Port Security: Better Planning Needed to Develop and Operate	 
Maritime Worker Identification Card Program (10-DEC-04, 	 
GAO-05-106).							 
                                                                 
As part of a multilayered effort to strengthen port security, the
Maritime Transportation Security Act (MTSA) of 2002 calls for the
Department of Homeland Security (DHS) to issue a worker 	 
identification card that uses biological metrics, such as	 
fingerprints, to control access to secure areas of ports or	 
ships. Charged with the responsibility for developing this card, 
the Transportation Security Administration (TSA), within DHS,	 
initially planned to issue a Transportation Worker Identification
Credential in August 2004 to about 6 million maritime workers.	 
GAO assessed what factors limited TSA's ability to meet its	 
August 2004 target date for issuing cards and what challenges	 
remain for TSA to implement the card.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-05-106 					        
    ACCNO:   A14338						        
  TITLE:     Port Security: Better Planning Needed to Develop and     
Operate Maritime Worker Identification Card Program		 
     DATE:   12/10/2004 
  SUBJECT:   Best practices					 
	     Cost effectiveness analysis			 
	     Counterterrorism					 
	     Deep water ports					 
	     Facility security					 
	     Harbors						 
	     Identification cards				 
	     Identity verification				 
	     Marine transportation operations			 
	     National preparedness				 
	     Planning						 
	     Schedule slippages 				 
	     Transportation workers				 
	     Best practices methodology 			 
	     Homeland security					 
	     TSA Transportation Worker Identification		 
	     Credential Project 				 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-05-106

     

     * Results in Brief
     * Background
     * Three Main Factors Caused TSA to Miss Its Initial Target Date for
       Issuing Worker Identification Cards
     * Using Established Planning and Management Practices Could Help TSA
       Address Challenges and Better Manage Risk
          * Best Practices for Planning and Key Management Practices Are
            Important for Information Technology Programs
          * Lack of a Comprehensive Project Plan Could Limit
          * Lack of Specific Plan for Mitigating Risks Could
          * Lack of Specific Plans for Cost-Benefit and Alternatives Analyses
            Could Create Further Delays
     * Conclusions
     * Recommendations for Executive Action
     * Agency Comments and Our Evaluation
     * Appendix I: Comments from the Department of Homeland Security
          * Order by Mail or Phone

                 United States Government Accountability Office

Report to the Chairman and Ranking

GAO

Minority Member, Committee on Commerce, Science, and Transportation, U.S. Senate

December 2004

PORT SECURITY

  Better Planning Needed to Develop and Operate Maritime Worker Identification
                                  Card Program

GAO-05-106

PORT SECURITY

Better Planning Needed to Develop and Operate Maritime Worker
Identification Card Program

  What GAO Found

Three main factors, all of which resulted in delays for testing a
prototype of the maritime worker identification card system, caused the
agency to miss its initial August 2004 target date for issuing the cards:
(1) officials had difficulty obtaining timely approval to proceed with the
prototype test from DHS, (2) extra time was required to identify data to
be collected for a costbenefit analysis, and (3) additional work to assess
card technologies was required. DHS has not determined when it may begin
issuing cards.

In the future, TSA will face difficult challenges as it moves forward with
developing and operating the card program, for example, developing
regulations that identify eligibility requirements for the card. An
additional challenge-and one that holds potential to adversely affect the
entire program-is that TSA does not yet have a comprehensive plan in place
for managing the project. Failure to develop such a plan places the card
program at higher risk of cost overruns, missed deadlines, and
underperformance. Following established, industry best practices for
project planning and management could help TSA address these challenges.
Best practices suggest managers develop a comprehensive project plan and
other, detailed component plans. However, while TSA has initiated some
project planning, the agency lacks an approved comprehensive project plan
to govern the life of the project and has not yet developed other,
detailed component plans for risk mitigation or the cost-benefit and
alternatives analyses.

