[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]




 
         FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED THIRTEETH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 9, 2013

                               __________

                           Serial No. 113-25

                               __________

Printed for the use of the Committee on Oversight and Government Reform


         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
81-281                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              MARK POCAN, Wisconsin
DOC HASTINGS, Washington             TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming           ROBIN L. KELLY, Illinois
ROB WOODALL, Georgia                 DANNY K. DAVIS, Illinois
THOMAS MASSIE, Kentucky              PETER WELCH, Vermont
DOUG COLLINS, Georgia                TONY CARDENAS, California
MARK MEADOWS, North Carolina         STEVEN A. HORSFORD, Nevada
KERRY L. BENTIVOLIO, Michigan        MICHELLE LUJAN GRISHAM, New Mexico
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director

                 Subcommittee on Government Operations

                    JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan                GERALD E. CONNOLLY, Virginia 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
THOMAS MASSIE, Kentucky              MARK POCAN, Wisconsin
MARK MEADOWS, North Carolina


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 9, 2013......................................     1

                               WITNESSES

Mr. Stephen Sadler, Assistant Administrator, Office of 
  Intelligence and Analysis, Transportation Security 
  Administration
    Oral Statement...............................................     7
    Written Statement............................................     9
Mr. Stephen A. Lord, Director, Forensic Audits and 
  Investigations, U.S. Government Accountability Office
    Oral Statement...............................................    16
    Written Statement............................................    18


         FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS

                              ----------                              


                         Thursday, May 9, 2013,

                  House of Representatives,
             Subcommittee on Government Operations,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 9:00 a.m., in 
Room 2154, Rayburn House Office Building, Hon. John Mica 
[chairman of the subcommittee] presiding.
    Present: Representatives Mica, Massie, Meadows, Connolly, 
and Cummings.
    Staff Present: Ali Ahmad, Majority Communications Advisor; 
Alexia Ardolina, Majority Assistant Clerk; Molly Boyl, Majority 
Parliamentarian; Sharon Casey, Majority Senior Assistant Clerk; 
Adam P. Fromm, Majority Director of Member Services and 
Committee Operations; Linda Good, Majority Chief Clerk; Ryan M. 
Hambleton, Majority Professional Staff Member; Michael R. Kiko, 
Majority Staff Assistant; Mitchell S. Kominsky, Majority 
Counsel; Mark D. Marin, Majority Director of Oversight; Laura 
L. Rush, Majority Deputy Chief Clerk; Scott Schmidt, Majority 
Deputy Director of Digital Strategy; Jaron Bourke, Minority 
Director of Administration; Devon Hill, Minority Research 
Assistant; Lucinda Lessley, Minority Policy Director; Rory 
Sheehan, Minority New Media Press Secretary; and Cecelia 
Thomas, Minority Counsel.
    Mr. Mica. Good morning. I would like to call this 
subcommittee hearing of Government Operations Subcommittee of 
the House Government Oversight and Reform Committee to order.
    Welcome, everyone, this morning. The topic of today's 
hearing is Federal Government Approaches to Issuing Biometric 
IDs. It looks like a relatively brief hearing. We have two 
witnesses that will be participating and I will introduce them 
shortly.
    The order of business today, we will hear members' opening 
statements, then we will hear from our two witnesses, and then 
we will have a round or rounds of questioning, as appropriate.
    So, with that, let me again welcome everyone. I want to 
again state on behalf of the committee that we believe we have 
a very important mission of oversight. This committee exists 
for a very fundamental purpose, two basic principles. First, 
the American people have the right to know how their money is 
spent that Washington has taken from them. We have the 
fiduciary responsibility of seeing how it is expended and what 
programs are successful, what are unsuccessful, making certain, 
first of all, that the American public, our Nation is secure.
    And I think, finally, the American public deserves an 
efficient, effective Government that works for them. We have 
that important responsibility in this committee and we intend 
to protect those rights. We want to hold Government accountable 
for the taxpayers and make certain that we, through these 
hearings and the proceeding today, that we keep the executive 
branch and others charged with important responsibilities true 
to the intent and legislative purpose that Congress has set 
forth.
    So that is our purpose. I look forward to working with Mr. 
Connolly, our ranking member, and members of the subcommittee 
to continue this effort, and thank them for their cooperation 
this morning.
    On November 25th, 2002, then_President Bush signed the 
Maritime Transportation Security Act of 2002. That is more than 
a decade ago and that legislation set forth the credentialing 
for individuals that are entering some of our port facilities 
and regulated facilities that accommodate vessels and maritime 
traffic.
    According to the GAO, from 2002 to 2012, an excess of half 
a billion dollars has been spent in that effort, some $540 
million. About a quarter of a billion dollars raised on fees 
from some of the workers and other folks, and then about a 
quarter of a billion dollars in public money and grants.
    According to CRS, since we first issued the cards in 2007, 
about 2,001 cards have been issued. The cost initially was 
$129.75 for the past number of years and there is a proposal 
now that some of the workers can extend their cards for a fee 
of $60. The card was intended from the very beginning, and 
having participated in that process, to have a biometric 
component, to be a secure, durable identification that could 
ensure the identity of those entering, again, those secure 
areas in our port facilities.
    We have had at least four hearings that I know of, some on 
the Transportation Committee, some on some subcommittees, 
reviewing the progress of this card. I think if you will look 
at a poster child for programs that sort of run amok and do not 
get the job done, that the TWIC card, as it is affectionately 
known, Transportation Worker Identification Card, is 
unfortunately the poster child, again, for not producing what I 
think Congress intended.
    Despite all the time that has lapsed, the hearings that 
have been conducted, GAO continues to find that TSA is failing 
to properly administer the TWIC program. The latest report we 
have has just come out. This is March 2013. It cites a whole 
host of problems with the program. First of all, we wanted the 
card produced with biometric capability. The card had some 
capability, fingerprint; it doesn't have iris, as I understand 
it. The cards were issued. Since 2007 the cards have not had 
the capability of having a reader. Congress had passed 
additional legislation trying to get the reader program 
engaged, and we will hear today that while GAO is testing some 
of the equipment, that we still do not have readers deployed in 
a universal manner to read the cards.
    So what you have is a farcical system of a card that, and 
not by my evaluation, but previous GAO studies have shown, is 
not what we intended; it is tamperable. It has actually been, 
in testing by GAO, it has been found to be deficient and, 
again, it is a card that can also be easily reproduced.
    So what you have is, again, a card that is produced at 
great expense to individual workers, great expense to the 
Government; does not have a guaranty that it is a secure card, 
that is, tamperable; it has become a joke among transportation 
workers because at almost every port they are now required to 
produce a driver's license or some other identification that is 
used for entry.
    So this sort of goes on and on. After, again, spending an 
incredible amount of money, TSA and the independent tests 
agent, they found did not even have a clear record of baseline 
data for comparing operational performance at access points 
with the TSA readers. This is in the testing. GAO went on to 
find that TSA and the independent test agent did not collect 
complete data on malfunctioning TWIC cards.
    I know this is a long explanation of where we are, but I 
think it deserves sort of an update for the record. We again 
are faced with more than a decade delay in producing what 
Congress intended. Now years have gone on trying to get a 
reader that is approved.
    The final thing I would just point out to Mr. Connolly and 
other members is other agencies do have cards. Most recently, 
here is our TWIC card, a little mockup of it. Again, I think 
some of you may have seen this before, the TWIC card, again 
flawed. Here is a clear card which a private company has 
produced, and it actually has biometric, both fingerprint, and 
I think it is all five fingers, and iris; and it is in use. We 
found other agencies that have readers and they also have cards 
that have both components that Congress was trying to get some 
years ago.
    So this is very frustrating and the purpose of the hearing 
is to review where TSA is and where we are going to go.
    With that, I would like to recognize our ranking member, 
Mr. Connolly.
    Mr. Connolly. Mr. Chairman, thank you, and thank you for 
your leadership on this issue and for holding this hearing. I 
can't help but observe there are two lonely members of the 
press at the press table. Yesterday we had dozens and dozens 
and dozens.
    Mr. Mica. This isn't Benghazi.
    Mr. Connolly. And yet the Benghazi hearing basically 
uncovered nothing. Actually, today's hearing potentially has so 
much more of an impact in terms of U.S. security, but I guess 
it is not a particularly sexy subject, at least when it comes 
to the media. But I think it is very important to our Country's 
security.
    And again I thank you for your leadership, Mr. Chairman. I 
know you cared about this in your previous capacity at 
Transportation and Infrastructure as chairman, and I am so glad 
you bring that sensitivity to this committee as well.
    All of us want to make sure that our transportation system 
is secure. Every day our transportation system moves more than 
1.4 million shipments of hazardous materials, any of which 
could be potentially of harm to Americans. As we all know, 
securing all of this cargo is very daunting, but we know it is 
imperative to the safety of the Nation.
    The Maritime Transportation Security Act of 2002 requires 
the Department of Homeland Security to issue a biometric 
transportation security card, TWIC, to identify individuals who 
will be allowed unescorted access to the secure areas of ports 
and vessels. The biometric information contained in the card 
includes, of course, as the chairman indicated, fingerprints 
and a digital photograph. TSA is responsible for the issuance 
of the card, while the United States Coast Guard is responsible 
for enforcing its use.
    TWIC cards are intended to be utilized with an electronic 
reader that would simply scan the card to determine entry into 
the respective facility. Under the Safe Port Act of 2006, DHS 
was required to conduct a pilot program on the efficacy of the 
TWIC card readers. Unfortunately, the most recent GAO report, 
which we are going to hear about today, found significant 
methodological problems with the study.
    Specifically, GAO determined that TSA lacked data analysis 
plans, performance standards, or sampling methodology 
development prior to selection of participating facilities and 
vessels in the TWIC reader pilot. In addition, GAO also found 
that the finalized TWIC cards did not undergo any level of 
durability testing, which is problematic considering the use of 
these cards will be in sometimes harsh, wet, maritime 
environments, which was also cited by the GAO report.
    These findings are disappointing and of great concern. I, 
for one, want to know why the Department has not responded 
favorably to GAO's serious findings, if in fact they have not. 
We look forward to hearing about that today.
    If the readers and the TWIC cards fail to function 
properly, not only will maritime workers not be able to perform 
their jobs adequately on a daily basis, but these facilities 
are left vulnerable to a potential security breach. Given the 
volume of cargo coming into the United States, that is of great 
concern. The United States transportation system of maritime 
facilities remain a target and a means through which terrorists 
seek to attack the homeland. We all know that an attack on our 
Nation's maritime transportation system could have very serious 
consequences, and it seems to me all of us have got to do 
everything in our power to make sure that does not happen.
    I look forward to hearing from our witnesses this morning 
and what corrective measures we can take to make TWIC an 
effective security card.
    With that, I yield back, Mr. Chairman.
    Mr. Mica. Thank you, Mr. Connolly.
    Also, I will just explain for the members of the panel that 
we attempted to look at IDs across the board, because TSA is at 
the heart of approval and DHS is at the heart of approval of 
moving all these ID programs forward. We were not able to get 
Customs and Border Patrol to participate today, nor Department 
of State and some others that we wanted; they wanted more time.
    So, unfortunately, what we have done is divided this review 
up. We will, hopefully in a couple of weeks, and with the 
agreement of the minority, reconstitute the panel and we will 
look at problems with the pilots' license, there are problems 
with the various cards that we have for identification. At the 
airports we have a global entry under the Department of State.
    But I think all of these, and it is part of our 
responsibility. We are the only committee with enough 
jurisdiction to look at all of these, and then also TSA's 
responsibility. So we will follow up on that.
    With that, let me recognize Mr. Meadows, then we will go to 
the ranking member, Mr. Cummings, of the full committee.
    Mr. Meadows. Thank you, Mr. Chairman, and thank you to the 
ranking member, Mr. Connolly, who has, over and over again, 
expressed a willingness to work in a bipartisan way to cut out 
waste, fraud, and abuse.
    As we are here today obviously looking at some half billion 
dollars spent on a program that is yet to be implemented, I am 
reminded of the fact that there are two ways things get done 
here in Washington, D.C., slow and never, and we are trying to 
figure out which one of these this particular thing is going to 
be, because we have heard testimony in this very room of 
computer systems that we have spent some $1 billion on, then 
was never implemented.
    So is this just another government program where it has 
great intentions of providing security, but in essence we are 
going to spend millions and millions, and perhaps billions of 
dollars only to find out later that the theory or the genesis 
of this particular security system is one that is not going to 
be implemented?
    The most recent GAO report is troubling from some of the 
accusations and literally some of the research that it is 
providing here, so I look forward to really less looking at 
when are we going to have a system that secures our ports. We 
have been at this for some 11 years now. So if not next year, 
then when? If not next year, then are we looking at another 10 
years? What is the time line? And from a practical standpoint 
what are the deficiencies? Would we be better off to just say 
we made a mistake, let's go back to the drawing board, let's 
find another area to do it?
    I have the privilege of having Google in my particular 
district, and I can tell you the type of security that is there 
with those facilities didn't take this long to get implemented 
in the private sector and, quite frankly, are extremely secure. 
So if the private sector can do it, certainly we, with all of 
our resources of the greatest Nation in the world, should be 
able to figure it out. So I look forward to your testimony.
    With that, I yield back, Mr. Chairman. Thank you so much.
    Mr. Mica. I thank the gentleman.
    Now I am pleased to recognize the ranking member of the 
full committee, the gentleman from Maryland, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman and Ranking 
Member Connolly, for calling this hearing. And I want to thank 
the witnesses for their testimony.
    This is a subject that is of great interest to me because I 
previously served as the chairman of the Subcommittee on the 
Coast Guard and Maritime Transportation, and during my tenure 
in that position I convened two hearings to examine the rollout 
of the TWIC card, which began, unbelievably, in 2007.
    Now, six long years later, 2.5 million transportation 
workers have been enrolled in the TWIC program and 2.7 million 
TWIC cards have been printed. These enrollees have paid an 
estimated $300 million to implement this program. However, 
those TWIC cards are nothing more than very expensive flash 
passes without sophisticated electronic readers to read them. 
That is sad.
    We now know that many vessels and facilities will never use 
TWIC readers, yet workers there are still being required to 
obtain the TWIC card. The Coast Guard, which is responsible for 
enforcing the use of the TWIC cards, has recently issued a 
Notice of Proposed Rulemaking that would require only vessels 
and facilities in what are known as Risk Group A classification 
to utilize TWIC card readers. As a result, far less than 1 
percent of regulated vessels and approximately 16 percent of 
facilities will require a TWIC reader.
    So the TWIC card is just a very expensive flash pass for 
all the mariners and transportation workers working in the 99 
percent of vessels and more than 80 percent of facilities 
without TWIC card readers.
    But the problems with the TWIC card program run deeper than 
that. Where TWIC card readers will be required, they must be 
able to determine whether a card is valid and matches the 
biometrics of the individual who seeks access to a restricted 
area in a port or on a vessel. Unfortunately, we cannot count 
on that. When the GAO reviewed the TWIC pilot program required 
by the Safe Port Act, it identified methodological problems 
with the pilot that are so severe GAO has concluded that the 
results of the pilot are simply not reliable.
    I am stunned by the scope of the shortcomings identified by 
the GAO, particularly given that as long ago as 2009 GAO 
identified shortcomings that needed to be addressed to ensure 
the TWIC pilot program would yield reliable results.
    We are all aware that we need to take every effective step 
to protect our maritime facilities from those who wish to harm 
us. However, at this time we still have no reliable data 
proving that the TWIC card is one of those steps.
    I can simply say I am disappointed and we are better than 
that. As my colleague said just a moment ago, if the private 
sector can do this, we ought to be able to do this, and we need 
to know exactly why we can't.
    When I was chairman of the Coast Guard subcommittee, Mr. 
Chairman, I constantly talked about, I was really talking about 
the Coast Guard and its acquisition program, but talked about 
how we were moving into a culture of mediocrity; and I think 
this whole fiasco is a step below that. So I am hoping that we 
will get some answers, that we will get some results soon so 
that the intended purpose of the TWIC card will be able to 
carry out the way we wanted it to be done.
    With that, I yield back.
    Mr. Mica. Well, I thank the ranking member and concur in 
his very frank statement. We will work together. We have to 
figure out a way to get this program back on track.
    No other members this morning, so I will ask unanimous 
consent that members have seven days to submit opening 
statements for the record. Without objection, so ordered.
    So now we will turn to our two witnesses this morning. 
First we have Mr. Steve Sadler, and he is the Assistant 
Administrator for Intelligence Analysis for the Transportation 
Security Administration.
    Welcome back, Mr. Steve Lord. He is the Director of 
Forensic Audits and Investigative Services for GAO, the 
Government Accountability Office.
    Gentlemen, this is an investigative panel of Congress. If 
you will stand and be sworn. Please raise your right hand.
    Do you solemnly swear that the testimony you are about to 
give before this subcommittee of Congress is the whole truth 
and nothing but the truth, so help you, God?
    [Witnesses respond in the affirmative.]
    Mr. Mica. Let the record reflect that both witnesses 
answered in the affirmative.
    We aren't too pressed for time this morning, so we will 
give you a little bit of leeway. Usually it is a little 
briefer, but we will recognize first Mr. Sadler, the Assistant 
Administrator for Intelligence and Analysis at TSA.
    Welcome and you are recognized, sir.

