Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Controls
(04-JUN-04, GAO-04-728).
In the 2 years since passage of the Aviation and Transportation
Security Act (ATSA), the Transportation Security Administration
(TSA) has primarily focused its efforts on improving aviation
security through enhanced passenger and baggage screening. The
act also contained provisions directing TSA to take actions to
improve the security of airport perimeters, access controls, and
airport workers. GAO was asked to assess TSA's efforts to: (1)
evaluate the security of airport perimeters and the controls that
limit access into secured airport areas, (2) help airports
implement and enhance perimeter security and access controls by
providing them funding and technical guidance, and (3) implement
measures to reduce the potential security risks posed by airport
workers.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-04-728
ACCNO: A10404
TITLE: Aviation Security: Further Steps Needed to Strengthen the
Security of Commercial Airport Perimeters and Access Controls
DATE: 06/04/2004
SUBJECT: Air transportation operations
Transportation safety
Airport security
Baggage (personal effects)
Smuggling
Drugs
Airports
Aircraft
Airline industry
FAA Airport Improvement Program
TSA Transportation Worker Identification
Credential Project
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-04-728
GAO
Report to Congressional Requesters
June 2004
AVIATION SECURITY
Further Steps Needed to Strengthen the Security of Commercial Airport Perimeters
and Access Controls
GAO-04-728
Highlights of GAO-04-728, a report to congressional requesters
In the 2 years since passage of the Aviation and Transportation Security
Act (ATSA), the Transportation Security Administration (TSA) has primarily
focused its efforts on improving aviation security through enhanced
passenger and baggage screening. The act also contained provisions
directing TSA to take actions to improve the security of airport
perimeters, access controls, and airport workers. GAO was asked to assess
TSA's efforts to: (1) evaluate the security of airport perimeters and the
controls that limit access into secured airport areas, (2) help airports
implement and enhance perimeter security and access controls by providing
them funding and technical guidance, and (3) implement measures to reduce
the potential security risks posed by airport workers.
GAO is recommending that the Secretary of Homeland Security direct TSA's
Administrator to develop and provide Congress with a plan for meeting the
requirements of the Aviation and Transportation Security Act and taking
other actions to improve airport security.
TSA reviewed a draft of this report and generally agreed with GAO's
findings and recommendations. Technical comments were incorporated as
appropriate.
www.gao.gov/cgi-bin/getrpt?GAO-04-728.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Cathleen Berrick at (202)
512-3404 or [email protected].
June 2004
AVIATION SECURITY
Further Steps Needed to Strengthen the Security of Commercial Airport Perimeters
and Access Controls
TSA has begun evaluating the security of airport perimeters and the
controls that limit access into secured airport areas. Specifically, TSA
is conducting compliance inspections and vulnerability assessments at
selected airports. These evaluations-though not complete-have identified
perimeter and access control security concerns. While TSA officials
acknowledged that conducting these airport security evaluations is
essential to identifying additional perimeter and access control security
measures and prioritizing their implementation, the agency has not
determined how the results will be used to make improvements to the entire
commercial airport system.
TSA has helped some airport operators enhance perimeter and access control
security by providing funds for security equipment, such as electronic
surveillance systems. TSA has also begun efforts to evaluate the
effectiveness of security-related technologies, such as biometric
identification systems. However, TSA has not begun to gather data on
airport operators' historical funding of security projects and current
needs to aid the agency in setting funding priorities. Nor has TSA
developed a plan for implementing new technologies or balancing the costs
and effectiveness of these technologies with the security needs of
individual airport operators and the commercial airport system as a whole.
TSA has taken some steps to reduce the potential security risks posed by
airport workers. However, TSA had elected not to fully address all related
ATSA requirements. In particular, TSA does not require fingerprint-based
criminal history checks and security awareness training for all airport
workers, as called for in ATSA. Further, TSA has not required airport
vendors to develop security programs, another ATSA requirement. TSA said
expanding these efforts would require a time-consuming rulemaking process
and impose additional costs on airport operators. Finally, although not
required by ATSA, TSA has not developed a plan detailing when and how it
intends to address these challenges.
Airport Perimeter Access Gate at a Large Commercial Airport
Source: GAO.
Contents
Letter
Results in Brief
Background
TSA Has Begun Evaluating Commercial Airport Security but Needs
a Better Approach for Assessing Results TSA Has Begun Efforts but Has Not
Fully Developed Plans to Fund Security Enhancements and Assess Security
Technologies
TSA Has Helped to Reduce Potential Security Risks Posed by Airport Workers
but Has Not Determined How to Fully Address Legislative Requirements
Conclusions
Recommendations for Executive Action
Agency Comments
1
3 4
10
16
26 37 38 38
Appendix I Objectives, Scope, and Methodology
Appendix II GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach
Appendix III Comments from the Department of Homeland Security
Appendix IV GAO Contacts and Staff Acknowledgments 54
GAO Contacts 54 Staff Acknowledgments 54
Tables
Table 1: Types of Enforcement Actions Used by TSA to Address
Airport Operator Noncompliance with Security
Requirements between October 2003 and February 2004 12 Table 2:
Distribution of AIP Grant Funds Awarded for Security Projects by Project
Type, Fiscal Year 2002 18
Table 3: Distribution of Airports Receiving Grants Awarded by TSA for
Perimeter and Access Control-Related Security and Projects Funded
Figures
Figure 1: ATSA Requirements Directed to TSA Related to Perimeter, Access
Control, and Airport Worker Security 5
Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison of
Security Requirements That Apply to Each Airport Area 8
Figure 3: Perimeter and Access Control Security Technologies Tested or
Implemented at Selected Commercial Airports across the Nation 25
Figure 4: Elements of a Risk Management Approach 43 Figure 5: How a Risk
Management Approach Can Guide Decision-Making 44 Figure 6: TSA's Threat
Assessment and Risk Management Approach 45
Abbreviations
AIP Airport Improvement Program
AOA air operations area
ATSA Aviation and Transportation Security Act
DHS Department of Homeland Security
FAA Federal Aviation Administration
FBI Federal Bureau of Investigation
FSD federal security director
NCIC National Crime Information Center
PARIS Performance and Results Information System
SIDA security identification display area
TSA Transportation Security Administration
TWIC Transportation Workers Identification Credential Program
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States General Accounting Office Washington, DC 20548
June 4, 2004
The Honorable Joseph I. Lieberman
Ranking Minority Member
Committee on Governmental Affairs
United States Senate
The Honorable Jim Turner
Ranking Minority Member
Select Committee on Homeland Security
House of Representatives
In November 2001, shortly after the September 11 terrorist attacks,
President Bush signed into law the Aviation and Transportation Security
Act, or ATSA (Pub. L. No. 107-71). The act established the Transportation
Security Administration (TSA), giving it responsibility for securing all
modes of transportation, including aviation. One of TSA's first challenges
imposed by the act was to improve the security of airline passenger and
baggage screening activities, activities for which TSA has direct
responsibility. The agency is also taking action to address provisions of
the act to improve three other areas of aviation security: the security of
airport perimeters (such as airfield fencing and access gates), the
adequacy of controls restricting unauthorized access to secured areas
(such as building entry ways leading to aircraft), and security measures
pertaining to individuals who work at airports. Recent media reports of
security breaches and other illegal activities, such as drug smuggling,
taking place at some airports highlight the importance of strengthening
security in these areas. Taken as a whole, these areas, along with
passenger and baggage screening, comprise key elements of the aviation
security environment at commercial airports, both individually and as a
nationwide system.
You requested that we examine TSA's efforts to strengthen security related
to perimeter and access controls. This report assesses TSA's efforts to
(1) evaluate the security of airport perimeters and the controls that
limit
access into secured airport areas, (2) help airports implement and enhance
perimeter security and access controls by providing funding and technical
guidance, and (3) implement measures to reduce the potential security
risk posed by airport workers. Due to TSA's concern that the public
release of some of our detailed findings could compromise aviation
security, we also issued a restricted version of this report.
To perform these assessments, we analyzed TSA data on security evaluations
conducted and funds distributed to commercial airports for security
improvements. We also reviewed pertinent legislation, regulatory
requirements, and policy guidance. To determine to what extent TSA had met
requirements, we discussed with our Office of General Counsel specific
requirements contained in three sections of the act:
o Section 106 (requirements for evaluating airport access controls,
testing and evaluating security technologies, and providing technical and
financial support to small and medium-sized airports);
o Section 136 (recommending commercially available measures to prevent
access to secure airport areas and developing a deployment strategy for
available technology at all large airports); and
o Section 138 (performing background checks for all employees with
unescorted access to secured airport areas, among others).
We obtained and analyzed TSA data on security breaches, covert testing,
inspections of airport compliance with security regulations, and
vulnerability assessments. (TSA's covert testing data and information on
the test program are classified and are the subject of a separate
classified GAO report.) We discussed the threat scenarios used in TSA
vulnerability assessments with TSA officials to identify those related to
perimeter and access control security. We obtained and analyzed data from
the Federal Aviation Administration (FAA) and TSA on perimeter and access
controlrelated security funds distributed to commercial airport
nationwide. We reviewed reports on aviation security issued previously by
GAO and the Department of Transportation Inspector General.
In addition, we conducted site visits at 12 commercial airports to observe
airport security procedures and discuss issues related to perimeter and
access control security with airport operator officials. These were Boston
Logan International Airport, Atlanta Hartsfield Jackson International
Airport, Ronald Reagan Washington National Airport, Washington Dulles
International Airport, Orlando International Airport, Tampa International
Airport, Miami International Airport, Los Angeles International Airport,
San Francisco International Airport, Middle Georgia Regional Airport,
Chattanooga Metropolitan Airport, and Columbus Metropolitan Airport. At 10
of these airports, we analyzed a sample of records to verify that the
procedures to reduce the security risk of airport workers were followed.
We also discussed security issues with TSA airport and headquarters
officials, airport security coordinators at each of the nation's 21
largest
and busiest airports (referred to by TSA as "category X" airports), as
well as airport industry representatives. More detailed information on our
scope and methodology is contained in appendix I. We conducted our review
from June 2003 through March 2004 in accordance with generally accepted
government auditing standards.
Results in Brief
TSA has begun evaluating the security of airport perimeters and the
controls that limit access into secured airport areas, but has not yet
determined how the results of these evaluations could be used to make
improvements to the nation's airport system as a whole. Specifically, TSA
is conducting regulatory compliance inspections, covert testing of
selected security procedures, and vulnerability assessments at selected
airports. These evaluations-though not yet completed-have identified
perimeter and access control security concerns. For example, TSA
identified instances where airport operators failed to comply with
existing security requirements, including access control-related
regulations. (Our evaluation of TSA's covert testing of airport access
controls is classified and is discussed in a separate classified report.)