                 How a Biometric Card Could Help Control Access

Source: GAO analysis of TSA and state of Florida data.

a

Cards that are no longer valid due to new threat information or because
they are lost, stolen, or damaged.

                 United States Government Accountability Office

Contents

Letter 1
Results in Brief 2
Background 4
Three Main Factors Caused TSA to Miss Its Initial Target Date for
Issuing Worker Identification Cards 9
Using Established Planning and Management Practices Could Help
TSA Address Challenges and Better Manage Risk 10
Conclusions 17
Recommendations for Executive Action 18
Agency Comments and Our Evaluation 18
: Policy Issues to Be Completed and Regulatory Processes
to Be Finalized
Figure

Appendix I Comments from the Department of Homeland Security

Table

: How a Biometric Card Could Be Used to Control Access

Abbreviations

DHS                Department of Homeland Security                         
DOT                Department of Transportation                            
IRB                Investment Review Board                                 
MTSA               Maritime Transportation Security Act                    
OMB                Office of Management and Budget                         
TSA                Transportation Security Administration                  
TWIC                       Transportation Worker Identification Credential 
USCG               United States Coast Guard                               

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office Washington, DC 20548

December 10, 2004

The Honorable John McCain Chairman The Honorable Ernest F. Hollings, Jr.
Ranking Minority Member Committee on Commerce, Science, and Transportation
United States Senate

Protecting waterfronts and ports from terrorist threats has taken on
special urgency in the post-September 11, 2001, world. Hubs of economic
activity involving millions of workers and often tied to the nation's land
transportation network, U.S. seaports are particularly vulnerable to
terrorism and particularly challenging to protect. To strengthen port
security, Congress enacted the Maritime Transportation Security Act (MTSA)
of 2002, 1 which establishes a multilayered defense strategy to strengthen
port security. As part of this effort, MTSA calls for the Secretary of the
Department of Homeland Security (DHS) to issue a maritime worker
identification card that uses biometrics, such as fingerprints, to control
access to secure areas of ports or ships. The Transportation Security
Administration (TSA) within DHS, which was charged with developing this
identification card, initially planned to issue the cards in August 2004
to about 6 million maritime workers; however, TSA missed that target date.

After we testified in September of 2003 on the challenges DHS faces in
implementing MTSA, 2 you asked us to follow up on certain issues. This
report addresses (1) what factors caused TSA to miss its August 2004
target date for issuing the identification cards and (2) what challenges
remain as TSA attempts to issue the identification cards.

To respond to your concerns, we interviewed DHS and TSA officials and
collected and analyzed documents and other information from them. We also
interviewed port and port facility managers and labor union officials. We
visited ports and facilities involved in testing TSA's prototype

1

Pub. L. No. 107-295, 116 Stat. 2064 (2002).

2

See GAO, Maritime Security: Progress Made in Implementing Maritime
Transportation Security Act, but Concerns Remain, GAO-03-1155T
(Washington, D.C.: Sept. 9, 2003).

    Page 1 GAO-05-106 Port Security

                                Results in Brief

identification card system and representing different types of facilities
on both east and west coasts. 3 Since the maritime worker identification
card is a major information technology system, we also reviewed Office of
Management and Budget (OMB) regulations, GAO and DHS guidance for
documenting and reviewing information technology investments, and
established industry best practices for information technology project
management and planning. We asked TSA officials what steps they took to
ensure the reliability of the data on which they based their life cycle
cost estimates. TSA officials said they used a range of documents and
sources to ensure data reliability, including information and lessons
learned from other federal credentialing programs. 4 Officials also used
estimates from government and industry sources, published component cost
quotes, and costs extrapolated from current government programs. We
conducted our work from October 2003 through October 2004 in accordance
with generally accepted government auditing standards.

