b'<html>\n<title> - FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n \n         FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS\n\n                                 of the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED THIRTEETH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 9, 2013\n\n                               __________\n\n                           Serial No. 113-25\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n81-281                    WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202\xef\xbf\xbd09512\xef\xbf\xbd091800, or 866\xef\xbf\xbd09512\xef\xbf\xbd091800 (toll-free). E-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c0a7b0af80a3b5b3b4a8a5acb0eea3afadee">[email&#160;protected]</a>  \n\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 DARRELL E. ISSA, California, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York\nPATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of \nJIM JORDAN, Ohio                         Columbia\nJASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts\nTIM WALBERG, Michigan                WM. LACY CLAY, Missouri\nJAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts\nJUSTIN AMASH, Michigan               JIM COOPER, Tennessee\nPAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia\nPATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California\nSCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, \nTREY GOWDY, South Carolina               Pennsylvania\nBLAKE FARENTHOLD, Texas              MARK POCAN, Wisconsin\nDOC HASTINGS, Washington             TAMMY DUCKWORTH, Illinois\nCYNTHIA M. LUMMIS, Wyoming           ROBIN L. KELLY, Illinois\nROB WOODALL, Georgia                 DANNY K. DAVIS, Illinois\nTHOMAS MASSIE, Kentucky              PETER WELCH, Vermont\nDOUG COLLINS, Georgia                TONY CARDENAS, California\nMARK MEADOWS, North Carolina         STEVEN A. HORSFORD, Nevada\nKERRY L. BENTIVOLIO, Michigan        MICHELLE LUJAN GRISHAM, New Mexico\nRON DeSANTIS, Florida\n\n                   Lawrence J. Brady, Staff Director\n                John D. Cuaderes, Deputy Staff Director\n                    Stephen Castor, General Counsel\n                       Linda A. Good, Chief Clerk\n                 David Rapallo, Minority Staff Director\n\n                 Subcommittee on Government Operations\n\n                    JOHN L. MICA, Florida, Chairman\nTIM WALBERG, Michigan                GERALD E. CONNOLLY, Virginia \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJUSTIN AMASH, Michigan               JIM COOPER, Tennessee\nTHOMAS MASSIE, Kentucky              MARK POCAN, Wisconsin\nMARK MEADOWS, North Carolina\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on May 9, 2013......................................     1\n\n                               WITNESSES\n\nMr. Stephen Sadler, Assistant Administrator, Office of \n  Intelligence and Analysis, Transportation Security \n  Administration\n    Oral Statement...............................................     7\n    Written Statement............................................     9\nMr. Stephen A. Lord, Director, Forensic Audits and \n  Investigations, U.S. Government Accountability Office\n    Oral Statement...............................................    16\n    Written Statement............................................    18\n\n\n         FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS\n\n                              ----------                              \n\n\n                         Thursday, May 9, 2013,\n\n                  House of Representatives,\n             Subcommittee on Government Operations,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittee met, pursuant to call, at 9:00 a.m., in \nRoom 2154, Rayburn House Office Building, Hon. John Mica \n[chairman of the subcommittee] presiding.\n    Present: Representatives Mica, Massie, Meadows, Connolly, \nand Cummings.\n    Staff Present: Ali Ahmad, Majority Communications Advisor; \nAlexia Ardolina, Majority Assistant Clerk; Molly Boyl, Majority \nParliamentarian; Sharon Casey, Majority Senior Assistant Clerk; \nAdam P. Fromm, Majority Director of Member Services and \nCommittee Operations; Linda Good, Majority Chief Clerk; Ryan M. \nHambleton, Majority Professional Staff Member; Michael R. Kiko, \nMajority Staff Assistant; Mitchell S. Kominsky, Majority \nCounsel; Mark D. Marin, Majority Director of Oversight; Laura \nL. Rush, Majority Deputy Chief Clerk; Scott Schmidt, Majority \nDeputy Director of Digital Strategy; Jaron Bourke, Minority \nDirector of Administration; Devon Hill, Minority Research \nAssistant; Lucinda Lessley, Minority Policy Director; Rory \nSheehan, Minority New Media Press Secretary; and Cecelia \nThomas, Minority Counsel.\n    Mr. Mica. Good morning. I would like to call this \nsubcommittee hearing of Government Operations Subcommittee of \nthe House Government Oversight and Reform Committee to order.\n    Welcome, everyone, this morning. The topic of today\'s \nhearing is Federal Government Approaches to Issuing Biometric \nIDs. It looks like a relatively brief hearing. We have two \nwitnesses that will be participating and I will introduce them \nshortly.\n    The order of business today, we will hear members\' opening \nstatements, then we will hear from our two witnesses, and then \nwe will have a round or rounds of questioning, as appropriate.\n    So, with that, let me again welcome everyone. I want to \nagain state on behalf of the committee that we believe we have \na very important mission of oversight. This committee exists \nfor a very fundamental purpose, two basic principles. First, \nthe American people have the right to know how their money is \nspent that Washington has taken from them. We have the \nfiduciary responsibility of seeing how it is expended and what \nprograms are successful, what are unsuccessful, making certain, \nfirst of all, that the American public, our Nation is secure.\n    And I think, finally, the American public deserves an \nefficient, effective Government that works for them. We have \nthat important responsibility in this committee and we intend \nto protect those rights. We want to hold Government accountable \nfor the taxpayers and make certain that we, through these \nhearings and the proceeding today, that we keep the executive \nbranch and others charged with important responsibilities true \nto the intent and legislative purpose that Congress has set \nforth.\n    So that is our purpose. I look forward to working with Mr. \nConnolly, our ranking member, and members of the subcommittee \nto continue this effort, and thank them for their cooperation \nthis morning.\n    On November 25th, 2002, then_President Bush signed the \nMaritime Transportation Security Act of 2002. That is more than \na decade ago and that legislation set forth the credentialing \nfor individuals that are entering some of our port facilities \nand regulated facilities that accommodate vessels and maritime \ntraffic.\n    According to the GAO, from 2002 to 2012, an excess of half \na billion dollars has been spent in that effort, some $540 \nmillion. About a quarter of a billion dollars raised on fees \nfrom some of the workers and other folks, and then about a \nquarter of a billion dollars in public money and grants.\n    According to CRS, since we first issued the cards in 2007, \nabout 2,001 cards have been issued. The cost initially was \n$129.75 for the past number of years and there is a proposal \nnow that some of the workers can extend their cards for a fee \nof $60. The card was intended from the very beginning, and \nhaving participated in that process, to have a biometric \ncomponent, to be a secure, durable identification that could \nensure the identity of those entering, again, those secure \nareas in our port facilities.\n    We have had at least four hearings that I know of, some on \nthe Transportation Committee, some on some subcommittees, \nreviewing the progress of this card. I think if you will look \nat a poster child for programs that sort of run amok and do not \nget the job done, that the TWIC card, as it is affectionately \nknown, Transportation Worker Identification Card, is \nunfortunately the poster child, again, for not producing what I \nthink Congress intended.\n    Despite all the time that has lapsed, the hearings that \nhave been conducted, GAO continues to find that TSA is failing \nto properly administer the TWIC program. The latest report we \nhave has just come out. This is March 2013. It cites a whole \nhost of problems with the program. First of all, we wanted the \ncard produced with biometric capability. The card had some \ncapability, fingerprint; it doesn\'t have iris, as I understand \nit. The cards were issued. Since 2007 the cards have not had \nthe capability of having a reader. Congress had passed \nadditional legislation trying to get the reader program \nengaged, and we will hear today that while GAO is testing some \nof the equipment, that we still do not have readers deployed in \na universal manner to read the cards.\n    So what you have is a farcical system of a card that, and \nnot by my evaluation, but previous GAO studies have shown, is \nnot what we intended; it is tamperable. It has actually been, \nin testing by GAO, it has been found to be deficient and, \nagain, it is a card that can also be easily reproduced.\n    So what you have is, again, a card that is produced at \ngreat expense to individual workers, great expense to the \nGovernment; does not have a guaranty that it is a secure card, \nthat is, tamperable; it has become a joke among transportation \nworkers because at almost every port they are now required to \nproduce a driver\'s license or some other identification that is \nused for entry.\n    So this sort of goes on and on. After, again, spending an \nincredible amount of money, TSA and the independent tests \nagent, they found did not even have a clear record of baseline \ndata for comparing operational performance at access points \nwith the TSA readers. This is in the testing. GAO went on to \nfind that TSA and the independent test agent did not collect \ncomplete data on malfunctioning TWIC cards.