
are not yet required. Pursuant to Coast Guard policy,\36\ Coast Guard 
inspectors are required to verify TWIC cards during annual compliance 
exams, security spot checks, and in the course of other Coast Guard 
duties as determined by the Captain of the Port \37\ based on risk and 
resource availability. The Coast Guard's primary means of verification 
is shifting toward the use of biometric handheld readers with the 
continued deployment of readers to each of its Sectors and Marine 
Safety Units.\38\ As of December 21, 2010, the Coast Guard reports to 
have deployed biometric handheld readers to all of its 35 Sectors and 
16 Marine Safety Units.
---------------------------------------------------------------------------
    \35\ Coast Guard regulations require that such an inspection 
include: (1) a match of the photo on the TWIC to the individual 
presenting the TWIC, (2) verification that the TWIC has not expired, 
and (3) a visual check of the various security features present on the 
card to determine whether the TWIC has been tampered with or forged.
    \36\ See United States Coast Guard, Commandant Instruction Manual 
16601.1: Coast Guard Transportation Worker Identification Credential 
(TWIC) Verification and Enforcement Guide (Washington, D.C.: Oct. 10, 
2008).
    \37\ The Captain of the Port is the Coast Guard officer designated 
by the Commandant to enforce within his or her respective areas port 
safety and security and marine environmental protection regulations, 
including, without limitation, regulations for the protection and 
security of vessels, harbors, and waterfront facilities.
    \38\ Coast Guard Sectors run all Coast Guard missions at the local 
and port levels, such as search and rescue, port security, 
environmental protection, and law enforcement in ports and surrounding 
waters, and oversee a number of smaller Coast Guard units, including 
small cutters and small-boat stations.
---------------------------------------------------------------------------
TWIC Regulations and Cost
    In August 2006, DHS officials decided, based on industry comment, 
to implement TWIC through two separate regulations, or rules. The first 
rule, issued in January 2007, directs the use of the TWIC as an 
identification credential, or flashpass. The second rule, the card 
reader rule, is currently under development and is expected to address 
how the access control technologies, such as biometric card readers, 
are to be used for confirming the identity of the TWIC holder against 
the biometric information on the TWIC. On March 27, 2009, the Coast 
Guard issued an Advance Notice of Proposed Rule Making for the card 
reader rule.\39\
---------------------------------------------------------------------------
    \39\ 74 Fed. Reg. 13360 (2009). An advanced notice of proposed 
rulemaking is published in the Federal Register and contains notices to 
the public of the proposed issuance of rules and regulations. The 
purpose of this advanced notice of proposed rulemaking was to encourage 
the discussion of potential TWIC reader requirements prior to the 
rulemaking process.
---------------------------------------------------------------------------
    To inform the rulemaking process, TSA initiated a pilot in August 
2008, known as the TWIC reader pilot, to test TWIC-related access 
control technologies.\40\ This pilot is intended to test the 
technology, business processes, and operational impacts of deploying 
TWIC readers at secure areas of the marine transportation system. As 
such, the pilot is expected to test the feasibility and functionality 
of using TWICs with biometric card readers within the maritime 
environment. After the pilot has concluded, a report on the findings of 
the pilot is expected to inform the development of the card reader 
rule. DHS currently estimates that a notice of proposed rulemaking will 
be issued late in calendar year 2011 and that the final rule will be 
promulgated no earlier than the end of calendar year 2012.
---------------------------------------------------------------------------
    \40\ The pilot initiation date is based on the first date of 
testing identified in the TWIC pilot schedule. This date is not 
inclusive of time taken for planning the pilot prior to the first test. 
The SAFE Port Act required the pilot to commence no later than 180 days 
after the date of enactment (Oct. 13, 2006) of the SAFE Port Act. See 
GAO-06-982.
---------------------------------------------------------------------------
    According to agency officials, from Fiscal Years 2002 through 2010, 
the TWIC program had funding authority totaling $420 million. In 
issuing the credential rule, DHS estimated that implementing the TWIC 
program could cost the Federal Government and the private sector a 
combined total of between $694.3 million and $3.2 billion over a 10-
year period. However, these figures did not include costs associated 
with implementing and operating readers.\41\ Appendix II contains 
additional program funding details.
---------------------------------------------------------------------------
    \41\ See Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492, 
3571 (2007).
---------------------------------------------------------------------------
Standards for Internal Control
    Standards for Internal Control in the Federal Government 
underscores the need for developing effective controls for meeting 
program objectives and complying with applicable regulations.\42\ 
Effective internal controls provide for an assessment of the risks the 
agency faces from both internal and external sources. Once risks have 
been identified, they should be analyzed for their possible effect. 
Management then has to decide upon the internal control activities 
required to mitigate those risks and achieve the objectives of 
efficient and effective operations. As part of this effort, management 
should design and implement internal controls based on the related cost 
and benefits.
---------------------------------------------------------------------------
    \42\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
    In addition, internal control standards highlight the need for the 
following:

   capturing information needed to meet program objectives;

   designing controls to assure that ongoing monitoring occurs 
        in the course of normal operations;

   determining that relevant, reliable, and timely information 
        is available for management decisionmaking purposes;

   conducting reviews and testing of development and 
        modification activities before placing systems into operation;

   recording and communicating information to management and 
        others within the entity who need it and in a form and within a 
        time-frame that enables them to carry out their internal 
        control and other responsibilities; and

   designing internal controls to provide reasonable assurance 
        that compliance with applicable laws and regulations is being 
        achieved, and provide appropriate supervisory review of 
        activities to help provide oversight of operations. This 
        includes designing and implementing appropriate supervisory 
        review activities to help provide oversight and analyzing data 
        to compare trends in actual performance to expected results to 
        identify any areas that may require further inquiries or 
        corrective action.

    Internal control also serves as the first line of defense in 
safeguarding assets and preventing and detecting errors and fraud. An 
internal control weakness is a condition within an internal control 
system worthy of attention. A weakness, therefore, may represent a 
perceived, potential, or real shortcoming, or an opportunity to 
strengthen internal controls to provide a greater likelihood that the 
entity's objectives will be achieved.
Internal Control Weaknesses in DHS's Biometric Transportation ID 
        Program Hinder Efforts to Ensure Security Objectives Are Fully 
        Achieved
    DHS has established a system of TWIC-related processes and 
controls. However, internal control weaknesses governing the 
enrollment, background checking, and use of TWIC potentially limit the 
program's ability to provide reasonable assurance that access to secure 
areas of MTSA-regulated facilities is restricted to qualified 
individuals. Specifically, internal controls \43\ in the enrollment and 
background checking processes are not designed to provide reasonable 
assurance that: (1) only qualified individuals can acquire TWICs; (2) 
adjudicators follow a process with clear criteria for applying 
discretionary authority when applicants are found to have extensive 
criminal convictions; or (3) once issued a TWIC, TWIC holders have 
maintained their eligibility. To meet the stated program mission needs, 
TSA designed TWIC program processes to facilitate the issuance of TWICs 
to maritime workers. However, TSA did not assess the internal controls 
designed and in place to determine whether they provided reasonable 
assurance that the program could meet defined mission needs for 
limiting access to only qualified individuals. Further, internal 
control weaknesses in TWIC enrollment, background checking, and use 
could have contributed to the breach of selected MTSA-regulated 
facilities during covert tests conducted by our investigators.
---------------------------------------------------------------------------
    \43\ In accordance with Standards for Internal Control in the 
Federal Government, the design of the internal controls is to be 
informed by identified risks the program faces from both internal and 
external sources; the possible effect of those risks; control 
activities required to mitigate those risks; and the cost and benefits 
of mitigating those risks.
---------------------------------------------------------------------------
TWIC Program Controls Are Not Designed to Provide Reasonable Assurance 
        That Only Qualified Applicants Can Acquire TWICs
    DHS has established a system of TWIC-related processes and controls 
that as of April 2011 has resulted in TWICs being denied to 1,158 
applicants based on a criminal offense, criminal immigration offense, 
or invalid immigration status.\44\ However, the TWIC program's internal 
controls for positively identifying an applicant, arriving at a 
security threat determination for that individual, and approving the 
issuance of a TWIC, are not designed to provide reasonable assurance 
that only qualified applicants can acquire TWICs.\45\ Assuring the 
identity and qualifications of TWIC-holders are two of the primary 
benefits that the TWIC program is to provide MTSA-regulated facility 
and vessel operators making access control decisions. If an individual 
presents an authentic TWIC acquired through fraudulent means when 
requesting access to the secure areas of a MTSA-regulated facility or 
vessel, the cardholder is deemed not to be a security threat to the 
maritime environment because the cardholder is presumed to have met 
TWIC-related qualifications during a background check. In such cases, 
these individuals could better position themselves to inappropriately 
gain unescorted access to secure areas of a MTSAregulated facility or 
vessel.\46\
---------------------------------------------------------------------------
    \44\ TSA further reports that as of April 2011 there have been 
34,503 cases out of 1,841,122 enrollments, or 1.9 percent of TWIC 
enrollments, where enrollees have not been approved for a TWIC because 
TSA has identified that the enrollees have at least one potentially 
disqualifying criminal offense, criminal immigration offense, or 
invalid immigration status, and the enrollee did not respond to an 
initial determination of threat assessment. Under the TWIC vetting 
process, an applicant that receives an initial determination of threat 
assessment is permitted to provide additional information to respond to 
or challenge the determination, or to request a waiver for the 
disqualifying condition, and subsequently be granted a TWIC.
    \45\ For the purposes of this report, routinely is defined as a 
process being consistently applied in accordance with established 
procedure so as to render consistent results.
    \46\ The TWIC program requires individuals to both hold a TWIC and 
be authorized to be in the secure area by the owner/operator in order 
to gain unescorted access to secure areas of MTSA-regulated facilities 
and vessels.
---------------------------------------------------------------------------
    As confirmed by TWIC program officials, there are ways for an 
unqualified individual to acquire an authentic TWIC. According to TWIC 
program officials, to meet the stated program purpose, TSA's focus in 
designing the TWIC program was on facilitating the issuance of TWICs to 
maritime workers. However, TSA did not assess internal controls prior 
to implementing the program. Further, prior to fielding the program, 
TSA did not conduct a risk assessment of the TWIC program to identify 
program risks and the need for controls to mitigate existing risks and 
weaknesses, as called for by internal control standards. Such an 
assessment could help provide reasonable assurance that control 
weaknesses in one area of the program do not undermine the reliability 
of other program areas or impede the program from meeting mission 
needs. TWIC program officials told us that control weaknesses were not 
addressed prior to initiating the TWIC program because they had not 
previously identified them, or because they would be too costly to 
address. However, officials did not provide documentation to support 
their cost concerns and told us that they did not complete an 
assessment that accounted for whether the program could achieve defined 
mission needs without implementing additional or compensating controls 
to mitigate existing risks, or the risks associated with not correcting 
for existing internal control weaknesses.
    Our investigators conducted covert tests at enrollment center(s) to 
help test the rigor of the TWIC enrollment and background checking 
processes. The investigators fully complied with the enrollment 
application process. They were photographed and fingerprinted, and 
asserted themselves to be U.S.-born citizens.\47\ The investigators 
were successful in obtaining authentic TWIC cards despite going through 
the background-checking process. Not having internal controls designed 
to provide reasonable assurance that the applicant has: (1) been 
positively identified, and (2) met all TWIC eligibility requirements, 
including not posing a security threat to MTSA-regulated facilities and 
vessels, could have contributed to the investigators' successes. 
Specifically, we identified internal control weaknesses in the 
following three areas related to ensuring that only qualified 
applicants are able to obtain a TWIC.
---------------------------------------------------------------------------
    \47\ The details related to the means used by the investors in the 
tests could not be detailed here because they were deemed sensitive 
security information by TSA.
---------------------------------------------------------------------------
    Controls to identify the use of potentially counterfeit identity 
documents are not used to inform background checking processes. As part 
of TWIC program enrollment, a trusted agent is to review identity 
documents for authenticity and use an electronic authentication device 
to assess the likelihood of the document being counterfeit.\48\ 
According to TWIC program officials, the trusted agent's review of TWIC 
applicant identity documents and the assessment provided by the 
electronic authentication device are the two steps intended to serve as 
the primary controls for detecting whether an applicant is presenting 
counterfeit identity documents. Additionally, the electronic device 
used to assess the authenticity of identification credentials renders a 
score on the likelihood of the document being authentic and produces an 
assessment report in support of the score. Assessing whether the 
applicant's credential is authentic is one source of information for 
positively identifying an applicant. Our investigators provided 
counterfeit or fraudulently acquired documents, but they were not 
detected.
---------------------------------------------------------------------------
    \48\ As designed, the TWIC program's enrollment process relies on a 
trusted agent--a contract employee--to collect an applicant's 
identification information. The trusted agent is provided basic 
training on how to detect a fraudulent document. The training, for 
example, consists of checking documents for the presence of a laminate 
that is not peeling, typeset that looks legitimate, and seals on 
certain types of documents.
---------------------------------------------------------------------------
    However, the TWIC program's background checking processes are not 
designed to routinely consider the results of controls in place for 
assessing whether an applicant's identity documents are authentic. For 
example, assessments of document authenticity made by a trusted agent 
or the electronic document authentication device as part of the 
enrollment process are not considered as part of the first-level 
background check. Moreover, TWIC program officials agree that this is a 
program weakness. As of December 1, 2010, approximately 50 percent of 
TWICs were approved after the first-level background check without 
undergoing further review.\49\ As an initial step toward addressing 
this weakness, and in response to our review, TWIC program officials 
told us that since April 17, 2010, the comments provided at enrollment 
by trusted agents have been sent to the Screening Gateway--a TSA system 
for aggregating threat assessment data. However, this change in 
procedure does not correct the internal control weaknesses we 
identified.\50\ Attempts to authenticate copies of documents are 
limited because it is not possible to capture all of the security 
features when copies of the identity documents are recorded, such as 
holograms or color-shifting ink. Using information on the authenticity 
of identity documents captured during enrollment to inform the 
background check could help TSA better assess the reliability and 
authenticity of such documents provided at enrollment.
---------------------------------------------------------------------------
    \49\ Of the 1,697,160 enrollments approved for a TWIC, 852,540 were 
approved using TSA's automated process as part of the first-level 
background check without undergoing further review.
    \50\ Details from this section were removed because the agency 
deemed them sensitive security information.
---------------------------------------------------------------------------
    Controls related to the legal status of self-reported U.S.-born 
citizens or nationals.\51\ The TWIC program does not require that 
applicants claiming to be U.S.-born citizens or nationals provide 
identity documents that demonstrate proof of citizenship, or lawful 
status in the United States. See appendix III for the list of documents 
U.S.-born citizens or nationals must select from and present when 
applying for a TWIC.\52\ For example, an applicant could elect to 
provide one document, such a U.S. passport, which, according to TSA 
officials, serves as proof of U.S. citizenship or proof of nationality. 
However, an applicant could elect to submit documents that do not 
provide proof of citizenship. As of December 1, 2010, nearly 86 percent 
of approved TWIC enrollments were by self-identified United States 
citizens or nationals asserting that they were born in the United 
States or a United States territory.\53\
---------------------------------------------------------------------------
    \51\ National means a citizen of the United States or a noncitizen 
owing permanent allegiance to the United States. In general, U.S.-born 
nationals who are not U.S. citizens at birth are individuals born in an 
outlying possession of the United States. Details from this section 
were removed because the agency deemed them sensitive security 
information.
    \52\ Various identity documents can be provided by U.S.-born 
citizens or nationals when applying for a TWIC. For certain documents, 
such as an unexpired U.S. passport, TSA requires one document as a 
proof of identity. For other documents, such as a Department of 
Transportation Medical Card or United States Military Dependents 
Identification Card, TSA requires that TWIC applicants provide two 
identity documents from a designated list, with one being a government-
issued photo identification.
    \53\ As of December 1, 2010, TSA reported that 1,697,160 TWIC 
enrollments have been approved, of which 1,457,337 were self-identified 
United States citizens or nationals asserting that they were born in 
the United States or in a United States territory.
---------------------------------------------------------------------------
    Verifying a U.S.-born citizen's identity and related lawful status 
can be costly and is a challenge faced by U.S. Government programs such 
as passports.\54\ However, reaching an accurate determination of a TWIC 
applicant's potential security threat in meeting TWIC mission needs is 
dependant on positively identifying the applicant. Given such potential 
cost constraints, consistent with internal control standards, 
identifying alternative mechanisms to positively identify individuals 
to the extent that the benefits exceed the costs and TWIC program 
mission needs are met could enhance TSA's ability to positively 
identify individuals and reduce the likelihood that criminals or 
terrorists could acquire a TWIC fraudulently.
---------------------------------------------------------------------------
    \54\ See GAO, State Department: Significant Vulnerabilities in the 
Passport Issuance Process, GAO-09-681T (Washington, D.C.: May 5, 2009) 
and State Department: Improvements Needed to Strengthen U.S. Passport 
Fraud Detection Efforts, GAO-05-477 (Washington, D.C.: May 20, 2005).
---------------------------------------------------------------------------
    Controls are not in place to determine whether an applicant has a 
need for a TWIC.\55\ Regulations governing the TWIC program security 
threat assessments require applicants to disclose their job description 
and location(s) where they will most likely require unescorted access, 
if known, and the name, telephone number, and address of the 
applicant's current employer(s) if the applicant works for an employer 
that requires a TWIC.\56\ However, TSA enrollment processes do not 
require that this information be provided by applicants. For example, 
when applying for a TWIC, applicants are to certify that they may need 
a TWIC as part of their employment duties. However, the enrollment 
process does not request information on the location where the 
applicant will most likely require unescorted access, and enrollment 
processes include asking the applicant if they would like to provide 
employment information, but informing the applicant that employer 
information is not required.
---------------------------------------------------------------------------
    \55\ TWIC is unlike other federally-sponsored access control 
credentials, such as the Department of Defense's Common Access Card--
the agencywide standard identification card--for which sponsorship by 
an employer is required. For these Federal credentialing programs, 
employer sponsorship begins with the premise that an individual is 
known to need certain access as part of their employment. Further, the 
employing agency is to conduct a background investigation on the 
individual and has access to other personal information, such as prior 
employers, places of residency, and education, which they may confirm 
as part of the employment process and use to establish the individual's 
identity.
    \56\ Implementing regulations at 49 C.F.R.  1572.17 require that 
when applying for or renewing a TWIC, the applicant provide, among 
other information: (1) the reason that the applicant requires a TWIC, 
including, as applicable, the applicant's job description and the 
primary facility, vessel, or maritime port location(s) where the 
applicant will most likely require unescorted access, if known; (2) the 
name, telephone number, and address of the applicant's current 
employer(s) if the applicant works for an employer that requires a 
TWIC; and (3) if the applicant works for an employer that does not 
require possession of a TWIC, does not have a single employer, or is 
self-employed, the primary vessel or port location(s) where the 
applicant requires unescorted access, if known. The regulation states 
that this information is required to establish eligibility for a TWIC 
and that TSA is to review the applicant information as part of the 
intelligence-related check.
---------------------------------------------------------------------------
    While not a problem prior to implementing the TWIC program, 
according to TSA officials, a primary reason for not requiring employer 
information be captured by applicant processes is that many applicants 
do not have employers, and that many employers will not accept 
employment applications from workers who do not already have a TWIC. 
However, TSA could not provide statistics on: (1) how many individuals 
applying for TWICs were unemployed at the time of their application; or 
(2) a reason why the TWIC-related regulation does not prohibit 
employers from denying employment to non-TWIC holders who did not 
previously have a need for a TWIC. Further, according to TSA and Coast 
Guard officials, industry was opposed to having employment information 
verified as part of the application process, as industry 
representatives believed such checks would be too invasive and time-
consuming. TSA officials further told us that confirming this 
information would be too costly.
    We recognize that implementing mechanisms to capture this 
information could be time-consuming and involve additional costs. 
However, collecting information on present employers or operators of 
MTSA-regulated facilities and vessels to be accessed by the applicant, 
to the extent that the benefits exceed the costs and TWIC program 
mission needs are met, could help ensure TWIC program mission needs are 
being met, and serve as a barrier to individuals attempting to acquire 
an authentic TWIC through fraudulent means. Therefore, if TSA 
determines that implementing such mechanisms are, in fact, cost 
prohibitive, identifying and implementing appropriate compensating 
controls could better position TSA to positively identify the TWIC 
applicant. Not taking any action increases the risk that individuals 
could gain unescorted access to secure areas of MTSAregulated 
facilities and vessels.
    As of September 2010, TSA's background checking process had 
identified no instances of nonimmigration-related document or identity 
fraud. This is in part because of previously discussed weaknesses in 
TWIC program controls for positively identifying applicants, and the 
systems and procedures the TWIC program relies on not being designed to 
effectively monitor for such occurrences, in accordance with internal 
control standards. Though not an exhaustive list, through a review of 
Coast Guard reports and publicly available court records, we identified 
five court cases where the court documents indicate that illegal 
immigrants acquired, or in one of the cases sought to acquire, an 
authentic TWIC through fraudulent activity such as providing fraudulent 
identity information and, in at least one of the cases and potentially 
up to four, used the TWIC to access secure areas of MTSA-regulated 
facilities. Four of these cases were a result of, or involved, United 
States Immigration and Customs Enforcement efforts after individuals 
had acquired, or sought to acquire, a TWIC. As of September 2010, the 
program's background checking process identified 18 instances of 
potential fraud out of the approximately 1,676,000 TWIC enrollments. 
These instances all involved some type of fraud related to 
immigration.\57\ The 18 instances of potential fraud were identified 
because the 18 individuals asserted themselves to be non-U.S.- born 
applicants and, unlike processes in place for individuals asserting to 
be U.S.-born citizens, TSA's background checking process includes 
additional controls to validate such individuals' identities. For 
example, TSA requires that at least one of the documents provided by 
such individuals at enrollment show proof of their legal status and 
seeks to validate each non-U.S.-born applicant's identity with the U.S. 
Citizenship and Immigration Services.
---------------------------------------------------------------------------
    \57\ According to TSA, as of September 8, 2010, a total of 18 TWIC 
applicants were issued an Initial Determination of Threat Assessment 
for invalid immigration documents. Upon submission to the U.S. 
Citizenship and Immigration Services, the documentation was reported to 
be altered or counterfeit. Of these 18 instances, only 1 applicant 
submitted additional documentation following an Initial Determination 
of Threat Assessment to challenge TSA's determination. The single 
applicant was subsequently awarded a TWIC.
---------------------------------------------------------------------------
    Internal control standards highlight the need for capturing 
information needed to meet program objectives; ensuring that relevant, 
reliable, and timely information is available for management 
decisionmaking purposes; and providing reasonable assurance that 
compliance with applicable laws and regulations is being achieved.\58\ 
Conducting a control assessment of the TWIC program's processes to 
address existing weaknesses could enhance the TWIC program's ability to 
prevent and detect fraud and positively identify TWIC applicants. Such 
an assessment could better position DHS in strengthening the program to 
ensure it achieves its objectives in controlling access to MTSA-
regulated facilities and vessels.
---------------------------------------------------------------------------
    \58\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
TWIC Program Controls Are Not Designed to Require Adjudicators to 
        Follow a 
        Process with Clear Criteria for Applying Discretionary 
        Authority When 
        Applicants Are Found to Have Extensive Criminal Convictions
    Being convicted of a felony does not automatically disqualify a 
person from being eligible to receive a TWIC; however, prior 
convictions for certain crimes are automatically disqualifying. Threat 
assessment processes for the TWIC program include conducting background 
checks to determine whether each TWIC applicant poses a security 
threat.\59\ Some of these offenses, such as espionage or treason, would 
permanently disqualify an individual from obtaining a TWIC. Other 
offenses, such as murder or the unlawful possession of an explosive 
device, while categorized as permanent disqualifiers, are also eligible 
for a waiver under TSA regulations and might not permanently disqualify 
an individual from obtaining a TWIC if TSA determines upon subsequent 
review that an applicant does not represent a security threat.\60\ 
Table 1 presents examples of disqualifying criminal offenses set out in 
statute and implementing regulations for consideration as part of the 
adjudication process.
---------------------------------------------------------------------------
    \59\ These checks, in general, can include checks for criminal 
history records, immigration status, terrorism databases and 
watchlists, and records indicating an adjudication of a lack of mental 
capacity, among other things. As defined in TSA implementing 
regulations, the term security threat means an individual whom TSA 
determines or suspects of posing a threat to national security; to 
transportation security; or of terrorism. 49 C.F.R.  1570.3.
    \60\ These permanent disqualifying offenses for which no waiver can 
be issued include espionage, sedition, treason, a Federal crime of 
terrorism, or conspiracy to commit any of these offenses.