                  STATEMENT OF STEPHEN SADLER

    Mr. Sadler. Good morning, Chairman Mica, Ranking Member 
Connolly, and distinguished members of the subcommittee. Thank 
you for the opportunity to testify today about TSAs role in the 
TWIC program.
    TWIC is a fee-based program that issues a tamper-resistant 
biometric credential. Eligible maritime workers use TWIC for 
unescorted access to secure areas of port facilities and 
vessels regulated under the Maritime Transportation Security 
Act of 2002. TSAs primary areas of responsibility include 
conducting security threat assessments, providing customer 
service at enrollment centers, and engaging industry to develop 
specifications for TWIC readers.
    The full enrollment fee for a transportation worker is 
$129.75, and an initial TWIC is valid for five years. Under the 
Extended Expiration Date Initiative, eligible workers may 
request a three-year extension by paying the $60 card 
replacement fee.
    Currently, the United States Coast Guard requires maritime 
operators to visually inspect the TWIC prior to granting 
unescorted access to secure areas. Under MTSA, the Coast Guard 
currently regulates nearly 14,000 vessels and more than 3200 
facilities. With a single uniform credential, facilities, 
vessel operators, and law enforcement entities can verify an 
individual's identity and eligibility to enter secure areas 
with a higher level of confidence than was feasible prior to 
TWIC. TWIC is an important layer in maritime security as risk-
based control requirements and technical capabilities mature.
    TWIC readers determine whether a card is authentic and 
issued by TSA. The readers also check that the card has not 
expired and has not been revoked or reported lost or stolen. 
The Coast Guard recently published a proposed Notice of 
Rulemaking on TWIC readers in which the use of those readers 
would be required for certain high-risk vessels and facilities.
    Recently, several major challenges have converged for the 
TWIC program. These include the expiration, re-enrollment, and 
demand for replacement of 1.5 million TWICs over an 18-month 
period; modifications to the process to limit enrollment and 
card issuance to a single visit; and a transition of the 
program from a current single-provider contract to separate 
contracts for enrollment services and system operations.
    Beginning this summer, the first phase of an initiative to 
enable individuals to apply for and obtain a TWIC with a single 
visit to an enrollment center will be tested in Alaska and 
should expand nationwide in 2014. One visit represents the most 
significant program change since TWICs inception and will 
greatly ease the burden on future applicants and individuals 
needing a replacement card.
    Additional customer service improvements include expanding 
the number of TWIC enrollment centers from 136 to more than 
300; increasing call center representatives focused on reducing 
call wait times; developing a web-based process to apply for 
extended expiration date TWICs or replacement cards; and 
increasing mobile enrollment opportunities to facilities 
wanting to enroll workers onsite.
    As a result of the TWIC pilot program, we obtained 
considerable data and sufficient quantity and quality to 
support the general findings and conclusions in the pilot 
report. Our analysis concluded that TWIC readers function 
properly when they are designed, installed, and operated in a 
manner consistent with the characteristics and business needs 
of the facility or vessel operation. The analysis also 
concluded that reader systems can make access decisions 
efficiently and effectively.
    Thank you for the opportunity today, and I will be glad to 
answer any of your questions.
    [Prepared statement of Mr. Sadler follows:]

    [GRAPHIC] [TIFF OMITTED] T1281.001
    
    [GRAPHIC] [TIFF OMITTED] T1281.002
    
    [GRAPHIC] [TIFF OMITTED] T1281.003
    
    [GRAPHIC] [TIFF OMITTED] T1281.004
    
    [GRAPHIC] [TIFF OMITTED] T1281.005
    
    [GRAPHIC] [TIFF OMITTED] T1281.006
    
    [GRAPHIC] [TIFF OMITTED] T1281.007
    
    Mr. Mica. Thank you.
    We will turn now to Mr. Steve Lord, the Director of 
Forensic Audits and Investigative Services for GAO. Welcome 
back.

                  STATEMENT OF STEPHEN A. LORD

    Mr. Lord. Thank you very much, Mr. Chairman, Ranking Member 
Connolly, and Representative Meadows. I am really pleased to be 
here today to discuss the results of our recent TWIC report 
issued just recently. I should point out this is not the only 
report we have issued on this subject. We have work going back 
several years, including a very significant study we issued in 
2009 on the design of the pilot, as well as a May 2011 report 
on the internal controls in the program.
    The overall message that I wanted to convey today, I think 
it is a very important message, that the pilot results should 
not be used to inform future decisions regarding the TWIC 
reader rule or the future deployment of card readers. This is 
where we disagree with TSA and DHS. I am also surprised to see 
that the Coast Guard went ahead and issued their March 22nd 
Notice of Proposed Rulemaking, because it incorporated the 
results of the pilot even though we found major issues in the 
pilot data, which we had previously shared with them.
    I would like to briefly touch on some of the key challenges 
we identified in the pilot. They fall into three major buckets. 
The first one is planning. Bottom line is DHS did not address 
the pilot planning weaknesses we identified in our 2009 report. 
Although it took some initial steps to address them, it did not 
develop a full evaluation plan or the performance standards we 
called for to help guide the pilot as it unfolded.
    The second key issue we identified was related to data 
collection. We identified eight separate weaknesses in how the 
pilot participants collected data. I am not going to discuss 
all eight today, but I would like to briefly highlight three.
    First, TSA and the independent test agent did not record 
clear baseline data. If you don't have a clear baseline, you 
really have nothing to compare the collected data to.
    They also did not collect complete data on reasons for card 
failures or the reasons people were denied access to 
facilities. Obviously, they collected some, but we scrutinized 
the data they did collect and we found several significant 
discrepancies and anomalies in the data.
    The third key data collection issue we identified was the 
operational impact of using TWICs with readers was not 
consistently documented. And this is a really important issue 
because this was one of the major reasons they ran a pilot, to 
measure the business impact on the private sector. Yet, when we 
looked at how they measured that, they didn't do a good job and 
they essentially did not collect the data needed to assess that 
issue.
    As a result of all the challenges we identified, we think 
it is really difficult to assess whether the problems 
experienced were due to the cards themselves, to the readers, 
or to the way the users were using them. So it could have been 
a combination of all three, and that is something we highlight 
in our report.
    We also scrutinized DHS's report to Congress. I should 
mention we just didn't evaluate the report; we looked at what 
went into the preparation of the report. We pulled all 
available data sets that were used to support the February 2012 
report to Congress.
    And one notable issue we identified was the assessments of 
the entry times at ports, again, the throughput times. This is 
a really important issue that was looked at, where these 
measures were mixed up with reader response times, which is the 
time it takes a card to be read in a laboratory setting. So 
obviously they weren't really measuring throughput, which is a 
key objective of the pilot, but basically how much time it took 
a card to be read in a laboratory setting.
    Given all the issues we identified, we do not believe using 
TWICs with readers would provide a critical layer of port 
security. We think that has yet to be demonstrated, and that is 
why we called for the agency to implement our prior 
recommendation on that point, to do a security assessment, to 
try to identify the value added of using TWICs with readers. Is 
it better than the regimes used in the past or not? We think 
that is a really important issue. So that is why, again, we 
called for that in our 2011 report.
    But we do acknowledge some of the many challenges that DHS 
experienced in the pilot. They were dealing with 17 different 
sites; they participated on a voluntary basis, they couldn't 
compel them to participate or collect data in a certain way. 
And we recognize that, yet we still think some of those risks 
could have been mitigated by perhaps having more personnel 
involved at the sites or providing additional resources.
    In closing, given the many issues we identified, as we 
highlight in our report, we think Congress should consider 
repealing the requirement that the final regulations for the 
card readers be consistent with the pilot findings. 
Essentially, we think those two issues should be de-linked 
given the issues we identified in the pilot. Instead, we 
believe Congress should require DHS to complete a security 
assessment, as we originally called for in our May 2011 report. 
Again, the security assessment will help demonstrate the value 
of the program.
    And the assessment should also include a comparison of 
alternative credentialing approaches. There are different 
options they could have considered. For example, the Government 
can conduct a security assessment and have the credentials be 
provided at the local level. That was an option that was never 
considered in the early analysis of alternatives, and we think 
that has possible merit that should be studied further.
    Thank you, Mr. Mica, Ranking Member Connolly, 
Representative Meadows. This concludes my prepared statement 
and I look forward to answering any questions.
    [Prepared statement of Mr. Lord follows:]