\n    I know this is a long explanation of where we are, but I \nthink it deserves sort of an update for the record. We again \nare faced with more than a decade delay in producing what \nCongress intended. Now years have gone on trying to get a \nreader that is approved.\n    The final thing I would just point out to Mr. Connolly and \nother members is other agencies do have cards. Most recently, \nhere is our TWIC card, a little mockup of it. Again, I think \nsome of you may have seen this before, the TWIC card, again \nflawed. Here is a clear card which a private company has \nproduced, and it actually has biometric, both fingerprint, and \nI think it is all five fingers, and iris; and it is in use. We \nfound other agencies that have readers and they also have cards \nthat have both components that Congress was trying to get some \nyears ago.\n    So this is very frustrating and the purpose of the hearing \nis to review where TSA is and where we are going to go.\n    With that, I would like to recognize our ranking member, \nMr. Connolly.\n    Mr. Connolly. Mr. Chairman, thank you, and thank you for \nyour leadership on this issue and for holding this hearing. I \ncan\'t help but observe there are two lonely members of the \npress at the press table. Yesterday we had dozens and dozens \nand dozens.\n    Mr. Mica. This isn\'t Benghazi.\n    Mr. Connolly. And yet the Benghazi hearing basically \nuncovered nothing. Actually, today\'s hearing potentially has so \nmuch more of an impact in terms of U.S. security, but I guess \nit is not a particularly sexy subject, at least when it comes \nto the media. But I think it is very important to our Country\'s \nsecurity.\n    And again I thank you for your leadership, Mr. Chairman. I \nknow you cared about this in your previous capacity at \nTransportation and Infrastructure as chairman, and I am so glad \nyou bring that sensitivity to this committee as well.\n    All of us want to make sure that our transportation system \nis secure. Every day our transportation system moves more than \n1.4 million shipments of hazardous materials, any of which \ncould be potentially of harm to Americans. As we all know, \nsecuring all of this cargo is very daunting, but we know it is \nimperative to the safety of the Nation.\n    The Maritime Transportation Security Act of 2002 requires \nthe Department of Homeland Security to issue a biometric \ntransportation security card, TWIC, to identify individuals who \nwill be allowed unescorted access to the secure areas of ports \nand vessels. The biometric information contained in the card \nincludes, of course, as the chairman indicated, fingerprints \nand a digital photograph. TSA is responsible for the issuance \nof the card, while the United States Coast Guard is responsible \nfor enforcing its use.\n    TWIC cards are intended to be utilized with an electronic \nreader that would simply scan the card to determine entry into \nthe respective facility. Under the Safe Port Act of 2006, DHS \nwas required to conduct a pilot program on the efficacy of the \nTWIC card readers. Unfortunately, the most recent GAO report, \nwhich we are going to hear about today, found significant \nmethodological problems with the study.\n    Specifically, GAO determined that TSA lacked data analysis \nplans, performance standards, or sampling methodology \ndevelopment prior to selection of participating facilities and \nvessels in the TWIC reader pilot. In addition, GAO also found \nthat the finalized TWIC cards did not undergo any level of \ndurability testing, which is problematic considering the use of \nthese cards will be in sometimes harsh, wet, maritime \nenvironments, which was also cited by the GAO report.\n    These findings are disappointing and of great concern. I, \nfor one, want to know why the Department has not responded \nfavorably to GAO\'s serious findings, if in fact they have not. \nWe look forward to hearing about that today.\n    If the readers and the TWIC cards fail to function \nproperly, not only will maritime workers not be able to perform \ntheir jobs adequately on a daily basis, but these facilities \nare left vulnerable to a potential security breach. Given the \nvolume of cargo coming into the United States, that is of great \nconcern. The United States transportation system of maritime \nfacilities remain a target and a means through which terrorists \nseek to attack the homeland. We all know that an attack on our \nNation\'s maritime transportation system could have very serious \nconsequences, and it seems to me all of us have got to do \neverything in our power to make sure that does not happen.\n    I look forward to hearing from our witnesses this morning \nand what corrective measures we can take to make TWIC an \neffective security card.\n    With that, I yield back, Mr. Chairman.\n    Mr. Mica. Thank you, Mr. Connolly.\n    Also, I will just explain for the members of the panel that \nwe attempted to look at IDs across the board, because TSA is at \nthe heart of approval and DHS is at the heart of approval of \nmoving all these ID programs forward. We were not able to get \nCustoms and Border Patrol to participate today, nor Department \nof State and some others that we wanted; they wanted more time.\n    So, unfortunately, what we have done is divided this review \nup. We will, hopefully in a couple of weeks, and with the \nagreement of the minority, reconstitute the panel and we will \nlook at problems with the pilots\' license, there are problems \nwith the various cards that we have for identification. At the \nairports we have a global entry under the Department of State.\n    But I think all of these, and it is part of our \nresponsibility. We are the only committee with enough \njurisdiction to look at all of these, and then also TSA\'s \nresponsibility. So we will follow up on that.\n    With that, let me recognize Mr. Meadows, then we will go to \nthe ranking member, Mr. Cummings, of the full committee.\n    Mr. Meadows. Thank you, Mr. Chairman, and thank you to the \nranking member, Mr. Connolly, who has, over and over again, \nexpressed a willingness to work in a bipartisan way to cut out \nwaste, fraud, and abuse.\n    As we are here today obviously looking at some half billion \ndollars spent on a program that is yet to be implemented, I am \nreminded of the fact that there are two ways things get done \nhere in Washington, D.C., slow and never, and we are trying to \nfigure out which one of these this particular thing is going to \nbe, because we have heard testimony in this very room of \ncomputer systems that we have spent some $1 billion on, then \nwas never implemented.\n    So is this just another government program where it has \ngreat intentions of providing security, but in essence we are \ngoing to spend millions and millions, and perhaps billions of \ndollars only to find out later that the theory or the genesis \nof this particular security system is one that is not going to \nbe implemented?\n    The most recent GAO report is troubling from some of the \naccusations and literally some of the research that it is \nproviding here, so I look forward to really less looking at \nwhen are we going to have a system that secures our ports. We \nhave been at this for some 11 years now. So if not next year, \nthen when? If not next year, then are we looking at another 10 \nyears? What is the time line? And from a practical standpoint \nwhat are the deficiencies? Would we be better off to just say \nwe made a mistake, let\'s go back to the drawing board, let\'s \nfind another area to do it?\n    I have the privilege of having Google in my particular \ndistrict, and I can tell you the type of security that is there \nwith those facilities didn\'t take this long to get implemented \nin the private sector and, quite frankly, are extremely secure. \nSo if the private sector can do it, certainly we, with all of \nour resources of the greatest Nation in the world, should be \nable to figure it out. So I look forward to your testimony.\n    With that, I yield back, Mr. Chairman. Thank you so much.\n    Mr. Mica. I thank the gentleman.\n    Now I am pleased to recognize the ranking member of the \nfull committee, the gentleman from Maryland, Mr. Cummings.\n    Mr. Cummings. Thank you very much, Mr. Chairman and Ranking \nMember Connolly, for calling this hearing. And I want to thank \nthe witnesses for their testimony.\n    This is a subject that is of great interest to me because I \npreviously served as the chairman of the Subcommittee on the \nCoast Guard and Maritime Transportation, and during my tenure \nin that position I convened two hearings to examine the rollout \nof the TWIC card, which began, unbelievably, in 2007.\n    Now, six long years later, 2.5 million transportation \nworkers have been enrolled in the TWIC program and 2.7 million \nTWIC cards have been printed. These enrollees have paid an \nestimated $300 million to implement this program. However, \nthose TWIC cards are nothing more than very expensive flash \npasses without sophisticated electronic readers to read them. \nThat is sad.\n    We now know that many vessels and facilities will never use \nTWIC readers, yet workers there are still being required to \nobtain the TWIC card. The Coast Guard, which is responsible for \nenforcing the use of the TWIC cards, has recently issued a \nNotice of Proposed Rulemaking that would require only vessels \nand facilities in what are known as Risk Group A classification \nto utilize TWIC card readers. As a result, far less than 1 \npercent of regulated vessels and approximately 16 percent of \nfacilities will require a TWIC reader.\n    So the TWIC card is just a very expensive flash pass for \nall the mariners and transportation workers working in the 99 \npercent of vessels and more than 80 percent of facilities \nwithout TWIC card readers.\n    But the problems with the TWIC card program run deeper than \nthat. Where TWIC card readers will be required, they must be \nable to determine whether a card is valid and matches the \nbiometrics of the individual who seeks access to a restricted \narea in a port or on a vessel. Unfortunately, we cannot count \non that. When the GAO reviewed the TWIC pilot program required \nby the Safe Port Act, it identified methodological problems \nwith the pilot that are so severe GAO has concluded that the \nresults of the pilot are simply not reliable.