------------------------------------------------------------------------



    Table 1.--Examples of Disqualifying Offenses for TWIC Eligibility
------------------------------------------------------------------------
       Permanent         Permanent disqualifying   Interim disqualifying
disqualifying offenses    offenses  that can be          offenses c
           a                     waived b
------------------------------------------------------------------------
Espionage               Murder                     Bribery
Sedition                Unlawful possession, use,  Smuggling
Treason                  sale, distribution,       Arson
A federal crime of       manufacture, purchase,    Extortion
terrorism                receipt, transfer,        Robbery
                         shipping, transporting,
                         import, export, storage
                         of, or dealing in an
                         explosive or explosive
                         device
                        A crime involving a
                         transportation security
                         incident
                        Making any threat
                         concerning the
                         deliverance, placement,
                         or detonation of an
                         explosive or other
                         lethal device in or
                         against a place of
                         public use, a state or
                         government facility, a
                         public transportation
                         system, or an
                         infrastructure facility
------------------------------------------------------------------------
Source: GAO analysis of regulations and TSA.
Notes: See appendix IV for a list of all disqualifying offenses.
a Permanent disqualifying offenses are offenses defined in 49 C.F.R.
  1572.103(a) for which no waiver can be granted under 49 C.F.R.
  1515.7(a)(i).
b Permanent disqualifying offenses that can be waived are offenses
  defined in 49 C.F.R. 1572.103(a) for which a waiver can be granted in
  accordance with 49 C.F.R. 1515.7(a)(i). Applicants with certain
  permanent criminal offenses and all interim disqualifying criminal
  offenses may request a waiver of their disqualification. TSA
  regulations provide that in determining whether to grant a waiver, TSA
  will consider: (1) the circumstances of the disqualifying act or
  offense; (2) restitution made by the applicant; (3) any Federal or
  state mitigation remedies; (4) court records or official medical
  release documents indicating that the applicant no longer lacks mental
  capacity; and (5) other factors that indicate the applicant does not
  pose a security threat warranting denial of a hazardous materials
  endorsement or TWIC.
c Interim disqualifying offenses are offenses defined in 49 C.F.R.
  1572.103(b) for which the applicant has either been: (1) convicted, or
  found not guilty by reason of insanity, within a 7-year period
  preceding the TWIC application, or (2) incarcerated for within a 5-
  year period preceding the TWIC application.


    TSA also has the authority to add to or modify the list of interim 
disqualifying crimes. Further, in determining whether an applicant 
poses a security threat, TSA officials stated that adjudicators have 
the discretion to consider the totality of an individual's criminal 
record, including criminal offenses not defined as a permanent or 
interim disqualifying criminal offenses, such as theft or larceny.\61\ 
More specifically, TSA's implementing regulations provide, in part, 
that with respect to threat assessments, TSA may determine that an 
applicant poses a security threat if the search conducted reveals 
extensive foreign or domestic criminal convictions, a conviction for a 
serious crime not listed as a permanent or interim disqualifying 
offense, or a period of foreign or domestic imprisonment that exceeds 
365 consecutive days. Thus, if a person was convicted of multiple 
crimes, even if each of the crimes were not in and of themselves 
disqualifying, the number and type of convictions could be 
disqualifying.
---------------------------------------------------------------------------
    \61\ The U.S. government's Adjudicative Desk Reference, used in 
adjudicating security clearances, states that multiple criminal 
offenses indicate intentional continuing behavior that raises serious 
questions about a person's trustworthiness and judgment.
---------------------------------------------------------------------------
    Although TSA has the discretion and authority to consider criminal 
offenses not defined as a disqualifying offense, such as larceny and 
theft, and periods of imprisonment, TSA has not developed a definition 
for what extensive foreign or domestic criminal convictions means, or 
developed guidance to ensure that adjudicators apply this authority 
consistently in assessing the totality of an individual's criminal 
record. For example, TSA has not developed guidance or benchmarks for 
adjudicators to consistently apply when reviewing TWIC applicants with 
extensive criminal convictions but no disqualifying offense. This is 
particularly important given TSA's reasoning for including this 
authority in TWICrelated regulation. Specifically, TSA noted that it 
understands that the flexibility this language provides must be used 
cautiously and on the basis of compelling information that can 
withstand judicial review. They further noted that the decision to 
determine whether an applicant poses a threat under this authority is 
largely a subjective judgment based on many facts and circumstances.
    While TSA does not track metrics on the number of TWICs provided to 
applicants with specific criminal offenses not defined as disqualifying 
offenses, as of September 8, 2010, the agency reported 460,786 cases 
where the applicant was approved, but had a criminal record based on 
the results from the FBI. This represents approximately 27 percent of 
individuals approved for a TWIC at the time. In each of these cases, 
the applicant had either a criminal offense not defined as a 
disqualifying offense or an interim disqualifying offense that was no 
longer a disqualification based on conviction date or the applicant's 
release date from incarceration. Consequently, based on TSA's 
background checking procedures, all of these cases would have been 
reviewed by an adjudicator for consideration as part of the second-
level background check because derogatory information had been 
identified. As such, each of these cases had to be examined and a 
judgment had to be made as to whether to deny an applicant a TWIC based 
on the totality of the offenses contained in each applicant's criminal 
report.
    While there were 460,786 cases where the applicant was approved, 
but had a criminal record, TSA reports to have taken steps to deny 1 
TWIC applicant under this authority. However, in the absence of 
guidance for the application of this authority, it is not clear how TSA 
applied this authority in approving the 460,786 applications and 
denying the 1. Internal control standards call for controls and other 
significant events to be clearly documented in directives, policies, or 
manuals to help ensure operations are carried out as intended.
    According to TSA officials, the agency has not implemented guidance 
for adjudicators to follow on how to apply this discretion in a 
consistent manner because they are confident that the adjudicators 
would, based on their own judgment, identify all applicants where the 
authority to deny a TWIC based on the totality of all offenses should 
be applied. However, in the absence of criteria, we were unable to 
analyze or compare how the approximately 30 adjudicators who are 
assigned to the TWIC program at any given time made determinations 
about TWIC applicants with extensive criminal histories. Given that 27 
percent of TWIC holders have been convicted of at least one 
nondisqualifying offense, defining what extensive criminal convictions 
means and developing guidance or criteria for how adjudicators should 
apply this discretionary authority could help provide TSA with 
reasonable assurance that applications are consistently adjudicated. 
Defining terms and developing guidance is consistent with internal 
control standards.
TWIC Program Controls Are Not Designed to Provide Reasonable Assurance 
        That TWIC Holders Have Maintained Their Eligibility Once Issued 
        TWICs
    DHS's defined mission needs for TWIC include identifying 
individuals who fail to maintain their eligibility requirements once 
issued a TWIC, and immediately revoking the individual's card 
privileges. Pursuant to TWICrelated regulations, an individual may be 
disqualified from holding a TWIC and be required to surrender the TWIC 
to TSA for failing to meet certain eligibility criteria related to, for 
example, terrorism, crime, and immigration status. However, weaknesses 
exist in the design of the TWIC program's internal controls for 
identifying individuals who fail to maintain their eligibility that 
make it difficult for TSA to provide reasonable assurance that TWIC 
holders continue to meet all eligibility requirements.
    Controls are not designed to determine whether TWIC holders have 
committed disqualifying crimes at the Federal or state level after 
being granted a TWIC. TSA conducts a name-based check of TWIC holders 
against Federal wants \62\ and warrants on an ongoing basis. According 
to FBI and TSA officials, policy and statutory provisions hamper the 
program from running the broader FBI fingerprint-based check using the 
fingerprints collected at enrollment on an ongoing basis. More 
specifically, because the TWIC background check is considered to be for 
a noncriminal justice purpose,\63\ to conduct an additional 
fingerprint-based check as part of an ongoing TWIC background check, 
TSA would have to collect a new set of fingerprints from the TWIC-
holder,\64\ if the prints are more than 1 year old, and submit those 
prints to the FBI each time they want to assess the TWIC-holder's 
criminal history. According to TSA officials, it would be cost 
prohibitive to run the fingerprint-based check on an ongoing basis, as 
TSA would have to pay the FBI $17.25 per check.
---------------------------------------------------------------------------
    \62\ Federal wants generally consist of information on wanted 
persons, or individuals, for whom Federal warrants are outstanding.
    \63\ Under the National Crime Prevention and Privacy Compact Act of 
1998 (Pub. L. No. 105- 251, 112 Stat. 1870, 1874 (1998) (codified as 
amended at 42 U.S.C.  14601-14616)), which established an 
infrastructure by which states and other specified parties can exchange 
criminal records for noncriminal justice purposes authorized under 
Federal or state law, the term noncriminal justice purposes means uses 
of criminal history records for purposes authorized by Federal or state 
law other than purposes relating to criminal justice activities, 
including employment suitability, licensing determinations, immigration 
and naturalization matters, and national security clearances.
    \64\ Under the 1998 Act, subject fingerprints or other approved 
forms of positive identification must be submitted with all requests 
for criminal history record checks for noncriminal justice purposes.
---------------------------------------------------------------------------
    Although existing policies may hamper TSA's ability to check FBI-
held fingerprint-based criminal history records for the TWIC program, 
TSA has not explored alternatives for addressing this weakness, such as 
informing facility and port operators of this weakness and identifying 
solutions for leveraging existing state criminal history information, 
where available. For instance, state maritime organizations may have 
other mechanisms at their disposal for helping to identify TWIC-holders 
who may no longer meet TWIC qualification requirements. Specifically, 
laws governing the maritime environment in New York and New Jersey 
provide for credentialing authorities being notified if licensed or 
registered longshoremen have been arrested. Further, other governing 
entities, such as the State of Florida and the Alabama State Port 
Authority, have access to state-based criminal records checks. While 
TSA may not have direct access to criminal history records, TSA could 
compensate for this control weakness, for example, by leveraging 
existing mechanisms available to maritime stakeholders across the 
country to better ensure that only qualified individuals retain TWICs.
    Controls are not designed to provide reasonable assurance that TWIC 
holders continue to meet immigration status eligibility requirements. 
If a TWIC holder's stated period of legal presence in the United States 
is about to expire or has expired, the TWIC program does not request or 
require proof from TWIC holders to show that they continue to maintain 
legal presence in the United States. Additionally, although they have 
the regulatory authority to do so, the program does not issue TWICs for 
a term less than 5 years to match the expiration of a visa. Instead, 
TSA relies on: (1) TWIC holders to self-report if they no longer have 
legal presence in the country, and (2) employers to report if a worker 
is no longer legally present in the country.\65\ As we have previously 
reported, government programs for granting benefits to individuals face 
challenges in confirming an individual's immigration status.\66\ TWIC 
program officials stated that the program uses a United States 
Citizenship and Immigration Services system during the background 
checking process prior to issuing a TWIC as a method for confirming the 
legal status of non-U.S. citizens.\67\ TSA has not, however, consistent 
with internal control standards, implemented alternative controls to 
compensate for this limitation and provide reasonable assurance that 
TWIC holders remain eligible. For instance, the TWIC program has not 
compensated for this limitation by: (1) using its authority to issue 
TWICs with shorter expiration dates to correspond with each 
individual's legal presence, or (2) updating the TWIC system to 
systematically suspend TWIC privileges for individuals who no longer 
meet immigration eligibility requirements until they can provide 
evidence of continued legal presence.\68\
---------------------------------------------------------------------------
    \65\ TWIC-related regulations provide, for example, that 
individuals disqualified from holding a TWIC for immigration status 
reasons must surrender the TWIC to TSA. In addition, the regulations 
provide that TWICs are deemed to have expired when the status of 
certain lawful nonimmigrants with a restricted authorization to work in 
the United States (e.g., H-1B1 Free Trade Agreement) expires, the 
employer terminates the employment relationship with such an applicant, 
or such applicant otherwise ceases working for the employer, regardless 
of the date on the face of the TWIC. Upon the expiration of such 
nonimmigrant status for an individual who has a restricted 
authorization to work in the United States, the employer and employee 
both have related responsibilities--the employee is required to 
surrender the TWIC to the employer, and the employer is required to 
retrieve the TWIC and provide it to TSA. According to TSA officials, 
the TWIC program could not provide a count of the total number of TWIC 
holders whose employers reported that the TWIC holders no longer have 
legal status, as they do not track this information.
    \66\ See, for example, GAO, EmploymentVerification: Federal 
Agencies Have Taken Steps to Improve E-Verify, but Significant 
Challenges Remain, GAO-11-146 (Washington, D.C.: Dec. 17, 2010), and 
Immigration Enforcement: Weaknesses Hinder Employment Verification and 
Worksite Enforcement Efforts, GAO-05-813 (Washington, D.C.: Aug. 31, 
2005).
    \67\ Details from this section were removed because the agency 
deemed them sensitive security information.
    \68\ The TWIC program accepts various documents, such as visas, 
Interim Employment Authorizations, and form I-94 Arrival and Departure 
Records, as evidence of legal presence in the United States.
---------------------------------------------------------------------------
    TWIC program officials stated that implementing these compensating 
measures would be too costly, but they have not conducted an assessment 
to identify the costs of implementing these controls, or determined if 
the benefits of mitigating related security risks would outweigh those 
costs, consistent with internal control standards. Not implementing 
such measures could result in a continued risk of individuals no longer 
meeting TWIC legal presence requirements continuing to hold a federally 
issued identity document and gaining unescorted access to secure areas 
of MTSAregulated facilities and vessels.\69\ Thus, implementing 
compensating measures, to the extent that the benefits outweigh the 
costs and meet the program's defined mission needs, could provide TSA, 
the Coast Guard, and MTSA-regulated stakeholders with reasonable 
assurance that each TWIC holder continues to meet TWIC-related 
eligibility requirements.
---------------------------------------------------------------------------
    \69\ TWIC is a federally issued identity document that can be used 
as proof of identity for nonmaritime activities, such as boarding 
airplanes at United States airports and certain Department of Defense 
facilities in accordance with Department of Defense policy, Directive-
Type Memorandum (DTM) 09-012, ``Interim Policy Guidance for DOD 
Physical Access Control,'' dated December 8, 2009.
---------------------------------------------------------------------------
Internal Control Weaknesses in TWIC Enrollment, Background Checking, 
        and Use Could Have Contributed to Breach of MTSA-Regulated 
        Ports
    As of January 7, 2011, the Coast Guard reports that it has 
identified 11 known attempts to circumvent TWIC requirements for 
gaining unescorted access to MTSA-regulated areas by presenting 
counterfeit TWICs. The Coast Guard further reports to have identified 4 
instances of individuals presenting another person's TWIC as their own 
in attempts to gain access. Further, our investigators conducted covert 
tests to assess the use of TWIC as a means for controlling access to 
secure areas of MTSA-regulated facilities. During covert tests of TWIC 
at several selected ports, our investigators were successful in 
accessing ports using counterfeit TWICs, authentic TWICs acquired 
through fraudulent means, and false business cases (i.e., reasons for 
requesting access).\70\ Our investigators did not gain unescorted 
access to a port where a secondary port specific identification was 
required in addition to the TWIC.
---------------------------------------------------------------------------
    \70\ Existing vulnerabilities with TWIC to date have included, for 
example, problems with deteriorating TWIC card security features. Cards 
fading and delaminating have been reported by stakeholders across the 
country from places such as New York, Virginia, Texas, and California, 
with a range of climate conditions. According to stakeholders, these 
problems make it difficult for security guards to distinguish an 
authentic TWIC that is faded from a fraudulent TWIC. TSA and the Coast 
Guard have also received reports of problems with the card's chip or 
antenna connection not working from locations where TWICs are being 
used with readers. The total number of damaged TWICs with a damaged 
chip or antenna is unknown because TWICs are not required to be used 
with readers.
---------------------------------------------------------------------------
    In response to our covert tests, TSA and Coast Guard officials 
stated that, while a TWIC card is required for gaining unescorted 
access to secure areas of a MTSA-regulated facility, the card alone is 
not sufficient. These officials stated that the cardholder is also 
required to present a business case, which security officials at 
facilities must consider as part of granting the individual access. In 
addition, according to DHS's Screening Coordination Office, a 
credential is only one layer of a multilayer process to increase 
security. Other layers of security might include onsite law 
enforcement, security personnel, cameras, locked doors and windows, 
alarm systems, gates, and turnstiles. Thus, a weakness in the 
implementation of TWIC will not guarantee access to the secure areas of 
a MTSA-regulated port or facility.
    However, as our covert tests demonstrated, having an authentic TWIC 
and a legitimate business case were not always required in practice. 
The investigators' possession of TWIC cards provided them with the 
appearance of legitimacy and facilitated their unescorted entry into 
secure areas of MTSA-regulated facilities and ports at multiple 
locations across the country. If individuals are able to acquire 
authentic TWICs fraudulently, verifying the authenticity of these cards 
with a biometric reader will not reduce the risk of undesired 
individuals gaining unescorted access to the secure areas of MTSA-
regulated facilities and vessels.
    Given existing internal control weaknesses, conducting a control 
assessment of the TWIC program's processes to address existing 
weaknesses could enhance the TWIC program's ability to prevent and 
detect fraud and positively identify TWIC applicants. Such an 
assessment could better position DHS in strengthening the program to 
ensure it achieves its objectives in controlling unescorted access to 
MTSA-regulated facilities and vessels. It could also help DHS identify 
and implement the minimum controls needed to: (1) positively identify 
individuals, (2) provide reasonable assurance that control weaknesses 
in one area of the program would not undermine the reliability of other 
program areas or impede the program from meeting mission needs, and (3) 
provide reasonable assurance that the threat assessments are based on 
complete and accurate information. Such actions would be consistent 
with internal control standards, which highlight the need for capturing 
information needed to meet program objectives; determining that 
relevant, reliable, and timely information is available for management 
decision-making purposes; and designing internal controls to provide 
reasonable assurance that compliance with applicable laws and 
regulations is being achieved, as part of implementing effective 
controls. Moreover, our prior work on internal controls has shown that 
management should design and implement internal controls based on the 
related costs and benefits and continually assess and evaluate its 
internal controls to assure that the controls being used are effective 
and updated when necessary.\71\
---------------------------------------------------------------------------
    \71\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
TWIC's Effectiveness at Enhancing Security Has Not BeenAssessed, and 
        the Coast Guard Lacks the Ability to Assess Trends in TWIC 
        Compliance
    The TWIC program is intended to improve maritime security by using 
a federally sponsored credential to enhance access controls to secure 
areas at MTSA-regulated facilities and vessels, but DHS has not 
assessed the program's effectiveness at enhancing security. In 
addition, Coast Guard's approach for monitoring and enforcing TWIC 
compliance nationwide could be improved by enhancing its collection and 
assessment of related maritime security information. For example, the 
Coast Guard tracks TWIC program compliance, but the processes involved 
in the collection, cataloguing, and querying of information cannot be 
relied on to produce the management information needed to assess trends 
in compliance with the TWIC program or associated vulnerabilities.
TWIC Has Not Been Assessed to Measure Effectiveness at Enhancing 
        Security
    DHS asserted in its 2009 and 2010 budget submissions that the 
absence of the TWIC program would leave America's critical maritime 
port facilities vulnerable to terrorist activities.\72\ However, to 
date, DHS has not assessed the effectiveness of TWIC at enhancing 
security or reducing risk for MTSA-regulated facilities and vessels. 
Such assessments are consistent with DHS's National Infrastructure 
Protection Plan, which recognizes that metrics and other evaluation 
procedures should be used to measure progress and assess the 
effectiveness of programs designed to protect key assets.\73\ Further, 
DHS has not demonstrated that TWIC, as currently implemented and 
planned with readers, is more effective than prior approaches used to 
limit access to ports and facilities, such as using facility specific 
identity credentials with business cases. According to TSA and Coast 
Guard officials, because the program was mandated by Congress as part 
of MTSA, DHS did not conduct a risk assessment to identify and mitigate 
program risks prior to implementation. Further, according to these 
officials, neither the Coast Guard nor TSA analyzed the potential 
effectiveness of TWIC in reducing or mitigating security risk--either 
before or after implementation--because they were not required to do so 
by Congress. Rather, DHS assumed that the TWIC program's enrollment and 
background checking procedures were effective and would not allow 
unqualified individuals to acquire and retain authentic TWICs.
---------------------------------------------------------------------------
    \72\ See DHS, DHS Exhibit 300 Public Release BY10/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington, 
D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Release BY09/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington, 
D.C.: July 27, 2007).
    \73\ DHS, National Infrastructure Protection Plan: Partnering to 
Enhance Protection and Resiliency (Washington, D.C.: 2009). The NIPP, 
first issued in June 2006 by DHS, established a six-step risk 
management framework to establish national priorities, goals, and 
requirements for Critical Infrastructure and Key Resources (CIKR) 
protection so that Federal funding and resources are applied in the 
most effective manner to deter threats, reduce vulnerabilities, and 
minimize the consequences of attacks and other incidents. The NIPP 
states that comprehensive risk assessments are necessary for 
determining which assets or systems face the highest risk, for 
prioritizing risk mitigation efforts and the allocation of resources, 
and for effectively measuring how security programs reduce risks.
---------------------------------------------------------------------------
    The internal control weaknesses that we discuss earlier in the 
report, as well as the results of our covert tests of TWIC use, raise 
questions about the effectiveness of the TWIC program. According to the 
Coast Guard official responsible for conducting assessments of maritime 
risk, it may now be possible to assess TWIC effectiveness and the 
extent to which, or if, TWIC use could enhance security using current 
Maritime Security Risk Analysis Model (MSRAM) data. Since MSRAM's 
deployment in 2005, the Coast Guard has used its MSRAM to help inform 
decisions on how to best secure our nation's ports and how to best 
allocate limited resources to reduce terrorist risks in the maritime 
environment.\74\ Moreover, as we have previously reported, Congress 
also needs information on whether and in what respects a program is 
working well or poorly to support its oversight of agencies and their 
budgets, and agencies' stakeholders need performance information to 
accurately judge program effectiveness.\75\ Conducting an effectiveness 
assessment that evaluates whether use of TWIC in its present form and 
planned use with readers would enhance the posture of security beyond 
efforts already in place given costs and program risks could better 
position DHS and policymakers in determining the impact of TWIC on 
enhancing maritime security.
---------------------------------------------------------------------------
    \74\ The Coast Guard uses MSRAM to assess risk for various types of 
vessels and port infrastructure in accordance with the guidance on 
assessing risk from DHS's National Infrastructure Protection Plan 
(NIPP). The Coast Guard uses the analysis tool to help implement its 
strategy and concentrate maritime security activities when and where 
relative risk is believed to be the greatest. The model assesses the 
risk--threats, vulnerabilities, and consequences--of a terrorist attack 
based on different scenarios; that is, it combines potential targets 
with different means of attack, as recommended by the risk assessment 
aspect of the NIPP. Also in accordance with the NIPP, the model is 
designed to support decisionmaking for the Coast Guard. At the national 
level, the model's results are used, among other things, for 
identifying capabilities needed to combat future terrorist threats.
    \75\ GAO, Executive Guide: Effectively Implementing the Government 
Performance and Results Act, GAO/GGD-96-118 (Washington, D.C.: June 
1996).
---------------------------------------------------------------------------
    Further, pursuant to Executive Branch requirements, prior to 
issuing a new regulation, agencies are to conduct a regulatory 
analysis, which is to include an assessment of costs, benefits, and 
associated risks.\76\ Prior to issuing the regulation on implementing 
the use of TWIC as a flashpass, DHS conducted a regulatory analysis, 
which asserted that TWIC would increase security. The analysis included 
an evaluation of the costs and benefits related to implementing TWIC. 
However, DHS did not conduct a risk-informed cost-benefit analysis that 
considered existing security risks. For example, the analysis did not 
account for the costs and security risks associated with designing 
program controls to prevent an individual from acquiring an authentic 
TWIC using a fraudulent identity and limiting access to secure areas of 
MTSA-regulated facilities and vessels to those with a legitimate need, 
in accordance with stated mission needs. As a proposed regulation on 
the use of TWIC with biometric card readers is under development, DHS 
is to issue a new regulatory analysis. Conducting a regulatory analysis 
using the information from the internal control and effectiveness 
assessments as the basis for evaluating the costs, benefits, security 
risks, and needed corrective actions could better inform and enhance 
the reliability of the new regulatory analysis. Moreover, these actions 
could help DHS identify and assess the full costs and benefits of 
implementing the TWIC program in a manner that will meet stated mission 
needs and mitigate existing security risks, and help ensure that the 
TWIC program is more effective and cost-efficient than existing 
measures or alternatives at enhancing maritime security.
---------------------------------------------------------------------------
    \76\ Office of Management and Budget, Circular A-4, Regulatory 
Analysis (Revised Sept. 17, 2003) provides guidance to Federal agencies 
on the development of regulatory analysis as required by Executive 
Order 12866 of September 30, 1993, as amended by Executive Order 13258 
of February 26, 2002, and Executive Order 13422 of January 18, 2007, 
``Regulatory Planning and Review.'' According to Executive Order 12866, 
agencies should adhere to certain specified principles, such as: (1) 
with respect to setting regulatory priorities, each agency shall 
consider, to the extent reasonable, the degree and nature of the risks 
posed by various substances or activities within its jurisdiction, and 
(2) each agency shall base its decisions on the best reasonably 
obtainable scientific, technical, economic, and other information 
concerning the need for, and consequences of, the intended regulation. 
According to Circular A-4, a regulatory analysis should include the 
following three basic elements: (1) a statement of the need for the 
proposed action, (2) an examination of alternative approaches, and (3) 
an evaluation of the benefits and costs--quantitative and qualitative--
of the proposed action and the main alternatives identified by the 
action. The evaluation of benefits and costs is to be informed by a 
risk assessment.
---------------------------------------------------------------------------
Coast Guard's Approach for Monitoring and Enforcing TWIC Compliance 
        Could Be Improved by Enhancing Its Collection and Assessment of 
        Maritime Security 
        Information
    Internal control standards state that: (1) internal controls should 
be designed to ensure that ongoing monitoring occurs in the course of 
normal operations, and (2) information should be communicated in a form 
and within a time-frame that enables management to carry out its 
internal control responsibilities.\77\ Further, our prior work has 
stated that Congress also needs information on whether and in what 
respects a program is working well or poorly to support its oversight 
of agencies and their budgets, and agencies' stakeholders need 
performance information to accurately judge program effectiveness.\78\ 
The Coast Guard uses its Marine Information for Safety and Law 
Enforcement (MISLE) database to meet these needs by recording 
activities related to MTSA-regulated facility and vessel oversight, 
including observations of TWIC-related deficiencies.\79\ The purpose of 
MISLE is to provide the capability to collect, maintain, and retrieve 
information necessary for the administration, management, and 
documentation of Coast Guard activities. In February 2008, we reported 
that flaws in the data in MISLE limit the Coast Guard's ability to 
accurately portray and appropriately target oversight activities.\80\
---------------------------------------------------------------------------
    \77\ See GAO/AIMD-00-21.3.1.
    \78\ See GAO/GGD-96-118.
    \79\ MISLE began operating in December 2001 and is the Coast 
Guard's primary data system for documenting facility oversight and 
other activities.
    \80\ We recommended that, among other things, the Coast Guard 
assess MISLE compliance data, including the completeness of the data, 
data entry, consistency, and data field problems, and make any changes 
needed to more effectively use MISLE data. DHS concurred with this 
recommendation. The Coast Guard acknowledged the need for improvement 
in MISLE compliance data and has taken initial steps to reduce some of 
the database concerns identified in our previous work. However, as of 
January 2011, the recommendation has not been fully addressed. See GAO, 
Maritime Security: Coast Guard Inspections Identify and Correct 
Facility Deficiencies, but More Analysis Needed of Program's Staffing, 
Practices, and Data, GAO-08-12 (Washington, D.C.: Feb. 14, 2008).
---------------------------------------------------------------------------
    In accordance with Coast Guard policy, Coast Guard inspectors are 
required to verify TWIC cards during annual compliance exams and 
security spot checks, and may do so in the course of other Coast Guard 
duties. As part of each inspection, Coast Guard inspectors are, among 
other things, to: (1) ensure that the card is authentic by examining it 
to visually verify that it has not been tampered with; (2) verify 
identity by comparing the photograph on the card with the TWIC holder 
to ensure a match; (3) check the card's physical security features; and 
(4) ensure the TWIC is valid--a check of the card's expiration date. 
Additionally, Coast Guard inspectors are to assess the proficiency of 
facility and vessel security personnel in complying with TWIC 
requirements through various means including oral examination, actual 
observation, and record review. Coast Guard inspectors randomly select 
workers to check their TWICs during inspections. The number of TWIC 
cards checked is left to the discretion of the inspectors.
    As of December 17, 2010, according to Coast Guard data, 2,135 
facilities have undergone at least 2 MTSA inspections as part of annual 
compliance exams and spot checks. In reviewing the Coast Guard's 
records of TWICrelated enforcement actions, we found that, in addition 
to verifying the number of inspections conducted, the Coast Guard is 
generally positioned to verify that TWIC cards are being checked by 
Coast Guard inspectors and, of the card checks that are recorded, the 
number of cardholders who are compliant and noncompliant. For instance, 
the Coast Guard reported inspecting 129,464 TWIC holders' cards from 
May 2009 through January 6, 2011. The Coast Guard reported that 124,203 
of the TWIC holders, or 96 percent, were found to be compliant--
possessed a valid TWIC.\81\ However, according to Coast Guard 
officials, local Coast Guard inspectors may not always or consistently 
record all inspection attempts. Consequently, while Coast Guard 
officials told us that inspectors verify TWICs as part of all security 
inspections, the Coast Guard could not reliably provide the number of 
TWICs checked during each inspection.
---------------------------------------------------------------------------
    \81\ These numbers represent a combination of visual and electronic 
verifications because the TWIC verification window in MISLE is not 
currently designed to capture whether cards are verified visually or 
electronically. According to Coast Guard officials, with the recent 
deployment of handheld readers to Coast Guard units, the Coast Guard is 
in the process of enhancing MISLE to include the ability to distinguish 
between the number of visual inspections of cards and the number of 
verifications conducted using the handheld readers.
---------------------------------------------------------------------------
    Since the national compliance deadline in April 2009 requiring TWIC 
use at MTSA-regulated facilities and vessels, the Coast Guard has not 
identified major concerns with TWIC implementation nationally. However, 
while the Coast Guard uses MISLE to track program compliance, because 
of limitations in the MISLE system design, the processes involved in 
the collection, cataloguing, and querying of information cannot be 
relied upon to produce the management information needed to assess 
trends in compliance with the TWIC program or associated 
vulnerabilities. For instance, when inspectors document a TWIC card 
verification check, the system is set up to record the number of TWICs 
reviewed for different types of workers and whether the TWIC holders 
are compliant or noncompliant. However, other details on TWIC-related 
deficiencies, such as failure to ensure that all facility personnel 
with security duties are familiar with all relevant aspects of the TWIC 
program and how to carry them out, are not recorded in the system in a 
form that allows inspectors or other Coast Guard officials to easily 
and systematically identify that a deficiency was related to TWIC. For 
example, from January 2009 through December 2010, the Coast Guard 
reported issuing 145 enforcement actions as a result of annual 
compliance exams or security spot checks at the 2,135 facilities that 
have undergone the inspections.\82\ These included 57 letters of 
warning, 40 notices of violation, 32 civil penalties, and 16 operations 
controls (suspension or restriction of operations). However, it would 
be labor-intensive for the Coast Guard to identify how many of the 57 
letters of warning or 40 notices of violation were TWIC related, 
according to a Coast Guard official responsible for TWIC compliance, 
because there is not an existing query designed to extract this 
information from the system. Someone would have to manually review each 
of the 97 inspection reports in the database indicating either a letter 
of warning or a notice of violation to verify whether or not the 
deficiencies were TWIC related. As such, the MISLE system is not 
designed to readily provide information that could help management 
measure and assess the overall level of compliance with the TWIC 
program or existing vulnerabilities.
---------------------------------------------------------------------------
    \82\ According to the Coast Guard, 2,509 facilities are subject to 
MTSA and must actively implement TWIC provisions.
---------------------------------------------------------------------------
    According to a Coast Guard official responsible for TWIC 
compliance, Coast Guard headquarters staff has not conducted a trend 
analysis of the deficiencies found during reviews and inspections and 
there are no other analyses they planned to conduct regarding 
enforcement until after readers are required to be used. According to 
the Coast Guard, it can generally identify the number of TWICs checked 
and recorded in the MISLE system. However, it cannot perform trend 
analysis of the deficiencies as it would like to do, as it requires 
additional information. In the interim, as of January 7, 2011, the 
Coast Guard reported deploying 164 handheld biometric readers 
nationally to units responsible for conducting inspections.\83\ These 
handheld readers are intended to be the Coast Guard's primary means of 
TWIC verification. During inspections, Coast Guard inspectors use the 
card readers to electronically check TWICs in three ways: (1) 
verification--a biometric one-to-one match of the fingerprint; (2) 
authentication--electronically confirming that the certificates on the 
credential are authentic; and (3) validation--electronically check the 
card against the ``hotlist'' of invalid or revoked cards. The Coast 
Guard believes that the use of these readers during inspections will 
greatly improve the effectiveness of enforcement efforts and enhance 
record keeping through the use of the readers' logs.
---------------------------------------------------------------------------
    \83\ The Coast Guard estimated a need for 300 handheld biometric 
readers, based on an estimate of 5 readers for each of the Coast 
Guard's major field inspections units across the country.
---------------------------------------------------------------------------
    As a result of limitations in MISLE design and the collection and 
recording of inspection data, it will be difficult for the Coast Guard 
to identify trends nationwide in TWIC-related compliance, such as 
whether particular types of facilities or a particular region of the 
country have greater levels of noncompliance, on an ongoing basis. 
Coast Guard officials acknowledged these deficiencies and reported that 
they are in the process of making enhancements to the MISLE database 
and plan to distribute updated guidance on how to collect and input 
information into MISLE to the Captains of the Port. However, as of 
January 2011, the Coast Guard had not yet set a date for implementing 
these changes. Further, while this is a good first step, these 
enhancements do not address weaknesses related to the collection 
process and querying of MISLE information so as to facilitate the Coast 
Guard performing trend analysis of the deficiencies as part of its 
compliance reviews. By designing and implementing a cost-effective and 
practical method for collecting, cataloging, and querying TWIC-related 
compliance information, the Coast Guard could be better positioned to 
identify and assess TWIC-related compliance and enforcement trends, and 
to obtain management information needed to assess and understand 
existing vulnerabilities with the use of TWIC.
Conclusions
    As the TWIC program continues on the path to full implementation--
with potentially billions of dollars needed to install TWIC card 
readers in thousands of the Nation's ports, facilities, and vessels at 
stake--it is important that Congress, program officials, and maritime 
industry stakeholders fully understand the program's potential benefits 
and vulnerabilities, as well as the likely costs of addressing these 
potential vulnerabilities. Identified internal control weaknesses and 
vulnerabilities include weaknesses in controls related to preventing 
and detecting identity fraud, assessing the security threat that 
individuals with extensive criminal histories pose prior to issuing a 
TWIC, and ensuring that TWIC holders continue to meet program 
eligibility requirements. Thus, conducting an internal control 
assessment of the program by analyzing controls, identifying related 
weaknesses and risks, and determining cost-effective actions to correct 
or compensate for these weaknesses could better position DHS to provide 
reasonable assurance that control weaknesses do not impede the program 
from meeting mission needs.
    In addition, conducting an effectiveness assessment could help 
provide reasonable assurance that the use of TWIC enhances the posture 
of security beyond efforts already in place or identify the extent to 
which TWIC may possibly introduce security vulnerabilities because of 
the way it has been designed and implemented. This assessment, along 
with the internal controls assessment, could be used to enhance the 
regulatory analysis to be conducted as part of implementing a 
regulation on the use of TWIC with readers. More specifically, 
considering identified security risks and needed corrective actions as 
part of the regulatory analysis could provide insights on the full 
costs and benefits of implementing the TWIC program in a manner that 
will meet stated mission needs and mitigate existing security risks. 
This is important because, unlike prior access control approaches which 
allowed access to a specific facility, the TWIC potentially facilitates 
access to thousands of facilities once the Federal Government attests 
that the TWIC holder has been positively identified and is deemed not 
to be a security threat. Further, doing so as part of the regulatory 
analysis could better assure DHS, Congress, and maritime stakeholders 
that TWIC program security objectives will be met. Finally, by 
designing and implementing a cost-effective and practical method for 
collecting, cataloging, and querying TWIC-related compliance 
information, the Coast Guard could be better positioned to identify 
trends and to obtain management information needed to assess and 
understand existing vulnerabilities with the use of TWIC.
Recommendations for Executive Action
    To identify effective and cost-efficient methods for meeting TWIC 
program objectives, and assist in determining whether the benefits of 
continuing to implement and operate the TWIC program in its present 
form and planned use with readers surpass the costs, we recommend that 
the Secretary of Homeland Security take the following four actions:

   Perform an internal control assessment of the TWIC program 
        by: (1) analyzing existing controls, (2) identifying related 
        weaknesses and risks, and (3) determining cost-effective 
        actions needed to correct or compensate for those weaknesses so 
        that reasonable assurance of meeting TWIC program objectives 
        can be achieved. This assessment should consider weaknesses we 
        identified in this report among other things, and include:

     strengthening the TWIC program's controls for preventing 
            and detecting identity fraud, such as requiring certain 
            biographic information from applicants and confirming the 
            information to the extent needed to positively identify the 
            individual, or implementing alternative mechanisms to 
            positively identify individuals;

     defining the term extensive criminal history for use in 
            the adjudication process and ensuring that adjudicators 
            follow a clearly defined and consistently applied process, 
            with clear criteria, in considering the approval or denial 
            of a TWIC for individuals with extensive criminal 
            convictions not defined as permanent or interim 
            disqualifying offenses; and

     identifying mechanisms for detecting whether TWIC holders 
            continue to meet TWIC disqualifying criminal offense and 
            immigration-related eligibility requirements after TWIC 
            issuance to prevent unqualified individuals from retaining 
            and using authentic TWICs.

   Conduct an effectiveness assessment that includes addressing 
        internal control weaknesses and, at a minimum, evaluates 
        whether use of TWIC in its present form and planned use with 
        readers would enhance the posture of security beyond efforts 
        already in place given costs and program risks.

   Use the information from the internal control and 
        effectiveness assessments as the basis for evaluating the 
        costs, benefits, security risks, and corrective actions needed 
        to implement the TWIC program in a manner that will meet stated 
        mission needs and mitigate existing security risks as part of 
        conducting the regulatory analysis on implementing a new 
        regulation on the use of TWIC with biometric card readers.

   Direct the Commandant of the Coast Guard to design effective 
        methods for collecting, cataloguing, and querying TWIC-related 
        compliance issues to provide the Coast Guard with the 
        enforcement information needed to assess trends in compliance 
        with the TWIC program and identify associated vulnerabilities.
Agency Comments and Our Evaluation
    We provided a draft of the sensitive version of this report to the 
Secretary of Homeland Security for review and comment on March 18, 
2011. DHS provided written comments on behalf of the Department, the 
Transportation Security Administration, and the United States Coast 
Guard, which are reprinted in full in appendix IV. In commenting on our 
report, DHS stated that it concurred with our four recommendations and 
identified actions planned or under way to implement them.
    While DHS did not take issue with the results of our work, DHS did 
provide new details in its response that merit additional discussion. 
First, DHS noted that it is working to strengthen controls around 
applicant identity verification in TWIC, but that document fraud is a 
vulnerability to credential-issuance programs across the Federal 
Government, state and local governments, and the private sector. DHS 
further noted that a governmentwide infrastructure does not exist for 
information sharing across all entities that issue documents that other 
programs, such as TWIC, use to positively authenticate an individual's 
identity. We acknowledge that such a government-wide infrastructure 
does not exist, and, as discussed in our report, recognize that there 
are inherent weaknesses in relying on identity documents alone to 
confirm an individual's identity. However, positively identifying 
individuals--or confirming their identity--and determining their 
eligibility for a TWIC is a key stated program goal. Issuing TWICs to 
individuals without positively identifying them and subsequently 
assuring their eligibility could, counter to the program's intent, 
create a security vulnerability. While we recognize that additional 
costs could be imposed by requiring positive identification checks, 
taking actions to strengthen the existing identity authentication 
process, such as only accepting documents that TSA can and does confirm 
to be authentic with the issuing agency, and verifying an applicant's 
business need, could enhance TWIC program efforts to prevent and detect 
identity fraud and enhance maritime security.
    Second, DHS stated that it is working to continually verify TWIC-
holder eligibility after issuance but also noted the limitations in the 
current process. While TSA does receive some criminal history records 
information when it sends fingerprints to the FBI, the information is 
not provided recurrently, nor is the information necessarily complete. 
DHS stated that to provide the most robust recurrent vetting against 
criminal records, TSA would need access to additional state and Federal 
systems, and have additional authority to do so. As we reported, FBI 
and TWIC officials stated that because the TWIC background check is 
considered to be for a noncriminal justice purpose, policy and 
statutory provisions hamper the program from running the broader FBI 
fingerprint-based check using the fingerprints collected at enrollment 
on an ongoing basis. However, we continue to believe that TSA could 
compensate for this weakness by leveraging existing mechanisms 
available to maritime stakeholders. For example, other governing 
entities--such as the Alabama State Port Authority--that have an 
interest in ensuring the security of the maritime environment, might be 
willing to establish a mechanism for independently sharing relevant 
information when warranted. Absent efforts to leverage available 
information sources, TSA may not be successful in tempering existing 
limitations.
    Lastly, DHS sought clarification on the reporting of our 
investigators' success at breaching security at ports during covert 
testing. Specifically, in its comments, DHS noted that it believes that 
our report's focus on access to port areas rather than access to 
individual facilities can be misleading. DHS noted that we do not 
report on the number of facilities that our investigators attempted to 
gain access to within each port area. DHS stated that presenting the 
breaches in terms of the number of port areas breached rather than the 
number of facilities paints a more troublesome picture of the actual 
breaches that occurred. We understand DHS's concern but continue to 
believe that the results of our investigators' work, as reported, 
fairly and accurately represents the results and significance of the 
work conducted. The goal of the covert testing was to assess whether or 
not weaknesses exist at ports with varying characteristics across the 
nation, not to define the pervasiveness of existing weaknesses by type 
of facility, volume, or other characteristic. Given the numerous 
differences across facilities and the lack of publicly available 
information and related statistics for each of the approximately 2,509 
MTSA-regulated facilities, we identified covert testing at the port 
level to be the proper unit of analysis for our review and reporting 
purposes. Conducting a detailed assessment of the pervasiveness of 
existing weaknesses by type of facility, volume, or other 
characteristics as suggested by DHS would be a more appropriate tasking 
for the Coast Guard as part of its continuing effort to ensure 
compliance with TWIC-related regulations.
    In addition, with regard to covert testing, DHS further commented 
that the report does not distinguish among breaches in security using a 
counterfeit TWIC or an authentic TWIC card obtained with fraudulent 
documents. DHS noted that because there is no ``granularity'' with the 
report as to when a specific card was used, one can be left with the 
unsupported impression that individual facilities in all cases were 
failing to implement TWIC visual inspection requirements. For the above 
noted reason, we did not report on the results of covert testing at the 
facility level. However, our records show that use of counterfeit TWICs 
was successful for gaining access to more than one port where our 
investigators breached security. Our investigators further report that 
security officers never questioned the authenticity of TWICs presented 
for acquiring access. Our records show that operations at the locations 
our investigators breached included cargo, containers, and fuel, among 
others.
    In addition, TSA provided written technical comments, which we 
incorporated into the report, as appropriate.
    We are sending copies of this report to the Secretary of Homeland 
Security, the Assistant Secretary for the Transportation Security 
Administration, the Commandant of the United States Coast Guard, and 
appropriate congressional committees. In addition, this report is 
available at no charge on the GAO website at http://www.gao.gov.
    If you or your staff have any questions about this report, please 
contact me.

                                            Stephen M. Lord
                     Director, Homeland Security and Justice Issues
List of Requesters
    The Honorable John D. Rockefeller, IV
    Chairman
    Committee on Commerce, Science, and Transportation
    U.S. Senate

    The Honorable Susan M. Collins
    Ranking Member
    Committee on Homeland Security and Governmental Affairs
    U.S. Senate

    The Honorable John L. Mica
    Chairman
    Committee on Transportation and Infrastructure
    House of Representatives

    The Honorable Bennie G. Thompson
    Ranking Member
    Committee on Homeland Security
    House of Representatives

    The Honorable Frank R. Lautenberg
    Chairman
    Subcommittee on Surface Transportation and Merchant Marine 
Infrastructure, Safety, and Security
    Committee on Commerce, Science, and Transportation
    U.S. Senate

    The Honorable Olympia J. Snowe
    Ranking Member
    Subcommittee on Oceans, Atmosphere, Fisheries, and Coast Guard
    Committee on Commerce, Science, and Transportation
    U.S. Senate

    The Honorable Frank A. LoBiondo
    Chairman
    Subcommittee on Coast Guard and Maritime Transportation
    Committee on Transportation and Infrastructure
    House of Representatives

    The Honorable Mike Rogers
    Chairman
    Subcommittee on Transportation Security
    Committee on Homeland Security
    House of Representatives

    The Honorable Candice S. Miller
    Chairwoman
    Subcommittee on Border and Maritime Security
    Committee on Homeland Security
    House of Representatives
                                 ______
                                 
          Appendix I: Key Steps in the TWIC Enrollment Process
    Transportation workers are enrolled by providing biographic 
information, such as name, date of birth, and address, and proof of 
identity documents, and then photographed and fingerprinted at 1 of 
approximately 149 enrollment centers by trusted agents. A trusted agent 
is a member of the TWIC team who has been authorized by the Federal 
Government to enroll transportation workers in the TWIC program and 
issue TWIC cards. Trusted agents are subcontractor staff acquired by 
Lockheed Martin as part of its support contract with TSA for the TWIC 
program. Table 2 below summarizes key steps in the enrollment process.