    [GRAPHIC] [TIFF OMITTED] T1281.008
    
    [GRAPHIC] [TIFF OMITTED] T1281.009
    
    [GRAPHIC] [TIFF OMITTED] T1281.010
    
    [GRAPHIC] [TIFF OMITTED] T1281.011
    
    [GRAPHIC] [TIFF OMITTED] T1281.012
    
    [GRAPHIC] [TIFF OMITTED] T1281.013
    
    [GRAPHIC] [TIFF OMITTED] T1281.014
    
    [GRAPHIC] [TIFF OMITTED] T1281.015
    
    [GRAPHIC] [TIFF OMITTED] T1281.016
    
    [GRAPHIC] [TIFF OMITTED] T1281.017
    
    Mr. Mica. Thank you. We will start questions. I will start 
with a round.
    First, Mr. Sadler, have you ever had the opportunity see 
the movie Groundhog Day?
    Mr. Sadler. Yes, I did, sir.
    Mr. Mica. In that movie, doesn't the character keep 
repeating the same day over and over again and sort of the same 
thing over and over?
    Mr. Sadler. I believe he does, sir.
    Mr. Mica. I feel a little bit like that character, Mr. 
Connolly and Mr. Meadows. From 2002, 2005, 2006, 2009, to 2011. 
Last I checked, this is 2013. And we still do not have a viable 
TWIC program. I just heard Mr. Lord go through his analysis of 
these reader tests experiences. We have his report here. It is 
very frustrating.
    I guess you did 17 sites?
    Mr. Sadler. That is right, sir.
    Mr. Mica. And we don't really know how many people went 
through. DHS's report to Congress shows a total population of 
33,111. However, final pilot site test systems showed a 
population of 79,000. There is a discrepancy even in the number 
of participants. Mr. Lord said that you couldn't get some to 
participate.
    The report says pilot participants did not document 
instances of denied access. TSA and the independent test agent 
did not collect complete data on malfunctioning TWIC cards. I 
mean, the report just goes on and on about, again, what is 
supposed to be pilot testing to develop a card that we can use 
and have some basic knowledge about what is effective and how 
all this can be utilized. How do you respond to GAO?
    Mr. Sadler. I would say that GAO, in their opening 
statement, pointed out some of the challenges that we faced 
when we started this pilot program, and that is a key point. 
This is a pilot program that we implemented in the commercial 
maritime environment. No one has done that before. And I know 
you have heard that before, but that is the crux of the issue.
    Mr. Mica. In a maritime environment?
    Mr. Sadler. No one has done this type of pilot, that I know 
of, in this type of environment. So we got voluntary 
participation from the facilities. We were very happy that 
these facilities stepped forward and participated, but we did 
this pilot under the condition of an operational maritime port 
facility. So we couldn't put readers at every access point; 
whether it was for a vehicle, whether it was for a pedestrian.
    So those were some of the challenges that we faced. It was 
a voluntary pilot; it was in an maritime operational 
environment; not all access points had readers. If we could 
have locked the place down and put a reader at every access 
point, possibly----
    Mr. Mica. So you are saying it is not practical to have a 
reader with a TWIC program?
    Mr. Sadler. No, I am not saying that, sir. What I am saying 
is under the conditions we had to test, we faced challenges; 
and we stated those in our report to Congress as well.
    Mr. Mica. Now, let me ask you a question. You have issued, 
what, 1.8 million of these?
    Mr. Sadler. About 2.5 million, sir.
    Mr. Mica. But is there 1.8 million coming due or something?
    Mr. Sadler. Well, there are about 1.5 million cards that 
are set to expire over the next 18 months.
    Mr. Mica. I am sorry, I messed up the figures. So in the 
next 18 months you have 1.5 million. Do you have a card now 
that has a biometric component that would recognize both 
fingerprints and iris?
    Mr. Sadler. Sir, we use the fingerprint template only 
because that is the only federal standard that is in existence 
today, and it was the most robust biometric.
    Mr. Mica. And you are working with the folks that set the 
standards, and they have told us at several previous hearings 
that the standard was just around the corner for iris. What are 
they telling you now?
    Mr. Sadler. As I understand it, they are in their second 
iteration of the iris standard out for comment, and I don't 
know what their schedule is for final publication of that 
standard. I would have to defer to them.
    Mr. Mica. Well, TSA, you also oversee entry programs, for 
example, the CLEAR program. I am told that the CLEAR program 
has an iris and also I think all five fingers are incorporated, 
and this is in use in the airports, is that correct?
    Mr. Sadler. It may be, sir. I am not aware that we are 
overseeing that program at this point.
    Mr. Mica. TSA just lets anybody put a program in place?
    Mr. Sadler. It is not about TSA allowing the program; it is 
about a relationship between the contractor or that company and 
the airport.
    Mr. Mica. So do you accept these cards? These aren't 
accepted?
    Mr. Sadler. I don't know if they are accepted or not. I 
would have to get back to you on that answer. As far as 
boarding an aircraft?
    Mr. Mica. Yes.
    Mr. Sadler. I would have to get back to you on that answer. 
What I would say about that is we use a fingerprint template; 
we do not use an image for privacy purposes. We have to encrypt 
our biometric. I don't know if they encrypt their biometric.
    Also, if an individual comes up to a kiosk in an airport, 
that is much different than an individual who is in a tractor 
trailer or a truck going through a gate trying to use an iris 
scan. If I could set every person going into a port coming up 
to a kiosk and take the time I needed to take that iris scan 
and embed that in the card, then we would do that, but that is 
not the way the port operates. Now, if the port wanted to use 
an iris, they can use an iris and they can use a TWIC card as a 
pointer to get back to that biometric.
    Mr. Mica. So basically you are going to be issuing more 
than a million cards, reissuing the cards that have expired, 
without an iris component and I guess somewhat limited 
fingerprint component. I think one of the previous studies that 
Mr. Lord did was some of the flaws with the card that they 
could be tampered with.
    And, actually, I think on several occasions you thwarted 
the system, is that correct, Mr. Lord?
    Mr. Lord. Yes. We did some covert testing as part of our 
2011 report and this report as well. We dispatched covert 
testers to basically conduct two types of tests. We presented 
fraudulent identification documents. We were able to obtain an 
authentic TWIC and we also manufactured a TWIC, we basically 
made a fake TWIC; and we were able to access facilities using 
both types of credentials.
    Mr. Mica. Did you use any of the fake TWICs to thwart the 
pilot?
    Mr. Lord. At one site they were using a reader, but it is 
my understanding they had some problems with false positives, 
so our undercover investigators were waved in. Even after the 
entry guard tried to swipe it and it wasn't working, she still 
provided them access to the facility.
    Mr. Mica. Very good.
    Let me go to Mr. Connolly. I want to be fair with the 
members that are here.
    Mr. Connolly. Thank you, Mr. Chairman.
    Mr. Sadler, do you think the pilot program was successful?
    Mr. Sadler. I think the pilot program showed what we asked 
it to do.
    Mr. Connolly. Whoa. Time out. The pilot is the predicate 
for moving forward. It is kind of a critical question. Was it 
successful? Because GAO says that not only was it not 
successful; they are recommending the Congress decouple future 
regulations and standards from the pilot. Do you disagree with 
that?
    Mr. Sadler. I think it was successful in what we intended 
to do, which was show that if that reader was installed 
properly, if the operator was trained properly, if the 
individuals were trained properly in the use of the card and 
that reader was put in place based on the business requirements 
of that port, then the reader did its job with the TWIC card.
    Mr. Connolly. Mr. Sadler, we just heard testimony, and 
there is more in the report, you didn't test for durability. 
Durability of the card actually could be very important in 
terms of long-term security. The wet conditions are a problem 
in terms of accurate reading. You just heard Mr. Lord say they 
actually manufactured a fake card and, sadly, that fake card 
passed muster that all too often the differentiation between 
the fake card and the TWIC card failed in the readers.
    Now, you think that is just a matter of fine-tuning? And, 
by the way, another aspect of the GAO report is the cost 
figures were so flawed as to not be reliable, and they caution 
Congress don't read too much into that because the methodology, 
frankly, is not really an accurate picture of what it cost.
    What aspect, pray tell, of this pilot could be considered 
successful such that we could have confidence in moving 
forward?
    Mr. Sadler. If someone uses a card that is fraudulent, and 
I think it was shown in this case that the reader would not 
read that card, so that individual who came up with that 
fraudulent card did not get a positive read off the reader, 
from what I understand. And if the individual was allowed into 
that facility, the person should not have been let into that 
facility without a business need.