\n    I am stunned by the scope of the shortcomings identified by \nthe GAO, particularly given that as long ago as 2009 GAO \nidentified shortcomings that needed to be addressed to ensure \nthe TWIC pilot program would yield reliable results.\n    We are all aware that we need to take every effective step \nto protect our maritime facilities from those who wish to harm \nus. However, at this time we still have no reliable data \nproving that the TWIC card is one of those steps.\n    I can simply say I am disappointed and we are better than \nthat. As my colleague said just a moment ago, if the private \nsector can do this, we ought to be able to do this, and we need \nto know exactly why we can\'t.\n    When I was chairman of the Coast Guard subcommittee, Mr. \nChairman, I constantly talked about, I was really talking about \nthe Coast Guard and its acquisition program, but talked about \nhow we were moving into a culture of mediocrity; and I think \nthis whole fiasco is a step below that. So I am hoping that we \nwill get some answers, that we will get some results soon so \nthat the intended purpose of the TWIC card will be able to \ncarry out the way we wanted it to be done.\n    With that, I yield back.\n    Mr. Mica. Well, I thank the ranking member and concur in \nhis very frank statement. We will work together. We have to \nfigure out a way to get this program back on track.\n    No other members this morning, so I will ask unanimous \nconsent that members have seven days to submit opening \nstatements for the record. Without objection, so ordered.\n    So now we will turn to our two witnesses this morning. \nFirst we have Mr. Steve Sadler, and he is the Assistant \nAdministrator for Intelligence Analysis for the Transportation \nSecurity Administration.\n    Welcome back, Mr. Steve Lord. He is the Director of \nForensic Audits and Investigative Services for GAO, the \nGovernment Accountability Office.\n    Gentlemen, this is an investigative panel of Congress. If \nyou will stand and be sworn. Please raise your right hand.\n    Do you solemnly swear that the testimony you are about to \ngive before this subcommittee of Congress is the whole truth \nand nothing but the truth, so help you, God?\n    [Witnesses respond in the affirmative.]\n    Mr. Mica. Let the record reflect that both witnesses \nanswered in the affirmative.\n    We aren\'t too pressed for time this morning, so we will \ngive you a little bit of leeway. Usually it is a little \nbriefer, but we will recognize first Mr. Sadler, the Assistant \nAdministrator for Intelligence and Analysis at TSA.\n    Welcome and you are recognized, sir.\n\n                  STATEMENT OF STEPHEN SADLER\n\n    Mr. Sadler. Good morning, Chairman Mica, Ranking Member \nConnolly, and distinguished members of the subcommittee. Thank \nyou for the opportunity to testify today about TSAs role in the \nTWIC program.\n    TWIC is a fee-based program that issues a tamper-resistant \nbiometric credential. Eligible maritime workers use TWIC for \nunescorted access to secure areas of port facilities and \nvessels regulated under the Maritime Transportation Security \nAct of 2002. TSAs primary areas of responsibility include \nconducting security threat assessments, providing customer \nservice at enrollment centers, and engaging industry to develop \nspecifications for TWIC readers.\n    The full enrollment fee for a transportation worker is \n$129.75, and an initial TWIC is valid for five years. Under the \nExtended Expiration Date Initiative, eligible workers may \nrequest a three-year extension by paying the $60 card \nreplacement fee.\n    Currently, the United States Coast Guard requires maritime \noperators to visually inspect the TWIC prior to granting \nunescorted access to secure areas. Under MTSA, the Coast Guard \ncurrently regulates nearly 14,000 vessels and more than 3200 \nfacilities. With a single uniform credential, facilities, \nvessel operators, and law enforcement entities can verify an \nindividual\'s identity and eligibility to enter secure areas \nwith a higher level of confidence than was feasible prior to \nTWIC. TWIC is an important layer in maritime security as risk-\nbased control requirements and technical capabilities mature.\n    TWIC readers determine whether a card is authentic and \nissued by TSA. The readers also check that the card has not \nexpired and has not been revoked or reported lost or stolen. \nThe Coast Guard recently published a proposed Notice of \nRulemaking on TWIC readers in which the use of those readers \nwould be required for certain high-risk vessels and facilities.\n    Recently, several major challenges have converged for the \nTWIC program. These include the expiration, re-enrollment, and \ndemand for replacement of 1.5 million TWICs over an 18-month \nperiod; modifications to the process to limit enrollment and \ncard issuance to a single visit; and a transition of the \nprogram from a current single-provider contract to separate \ncontracts for enrollment services and system operations.\n    Beginning this summer, the first phase of an initiative to \nenable individuals to apply for and obtain a TWIC with a single \nvisit to an enrollment center will be tested in Alaska and \nshould expand nationwide in 2014. One visit represents the most \nsignificant program change since TWICs inception and will \ngreatly ease the burden on future applicants and individuals \nneeding a replacement card.\n    Additional customer service improvements include expanding \nthe number of TWIC enrollment centers from 136 to more than \n300; increasing call center representatives focused on reducing \ncall wait times; developing a web-based process to apply for \nextended expiration date TWICs or replacement cards; and \nincreasing mobile enrollment opportunities to facilities \nwanting to enroll workers onsite.\n    As a result of the TWIC pilot program, we obtained \nconsiderable data and sufficient quantity and quality to \nsupport the general findings and conclusions in the pilot \nreport. Our analysis concluded that TWIC readers function \nproperly when they are designed, installed, and operated in a \nmanner consistent with the characteristics and business needs \nof the facility or vessel operation. The analysis also \nconcluded that reader systems can make access decisions \nefficiently and effectively.\n    Thank you for the opportunity today, and I will be glad to \nanswer any of your questions.\n    [Prepared statement of Mr. Sadler follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1281.001\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.002\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.003\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.004\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.005\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.006\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.007\n    \n    Mr. Mica. Thank you.\n    We will turn now to Mr. Steve Lord, the Director of \nForensic Audits and Investigative Services for GAO. Welcome \nback.\n\n                  STATEMENT OF STEPHEN A. LORD\n\n    Mr. Lord. Thank you very much, Mr. Chairman, Ranking Member \nConnolly, and Representative Meadows. I am really pleased to be \nhere today to discuss the results of our recent TWIC report \nissued just recently. I should point out this is not the only \nreport we have issued on this subject. We have work going back \nseveral years, including a very significant study we issued in \n2009 on the design of the pilot, as well as a May 2011 report \non the internal controls in the program.\n    The overall message that I wanted to convey today, I think \nit is a very important message, that the pilot results should \nnot be used to inform future decisions regarding the TWIC \nreader rule or the future deployment of card readers. This is \nwhere we disagree with TSA and DHS. I am also surprised to see \nthat the Coast Guard went ahead and issued their March 22nd \nNotice of Proposed Rulemaking, because it incorporated the \nresults of the pilot even though we found major issues in the \npilot data, which we had previously shared with them.\n    I would like to briefly touch on some of the key challenges \nwe identified in the pilot. They fall into three major buckets. \nThe first one is planning. Bottom line is DHS did not address \nthe pilot planning weaknesses we identified in our 2009 report. \nAlthough it took some initial steps to address them, it did not \ndevelop a full evaluation plan or the performance standards we \ncalled for to help guide the pilot as it unfolded.\n    The second key issue we identified was related to data \ncollection. We identified eight separate weaknesses in how the \npilot participants collected data. I am not going to discuss \nall eight today, but I would like to briefly highlight three.\n    First, TSA and the independent test agent did not record \nclear baseline data. If you don\'t have a clear baseline, you \nreally have nothing to compare the collected data to.\n    They also did not collect complete data on reasons for card \nfailures or the reasons people were denied access to \nfacilities. Obviously, they collected some, but we scrutinized \nthe data they did collect and we found several significant \ndiscrepancies and anomalies in the data.\n    The third key data collection issue we identified was the \noperational impact of using TWICs with readers was not \nconsistently documented. And this is a really important issue \nbecause this was one of the major reasons they ran a pilot, to \nmeasure the business impact on the private sector. Yet, when we \nlooked at how they measured that, they didn\'t do a good job and \nthey essentially did not collect the data needed to assess that \nissue.\n    As a result of all the challenges we identified, we think \nit is really difficult to assess whether the problems \nexperienced were due to the cards themselves, to the readers, \nor to the way the users were using them. So it could have been \na combination of all three, and that is something we highlight \nin our report.