------------------------------------------------------------------------



                Table 2.--TWIC Enrollment Process Summary
------------------------------------------------------------------------

------------------------------------------------------------------------
1.                                 The TWIC applicant fills out a TWIC
                                    Application and Disclosure Form and
                                    affirms that the information he or
                                    she is providing to TSA is truthful.
2.                                 The applicant is required to present
                                    documentation to establish his or
                                    her identity to the trusted agent at
                                    the enrollment center. The
                                    documentation required is dependant
                                    upon the applicant's legal presence
                                    in the United States or whether the
                                    applicant was born in the United
                                    States.
3.                                 The trusted agent (government
                                    contractor) captures the applicant's
                                    biographic information, such as name
                                    and date of birth, in the TWIC
                                    system. This can be done in various
                                    ways, such as by scanning
                                    fingerprints and certain identity
                                    documents or by manually typing
                                    information into the system.
4.                                 The trusted agent reviews the
                                    identity documents to establish and
                                    confirm the applicant's identity and
                                    to confirm the documents'
                                    authenticity by reviewing the
                                    physical security features on the
                                    documents.
5.                                 The trusted agent scans the identity
                                    documents to record a digital image
                                    of the applicant's identity
                                    information.
6.                                 The trusted agent uses a machine-
                                    readable document scanning device to
                                    assess the risk of certain documents
                                    being fraudulent. Not all documents
                                    can be assessed using this device.
7.                                 The applicant's 10 fingerprints
                                    (where available) are captured in
                                    the system. The presence of
                                    nonsuitable fingerprints or lack of
                                    a finger for biometric use is
                                    documented in the system by the
                                    trusted agent.
8.                                 The applicant's digital picture is
                                    taken.
9.                                 The enrollment record is completed,
                                    encrypted, and is forwarded by the
                                    trusted agent to undergo the TWIC
                                    program's background checking
                                    procedures.
------------------------------------------------------------------------
Source: GAO analysis of the TWIC program enrollment process and
  documentation.

                                 ______
                                 
                   Appendix II: TWIC Program Funding
    According to TSA and Federal Emergency Management Agency (FEMA) 
program officials, from Fiscal Year 2002 through 2010, the TWIC program 
had funding authority totaling $420 million. Through Fiscal Year 2009, 
$111.5 million in appropriated funds, including reprogramming and 
adjustments, had been provided to TWIC (see table 3 below). An 
additional $196.8 million in funding was authorized from Fiscal Years 
2008 through 2010 through the collection of TWIC enrollment fees by 
TSA, and $111.7 million had been made available to maritime facilities 
implementing TWIC from FEMA grant programs--the Port Security Grant 
Program and the Transit Security Grant Program--from Fiscal Years 2006 
through 2010. In addition, industry has spent between approximately 
$185.7 million and $234 million to purchase 1,765,110 TWICs as of 
January 6, 2011.\1\ The costs for implementing the TWIC program, as 
estimated by TSA for informing the regulation on requiring the use of 
TWIC as an identification credential, is from $694.3 million to $3.2 
billion over a 10-year period. This estimate includes the costs related 
to purchasing TWICs and visually inspecting them. However, this 
estimate does not include the costs related to implementing TWIC with 
biometric card readers or related access control systems.\2\
---------------------------------------------------------------------------
    \1\ Range based on a reduced fee of $105.25 per TWIC for workers 
with current, comparable background checks or a $132.50 fee per TWIC 
for those without.
    \2\ See Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492, 
3571 (2007).



----------------------------------------------------------------------------------------------------------------



                       Table 3.--TWIC Program Funding from Fiscal Years 2002 through 2010
                                               Dollars in millions
----------------------------------------------------------------------------------------------------------------
                                                                             Federal security
 Fiscal year   Appropriated     Reprogramming     Adjustments    TWIC fee      grant awards      Total funding
                                                               authority a  related to TWIC b      authority
----------------------------------------------------------------------------------------------------------------
2002                       0                  0             0            0                  0                  0
----------------------------------------------------------------------------------------------------------------
2003                    $5.0                  0           $20            0                  0              $25.0
----------------------------------------------------------------------------------------------------------------
2004                   $49.7                  0             0            0                  0              $49.7
----------------------------------------------------------------------------------------------------------------
2005                    $5.0                  0             0            0                  0               $5.0
----------------------------------------------------------------------------------------------------------------
2006                       0              $15.0             0            0              $24.3              $39.3
----------------------------------------------------------------------------------------------------------------
2007                       0               $4.0          $4.7            0            $31.5 c              $40.2
----------------------------------------------------------------------------------------------------------------
2008                    $8.1                  0             0        $42.5              $18.0              $68.6
----------------------------------------------------------------------------------------------------------------
2009                       0                  0             0       $109.3            $22.2 d             $131.5
----------------------------------------------------------------------------------------------------------------
2010                       0                  0             0        $45.0              $15.7              $60.7
----------------------------------------------------------------------------------------------------------------
Total                  $67.8              $19.0         $24.7       $196.8             $111.7               $420
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of TWIC program funding reported by TSA and FEMA.
a Figures in the TWIC fee authority column represent the dollar amount TSA is authorized to collect from TWIC
  enrollment fees and not the actual dollars collected. TSA reports to have collected $41.7 million for Fiscal
  Year 2008, $76.2 million for Fiscal Year 2009, and $30.6 million for Fiscal Year 2010.
b According to FEMA, many of these awards are issued as cooperative agreements and, as such, the scope and
  amounts may change as the project(s) proceed. Also, FEMA has not received projects from all grant recipients
  so the total number of projects may increase slightly over time.
c Federal security grant funding subtotal for Fiscal Year 2007 includes $19.2 million in Fiscal Year Port
  Security Grant Program funding, $10.8 million in supplemental funding, and $1.5 million in Transit Security
  Grant Program funding.
d Federal security grant funding subtotal for Fiscal Year 2009 includes $3.9 million in Fiscal Year Port
  Security Grant Program funding and an additional $18.3 million in American Recovery and Reinvestment Act of
  2009 (Pub. L. No. 111-5, 123 Stat. 115 (2009)) funding.

                                 ______
                                 
 Appendix III: List of Documents U.S.-Born Citizens or Nationals Must 
            Select from to Present When Applying for a TWIC
    TWIC applicants who are citizens of the United States (or its 
outlying possessions) and were born inside the United States (or its 
outlying possessions), must provide one document from list A or two 
documents from list B. If two documents from list B are presented, at 
least one of them must be a government-issued photo identification, 
such as a state-issued driver's license, military ID card, or state 
identification card.
List A

   Unexpired United States passport book or passport card

   Unexpired Merchant Mariner Document

   Unexpired Free and Secure Trade Card \1\
---------------------------------------------------------------------------
    \1\ The Free and Secure Trade (FAST) Card is to be issued to 
approved commercial drivers to facilitate the travel of low-risk 
screened shipments across the borders between the U.S.-Canadian border 
and to the U.S. from Mexico.

   Unexpired NEXUS Card \2\
---------------------------------------------------------------------------
    \2\ The NEXUS card can be used as an alternative to the passport 
for air, land, and sea travel into the United States for U.S. and 
Canadian citizens. The NEXUS program allows prescreened travelers 
expedited processing by United States and Canadian officials at 
dedicated processing lanes at designated northern border ports of 
entry, at NEXUS kiosks at Canadian Preclearance airports, and at marine 
reporting locations.

   Unexpired Secure Electronic Network for Travelers Rapid 
        Inspection Card
List B

   Unexpired driver's license issued by a state or outlying 
        possession of the United States

   Unexpired identification card issued by a state or outlying 
        possession of the United States. Must include a state or state 
        agency seal or logo (such as state port authority 
        identification or state university identification)

   Original or certified copy of birth certificate issued by a 
        state, county, municipal authority, or outlying possession of 
        the United States bearing an official seal

   Voter's registration card

   United States military identification card or United States 
        retired military identification

   United States military dependent's card

   Expired United States passport (within 12 months of 
        expiration)

   Native American tribal document (with photo)

   United States Social Security card

   United States military discharge papers (DD-214)

   Department of Transportation medical card

   United States civil marriage certificate

   Unexpired Merchant Mariner License bearing an official 
        raised seal, or a certified copy

   Unexpired Department of Homeland Security/Transportation 
        Security Administration Transportation Worker Identification 
        Credential Card

   Unexpired Merchant Mariner Credential
                                 ______
                                 
  Appendix IV: Criminal Offenses That May Disqualify Applicants from 
                            Acquiring a TWIC
    Listed below are criminal offenses that can prevent TWIC applicants 
from being issued a TWIC. Pursuant to TSA implementing regulations, 
permanent disqualifying offenses are offenses defined in 49 C.F.R. 
1572.103(a). Permanent disqualifying offenses that can be waived are 
those offenses defined in 49 C.F.R. 1572.103(a) for which a waiver can 
be granted in accordance with 49 C.F.R. 1515.7(a)(i). Interim 
disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(b) 
for which the applicant has either been: (1) convicted, or found not 
guilty by reason of insanity, within a 7-year period preceding the TWIC 
application, or (2) incarcerated for within a 5-year period preceding 
the TWIC application. Applicants with certain permanent criminal 
offenses and all interim disqualifying criminal offenses may request a 
waiver of their disqualification. In general, TSA may issue such a 
waiver and grant a TWIC if TSA determines that an applicant does not 
pose a security threat based upon the security threat assessment.
    Permanent disqualifying criminal offenses for which no waiver may 
be granted.

        1. Espionage, or conspiracy to commit espionage.

        2. Sedition, or conspiracy to commit sedition.

        3. Treason, or conspiracy to commit treason.

        4. A Federal crime of terrorism as defined in 18 U.S.C. 
        2332b(g), or comparable state law, or conspiracy to commit such 
        crime.

    Permanent disqualifying criminal offenses for which a waiver may be 
granted.

        1. A crime involving a transportation security incident. A 
        transportation security incident is a security incident 
        resulting in a significant loss of life, environmental damage, 
        transportation system disruption, or economic disruption in a 
        particular area, as defined in 46 U.S.C.  70101. The term 
        economic disruption does not include a work stoppage or other 
        employee-related action not related to terrorism and resulting 
        from an employer-employee dispute.

        2. Improper transportation of a hazardous material under 49 
        U.S.C.  5124, or a state law that is comparable.

        3. Unlawful possession, use, sale, distribution, manufacture, 
        purchase, receipt, transfer, shipping, transporting, import, 
        export, storage of, or dealing in an explosive or explosive 
        device. An explosive or explosive device includes, but is not 
        limited to, an explosive or explosive material as defined in 18 
        U.S.C.  232(5), 841(c) through 841(f), and 844(j); and a 
        destructive device, as defined in 18 U.S.C.  921(a)(4) and 26 
        U.S.C.  5845(f).

        4. Murder.

        5. Making any threat, or maliciously conveying false 
        information knowing the same to be false, concerning the 
        deliverance, placement, or detonation of an explosive or other 
        lethal device in or against a place of public use, a state or 
        government facility, a public transportations system, or an 
        infrastructure facility.

        6. Violations of the Racketeer Influenced and Corrupt 
        Organizations Act, 18 U.S.C. 1961, et seq. , or a comparable 
        state law, where one of the predicate acts found by a jury or 
        admitted by the defendant, consists of one of the crimes listed 
        in paragraph 49 C.F.R.  1572.103(a).

        7. Attempt to commit the crimes in paragraphs listed under 49 
        C.F.R.  1572.103(a)(1) through (a)(4).

        8. Conspiracy or attempt to commit the crimes in 49 C.F.R.  
        1572.103(a)(5) through (a)(10).

    The interim disqualifying felonies.

        1. Unlawful possession, use, sale, manufacture, purchase, 
        distribution, receipt, transfer, shipping, transporting, 
        delivery, import, export of, or dealing in a firearm or other 
        weapon. A firearm or other weapon includes, but is not limited 
        to, firearms as defined in 18 U.S.C.  921(a)(3) or 26 U.S.C.  
        5845(a), or items contained on the United States Munitions 
        Import List at 27 CFR  447.21.

        2. Extortion.

        3. Dishonesty, fraud, or misrepresentation, including identity 
        fraud and money laundering where the money laundering is 
        related to a crime described in 49 C.F.R.  1572.103(a) or (b). 
        Welfare fraud and passing bad checks do not constitute 
        dishonesty, fraud, or misrepresentation for purposes of this 
        paragraph.

        4. Bribery.

        5. Smuggling.

        6. Immigration violations.

        7. Distribution of, possession with intent to distribute, or 
        importation of a controlled substance.

        8. Arson.

        9. Kidnapping or hostage taking.

        10. Rape or aggravated sexual abuse.

        11. Assault with intent to kill.

        12. Robbery.

        13. Fraudulent entry into a seaport as described in 18 U.S.C.  
        1036, or a comparable state law.

        14. Violations of the Racketeer Influenced and Corrupt 
        Organizations Act, 18 U.S.C.  1961, et seq., or a comparable 
        state law, other than the violations listed in paragraph 49 
        C.F.R.  1572.103(a)(10).

        15. Conspiracy or attempt to commit the interim disqualifying 
        felonies.
                                 ______
                                 
       Appendix V: Comparison of Authentic and Counterfeit TWICs
    Figure 1: Comparison of Authentic and Counterfeit TWICs
    Details from this section were removed because the agency deemed 
them to be sensitive security information.
                                 ______
                                 
     Appendix VI: Comments from the Department of Homeland Security
                       U.S. Department or Homeland Security
                                        Washington, DC, May 5, 2011
Mr. Stephen M. Lord,
Director, Homeland Security and Justice Issues,
U.S. Government Accountability Office,
Washington, DC.

Dear Mr. Lord:

Re: GAO-11-657, Draft Report, Transportation Worker Identification 
            Credential: Internal Control Weaknesses Need to be 
            Corrected to Help Achieve Security Objectives

    Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report.
    Transportation Worker Identification Credential (TWIC) is a vital 
security program that is jointly administered by the U.S. Coast Guard 
(USCG) and the Transportation Security Administration (TSA). TSA is 
responsible for enrollment, vetting, and card production, with the 
support of the U.S. Citizenship and Immigration Services, while the 
USCG governs access control requirements and has primary responsibility 
for enforcement. As of March 2011, TSA has enrolled and vetted more 
than 1.8 million maritime workers. As a result of DHS's rigorous 
vetting process, 35,661 individuals were denied from receiving a TWIC. 
DHS agrees that more work is needed to strengthen existing security 
controls and has begun efforts to address many of the GAO's findings.
DHS Increasing Applicant Identity Verification Controls
    DHS is working to strengthen controls around applicant identity 
verification in TWIC, knowing that document fraud is a vulnerability to 
credential-issuance programs across Federal, state, and local 
governments, and the private sector. To establish identity and proof-
of-citizenship, TWIC leverages documents issued by multiple Federal, 
state, and local entities. However, a government-wide infrastructure 
does not exist for information sharing across all entities that issue 
the breeder documents that relying parties use to positively 
authenticate an identity. TWIC follows best practices to mitigate the 
risks from not having visibility or control of the physical 
characteristics or the issuance process for these documents. 
Specifically. TWIC uses document authentication readers and requires 
fraudulent document training of its Trusted Agents as safeguards 
against document fraud.
    TWIC will benefit from national efforts to strengthen identity 
documents. For example, DHS continues to work with the states to 
implement the requirements of the REAL ID Act for more secure driver's 
licenses, as well as the underlying issuance processes and procedures. 
Furthermore, efforts are underway in the Federal Government, state 
vital records agencies, and departments of motor vehicles to enhance 
security related to core breeder documents. such as birth certificates, 
which would assist in positive authentication.
    TSA is also actively engaged with the DHS's United States Visitor 
and Immigrant Status Indicator Technology (US-VISIT) program to include 
TWIC applicant data into the US-VISIT database, referred to as IDENT. 
Biometrics placed in IDENT are linked to specific biographic 
information, enabling a person's identity to be established and then 
verified by the U.S. Government.
    TWIC is also strengthening safeguards against cards being misused 
after issuance. An upcoming USCG rulemaking will include a requirement 
for electronic verification of the TWIC card through use of card 
readers. The use of electronic readers will provide the port or 
facility authority in charge of access control decisions with a higher 
level of assurance that the TWIC presented is authentic, valid (not 
revoked), and unexpired.
DHS Working to Continually Verify TWIC Holder Eligibility after 
        Issuance
    DHS strongly agrees on the value of recurrent vetting. DHS is 
making progress in the effort to reasonably assure that TWIC holders 
have maintained their eligibility once issued their TWICs. TSA conducts 
recurrent checks of TWIC holders against the Terrorist Screening 
Database and other databases. TSA has the authority to revoke TWICs 
based on the results of recurrent vetting, and use of card readers for 
electronic verification will strengthen the effectiveness of these 
processes.
    In order to provide the most robust recurrent vetting against 
criminal history records, TSA needs full access to Criminal History 
Records Information (CHRI), similar to that of a criminal justice 
agency or law enforcement officer; this information is available at the 
state level and accessed via the Interstate Identification Index 
managed by the U.S. Department of Justice, Federal Bureau of 
Investigation (FBI). Although TSA receives some CHRI when it sends 
fingerprints to the FBI for initial vetting, the FBI does not perform 
recurrent vetting of CHRI on behalf of TSA. The FBI has deemed that 
TSA's security threat assessments for TWIC are non-criminal justice 
activities. As a result, TSA is unable to request subsequent CHRI for 
recurrent vetting without a submission of new fingerprints from the 
individual. Additionally, TSA may not always receive all available 
information because of the FBI's designation as ``non-criminal 
justice'' purposes for TSA security threat assessments. States may not 
upload all available information into the FBI biometric system and may 
not respond to CHRI requests for ``non-criminal justice'' activities. 
DHS has and will continue to work with the FBI and states to try to 
expand access to the CHRI.
    While not a final solution to the challenge of recurrent criminal 
vetting, including TWIC data in IDENT would provide a framework to 
initiate more recurrent vetting on CURL, where available, for TWIC 
holders. In addition to supporting identity verification, biometric 
data from IDENT is used to conduct vetting against criminals and 
immigration violators. TSA and US-VISIT are working to include TWIC 
data in the IDENT database.
DHS Clarification on GAO Breaches of MTSA-Regulated Ports
    DHS would also like to address aspects of GAO's covert operation 
defined in the report that we believe warrant further clarification.
    DHS believes that the focus on access to port areas rather than 
access to individual facilities can be misleading. Specifically, the 
report states that GAO investigators successfully penetrated ports 
between August 2009 and February 2010. However, the report does not 
breakdown the number of facilities to which GAO attempted to gain 
access within each port area. Each port is unique in design and 
operation--ranging from some ports housing hundreds of individual 
facilities spread over a large geographic area to other ports 
containing only a few facilities in a small geographic area with one 
main access control point. While GAO stated that it did not require its 
covert investigators to record the individual attempts to access 
facilities, investigators indicated during discussions with USCG that 
they were successful in gaining unauthorized access at some individual 
facilities within the port areas. The presentation of breaches at port 
versus individual facilities paints a more troublesome picture of the 
actual breaches that occurred.
    Third, the report does not distinguish among fraud committed with 
counterfeit TWIC cards, authentic TWIC cards obtained with fraudulent 
documents, and access control decisions made by facility personnel. 
Each type of fraud has a different mitigation technique. The fact that 
a Facility Security Officer does not question what appears to be a 
valid card should not be intertwined with cases in which a counterfeit 
card was presented to gain access. Because there is no granularity 
within the report as to when a specific card was used, one can be left 
with the unsupported impression that individual facilities in all cases 
were failing to implement TWIC visual inspection requirements. Or, as 
written in this report, that ports failed to properly implement these 
requirements.
Recent Developments
    The GAO audit was beneficial in helping DHS identify immediate 
actions that could strengthen the effectiveness of the TWIC program.
    TSA has already taken steps to remedy some of the missing internal 
controls that GAO has identified. Starting in January 2011, the TWIC 
program initiated a 100-percent review of all fingerprint matches 
received in the system. These matches could highlight potential fraud 
in the TWIC enrollment process where one individual could be attempting 
to enroll under a different identity and possibly with fraudulent 
documents. During this process, the TWIC program has already referred 
numerous cases to our Law Enforcement Investigations Unit where 
investigations are under way.
    On February 14, 2011, USCG Headquarters published additional 
guidance to field units regarding the importance of TWIC inspections 
and verifications. The guidance directed Captains of the Port to place 
a higher priority on the review and validation of TWIC verification 
procedures during the required Maritime Transportation Security Act 
(MTSA) security inspections. Additionally, the guidance encouraged 
Captains of the Port and the Facility Security Officers to take 
advantage of training aids regarding the identification of fraudulent 
TWICs published on Homeport-the USCG's Internet site for maritime 
information.
    As previously mentioned, the USCG is currently developing an 
upcoming rulemaking that will include a requirement for card readers at 
ports and facilities. The TWIC program has completed a pilot that 
evaluated using card readers for electronic verification of the TWIC 
card. DHS believes that electronic verification of TWIC cards will 
significantly enhance protection against counterfeit, tampered, or 
expired TWIC cards being used to gain access to secure facilities.
    TSA is in the initial phases of a modernization effort for its 
vetting infrastructure. This effort is aimed at consolidating 
systematic processes related to conducting background checks with the 
goal of improving the overall security and consistency of our 
enrollment and vetting processes. As the modernization effort moves 
forward, the TWIC program will continue to be heavily involved to 
ensure that any internal control gaps or risks are addressed or further 
mitigated.
GAO Recommendations
    DHS takes the findings of this review very seriously. DHS strongly 
believes that TWIC has an overall effect of strengthening the security 
of our nation's ports. We also acknowledge and appreciate GAO's work to 
identify opportunities to enhance current program controls. We 
recognize that breaches did occur and that the Department and port 
facility owners and operators need to take steps to enhance security. 
DHS appreciates the opportunity to provide GAO with comments to its 
audit recommendations.
    ``To identify effective and cost efficient methods for meeting TWIC 
program objectives, and assist in determining whether the benefits of 
continuing to implement and operate the TWIC program in its present 
form and planned use with readers surpass the costs, we recommend that 
the Secretary of Homeland Security take the following four actions:

    Recommendation 1: Perform an internal control assessment of the 
TWIC program by: (1) analyzing existing controls, (2) identifying 
related weaknesses and risks, and (3) determining cost-effective 
actions needed to correct or compensate for those weaknesses so that 
reasonable assurance of meeting TWIG program objectives can be 
achieved. This assessment should consider weaknesses we identified in 
this report, among other things, and include:

   strengthening the TWIC program's controls for preventing and 
        detecting identity fraud, such as requiring certain biographic 
        information from applicants and confirming the information to 
        the extent needed to positively identify the individual, or 
        implementing alternative mechanisms to positively identify 
        individuals;

   defining the term extensive criminal history for use in the 
        adjudication process and ensuring that adjudicators follow a 
        clearly defined and consistently applied process, with clear 
        criteria, in considering the approval and denial of a TWIC for 
        individuals with extensive criminal convictions not defined as 
        a permanent or interim disqualifying offense, and;

   identifying mechanisms for detecting whether TWIC-holders 
        continue to meet TWIC disqualifying criminal offense and 
        immigration-related eligibility requirements after TWIC 
        issuance to prevent unqualified individuals from retaining and 
        using authentic TWICs.''

    Response: Concur. DHS agrees that an internal control assessment 
should and will be performed. Once the final GAO report is issued, DHS 
will initiate a comprehensive review of current internal controls with 
a specific focus on the controls highlighted in this report. In the 
interim, TSA and USCG are evaluating and implementing new internal 
controls as discussed in this letter.
    Recommendation 2: ``Conduct an effectiveness assessment that 
includes addressing internal control weaknesses and, at a minimum, 
evaluates whether use of TWIC in its present form and planned use with 
readers would enhance the posture of security beyond efforts already in 
place given costs and program risks.''
    Response: Concur. DHS agrees that the results of the internal 
control assessment should be used to further evaluate the effectiveness 
of the TWIC program.
    Recommendation 3: ``Use the information from the internal control 
and effectiveness assessments as the basis for the evaluating the 
costs, benefits, security risks, and corrective actions needed to 
implement the TWIC program in a manner that will meet stated mission 
needs and mitigate existing security risks as part of conducting the 
regulatory analysis on implementing a new regulation on the use of TWIC 
with biometric card readers.''
    Response: Concur. As the internal control assessments progress, any 
applicable data or risks will be communicated to USCG for consideration 
during their regulatory analysis.
    Recommendation 4: ``Direct the Commandant of the Coast Guard to 
design effective methods for collecting, cataloging, and querying TWIC-
related compliance issues to provide the Coast Guard with the 
enforcement information needed to assess trends in compliance with the 
TWIC program and identify associated vulnerabilities.''
    Response: Concur. USCG has already incorporated changes to its 
current version of Marine Information for Safety and Law Enforcement 
(MISLE) to enhance data collection since the TWIC compliance date of 
April 15, 2009. Incorporation of additional changes is planned in a 
future release of MISLE that will add to current capabilities to 
collect data and allow for more detailed trend analysis.
    Again, thank you for the opportunity to review and comment on this 
draft report. We look forward to working with you on future Homeland 
Security issues.
            Sincerely,
                                         Jim H. Crumpacker,
                     Director, Departmental GAO/OIG Liaison Office.
                                 ______
                                 
                  Appendix VII: GAO Contact and Staff
    Stephen M. Lord at (202) 512-4379 or at [email protected]
Staff Acknowledgments
    In addition to the contact named above, David Bruno (Assistant 
Director), Joseph P. Cruz, Scott Fletcher, Geoffrey Hamilton, Richard 
Hung, Lemuel Jackson, Linda Miller, Jessica Orr, and Julie E. Silvers 
made key contributions to this report.