    Mr. Connolly. Time out.
    Mr. Lord, tell us how it worked.
    Mr. Lord. The card reader rejected the card; the person was 
allowed to enter the facility based on what they referred to as 
social engineering, some discussion with the guard, the 
security guard.
    Mr. Connolly. So they were able to bypass the card system 
entirely.
    Mr. Lord. Yes. They were able to basically talk their way 
in.
    Mr. Connolly. So you are saying that is not really a 
failure of TWIC; that is a breach of security protocols in 
general.
    Mr. Sadler. What I am saying is in that case it appears 
that the card and reader did their job; they didn't have a 
positive identification for that individual. And then the 
individual talked to the security guard, apparently.
    Mr. Connolly. So a separate issue.
    Mr. Sadler. That is a different issue completely than the 
card itself or the reader. If that person didn't have a 
business need to get into that port, that person should not 
have been let in.
    Mr. Connolly. But how do you respond, Mr. Sadler, to Mr. 
Lord's and GAO's recommendation to the Congress that the lack 
of efficacy of the pilot is such we should pass legislation to 
decouple it from moving forward? That is a pretty rare 
recommendation coming out of GAO.
    Mr. Sadler. I think that the TWIC card and reader, when 
installed properly, provides security value at the port. It is 
not a silver bullet; it is part of our layered security, and I 
think it provides value when it is used properly and installed 
properly.
    Mr. Connolly. Can you point to a place where it has been 
installed properly and it works and, therefore, we should have 
confidence in it?
    Mr. Sadler. In some of the pilot locations it has been 
installed properly.
    Mr. Connolly. For example?
    Mr. Sadler. In a Long Beach Port there was one single gate 
through the back, and I believe it was Long Beach, it might 
have been Los Angeles; I would have to go back and check. There 
was one single gate where, if you came into that back gate you 
had to use the card, you had to use the reader. It worked and 
we didn't see any appreciable backup in the flow of traffic. 
And I will go back and confirm that.
    Mr. Connolly. All right. Yes, I wish you would. You know, I 
spent 20 years, before I came here to Congress, in the private 
sector, and in two organizations that do a lot of security 
work, including port security, I might add. I spent 14 years in 
local government. The practice in both local government and in 
the private sector, when we were looking at a challenge, was to 
first look at best practices. We benchmarked ourselves against 
the competition.
    I will use local government rather than the private sector. 
I represented Fairfax County, a pretty advanced county 
government, big local government. So we would compare ourselves 
to DuPage in Illinois and Los Angeles County, and depending on 
the subject matter, how are they doing it? What are they doing? 
How does it work? What can we learn from their lessons?
    Did we do that before we decided to embrace TWIC as the 
answer to port security going forward? Because the chairman 
pointed out that there are other examples, seemingly, of cards 
that do seem to work and processes that do seem to work. What 
have we learned from those that we are trying to apply to what 
seems to be a flawed process here?
    Mr. Sadler. Well, we were required by Congress to issue the 
biometric credential, and we are doing that.
    Mr. Connolly. Excuse me, Mr. Sadler. If I may interrupt 
just one second. We take that point; the chairman addressed 
that. The cards he gave you as an example that seemed to work 
also include biometric data. This is not unique to TWIC.
    Mr. Sadler. Those cards are not working in the same 
environment we are working in.
    Mr. Connolly. Your argument is that the port environment, 
the maritime environment is unique and has special 
requirements?
    Mr. Sadler. Yes. The port environment is unique. And as far 
as durability of the card goes, some of the analysis that we 
saw, the use of the card was equivalent to use by DOD, use by 
park rangers. So this is a very tough environment. It is not 
the same as coming up to a kiosk in an airport, which is 
inside, which is a controlled environment. So I would say, yes, 
it is unique.
    Mr. Connolly. All right, my time is almost up, but if I 
could just add one last question on that.
    Mr. Lord, could you respond to that? What about that? This 
is a unique environment and some of your criticisms might be 
more applicable if we were talking about access to an office 
environment in a commercial office building, but you are not 
being cognizant of the unique attributes of the maritime 
environment.
    Mr. Lord. I think we are. We fully recognize the harsh 
maritime conditions the card is used within. The analogy we 
drew in our report was to the DOD CAC card. That card, in 
contrast to the TWIC card, is durability tested after it is 
personalized, which tends to introduce some vulnerabilities in 
the card when you add the little unique features; and that was, 
to me, an important distinction between the TSA approach and 
the DOD approach.
    As you know, if you have ever been abroad, Iraq, 
Afghanistan, that is the common access card they use in those 
types of environments, which we think are pretty harsh 
environments as well, and those cards are considered a success 
because they are considered more durable.
    Mr. Connolly. Thank you.
    Mr. Mica. Thank you, Mr. Connolly.
    Mr. Meadows?
    Mr. Meadows. Thank you, Mr. Chairman. I am going to pick up 
on some of the line of questioning that the ranking member 
brought up with regards to the pilot program and the existence, 
why we have a pilot program is hopefully to make determinations 
on whether we should proceed.
    You are saying that it is a congressional thing and, Mr. 
Sadler, I am sorry to point all these questions to you. This is 
not a personal thing and obviously I am looking to you for 
guidance on what we need to go forward with, because we have 
had, according to my research, six or seven studies already by 
GAO in terms of recommendations on this particular thing. Is 
that correct?
    Mr. Sadler. I don't know the exact number, sir, but there 
have been quite a few.
    Mr. Meadows. A number of them?
    Mr. Sadler. Yes, sir.
    Mr. Meadows. And each time, from what I understand, you 
have agreed, or your agency has agreed to the recommendations 
that the GAO has made, is that correct?
    Mr. Sadler. Yes, sir, I believe that is correct.
    Mr. Meadows. And so I guess my question is why have those 
not been followed up on or really, truly implemented? Is it 
because of the weather conditions that you are talking about?
    Mr. Sadler. I think that is part of it. It is not 
necessarily the weather conditions. I think the weather 
conditions are a part of it.
    Mr. Meadows. Well, I know that maritime constitutes salt 
water, generally; not always, but many times salt water. And I 
know that salt just eats the hell out of anything. So when we 
have this technology, is this something that could be viable 
long-term, or are we going to be spending another $3.2 billion 
five years from now to replace readers?
    Mr. Sadler. No, I think what we found in the pilot was that 
if the reader was installed properly and covered properly, that 
cut down on a lot of the issues.
    Mr. Meadows. Okay. And you have installed those readers at 
17 ports, is that correct?
    Mr. Sadler. Seventeen ports, 100 access points.
    Mr. Meadows. For the cost of $500 million?
    Mr. Sadler. No, the total cost of the pilot that we 
conducted to the ports was $15 million, and to the Government 
approximately $8 million. So the total amount of money expended 
for this pilot was $23 million.
    Mr. Meadows. All right, so we are talking about $23 million 
there for the pilot, is that correct?
    Mr. Sadler. That is correct.
    Mr. Meadows. Okay. And you have issued about 2.5 million 
cards, is that correct?
    Mr. Sadler. That is correct also.
    Mr. Meadows. So how many of those cards have been lost or 
stolen?
    Mr. Sadler. I would have to get back to you, sir, with that 
number; I don't have that off the top of my head.
    Mr. Meadows. Do you think you know exactly the number of 
cards that have been lost or stolen at your agency at this 
point?
    Mr. Sadler. I think we would have a pretty good idea. I 
don't know if we would know the exact number.
    Mr. Meadows. So everybody that loses a card or has one 
stolen, with the transient nature of employment, would call you 
and let you know?
    Mr. Sadler. They would have to call and get a replacement 
card, yes.
    Mr. Meadows. Only if they were trying to get back in.
    Mr. Sadler. Yes, sir.
    Mr. Meadows. But if they lost it and they were unemployed, 
would they call you?
    Mr. Sadler. If they needed the card, they would call us.
    Mr. Meadows. But only if they needed it. My point is when 
we have this and we are looking at this biometric there, if 
these cards are transient and you have no kind of iris 
screening that would connect them, for a million bucks maybe I 
give my card to somebody else. So does it actually provide a 
more secure environment, with the transient nature of this and 
with nothing that is actually tied to the person that you issue 
it to?
    Mr. Sadler. We can't eliminate that risk, sir; we can try 