In addition, TSA identified threats to perimeter and access control
security at each of the airports where vulnerability assessments were
conducted in 2003. In January 2004, TSA temporarily suspended its
assessment efforts to conduct higherpriority vulnerability assessments
dealing with airport vulnerability to shoulder-fired missiles. TSA plans
to begin conducting joint vulnerability assessments with the Federal
Bureau of Investigation (FBI) but has not yet determined how it will
allocate existing resources between its own independent airport
assessments and the new joint assessments, or developed a schedule for
conducting future vulnerability assessments. In addition, TSA has not yet
determined how to use the results of its inspections in conjunction with
its efforts to conduct covert testing and vulnerability assessments to
enhance the overall security of the nation's commercial airport system.
TSA has helped some airports enhance perimeter and access control security
by providing funds for security equipment, such as electronic surveillance
systems. TSA has also begun efforts to evaluate the effectiveness of
security-related technologies, such as biometric identification systems.
Responsibility for funding most airport security projects shifted in
December 2003 from FAA to TSA. As a result, TSA is developing new policies
to determine how to review, approve, and prioritize security project
funding. However, TSA has not yet begun to gather data on airport
operators' historical funding of security projects and current needs to
aid the agency in setting funding priorities. Nor has
TSA developed a plan for implementing new technologies or balancing the
costs and effectiveness of these technologies with the security needs of
individual airports and the commercial airport system as a whole.
TSA has taken some steps to implement measures to reduce the potential
security risk posed by airport workers. However, at the time of our
review, TSA had not fully addressed all related requirements in the 2001
Aviation and Transportation Security Act. For example, TSA required
fingerprintbased criminal history records checks and security awareness
training for most, but not all, airport workers called for in the act. TSA
relies on background checks as a method of screening most airport workers
in lieu of physical screening, as is conducted for passengers and their
baggage. However, TSA has not analyzed the security threat posed by
airport workers in terms of the potential costs and security benefits of
physically screening all airport workers. Further, TSA has not addressed
the act's provision that calls for the agency to require that airport
vendors with direct access to the airfield and aircraft develop security
programs to address security measures specific to vendor employees. TSA
said that expanding requirements for background checks and security
awareness training for additional workers and establishing requirements
for vendor security programs would be costly to implement and would
require timeconsuming rule-making efforts to assess potential impacts and
obtain and incorporate public comment on any proposed regulations.
This report contains recommendations to the Secretary of the Department of
Homeland Security (DHS) to help the department articulate and justify
future decisions on how best to proceed with security evaluations, fund
and implement security improvements-including new security
technologies-and implement additional measures to reduce the potential
security risks posed by airport workers. We provided a draft of this
report to TSA officials who generally concurred with our findings and
recommendations. TSA's written comments are presented in appendix III.
Background ATSA, signed into law on November 19, 2001,1 shifted certain
responsibilities for aviation security from commercial airport operators
and air carriers to the federal government and the newly created
Transportation Security Administration. Specifically, ATSA granted TSA
direct operational responsibility for the screening of passengers and
their
1ATSA, Pub. L. No. 107-71, 115 Stat. 597 (2001).
baggage, as well as responsibility for overseeing U.S. airport operators'
efforts to maintain and improve the security of commercial airport
perimeters, access controls, and workers. While airport operators, not
TSA, retain direct day-to-day operational responsibility for these areas
of security, ATSA's sections 106, 136, and 138 direct TSA to improve the
security of airport perimeters and the access controls leading to secured
airport areas, as well as measures to reduce the security risks posed by
airport workers, as shown in figure 1.
Figure 1: ATSA Requirements Directed to TSA Related to Perimeter, Access
Control, and Airport Worker Security
Requirements for evaluating airport access controls
Assess and test for airport compliance with access control requirements on
an ongoing basis and report annually on the findings of the assessments;
assess the effectiveness of penalties in ensuring compliance with security
procedures and take any other appropriate enforcement actions when
noncompliance is found. Sec.106(c)(2).
Requirements for strengthening the security of airport perimeters and
access controls
Within 6 months after enactment of the act, recommend to airport operators
commercially available measures or procedures to prevent access to secure
airport areas by unauthorized persons. This 6-month assessment shall
review emerging security technologies and procedures and shall include a
12-month deployment strategy for currently available technology at all
category X (i.e., the largest and busiest) airports. Sec.136. a
Establish a pilot program in no fewer than 20 airports to test and
evaluate technology for providing access control and security protections
for closed or secure areas. Sec. 106(d).
Develop a plan to provide technical support and financial assistance to
small- and medium-sized airports to enhance security operations and to
defray the cost of security. Sec. 106(b).
Requirements for reducing the risks posed by airport workers
Perform background checks for all employees with unescorted access to
secured airport areas and individuals who have regularly escorted access
to secured airport areas and review available law enforcement databases
and records of other governmental and international agencies. Sec. 138.
Require airports and air carriers to develop security awareness training
programs for airport employees; ground crews; gate, ticket, curbside
agents of the air carriers; and other individuals employed at airports.
Sec. 106(e).
Require vendors having direct access to the airfield and aircraft to
develop their own security programs. Sec. 106(a).
Require screening/inspection of all persons, vehicles, equipment, goods,
and property before entering secured areas of U.S. commercial airports.
Sec. 106(a).
Source: TSA and GAO.
aSection 136 also requires the Secretary of Transportation to conduct a
review of reductions in unauthorized access at the category X airports no
later than 18 months after the enactment of ATSA.
On February 17, 2002, TSA assumed responsibility from FAA for certain
aspects of security at the nation's commercial airports, including FAA's
existing aviation security programs, plans, regulations, orders, and
directives.2 Soon thereafter, on February 22, 2002, the Department of
Transportation issued regulations to reflect the change in jurisdiction
from FAA to TSA.3 Also, TSA reissued security directives originally issued
by
FAA after September 11, 2001, related to perimeter and access control
security.
TSA hired 158 federal security directors (FSDs) to oversee the
implementation of these requirements at airports nationwide. The FSDs also
work with inspection teams from TSA's Aviation Regulatory Inspection
Division to conduct compliance inspections. In addition, as part of its
oversight role, TSA headquarters staff conducts covert testing4 and
vulnerability assessments to help individual airport operators determine
how to improve security and to gather data to support systemwide analysis
of security vulnerabilities and weaknesses. Airport operators are
responsible for implementing TSA security requirements for airport
perimeters, access controls, and airport workers. Each airport's security
program, which must be approved by TSA, outlines the security policies,
procedures, and systems the airport intends to use in order to comply with
TSA security requirements.
There are about 450 commercial airports in the United States.5 Depending
upon the type of aircraft operations, airport operators must establish
2ATSA created TSA as an agency within the Department of Transportation and
referred to the head of the TSA as the Under Secretary of Transportation
for Security. Since the transfer of TSA to the newly created DHS pursuant
to the Homeland Security Act of 2002, Pub. L. 107-296,116 Stat. 2135, the
title of the head of TSA has been administratively changed to
Administrator. Within DHS, TSA is a distinct entity under the authority of
the Under Secretary for Border and Transportation Security.
3TSA regulations governing airport security are codified at Title 49 of
the Code of Federal Regulations, Chapter XII.
4Covert testing involves TSA agents working undercover to evaluate, among
other things, the effectiveness of access control processes and
procedures.
5According to TSA, the total number of commercial airports regulated for
security in the United States varies from about 429 to 456, depending on
various factors such as the type and level of commercial operations that
an aircraft operator conducts at that particular airport, the time of year
or season where a particular airport is located, and the economic
stability of that airport's region.
either complete, supporting, or partial security programs.6 Complete
security programs include guidelines for performing background checks on
airport workers, providing security training for these workers, and
controlling access to secured airport areas, among other things. Federal
regulations also require that commercial airports with complete security
programs designate areas where specific security practices and measures
are in place and provide a diagram of these areas. Figure 2 is a diagram
of a typical commercial airport and the security requirements that apply
to each airport area.
6Supporting and partial security programs contain fewer requirements and
typically apply to smaller airports. An aircraft operator may receive
permission from TSA to amend its security program, provided that the
proposed amendments are consistent with safety and the public interest and
provide the requisite level of security. Also, if TSA concludes that the
needs of safety and the public interest require an amendment to an
aircraft operator's security program, the agency may amend the program on
its own initiative.
Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison of
Security Requirements That Apply to Each Airport Area
Source: GAO.
TSA classifies airports into one of five categories (X, I, II, III, and
IV) based on various factors, such as the total number of take-offs and
landings annually, the extent to which passengers are screened at the
airport, and other special security considerations. U.S. commercial
airports are divided into different areas with varying levels of security.
Individual airport operators determine the boundaries for each of these
areas on a case-bycase basis, depending on the physical layout of the
airport. As a result, some of these areas may overlap. Secured areas,
security identification display areas (SIDA), and air operations areas
(AOA) are not to be accessed by passengers, and typically encompass areas
near terminal buildings, baggage loading areas, and other areas that are
close to parked aircraft and airport facilities, including air traffic
control towers and runways used for landing, taking off, or surface
maneuvering. On the other hand, sterile areas are located within the
terminal where passengers wait after screening to board departing
aircraft. Access to these areas is controlled by TSA screeners at
checkpoints where they conduct physical screening of passengers and their
carry-on baggage for weapons and explosives.
According to TSA estimates, there are about 1,000,000 airport and vendor
employees who work at the nation's commercial airports. About 900,000 of
these workers perform duties in the secured or SIDA areas. Airport
operators issue SIDA badges to these airport workers. These badges
identify the workers and grant them the authority to access the SIDA and
secured areas without an escort. Examples of workers with unescorted
access to the SIDA and secured areas include workers who access aircraft,
including mechanics, catering employees, refuelers, cleaning crews,
baggage handlers, and cargo loaders. TSA estimates there are an additional
100,000 employees who work in sterile airport areas, such as the concourse
or gate area where passenger flights load and unload. Examples of
employees who work or perform duties in the sterile area include those
operating concessions and shops, and other air carrier or vendor
employees. Other workers may, from time to time, need to enter the SIDA or
secured area and must be accompanied by an escort who has been granted
unescorted access authority. According to TSA, only a relatively small
number of airport workers need regular escorted access to the SIDA and
secured areas.7 Job functions in this category would include delivery
personnel, construction workers, and specialized maintenance crews.
7Regular escorted access is not defined in statute or by regulation.
TSA Has Begun Evaluating Commercial Airport Security but Needs a Better
Approach for Assessing Results
Methods used by airports to control access through perimeters or into
secured areas vary because of differences in the design and layout of
individual airports, but all access controls must meet minimum performance
standards in accordance with TSA requirements. There are a variety of
commercially available technologies that are currently used for these
purposes or are used for other industries but could be applied to
airports. In addition, TSA has a research and development program to
develop new and emerging technologies for these and other securityrelated
purposes.
TSA has three efforts under way to evaluate the security of commercial
airports' perimeters and the controls that limit unauthorized access into
secured areas. While ATSA only requires that TSA perform compliance
inspections, the agency also relies on covert testing8 of selected
security procedures and vulnerability assessments to meet the
legislation's mandate to strengthen perimeter and access control security.
TSA acknowledged the importance of conducting these evaluation efforts as
an essential step to determine the need for, and prioritization of,
additional perimeter security and access control security measures. But
the agency has not yet established several elements needed for effective
short-and long-term management of these evaluations, such as schedules for
conducting its efforts and an analytical approach to using the results of
its evaluations to make systematic improvements to the nation's commercial
airport system.