    Senator Lautenberg. Thank you very much, Mr. Lord.
    It's astounding to hear your testimony and see the large 
percentage of those really not qualified to receive the card. 
And then you said, being convicted of a felony does not 
automatically disqualify a person from being eligible. And it 
goes on to detail what kind of offenses: espionage, treason, 
other offenses, such as murder or the unlawful possession of 
explosive device. It sounds like we're not attracting, always, 
the kinds of applicants that would qualify to get a card. And 
that's a tough outcome for something that ought to be done much 
differently.
    Through your covert testing, you said you were able to 
obtain fraudulent TWIC cards, and access secure facilities 
using these cards. Now, what kind of threats are these to our 
ports and our other secure facilities?
    Mr. Lord. Well, in our report today, we reference a 2008 
Coast Guard assessment, in which it states, very clearly, al 
Qaeda considers U.S. ports and facilities to be legitimate 
targets. Perhaps the Coast Guard witness could expound on that. 
But, that to us, that's why this issue is important.
    Senator Lautenberg. The fact of the matter is that there's 
a question that invites a view of the magnitude of the problems 
that are involved in having something that can be stabilized 
and relied upon. And I wonder what other kinds of approaches 
there might be in order to get this to be an easier program to 
manage--one that's more reliable. Anyone want to make a quick 
suggestion here on that regard?
    Mr. Pistole?
    Admiral Cook. Mr. Chairman, I would just go back a little 
bit in history. I happen to have been the Captain of Port for 
the Houston-Galveston area during 9/11. And at that time, when 
we tried to bring into account--actually, before the MTSA, but 
certainly recognizing that access control was very, very 
important--that we tried to find a document that could be 
universally recognized from facility to facility which, 
typically, would have their own card. Sometimes they would 
recognize driver's license. Sometimes they would recognize 
other Federal ID cards. That was a very important thing for us 
to address early on. So, as we move from that initial, you 
know, implementation, and realizing that we needed to have more 
secure ports in the future, looking forward to one card that 
could be universally recognized, that guards could be trained 
to recognize, security features could be built in. And I think 
that that has been viewed as a very good thing. The Coast Guard 
actually looks forward to the opportunity to maximize that card 
through the use of card readers, which will then provide an 
additional level of verification, authentication, and 
validation. But--so, I--from my point of view, I would say that 
the card has introduced a significant amount of security, and 
certainly with my past experience----
    Senator Lautenberg. Well, but there is--Admiral, there is a 
suggestion that, in some ways, we might have not gained on it, 
and exposed ourselves to more difficult problems in the future.
    So, Mr. Pistole, before we discuss TSA's effort to address 
port security, it was discovered that al Qaeda was planning an 
attack on a U.S. rail line. To date, TSA's efforts on rail 
security have been delayed and nearly nonexistent, compared to 
aviation security. In light of this information, what immediate 
steps are we taking to increase rail security measures?
    Mr. Pistole. Thank you, Mr. Chairman. Well, obviously, as 
soon as we got the word from the document exploitation from the 
bin Laden raid and the killing of bin Laden, we engaged, 
particularly, with our partners in the rail security, 
particularly Amtrak for the Northeast Corridor, but all 
passenger and freight rail, noting the context for this 
information, coming from February of last year, and talking 
about an attack on passenger rail for the 10th anniversary of 
9/11. So, it's still months away. But, we passed that 
information immediately and then worked with, particularly, 
Amtrak Police, and others, in terms of what they were doing, in 
terms of additional random, unpredictable patrols, both 
uniformed officers, canines, explosive trace detection--all 
those things that would serve as a deterrent, knowing that the 
three things the terrorists are looking for, in terms of 
deterrent, are additional police patrols, additional canines, 
or closed-circuit television cameras, as long as they're not 
suicide bombers, as we saw in London, on July 5 and 21 of 2005.
    So, that's what we have done. We're obviously very much 
interested in the Transportation Security Grant Program and the 
outcome of Congress's decision on that, in terms of where that 
will be--how much money we'll have to support both the training 
efforts and the additional efforts that I've mentioned, in 
terms of things such as infrastructure protection, whether it's 
the Port Authority, Trans-Hudson, the PATH tunnels that you're 
so familiar with, shoring up those vulnerabilities, and other 
issues. So, those are some of the things we've done since that 
announcement.
    Senator Lautenberg. Senator Boozman.
    Senator Boozman. Thank you, Mr. Chairman.
    Mr. Lord, how much money has been spent on the project?
    Mr. Lord. Since the inception of the program, it's 
approximately $420 million. And that includes $111 million in 
direct appropriations, $112 million in grants, including port 
security grants and transit security grants, and approximately 
$198 million raised in fees. Once you apply for a TWIC, you're 
to pay $132.50. So, that represents a significant share of the 
program proceeds.
    Senator Boozman. After looking, the ability to essentially 
very easily obtain a TWIC fraudulently, the fact that it looks 
like--am I reading it right?--of the 1,676,000, 460,000--over 
460,000 criminals, only one has been denied?
    Mr. Lord. Actually, we didn't have full visibility over 
that, but that's our understanding. Most--virtually all were 
approved, and the one was denied, as part of that adjudication 
process; once derogatory information is identified in the 
application process. That's our understanding, which we include 
in our report.
    Senator Boozman. Based on your investigation, would a 
normal driver's license from the states, now, that are required 
to do the--you know, much more background check than they used 
to, as far as who you are--would that be more secure identity 
than the TWIC card? Or, is it at least as secure?
    Mr. Lord. It's at least as secure, probably, in many cases, 
more secure. That's our point.
    Senator Boozman. We've spent all this money, and right 
now--up to now, what we have is less secure than a driver's 
license.
    Mr. Lord. Yes. And that was the purpose of our report, 
quite frankly. We identified some design flaws in the system--
some holes. We think they can be patched. And we also raised an 
issue of facility training. The security guards play a key role 
in the process, and they, perhaps, need to be provided some 
additional training. They'll need to be a little more rigorous 
in scrutinizing the credentials, which are currently being used 
as a flash pass only. The biometric reader, that's the next 
stage of the program.
    Senator Boozman. And I guess, Admiral Cook, I would take 
exception to your remark about the TWIC card making us--you 
know, that we've had improvement by having it. And you can 
comment on this, too, Mr. Lord, and you, Mr. Pistole. But, the 
fact that we have this card that means nothing, or very little, 
because Mr. Lord's group has demonstrated it's very easy to get 
around it--to me, it makes us less secure than ever, because 
when your guys check this card, they, in good faith, feel like 
they're dealing--you know, this system--they have no idea that 
the card wasn't valid--then it gives them a false sense that 
they really shouldn't have at this point. Is that true or 
false?
    Admiral Cook. Senator--and this is not to be argumentative 
in any way--the--I pretty--I'm starting, pre-9/11, in my mind. 
But, then one of the things that--as I said, we're looking 
forward to being able to move to the electronic reader. And 
what the Coast Guard has done to try to move ahead on that is, 
we deployed over 200 portable readers so that we can take 
advantage of that biometrics. It still does not account for 
someone that had a TWIC obtained based on fraudulent documents, 
because then the--biometric in the card.
    Senator Boozman. The point is, it's so easy to obtain these 
things fraudulently.
    Admiral Cook. Well, the--as the mariners and workers----
    Senator Boozman. And this is not your problem. You're just 
the guy that's checking. I don't----
    Admiral Cook. Right.
    Senator Boozman. But, again, I think it puts--you're all at 
a disadvantage.
    Mr. Lord, who initiated the GAO study?
    Mr. Lord. It was this committee and eight other 
Congressional committees.
    Senator Boozman. Did you find any evidence, as you were 
investigating, that anybody--the Coast Guard, TSA--were 
concerned about this prior to your investigating the--was 
this--did this seem something that was at the top of their 
radar, as far as concerns about safety and security in this 
area?
    Mr. Lord. Oh, I think, absolutely, it was on their agenda; 
it was on their radar. But just contextually, we have completed 
a large body of work on TWIC-related issues over the last 5 
years. We've worked very closely with TSA and the Coast Guard 
on this. We have a good, collaborative relationship, and they 
have taken steps to address some of the issues we identified in 
our report.
    Senator Boozman. Mr. Pistole, who in your agency--I find it 
remarkable--you know, if you talk to the truckers and people 
like that, you know checking records--and just employers, in 
general, you know, with drug screenings and--this doesn't have 
anything to do with drug screenings--but, just in general, 
checking people out, whether or not they're going to drive a 
schoolbus or whatever--it's remarkable that, of your people 
with a criminal record, there's such a low, low, low percentage 
of people that were flagged. Who in your agency--who's 
responsible for that? What entity within TSA is responsible for 
making that decision?
    Mr. Pistole. Well, of course, I'm responsible, overall, but 
the----
    Senator Boozman. No, but you don't check----
    Mr. Pistole. Yes.
    Senator Boozman.--these things off.
    Mr. Pistole. Right. But----
    Senator Boozman. Who does that?
    Mr. Pistole.--TTAC, which is our credentialing group, is 
responsible for that.
    And just, if I could, Senator----
    Senator Boozman. So, what is the name of that group?
    Mr. Pistole. TTAC. It's T-T-A-C, the credentialing group.
    And just for context, I think--so, I would say--I agree 
with a number of your comments--I would say we are more secure 
from the standpoint of, prior to any of these cards, somebody 
could use a driver's license, a union card, whatever it may be, 
that they just used to get access to the ports, with no----
    Senator Boozman. Mr. Lord has just testified that a 
driver's license is more secure than the card.
    Mr. Pistole. So, if I could just finish, there--without any 
background check, necessarily--and so, at least, we're doing 
background checks now. Obviously, there are statutory 
provisions for people with criminal histories. And just by the 
nature of the workforce, a number of dockworkers may have had 
some criminal history. So----
    Senator Boozman. Right.
    Thank you, Mr. Chairman.
    Senator Lautenberg. Thank you very much.
    Senator Begich?

                STATEMENT OF HON. MARK BEGICH, 
                    U.S. SENATOR FROM ALASKA

    Senator Begich. Thank you very much, Mr. Chairman.
    First, I want to thank you, Administrator Pistole, for one 
program called ``Enroll Your Own,'' which is very important in 
our rural parts of Alaska, as you know. In order to have people 
to get the TWIC card is very expensive, complex for--and the 
travel in some of our fishing communities. And so, first I want 
to say thank you for that. We do have some suggestions we want 
to share with you--we'll do it for the record--from our police 
departments, who you work with.
    Mr. Pistole. Good.
    Senator Begich. And I think they have some very positive 
suggestions that I would hope you would consider as you 
continue to roll this program out.
    Mr. Pistole. Sure.
    Senator Begich. And I just want to issue a cautionary note, 
on the discussion here on criminal records and so forth--you 
hinted to it--in some of these industries, not everyone's going 
to have a stellar background, but are working in jobs that pay 
sometimes very low wages, and a variety of other things. So, I 
know that's a careful balance that you have to have.
    My concern--and I don't know who wants to answer this. Let 
me, first, start with one example. And I may be a little off, 
here, but I'm using an example from my own--one of my own staff 
people, a loaner from one of the agencies, NOAA. Because he 
works on a ship and works on a dock, he goes through a whole 
process to get his card, his common access card--
fingerprinting, all the 9 yards. Then he has to get a TWIC 
card, go through the same process. That seems such a simple 
fix, that if you've got a Coast Guard person that's required to 
go through and get their card, or a NOAA person, or any of 
these Federal agencies or government agencies, like a police 
department or maritime enforcement office, depending on if 
you're a coastal area, that, once they've done that, they 
shouldn't have to repeat that. Is that an easy fix that you can 
do?
    Mr. Pistole. I will take that, Senator. It's not easy, 
unfortunately, but you've identified a key issue which is 
really overriding all these individual issues that we're 
talking about here today, and that's not only for the whole 
U.S. Government, in terms of having a universal access card, 
whatever that may be--of course every state has different 
standards. The National Institute of Standards Technology, of 
course, sets some standards that we abide by. But, that's the 
challenge that we deal with, that this goes--even in my last 
job, at the FBI, where there were all types of fraudulent 
documents because of differing standards by state and the 
federal government.
    Senator Begich. But, you'll probably never get to the 
unified card of any kind. So, we have to take that as a given, 
even though I know, from a law-enforcement--as someone who was 
a mayor that managed a police department, you know, they would 
love to have one card, one place, one location. But, that will 
never happen, because of states' rights, and many other things. 
But, it seems, even in the Federal agencies--I think if a NOAA 
person or a Coast Guard person or--pick the agency--that goes 
through this already, that they shouldn't have to go through it 
again.
    Mr. Pistole. So, there's----
    Senator Begich. First, let me ask, does that make sense, 
that logic?
    Mr. Pistole. Yes.
    Senator Begich. OK.
    Mr. Pistole. Absolutely.
    Senator Begich. So, why not figure out--I know what we'd 
like to do, it seems, in the federal government, as I've 
learned now, is always get the big pitch, try to do it all at 
once, and do everything, which is disastrous. Example A, $300 
million. You know, maybe we'll learn a little bit out of this. 
But, it seems like--why don't we just take one piece of the pie 
and try to deal with it and get it to work, rather than this 
holistic, which--you know, it sounds like another contractor 
making a lot of money on a system that doesn't work, that we'll 
probably never recoup anything from, and then they'll charge us 
more to do some more work.
    Mr. Pistole. So, I agree, completely.
    Senator Begich. It's the----
    Mr. Pistole. You would think, Senator----
    Senator Begich.--the federal M.O.
    Mr. Pistole. Right. So, we are working on some proposed 
rulemaking that would help in that regard. Obviously, industry 
has a lot of interest and input into that. And so, as we work 
through this, unfortunately I believe it's a longer-term rather 
than a short-term fix. But, I agree completely with your 
philosophical approach of trying to consolidate and make it 
more efficient and effective for those who need these access 
cards.
    Senator Begich. And then--but, I just give you a cautionary 
note. The standard thought is, ``Well, let's try to figure out 
all the Federal--just take the Coast Guard, get them cleared 
up. Get the NOAA, get them cleared up.'' In other words, 
piecemeal it out so, each one, you're just trying to 
incrementally do. Is that a realistic approach, rather than 
this--it just makes me very nervous that we're going to try to 
do all of it at once and then, maybe a year and a half or 2 
years from now, we'll have the same conversation, maybe with 
different people, maybe the same people, talking about more 
expense. Is that----
    Admiral I don't know who. Mr. Lord? Whoever.
    Mr. Lord. No, it makes perfect sense. I believe you're 
referring to consolidating the so-called security threat 
assessment process. Typically, when you go in for a credential 
now, they'll run a STA on you. To complete an STA, you may need 
another credential. They'll do it again. What they're doing is 
accessing the same--essentially, the same databases. So, they 
have an effort. They just started. They're trying to 
consolidate that. So, they, the Department of Homeland 
Security, wholeheartedly would agree with your position. And 
they're already taking steps to do that. Initial steps. But, 
that's the vision. You want to consolidate----
    Senator Begich. Right.
    Mr. Lord.--all that so-called background-checking process, 
and just have one person, one check----
    Senator Begich. Right.
    Mr. Lord.--rather than having one person, multiple checks. 
It's currently----
    Senator Begich. Doesn't make sense, that latter part.
    Mr. Lord.--inefficient, and it costs the consumer, the 
person applying for the card, more money.
    Senator Begich. Let me just end with one question. The 
people that initiated this process--I know it wasn't under some 
of you folks, because some of you are new, obviously--but, the 
people below you who deal with all this, are they the same 
people that initiated this process, or are they new people? And 
the reason I ask that, sometimes--you know, there's my 
question. Because, I just heard a little knock on--to the left.
    [Laughter.]
    Senator Begich. Yes or no?
    Mr. Pistole. Yes, mostly the same people.
    Senator Begich. That's a problem. I'll leave it at that.
    Senator Lautenberg. Thank you very much.
    Senator Wicker.

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Thank you.
    Gentleman, the results of the GAO report, I must say, are 
absolutely breathtaking. TSA has failed to implement and 
evaluate the TWIC Program in a way that provides reasonable 
assurance that only qualified individuals have access. GAO 
investigators were able to access secure facilities at U.S. 
ports during covert tests in which they presented either 
counterfeit TWIC cards, authentic TWIC cards, or cards obtained 
through fraud. GAO found that controls to identify the use of 
potentially counterfeit identity documents were not used to 
inform the background- checking process. TSA does not have 
clear criteria for applying discretionary authority to 
applicants who have past criminal convictions. And controls are 
not designed to determine whether cardholders have committed 
disqualifying crimes at the federal and state level after being 
granted a TWIC.
    It seems to me that a decade of work has resulted in a 
system that would put Rube Goldberg to shame, and it almost 
argues for starting over from scratch and trying to design 
something that would work. I would mention again what Senator 
Boozman has pointed out, that of 460,000 TWIC applicants with a 
criminal record, TSA was able to deny access to one of those 
460,000-plus applicants. I mean, it is absolutely astounding. 
But, the requirement has succeeded in making things harder on 
the applicants. And I have a report here from a constituent 
group, regarding TWIC card applications and the two-trip 
requirement. And I'll quote from this business, ``The 
requirement that applicants make two trips to a TWIC enrollment 
center that may be hundreds of miles from their workplace or 
home represents a substantial burden on transportation workers 
across the country. A resident living in West Plains, Missouri, 
for example, must make, at minimum, two 350-mile round-trips to 
apply for and activate their card at the nearest enrollment 
center located in Memphis. Another worker in Meridian, 
Mississippi, must make, at minimum, two 267-mile round-trips to 
apply for and activate their card at the nearest enrollment 
center in Mobile.''
    So, for the honest worker who doesn't have a criminal 
background, he's got to make two trips. Mr. Lord, is there some 
way, in your judgment, that we could devise a system that does 
not require the two trips? I have confidence in the mail 
system. And it seems to me that receiving a card in the mail, 
then calling with secure information to verify that that card 
has been received, and then activated at that point, much like 
the credit cards are done, that something of that nature should 
be used to apply some common sense to the honest people that 
are being inconvenienced, to the tune of hundreds of miles.
    Mr. Lord. No, that's an excellent question, sir. We 
recently looked at that, whether you could simply mail a TWIC 
card to an applicant's place of residence. It sounds easy. But, 
like many things, once you start looking into it, it's a little 
more complicated. And what we found was, the current policy of 
the Department is to remain aligned with the so-called FIPS 201 
standard. This is a biometric security standard that pertains 
to all government credentials. As long as the policy is to 
remain aligned with that standard, it would preclude you from 
mailing it to an applicant's place of residence. Why? Because 
you have to do a biometric match, in person, to ensure 
security. That helps limit potential fraud. And it's a key 
security enhancement. We had discussions with the NIST 
officials who crafted the standard--TSA, DHS; they agreed with 
our assessment. So, as long as that's their policy, the current 
policy is to remain aligned with that standard. Obviously, they 
could change the policy and have to reengineer their business 
processes, but as long as that policy remains unchanged, they 
cannot mail the TWIC to a person's place of residence.
    To TSA's credit, they did add some flexibility to the 
program. In February 2009, they allowed the applicant to 
designate what enrollment center they'd like to pick it up. 
Sometimes people move. You apply for a TWIC in Seattle, say, 
and move to Memphis. You can now say, ``I'd like to pick up my 
card in Memphis,'' without having to drive all the way back to 
Seattle. So, there has been some effort to respond to the needs 
of applicants. But, I cannot criticize them for requiring the 
in-person biometric match. That's a key part of the process.
    Senator Wicker. Well, I would just simply suggest, as I 
yield back, that there are so many aspects of this program that 
are obviously going to have to be rethought, that we ought to 
put up the best minds in the country on some way to make this 
less burdensome on the honest folks that actually do comply.
    Thank you.
    Mr. Pistole. Mr. Chairman----
    Senator Lautenberg. Yes.
    Mr. Pistole. I'm sorry.
    Senator Lautenberg. I'm sorry. Yes.
    Mr. Pistole. If I may just respond on the one part to the 
Senator's question----
    Senator Lautenberg. Sure.
    Mr. Pistole.--just briefly.
    Senator on the one denial, the overall numbers--we've 
actually denied over 35,000 people, for various disqualifying 
criteria. The one you're referring to is one who is an 
individual who had several criminal convictions, none of which 
was individually disqualifying, but, taken in totality, was 
disqualifying. So, it has actually been over 35,000. So, that's 
the whole purpose of that. We've also had several people who, 
it turned out, are on the terrorist watch list, who've applied 
for TWIC card, that have also been denied. And I could go into 
more detail in a closed setting on that.
    Senator Lautenberg. Thank you.
    Senator Snowe.