to mitigate it. And that is why I would say we need the 
readers.
    Mr. Meadows. All right.
    Mr. Sadler. Just as the GAO mentioned, when they tried the 
card where a reader was positioned, it didn't acknowledge that 
card. It was social engineering that got it through, not a 
fraudulent TWIC.
    Mr. Meadows. So if you were to come back before Congress 
and say, well, we are doing this because Congress told us we 
had to do it, if we were to put forth a piece of legislation 
today that says Congress changed its mind because this is not a 
wise investment of hardworking American taxpayers' dollars, 
would you endorse that?
    Mr. Sadler. Well, we would try our best to comply with 
whatever statute Congress passed.
    Mr. Meadows. But if you were in my shoes, would you put 
forth a piece of legislation, knowing what you know over the 
last 11 years, that we have spent over $500 million and we are 
still yet to have secure ports, would you make that 
recommendation? If you were going back home and people were 
going to say, well, it is my money, are you being responsible, 
is that the kind of decision you would make?
    Mr. Sadler. What I would tell my constituents, I would say 
TWIC is a valuable security tool.
    Mr. Meadows. It is a valuable security tool.
    Mr. Sadler. Yes. And I believe that.
    Mr. Meadows. And you make that based on 17 installations 
out of 360?
    Mr. Sadler. Seventeen installations, 100 access points, 156 
readers, 400,000 pieces of data.
    Mr. Meadows. Okay. How sure are you that we are only going 
to spend $3.2 billion to implement this? On the level of 10 
being the highest that you are absolutely confident, how sure 
are you, Mr. Sadler?
    Mr. Sadler. Well, the life cycle cost estimate that was 
conducted, I believe, in 2005 had a limit of $694 million up to 
$3.2 billion.
    Mr. Meadows. During the pilot have you had cost overruns?
    Mr. Sadler. No, sir.
    Mr. Meadows. Because there was no budget. So it is hard to 
go over or under a budget.
    Mr. Sadler. No, there was a budget.
    Mr. Meadows. Okay.
    Mr. Sadler. There was $23 million in grants that were let 
to the facilities, there was $8 million let to TSA, and it is a 
fee-funded program. So if you have a fee-funded program, you 
cannot go over budget.
    Mr. Meadows. So as long as they are paying for it, you 
don't go over budget. Because I am reading in the GAO there 
were some concerns with regard to some of the issues in how we 
implement this, and we have, obviously, a Government-centric 
focus here. Do you think we ought to reevaluate that and go 
with something that is not Government-centric? Or is the 
Government the best place to provide security here?
    Mr. Sadler. I don't know exactly what you mean, sir.
    Mr. Meadows. Well, it is all about calling into a 
Government call center to provide these particular cards, and 
as we look at that it is all about the Government providing it. 
Could a private agency do a better job than we are doing?
    Mr. Sadler. I don't think so, sir, because a private agency 
is not going to have access to the information we have access 
to to make those decisions.
    Mr. Meadows. So there is no private security that could 
provide that. So you are saying basically because of the 
information with regards to the matrix with fingerprinting, 
etcetera?
    Mr. Sadler. In my opinion, I think that is correct.
    Mr. Meadows. So your recommendation is to continue to go 
forward with this plan?
    Mr. Sadler. My recommendation is to implement readers in 
the maritime environment.
    Mr. Meadows. I can see my time is up, so let me finish up 
with this line of questioning. We have been here for 11 years. 
We have yet to have really new port security. In fact, you even 
mentioned that we have issues. The GAO report mentions that we 
have issues. So we don't have a more secure environment in 11 
years.
    At what point can I tell my folks back home that we are 
going to have more secure ports, is it five years, six years? 
You have $3.2 billion to spend, so at what point do we have a 
more secure environment?
    Mr. Sadler. You can tell them that today, sir.
    Mr. Meadows. So it will be more secure today?
    Mr. Sadler. It is already more secure. You have a common 
credential; you have a consistent security threat assessment 
that nobody has done before.
    Mr. Meadows. So you have reached your objective?
    Mr. Sadler. No, sir, we have not.
    Mr. Meadows. So my question, you know what I am meaning, at 
what point do we reach our objective, Mr. Sadler?
    Mr. Sadler. We reach our objective when we get readers 
installed.
    Mr. Meadows. All right, which will be when?
    Mr. Sadler. I defer to the Coast Guard and their time 
schedule. They have an MPR out now; they are taking comments. 
They are going to adjudicate the comments and get a final rule.
    Mr. Meadows. So we needed to have the Coast Guard here. And 
you are saying that they can implement it with the pilot 
results that you have right now?
    Mr. Sadler. I am going to defer to the Coast Guard on which 
results from that pilot program they use and which they don't 
use.
    Mr. Meadows. So if it fails, whose fault will it be, yours, 
TSAs because of the pilot, or the Coast Guard for 
implementation?
    Mr. Sadler. That is a hard question to answer, sir. I am 
the responsible executive at TSA for this program, so I don't 
think failure is an option. I know failure isn't an option, but 
that is a difficult question to answer because I am 
presupposing that I know why it failed, if it does, and I don't 
believe that it will.
    Mr. Meadows. Well, the pilot should have told us that. But 
I am way over time.
    I appreciate our indulgence, Mr. Chairman, and I yield 
back.
    Mr. Mica. Well, let me just follow up on that.
    Now, wait a second. You are shifting the responsibility to 
the Coast Guard, but you provided the Coast Guard the data on 
which they are going to evaluate their response to you, is that 
correct?
    Mr. Sadler. Sir, I am not shifting responsibility to the 
Coast Guard. What I said was we provided data to the Coast 
Guard.
    Mr. Mica. But Mr. Lord said that the data you provide, I 
mean, his whole report shows the data is flawed and the test 
results can't, you didn't even have clear baseline data from 
which you started.
    Mr. Connolly and I, Mr. Cummings and the others that were 
here, our investigators did not go after this; we rely on GAO 
to evaluate what you are doing with the pilot program, and they 
came back with one of the most critical reports I have seen. 
So, again, you are telling us that you are giving the data and 
the Coast Guard is going to evaluate it based on the data, 
which is flawed, according to the GAO.
    Mr. Sadler. Well, we believe there is meaningful data in 
that pilot report, and we provided that to the Coast Guard.
    Mr. Mica. You cited one place where you thought this worked 
at some back gate, and you weren't sure if----
    Mr. Sadler. Well, you asked me for an example, sir, and I 
gave you that example.
    Mr. Mica. But that is at one back gate.
    Mr. Sadler. And the reason I gave you that example was 
because that was a controlled gate; that wasn't an area where 
you might have eight gates with only two readers.
    Mr. Mica. How much have we spent on the pilot project?
    Mr. Sadler. Twenty-three million dollars.
    Mr. Mica. Twenty-three million dollars.
    Pretty good, Mr. Connolly. We got that one back gate 
secure. All this data that was collected without reliability.
    Mr. Lord, I thought you said that others could do this, and 
in harsh conditions.
    Mr. Lord. Chair, before I respond to that, I think I would 
like to address one point Mr. Sadler raised. I think there is 
broad agreement among most stakeholders that there is some 
value in the program, and that is the background check that is 
conducted.
    Mr. Mica. Yes. And, you know, he didn't do a very good job 
on that. If I were him, I would have said, well, we stopped 
50,000 people from actually getting the cards.
    Mr. Lord. But I agree with Mr. Sadler. He did mention that 
was one of the values of the program. But beyond that, I think 
that is where, to us, it gets a little fuzzy, because that was 
one option that wasn't really considered at the start of the 
program. What if the Government did the background checks and 
we left the issuance of the credential to the local ports? That 
is essentially what they do with the CITA model with the 
airports.
    Mr. Mica. Actually, this became an issue. I forgot Mr. 
Connolly and I were discussing it. I was telling him, in South 
Florida, about 25 percent of our port workers had criminal 
backgrounds, and this actually came into Congress, I think, Mr. 
Connolly, as to what we could consider in background checks. 
What do you consider now? I thought we set the standard because 
I know it became a big brouhaha.
    Mr. Lord. They do criminal record checks.
    Mr. Mica. How far back? You couldn't do State checks versus 
Federal or something. What is the status of what?
    Mr. Lord. It depends on the disqualifying crime. Some 
crime, such as murder, is an unlimited look back; other crimes 
are seven years or five years from release of incarceration.
    Mr. Mica. I think that is what we got into, yes.
    Mr. Lord. Well, we do use State records. We receive State 
records from 40 States now that we utilize in the background 
check.