TSA Has Revised Its Approach to Conducting Airport Compliance Inspections
but Has Not Determined How to Use Results to Strengthen Security
ATSA, (Sec. 106 (c)(2)), requires TSA to assess and test for airport
compliance with federal access control security requirements and report
annually on its findings. TSA originally planned to conduct comprehensive
assessments at each commercial airport periodically. Staff from TSA's
Aviation Regulatory Inspection Division along with local airport
inspection staff working under federal security directors completed
relatively few comprehensive airport inspections in fiscal year 2002,
although TSA completed considerably more in 2003. In addition, TSA records
indicated that a significant number of individual, or "supplemental"
inspections of specific areas of security or local airport security
concerns were conducted in fiscal years 2002 and 2003, respectively. TSA,
however, did
8Our evaluation of TSA's covert testing of airport access controls is
classified and is discussed in a separate report.
not identify the scope of these inspections, or how many airports were
inspected through its supplemental inspections. In addition, the agency
did not report on the results of these comprehensive or individual
supplemental inspections, as required by ATSA. According to TSA, the
agency was limited in its ability to analyze these data because compliance
reports submitted during this time frame were compiled in a prototype
reporting system that was under development. In July 2003, TSA deployed
the automated system-Performance and Results Information System
(PARIS)-and began to compile the results of compliance reviews.
In TSA's Annual Inspection and Assessment Plan for fiscal year 2004, TSA
revised its approach for reviewing airport operator compliance with
security regulations.9 According to TSA, the new inspection process uses
risk management principles that consider threat factors, local security
issues, and input from airport operators and law enforcement to target key
vulnerabilities and critical assets. Under the new inspection process, the
local federal security director at each airport is responsible for
determining the scope and emphasis of the inspections, as well as managing
local TSA inspection staff. According to the agency, the continuous
inspections approach resulted in completion of a significant number of
individual inspections of airport access controls and other security
requirements in the first few months of fiscal year 2004.
The percentage of inspections that found airport operators to be in
compliance with security requirements, including those related to
perimeters and access control, was high. According to TSA, its goal is for
airport operators to be in 100 percent compliance with security
requirements. Despite the generally high compliance rates, TSA identified
some instances of airport noncompliance involving access controls.
According to TSA, the agency's new approach to conducting compliance
inspections is designed to be a cooperative process based on the premise
that voluntary and collaborative airport operator compliance to facilitate
solutions to security issues is more effective than the use of penalties
to enforce compliance. This approach is intended to identify the root
causes of security problems, develop solutions cooperatively with airport
operators, and focus the use of civil enforcement actions on the most
serious security risks revealed by TSA's inspections. As a result, TSA
said that the majority of airport inspection violations related to airport
security
9TSA's inspections review for compliance in 14 areas.
was addressed through on-site counseling with airport operator officials,
rather than administrative actions or civil monetary penalties, which TSA
is authorized to issue when airport operators fail to address identified
areas of noncompliance.10 According to TSA, on-site counseling is used
only for minor infractions that can be easily and quickly corrected.
Administrative actions progress from a warning notice suggesting
corrective steps to a letter of correction that requires an airport
operator to take immediate action to avoid civil penalties. TSA was able
to provide the number of cases in which it recommended the issuance of
civil penalties to airport operators for violations of security
requirement.11 Table 1 shows the various types of enforcement actions used
by TSA to address airport operator noncompliance with security
requirements for the period between October 2003 and February 2004.
Table 1: Types of Enforcement Actions Used by TSA to Address Airport
Operator Noncompliance with Security Requirements between October 2003 and
February 2004
Number of
Enforcement action Sanction used enforcement actions
Resolved with counseling None 571
Administrative action Warning notice 106
Letter of correction 123
Civil penalties Monetary
recommended
Total 867
Source: GAO analysis of TSA data.
TSA had not assessed the effectiveness of these penalties in ensuring
airport compliance with security requirements as required by ATSA (Sec.
106 (c)(2)). TSA said the agency was not able to conduct inspections at
all commercial airports in prior years, or assess the effectiveness of the
use of
10The statutory authority for TSA to issue fines and penalties to
individual airport operators, air carriers, and individual airport or
airline workers for not complying with established security procedures is
49 U.S.C. S: 46301. The penalty for an aviation security violation is
found at 49 U.S.C. S: 46301(a)(4) and states that the maximum civil
penalty for violating chapter 449 [49 U.S.C. S:S: 44901 et seq.] or
another requirement under this title administered by the TSA's
administrator shall be $10,000 except that the maximum civil penalty shall
be $25,000 in the case of a person operating an aircraft for the
transportation of passengers or property for compensation.
11According to TSA, the agency's new automated reporting system documents
the number of cases in which a civil penalty was recommended. TSA did not
confirm the number of penalties issued.
penalties to ensure airport compliance because of limited personnel
assigned to perform these tasks and agency decisions to direct these
resources to address other areas of aviation security, such as passenger
and baggage screening operations. According to TSA, the primary focus of
field inspectors was to monitor passenger and baggage screening operations
immediately following the attacks of September 11. As a result, routine
inspections were not assigned as high a priority during the months
following the attacks. For example, while DHS authorized TSA to use 639
full-time employees for the purpose of performing airport security
inspections in fiscal year 2003, TSA allocated 358 full-time employees for
this purpose. TSA said that the agency is hiring new regulatory inspectors
at airports to help conduct required inspections. In its fiscal year 2005
budget submission, TSA requested over 1,200 full-time employees to conduct
compliance inspections.
TSA said airport compliance inspections are needed to ensure that airport
operators take steps to address deficiencies as they are identified. TSA
also said that the agency has proposed measuring the performance of
individual airport against national performance averages, and airports
that fall below accepted levels of compliance will receive additional
inspections or other actions. However, TSA has not yet developed a plan
outlining how the results of its compliance inspections will be used to
interpret and help analyze the results of airport vulnerability
assessments and covert testing. For example, at the time of our review, a
majority of airports tested had high compliance rates, indicating that
these airports are implementing most security regulations. However,
assessing airport operator compliance with security requirements as a
stand-alone measure does not provide a complete picture of the level of
security at these airports. Covert testing and vulnerability assessments
provide additional information that, taken together with the results of
compliance inspections, provide a more complete picture of the security
environment at commercial airports on a systemwide basis.
Initial Airport Vulnerability Assessments Reveal Security Concerns, but TSA
Lacks Both a Timetable for Completion and a Plan for Making Systematic
Improvements
From September to December 2003,12 TSA conducted vulnerability assessments
at some of the nation's commercial airports to help individual airport
operators determine how to improve security. At the time of our review,
TSA had not established a schedule for completing assessments at the
remaining airports. TSA is conducting these vulnerability assessments as
part of a broader effort to implement a risk management approach to better
prepare for and withstand terrorist threats. A risk management approach is
a systematic process to analyze threats, vulnerabilities, and the
criticality (or relative importance) of assets to better support key
decisions. (See app. II for a description of risk management principles
and TSA's tools for implementing these principles.)13 TSA uses various
threat scenarios that describe potentially dangerous situations as a basis
for conducting its vulnerabilities assessments. During the assessments,
TSA and airport operators review the scenarios and rank them according to
the risk each poses to the individual airport.
As part of each vulnerability assessment, TSA provided airport operators
with a report on the results and recommended short-and long-term
countermeasures to reduce the threats identified. According to TSA, some
of these countermeasures may be difficult for (1) airport operators to
implement because of limited availability of security funding and (2) TSA
to mandate because issuing new security regulations is an often
timeconsuming process that involves public comment and analysis of
potential impacts.14 However, TSA does have authority under 49 U.S.C. S:
114(l)(2) to issue regulations or security directives immediately in order
to protect transportation security.
Various sources have highlighted the importance of TSA's continuing
efforts to assess airport vulnerabilities. For example, in December 2003,
12Prior to September 2003, TSA completed a vulnerability assessment of a
"generic" large airport that focused on threats coming through an
airport's perimeter. According to TSA, the assessment and its results,
which were issued in October 2002, were of limited value because they
focused on one airport area (perimeters) in isolation, and thus needed to
be revalidated and updated in the context of the entire airport operation
environment.
13U.S. General Accounting Office, Homeland Security: A Risk Management
Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.:
Oct. 31, 2001).
14We have previously reported on the challenges associated with the
issuance of aviation regulations, see U.S. General Accounting Office,
Aviation Rulemaking: Further Reform Is Needed to Address Long-standing
Problems, GAO-01-821 (Washington, D.C.: July 6, 2001).
the President issued a directive15 calling for assessments of the
vulnerability of critical infrastructure, including airports, to assist in
developing the nation's homeland security strategy. In addition, TSA data
on reported security breaches16 of airport access controls revealed that
such known breaches have increased in recent years.17 Further, airport
operator officials we spoke with noted the importance of vulnerability
assessments as the key step in determining needed security enhancements at
each airport. Specifically, airport security coordinators at 12 of the
nation's 21 largest and busiest airports said that a TSA vulnerability
assessment would facilitate their efforts to comprehensively identify and
effectively address perimeter and access control security weaknesses.
At the time of our review, TSA had allocated 9 staff to conduct the
vulnerability assessments and another 5 staff to analyze the results.18
According to TSA, these staff also perform other assessment and analytical
tasks. Although TSA initially said that it expected to conduct additional
assessments in 2004, the agency suspended its efforts to use established
threat scenarios to assess vulnerabilities in January 2004. TSA said that
the agency elected to redirect staff resources to conduct higher priority
assessments of the threat posed by shoulder-fired missiles, also referred
to as man portable air defense systems (MANPADS). In addition, TSA said
that the agency planned to begin conducting joint vulnerability
assessments with the FBI. The FBI previously conducted joint assessments
with FAA in response to requirements established in the Federal Aviation
Administration Reauthorization Act of 1996. At the time
15On December 17, 2003, President Bush issued a Homeland Security
Presidential Directive (#7) addressing critical infrastructure
identification, prioritization, and protection. The directive calls for
federal departments and agencies to identify, prioritize, and coordinate
the protection of critical infrastructure and key resources in order to
prevent, deter, and mitigate the effects of deliberate efforts to destroy,
incapacitate, or exploit them. The directive also requires federal
departments and agencies to work with state and local governments and the
private sector to accomplish this objective.
16A breach of security does not necessarily mean that a threat was
imminent or successful. According to TSA, the significance of a breach
must be considered in light of several factors, including the intent of
the perpetrator and whether existing security measures and procedures
successfully responded to, and mitigated against, the breach so that no
harm to persons, facilities, or other assets resulted.
17According to TSA, differences in the way FAA reported and complied
breach data may account for some portion of the increase from 2001 to
2003. Through its PARIS, TSA hopes to standardize breach data reporting in
the future. PARIS became operational in July 2003.