              STATEMENT OF HON. OLYMPIA J. SNOWE, 
                    U.S. SENATOR FROM MAINE

    Senator Snowe. Thank you, Mr. Chairman.
    And just to follow up on the question on the enrollment 
centers which is obviously a problem in a state like Maine, 
where we only have two enrollment centers, one in Bangor and 
one in Portland. So, I'm going to explore with you the issue of 
distance. Do have you have any information regarding the impact 
it has on these workers to go long distances in order to secure 
the card and then have to go back and get it approved, and so 
on, and requiring two different trips for these identity cards? 
And so, do you have any information on that? Who's----
    Mr. Lord. Just to clarify, we audited the program, but we 
did speak to many applicants. And that was a persistent pain 
point, having to make two trips to get your credential. And I 
know there has been various discussions about how to mitigate 
that. They have portable enrollment centers. You can move 
certain enrollment centers around the country. But, again, I'm 
from GAO, not TSA. So, that's probably a better question for 
TSA.
    Senator Snowe. Mr. Pistole?
    Mr. Pistole. So, Senator, yes, it's clearly less than ideal 
for most persons who are not located close. I have a map of 
where the permanent enrollment centers are. And, of course, 
they're located where most of these workers that would need 
them. We've also done several dozen of the mobile centers. And 
if there's a need in Maine that you've identified that would 
need one of these mobile centers, I'd be glad to take a look at 
that to try to facilitate that. So, we're--and also, by 
allowing the applicants to pick up their card at a different 
location, as noted, because they do move around and are--work 
in different places, it is a challenge, in trying to comply 
with the NIST standards, in terms of the best security, while 
also providing for the best convenience. So, that's the dynamic 
we deal with.
    Senator Snowe. Well, there is obviously a gap between the 
enrolled and the activated. So, is it your surmisal that they 
travel from one place to another--activate at one--enroll in 
one area and activate it in another location?
    Mr. Pistole. Some of the applicants request that, because 
they're jobs have changed----
    Senator Snowe. Do they have to get prior approval for doing 
that?
    Mr. Pistole. You know, I don't know that. I'll have to 
check on that.
    Senator Snowe. Well, somehow, we're going to just have to 
make this simpler. I just think it's cumbersome and 
bureaucratic. I mean, only 167 centers nationwide. So, it 
just--there must be a better way. I mean, I think about the 
amount of money that has already been spent on this program. 
Frankly, I think--the Chairman and I are probably one of the 
few members that were here on the Committee post-9/11, working 
on this very issue, and this was one of the issues that was 
identified as a priority. And that was back in the aftermath of 
9/11. In 2002, we began this process. I think it was then 
former President Bush identified as, you know, having the 
identity of these workers established, and developing a system. 
And we will have spent $3.2 billion, and we've yet to clear all 
the hurdles to say that it's fully implemented and satisfied.
    And so, I think it's--it--presenting enormous difficulties 
and complexity and failing to uphold the major standard, which 
is to confirm the identity of a cardholder. I mean, ultimately, 
that is not something that's been achieved at this point, it 
seems to me. And so, now we're going to spend all this money on 
biometric reading and digital devices, which are going to cost, 
as I understand it, up to $8,000 apiece. Is that correct?
    Admiral Cook. That is correct, yes.
    Senator Snowe. It is. So--I mean, so there's another 
monumental cost. And next year, we're supposed to have--mandate 
the use of these cards. Are we going to be prepared for that?
    Mr. Pistole. So, that is one of our challenges. And that's 
exactly why I've asked, along with Coast Guard and the 
Department, to--asking GAO to look the cost-benefit analysis of 
this whole program, because we do have hundreds of millions 
invested in it, between us, the U.S. Government, taxpayers, and 
industry. The question is, what's our return on investment? Are 
we clearly safer? Yes, we are. But, at what cost? And so, 
that's why we've asked for GAO to follow up on this.
    Senator Snowe. Well, I guess it's a red flag for all of us 
in Congress. I mean, I think if it takes so long to get a 
program up and running, something must be truly wrong, and 
we've got to decide differently, because it has been the better 
part of the decade, obviously, and we still haven't completed 
it. And yet, it's going to cost a great deal. I mean, it has 
been practically, what, from 2002 to 2012, essentially, and 
we're still not that much further ahead, in terms of where we 
need to be, and all the other problems that have been exposed.
    In 2006, I introduced an amendment to the SAFE Port Acts 
that required a GAO report to review the various background 
checks among various agencies. Now, is there any way that we 
can sort of synchronize these background checks, you know, so 
that we can have one unified background check, in credentials, 
for workers, instead of, you know, multiplicity?
    Mr. Pistole. So, that's what----
    Senator Snowe. Admiral Cook, and Mr. Pistole?
    Admiral Cook. Well, Senator----
    Senator Snowe. Who's in charge on this one?
    Admiral Cook. I'll go ahead and----
    Senator Snowe. OK.
    Admiral Cook.--step up, Senator. But, I think the--you 
know, to answer your question, we're kind of at a pivotal time 
right now in the program, because the pilot reader program is 
being concluded. I don't know if you were in here when we 
mentioned it would--the Administrator mentioned that that data 
for the final report will be closed out at the end of this 
month. And then that report will come over to the Coast Guard, 
and that will be part of the background for our notice of 
proposed rulemaking to establish the readers.
    So, I think, you know, in terms of the GAO audit, the work 
that has already been put into the TWIC, we are on the verge of 
being able to exploit the fundamental biometric data that we 
all wanted to achieve. And I know that the industry, who has 
been--you know, used to having the TWIC cards just flash passed 
us for the last few years, is anxious to move to that phase. 
They understand there'll be some costs. They're anxious to 
participate and help us get it right. And I think that's what I 
can offer at this time.
    Senator Snowe. Well, is it going to be interoperable in any 
way? I mean, are you--talking about this, you know, electronic 
reader--is that all going to be interoperable with other 
systems within government, or is it going to be stove-pipe?
    Admiral Cook. The standards are--should be set, such that 
they were--have the ability to read several different kinds of 
cards. And that's the--that will be a plus, right there. The--
but, they'll be focused back to databases which relate to the 
TWIC, from what I understand right now. But, as I say, as a 
pivotal point, we can start integrating different aspects that 
the GAO has brought to our attention and that we already have 
some internal programs for.
    Senator Snowe. Well, is it--can we understand, then, that 
there's going to be harmonization of these security 
credentials, among agencies, or not? I guess that's the 
question.
    Mr. Pistole?
    Mr. Pistole. So, that's--Senator, that's one of the things, 
at least within the Department of Homeland Security, the 
Secretary is focused on, to ensure that, for example, just 
within TSA, we do vetting and credentialing for up to 15 
million people in 28 different categories. So, there's a lot of 
that just within what we're doing. And that's what the 
Secretary is focused on.
    Senator Snowe. Thank you.
    I ask unanimous consent to include my statement in the 
record, Mr. Chairman. Thank you.
    Senator Lautenberg. Without any objection, certainly.
    [The prepared statement of Senator Snowe follows:]

  Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine
    Thank you, Mr. Chairman for holding this hearing. As an original 
requestor of the GAO report presented today, I have great concerns 
about the Transportation Worker Identification Credential, or TWIC 
card, and the security of our nation's ports. For nearly a decade we 
have been grappling with many port security questions, and I think the 
report we see today identifies a need for review of current security 
practices. When we joined several of our colleagues to request this 
critical review of the TWIC, I believe you and I shared the view that 
when it comes to maritime security, we can, and must do better to 
protect our country's 360 ports and maritime facilities.
    Biometric identification cards for transportation workers were one 
of the first security challenges addressed by Congress following 
September 11 in the Aviation and Transportation Security Act of 2001. 
In subsequent years, the mandate for identification for port workers 
was amended several times to define the ID we now call the TWIC. Since 
2007, more than 1.7 million truckers, merchant mariners, longshoreman, 
and port workers have been issued these cards. Even the students at the 
Maine Maritime Academy have these $132 Federal security credentials to 
access the secure port facility on campus.
    Secure ID cards like the TWIC are vital in insuring that access to 
critical port facilities is restricted to known-persons. In 2004, 
President Bush issued Homeland Security Presidential Directive Number 
12, which among other things, required the Federal Government to 
establish a standard for ``secure and reliable forms of 
identification'' that must: (1) reliably identify an employee's 
identity, (2) be resistant to tampering or counterfeiting, (3) be 
rapidly authenticated electronically, and (4) be issued by providers 
whose reliability has been established. Unfortunately, we can see from 
today's report that the TWIC credential has failed on all counts.
    The truth of the matter is, the implementation of the TWIC card has 
not increased the level of security at our ports as designed, and has 
become another example of bureaucracy at its worst. Not only do the 
cards fail to accurately establish that transportation workers are who 
they say they are, they fail to work as designed, require an unwieldy 
process to obtain, and add yet another redundant credential to the list 
of federal security cards.
    Today's report indicates that the TWIC card may fail the first 
fundamental challenge of a security credential- accurately confirming 
the identity of the cardholder. GAO investigators were able to obtain 
TWIC cards by misrepresenting themselves as natural born U.S. citizens 
and by presenting forged birth certificates and drivers licenses. We're 
told that the documents presented can even be noted in the system as 
forgeries, but that these red flags are not accessible by the final 
adjudicator! Even if the TWIC processing center indicates a probable 
forgery, there is no path for review of the original documents 
presented.
    Even worse, the production of a false card does not seem to be 
beyond the capability of a common criminal. Since the cards are often 
used as ``flash passes'' where card holders simply wave the card at a 
gate agent, the cards only need a passing resemblance to the true card. 
GAO inspectors were able to enter port facilities with false cards, 
unchallenged on a number of occasions! The lack of digital verification 
of TWIC cards is a critical failure in ensuring the effective use of 
the credential, and we must move forward quickly in deploying cost 
effective, equipment designed for a marine environment.
    The TWIC cards have also so far failed to be rapidly authenticated 
electronically--most are worn as another badge, or presented for visual 
inspection, often from a distance of several feet. And the deployment 
of mobile readers suitable for ports has been slow at best. The 
substantial Federal investment of more than $400 million in the past 8 
years, combined with the industry investment of approximately $200 
million was designed to enhance and protect our nations ports, but I 
question if the program has been administered to provide the greatest 
security benefit.
    In the next year, a mandate for the use of TWIC card readers will 
begin to roll out, and we must ensure that we invest wisely in 
technology that will add to our security, and not just our bottom line. 
I would like additional information from our witnesses on the costs 
associated with the technology requirements, and how to best utilize 
the readers to maximize their security impact.
    The GAO report which we receive today also highlights significant 
concerns with the process used to vet applicants and reliably confirm 
the identity of individuals granted these security credentials. From 
asking workers to self identify a need for access to ports, and their 
place of birth, to incomplete verification of identity documents, it is 
clear that the security process for reviewing TWIC applicants has 
significant loopholes. I look forward to hearing from Administrator 
Pistole how TSA plans to address the concerns noted in the report.
    Frustratingly, this is not only a security problem; the two 
separate visits needed to process TWIC credentials has a impact on 
trucking, shipping, and port workers and managers. Workers must first 
take the time to visit the enrollment center nearest them, which in 
some cases may be many miles away. At this time, Maine has only two 
TWIC enrollment centers of 167 nationwide. Students from the Maine 
Maritime Academy must travel the 50 miles from Castine, where the 
Academy is located, to Bangor, where the nearest TWIC processing center 
is located to begin the application, and back to the center again 
several weeks later to activate and pick up their TWIC card. While most 
of these locations are at, or near busy ports, with a highly mobile 
work force, this is a poorly thought out process that does not mirror 
the distribution of other Federal documents like passports which can be 
mailed to applicants.
    Port workers, truckers, and other maritime professionals find 
themselves forced to obtain this additional security, often in addition 
to several other Federal issue identifications or endorsements. The 
TWIC is often carried in addition to Merchant Mariner Licenses, 
Merchant Mariner Credentials, and Commercial Drivers Licenses with 
Hazardous Materials Endorsements. How many times must the Federal 
Government screen and provide access credentials to a single 
individual? Can the departments of the Federal Government not work 
together to grant a single document to port and maritime workers to 
access and secure their workplace?
    In 2006, I offered an amendment to the SAFE Ports Act, which 
required GAO to look into these Federal background checks for 
credentials like these. While GAO and DHS identified several 
credentials which can use the same background check information, I 
believe we must take additional steps to reduce duplication of effort 
and the unnecessary repetition of these background checks. We must 
implement common sense reform to ensure efficiency and maximize cost 
savings--credentialing operations should be streamlined by reducing the 
number of redundant offices and procedures.
    I look forward to the testimony of today's witnesses, and I will be 
looking for information on how we can improve the credentialing 
process, the use of the card, and how we can adapt the use of the 
document to ensure the security of our nation's ports.
    Thank you, Mr. Chairman.

    Senator Lautenberg. And thank you, Senator Snowe, for your 
diligence in matters of security for our country, and 
particularly because the state of Maine has so much water 
access and ports that mean a lot. We thank you for your 
efforts.
    The questions that have arisen here are obviously a small 
number of the questions that actually exist. And we kind of 
feel like we're looking at a Rubik's Cube here. You know, you 
don't know where to start and quite where to stop. And we're 
talking about somewhat safer, but I wonder if that can be--if 
that sentence can end--or, that expression can end with 
``somewhat safer,'' because I think there's also larger risk 
accompanying this because of the fraudulent nature of things.
    And I ask, Mr. Pistole, when we know that GAO investigators 
were able to fraudulently obtain TWIC cards, use them for 
access to secure facilities--and these cards can be used to 
access literally thousands of facilities nationwide--so, what's 
being done to prevent fraudulently obtained cards from being 
used to access the airports, military bases? I think Senator 
Snowe was going there, as well. And can we do something that 
says, ``OK, these cards are good for limited use, limited time 
periods--reenrollment is the question that you raised--
biometric--I don't know--things that are visually protected. 
When I hear of the number of ineligibles that wanted to sign up 
for a card, it tells me that there is something really amiss in 
the basic structure.
    And I ask you, any one of you, what--has there been an 
assessment of the program of any significance since its 
origination, some years ago?
    Mr. Lord. Sure. We've, again, done a large body of work on 
this. I'd like to think we contributed to some better 
understanding of what some of the program's successes and 
weaknesses are. And when I think about this holistically, we're 
trying to apply this program, on a very large scale, in a so-
called one-size-fits-all manner. I think that when you do 
something of this magnitude, it's really important to design it 
very carefully, number one, and, two, make sure your staff are 
well trained in implementing it. In our report, that's 
essentially what we found wrong, that we found some design 
imperfections; some of the information they collect at the 
front end isn't acted upon; and some of the security guards and 
trusted agents, which are delegated a large responsibility for 
making this thing successful, they had some lapses. Some of our 
covert investigators used fraudulent documents and the trusted 
agents should have flagged them. I can't really discuss any of 
the details, because it's sensitive security information. But, 
you know, we found some holes at the front end and at the back 
end, when the security guards are looking at these things and 
letting people on their facilities.
    Senator Lautenberg. I'd almost like to ask that you--on a 
scale of 1 to 10, how comfortable we are with the progress that 
we've made, and this is not intended to be accusatory; it's 
intended to understand better where the problems are. I mean, 
the problems--we keep on, I think, discovering new problems as 
we move along here. And is the design an impossible one to make 
sense from? Or, what--anybody--I--you want to volunteer a quick 
opinion, Mr. Pistole?
    Mr. Pistole. Sure, Chairman.
    Senator Lautenberg. Admiral Cook?
    Mr. Pistole. No, I think this hearing has identified a lot 
of the challenges in trying to deploy a biometric card to a 
civilian population in--on a large-scale basis. And I think, 
although some progress has been made, it is clearly not what 
anybody intended, especially those going back to post-9/11. So, 
I have my own concerns. And that's why I've asked for the GAO 
to do, basically, a--just a top-to-bottom review to assess what 
that return on investment is.
    The thing that I do have some comfort in is that we largely 
know about those who are working in ports now, and docks. The 
fact that they have access to a dock doesn't mean they have 
access to the ship or anything else. I mean, there are 
obviously multiple layers of security, here. What I'm concerned 
about is the ease of using a fraudulent document. We know 
there's, you know, tens of thousands, perhaps 35,000 places in 
the country you can get a birth certificate, hopefully 
legitimate, but perhaps not. And if that's a breeder document, 
that's a document you're using to establish your bona fides; 
that makes it very difficult. The social engineering, which Mr. 
Lord referred to, simply having one of his folks--undercover 
officers go in and, you know, say, ''I have an appointment 
here,`` even though the card doesn't work, or, ''I need to use 
the restroom.`` So, that gets to this--to the training of the 
guards. And so, there--it is a complex issue.
    In answer to your question about 1-to-10, I would put it at 
a 3 right now.
    Senator Lautenberg. Either one of you--I'm going to go to 
my colleagues for a second round of questions--in response to 
my question--it sounds like what we've got--we've got a new 
idea: we'll make prisons without bars, and maybe that will help 
control behavior. I don't think we're quite getting there.
    Admiral Cook, do you----
    Admiral Cook. Senator, I would say that I'm anxious to move 
to a phase where I believe we'll provide--we'll wring out some 
of the uncertainty when we go to more biometrics. And the 
reason I would say I'm anxious is, we have anecdotal evidence, 
because we have a strong network, through our area maritime 
security committees, where we're in constant contact with the 
facility security officers, the actual people paid, on the 
waterfront facilities, by their companies, to maintain 
security. And we have feedback that things like pilferage and 
other small crimes have been reduced. I don't have statistical 
evidence. I'm just saying it's all anecdotal. So, I would like 
to move past the anecdotes, past the feeling of the area 
maritime security.
    Senator Lautenberg. Well, we agree.
    Admiral Cook. And that--so, that's where I am.
    Senator Lautenberg. Past the anecdotes. But, I'd like to 
move past the difficulties and the experiences that we've had.
    Mr. Lord, before I call on Senator Ayotte, do you have 
anything you want to volunteer, here?
    Mr. Lord. Again, a key program goal--I always like to go 
back to the program goals--there are four key program goals. 
One of them was to positively identify individuals applying for 
a TWIC. It's difficult to positively identify someone. What 
they do now is negatively identify. And all that means is, they 
run your fingerprints past the FBI criminal records checks, and 
if there's not derogatory information that comes back on that 
or the other database checks, you're given a TWIC card. You 
could say you're Joe Blow, essentially have your fingerprints 
run, name checked; as long as no derogatory information comes 
back, you could be provided a card. And that's not positively 
identifying; that's a negative ID. So, it costs more, up front. 
It's more rigorous. They have to make a judgment whether there 
are additional steps they can take, up front, to positively 
identify someone, like you do with a driver's license; you have 
to show them your electric bill, show them some proof of 
documentation that you're a resident in the state with that 
name. There's more rigor, up front, involved. But, it makes for 
a better system.
    Senator Lautenberg. Senator Ayotte.
    Senator Ayotte. Thank you, Chairman.
    I wanted to ask, as I understand it--and whoever's most 
appropriate to answer this question--that part of the screening 
process would be to match it up against the terrorist watch 
list. And this, of course, makes sense, in terms of making sure 
that those individuals on the list don't receive cards. So, 
that is part of the screening process. Is that right?
    Mr. Pistole. That's correct, Senator.
    Senator Ayotte. And have you ever had a situation where a 
TWIC applicant has actually been on the list--a known or 
suspected terrorist?
    Mr. Pistole. Yes.
    Senator Ayotte. Can you give us a sense on how frequently 
that has occurred?
    Mr. Pistole. So--infrequently, fortunately. And the actual 
number is sensitive security information. But----
    Senator Ayotte. Right.
    Mr. Pistole.--it's a small number, out of the 1.8 million. 
But, yes, we do have--and I can give you the exact number--but, 
we do have a small number of people who are on the watch list 
who have applied and been denied.
    Senator Ayotte. And if that occurs, is the process denial?
    Mr. Pistole. So, it would probably be denial. But, there 
may be an instance, because of the reason the person's on the 
watch list; and so we have to go back to the FBI or the 
intelligence community to see why they're on the watch list. Is 
there something--because, there are all different levels of 
reasons, whether it's material support, fund raisers, as 
opposed to bomb throwers. So, there may be something in there 
that would be mitigating.
    Senator Ayotte. So, is there a procedure in place to 
coordinate with other agencies--for example, the FBI--in terms 
of how you deal with someone on the watch list that applies for 
the TWIC?
    Mr. Pistole. Yes. So, there is. But, in the process of 
preparing for this hearing, I've found something that we can 
improve that I don't want to go into in an open hearing. But, 
yes, there is a vulnerability there that we need to address, 
both between us and with the FBI.
    Senator Ayotte. Is that something that we could learn about 
in a more appropriate----
    Mr. Pistole. Yes, absolutely.
    Senator Ayotte.--classified setting?
    Mr. Pistole. Sure.
    Senator Ayotte. Because, I think it's very important. 
Because, obviously, one of the issues we wanted to address, 
post-9/11, was the coordination among agencies----
    Mr. Pistole. Right.
    Senator Ayotte.--and making sure that, if we have that 
situation, that, if we need to create a situation where further 
intelligence-gathering has to occur, we're all working from the 
same page. So, I would really appreciate that answer in a more 
appropriate setting.
    Mr. Pistole. Absolutely. I'd be glad to do it after this, 
if you have time. But, yes.
    Senator Ayotte. Great. Thank you. I appreciate that.
    I also just wanted to share the concerns, as I understand, 
that have already been raised by my colleagues, and I raised in 
my opening statement, about figuring out a way where the 
multiple trips by the transportation workers to the enrollment 
centers, particularly those that live in areas that aren't so 
close to some of those centers. Is there a better way to do it? 
Can we do it in a more efficient way? And I know that many of 
my colleagues asked you about that, so I won't repeat that. 
But, I would echo their concerns.
    Mr. Pistole. Noted.
    Senator Ayotte. And finally, to the extent you haven't 
answered this, but if you can help me with it--when you're in a 
position where DHS is doing multiple screening processes--and 
you mentioned it in your opening statement--so, one facility, 
for example, could be going through one type of process, and 
that same facility may have to get a screening from you in 
another process. What is it that you are doing to eliminate 
those redundancies that--you know, one of the concerns--it's 
not just a cost issue of how much the redundancies cost on both 
the applicant and the government cost, but also, when you've 
got the right hand and the left hand, you can end up in 
confusion. So, if you could address that, I'd appreciate it.
    Mr. Pistole. Sure, Senator. So, there are a couple aspects 
to this. One is what we're doing, in terms of trying to limit 
the number of security threat assessments, the STAs, that would 
be done for somebody who has any type of government-issued ID 
that gives them access to something. So, we--15 million people, 
that I've mentioned, in the private sector, that we do some 
type of background and credentialing for them--so, do they--if 
they have, for example, a TWIC card, a hazardous material 
endorsement card, if they're an aviation worker--have access, 
or something--any number of things--and, of course, different 
things for other components--can we use that STA, that security 
threat assessment, that would apply to all of those? So, that's 
something that we're working through, just to streamline, make 
more efficient.
    In terms of the enrollment, I know, between Coast Guard and 
TSA, we have consolidated some centers. So--and I would defer 
to the Coast Guard, in terms of the details of that--where a 
person would be able to go into a TWIC enrollment center and 
apply for something that would be a Coast Guard card. And so--
--
    Senator Ayotte. Can you help me, also, in thinking about 
this--is there one universal standard, or are there multiple 
standards that--and can we move, in appropriate settings, to 
one universal standard for, obviously, similarly situated 
settings for threat?
    Mr. Pistole. So, there's not----
    Senator Ayotte. That would seem simpler, from----
    Mr. Pistole. Right.
    Senator Ayotte.--a government perspective.
    Mr. Pistole. Yes. And that would be--and it would be good 
for industry in many respects. But, for example, the criteria 
and standards that would be used--that we use on a national 
level for TWIC cards is a different standard than individual--
450 airports, for the--what they call the SIDA, the S-I-D-A, 
access--so--which are issued locally by each airport--and so, 
there--there's not constituency there. And then--so, there are 
a number of issues that we could peel back on that that would 
be helpful, that we are moving to try to address. There are a 
number of challenges there.
    Senator Ayotte. Well, you know, I appreciate that this is 
challenging. And I hope that, to the extent we can, we do move 
to a universal screening process for those that are in the same 
category. I can recognize that there may be additional 
screening for those in different categories, depending on the 
amount of risk that could be incurred, based on the activity.
    Mr. Pistole. Exactly.
    Senator Ayotte. But, it seems to me that that would be a 
better way to rank it and rate it, based on risk of activity, 
with screening, so that we could use our resources more 
efficiently in a universal standard.
    Mr. Pistole. Agreed. Agreed.
    Senator Ayotte. So----
    Senator Lautenberg. The record will be open for further 
submissions.
    Senator Ayotte. Great.
    Thank you very much.
    Senator Lautenberg. I would ask a question, here, related 
to something Senator Ayotte was talking about, about trying to 
define risks regarding the individual who's applying for the 
card. But, I go further, and it's said, and I'm sure you're all 
aware, that New Jersey is home to the most at-risk area for a 
terrorist attack in the United States. The FBI said, the 
distance from the Newark Airport to the harbor is the most 
dangerous 2 miles in the country for a terrorist attack. There 
are 12 million people within a short radius of that area. So, 
shouldn't the TSA, Mr. Pistole--and either one of you, as 
well--prioritize these high-risk areas for TWIC funding and 
implementation, and move on these things in some kind of 
priority basis?
    Mr. Pistole. Chairman, I think it--yes, exactly. And the--
part of this fits in with what we are doing with what we're 
describing as a risk-based security initiative, and it applies 
as much to aviation as anything. But, that--this fits within 
that--that we expedite those in those high-risk areas, 
recognizing, similar to the Transportation Security Grant 
Program, that there are a lot of different opinions about how 
those funds should be allocated. There's also different 
priorities, depending on what outcome you're trying to achieve. 
So, clearly, those who have access to the most sensitive high-
risk areas should be expedited, and we'll take that back.
    Senator Lautenberg. Thank you.
    This hearing is to be adjourned. And we will keep the 
record open. And I ask that, within some degree of promptness, 
that responses be given in writing.
    And I thank you, Senator Ayotte, for being here and for 
your questions.
    Thank all of you.
    [Whereupon, at 4 p.m., the hearing was adjourned.]
                            A P P E N D I X

    Response to Written Questions Submitted by Hon. Bill Nelson to 
                          Hon. John S. Pistole
    Question 1. What specific efforts have been made to partner with 
the states to ensure that TSA is granted access to states' criminal 
records, and guarantee that important information is not being 
neglected from background checks?
    Answer. The Department of Homeland Security, including the 
Transportation Security Administration (TSA), recognizes that there is 
additional information at the state level not available currently via 
the criminal history records information provided from the Department 
of Justice, Federal Bureau of Investigation (FBI).
    TSA has worked with the states, FBI and the National Crime 
Prevention and Privacy Compact Council to convene working groups to 
identify possible solutions to receive data directly from other states 
and to identify a standard, automated, cost efficient and effective 
solution. TSA discovered multiple problems with obtaining information 
directly from the states:

        a. The states have varying data systems, legal and practical 
        constraints, and TSA would likely be required to develop and 
        build a unique solution for each state in order to request data 
        directly for each Security Threat Assessment (STA) case. To 
        minimize these problems, TSA has discussed with the states an 
        option of defining one common technical solution through which 
        states could send their data directly to TSA. TSA is pursuing 
        this effort as part of the Transportation Threat Assessment and 
        Credentialing (TTAC) Infrastructure Modernization (TIM) 
        program, which was established to standardize and consolidate 
        TSA's security threat assessment systems.

        b. Because many transportation workers have resided in and 
        continually travel across multiple states, requesting and 
        receiving state level data from only an applicant's state of 
        residence or enrollment may miss criminal history in other 
        states.

        c. Some states may require additional fees to request and 
        receive information directly, rather than using the FBI's 
        system. Most TSA STA programs are primarily funded via user 
        fees and this additional cost could dramatically increase the 
        fees charged to workers.