\n    We also scrutinized DHS\'s report to Congress. I should \nmention we just didn\'t evaluate the report; we looked at what \nwent into the preparation of the report. We pulled all \navailable data sets that were used to support the February 2012 \nreport to Congress.\n    And one notable issue we identified was the assessments of \nthe entry times at ports, again, the throughput times. This is \na really important issue that was looked at, where these \nmeasures were mixed up with reader response times, which is the \ntime it takes a card to be read in a laboratory setting. So \nobviously they weren\'t really measuring throughput, which is a \nkey objective of the pilot, but basically how much time it took \na card to be read in a laboratory setting.\n    Given all the issues we identified, we do not believe using \nTWICs with readers would provide a critical layer of port \nsecurity. We think that has yet to be demonstrated, and that is \nwhy we called for the agency to implement our prior \nrecommendation on that point, to do a security assessment, to \ntry to identify the value added of using TWICs with readers. Is \nit better than the regimes used in the past or not? We think \nthat is a really important issue. So that is why, again, we \ncalled for that in our 2011 report.\n    But we do acknowledge some of the many challenges that DHS \nexperienced in the pilot. They were dealing with 17 different \nsites; they participated on a voluntary basis, they couldn\'t \ncompel them to participate or collect data in a certain way. \nAnd we recognize that, yet we still think some of those risks \ncould have been mitigated by perhaps having more personnel \ninvolved at the sites or providing additional resources.\n    In closing, given the many issues we identified, as we \nhighlight in our report, we think Congress should consider \nrepealing the requirement that the final regulations for the \ncard readers be consistent with the pilot findings. \nEssentially, we think those two issues should be de-linked \ngiven the issues we identified in the pilot. Instead, we \nbelieve Congress should require DHS to complete a security \nassessment, as we originally called for in our May 2011 report. \nAgain, the security assessment will help demonstrate the value \nof the program.\n    And the assessment should also include a comparison of \nalternative credentialing approaches. There are different \noptions they could have considered. For example, the Government \ncan conduct a security assessment and have the credentials be \nprovided at the local level. That was an option that was never \nconsidered in the early analysis of alternatives, and we think \nthat has possible merit that should be studied further.\n    Thank you, Mr. Mica, Ranking Member Connolly, \nRepresentative Meadows. This concludes my prepared statement \nand I look forward to answering any questions.\n    [Prepared statement of Mr. Lord follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T1281.008\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.009\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.010\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.011\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.012\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.013\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.014\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.015\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.016\n    \n    [GRAPHIC] [TIFF OMITTED] T1281.017\n    \n    Mr. Mica. Thank you. We will start questions. I will start \nwith a round.\n    First, Mr. Sadler, have you ever had the opportunity see \nthe movie Groundhog Day?\n    Mr. Sadler. Yes, I did, sir.\n    Mr. Mica. In that movie, doesn\'t the character keep \nrepeating the same day over and over again and sort of the same \nthing over and over?\n    Mr. Sadler. I believe he does, sir.\n    Mr. Mica. I feel a little bit like that character, Mr. \nConnolly and Mr. Meadows. From 2002, 2005, 2006, 2009, to 2011. \nLast I checked, this is 2013. And we still do not have a viable \nTWIC program. I just heard Mr. Lord go through his analysis of \nthese reader tests experiences. We have his report here. It is \nvery frustrating.\n    I guess you did 17 sites?\n    Mr. Sadler. That is right, sir.\n    Mr. Mica. And we don\'t really know how many people went \nthrough. DHS\'s report to Congress shows a total population of \n33,111. However, final pilot site test systems showed a \npopulation of 79,000. There is a discrepancy even in the number \nof participants. Mr. Lord said that you couldn\'t get some to \nparticipate.\n    The report says pilot participants did not document \ninstances of denied access. TSA and the independent test agent \ndid not collect complete data on malfunctioning TWIC cards. I \nmean, the report just goes on and on about, again, what is \nsupposed to be pilot testing to develop a card that we can use \nand have some basic knowledge about what is effective and how \nall this can be utilized. How do you respond to GAO?\n    Mr. Sadler. I would say that GAO, in their opening \nstatement, pointed out some of the challenges that we faced \nwhen we started this pilot program, and that is a key point. \nThis is a pilot program that we implemented in the commercial \nmaritime environment. No one has done that before. And I know \nyou have heard that before, but that is the crux of the issue.\n    Mr. Mica. In a maritime environment?\n    Mr. Sadler. No one has done this type of pilot, that I know \nof, in this type of environment. So we got voluntary \nparticipation from the facilities. We were very happy that \nthese facilities stepped forward and participated, but we did \nthis pilot under the condition of an operational maritime port \nfacility. So we couldn\'t put readers at every access point; \nwhether it was for a vehicle, whether it was for a pedestrian.\n    So those were some of the challenges that we faced. It was \na voluntary pilot; it was in an maritime operational \nenvironment; not all access points had readers. If we could \nhave locked the place down and put a reader at every access \npoint, possibly----\n    Mr. Mica. So you are saying it is not practical to have a \nreader with a TWIC program?\n    Mr. Sadler. No, I am not saying that, sir. What I am saying \nis under the conditions we had to test, we faced challenges; \nand we stated those in our report to Congress as well.\n    Mr. Mica. Now, let me ask you a question. You have issued, \nwhat, 1.8 million of these?\n    Mr. Sadler. About 2.5 million, sir.\n    Mr. Mica. But is there 1.8 million coming due or something?\n    Mr. Sadler. Well, there are about 1.5 million cards that \nare set to expire over the next 18 months.\n    Mr. Mica. I am sorry, I messed up the figures. So in the \nnext 18 months you have 1.5 million. Do you have a card now \nthat has a biometric component that would recognize both \nfingerprints and iris?\n    Mr. Sadler. Sir, we use the fingerprint template only \nbecause that is the only federal standard that is in existence \ntoday, and it was the most robust biometric.\n    Mr. Mica. And you are working with the folks that set the \nstandards, and they have told us at several previous hearings \nthat the standard was just around the corner for iris. What are \nthey telling you now?\n    Mr. Sadler. As I understand it, they are in their second \niteration of the iris standard out for comment, and I don\'t \nknow what their schedule is for final publication of that \nstandard. I would have to defer to them.\n    Mr. Mica. Well, TSA, you also oversee entry programs, for \nexample, the CLEAR program. I am told that the CLEAR program \nhas an iris and also I think all five fingers are incorporated, \nand this is in use in the airports, is that correct?\n    Mr. Sadler. It may be, sir. I am not aware that we are \noverseeing that program at this point.\n    Mr. Mica. TSA just lets anybody put a program in place?\n    Mr. Sadler. It is not about TSA allowing the program; it is \nabout a relationship between the contractor or that company and \nthe airport.\n    Mr. Mica. So do you accept these cards? These aren\'t \naccepted?\n    Mr. Sadler. I don\'t know if they are accepted or not. I \nwould have to get back to you on that answer. As far as \nboarding an aircraft?\n    Mr. Mica. Yes.\n    Mr. Sadler. I would have to get back to you on that answer. \nWhat I would say about that is we use a fingerprint template; \nwe do not use an image for privacy purposes. We have to encrypt \nour biometric. I don\'t know if they encrypt their biometric.\n    Also, if an individual comes up to a kiosk in an airport, \nthat is much different than an individual who is in a tractor \ntrailer or a truck going through a gate trying to use an iris \nscan. If I could set every person going into a port coming up \nto a kiosk and take the time I needed to take that iris scan \nand embed that in the card, then we would do that, but that is \nnot the way the port operates. Now, if the port wanted to use \nan iris, they can use an iris and they can use a TWIC card as a \npointer to get back to that biometric.\n    Mr. Mica. So basically you are going to be issuing more \nthan a million cards, reissuing the cards that have expired, \nwithout an iris component and I guess somewhat limited \nfingerprint component. I think one of the previous studies that \nMr. Lord did was some of the flaws with the card that they \ncould be tampered with.\n    And, actually, I think on several occasions you thwarted \nthe system, is that correct, Mr. Lord?\n    Mr. Lord. Yes. We did some covert testing as part of our \n2011 report and this report as well. We dispatched covert \ntesters to basically conduct two types of tests. We presented \nfraudulent identification documents. We were able to obtain an \nauthentic TWIC and we also manufactured a TWIC, we basically \nmade a fake TWIC; and we were able to access facilities using \nboth types of credentials.\n    Mr. Mica. Did you use any of the fake TWICs to thwart the \npilot?\n    Mr. Lord. At one site they were using a reader, but it is \nmy understanding they had some problems with false positives, \nso our undercover investigators were waved in. Even after the \nentry guard tried to swipe it and it wasn\'t working, she still \nprovided them access to the facility.