18The Coast Guard, another agency within DHS, elected to hire a contractor
to conduct similar assessments of seaports.
of our review, TSA said that the agency had not yet determined how to
allocate its resources to conduct vulnerability assessments using
established threat scenarios versus initiating joint assessment efforts
with the FBI. When TSA resumes its scenario-based assessment efforts, the
agency plans to prioritize its efforts by focusing on the most critical
airports. (TSA said the agency intends to determine the criticality of
commercial airports based on factors such as current threat intelligence,
the number of fatalities that could occur during an attack on the airport,
and the economic and sociopolitical importance of the facility.)
After TSA resumes its assessment efforts, the agency intends to compile
baseline data on security vulnerabilities to enable it to conduct a
systematic analysis of airport security vulnerabilities on a nationwide
basis. TSA said such an analysis is essential since it will allow the
agency to determine minimum standards and the adequacy of security
policies and help the agency and airports better direct limited resources.
Nonetheless, at the time of our review, TSA had not yet developed a plan
that prioritizes its assessment efforts, provides a schedule for
completing these assessments, or describes how assessment results will be
used to help guide agency decisions on what, if any, security improvements
are needed.
Through funding of a limited number of security enhancements, TSA has
helped to improve perimeter and access control security at some airports.
However, at the time of our review, TSA had not yet developed a plan to
prioritize expenditures to ensure that funds provided have the greatest
impact in improving the security of the commercial airport system.
Concerning evaluations of security technologies, ATSA contained three
provisions (Secs. 136, 106(b), and 106(c)) directing TSA to assess
security technologies related to perimeter and access control security and
develop a plan to provide technical (and funding) assistance to small-and
mediumsized airport operators. TSA has not fully addressed these
provisions or developed plans for how and when these requirements will be
met. Some airport operators are currently testing or implementing security
technologies independently, while others are waiting for TSA to complete
its own technology assessments and issue guidance.
TSA Has Begun Efforts but Has Not Fully Developed Plans to Fund Security
Enhancements and Assess Security Technologies
TSA Assumed In fiscal years 2002 and 2003, TSA worked with FAA to review
and Responsibility for Funding approve security-related Airport
Improvement Program (AIP) grant Security Improvements but applications19
for perimeter security and access control projects and other Has Not Yet
Set Priorities security-related projects. As we reported in October
2002,20 perimeter and
access control security measures-fencing, surveillance and fingerprinting
equipment, and access control systems-accounted for almost half of fiscal
year 2002 AIP funding for security projects, as shown in table 2.
19Historically, FAA has provided technical support and financial
assistance to airports through its AIP grant program, including the
acquisition and installation of security equipment, based on formal
requests airport operator officials submitted in accordance with 49 U.S.C.
S:S: 47101 et seq., and the Airport and Airway Improvement Act of 1982,
Pub.
L. No. 97-248, 96 Stat. 671.
20U.S. General Accounting Office, Airport Finance: Using Airport Grant
Funds for Security Projects Has Affected Some Development Projects,
GAO-03-27 (Washington, D.C.: Oct. 15, 2002).
Table 2: Distribution of AIP Grant Funds Awarded for Security Projects by
Project Type, Fiscal Year 2002
Dollars in millions
Grant award Percentage of total Type of security project amount security
funding
Access control $141.8 25.3%
Perimeter fencing 78.1 13.9%
Surveillance and fingerprinting equipment 51.4 9.2%
Subtotal 271.3 48.4%
Other security projects funded (primarily
terminal modifications) 289.8 51.6%
Total $561.1 100.0%
Source: GAO analysis of AIP grant awards.
In fiscal year 2003, FAA provided a total of $491 million for
securityrelated AIP projects, including about $45.6 million for perimeter
fencing projects and another $56.9 million for access control security, a
total of about 21 percent of security funding. In addition, Congress
appropriated a $175 million supplement to the program in January 2002 to
reimburse 317 airports for post-September 11 security mandates.21
TSA said that FAA's AIP served as its plan to provide the financial
assistance to small and medium-sized airports required by Section 106(b)
of ATSA. According to TSA, local federal security directors worked with
FAA officials to review and approve security-related AIP grant
applications submitted by individual airports, evaluating their merits on
an airport-by-airport basis based on guidelines developed and provided by
TSA. TSA has not, however, developed an approach to prioritize funding for
perimeter and access control security projects at small-and mediumsized
(or larger) airports. Without a plan to consider airports' security needs
systematically, including those of small- and medium-sized airports, TSA
could not ensure that the most critical security needs of the commercial
airport system were identified and addressed in a priority order. More
importantly, because TSA has assumed primary responsibility for funding
security-related projects, FAA's AIP cannot continue to serve as TSA's
plan for providing financial assistance to small-and medium-sized
airports. Without a plan, TSA could be less able to document, measure,
21Department of Defense Appropriations Act, Pub. L. No. 107-117, 115 Stat.
2230, 2328 (2002).
and improve the effectiveness of the agency's efforts to provide funding
support for enhancing perimeter and access control security.
While acknowledging the lack of a specific plan, TSA said the agency had,
in conjunction with FAA, deployed and installed explosive detection
systems, explosive trace detection and metal detection devices, and other
security equipment at many small-and medium-sized airports for use by
federal screeners at those airports and that over 300 small- and
mediumsized airports had received technical support and equipment of some
kind. However, in advising FAA throughout this process, TSA did not
compile and analyze historical information on the cost and types of
technology used or the specific airports receiving AIP assistance for
perimeter and access control-related security enhancement projects
(although TSA stated that historical data were available that could be
used to conduct such analyses). FAA has historically maintained data on
the uses of AIP funding (including the types of projects funded, amounts,
and locations) in a commonly used commercial database system (Access). In
addition, airport associations, such as the American Association of
Airport Executives, also collect and disseminate information on the use of
AIP funds for security enhancements.22 Without analyses of such historical
information, TSA's ability to establish a baseline of security funding for
current and future planning efforts to enhance perimeter and access
controls could be limited.
In addition to consulting with FAA to provide funding for airport security
projects through the AIP, TSA recently began providing security funding
directly to airport operators. Specifically, in December 2003, TSA awarded
approximately $8 million in grants to 8 airports as part of $17 million
appropriated by Congress for enhancing the security of airport terminals,
including access controls and perimeter security.23 Table 3 provides a
brief
22We contacted several airport operators to obtain specific examples of
how AIP funds were used. For example, one airport operator used about $2.5
million to upgrade perimeter security and access controls by installing an
automatic security gate, connecting perimeter gates to security systems,
adding new video screens in the airport emergency operations center,
adding motion sensors along airport SIDA perimeters to detect unauthorized
intrusion into the SIDA area, among other things. Another airport operator
used $884,000 for additional law enforcement personnel, airport
surveillance, and the revalidation of airport identification badges.
23As part of the 2002 Supplemental Appropriations Act for Further Recovery
from and Response to Terrorist Attacks on the United States, Pub. L. No.
107-206, 116 Stat. 820, 879
80.
description of the perimeter and access control security-related projects
at the 8 airports TSA selected for funding.24
Table 3: Distribution of Airports Receiving Grants Awarded by TSA for
Perimeter and Access Control-Related Security and Projects Funded
Airport Funding Purpose of security project
Providence T. F. Green $2.38 million Video surveillance system for
detecting and tracking unauthorized persons and vehicles that may breach
the perimeter of the airport and advanced ground radar-based security
display system for detecting persons or vehicles inside the airport
perimeter.
Video surveillance system for
Newark International $1.67 million detecting and tracking persons
and vehicles
that breach the airport
perimeter.
Helena Regional $1.2 million Sensors to detect intruders on
airport property.
Boston Logan International $989,879 Automated system to manage
Airport security equipment.
Video surveillance system to
Pittsburgh International $600,453 monitor airport exits from
controlled terminal
areas.
Physical barrier system that can
be deployed so that the
Chicago Midway Airport $533,016 evacuation of an
entire concourse may be avoided
should an incident occur at the
checkpoint.
Video surveillance system to
Denver International $309,033 monitor airport exits from
controlled terminal
areas.
Video surveillance system for
detecting and tracking persons
Key West International $195,400 and vehicles
on the air operations area.
Source: GAO analysis of TSA data.
The Vision 100-Century of Aviation Reauthorization Act shifted most of the
responsibility for airport security project funding from FAA and the AIP
to TSA by establishing a new Federal Aviation Security Capital Fund in
December 2003.25 Through the new fund, Congress authorized up to $500
million for airport security for each fiscal year from 2004 through 2007.
Of the total, $250 million will be derived from passenger security fees,
along with an additional authorization of up to $250 million. Of this
amount, half of the money from each funding source is to be allocated
pursuant to a formula that considers airport size and security risk.26 The
24After we completed our review, TSA announced the award of an additional
$8.2 million in grants to 10 airports for perimeter and access control
security-related enhancements.
25Vision 100-Century of Aviation Reauthorization Act, Pub. L. No. 108-176,
S: 605, 117 Stat. 2490, 2566-68 (2003).
26Forty percent is allocated to large hub airports, 20 percent for medium
hub airports, 15 percent for small and nonhub airports, and 25 percent
distributed at the Secretary's discretion on the basis of security risks.
other half would be distributed at the Under Secretary's discretion, with
priority given to fulfilling intentions to obligate under letters of
intent that TSA has issued. TSA said it is working on, but had not yet
developed policies and procedures for, first, defining how the agency will
fund and prioritize airport security projects under the new program or
second, determining how much, if any, of the new funding will be used for
perimeter security and access control projects.27 However, TSA said that
the administration requested in its 2005 budget justification that
Congress eliminate the allocation formula so that the agency could
allocate funds according to a threat-based, risk assessment approach,
regardless of the size of the airport.
TSA Lacks a Technology Plan to Guide Future Enhancements to Airport
Perimeter Security and Access Controls
TSA has begun efforts to test commercially available and emerging security
technologies to enhance perimeter and access control security. However,
TSA has not yet fully addressed three ATSA requirements related to
testing, assessing, recommending, and deploying airport security
technologies and has not taken steps to otherwise compile and communicate
the results of airport operators' independent efforts to test and deploy
security technologies.28
Two ATSA provisions required that TSA assess technologies for enhancing
perimeter and access control security. The first provision (Sec. 136)
required that TSA (1) recommend commercially available security measures
or procedures for preventing access to secured airport areas by
unauthorized persons within 6 months of the act's passage and (2) develop
a 12-month deployment strategy for commercially available security
technology at the largest and busiest airports (category X).29 TSA has not
explicitly addressed the requirements in this provision and did not meet
the associated legislative deadlines. For example, TSA has not recommended
commercially available technologies to improve surveillance and use of
controls at access points by May 2002 or developed a deployment strategy.
TSA said the agency failed to meet these deadlines
27The fiscal year 2004 Department of Homeland Security Appropriations Act,
Pub. L. No. 108-90, 117 Stat.1137, 1141-42, precludes the obligation or
expenditure of any funds to carry out provisions o f the Aviation Security
Capital Fund.
28GAO has a separate, ongoing review of TSA's research and development
program.