    For all these reasons, TSA has determined that using the 
established FBI Interstate Identification Index (III) system to request 
and receive data from all states would be the most effective and 
efficient solution. State level criminal history data may be accessed 
via the III system managed by the FBI. The extent of access to state 
level data is based on the purpose for the data request; however, a 
program must be deemed to have a criminal justice purpose in order to 
receive the full breadth of Criminal History Records Information (CHRI) 
available from all 50 states and the District of Columbia. Many states 
may not upload all available information into the FBI biometric system 
made available to TSA today, and many states do not provide their III 
records for ``non-criminal justice'' activities.
    The Department of Justice has deemed that TSA's security threat 
assessments for TWIC and other similar programs are non-criminal 
justice activities. As a result, TSA is effectively provided the same 
access as an employer, and does not receive all available information. 
Additionally, TSA is not authorized to request subsequent CHRI for the 
purpose of conducting recurrent criminal background checks without a 
submission of new fingerprints from the individual.
    To provide the most robust recurrent vetting against criminal 
history records, TSA needs full access to CHRI similar to the access 
granted to criminal justice agencies and law enforcement officers. TSA, 
in coordination with the Department of Homeland Security (DHS), has and 
will continue to work with the FBI, the National Crime Prevention and 
Privacy Compact Council, and states to expand access to the CHRI.

    Question 2. The TWIC program currently does not make an effort to 
ensure that its holders are legally permitted to work under our 
immigration laws. Our immigration system is largely administered by the 
same department in which TSA is contained, the Department of Homeland 
Security, and it's no secret that individuals are permitted to work for 
different lengths of time, and that visas expire. Why doesn't the TWIC 
program reflect the reality of our immigration laws?
    Answer. The design of the Transportation Worker Identification 
Credential (TWIC) vetting program seeks to ensure consistency with 
current immigration laws, including the need to accommodate visa 
holders who receive an extension to their stay.
    TWIC leverages the capabilities of the Department of Homeland 
Security (DHS) as related to immigration. TWIC applicants who are not 
U.S. citizens undergo an immigration check using the U.S. Citizenship 
and Immigration Services (USCIS) Systematic Alien Verification for 
Entitlements (SAVE) data base. This check reviews an applicant's 
immigration status using TWIC-eligible immigration categories, 
developed as part of the rulemaking effort, that include visa 
categories that relate to working in the maritime industry. If the 
immigration check reveals information demonstrating that the individual 
is not in a TWIC-eligible immigration category, the individual is 
determined to be ineligible. If the check indicates that the individual 
may be in the U.S. illegally or improperly, the individual is 
determined ineligible and the Transportation Security Administration 
(TSA) coordinates with immigration authorities to take appropriate 
action.
    Input from industry and stakeholders strongly suggested that 
linking the TWIC expiration date to a non-U.S. citizen's visa 
expiration date would be problematic. Industry feedback focused on 
minimizing the disruption to ports and the flow of commerce when a non-
U.S. citizen's visa date was extended, as frequently happens. 
Electronic security features on the current TWIC make it impossible to 
extend the expiration date to reflect the extension of the visa. 
Furthermore, the TWIC expiration date is printed on the card. If the 
TWIC expiration was tied to the original visa expiration, the TWIC 
holder would have to assume the cost and process to get a new TWIC each 
time the visa was extended, or each time the individual came to the 
U.S. to conduct business. The ports would incur the economic cost of 
the individual's inability to access secure areas.
    As an alternative, the determination was made that individual 
employers--at the local level--should track the visa information on 
their non-immigrant employees, as they are required to do by law 
already, independent of TWIC. Per the TWIC regulation, individual TWIC 
holders are responsible for returning their TWICs if they no longer 
meet eligibility requirements and employers are responsible for 
collecting an individual's TWIC upon the expiration of his/her work 
visa.
    TSA believes believe the current process strikes a reasonable 
balance between ensuring only those who are in lawful status to work in 
the U.S. have access to regulated facilities and the need to 
accommodate business needs when visa holders receive an extension to 
their stay. Changing the requirement for the TWIC expiration date would 
entail significant changes to the current system and processes, 
including close integration with other DHS components and the 
Department of State, as well as oblige the TWIC holder to incur 
additional costs to obtain new credentials correlated with the duration 
of the individual's visa.

    Question 3. The contractors running the TWIC program have only 
denied one application that came under their discretionary review 
authority. What sort of oversight is there for the 460,786 other 
applicants who were flagged by the first check, but ultimately granted 
TWICs? Is there any follow up to insure that the proper judgment was 
made about those individuals?
    Answer. The Transportation Worker Identification Credential (TWIC) 
program employs contractors for the TWIC enrollment and operations, and 
separate contractors to assist with the high volume of TWIC 
applications to review background check information. The Transportation 
Threat Assessment and Credentialing (TTAC) staff makes the vast 
majority of initial denial decisions and all final denial decisions. 
The majority of the 460,786 approvals listed were made by the 
contractor after review of the background check information. TTAC 
provides a four-phased training program to all new adjudicators, both 
contractors and Federal employees, during which time the trainees are 
constantly evaluated. In order for a trainee to obtain status as a 
self-approver, he/she must pass a test administered by the government. 
After a trainee has been approved to be a self-approver, the government 
maintains a quality assurance process, where 5 to 10 percent of each 
self-approver's decisions are randomly reviewed each day to identify 
potential errors.
    It is important to note that the statement from GAO concerning the 
adjudicator's denial of ``one application that came under their 
discretionary review authority'' relates to a sentence in the TWIC 
regulations (49 CFR 1572.107(b)) that permits the Transportation 
Security Administration (TSA) to disqualify an applicant for 
``extensive foreign or domestic criminal convictions; a conviction for 
a crime not listed in 1572.103; or a period of foreign or domestic 
imprisonment that exceeds 365 consecutive days.'' TSA created this 
provision to cover the unusual circumstance of an applicant who 
appeared to pose a distinct ``terrorism security risk'' called for by 
the statute (46 U.S.C. 70105), but did not have serious criminal 
convictions listed on the specific list of disqualifying offenses. TSA 
never intended this provision to cover petty or frequent violators of 
the criminal code who, while perhaps untrustworthy and deceitful, did 
not pose a ``terrorism security risk.'' TSA intended for the list of 
criminal disqualifiers and periods for disqualification that are set 
forth by statute and regulation to be the primary list we would use to 
evaluate an applicant as to criminal history. (In fact, as of March 
2011 TSA has denied TWICs to 35,661 out of 1.8 million applicants.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 
                          Hon. John S. Pistole
    Question 1. It was discovered last week that Al Qaeda was planning 
an attack on a U.S. rail line. To date, TSA's efforts on rail security 
have been delayed, incomplete and nearly nonexistent compared to 
aviation security. In light of this new plot, what immediate steps are 
you taking to increase rail security measures?
    Answer.
Mass Transit and Passenger Railroad Security
    In response to the news that Al Qaeda was planning an attack on a 
U.S. rail line, the Transportation Security Administration (TSA) held 
teleconference calls with the Transit Policing and Security Peer 
Advisory Group (PAG) on Monday, May 2, 2011, and Friday, May 6, 2011. 
The PAG was established under the Sector Coordinating Council structure 
and serves as a vital component for the mass transit industry.
    On the May 2 call, TSA encouraged all public transportation 
agencies to ramp up visible deterrence measures, and promoted the value 
of conducting unscheduled Regional Alliances including Local, State, 
and Federal Effort (RAILSAFE) operations.
    During the May 6 call, the PAG members discussed increased rail 
security measures that their respective public transportation systems 
were implementing. Such measures include:

   Maintaining high levels of K9 units deployed, including 
        vapor-wake teams on Amtrak trains

   Special briefings of engineers/track employees to emphasize 
        reporting of suspicious activity along Right of Way

   Implementing special operations deployments

   Participating in Visible Intermodal Prevention and Response 
        (VIPR) Team missions in critical locations

   Deploying Anti-Terrorism Teams

   Sending out awareness notices urging vigilance to transit 
        police and employees

   Emphasizing the ``See Something, Say Something'' campaign

   Adding extra police patrols over the weekend

    In addition to the independent security actions taken above, the 
public transportation agencies across the United States conducted a 
RAILSAFE exercise on Tuesday, May 5, 2011, which was stood-up in less 
than 24 hours, and involved over 90 agencies across 29 states and the 
District of Columbia, incorporating over 1,000 officers.
    Going forward, TSA will continue Security Awareness messages and 
Operational Deterrence Programs, which include training, public 
awareness, K9 units, and VIPR Teams. The focus will shift from extended 
periods of time to shorter periods, such as months or weeks. TSA 
encourages continuing RAILSAFE operations on a random basis to prepare 
for various security threats.
Freight Rail
    For nearly a decade, the freight rail industry, with guidance and 
assistance from TSA, has taken steps to reduce vulnerabilities within 
the freight rail network, specifically, the vulnerability of 
potentially dangerous cargoes. The industry has sought to raise the 
baseline of security by emphasizing employee training and awareness, 
and by instituting fundamental changes to daily processes that 
emphasize deterrence and increase the likelihood of detection of 
potential acts of terrorism.
    Regarding the most recent intelligence that Al Qaeda had plans to 
attack trains or railroad infrastructure, the information garnered was 
non-specific and general in nature. As such, TSA immediately 
communicated with the freight railroad industry and advised them to 
continue a state of vigilance and awareness. The success of this 
increased vigilance was evidenced by the increase in reporting of 
suspicious incidents detected throughout the railroad industry.
    In summary, TSA will continue to work closely with the freight 
railroad industry to ensure appropriate processes are in place that 
will enable them to meet emerging threats and continue to improve the 
baseline of security in the industry.

    Question 2. The TWIC program has more than one point eight (1.8) 
million people enrolled across the country, from crane operators to 
Alaskan fishermen. All of these applicants have access to secure 
facilities throughout the United States with their TWIC cards. Plus, 
the current enrollment process doesn't even check to see if these 
applicants legitimately need access to secure facilities. Are you 
confident that the TWIC program is making our ports more secure?
    Answer. The Transportation Security Administration (TSA) is 
confident that the Transportation Worker Identification Credential 
(TWIC) program has made the United States' ports more secure. Although 
the 1.8 million workers who have been issued TWICs are eligible to be 
granted unescorted access to secure areas of regulated facilities and 
vessels, they are not entitled or allowed to enter secure areas of 
facilities and vessels without the permission of the owners or 
operators of those facilities.
    Prior to the implementation of TWIC, the identity document 
requirements for access to secure areas of ports and vessels were 
dependent on each facility's Facility Security Plan. Facilities often 
accepted a number of documents such as a driver's license, passport, 
state ID, port/facility specific security card, or a Z-card (now 
Merchant Mariner Credential). Without uniform credential issuance 
processes, most facilities were unable to positively authenticate the 
identity of an individual or determine the authenticity of the identity 
documents presented. There also were no universal methods for 
determining if a once-valid credential holder were no longer eligible 
for access privileges, or to effectively revoke an individual's access 
permissions or credentials. TWIC enhances maritime security by 
providing one standardized biometric credential, removing the need to 
have security personnel discern the authenticity of multiple identity 
documents. In addition, TWIC standardized the security threat 
assessment (STA) conducted on workers in these secure areas to include 
comprehensive terrorism, criminal history, and immigration checks.
    In advance of a rule requiring reader use, ports are now made more 
secure by readers installed and in use through the recently completed 
TWIC reader pilot; the voluntary installation and use of readers at 
many facilities; and the more than 200 portable readers used by Coast 
Guard personnel to check TWICs during routine facility inspections. The 
use of these readers confirms that a valid TWIC is present, that it has 
not expired, and that it has not been revoked. In the biometric mode, 
the worker's identity is confirmed. Port security will continue to be 
enhanced as more electronic readers are put into use at secure 
facilities and vessels around the country.

    Question 3. When the TWIC program expanded nationwide, most cards 
were issued within a short period of time--and most of those cards are 
set to expire in 2012. What is TSA doing to work with labor and 
industry to prepare for the expiration of the current credentials?
    Answer. The Transportation Worker Identification Credential (TWIC) 
enrollments began in October 2007 when enrollment centers were phased 
in nationwide. Over the eighteen month period from October 2007 until 
the national compliance date of April 15, 2009, 1.1 million people 
applied for a TWIC. The Security Threat Assessment and associated TWIC 
for each applicant must be renewed every 5 years, for the credential to 
remain valid. Therefore, the expiration dates for the initial 
population of TWIC holders is spread out from October 2012 to April 
2014 (5 years after the national compliance date). Preparations are 
being made in advance of the impending initial five-year renewal cycle. 
The Transportation Security Administration (TSA) is in the process of 
developing policies and procedures that will ensure a smooth renewal 
phase for the transportation workers who rely on this card to do their 
jobs. TSA's enrollment services contract provides for increased hours 
and days of operation, and additional equipment and personnel to meet 
fluctuating demands for service. These procedures both minimize the 
operational impact at TWIC enrollment centers, and ensure that 
individuals who have completed the redress process are not required to 
repeat the process when no new criminal information is found. This 
approach will help expedite adjudication during the expected surge in 
renewal enrollments. Throughout this process, TSA will continue to 
engage the stakeholder community in order to minimize the impact of the 
renewal cycle on affected workers.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Jim DeMint to 
                          Hon. John S. Pistole
    Question 1. From GAO's ``TWIC Security Review'' (GAO-11-657):
    ``While TSA does not track metrics on the number of TWICs provided 
to applicants with specific criminal offenses not defined as 
disqualifying offenses, as of September 8, 2010, the agency reported 
460,786 cases where the applicant was approved, but had a criminal 
record based on the results from the FBI. This represents approximately 
27 percent of individuals approved for a TWIC at the time. In each of 
these cases, the applicant had either a criminal offense not defined as 
a disqualifying offense or an interim disqualifying offense that was no 
longer a disqualification based on conviction date or the applicant's 
release date from incarceration. Consequently, based on TSA's 
background checking procedures, all of these cases would have been 
reviewed by an adjudicator for consideration as part of the second-
level background check because derogatory information had been 
identified. As such, each of these cases had to be examined and a 
judgment had to be made as to whether to deny an applicant a TWIC based 
on the totality of the offenses contained in each applicant's criminal 
report.
    While there were 460,786 cases where the applicant was approved, 
but had a criminal record, TSA reports to have taken steps to deny 1 
TWIC applicant under this authority.''
    Does the TSA track metrics on the number of TWICs provided to 
applicants with specific offenses defined as disqualifying offenses? If 
so, how many TWICs have been provided to such applicants? Is it 
accurate to conclude that an applicant with specific offenses defined 
as disqualifying offenses may only be provided a TWIC after receiving a 
waiver?
    Answer. As of March 2011, TSA has enrolled and vetted over 1.8 
million maritime workers. As a result of DHS's rigorous vetting 
process, 35,661 individuals were denied from receiving a TWIC. To 
clarify the quoted statement from the GAO report in the second 
paragraph of the question, that only 1 applicant has been denied a TWIC 
``under this authority'', the authority is the 49 CFR 1572.107(b) 
provision of the TWIC regulation. This provision permits the 
Transportation Security Administration (TSA) to disqualify an applicant 
for ``extensive foreign or domestic criminal convictions; a conviction 
for a crime not listed in 1572.103; or a period of foreign or domestic 
imprisonment that exceeds 365 consecutive days.'' TSA created this 
provision to cover the unusual circumstance of an applicant who 
appeared to pose a distinct ``terrorism security risk'' called for by 
the statute (46 U.S.C. 70105), but did not have serious criminal 
convictions listed on the specific list of disqualifying offenses. TSA 
never intended this provision to cover petty or frequent violators of 
the criminal code who, while perhaps untrustworthy and deceitful, did 
not pose a ``terrorism security risk.'' TSA intended for the list of 
criminal disqualifiers and periods for disqualification that are set 
forth by statute and regulation to be the primary list we would use to 
evaluate an applicant as to criminal history.
    TSA tracks metrics on the number of Transportation Worker 
Identification Credentials (TWICs) provided to applicants, with 
specific offenses defined as disqualifying, who apply for an appeal or 
waiver. TSA approved 44,444 appeal requests and 7,962 waiver requests 
as of June 5, 2011, that involve disqualifying criminal offenses.
    An applicant, with specific offenses defined as disqualifying may 
also be provided a TWIC after approval of his/her request for an appeal 
where the applicant is able to prove that the disqualifying offense is 
out of scope (conviction is greater than 7 years old and release from 
incarceration on that disqualifying offense is greater than 5 years 
old), the conviction was later reversed on appeal, the applicant is not 
the person who committed the offense, or other fact that shows that the 
disqualifying offense standards have not been met.

    Question 2. How many applicants with the following criminal 
offenses as part of their backgrounds have been issued TWICs through a 
waiver process?
    a. A crime involving a transportation security incident. A 
transportation security incident is a security incident resulting in a 
significant loss of life, environmental damage, transportation system 
disruption, or economic disruption in a particular area, as defined in 
46 U.S.C.  70101. The term economic disruption does not include a work 
stoppage or other employee-related action not related to terrorism and 
resulting from an employer-employee dispute.
    Answer. 4 waivers approved

    Question 2b. Improper transportation of a hazardous material under 
49 U.S.C. 5124, or a state law that is comparable.
    Answer. 22 waivers approved

    Question 2c. Unlawful possession, use, sale, distribution, 
manufacture, purchase, receipt, transfer, shipping, transporting, 
import, export, storage of, or dealing in an explosive or explosive 
device. An explosive or explosive device includes, but is not limited 
to, an explosive or explosive material as defined in 18 U.S.C.  
232(5), 841(c) through 841(f), and 844(j); and a destructive device, as 
defined in 18 U.S.C.  921(a)(4) and 26 U.S.C.  5845(f).
    Answer. All crimes involving explosives, explosives devices, and/ 
or other lethal devices are classified in the same manner. 89 waivers 
approved

    Question 2d. Murder.
    Answer. 564 waivers approved

    Question 2e. Making any threat, or maliciously conveying false 
information knowing the same to be false, concerning the deliverance, 
placement, or detonation of an explosive or other lethal device in or 
against a place of public use, a state or government facility, a public 
transportations system, or an infrastructure facility.
    Answer. All crimes involving explosives, explosives devices, and/ 
or other lethal devices are classified in the same manner. Question c. 
and e. are tracked as one metric with a total of 89 waivers approved 
for all explosive crimes.

    Question 2f. Violations of the Racketeer Influenced and Corrupt 
Organizations Act, 18 U.S.C.  1961, et seq., or a comparable state 
law, where one of the predicate acts found by a jury or admitted by the 
defendant, consists of one of the crimes listed in paragraph 49 C.F.R. 
 1572.103(a).
    Answer. All crimes involving Violations of the Racketeer Influenced 
and Corrupt Organizations Act are classified in the same manner. 26 
waivers approved

    Question 2g. Attempt to commit the crimes in paragraphs listed 
under 49 C.F.R.  1572.103(a)(1) through (a)(4).
    Answer. Attempts to commit the crimes in paragraphs listed under 49 
C.F.R.  1572.103(a)(1) through (a)(4) are not tracked separately.

    Question 2h. Conspiracy or attempt to commit the crimes in 49 
C.F.R.  1572.103(a)(5) through (a)(10).
    Answer. Conspiracy or attempt to commit the crimes in 49 C.F.R.  
1572.103(a)(5) through (a)(10) are not tracked separately.

    Question 2i. Unlawful possession, use, sale, manufacture, purchase, 
distribution, receipt, transfer, shipping, transporting, delivery, 
import, export of, or dealing in a firearm or other weapon. A firearm 
or other weapon includes, but is not limited to, firearms as defined in 
18 U.S.C.  921(a)(3) or 26 U.S.C.  5845(a), or items contained on the 
United States Munitions Import List at 27 C.F.R.  447.21.
    Answer. 942 waivers approved

    Question 2j. Extortion.
    Answer. 6 waivers approved

    Question 2k. Dishonesty, fraud, or misrepresentation, including 
identity fraud and money laundering where the money laundering is 
related to a crime described in 49 C.F.R.  1572.103(a) or (b). Welfare 
fraud and passing bad checks do not constitute dishonesty, fraud, or 
misrepresentation for purposes of this paragraph.
    Answer. 922 waivers approved

    Question 2l. Bribery.
    Answer. 12 waivers approved

    Question 2m. Smuggling.
    Answer. 9 waivers approved

    Question 2m. Immigration violations.
    Answer. 0

    Question 2o. Distribution of, possession with intent to distribute, 
or importation of a controlled substance.
    Answer. 2,968 waivers approved

    Question 2p. Arson.
    Answer. 61 waivers approved

    Question 2q. Kidnapping or hostage taking.
    Answer. 24 waivers approved

    Question 2r. Rape or aggravated sexual abuse.
    Answer. 281 waivers approved

    Question 2s. Assault with intent to kill.
    Answer. 4 waivers approved

    Question 2t. Robbery.
    Answer. 552 waivers approved

    Question 2u. Fraudulent entry into a seaport as described in 18 
U.S.C.  1036, or a comparable state law.
    Answer. 0 waivers approved

    Question 2v. Violations of the Racketeer Influenced and Corrupt 
Organizations Act, 18 U.S.C.  1961, et seq., or a comparable state 
law, other than the violations listed in paragraph 49 C.F.R.  
1572.103(a)(10).
    Answer. All crimes involving Violations of the Racketeer Influenced 
and Corrupt Organizations Act are classified in the same manner. 
Question f. and v. are tracked as one metric with a total of 26 waivers 
approved for all RICO crimes.

    Question 2w. Conspiracy or attempt to commit the interim 
disqualifying felonies.
    Answer. Conspiracy or attempt to commit interim disqualifying 
felonies are not tracked separately.