\n    Mr. Mica. Very good.\n    Let me go to Mr. Connolly. I want to be fair with the \nmembers that are here.\n    Mr. Connolly. Thank you, Mr. Chairman.\n    Mr. Sadler, do you think the pilot program was successful?\n    Mr. Sadler. I think the pilot program showed what we asked \nit to do.\n    Mr. Connolly. Whoa. Time out. The pilot is the predicate \nfor moving forward. It is kind of a critical question. Was it \nsuccessful? Because GAO says that not only was it not \nsuccessful; they are recommending the Congress decouple future \nregulations and standards from the pilot. Do you disagree with \nthat?\n    Mr. Sadler. I think it was successful in what we intended \nto do, which was show that if that reader was installed \nproperly, if the operator was trained properly, if the \nindividuals were trained properly in the use of the card and \nthat reader was put in place based on the business requirements \nof that port, then the reader did its job with the TWIC card.\n    Mr. Connolly. Mr. Sadler, we just heard testimony, and \nthere is more in the report, you didn\'t test for durability. \nDurability of the card actually could be very important in \nterms of long-term security. The wet conditions are a problem \nin terms of accurate reading. You just heard Mr. Lord say they \nactually manufactured a fake card and, sadly, that fake card \npassed muster that all too often the differentiation between \nthe fake card and the TWIC card failed in the readers.\n    Now, you think that is just a matter of fine-tuning? And, \nby the way, another aspect of the GAO report is the cost \nfigures were so flawed as to not be reliable, and they caution \nCongress don\'t read too much into that because the methodology, \nfrankly, is not really an accurate picture of what it cost.\n    What aspect, pray tell, of this pilot could be considered \nsuccessful such that we could have confidence in moving \nforward?\n    Mr. Sadler. If someone uses a card that is fraudulent, and \nI think it was shown in this case that the reader would not \nread that card, so that individual who came up with that \nfraudulent card did not get a positive read off the reader, \nfrom what I understand. And if the individual was allowed into \nthat facility, the person should not have been let into that \nfacility without a business need.\n    Mr. Connolly. Time out.\n    Mr. Lord, tell us how it worked.\n    Mr. Lord. The card reader rejected the card; the person was \nallowed to enter the facility based on what they referred to as \nsocial engineering, some discussion with the guard, the \nsecurity guard.\n    Mr. Connolly. So they were able to bypass the card system \nentirely.\n    Mr. Lord. Yes. They were able to basically talk their way \nin.\n    Mr. Connolly. So you are saying that is not really a \nfailure of TWIC; that is a breach of security protocols in \ngeneral.\n    Mr. Sadler. What I am saying is in that case it appears \nthat the card and reader did their job; they didn\'t have a \npositive identification for that individual. And then the \nindividual talked to the security guard, apparently.\n    Mr. Connolly. So a separate issue.\n    Mr. Sadler. That is a different issue completely than the \ncard itself or the reader. If that person didn\'t have a \nbusiness need to get into that port, that person should not \nhave been let in.\n    Mr. Connolly. But how do you respond, Mr. Sadler, to Mr. \nLord\'s and GAO\'s recommendation to the Congress that the lack \nof efficacy of the pilot is such we should pass legislation to \ndecouple it from moving forward? That is a pretty rare \nrecommendation coming out of GAO.\n    Mr. Sadler. I think that the TWIC card and reader, when \ninstalled properly, provides security value at the port. It is \nnot a silver bullet; it is part of our layered security, and I \nthink it provides value when it is used properly and installed \nproperly.\n    Mr. Connolly. Can you point to a place where it has been \ninstalled properly and it works and, therefore, we should have \nconfidence in it?\n    Mr. Sadler. In some of the pilot locations it has been \ninstalled properly.\n    Mr. Connolly. For example?\n    Mr. Sadler. In a Long Beach Port there was one single gate \nthrough the back, and I believe it was Long Beach, it might \nhave been Los Angeles; I would have to go back and check. There \nwas one single gate where, if you came into that back gate you \nhad to use the card, you had to use the reader. It worked and \nwe didn\'t see any appreciable backup in the flow of traffic. \nAnd I will go back and confirm that.\n    Mr. Connolly. All right. Yes, I wish you would. You know, I \nspent 20 years, before I came here to Congress, in the private \nsector, and in two organizations that do a lot of security \nwork, including port security, I might add. I spent 14 years in \nlocal government. The practice in both local government and in \nthe private sector, when we were looking at a challenge, was to \nfirst look at best practices. We benchmarked ourselves against \nthe competition.\n    I will use local government rather than the private sector. \nI represented Fairfax County, a pretty advanced county \ngovernment, big local government. So we would compare ourselves \nto DuPage in Illinois and Los Angeles County, and depending on \nthe subject matter, how are they doing it? What are they doing? \nHow does it work? What can we learn from their lessons?\n    Did we do that before we decided to embrace TWIC as the \nanswer to port security going forward? Because the chairman \npointed out that there are other examples, seemingly, of cards \nthat do seem to work and processes that do seem to work. What \nhave we learned from those that we are trying to apply to what \nseems to be a flawed process here?\n    Mr. Sadler. Well, we were required by Congress to issue the \nbiometric credential, and we are doing that.\n    Mr. Connolly. Excuse me, Mr. Sadler. If I may interrupt \njust one second. We take that point; the chairman addressed \nthat. The cards he gave you as an example that seemed to work \nalso include biometric data. This is not unique to TWIC.\n    Mr. Sadler. Those cards are not working in the same \nenvironment we are working in.\n    Mr. Connolly. Your argument is that the port environment, \nthe maritime environment is unique and has special \nrequirements?\n    Mr. Sadler. Yes. The port environment is unique. And as far \nas durability of the card goes, some of the analysis that we \nsaw, the use of the card was equivalent to use by DOD, use by \npark rangers. So this is a very tough environment. It is not \nthe same as coming up to a kiosk in an airport, which is \ninside, which is a controlled environment. So I would say, yes, \nit is unique.\n    Mr. Connolly. All right, my time is almost up, but if I \ncould just add one last question on that.\n    Mr. Lord, could you respond to that? What about that? This \nis a unique environment and some of your criticisms might be \nmore applicable if we were talking about access to an office \nenvironment in a commercial office building, but you are not \nbeing cognizant of the unique attributes of the maritime \nenvironment.\n    Mr. Lord. I think we are. We fully recognize the harsh \nmaritime conditions the card is used within. The analogy we \ndrew in our report was to the DOD CAC card. That card, in \ncontrast to the TWIC card, is durability tested after it is \npersonalized, which tends to introduce some vulnerabilities in \nthe card when you add the little unique features; and that was, \nto me, an important distinction between the TSA approach and \nthe DOD approach.\n    As you know, if you have ever been abroad, Iraq, \nAfghanistan, that is the common access card they use in those \ntypes of environments, which we think are pretty harsh \nenvironments as well, and those cards are considered a success \nbecause they are considered more durable.\n    Mr. Connolly. Thank you.\n    Mr. Mica. Thank you, Mr. Connolly.\n    Mr. Meadows?\n    Mr. Meadows. Thank you, Mr. Chairman. I am going to pick up \non some of the line of questioning that the ranking member \nbrought up with regards to the pilot program and the existence, \nwhy we have a pilot program is hopefully to make determinations \non whether we should proceed.\n    You are saying that it is a congressional thing and, Mr. \nSadler, I am sorry to point all these questions to you. This is \nnot a personal thing and obviously I am looking to you for \nguidance on what we need to go forward with, because we have \nhad, according to my research, six or seven studies already by \nGAO in terms of recommendations on this particular thing. Is \nthat correct?\n    Mr. Sadler. I don\'t know the exact number, sir, but there \nhave been quite a few.\n    Mr. Meadows. A number of them?\n    Mr. Sadler. Yes, sir.\n    Mr. Meadows. And each time, from what I understand, you \nhave agreed, or your agency has agreed to the recommendations \nthat the GAO has made, is that correct?\n    Mr. Sadler. Yes, sir, I believe that is correct.\n    Mr. Meadows. And so I guess my question is why have those \nnot been followed up on or really, truly implemented? Is it \nbecause of the weather conditions that you are talking about?\n    Mr. Sadler. I think that is part of it. It is not \nnecessarily the weather conditions. I think the weather \nconditions are a part of it.\n    Mr. Meadows. Well, I know that maritime constitutes salt \nwater, generally; not always, but many times salt water. And I \nknow that salt just eats the hell out of anything. So when we \nhave this technology, is this something that could be viable \nlong-term, or are we going to be spending another $3.2 billion \nfive years from now to replace readers?\n    Mr. Sadler. No, I think what we found in the pilot was that \nif the reader was installed properly and covered properly, that \ncut down on a lot of the issues.\n    Mr. Meadows. Okay. And you have installed those readers at \n17 ports, is that correct?\n    Mr. Sadler. Seventeen ports, 100 access points.\n    Mr. Meadows. For the cost of $500 million?