29Section 136 also requires the Secretary of Transportation to conduct a
review of reductions in unauthorized access at the category X airports no
later than 18 months after the enactment of ATSA.
because resources and management attention were primarily focused on
meeting the many deadlines and requirements associated with passenger and
baggage screening, tasks for which TSA has direct operational
responsibility.
The second technology provision of ATSA (Sec. 106(d)) requires that TSA
establish a pilot program to test, assess, and provide information on new
and emerging technologies30 for improving perimeter and access control
security at 20 airports. TSA's $20 million Airport Access Control Pilot
Program is intended to assist the agency in developing minimum performance
standards for airport security systems, assess the suitability of emerging
security technologies, and share resulting information with airport
operators and other aviation industry stakeholders. In October 2003, TSA
selected a systems integrator to oversee the program and coordinate
testing; however, the agency has not selected the specific technologies to
be evaluated. TSA plans to look at four areas: biometric identification
systems, new identification badges, controls to prevent unauthorized
persons from piggybacking (following authorized airport workers into
secured areas), and intrusion detection systems.31 TSA said the agency
will conduct the technology assessments in two phases and that the second
phase is scheduled to be completed by the end of 2005. 32 However, TSA has
not developed a plan describing the steps it will take once the program is
completed, although TSA said the agency intends to communicate the results
of both assessment phases to airport operators. TSA also said the agency
will determine how to use results of the technology assessments and if it
will issue any new security or performance standards to airports
nationwide when both program assessment phases are completed. Without a
plan that considers the potential steps the agency may need to take to
effectively use the results of the pilot tests-for example, by issuing new
standards-TSA's ability to take effective and immediate steps once the
program is completed could be limited.
30TSA defines new and emerging technologies as commercial products that
have not been implemented in an airport security application or products
that will be produced in 9 months in sufficient quantities for large-scale
deployment.
31The requirements to assess biometric identification systems and the
controls that prevent unauthorized persons from piggybacking are specified
in ATSA, Section 136.
32After we completed our review, TSA announced the selection of 8 airports
to participate in the first phase of the pilot program.
In addition to the pilot program, testing of a national credentialing
system for workers in all modes of transportation-the Transportation
Workers Identification Credential (TWIC) Program-is another effort that
may help TSA address the requirement in Section 136 of ATSA related to
testing and recommending commercially available security technologies to
enhance perimeter and access control security. According to TSA, the
program is intended to establish a uniform identification credential for 6
million workers who require unescorted physical or cyber access to secured
areas of transportation facilities. The card is intended to combine
standard background checks and new and emerging biometric technology so
that a worker can be positively matched to his or her credential.
According to TSA, the agency spent $15 million for the program in fiscal
year 2003. In April 2003, TSA awarded a contract for $3.8 million to an
independent contractor to assist TSA in the technology evaluation phase of
the TWIC program and to test and evaluate different types of technologies
at multiple facilities across different modes of transportation at pilot
sites. Congress directed $50 million for the TWIC program for fiscal year
2004. This program is scheduled for completion in 2008. We have a separate
review under way looking at TSA's TWIC pilot testing at maritime ports and
expect to report to the Senate Commerce Committee later this year.
Airport operators and aviation industry associations identified a number
of operational issues that they said need to be resolved for the TWIC card
to be feasible. For example, they said the TWIC card would have to be
compatible with the many types of card readers used at airports around the
country, or new card readers would have to be installed. At large
airports, this could entail replacing hundreds of card readers, and
airport representatives have expressed concerns about how this effort
would be funded. According to TSA, however, the TWIC card is intended to
be compatible with all airports' card readers. Nonetheless, TSA has not
yet conducted an analysis of the cost and operational impacts of
implementing the program at airports nationwide. TSA said it intends to
gather additional information needed to conduct such an analysis at some
point in the future.
The third provision of ATSA related to technology (Sec. 106(b)) requires
that TSA develop a plan to provide technical (and funding) support to
small-and medium-sized airports. TSA had not developed such a plan. As
discussed earlier, TSA said that FAA's AIP was the agency's effort to meet
this provision. However, this was an FAA plan and did not fully meet the
requirement. More importantly, because the amount of money coming from the
AIP for security-related projects will be significantly reduced, and
thereby TSA's continuing in involvement with FAA in administering the
program, the AIP cannot continue to serve as TSA's plan for providing
technical assistance to small-and medium-sized airports. Without a plan,
TSA could be less able to document, measure, and improve the effectiveness
of the agency's efforts to provide technical support for enhancing
perimeter and access control security.
Airport Operators' Response to Lack of TSA Guidance on Security Technology
Varies
We contacted airport operator officials responsible for security at the
nation's 21 largest and busiest U.S. commercial airports to obtain their
views on the need for technical guidance from TSA to enhance the security
of perimeters and access controls. Some airport operators said they were
waiting for TSA to complete its technology assessments before enhancing
perimeter and access control security, while other airport operators were
independently testing and deploying security technologies. Officials at
these airports said they are waiting for TSA to provide guidance before
proceeding with security upgrades. These airport operators also said that
security technology is very costly, and they cannot afford to pay for
testing technology prior to purchasing and installing such technology at
their airports. They said that information or guidance from TSA about what
technologies are available or most effective to safeguard airport
perimeters would be beneficial. Conversely, officials at other airports
also said they were assessing what is needed to improve their perimeter
security and access controls by independently testing and installing
security technologies. Several of these officials said that the
trialand-error approach to improving security would not be necessary if
TSA would act as a clearinghouse for information on the most effective
security technologies and how they can be applied. They said that their
independent efforts did not always ensure that increasingly limited
resources for enhancing security were used in the most effective way.
In addition to contacting the 21 largest and busiest airports, we
identified 13 other airports as examples of airports that have tested or
implemented technologies for improving airport perimeter and access
control security.33 Figure 3 shows where various perimeter and access
control security technologies were being tested at the time of our review
or had been implemented at selected commercial airports across the nation.
33We identified these 13 airports through our site visits to selected
airports and through discussions with officials from one of the primary
associations representing airport operators, the American Association of
Airport Executives.
TSA Has Helped to Reduce Potential Security Risks Posed by Airport Workers but
Has Not Determined How to Fully Address Legislative Requirements
workers, but operated at a high failure rate. Although compiling
information on this pilot test and other airports' efforts would augment
TSA's own efforts to assess technology, TSA has not considered the costs
and benefits of compiling and assessing the information being collected
through these independent efforts. TSA agreed that compiling such data
could be beneficial, but the agency had not yet focused its attention on
gathering data to generate useful information on such independent testing
efforts. Without taking steps to collect and disseminate the results of
these independent airport operator efforts to test and deploy security
technologies, TSA could miss opportunities to enhance its own testing
activities, as well as help other airport operators avoid potentially
costly and less effective independent test programs.
TSA has taken steps to increase measures to reduce the potential security
risks posed by airport workers, but it has not addressed all of the
requirements in ATSA related to background checks, screening, security
training, and vendor security programs or developed plans that describe
the actions they intend to take to fully address these requirements. For
example, TSA required criminal history records checks and security
awareness training for most, but not all, the airport workers called for
in ATSA (Secs. 138(a)(8) and 106(e), respectively). Finally, TSA does not
require airport vendors with direct access to the airfield and aircraft to
develop security programs, which would include security measures for
vendor employees and property, as required by ATSA (Sec. 106(a)). TSA
cited resource, regulatory, and operational concerns associated with
performing checks on additional workers, and providing additional
training, as well as the potentially significant costs to vendors to
establish and enforce independent security programs. However, TSA had not
yet completed analyses to quantify these costs, determine the extent to
which the industry would oppose regulatory changes, or determine whether
it would be operationally feasible for TSA to monitor implementation of
such programs.
Background Checks Are Not Required for All Airport Workers, and the Checks
Have Limitations
TSA requires most airport workers who perform duties in secured and
sterile areas to undergo a fingerprint-based criminal history records
check, and it requires airport operators to compare applicants' names
against TSA's aviation security watch lists.34 Once workers undergo this
review, they are granted access to airport areas in which they perform
duties. For example, those workers who have been granted unescorted access
to secured areas are authorized access to these areas without undergoing
physical screening for prohibited items (which passengers undergo prior to
boarding a flight). To meet TSA requirements, airport operators transmit
applicants' fingerprints to a TSA contractor, who in turn forwards the
fingerprints to TSA, who submits them to the FBI to be checked for
criminal histories that could disqualify an applicant for airport
employment. TSA also requires that airport operators verify that
applicants' names do not appear on TSA's "no fly" and "selectee" watch
lists to determine whether applicants are eligible for employment.35
According to TSA, all airport workers who have unescorted access to
secured airport areas-approximately 900,000 individuals nationwide-
underwent a fingerprint-based criminal history records check and
verification that they did not appear on TSA's watch lists by December 6,
2002, as required by regulation. In late 2002, TSA required airport
operators to conduct fingerprint-based checks and watch list verifications
for an additional approximately 100,000 airport workers who perform duties
in sterile areas. As of April 2004, TSA said that airport operators had
completed all of these checks. To verify that required criminal checks
were conducted, we randomly sampled airport employee files at 9 airports
we visited during our review and examined all airport employee files at a
10th airport.36 Based on our samples, we estimate that criminal history
record checks at 7 of the airports were conducted for 100 percent of the
34In 49 U.S.C. S: 44936 airports and air carriers are required to conduct
fingerprint-based criminal history records checks for all workers seeking
unescorted access to the SIDA. Specifically, no individual may be given
unescorted access authority if he or she has been convicted, or found not
guilty by reason of insanity, of any of 28 disqualifying offenses during
the 10 years before the date of the individual's application for
unescorted access authority, or while the individual has unescorted access
authority.
35TSA's no-fly list contains the names of individuals that pose, or are
suspected of posing, a threat to civil aviation or national security.
Individuals on this list will not be permitted to board an aircraft. There
is also a selectee process by which individuals who meet certain criteria
are set aside for additional screening.
36We visited a total of 12 U.S. commercial airports. We did not conduct a
records review at the category III and IV commercial airports we visited.
airport employees.37 In the other 2 airports in which samples were
conducted, we estimate that criminal history checks were conducted for 98
percent and 96 percent of the airport workers.38 At the 10th airport, we
examined all airport employee files.We found that criminal history checks
were conducted for 93 percent of the airport employees there. Although
airport operators could not provide documentation that the checks were
conducted in a small number of cases, airport security officials said that
no individuals were granted access to secured or sterile areas without the
completion of such a check. TSA said that verification of airport
compliance with background check requirements was a standard part of
airport compliance inspections. For example, according to TSA, the agency
conducted criminal history records check verification inspections at 103
airports between October 1, 2003, and February 9, 2004, and found that the
airports were in compliance about 99 percent of the time.
TSA does not require airport workers who need access to secured areas from
time to time (such as construction workers), and who must be regularly
escorted, to undergo a fingerprint check or scan against law enforcement
databases, even though such checks are also required by ATSA (Sec.