    Question 3. From GAO's ``TWIC Security Review'' (GAO-11-657):
    ``TSA regulations provide that in determining whether to grant a 
waiver, TSA will consider: (1) the circumstances of the disqualifying 
act or offense; (2) restitution made by the applicant; (3) any Federal 
or state mitigation remedies; (4) court records or official medical 
release documents indicating that the applicant no longer lacks mental 
capacity; and (5) other factors that indicate the applicant does not 
pose a security threat warranting denial of a hazardous materials 
endorsement or TWIC.''
    These criteria generally, and (5) in particular, seem to grant 
broad latitude to TSA to grant TWICs to convicted felons. Please detail 
for the committee the guidance you have provided to your staff 
regarding the granting of waivers for disqualified individuals.
    Answer. The waiver review regulation is designed to provide a 
framework, for subjective assessment of whether the Transportation 
Worker Identification Credential (TWIC) applicant has overcome the 
presumption that he/she poses a security risk, for reviewing the 
totality of the TWIC applicant's criminal background and circumstances. 
The Transportation Security Administration (TSA) has maintained 
extensive communication between TSA's Office of Chief Counsel (OCC) and 
Office of Transportation Threat Assessment and Credentialing (TTAC) to 
develop guidelines and training materials to accomplish waiver reviews 
and make waiver determinations. Each waiver request is assessed by 
obtaining and reviewing information from the applicant as well as 
pertinent law enforcement, legal, business, and community officials. 
Once sufficient material has been obtained and reviewed, a 
recommendation to grant or deny the waiver is made to the appropriate 
TTAC decisionmaking official, and the TTAC official makes the waiver 
decision.
    According to 46 U.S.C. 70105(c)(2), TSA must develop a waiver 
program and give ``consideration to the circumstances of any 
disqualifying act or offense, restitution made by the individual, 
Federal and State mitigation remedies, and other factors.''
    TSA proposed a list of disqualifying offenses and did not limit the 
crimes that are eligible for a waiver in its initial notice of proposed 
rulemaking, which was subject to broad public comment, and included 
consultation with the Department of Justice as part of the rulemaking 
process. Many comments asserted that criminal history generally does 
not give rise to the ``terrorism security risk,'' as called for by the 
statute, and the list of disqualifying offenses should be much shorter 
than TSA's proposed list. Many feared that too many workers would be 
disqualified, and commerce and small businesses would suffer 
significantly as a result. Thus, TSA balanced a variety of important 
legal and policy issues in arriving at the current policy.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Roger F. Wicker to 
                          Hon. John S. Pistole
    Question 1. What steps were taken to identify security 
vulnerabilities in the TWIC program before it was implemented?
    Answer. The Transportation Worker Identification Credential (TWIC) 
program followed the principle of establishing a chain-of-trust from 
the initial enrollment of an applicant to delivery of their TWIC. Best 
practices from other credentialing programs were reviewed and adopted 
as appropriate. Integrating document authenticating scanner technology 
to assist in identifying counterfeit documents, such as driver licenses 
and passports, and comparing a new applicant's fingerprints to those of 
previous applicants, to catch an attempt to enroll more than once, are 
two examples of adopting best practices from other programs.
    The secure card technology and issuance procedures for a TWIC are 
very similar to the standards developed for government workers and 
contractors, specified for the Personal Identity Verification (PIV) 
card. The physical security features on the card meet the highest 
levels of counterfeit resistance specified by the Government. The 
procedures for issuing the TWIC ensure that the card is only delivered 
to its rightful holder.

    Question 2. The information encoded in the TWIC cards includes 
sensitive information about the cardholders, including information that 
could be used to profile cardholders. What steps are taken to protect 
this information from being leaked to third parties?
    Answer. Protecting personal privacy is a key component of the 
Transportation Worker Identification Credential (TWIC) program's 
mission statement. TWIC includes limited personal information contained 
on the card. The TWIC contains only three elements of personal 
information: name, facial photograph, and fingerprint templates for two 
fingerprints. The cardholder's name is printed on the card and encoded 
on the Integrated Circuit Chip (ICC) so that it may be freely read by a 
card reader. The facial photograph is also printed on the card and 
encoded on the ICC. However, it is encoded on the ICC such that it is 
protected from being viewed by a card reader without a Personal 
Identification Number (PIN)--selected by, and known only to, the 
cardholder. The fingerprint templates are stored in two locations on 
the card to facilitate use by either a TWIC reader or a Personal 
Identity Verification card reader. In the first case, the algorithm is 
encrypted to prevent disclosure of the template if an attempt is made 
to ``skim'' (i.e., the practice of intercepting information from a 
smart card using a device without the knowledge of the card holder) the 
card using radio-frequency technology. To decrypt the algorithm, a 
cardholder must physically ``swipe'' or insert his/her card into a 
reader. Thus, an un-encrypted fingerprint template cannot be obtained 
without the cardholder's action. In the second case, the algorithm is 
available only after entering a PIN.
    Note: A fingerprint template is a compact digital representation of 
distinct characteristics derived from a fingerprint image. Fingerprint 
templates are used as the basis for comparison during biometric 
authentication.

    Question 3. After the Agency addresses the problems cited by the 
GAO report, how will it evaluate those remediation steps to determine 
that they close the gaps the GAO identified?
    Answer. The Transportation Security Administration (TSA) is 
currently working to initiate the recommended controls assessment of 
the Transportation Worker Identification Credential (TWIC) program. As 
part of this assessment, a method will be established for each control 
enhancement that defines how TSA will monitor the effectiveness of the 
change. While the evaluation technique will depend on the remediation 
method, TSA plans to continue unannounced system and operational audits 
regarding key security areas. In addition, reporting mechanisms will be 
created that will assist TSA in ensuring that any new security 
procedures are being followed.

    Question 4. Robust and effective cybersecurity and the protection 
of freight information systems are important elements in port security 
for the United States. Among other important goals of port security are 
the ability to reliably and economically detect weapons of mass 
destruction that may be hidden in containers and cargo. Additionally it 
is important to verify the trustworthiness of foreign shippers. The 
compromise of data and information systems that relate to these 
vulnerabilities would represent critical risks to national security. 
Has the cybersecurity of port security systems, and related freight 
information, been addressed?
    Answer. Yes. All U.S. Customs and Border Protection (CBP) systems, 
including port security systems, abide by the Federal Information 
Security Management Act (FISMA) of 2002. FISMA requires each Federal 
agency to develop, document, and implement an agency-wide program to 
provide information security for the information and information 
systems that support the operations and assets of the agency. CBP has 
developed a robust Certification and Accreditation program to align 
with the goals and objectives of FISMA. Additionally, the Security and 
Technology Policy Branch ensures that port security systems align with 
DHS Sensitive Systems Policy Directive 4300A and CBP Information 
Systems Security Policies and Procedures Handbook 1400-05D.
    The National Cyber Security Division (NCSD), within the National 
Protection and Program Directorate's Office of Cybersecurity and 
Communications, is working with its public and private sector partners 
to address industrial control systems security and general 
cybersecurity at port and shipping facilities. Its Control Systems 
Security Program (CSSP) provided resources to conduct high-level 
assessments in Boston, Houston, and Norfolk. The assessment reports are 
still in development. Using the Cyber Security Evaluation Tool, CSSP 
will be conducting evaluations at ports and terminals located at the 
top ten facilities, based on a ranking by the Department of 
Transportation's Bureau of Transportation Statistics, as well as Maersk 
Shipping. In 2009, CSSP conducted several evaluations of freight rail 
facilities, as well as a port facility in Saipan, Commonwealth of the 
Northern Mariana Islands.

    Question 5. What evaluations, assessments, and tests have been 
performed to determine whether other port security systems under the 
agency's purview, such as freight information systems, can be 
compromised as readily as the GAO was able to with the TWIC program?
    Answer. CBP employs a defense-in-depth approach to security. As a 
component of FISMA, a detailed and thorough Security Test and 
Evaluation (ST&E) of port security systems is conducted. Testing 
includes personal interviews, scans of workstations, websites and data 
bases, and a physical site assessment to find and mitigate potential 
vulnerabilities. Additionally, CBP site risk assessments are performed 
to evaluate the site's security posture. Risk assessments are performed 
continuously throughout the calendar year. Each port security system 
also has a dedicated Information Systems Security Officer (ISSO) who 
handles day-to-day security for the system. ISSO duties include daily/
weekly log file examination, review of the CBP Security Operations 
Center monthly enterprise vulnerability scans, and oversight of 
configuration management.
    NCSD's Critical Infrastructure Protection--Cyber Security (CIP-CS) 
program is in discussions with the Maritime Sector Specific Agency 
(U.S. Coast Guard) to scope a Maritime Sector-wide cybersecurity risk 
assessment. This assessment would focus on identifying and assessing 
risks to categories of cyber critical infrastructure that support 
Maritime Sector critical functions. CIP-CS is conducting this work in 
support of the critical infrastructure and key resources cross-sector 
community to identify cyber critical infrastructure and support sector-
wide approaches to cybersecurity risk management.
                                 ______
                                 
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 
                        Rear Admiral Kevin Cook
    Question 1. The Coast Guard uses a risk analysis model to inform 
decisions on how best to secure our nation's ports and allocate limited 
resources. Could the Coast Guard model be applied to TWIC to assess its 
effectiveness and to enhance security?
    Answer. The Coast Guard Maritime Security Risk Analysis Model 
(MSRAM) is a terrorism risk analysis tool and process used by Coast 
Guard analysts across the nation to perform detailed risk analysis for 
their areas of responsibility. The results of this process are used to 
support a variety of risk management decisions at the strategic, 
operational, and tactical levels.
    During the initial rollout of TWIC, MSRAM data was used as part of 
a risk analysis approach in developing TWIC reader requirements in the 
maritime sector, and MSRAM will continue to provide risk analysis 
support to TWIC. However, since MSRAM is a risk analysis tool and not 
designed or capable of being used as a measure of effectiveness, it is 
not an appropriate model to assess the effectiveness of TWIC.

    Question 2. It has been more than 9 years since the TWIC program 
was created, but ports still do not have readers for the cards. 
Instead, they rely on visual verification, which can be more 
susceptible to fraud. How much will it cost to install readers at ports 
across the country and who is expected to pay for it?
    Answer. The Department of Homeland Security managed the TWIC pilot 
through the joint participation of TSA and the Coast Guard. The Coast 
Guard plans on using data from the TWIC Pilot Program, along with other 
studies and reader vendor data, to estimate the costs to fully 
implement the final card reader phase of the TWIC program. The Coast 
Guard is working on publishing a Notice of Proposed Rulemaking in the 
Federal Register that will present estimates of the costs to install 
readers at affected port facilities and present the number and types of 
affected facilities that will need to install readers. The cost of 
readers, as well as any necessary installation, will be incurred by the 
affected facilities. The ports may apply for grants to fund 
installation.
    TWIC Projects are eligible for funding under the FEMA Port Security 
Grant Program (PSGP). TWIC related projects have been specifically 
funded since FY06 or earlier and identified as a PSGP priority since 
FY07. TWIC Readers and associated equipment have been specifically 
identified as the major component of over $88M of PSGP funded projects 
since FY06. Project size, scope, and costs vary greatly among ports, 
and TWIC projects may typically include readers, cameras, fencing, 
gates, lighting, and associated installation costs as part of the 
overall project.

    Question 3. According to the FBI, New Jersey is home to the most 
at-risk area for a terrorist Answer. attack in the U.S. This area has 
targets ranging from the port to airports to chlorine gas plants. An 
attack in this area could impact 12 million people who live nearby. 
Shouldn't TSA prioritize these high-risk areas for TWIC funding and 
implementation?
    Answer. It is essential that the prioritization for TWIC funding 
and reader implementation be consistent across the Nation. Those 
facilities and vessels that present the highest risk, or are in high-
risk areas, will be prioritized accordingly, as they were in the 
initial TWIC implementation.

    Question 4. GAO investigators were able to fraudulently obtain TWIC 
cards and then use them to access secure facilities. TWIC cards can be 
used to access literally thousands of facilities nationwide. What is 
being done to prevent fraudulently obtained cards from being used to 
access airports, military bases, and other secure facilities?
    Answer. Each port establishes the requirements for access to its 
secure facilities. Possession of a TWIC, while a necessary element for 
access, does not guarantee its holder the right of access absent 
meeting the business case that individual port authorities establish 
for entering their secure facilities. The Coast Guard works with the 
ports to ensure the enforcement of security practices for access to 
secure facilities.
    Another important enhancement will be the use of card readers to 
verify TWICs electronically and ensure that the cards have not been 
revoked. The Coast Guard is currently developing an upcoming rulemaking 
that will include requirements for TWIC readers at Maritime 
Transportation Security Act (MTSA) regulated facilities and vessels. 
Once the final card reader phase of the program is implemented for 
electronic verification of TWICs, it will significantly enhance 
protection against counterfeit, tampered, or expired TWICs being used 
to gain access to MTSA-regulated facilities and vessels.
    Finally, TSA is conducting a review of internal controls for TWIC 
enrollment to identify ways to enhance the program's ability to prevent 
people from obtaining a TWIC using fraudulent identity documents. 
Almost all credentialing programs at all levels of government and the 
private sector face this challenge. TSA follows best practices by 
requiring the use of document authentication technology as a safeguard 
against TWIC applicants using counterfeit or altered identity documents 
at enrollment. DHS will continue to seek out best practices and new 
technologies to ensure that TWIC takes every reasonable precaution 
against fraud.
                                 ______
                                 
             United States Government Accountability Office
                                       Washington, DC, July 6, 2011
Hon. Frank R. Lautenberg,
Hon. Bill Nelson,
Committee on Commerce, Science, and Transportation,
U.S. Senate.

Subject: Transportation Worker Identification Credential: Responses to 
            Posthearing Questions for the Record

    On May 10, 2011, I testified before the Committee on Commerce, 
Science, and Transportation on the Department of Homeland Security's 
(DHS) credentialing program known as the Transportation Worker 
Identification Credential (TWIC). This letter responds to the three 
questions for the record that you posed. The responses are based on 
work associated with previously issued GAO products.\1\ Your questions 
and my responses follow.
---------------------------------------------------------------------------
    \1\ See GAO, Transportation Worker Identification Credential: 
Internal Control Weaknesses Need to Be Corrected to Help Achieve 
Security Objectives, GAO-11-657 (Washington, D.C.: May 10, 2011); 
Transportation Worker Identification Credential: Internal Control 
Weaknesses Need to Be Corrected to Help Achieve Security Objectives, 
GAO-11-648T (Washington, D.C.: May 10, 2011); and Transportation Worker 
Identification Credential: Progress Made in Enrolling Workers and 
Activating Credentials but Evaluation Plan Needed to Help Inform the 
Implementation of Card Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 
2009).
---------------------------------------------------------------------------
    Question 1. Through your covert testing, you were able to obtain 
fraudulent TWIC cards and access secure facilities using fraudulent and 
counterfeit cards. What potential security threats are our ports and 
other secure facilities exposed to because of the problems with the 
TWIC program?
    Answer. We reported in May 2011 that internal control weaknesses in 
TWIC enrollment, background checking, and use could have contributed to 
the breach of Maritime Transportation Security Act (MTSA)-regulated 
ports during covert tests conducted by our investigators.\2\ We had our 
investigators conduct covert testing at TWIC enrollment center(s) to 
identify whether individuals providing fraudulent information could 
acquire an authentic TWIC. Further, during covert tests of TWIC use at 
several selected ports, our investigators were successful in accessing 
ports using counterfeit TWICs, authentic TWICs acquired through 
fraudulent means, and false business cases (i.e., reasons for 
requesting access). Our records show that operations at the ports our 
investigators breached included cargo, containers, and fuel, among 
others.\3\ Our investigators reported that throughout the testing, 
security officers did not question the authenticity of TWICs presented 
for acquiring access.
---------------------------------------------------------------------------
    \2\ GAO-11-657.
    \3\ The details related to the means used by the investigators in 
the tests could not be described here because they were deemed 
sensitive security information by TSA.
---------------------------------------------------------------------------
    According to the Coast Guard's January 2008 National Maritime 
Terrorism Threat Assessment, al Qaeda leaders and supporters have 
identified western maritime assets as legitimate targets.\4\ Moreover, 
according to the Coast Guard assessment, al Qaeda-inspired operatives 
are most likely to use vehicle bombs to strike U.S. cargo vessels, 
tankers, and fixed coastal facilities such as ports. If an individual 
presents an authentic TWIC acquired through fraudulent means when 
requesting unescorted access to the secure areas of a MTSA-regulated 
facility or vessel, the cardholder is deemed not to be a security 
threat to the maritime environment because the cardholder is presumed 
to have met TWIC-related qualifications during a background check. In 
such cases, individuals who wish to do harm to the maritime 
transportation system could better position themselves to 
inappropriately gain unescorted access to secure areas of a MTSA-
regulated facility or vessel.\5\
---------------------------------------------------------------------------
    \4\ U.S. Coast Guard Intelligence Coordination Center, National 
Maritime Terrorism Threat Assessment (Washington, D.C.: Jan. 7, 2008).
    \5\ The TWIC program requires individuals to both hold a TWIC and 
be authorized to be in the secure area by the owner/operator to gain 
unescorted access to secure areas of MTSA-regulated facilities and 
vessels. A regulation on the use of TWICs with card readers is 
currently under development and expected to address how the access 
control technologies, such as biometric card readers, are to be used 
for confirming the identity of the TWIC holder against the biometric 
information on the TWIC.
---------------------------------------------------------------------------
    As we recently reported in May 2011, while one of the goals of the 
TWIC program was to improve security by reducing risks associated with 
fraudulent or altered credentials by using biometrics to positively 
match an individual to the credential, as our covert tests 
demonstrated, an authentic TWIC and a legitimate business case were not 
always required in practice.\6\ As detailed in our report, inspection 
of TWICs with biometric readers is not currently required. Rather, 
TWICs are primarily used as visual identity cards--known as a 
flashpass--where a card is to be visually inspected before a cardholder 
is allowed unescorted access to a secure area of a MTSAregulated port 
or facility. The investigators' possession of TWICs provided them with 
the appearance of legitimacy and facilitated their unescorted entry 
into secure areas of MTSA-regulated ports at multiple locations across 
the country. If individuals are able to acquire authentic TWICs 
fraudulently, verifying the authenticity of these cards with a 
biometric reader will not necessarily reduce the risk of undesired 
individuals gaining unescorted access to the secure areas of MTSA-
regulated facilities and vessels. Our report noted that, unlike prior 
access control approaches, which allowed access to a specific facility, 
the TWIC potentially facilitates access to thousands of facilities once 
the Federal Government attests that the TWIC holder has been positively 
identified and is deemed not to be a security threat.
---------------------------------------------------------------------------
    \6\ GAO-11-657.

    Question 2. According to the FBI, New Jersey is home to the most 
at-risk area for a terrorist attack in the U.S. This area has targets 
ranging from the port to airports to chlorine gas plants. An attack in 
this area could impact 12 million people who live nearby. Shouldn't TSA 
prioritize these high-risk areas for TWIC funding and implementation?
    Answer. Funding for the TWIC program is a shared responsibility 
between the Federal Government and the private sector. TSA's efforts to 
issue the TWIC are to be funded by enrollment fees collected from TWIC 
applicants.\7\ Additional resources, however, would be required if TWIC 
is to be implemented with biometric card readers. For instance, MTSA-
regulated facility operators could be required to expend resources on 
TWIC readers and infrastructure to support TWIC-related operations, 
such as installing fiber optic cables and investing in computing 
system(s) capable of managing and recording TWIC-related access control 
efforts. While funding for such efforts is anticipated to be the 
responsibility of facility operators, limited Federal funding is 
expected to be available through Federal grant programs, such as the 
Federal Emergency Management Agency's (FEMA) Port Security Grant 
Program and the Transit Security Grant Program.\8\ As we previously 
reported, issuance of such grants is, in part, based on available risk 
information.\9\
---------------------------------------------------------------------------
    \7\ TSA was authorized to fund the program's operations by 
collecting $196.8 million in enrollment fees from TWIC applicants from 
Fiscal Years 2008 through 2010.
    \8\ From Fiscal Years 2006 through 2010, $111.7 million had been 
made available to maritime facilities implementing TWIC from FEMA grant 
programs--the Port Security Grant Program and the Transit Security 
Grant Program.
    \9\ See GAO, Transit Security Grant Program: DHS Allocates Grants 
Based on Risk, but Its Risk Methodology, Management Controls, and Grant 
Oversight Can Be Strengthened, GAO-09-491 (Washington, D.C.: June 8, 
2009); and Risk Management: Further Refinements Needed to Assess Risks 
and Prioritize Protective Measures at Ports and Other Critical 
Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
---------------------------------------------------------------------------
    Funding and implementing TWIC in a risk-informed manner would be 
consistent with our prior work.\10\ The purported benefit of making 
risk-informed investments is that Federal funds are to be directed at 
those programs that are most effective at reducing risk given available 
resources. However, as we reported in May 2011, DHS had not assessed 
the effectiveness of TWIC at enhancing security or reducing risk for 
MTSAregulated facilities and vessels.\11\ Further, DHS had not 
demonstrated that TWIC, as currently implemented and planned with 
readers, is more effective than prior approaches used to limit access 
to ports and facilities, such as using facility-specific identity 
credentials with business cases. Moreover, our May 2011 report found 
that enrollment and background checking processes were not designed to 
provide reasonable assurance that only qualified individuals could 
acquire TWICs, or that once issued a TWIC, TWIC-holders had maintained 
their eligibility. These weaknesses, coupled with the results of our 
covert tests on TWIC use, raise questions about the effectiveness of 
the TWIC program. As such, we recommended that the Secretary of 
Homeland Security evaluate the costs, benefits, security risks, and 
corrective actions needed to implement the TWIC program in a manner 
that will mitigate existing security risks. Completing these steps will 
facilitate efforts to identify high-risk areas for TWIC funding and 
implementation.
---------------------------------------------------------------------------
    \10\ See GAO, Homeland Security: Applying Risk Management 
Principles to Guide Federal Investments, GAO-07-386T (Washington, D.C.: 
Feb. 7, 2007); and GAO-06-91.
    \11\ GAO-11-657.

    Question 3. We have four of the highest volume U.S. ports in 
Florida, which are involved in tens of billions of dollars in trade 
each year. Did your investigators turn anything up unique about the 
efforts made by the folks running the TWIC program in Florida?
    Answer. Prior to being amended, previous Florida state law required 
workers accessing the state's 12 active deepwater public ports to 
undergo a state criminal history records check, and Florida's ports 
required workers to obtain a local port identification card. In doing 
so, Florida had implemented background check and identification 
requirements that extended beyond those of the TWIC program. First, 
prior to being repealed on May 24, 2011, a Florida statutory provision 
required that all applicants undergo a State of Florida fingerprint-
based criminal history records check to identify certain specified 
state criminal offenses, such as theft and burglary, separately from 
those specifically required to be identified or considered by the 
criminal history records check conducted by the TWIC program. Second, 
Florida denied access to individuals who had obtained their TWIC 
through the TWIC-waiver process, whereby individuals with disqualifying 
offenses could be granted a TWIC. Third, Florida maintained a database 
that retained the fingerprints and eligibility status of all seaport 
workers accessing its ports, and provided ports with an ongoing 
notification of the workers' criminal histories. While Florida has 
repealed its background check requirements, various Florida ports still 
require that individuals attempting to gain access to a port or 
facility provide a port-specific identification card in addition to the 
TWIC to gain access to ports in Florida.
    As we reported in May 2011, our investigators were successful in 
accessing ports using counterfeit TWICs, authentic TWICs acquired 
through fraudulent means, and false business cases (i.e., reasons for 
requesting access) during covert tests of TWIC use at several selected 
ports.\12\ Information on the specific ports and locations that our 
investigators were unable to access during covert testing was deemed 
sensitive security information by TSA. However, our report states that 
our investigators did not gain unescorted access to a port where a 
secondary port specific identification was required in addition to the 
TWIC.
---------------------------------------------------------------------------
    \12\ GAO-11-657.
---------------------------------------------------------------------------
    If you have any questions about this letter or need additional 
information, please contact me at (202) 512-4379 or [email protected].

                                           Stephen M. Lord,
                    Director, Homeland Security and Justice Issues.

                                  