\n    Mr. Sadler. No, the total cost of the pilot that we \nconducted to the ports was $15 million, and to the Government \napproximately $8 million. So the total amount of money expended \nfor this pilot was $23 million.\n    Mr. Meadows. All right, so we are talking about $23 million \nthere for the pilot, is that correct?\n    Mr. Sadler. That is correct.\n    Mr. Meadows. Okay. And you have issued about 2.5 million \ncards, is that correct?\n    Mr. Sadler. That is correct also.\n    Mr. Meadows. So how many of those cards have been lost or \nstolen?\n    Mr. Sadler. I would have to get back to you, sir, with that \nnumber; I don\'t have that off the top of my head.\n    Mr. Meadows. Do you think you know exactly the number of \ncards that have been lost or stolen at your agency at this \npoint?\n    Mr. Sadler. I think we would have a pretty good idea. I \ndon\'t know if we would know the exact number.\n    Mr. Meadows. So everybody that loses a card or has one \nstolen, with the transient nature of employment, would call you \nand let you know?\n    Mr. Sadler. They would have to call and get a replacement \ncard, yes.\n    Mr. Meadows. Only if they were trying to get back in.\n    Mr. Sadler. Yes, sir.\n    Mr. Meadows. But if they lost it and they were unemployed, \nwould they call you?\n    Mr. Sadler. If they needed the card, they would call us.\n    Mr. Meadows. But only if they needed it. My point is when \nwe have this and we are looking at this biometric there, if \nthese cards are transient and you have no kind of iris \nscreening that would connect them, for a million bucks maybe I \ngive my card to somebody else. So does it actually provide a \nmore secure environment, with the transient nature of this and \nwith nothing that is actually tied to the person that you issue \nit to?\n    Mr. Sadler. We can\'t eliminate that risk, sir; we can try \nto mitigate it. And that is why I would say we need the \nreaders.\n    Mr. Meadows. All right.\n    Mr. Sadler. Just as the GAO mentioned, when they tried the \ncard where a reader was positioned, it didn\'t acknowledge that \ncard. It was social engineering that got it through, not a \nfraudulent TWIC.\n    Mr. Meadows. So if you were to come back before Congress \nand say, well, we are doing this because Congress told us we \nhad to do it, if we were to put forth a piece of legislation \ntoday that says Congress changed its mind because this is not a \nwise investment of hardworking American taxpayers\' dollars, \nwould you endorse that?\n    Mr. Sadler. Well, we would try our best to comply with \nwhatever statute Congress passed.\n    Mr. Meadows. But if you were in my shoes, would you put \nforth a piece of legislation, knowing what you know over the \nlast 11 years, that we have spent over $500 million and we are \nstill yet to have secure ports, would you make that \nrecommendation? If you were going back home and people were \ngoing to say, well, it is my money, are you being responsible, \nis that the kind of decision you would make?\n    Mr. Sadler. What I would tell my constituents, I would say \nTWIC is a valuable security tool.\n    Mr. Meadows. It is a valuable security tool.\n    Mr. Sadler. Yes. And I believe that.\n    Mr. Meadows. And you make that based on 17 installations \nout of 360?\n    Mr. Sadler. Seventeen installations, 100 access points, 156 \nreaders, 400,000 pieces of data.\n    Mr. Meadows. Okay. How sure are you that we are only going \nto spend $3.2 billion to implement this? On the level of 10 \nbeing the highest that you are absolutely confident, how sure \nare you, Mr. Sadler?\n    Mr. Sadler. Well, the life cycle cost estimate that was \nconducted, I believe, in 2005 had a limit of $694 million up to \n$3.2 billion.\n    Mr. Meadows. During the pilot have you had cost overruns?\n    Mr. Sadler. No, sir.\n    Mr. Meadows. Because there was no budget. So it is hard to \ngo over or under a budget.\n    Mr. Sadler. No, there was a budget.\n    Mr. Meadows. Okay.\n    Mr. Sadler. There was $23 million in grants that were let \nto the facilities, there was $8 million let to TSA, and it is a \nfee-funded program. So if you have a fee-funded program, you \ncannot go over budget.\n    Mr. Meadows. So as long as they are paying for it, you \ndon\'t go over budget. Because I am reading in the GAO there \nwere some concerns with regard to some of the issues in how we \nimplement this, and we have, obviously, a Government-centric \nfocus here. Do you think we ought to reevaluate that and go \nwith something that is not Government-centric? Or is the \nGovernment the best place to provide security here?\n    Mr. Sadler. I don\'t know exactly what you mean, sir.\n    Mr. Meadows. Well, it is all about calling into a \nGovernment call center to provide these particular cards, and \nas we look at that it is all about the Government providing it. \nCould a private agency do a better job than we are doing?\n    Mr. Sadler. I don\'t think so, sir, because a private agency \nis not going to have access to the information we have access \nto to make those decisions.\n    Mr. Meadows. So there is no private security that could \nprovide that. So you are saying basically because of the \ninformation with regards to the matrix with fingerprinting, \netcetera?\n    Mr. Sadler. In my opinion, I think that is correct.\n    Mr. Meadows. So your recommendation is to continue to go \nforward with this plan?\n    Mr. Sadler. My recommendation is to implement readers in \nthe maritime environment.\n    Mr. Meadows. I can see my time is up, so let me finish up \nwith this line of questioning. We have been here for 11 years. \nWe have yet to have really new port security. In fact, you even \nmentioned that we have issues. The GAO report mentions that we \nhave issues. So we don\'t have a more secure environment in 11 \nyears.\n    At what point can I tell my folks back home that we are \ngoing to have more secure ports, is it five years, six years? \nYou have $3.2 billion to spend, so at what point do we have a \nmore secure environment?\n    Mr. Sadler. You can tell them that today, sir.\n    Mr. Meadows. So it will be more secure today?\n    Mr. Sadler. It is already more secure. You have a common \ncredential; you have a consistent security threat assessment \nthat nobody has done before.\n    Mr. Meadows. So you have reached your objective?\n    Mr. Sadler. No, sir, we have not.\n    Mr. Meadows. So my question, you know what I am meaning, at \nwhat point do we reach our objective, Mr. Sadler?\n    Mr. Sadler. We reach our objective when we get readers \ninstalled.\n    Mr. Meadows. All right, which will be when?\n    Mr. Sadler. I defer to the Coast Guard and their time \nschedule. They have an MPR out now; they are taking comments. \nThey are going to adjudicate the comments and get a final rule.\n    Mr. Meadows. So we needed to have the Coast Guard here. And \nyou are saying that they can implement it with the pilot \nresults that you have right now?\n    Mr. Sadler. I am going to defer to the Coast Guard on which \nresults from that pilot program they use and which they don\'t \nuse.\n    Mr. Meadows. So if it fails, whose fault will it be, yours, \nTSAs because of the pilot, or the Coast Guard for \nimplementation?\n    Mr. Sadler. That is a hard question to answer, sir. I am \nthe responsible executive at TSA for this program, so I don\'t \nthink failure is an option. I know failure isn\'t an option, but \nthat is a difficult question to answer because I am \npresupposing that I know why it failed, if it does, and I don\'t \nbelieve that it will.\n    Mr. Meadows. Well, the pilot should have told us that. But \nI am way over time.\n    I appreciate our indulgence, Mr. Chairman, and I yield \nback.\n    Mr. Mica. Well, let me just follow up on that.\n    Now, wait a second. You are shifting the responsibility to \nthe Coast Guard, but you provided the Coast Guard the data on \nwhich they are going to evaluate their response to you, is that \ncorrect?\n    Mr. Sadler. Sir, I am not shifting responsibility to the \nCoast Guard. What I said was we provided data to the Coast \nGuard.\n    Mr. Mica. But Mr. Lord said that the data you provide, I \nmean, his whole report shows the data is flawed and the test \nresults can\'t, you didn\'t even have clear baseline data from \nwhich you started.\n    Mr. Connolly and I, Mr. Cummings and the others that were \nhere, our investigators did not go after this; we rely on GAO \nto evaluate what you are doing with the pilot program, and they \ncame back with one of the most critical reports I have seen. \nSo, again, you are telling us that you are giving the data and \nthe Coast Guard is going to evaluate it based on the data, \nwhich is flawed, according to the GAO.\n    Mr. Sadler. Well, we believe there is meaningful data in \nthat pilot report, and we provided that to the Coast Guard.\n    Mr. Mica. You cited one place where you thought this worked \nat some back gate, and you weren\'t sure if----\n    Mr. Sadler. Well, you asked me for an example, sir, and I \ngave you that example.\n    Mr. Mica. But that is at one back gate.\n    Mr. Sadler. And the reason I gave you that example was \nbecause that was a controlled gate; that wasn\'t an area where \nyou might have eight gates with only two readers.\n    Mr. Mica. How much have we spent on the pilot project?\n    Mr. Sadler. Twenty-three million dollars.\n    Mr. Mica. Twenty-three million dollars.\n    Pretty good, Mr. Connolly. We got that one back gate \nsecure. All this data that was collected without reliability.\n    Mr. Lord, I thought you said that others could do this, and \nin harsh conditions.\n    Mr. Lord. Chair, before I respond to that, I think I would \nlike to address one point Mr. Sadler raised. I think there is \nbroad agreement among most stakeholders that there is some \nvalue in the program, and that is the background check that is \nconducted.\n    Mr. Mica. Yes. And, you know, he didn\'t do a very good job \non that. If I were him, I would have said, well, we stopped \n50,000 people from actually getting the cards.