138(a)(6)). Although TSA does not require that airport operators conduct
these checks, TSA drafted a proposed rule in 2002 to require checks on
individuals escorted in secured areas. The draft rule also set forth
minimum standards for providing escorts for these individuals. In a
February 2003 report on TSA's efforts to enhance airport security, the
Department of Transportation Inspector General recommended that TSA revise
its proposed rule to enhance the security benefits that the new rule could
provide by including (1) additional background check requirements, (2) a
more specific description of escort procedures, and (3) a clarification on
who would be exempt from such requirements.39 However, at the time of our
review, TSA had not addressed these recommendations, issued the proposed
rule, or developed a schedule for conducting and completing the rule
making process.
37The 95 percent confidence intervals associated with these estimates
extend from 96 percent to 100 percent for 5 of the 7 airports. The
analogous interval for a 6th airport extends from 95 percent to 100
percent, and the analogous interval for the 7th airport extends from 94
percent to 100 percent.
38The 95 percent confidence intervals for these estimates extend from 92
percent to 99.7 percent, and from 90 percent to 99 percent, respectively.
39Department of Transportation Office of Inspector General, Progress
Implementing Sections 106 and 138 of the Aviation and Transportation
Security Act, SC-2003-023, February 27, 2003.
The Effectiveness of Fingerprint-Based Criminal Checks Is Limited
According to TSA, the agency plans to proceed with its rule making to
address background checks for those who have regularly escorted access,
and, in consultation with DHS and the Office of Management and Budget, has
included this rule making as part of a priority list of 20 rule makings
that the agency plans to initiate in the next 12 months.
While TSA has taken steps to conduct fingerprint-based checks for airport
employees who work in secured and sterile areas, certain factors limit the
effectiveness of these checks. For example, fingerprint-based checks only
identify individuals with fingerprints and a criminal record on file with
the FBI's national fingerprint database. Limitations of these checks were
highlighted by recent multifederal agency investigations, which found that
thousands of airport workers falsified immigration, Social Security, or
criminal history information to gain unescorted access to secured and
sterile airport areas.40 In some of these cases, airport workers who had
provided false information to obtain unescorted access underwent a
fingerprint-based check and passed.41 TSA noted that the federal
government had not yet developed a system that would allow interagency
database searches to provide access to social security and immigration
42
information.
40Operation Tarmac was a joint investigation initiated by the Immigration
and Naturalization Service, U.S. Attorneys' offices, FBI, Department of
Transportation Inspector General, Social Security Administration, and FAA
after the September 11 attacks. The operation was aimed at identifying and
arresting airport workers who obtained their positions and security status
through fraud. Results of the sweeps through airports nationwide has
resulted in over 4,200 airport workers being caught having falsified
information in order to be hired and be granted SIDA badges. Most of the
fraud is through falsification or misrepresentation of Social Security
information and immigration documents.
41Other airport operator officials we spoke with use additional measures
to ensure that an individual provides accurate information prior to being
hired at the airport. One airport operator we contacted verifies the
accuracy of Social Security numbers and immigration documents before
hiring new workers. Officials at this and another airport said they
conducted supplemental background checks at the airport operator's own
expense to provide further assurance that applicants have no criminal
record and have provided accurate information on employment applications.
However, these employer checks are not to be confused with, or substitutes
for, checks for secured area access badges issued by airport badging
authorities.
42We previously reported that federal watch lists do not have the
capability to automatically share information on immigration status and
biographical, financial, and other data. See U.S. General Accounting
Office, Information Technology: Terrorist Watch Lists Should Be
Consolidated to Promote Better Integration and Sharing, GAO-03-322
(Washington, D.C.: Apr. 15, 2003).
Another limitation with TSA's process for conducting background checks on
airport workers is that fingerprint checks do not include a review of,
among other things, all available local (county and municipal) criminal
record files. As a result, an individual could pass the fingerprint check
although he or she had a local criminal record. TSA officials did not
consider the lack of a local criminal records check to be a limiting
factor because local criminal records are not likely to include any of the
28 criminal convictions that would disqualify an individual from obtaining
unescorted access to secured airport areas. According to TSA, local
criminal files do not include the more serious crimes such as murder,
treason, arson, kidnapping, and espionage that are listed in state and
federal criminal databases. Further, several airport operator officials we
spoke with expressed concern about cases in which individuals had
committed disqualifying criminal offenses and were ultimately granted
access to secured areas because federal law (and TSA's implementing
regulation) disqualifies an individual only if he or she has been
convicted of an offense within 10 years of applying for employment at the
airport. Others said that a few disqualifying criminal offenses, such as
air piracy, warranted a lifetime rather than a 10-year ban on employment
in secured airport areas. Also, current regulation requires that airport
workers must report if they are convicted of a crime after the initial
criminal check is conducted and surrender their security identification
badges within 24 hours of their conviction.43 In addressing the issue of
background checks in May 2003, the Department of Transportation's
Inspector General issued a statement supporting random recurrent
background checks.44
TSA recognizes the potential limitations of current fingerprint check
requirements and has taken steps to improve the process. For example, in
2002, TSA began conducting an additional two-part background check
consisting of a name-based FBI National Crime Information Center (NCIC)
check and a terrorist link analysis against selected terrorism databases
for the approximately 100,000 airport workers who perform duties in
sterile areas. TSA said it expanded the background check process for these
workers because it believed that the cost was more feasible for airport
operators to bear, given these workers represent a significantly smaller
population than workers who have unescorted access to secured areas.
4349 C.F.R. S: 1542.209(l).
44Inspector General, United States Department of Transportation: Statement
Before the National Commission on Terrorist Attacks Upon the U.S. on
Aviation Security, CC-2003117 (Washington, D.C.: May 22, 2003).
TSA Faces Challenges in Expanding the Scope of Background Checks
TSA used the NCIC database, a computerized index of documented criminal
justice information, to conduct a criminal history record check that
compares an individual's name against 19 nationwide criminal history
lists.45 The terrorist link analysis determines whether an airport worker
is known to pose a potential terrorist threat. TSA officials noted that
the terrorist link analysis could identify personal information on airport
employment applications, among other things, thus improving the current
background check process.
TSA faces challenges in expanding the scope and frequency of current
background check requirements to include additional airport workers and
more extensive background checks. In terms of expanding background checks
to include airport workers who have regularly escorted access to secured
areas, TSA said that determining how many workers are regularly escorted
in secured airport areas is a challenge because these individuals (such as
construction workers) enter the airport on an infrequent and unpredictable
basis. TSA said airport officials could not easily determine how many
workers are regularly escorted in secured areas and which workers would
warrant a background check. TSA had not conducted any sampling or other
analysis efforts to attempt to determine how many workers this might
include.
In terms of expanding the scope of current background check requirements
to include more extensive checks on airport workers who have unescorted
access to secured areas, TSA cited the time needed to establish regulatory
requirements for the more extensive checks and the potential costs of
conducting the checks as challenges. In contrast, to reduce the security
risk associated with federal airport screeners, TSA conducts far more
extensive checks before providing screeners the same level or lower levels
of airport access.
The agency supports conducting the expanded checks for all commercial
aviation workers and estimated that the cost to perform fingerprint-based
criminal history records checks for all secured and sterile area workers
nationwide has been approximately $60 million to $80 million (or about
45The 19 nationwide criminal files include: stolen article file, boat
file, convicted person on supervised release file, convicted sexual
offender registry, deported felon file, foreign fugitive file, gun file,
license plate file, missing person file, originating agency identifier
file, protection order file, securities file, SENTRY file, unidentified
persons file, Secret Service Protective order file, vehicle file, violent
gang and terrorist organization file, wanted persons file, and
vehicle/boat part file.
$60 to $80 for each of the approximately 1 million secured and sterile
area workers). TSA had not estimated the costs of applying additional
checks to all airport workers. In addition, TSA stated that increasing the
frequency of background checks would also increase costs to airport
operators. However, TSA had not developed a specific cost analysis to
assess the costs of expanding the scope and frequency of the checks or
whether the additional security provided by taking such steps would
warrant the additional costs.
TSA said the agency is considering alternatives for how these additional
checks would be funded. TSA also said that requiring airport workers
themselves to pay for a portion of the background check, which is a common
practice at some airports, could help to fund these additional checks. In
recognition of the potential security risk posed by airport workers, TSA
said the agency was weighing the costs and security benefits of expanding
the scope and frequency of current background check requirements to
include additional airport workers, as well as more extensive checks.
However, TSA has not yet established a plan outlining how and when it will
do so. For example, TSA has not yet proposed specific analyses to support
its decision making or a schedule describing when it plans to decide this
issue.
TSA Cites Challenges to Physically Screening All Airport Workers
TSA has different requirements for screening airport workers. For sterile
area workers, TSA requires, among other things, that they be screened at
the checkpoint. According to TSA's Office of Chief Counsel, TSA intended
that sterile area workers be required to enter sterile areas through the
passenger-screening checkpoint and be physically screened. However,
airport officials, with the FSD's approval, may allow sterile area workers
to enter sterile areas through employee access points or may grant them
unescorted access authority and SIDA badges.46
TSA does not require airport workers who have been granted unescorted SIDA
access to be physically screened for prohibited items when entering
secured areas. According to TSA, the agency relies on its
fingerprint-based criminal history records check as a means of meeting the
ATSA
46The issue of sterile area worker screening was raised at a March 17,
2004, hearing of the Subcommittee on Aviation, House Committee on
Transportation and Infrastructure. During the hearing, the chairman asked
TSA to survey FSDs to determine how this requirement is being met. In
addition, as part of a separate effort, GAO is surveying FSDs, to
determine, among other things, the extent to which sterile area workers
are being physically screened.
requirement that all individuals entering secured areas at airports be
screened and that the screening of airport workers provides at least the
same level of protection that results from physical screening of
passengers and their baggage. However, as previously noted, there are
limitations with the scope and effectiveness of the background check
process. TSA acknowledged that physically screening airport workers for
access to secured areas could increase security, but it cited challenges
such as the need (and associated costs) for more screening staff and
increased passenger delays. Although TSA said fingerprint checks are a
more economically feasible alternative, the agency had not conducted
analyses to determine the actual costs, assessed the potential operational
delays that could occur, or the reduction of the risk posed by airport
workers that physical screening would provide. However, in October 2002,
TSA conducted an analysis of threats posed by airport workers with access
to secured areas, and one recommendation in the resulting report was to
require airport operators to conduct random physical screening of workers
entering secured areas.47 TSA elected not to adopt this recommendation
because of what it characterized as the cost and operational difficulties
in physically screening workers. However, TSA did not gather or analyze
data from airports to substantiate its claim.
Some airport operator officials we contacted agreed with TSA that
physically screening workers prior to entering secured areas would be
costly and difficult. For example, some airport operator officials said
physical screening of these airport workers would result in increased
staffing costs and longer wait times for passengers at passenger-screening
checkpoints, or could require screening airport workers at a location
separate from passengers to avoid passenger delays. In addition to the
operational difficulty of physically screening each worker, TSA and
airport operators noted that some airport workers must use prohibited
items (such as box cutters and knives) to perform their job functions, and
monitoring which workers are allowed to carry such items could be
difficult. Also, these prohibited items would still be available to
workers who wished to use them to cause harm even after they had been
physically screened. At one airport we visited, airport workers who have
access to secured areas are required to undergo physical screening when
they arrive at work through centralized employee-screening checkpoints but
are not
47U.S. Department of Transportation, Transportation Security
Administration, TSA Airside Security Risk Assessment, October 3, 2002.
screened when they subsequently enter secured areas through other access
points.