    Mr. Mica. Well, again, we spent $23 million just on the 
pilot program. We are 11 years away from when we passed the 
initial legislation. We don't have a reader. We are going to 
issue, again, another million-plus cards, and they don't have 
the capability that Congress originally intended because, 
again, you say another agency has not set the standard for 
iris.
    Any hope of when, again, we could actually see this happen 
if we go through the Coast Guard process, any processes that 
you have? And then when would you pick a reader, guesstimate? 
And then when would they be deployed; will it be in the next 
decade?
    Mr. Sadler. Well, sir, I would have to defer to the Coast 
Guard on the time line as they are promulgating the rule. I 
can't answer that question.
    Mr. Mica. Who actually issues the TWIC card, the Coast 
Guard?
    Mr. Sadler. No, we issue. That is our responsibility, to 
issue the TWIC.
    Mr. Mica. I thought the Coast Guard was sort of the 
enforcement agency.
    Mr. Sadler. They are.
    Mr. Mica. They do a great job. Thank God for the Coast 
Guard, because they are there 24/7, low pay, and guarding the 
ports at entry points far beyond these gates, also making 
certain that our maritime facilities are secure.
    Okay, let's work this out. Remember my Groundhog Day? I 
want to know how many more times we are going to do this. So 
you have the Coast Guard, now this rulemaking. Is that an open-
ended thing or is there a time frame?
    Mr. Sadler. Ninety-day comment period from March 22nd.
    Mr. Mica. Okay. And then you expect them to digest this? 
Are they going to get back with you? What is the process? 
Explain it.
    Mr. Sadler. The process is that they have public meetings.
    Mr. Mica. After the rulemaking or during the rulemaking?
    Mr. Sadler. During this 90-day period.
    Mr. Mica. We got to that.
    Mr. Sadler. Then they receive written comments.
    Mr. Mica. I got to 90 days.
    Mr. Sadler. Ninety days.
    Mr. Mica. Then what is going to happen?
    Mr. Sadler. Then they take the written comments, they take 
the verbal comments from their public meetings, they adjudicate 
those comments, and then they start to develop the final rule.
    Mr. Mica. And any guess as to?
    Mr. Sadler. No, sir, I don't.
    Mr. Mica. No guess?
    Mr. Sadler. No, sir.
    Mr. Mica. Mr. Lord?
    Mr. Lord. Yes. I think it is worth noting the Coast Guard 
recently extended the comment period by 30 days. It may be 
beneficial, given all the issues we discussed at today's 
hearing, to perhaps extend it another 30 days to get additional 
stakeholder comments. I imagine there are going to be a lot of 
comments generated in the next few weeks.
    Mr. Mica. Mr. Sadler, how long have you been with TSA?
    Mr. Sadler. Since September 22nd, 2003.
    Mr. Mica. From the beginning. So you have been there to see 
that this is something we have tried to put into place for more 
than a decade, and we seem to, at every turn, not make the 
progress that Congress originally intended. We don't, again, 
have a card, I think, that is adequate and we don't have 
readers or a program really to get a reader in place, so it is 
very frustrating. We have spent half a billion dollars on this 
and we have a card now that is flawed; and not by my 
definition, but by GAO's evaluation.
    Mr. Lord, have you got any idea how this will all end?
    Mr. Lord. I really don't, sir. That is more a matter for 
Congress and the executive agencies. Our role is simply to 
respond to the mandate and the Coast Guard Authorization Act to 
study the results of the pilot and provide the report to 
Congress, so that is what we did. On the other hand, we have 
reported extensively on other TWIC-related issues in the past. 
It will be interesting to see how it progresses after today.
    Mr. Mica. Well, I believe there have been enough models out 
there and enough opportunities to adopt a better system. It may 
not be flawless, but, for the money we have spent and the 
results we have gotten, this is a pitiful commentary to be here 
May 2013 and still in this situation.
    Mr. Connolly?
    Mr. Connolly. Thank you, Mr. Chairman.
    I guess in addition to just the facts here, I am bothered 
by two Federal agencies coming to two different conclusions 
based on the data available. Mr. Lord and GAO have taken the 
position, if I understand it correctly, that the efficacy of 
the pilot is flawed such that we should not rely on it. It 
should not be a guide as we move forward, or something that can 
be adhered to as a guide because it is so flawed in its 
methodology in almost all respects, except there are some 
ancillary things that produced positive externalities, but not 
by design, you know, background checks or whatever.
    Mr. Sadler, if I understood your testimony correctly, you 
believe that is not correct; that there is reliable data, at 
least sufficiently reliable that you and the Coast Guard can go 
forward in expanding the pilot to other facilities. Is that 
accurate?
    Mr. Sadler. What I said, sir, was I think there is enough 
reliable data to support the conclusions of the pilot itself, 
which are that the reader, when installed properly, operated 
properly, and when the individuals are trained properly, 
whether it is the operator or the individual with the TWIC 
card, that the reader works properly.
    Mr. Connolly. And you say that the GAO report and evident 
lack of confidence in same notwithstanding.
    Mr. Sadler. I am sorry, sir, could you repeat that?
    Mr. Connolly. You are saying that you are fully aware of 
GAO's findings and reports that come to a very different 
conclusion.
    Mr. Sadler. Well, that was our conclusion when we wrote the 
pilot report that we sent to Congress, so, yes, that is what I 
am saying. So we agree in many areas with GAO, and we have to 
agree because our pilot report itself pointed out many of the 
same challenges that GAO pointed out as well. So we admitted to 
those and we know it is a challenge.
    Mr. Connolly. But here is the fundamental difference, Mr. 
Sadler. GAO has come to the conclusion that those flaws, 
deficiencies, problems, and lack of accurate data because of 
methodology flaws are of sufficient gravity that Congress 
should not rely on the pilot. You, in your position on behalf 
of TSA, are saying quite the opposite. You are saying we are 
going to rely on it; we don't agree that it is so flawed that 
it can't be relied upon. And that is what I mean. Their 
findings notwithstanding, you intend to go forward based on the 
pilot, even though GAO is saying to Congress we actually think 
you ought to decouple it from the pilot, it is that flawed.
    Mr. Sadler. Well, sir, we have to go forward. We have been 
directed to issue the credential; we have been directed to 
install readers. And unless Congress gives us other direction, 
then we are going to go forward.
    But we still stand by the fact that there was enough 
information gleaned from the pilot to support our conclusions 
in the pilot report. Then we take that information, we give it 
to the Coast Guard, and that is why I defer to the Coast Guard, 
because the Coast Guard takes that information and they use it 
based on how they think they need it, how they weight it, if 
they shouldn't use it. So I am not shifting responsibility to 
the Coast Guard, it is just the fact that they are writing the 
rule.
    Mr. Connolly. Surely, Mr. Sadler, you can sympathize, 
though, with a taxpayer concern that if we have such a flawed 
entity in the pilot, why not acknowledge that and find another 
paradigm with which we are more comfortable, and there are 
other models that seem to work in harsh environments, albeit 
maybe not a maritime one, as opposed to slavishly sticking to 
the pilot because statute cites it?
    I mean, you are here to give advice today, as well as to be 
accountable to Congress, and if it is your studied judgment 
that we did our college best, but the pilot failed, or it is 
sufficiently flawed that, in good conscience, if you asked my 
opinion, I would find something else as a model to base going 
forward on rather than the pilot.
    And I don't want to mischaracterize, but what I am hearing 
you saying is you don't, that is not your opinion; your opinion 
is the pilot, flaws and all, is going to give us sufficient 
data and is sufficiently efficacious that I have confidence 
that we can move forward based on what we learned from that 
pilot.
    Mr. Sadler. And I want to be careful how I say this because 
I do have to defer to the Coast Guard, but the pilot data is 
one of many sources that the Coast Guard used in promulgating 
their rule. So what I said, and what I will say again, is that 
we believe we got sufficient data in sufficient quantity, in 
sufficient quality, to support the conclusions of that pilot 
itself, which was that if the readers are installed properly, 
people are trained properly, and they were purchased and 
installed based on the requirements of that particular port, 
then they work properly and they can be used to help make 
access decisions. Those were the conclusions of the pilot.
    Mr. Connolly. Okay. The record will show that is in 
distinct contrast to the GAO point of view. Okay.
    Final set of questions, Mr. Chairman, if I may.
    Mr. Lord, you cited in our previous round of questioning 
harsh conditions in Afghanistan and Iraq, war conditions, and 