\n    Mr. Lord. But I agree with Mr. Sadler. He did mention that \nwas one of the values of the program. But beyond that, I think \nthat is where, to us, it gets a little fuzzy, because that was \none option that wasn\'t really considered at the start of the \nprogram. What if the Government did the background checks and \nwe left the issuance of the credential to the local ports? That \nis essentially what they do with the CITA model with the \nairports.\n    Mr. Mica. Actually, this became an issue. I forgot Mr. \nConnolly and I were discussing it. I was telling him, in South \nFlorida, about 25 percent of our port workers had criminal \nbackgrounds, and this actually came into Congress, I think, Mr. \nConnolly, as to what we could consider in background checks. \nWhat do you consider now? I thought we set the standard because \nI know it became a big brouhaha.\n    Mr. Lord. They do criminal record checks.\n    Mr. Mica. How far back? You couldn\'t do State checks versus \nFederal or something. What is the status of what?\n    Mr. Lord. It depends on the disqualifying crime. Some \ncrime, such as murder, is an unlimited look back; other crimes \nare seven years or five years from release of incarceration.\n    Mr. Mica. I think that is what we got into, yes.\n    Mr. Lord. Well, we do use State records. We receive State \nrecords from 40 States now that we utilize in the background \ncheck.\n    Mr. Mica. Well, again, we spent $23 million just on the \npilot program. We are 11 years away from when we passed the \ninitial legislation. We don\'t have a reader. We are going to \nissue, again, another million-plus cards, and they don\'t have \nthe capability that Congress originally intended because, \nagain, you say another agency has not set the standard for \niris.\n    Any hope of when, again, we could actually see this happen \nif we go through the Coast Guard process, any processes that \nyou have? And then when would you pick a reader, guesstimate? \nAnd then when would they be deployed; will it be in the next \ndecade?\n    Mr. Sadler. Well, sir, I would have to defer to the Coast \nGuard on the time line as they are promulgating the rule. I \ncan\'t answer that question.\n    Mr. Mica. Who actually issues the TWIC card, the Coast \nGuard?\n    Mr. Sadler. No, we issue. That is our responsibility, to \nissue the TWIC.\n    Mr. Mica. I thought the Coast Guard was sort of the \nenforcement agency.\n    Mr. Sadler. They are.\n    Mr. Mica. They do a great job. Thank God for the Coast \nGuard, because they are there 24/7, low pay, and guarding the \nports at entry points far beyond these gates, also making \ncertain that our maritime facilities are secure.\n    Okay, let\'s work this out. Remember my Groundhog Day? I \nwant to know how many more times we are going to do this. So \nyou have the Coast Guard, now this rulemaking. Is that an open-\nended thing or is there a time frame?\n    Mr. Sadler. Ninety-day comment period from March 22nd.\n    Mr. Mica. Okay. And then you expect them to digest this? \nAre they going to get back with you? What is the process? \nExplain it.\n    Mr. Sadler. The process is that they have public meetings.\n    Mr. Mica. After the rulemaking or during the rulemaking?\n    Mr. Sadler. During this 90-day period.\n    Mr. Mica. We got to that.\n    Mr. Sadler. Then they receive written comments.\n    Mr. Mica. I got to 90 days.\n    Mr. Sadler. Ninety days.\n    Mr. Mica. Then what is going to happen?\n    Mr. Sadler. Then they take the written comments, they take \nthe verbal comments from their public meetings, they adjudicate \nthose comments, and then they start to develop the final rule.\n    Mr. Mica. And any guess as to?\n    Mr. Sadler. No, sir, I don\'t.\n    Mr. Mica. No guess?\n    Mr. Sadler. No, sir.\n    Mr. Mica. Mr. Lord?\n    Mr. Lord. Yes. I think it is worth noting the Coast Guard \nrecently extended the comment period by 30 days. It may be \nbeneficial, given all the issues we discussed at today\'s \nhearing, to perhaps extend it another 30 days to get additional \nstakeholder comments. I imagine there are going to be a lot of \ncomments generated in the next few weeks.\n    Mr. Mica. Mr. Sadler, how long have you been with TSA?\n    Mr. Sadler. Since September 22nd, 2003.\n    Mr. Mica. From the beginning. So you have been there to see \nthat this is something we have tried to put into place for more \nthan a decade, and we seem to, at every turn, not make the \nprogress that Congress originally intended. We don\'t, again, \nhave a card, I think, that is adequate and we don\'t have \nreaders or a program really to get a reader in place, so it is \nvery frustrating. We have spent half a billion dollars on this \nand we have a card now that is flawed; and not by my \ndefinition, but by GAO\'s evaluation.\n    Mr. Lord, have you got any idea how this will all end?\n    Mr. Lord. I really don\'t, sir. That is more a matter for \nCongress and the executive agencies. Our role is simply to \nrespond to the mandate and the Coast Guard Authorization Act to \nstudy the results of the pilot and provide the report to \nCongress, so that is what we did. On the other hand, we have \nreported extensively on other TWIC-related issues in the past. \nIt will be interesting to see how it progresses after today.\n    Mr. Mica. Well, I believe there have been enough models out \nthere and enough opportunities to adopt a better system. It may \nnot be flawless, but, for the money we have spent and the \nresults we have gotten, this is a pitiful commentary to be here \nMay 2013 and still in this situation.\n    Mr. Connolly?\n    Mr. Connolly. Thank you, Mr. Chairman.\n    I guess in addition to just the facts here, I am bothered \nby two Federal agencies coming to two different conclusions \nbased on the data available. Mr. Lord and GAO have taken the \nposition, if I understand it correctly, that the efficacy of \nthe pilot is flawed such that we should not rely on it. It \nshould not be a guide as we move forward, or something that can \nbe adhered to as a guide because it is so flawed in its \nmethodology in almost all respects, except there are some \nancillary things that produced positive externalities, but not \nby design, you know, background checks or whatever.\n    Mr. Sadler, if I understood your testimony correctly, you \nbelieve that is not correct; that there is reliable data, at \nleast sufficiently reliable that you and the Coast Guard can go \nforward in expanding the pilot to other facilities. Is that \naccurate?\n    Mr. Sadler. What I said, sir, was I think there is enough \nreliable data to support the conclusions of the pilot itself, \nwhich are that the reader, when installed properly, operated \nproperly, and when the individuals are trained properly, \nwhether it is the operator or the individual with the TWIC \ncard, that the reader works properly.\n    Mr. Connolly. And you say that the GAO report and evident \nlack of confidence in same notwithstanding.\n    Mr. Sadler. I am sorry, sir, could you repeat that?\n    Mr. Connolly. You are saying that you are fully aware of \nGAO\'s findings and reports that come to a very different \nconclusion.\n    Mr. Sadler. Well, that was our conclusion when we wrote the \npilot report that we sent to Congress, so, yes, that is what I \nam saying. So we agree in many areas with GAO, and we have to \nagree because our pilot report itself pointed out many of the \nsame challenges that GAO pointed out as well. So we admitted to \nthose and we know it is a challenge.\n    Mr. Connolly. But here is the fundamental difference, Mr. \nSadler. GAO has come to the conclusion that those flaws, \ndeficiencies, problems, and lack of accurate data because of \nmethodology flaws are of sufficient gravity that Congress \nshould not rely on the pilot. You, in your position on behalf \nof TSA, are saying quite the opposite. You are saying we are \ngoing to rely on it; we don\'t agree that it is so flawed that \nit can\'t be relied upon. And that is what I mean. Their \nfindings notwithstanding, you intend to go forward based on the \npilot, even though GAO is saying to Congress we actually think \nyou ought to decouple it from the pilot, it is that flawed.\n    Mr. Sadler. Well, sir, we have to go forward. We have been \ndirected to issue the credential; we have been directed to \ninstall readers. And unless Congress gives us other direction, \nthen we are going to go forward.\n    But we still stand by the fact that there was enough \ninformation gleaned from the pilot to support our conclusions \nin the pilot report. Then we take that information, we give it \nto the Coast Guard, and that is why I defer to the Coast Guard, \nbecause the Coast Guard takes that information and they use it \nbased on how they think they need it, how they weight it, if \nthey shouldn\'t use it. So I am not shifting responsibility to \nthe Coast Guard, it is just the fact that they are writing the \nrule.\n    Mr. Connolly. Surely, Mr. Sadler, you can sympathize, \nthough, with a taxpayer concern that if we have such a flawed \nentity in the pilot, why not acknowledge that and find another \nparadigm with which we are more comfortable, and there are \nother models that seem to work in harsh environments, albeit \nmaybe not a maritime one, as opposed to slavishly sticking to \nthe pilot because statute cites it?\n    I mean, you are here to give advice today, as well as to be \naccountable to Congress, and if it is your studied judgment \nthat we did our college best, but the pilot failed, or it is \nsufficiently flawed that, in good conscience, if you asked my \nopinion, I would find something else as a model to base going \nforward on rather than the pilot.\n    And I don\'t want to mischaracterize, but what I am hearing \nyou saying is you don\'t, that is not your opinion; your opinion \nis the pilot, flaws and all, is going to give us sufficient \ndata and is sufficiently efficacious that I have confidence \nthat we can move forward based on what we learned from that \npilot.\n    Mr. Sadler. And I want to be careful how I say this because \nI do have to defer to the Coast Guard, but the pilot data is \none of many sources that the Coast Guard used in promulgating \ntheir rule. So what I said, and what I will say again, is that \nwe believe we got sufficient data in sufficient quantity, in \nsufficient quality, to support the conclusions of that pilot \nitself, which was that if the readers are installed properly, \npeople are trained properly, and they were purchased and \ninstalled based on the requirements of that particular port, \nthen they work properly and they can be used to help make \naccess decisions. Those were the conclusions of the pilot.