TSA has not estimated the cost associated with requiring physical
screening of secured area airport workers, although airport operators and
industry associations believe the cost would be significant. While TSA is
weighing the security benefits of requiring physical screening of workers
who have access to secured airport areas against the associated costs, the
agency has yet to determine whether such requirements will be established.
According to TSA, screening in the form of enhanced background checks on
all airport workers-checks that would investigate Social Security
information, immigration status, and links to terrorism- would, if
instituted, further ensure that airport workers were trustworthy and
reduce risk, if not the need to physically screen workers. However, TSA
has not developed a plan defining when and how the agency will determine
whether it will institute these expanded checks or if physically screening
airport workers who need access to secured areas is ultimately necessary
and feasible.
TSA Requires Security Training for Some but Not All Airport Workers
ATSA, (Sec. 106(e)), mandates that TSA require airport operators and air
carriers to develop security awareness training programs for airport
workers such as ground crews, and gate, ticket, and curbside agents of air
carriers. However, while TSA requires such training for these airport
workers if they have unescorted access to secured areas, the agency does
not require training for airport workers who perform duties in sterile
airport areas.48 According to TSA, training requirements for these airport
workers have not been established because additional training would result
in increased costs for airport operators. Nonetheless, officials at some
airports we visited said that the added cost is warranted and have
independently required security training for their airport employees that
work in sterile areas to increase awareness of their security
responsibilities. Among other things, security training teaches airport
workers their responsibility to challenge suspicious persons who are not
authorized to be in secured areas (an area included in TSA airport covert
testing programs). Some airport operator officials said they also used
challenge reward programs, whereby airport workers are given rewards
48TSA regulations governing security training are virtually the same as
those required previously under FAA.
for challenging suspicious persons or individuals who are not authorized
to be in secured areas, as a way of reinforcing security awareness
training.
Many airport operator officials we spoke with were concerned that security
training for airport workers in secured areas is not required by TSA
regulations on a recurrent basis, an issue previously raised by the
Department of Transportation's Inspector General.49 TSA also agreed that
recurrent training could be beneficial in raising the security awareness
of airport workers. Although recurrent training is not required by ATSA or
by TSA regulation, a federal law does require recurrent security training
for the purpose of improving secured area access controls.50 Other airport
operators independently provide recurrent training for individuals who
demonstrate a lack of security awareness.
TSA has acknowledged the value of recurrent training for its own
workforce. We previously identified that training for TSA employees-
airport screeners-should be recurrent, and TSA said it is developing a
recurrent training program for its screening workforce to aid in
maintaining security awareness, among other things.51 At the time of our
review, TSA said it was considering the benefits of expanding the scope
and frequency of security training against the associated costs in time
and money to airport operators and businesses. However, TSA had not
developed a plan or schedule for conducting the analyses needed to support
its decision making or projected when a decision might be made.
49Inspector General, United States Department of Transportation: Statement
Before the National Commission on Terrorist Attacks Upon the United States
on Aviation Security, CC-2003-117 (Washington, D.C.: May 22, 2003).
50See 49 U.S.C. S:S: 44903(g)(2)(B), 44935(a),(c).
51U.S. General Accounting Office, Airport Passenger Screening: Preliminary
Observations on Progress Made and Challenges Remaining, GAO-03-1173
(Washington, D.C.: Sept. 24, 2003).
TSA Does Not Require TSA has not issued a regulation requiring airport
vendors52 (companies Airport Vendors to doing business in or with the
airport) with direct access to the airfield and Develop Their Own aircraft
to develop a security program, as required by ATSA (Sec. 106(a)).
TSA had not developed an estimate of the number of airport vendorsSecurity
Programs nationwide, although TSA officials said the number could be in
the
thousands. As an example, security officials at an airport we visited said
that over 550 airport vendors conducted business in or with the airport.
According to TSA, existing airport security requirements address the
potential security risks posed by vendors and their employees. For
example, vendor employees that perform duties in secured or sterile areas
are required to undergo a fingerprint-based criminal history records
check, just as other airport workers are and are prevented by access
controls from entering secured airport areas if they are not authorized to
do so. However, as discussed above, fingerprint-based criminal history
records checks may have limitations.
Many airport operator and airport association officials we spoke with said
that requiring vendors to develop their own security program would be
redundant because the airport's security program comprises all aspects
that a vendor program would include, such as requirements for employee
security training, procedures for challenging suspicious persons,
background checks, monitoring and controlling employee identification
badges, and securing equipment and vehicles. In addition, some said such a
requirement would also place a financial and administrative burden on
vendors doing business at the airport, particularly the smaller ones, to
develop and update such programs. Two airport vendors we spoke with said
that developing security programs could be costly, time-consuming, and
require the use of a consultant with the necessary security expertise to
develop such a plan. In addition, vendors said that airport operators are
in the best position and have the necessary expertise to determine
security policies for all workers, including vendors, working at the
airport.53
52The Department of Transportation's Inspector General recommended that
TSA issue this regulation in its Audit Report-Progress Implementing
Sections 106 and 138 of the Aviation and Transportation Security Act;
Report Number SC-2003-023 (February 27, 2003). Current TSA regulation
(1542.113) allows for but does not require airport tenants (entities
conducting business on airport property) to develop security programs. TSA
did not maintain data on airport vendors or tenants that have developed
such a program to date.
53According to TSA, current security directives address some aspects of
vendor security; however, the specific content of security directives is
security sensitive information protected from disclosure under 49 CFR
1520.7(b). As a result, the relevant sections are described in the
restricted version of this report.
Conclusions
According to TSA, requiring vendors to develop and maintain their own
security programs would also present a resource challenge to TSA's
inspection staff. In addition to conducting reviews of airport operator
and air carrier compliance with federal security regulations, the already
understaffed inspection workforce would also have to determine a way to
review vendor security programs and enforce any violations. According to
TSA, the process of reviewing the programs and verifying implementation of
the program's provisions could require visits to thousands of different
vendor locations spread throughout the United States.54 Despite these
challenges, TSA said the agency is considering the costs, benefits, and
feasibility of issuing a regulation that would require airport vendors to
develop security programs in order to meet the requirements in ATSA. TSA
said that it has formed a working group to consider the best approach to
take, and this group could become the core of any future rule-making team
if necessary. However, the agency has not developed a plan detailing when
this analysis will be complete or when any decisions about whether to
issue a new rule will be made.
During its first 2 years, TSA assumed a wide variety of responsibilities
to ensure that airport perimeter and access controls are secure and that
the security risks posed by airport workers are reduced. Given the range
of TSA's responsibilities and its relative newness, it is understandable
that airport security evaluations remain incomplete and that some
provisions of ATSA-which pose operational and funding challenges-have not
been met. TSA has begun efforts to evaluate the security environments at
airports, fund security projects and test technologies, and reduce the
risks posed by airport workers. However, these efforts have been in some
cases fragmented rather than cohesive. As a result, TSA has not yet
determined how it will address the resource, regulatory, and operational
challenges the agency faces in (1) identifying security weaknesses of the
commercial airport system as a whole, (2) prioritizing funding to address
the most critical needs, or (3) taking additional steps to reduce the
risks posed by airport workers. Without a plan to address the steps it
will take to fulfill the wide variety of security oversight
responsibilities the agency has
54Depending upon the scope of the possible regulation, the term "vendor"
could include all of the companies involved in the supply chain that
serves an airport. TSA said that since the supply chain for delivery of
office products to the businesses located in the airport's sterile areas
could include stages conducted by manufacturers, suppliers, transporters,
retailers, and customers, the aggregate number of potential vendors cannot
be readily determined.
Recommendations for Executive Action
assumed in the area of perimeter and access control security, TSA will be
less able to justify its resource needs and clearly identify its progress
in addressing requirements in ATSA and associated improvements in this
area of airport security. Such a plan would also provide a better
framework for Congress and others interested in holding TSA accountable
for the effectiveness of its efforts.
To help ensure that TSA is able to articulate and justify future decisions
on how best to proceed with security evaluations, fund and implement
security improvements-including new security technologies-and implement
additional measures to reduce the potential security risks posed by
airport workers, we recommend that the Secretary of Homeland Security
direct TSA's Administrator to develop and provide Congress with a plan for
meeting the requirements of ATSA. In addition, at a minimum, we recommend
the following four actions be addressed:
o Establish schedules and an analytical approach for completing
compliance inspections and vulnerability assessments for evaluating
airport security.
o Conduct assessments of technology, compile the results of these
assessments as well as assessments conducted independently by airport
operators, and communicate the integrated results of these assessments to
airport operators.
o Use the information resulting from the security evaluation and
technology assessment efforts cited above as a basis for providing
guidance and prioritizing funding to airports for enhancing the security
of the commercial airport system as a whole.
o Determine, in conjunction with aviation industry stakeholders, if and
when additional security requirements are needed to reduce the risks posed
by airport workers and develop related guidance, as needed.
Agency Comments We provided a draft copy of this report to the Department
of Homeland Security and the Transportation Security Administration for
their review and comment. TSA generally concurred with the findings and
recommendations in the report and provided formal written comments that
are presented in appendix III. These comments noted that TSA has started
to, or plans to, implement many of the actions we recommended. TSA also
provided technical comments that we incorporated as appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days from
the date of this report. At that time, we will send copies to appropriate
congressional committees; the Secretary, DHS; the Secretary, DOT; the
Director of Office of Management and Budget; and other interested parties.
We will also make copies available to others upon request. In addition,
the report will be available at no charge on GAO's Web site at
http://www.gao.gov.
If you or your staff have any questions about this report, please contact
me at (202) 512-3404 or at [email protected] or Chris Keisling, Assistant
Director, at (404) 679-1917 or at [email protected]. Key contributors to
this report are listed in appendix IV.
Cathleen A. Berrick Director, Homeland Security
and Justice Issues
Appendix I: Objectives, Scope, and Methodology
To assess the Transportation Security Administration's (TSA) efforts to
(1) evaluate the security of airport perimeters and the controls that
limit access into secured airport areas, (2) help airports implement and
enhance perimeter security and access controls by providing funding and
technical guidance, and (3) implement measures to reduce the potential
security risk posed by airport workers, we reviewed pertinent legislation
(the Aviation and Transportation Security Act, or ATSA), regulatory
requirements, and policy guidance. We discussed specific ATSA requirements
related to Sections 106, 136, and 138, which address perimeter and access
control security, as well as strengthening requirements for airport
workers, with our Office of General Counsel to determine to what extent
TSA had met these requirements. We limited our review of TSA's efforts to
test, assess, and deploy security technologies as it related to provisions
in Sections 106 and 136 of ATSA. We also obtained and analyzed TSA data on
security breaches, inspections of airport compliance with security
regulations, and vulnerability assessments. (TSA's covert testing data and
information on the test program is classified and is the subject of a
separate GAO report.) We discussed the threat scenarios used in TSA
vulnerability assessments with TSA officials to identify those related to
perimeter and access control security. We also obtained and analyzed data
from the Federal Aviation Administration (FAA) and TSA on perimeter and
access control-related security funds distributed to commercial airports
nationwide. We also reviewed reports on aviation security issued
previously by us and the Department of Transportation Inspector General.