lots of weather challenges too, I might add. I have been to 
both. But they use an access card that includes biometric 
information, is that correct?
    Mr. Lord. Yes. It is called the common access card, the CAC 
card.
    Mr. Connolly. CAC card. And how many CAC cards have been 
issued?
    Mr. Lord. That is a good question. I am not the subject 
matter expert on that. I know just from personal experience. I 
was deployed to Iraq for GAO for three months and I had one and 
it seemed to work and I never had an issue with it.
    Mr. Connolly. Hundreds of thousands of contractors?
    Mr. Lord. Absolutely. And the servicemen themselves.
    Mr. Connolly. And the servicemen. Well, when you look at 
the total number that have come through Afghanistan and Iraq, 
it is well over a million, probably, right?
    Mr. Lord. Yes.
    Mr. Connolly. So we have had a lot of these cards issued. I 
don't know if it approaches the TWIC, but it would be fairly 
comparable, is that correct?
    Mr. Lord. I believe so. I don't have the exact numbers. But 
again I cited it as a success. That is an example where the 
Government was able to issue----
    Mr. Connolly. Yes. I am back to my benchmarking. We 
actually have an example, and the security challenge is 
paramount. That is why we issued these CAC cards, to make sure 
bad guys don't get into sensitive facilities or, for that 
matter, even canteens, where lots of our servicemen and women 
are congregating, assuming it is a safe harbor; and it works. 
And it has been working for how long?
    Mr. Lord. For how long? That is a good question. I don't 
know the answer.
    Mr. Connolly. Well, we have been at war for 12 years, so 
presumably most of the duration of that 12 years. Almost 
paralleling the same time frame that the chairman cited in his 
frustration, understandable frustration, where we have been 
trying to work this out in the ports. And I guess I just wonder 
what is the likelihood we could perhaps learn from a successful 
lesson and try to apply it to TSA.
    Mr. Lord. Well, that is obviously an option. You know, 
there is another option. It is not, obviously, my call, but 
they could rerun the pilot on a limited scale and resource it 
and oversee it correctly. That is obviously one option. Or you 
could pursue a different model, as you suggested, you know, 
have the Government do the background checks and have the local 
ports provide the credential. That is what I call a hybrid 
option. But, again, that is not my call, that is the Congress's 
call.
    Mr. Connolly. I know it is the chairman's intention, 
perhaps, and I would join him in this if that is what he wishes 
to pursue, where we are going to hear from different examples 
of Federal agencies using these kinds of access cards, and 
undoubtedly we will have TSA back, but it will be most 
instructive to hear more about how the DOD has successfully 
managed to create and deploy a card that seems to work.
    Mr. Lord. In harsh conditions. Actually, they would 
probably be a very good witness to have at your upcoming 
hearing.
    Mr. Connolly. Thank you very much.
    Mr. Chairman, I yield back and I thank you for holding this 
hearing. It is most illuminating.
    Mr. Mica. Well, thank you, Mr. Connolly. We will work with 
you.
    I think, again, our intent is to sort of end this Groundhog 
Day and not have another one of these hearings. Again, there 
are just so many of them. I just was reminded by the staff, Mr. 
Connolly, that we had a one-year pilot program testing the 
readers back in 2006 at the Port of New York and New Jersey, 
and we had collected data on fingerprints at that juncture. But 
we have done that pilot program, we have done these pilot 
programs. Now we are at this stage and Mr. Lord said it might 
be valuable to go back and do another pilot program again with 
some data that is reliable.
    Mr. Sadler, you said we spent $23 million on this pilot. Is 
there any money left?
    Mr. Sadler. I believe there is some grant money. And out of 
the $23 million, as I understand it, the ports expended $15 
million of the grant money.
    And I would like to make a comment on the DOD, and maybe 
Mr. Lord can answer this. The DOD may be using a contact mode 
only, and I don't know if that is accurate or not.
    Mr. Mica. But, you know, it is amazing. Are you the head of 
this program for TSA?
    Mr. Sadler. I am the senior responsible executive.
    Mr. Mica. And you don't know about the other programs?
    Mr. Sadler. If they are using a CAC card, that is a contact 
biometric, sir.
    Mr. Mica. I think the first thing I would do, if I were the 
head of this, Mr. Connolly, find out what works, is somebody 
doing it. Are we reinventing the wheel?
    Mr. Sadler. Well, I will tell you, sir, contact is not 
going to work in the maritime environment. And if the CAC card 
is using a contact biometric, where you have to put the card 
into a reader and put a PIN in, you are not going to get trucks 
and individuals through those gates using a contact mode.
    Now, to fix that problem, we actually developed a 
specification with industry to wirelessly transmit an encrypted 
biometric. There is no standard in the Federal Government for 
that today. So if we compare models, we need to compare similar 
models.
    Mr. Connolly. Mr. Sadler?
    Mr. Chairman?
    Mr. Mica. Go ahead.
    Mr. Connolly. If I could just follow up on the chairman's 
point, Mr. Sadler. I am not trying to put you on the spot, but 
instead of theorizing about what CAC does or does not do, or 
whether it is applicable or it is not applicable, how about 
finding out? Would it be worth it? Would you be willing to 
commit that TSA is going to actually look at how CAC works?
    Mr. Mica. Not just CAC, Mr. Connolly, but others. There are 
programs that do work.
    Mr. Connolly. And let's see if we can't fold that into our 
experience with our own pilot and see if we can't make a better 
product. Our interest here is success, it is not laying blame; 
and we would like to partner with you, but if we have a model 
that is successful, and you may be absolutely right, it may not 
fully be applicable, it may not be applicable at all, but 
trucks have to go to remote locations in Afghanistan, and 
previously Iraq, long convoys, so there may be comparable 
aspects of this that we could benefit from.
    So I wonder if you would be willing to make that 
commitment, that you are going to look at that to see if there 
are aspects of it that could be relevant as we fold in lessons 
learned in the pilot.
    Mr. Sadler. We will look at anything, sir, to make this 
pilot better and to make the result better.
    Mr. Connolly. I thank you for that commitment.
    Mr. Sadler. And my comment was not meant to infer 
otherwise.
    Mr. Mica. And maybe we will give him about 60 days or 
something like that, Mr. Connolly; call him back and see what 
he has learned that is out there that may be applicable, get an 
evaluation of where they are. Again, maybe you could come back 
to the committee with a better time line. We have this 90-day 
review in place.
    And then maybe, if there is money left over, Mr. Lord and 
this report says that some of the basis by which you are 
proceeding is flawed. Even the data that is given to Coast 
Guard by which you are making a further evaluation isn't up to 
date. But, my God, this thing is going on forever. We do not 
have readers.
    The other thing, too, what is the agency that sets the 
standard for the high risk?
    Mr. Sadler. NIST.
    Mr. Mica. Yes. Could you write them and ask them when they 
think they will have that standard? I have had them before 
Congress several times. I would just be curious if you would 
write them, and then I will ask the committee staff, we will 
sign a letter together, when they will have this ready. It was 
coming some years ago in the summer, and then it was coming in 
the fall, and then it was coming in mid-January. We still don't 
have this. And then maybe if we don't, we can find some 
standards that Congress could adopt or something.
    But to issue cards that do not have a biometric component 
that is reliable, cards that can be thwarted, which GAO has 
done in covert testing, and to have this system in place at 
great expense both to the truckers and the transportation 
workers, and maybe 129 doesn't sound like a lot to us, but to 
again have this whole thing not working and not as it was set 
out to provide us with some firm identification.
    Now, we are just looking at TWIC. We are going to look at 
global entry, we are going to look at the CLEAR card, we are 
going to look at the pilot's license, all these IDs that TSA 
and Homeland Security have some say in, and try to see what we 
can do to ensure that we have better identification, because we 
are putting ourselves at risk. We are not knowing who we are 
dealing with. And if we can know that, you can speed up the 
process, the inconveniences to passengers, to business, 
truckers, to port personnel.
    So that is our intent. I want to thank, again, Mr. Connolly 
for his involvement, Mr. Cummings, Mr. Meadows, and others. We 
have a small panel, so we can have this nice exchange. We will 
be back.
    There being, I guess, no further business before the 
subcommittee, I thank the witnesses for being with us. I thank 
you and the committee stands adjourned.
    [Whereupon, at 10:29 a.m., the subcommittee was adjourned.]

                                 