\n    Mr. Connolly. Okay. The record will show that is in \ndistinct contrast to the GAO point of view. Okay.\n    Final set of questions, Mr. Chairman, if I may.\n    Mr. Lord, you cited in our previous round of questioning \nharsh conditions in Afghanistan and Iraq, war conditions, and \nlots of weather challenges too, I might add. I have been to \nboth. But they use an access card that includes biometric \ninformation, is that correct?\n    Mr. Lord. Yes. It is called the common access card, the CAC \ncard.\n    Mr. Connolly. CAC card. And how many CAC cards have been \nissued?\n    Mr. Lord. That is a good question. I am not the subject \nmatter expert on that. I know just from personal experience. I \nwas deployed to Iraq for GAO for three months and I had one and \nit seemed to work and I never had an issue with it.\n    Mr. Connolly. Hundreds of thousands of contractors?\n    Mr. Lord. Absolutely. And the servicemen themselves.\n    Mr. Connolly. And the servicemen. Well, when you look at \nthe total number that have come through Afghanistan and Iraq, \nit is well over a million, probably, right?\n    Mr. Lord. Yes.\n    Mr. Connolly. So we have had a lot of these cards issued. I \ndon\'t know if it approaches the TWIC, but it would be fairly \ncomparable, is that correct?\n    Mr. Lord. I believe so. I don\'t have the exact numbers. But \nagain I cited it as a success. That is an example where the \nGovernment was able to issue----\n    Mr. Connolly. Yes. I am back to my benchmarking. We \nactually have an example, and the security challenge is \nparamount. That is why we issued these CAC cards, to make sure \nbad guys don\'t get into sensitive facilities or, for that \nmatter, even canteens, where lots of our servicemen and women \nare congregating, assuming it is a safe harbor; and it works. \nAnd it has been working for how long?\n    Mr. Lord. For how long? That is a good question. I don\'t \nknow the answer.\n    Mr. Connolly. Well, we have been at war for 12 years, so \npresumably most of the duration of that 12 years. Almost \nparalleling the same time frame that the chairman cited in his \nfrustration, understandable frustration, where we have been \ntrying to work this out in the ports. And I guess I just wonder \nwhat is the likelihood we could perhaps learn from a successful \nlesson and try to apply it to TSA.\n    Mr. Lord. Well, that is obviously an option. You know, \nthere is another option. It is not, obviously, my call, but \nthey could rerun the pilot on a limited scale and resource it \nand oversee it correctly. That is obviously one option. Or you \ncould pursue a different model, as you suggested, you know, \nhave the Government do the background checks and have the local \nports provide the credential. That is what I call a hybrid \noption. But, again, that is not my call, that is the Congress\'s \ncall.\n    Mr. Connolly. I know it is the chairman\'s intention, \nperhaps, and I would join him in this if that is what he wishes \nto pursue, where we are going to hear from different examples \nof Federal agencies using these kinds of access cards, and \nundoubtedly we will have TSA back, but it will be most \ninstructive to hear more about how the DOD has successfully \nmanaged to create and deploy a card that seems to work.\n    Mr. Lord. In harsh conditions. Actually, they would \nprobably be a very good witness to have at your upcoming \nhearing.\n    Mr. Connolly. Thank you very much.\n    Mr. Chairman, I yield back and I thank you for holding this \nhearing. It is most illuminating.\n    Mr. Mica. Well, thank you, Mr. Connolly. We will work with \nyou.\n    I think, again, our intent is to sort of end this Groundhog \nDay and not have another one of these hearings. Again, there \nare just so many of them. I just was reminded by the staff, Mr. \nConnolly, that we had a one-year pilot program testing the \nreaders back in 2006 at the Port of New York and New Jersey, \nand we had collected data on fingerprints at that juncture. But \nwe have done that pilot program, we have done these pilot \nprograms. Now we are at this stage and Mr. Lord said it might \nbe valuable to go back and do another pilot program again with \nsome data that is reliable.\n    Mr. Sadler, you said we spent $23 million on this pilot. Is \nthere any money left?\n    Mr. Sadler. I believe there is some grant money. And out of \nthe $23 million, as I understand it, the ports expended $15 \nmillion of the grant money.\n    And I would like to make a comment on the DOD, and maybe \nMr. Lord can answer this. The DOD may be using a contact mode \nonly, and I don\'t know if that is accurate or not.\n    Mr. Mica. But, you know, it is amazing. Are you the head of \nthis program for TSA?\n    Mr. Sadler. I am the senior responsible executive.\n    Mr. Mica. And you don\'t know about the other programs?\n    Mr. Sadler. If they are using a CAC card, that is a contact \nbiometric, sir.\n    Mr. Mica. I think the first thing I would do, if I were the \nhead of this, Mr. Connolly, find out what works, is somebody \ndoing it. Are we reinventing the wheel?\n    Mr. Sadler. Well, I will tell you, sir, contact is not \ngoing to work in the maritime environment. And if the CAC card \nis using a contact biometric, where you have to put the card \ninto a reader and put a PIN in, you are not going to get trucks \nand individuals through those gates using a contact mode.\n    Now, to fix that problem, we actually developed a \nspecification with industry to wirelessly transmit an encrypted \nbiometric. There is no standard in the Federal Government for \nthat today. So if we compare models, we need to compare similar \nmodels.\n    Mr. Connolly. Mr. Sadler?\n    Mr. Chairman?\n    Mr. Mica. Go ahead.\n    Mr. Connolly. If I could just follow up on the chairman\'s \npoint, Mr. Sadler. I am not trying to put you on the spot, but \ninstead of theorizing about what CAC does or does not do, or \nwhether it is applicable or it is not applicable, how about \nfinding out? Would it be worth it? Would you be willing to \ncommit that TSA is going to actually look at how CAC works?\n    Mr. Mica. Not just CAC, Mr. Connolly, but others. There are \nprograms that do work.\n    Mr. Connolly. And let\'s see if we can\'t fold that into our \nexperience with our own pilot and see if we can\'t make a better \nproduct. Our interest here is success, it is not laying blame; \nand we would like to partner with you, but if we have a model \nthat is successful, and you may be absolutely right, it may not \nfully be applicable, it may not be applicable at all, but \ntrucks have to go to remote locations in Afghanistan, and \npreviously Iraq, long convoys, so there may be comparable \naspects of this that we could benefit from.\n    So I wonder if you would be willing to make that \ncommitment, that you are going to look at that to see if there \nare aspects of it that could be relevant as we fold in lessons \nlearned in the pilot.\n    Mr. Sadler. We will look at anything, sir, to make this \npilot better and to make the result better.\n    Mr. Connolly. I thank you for that commitment.\n    Mr. Sadler. And my comment was not meant to infer \notherwise.\n    Mr. Mica. And maybe we will give him about 60 days or \nsomething like that, Mr. Connolly; call him back and see what \nhe has learned that is out there that may be applicable, get an \nevaluation of where they are. Again, maybe you could come back \nto the committee with a better time line. We have this 90-day \nreview in place.\n    And then maybe, if there is money left over, Mr. Lord and \nthis report says that some of the basis by which you are \nproceeding is flawed. Even the data that is given to Coast \nGuard by which you are making a further evaluation isn\'t up to \ndate. But, my God, this thing is going on forever. We do not \nhave readers.\n    The other thing, too, what is the agency that sets the \nstandard for the high risk?\n    Mr. Sadler. NIST.\n    Mr. Mica. Yes. Could you write them and ask them when they \nthink they will have that standard? I have had them before \nCongress several times. I would just be curious if you would \nwrite them, and then I will ask the committee staff, we will \nsign a letter together, when they will have this ready. It was \ncoming some years ago in the summer, and then it was coming in \nthe fall, and then it was coming in mid-January. We still don\'t \nhave this. And then maybe if we don\'t, we can find some \nstandards that Congress could adopt or something.\n    But to issue cards that do not have a biometric component \nthat is reliable, cards that can be thwarted, which GAO has \ndone in covert testing, and to have this system in place at \ngreat expense both to the truckers and the transportation \nworkers, and maybe 129 doesn\'t sound like a lot to us, but to \nagain have this whole thing not working and not as it was set \nout to provide us with some firm identification.\n    Now, we are just looking at TWIC. We are going to look at \nglobal entry, we are going to look at the CLEAR card, we are \ngoing to look at the pilot\'s license, all these IDs that TSA \nand Homeland Security have some say in, and try to see what we \ncan do to ensure that we have better identification, because we \nare putting ourselves at risk. We are not knowing who we are \ndealing with. And if we can know that, you can speed up the \nprocess, the inconveniences to passengers, to business, \ntruckers, to port personnel.\n    So that is our intent. I want to thank, again, Mr. Connolly \nfor his involvement, Mr. Cummings, Mr. Meadows, and others. We \nhave a small panel, so we can have this nice exchange. We will \nbe back.\n    There being, I guess, no further business before the \nsubcommittee, I thank the witnesses for being with us. I thank \nyou and the committee stands adjourned.\n    [Whereupon, at 10:29 a.m., the subcommittee was adjourned.]\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'