We discussed the reliability of TSA's airport security breach data for
fiscal years 2001, 2002, and 2003 (through October); vulnerability
assessment data for 2003; and compliance inspection data for fiscal years
2002, 2003, and 2004 (to February) with TSA officials in charge of both
efforts. Specifically, we discussed methods for inputting, compiling, and
maintaining the data. In addition, we reviewed reports related to TSA's
compliance reviews and vulnerability assessments to determine the results
and identify any inconsistencies in the data. Subsequently, no
inconsistencies were found, and we determined that the data provided by
TSA were sufficiently reliable for the purposes of our review.
In addition, we conducted site visits at 12 commercial airports (8
category X, 1 category I, 1 category II, 1 category III, and 1 category
IV) to observe airport security procedures and discuss issues related to
perimeter and access control security with airport officials. Airports we
visited were Boston Logan International Airport, Atlanta Hartsfield
Jackson International Airport, Ronald Reagan Washington National Airport,
Appendix I: Objectives, Scope, and Methodology
Washington Dulles International Airport, Orlando International Airport,
Tampa International Airport, Miami International Airport, Los Angeles
International Airport, San Francisco International Airport, Middle Georgia
Regional Airport, Chattanooga Metropolitan Airport, and Columbus
Metropolitan Airport. We chose these airports on the basis of several
factors, including airport size, geographical dispersion, and airport
efforts to test and implement security technologies. We also conducted
semistructured interviews with airport security coordinators at each of
the 21 category X airports to discuss their views on perimeter and access
control security issues. In addition, we contacted or identified 13 other
airports that had tested or implemented perimeter and access control
security technologies.
We reviewed a random sample of 838 airport workers at 10 of the 12
airports we visited (categories X, I, and II) where workers were indicated
as having a fingerprint-based criminal history records check in calendar
year 2003 to verify that these workers had undergone the check. We did not
conduct a records review at the category III and IV commercial airports we
visited. We randomly selected probability samples from the study
populations of airport workers who underwent a fingerprint-based criminal
history record check in the period between January 1, 2003, and the date
in which we selected our sample or December 31, 2003, whichever was
earlier. With these probability samples, each member of the study
populations had a nonzero probability of being included, and that
probability could be computed for any member. Each sample element selected
was subsequently weighted in the analysis to account statistically for all
the members of the population at each airport. Because we followed a
probability procedure based on random selections at each airport, our
samples are only one of a large number of samples that we might have
drawn. Since each sample could have provided different estimates, we
express our confidence in the precision of our particular samples' results
as 95 percent confidence intervals (e.g., plus or minus 7 percentage
points). These are the intervals that would contain the actual population
value for 95 percent of the samples we could have drawn. As a result, we
are 95 percent confident that each of the confidence intervals in this
report will include the true values in the respective study populations.
Further, we interviewed TSA headquarters officials in Arlington, Virginia,
and from the Office of Internal Affairs and Program Review, Office of
Aviation Operations, Office of Chief Counsel, Credentialing Program
Office, Office of Aviation Security Measures, and officials from the
Office of Technology in Atlantic City, New Jersey, to discuss the agency's
efforts to address perimeter and access control security. We also spoke
with
Appendix I: Objectives, Scope, and Methodology
officials from two aviation industry associations-the American Association
of Airport Executives and Airports Council International-to obtain their
views on the challenges associated with improving perimeter and access
control security. We also interviewed airport vendors to determine the
need and feasibility of requiring all vendors to develop their own
security programs.
We conducted our work between June 2003 and March 2004 in accordance with
generally accepted government auditing standards.
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a Risk
Management Approach
Risk management is a systematic and analytical process to consider the
likelihood that a threat will endanger an asset, an individual, or a
function and to identify actions to reduce the risk and mitigate the
consequences of an attack. Risk management principles acknowledge that
while risk cannot be eliminated, enhancing protection from existing or
potential threats can help reduce it. Accordingly, a risk management
approach is a systematic process to analyze threats, vulnerabilities, and
the criticality (or relative importance) of assets to better support key
decisions. The purpose of this approach is to link resources with efforts
that are of the highest priority. Figure 4 describes the elements of a
risk management approach.
Figure 4: Elements of a Risk Management Approach
A threat assessment identifies and evaluates potential threats on the
basis of factors such as capabilities, intentions, and past activities.
This assessment represents a systematic approach to identifying potential
threats before they materialize, and is based on threat information
gathered from both the intelligence and law enforcement communities.
However, even if updated often, a threat assessment might not adequately
capture some emerging threats. The risk management approach, therefore,
uses vulnerability and criticality assessments as additional input to the
decision-making process.
A vulnerability assessment identifies weaknesses that may be exploited by
identified threats and suggests options to address those weaknesses. In
general, a vulnerability assessment is conducted by a team of experts
skilled in such areas as engineering, intelligence, security, information
systems, finance, and other disciplines.
A criticality assessment evaluates and prioritizes assets and functions in
terms of specific criteria, such as their importance to public safety and
the economy. The assessment provides a basis for identifying which
structures or processes are relatively more important to protect from
attack. As such, it helps managers to determine operational requirements
and target resources at their highest priorities, while reducing the
potential for targeting resources at lower priorities.
Source: GAO.
Figure 5 illustrates how the risk management approach can guide decision
making and shows that the highest risks and priorities emerge where the
three elements of risk management overlap.
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach
Figure 5: How a Risk Management Approach Can Guide Decision-Making
For example, an airport that is determined to be a critical asset,
vulnerable to attack, and a likely target would be at most risk and,
therefore, would be a higher priority for funding compared with an airport
that is only vulnerable to attack. In this vein, aviation security
measures shown to reduce the risk to the most critical assets would
provide the greatest protection for the cost.
According to TSA, once established, risk management principles will drive
all decisions-from standard setting to funding priorities and to staffing.
TSA has not yet fully implemented its risk management approach, but it has
taken steps in this direction. Specifically, TSA's Office of Threat
Assessment and Risk Management is in various stages of developing four
assessment tools that will help assess threats, criticality, and
vulnerabilities. TSA plans to fully implement and automate its risk
management approach by September 2004. Figure 6 shows TSA's threat
assessment and risk management approach.
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach
Figure 6: TSA's Threat Assessment and Risk Management Approach
The first tool, which will assess criticality, will determine a
criticality score for a facility or transportation asset by incorporating
factors such as the number of fatalities that could occur during an attack
and the economic and sociopolitical importance of the facility or asset.
This score will enable TSA, in conjunction with transportation
stakeholders, to rank facilities and assets within each mode and thus
focus resources on those that are deemed most important. TSA is working
with another Department of Homeland Security (DHS) office-the Information
and Analysis Protection Directorate-to ensure that the criticality tool
will be consistent with DHS's overall approach for managing critical
infrastructure.
A second tool-the Transportation Risk Assessment and Vulnerability Tool
(TRAVEL)-assesses threats and analyzes vulnerabilities at those
transportation assets TSA determines to be nationally critical. The tool
is used in a TSA-led and -facilitated assessment that will be conducted on
the site of the transportation asset. The facilitated assessments
typically take several days to complete and are conducted by TSA subject
matter experts, along with airport representatives such as operations
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach
management, regulatory personnel, security personnel, and law enforcement
agents. Specifically, the tool assesses an asset's baseline security
system and that system's effectiveness in detecting, deterring, and
preventing various threat scenarios, and it produces a relative risk score
for potential attacks against a transportation asset or facility.
Established threat scenarios contained in the TRAVEL tool outlines a
potential threat situation including the target, threatening act,
aggressor type, tactic/dedication, contraband, contraband host, and
aggressor path. In addition, TRAVEL will include a cost-benefit component
that compares the cost of implementing a given countermeasure with the
reduction in relative risk to that countermeasure. TSA is working with
economists to develop the cost-benefit component of this model and with
the TSA Intelligence Service to develop relevant threat scenarios for
transportation assets and facilities. According to TSA officials, a
standard threat and vulnerability assessment tool is needed so that TSA
can identify and compare threats and vulnerabilities across transportation
modes. If different methodologies are used in assessing the threats and
vulnerabilities, comparisons could be problematic. However, a standard
assessment tool would ensure consistent methodology.
A third tool-the Transportation Self-Assessment Risk Module (TSARM)-will
be used to assess and analyze vulnerabilities for assets that the
criticality assessment determines to be less critical. The selfassessment
tool included in TSARM will guide a user through a series of
security-related questions in order to develop a comprehensive security
baseline of a transportation entity and will provide mitigating strategies
for use when the threat level increases. For example, as the threat level
increases from yellow to orange, as determined by DHS, the assessment tool
might advise an entity to take increased security measures, such as
erecting barriers and closing selected entrances. TSA had deployed one
self-assessment module in support of targeted maritime vessel and facility
categories.1
The fourth risk management tool that TSA is currently developing is the
TSA Vulnerability Assessment Management System (TVAMS). TVAMS is TSA's
intended repository of criticality, threat, and vulnerability
1TSA's Maritime Self-Assessment Risk Module was developed in response to
requirements outlined in the Maritime Transportation Security Act of 2002.
The act mandates that any facility or vessel that the Secretary believes
might be involved in a transportation security incident will be subject to
a vulnerability assessment and must submit a security plan to the U.S.
Coast Guard.
Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a
Risk Management Approach
assessment data. TVAMS will maintain the results of all vulnerability
assessments across all modes of transportation. This repository will
provide TSA with data analysis and reporting capabilities. TVAMS is
currently in the conceptual stage and requirements are still being
gathered.
Appendix III: Comments from the
Department of Homeland Security
Appendix III: Comments from the Department of Homeland Security
Appendix III: Comments from the Department of Homeland Security
Appendix III: Comments from the Department of Homeland Security
Appendix III: Comments from the Department of Homeland Security
Appendix III: Comments from the Department of Homeland Security
Appendix IV: GAO Contacts and Staff Acknowledgments
GAO Contacts Norman J. Rabkin (202) 512-3610 Cathleen A. Berrick (202)
512-3404 Chris Keisling (404) 679-1917
Staff In addition to those named above, Leo Barbour, Amy Bernstein,
Christopher Currie, Dave Hooper, Thomas Lombardi,
Acknowledgments Sara Ann Moessbauer, Jan Montgomery, Steve Morris,
Octavia Parks, Dan Rodriguez, and Sidney Schwartz were key contributors to
this report.
(440311)
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO's Web site (www.gao.gov) contains abstracts
and fulltext files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in E-mail: [email protected]
Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470
Jeff Nelligan, Managing Director, [email protected] (202) 512-4800
Public Affairs U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***