Three main factors, all of which resulted in delays for testing the
prototype card system, caused the agency to miss its initial August 2004
target date for issuing maritime worker identification cards. 5 First, TSA
officials said that although the agency received permission from TSA and
DHS information technology officials to test a card system prototype, it
was difficult to obtain a response from DHS policy officials, which
contributed to delays. Senior DHS policy officials said that, while they
were consistently briefed throughout the development of the worker
identification card, they did not provide a formal response regarding the
prototype test to program officials because other important security and
statutory requirements, including the creation and consolidation of DHS

3

Of the facilities testing TSA's prototype, we visited ports and facilities
in the Delaware River Region, including Wilmington Port Authority, the
Philadelphia Maritime Exchange, and the South Jersey Port. We also visited
ports and facilities on the west coast, including those in the Port of
Seattle, Port of Los Angeles, and Port of Long Beach as well as ports and
facilities in Florida, including Port Everglades and the Port of
Jacksonville, and Florida state agencies responsible for the state's
biometric identification card program for maritime workers.

4

These other credentialing programs included OMB's Interagency Advisory
Board, various federal working groups, General Services Administration
(GSA) Smart Access Common ID (referred to commonly as the Smart Card
Schedule) Contract and its Smart Card Center of Excellence Smart Card,
Biometric and Security industry events, and industry representatives.

5

Testing a biometric card system prototype is scheduled to begin in fall
2004, and the final report on the prototype is to be completed by May
2005.

and the planning and execution of measures to close security gaps in the
international aviation arena, created competition for executive level
attention and agency resources. Second, DHS officials also directed TSA,
as part of the prototype test, to conduct a cost-benefit analysis and
evaluate the feasibility of various program alternatives for issuing a
card. Working with DHS and OMB officials to identify additional
information needed for the cost-benefit and alternative analyses required
time, further delaying the prototype test. TSA officials said that because
of the urgency to establish an identification card program after the
terrorist attacks of September 11, 2001, these analyses were not
completely documented as required by OMB regulations and DHS guidance.
Third, TSA officials said that in response to direction from congressional
oversight committees, they conducted additional tests of various card
technologies, comparing their performance at different seaports. This
technical assessment required more time to complete than anticipated,
delaying the prototype test. This type of assessment is typical of good
program management and planning and, while it may have delayed the
original schedule, the purpose of such assessments is to prevent delays in
the future. Because of the delays in the program, some port facilities
have made temporary security improvements, while others, recognizing an
immediate need to enhance access control systems, are proceeding with
plans for local or regional identification cards.

TSA officials indicated that in the near future, as they move forward with
developing and operating a maritime worker identification card program,
they face a number of challenges, including resolving issues with external
stakeholders and completing regulations. An additional challenge that
officials did not specifically identify-but one that holds potential to
adversely affect the entire program-is that TSA is attempting to develop
this program without following industry-established best practices for
project planning and management. Such practices call for a comprehensive
plan that identifies work to be completed, milestones for completing this
work, and project budgets for the remaining life of the project. TSA,
however, does not yet have an approved, comprehensive plan in place for
the next phases of the project-testing the prototype card system and
issuing cards. TSA officials said that in the near term they intend to
complete a plan to guide the test of the prototype card system, but that
until policy decisions are made, for example, selecting the most feasible
program for issuing the card, they cannot create a plan for the remaining
life of the project. Moving ahead without such a plan holds significant
potential to adversely affect the card program, putting it at higher risk
of cost overruns, missed deadlines, and underperformance. Best practices
for such projects also suggest that project managers

                                   Background

prepare other more detailed plans-such as plans for mitigating risks-to
support the comprehensive plan. However, TSA has not yet prepared some of
these more specific detailed component plans. For instance, TSA lacks a
risk mitigation plan to help manage known risks, such as a potential
decline in external stakeholders' support of the program, which may
complicate TSA's ability to issue the card. Further, TSA officials said
they do not have a plan in place to guide the required cost-benefit and
alternatives analyses, which are to determine the feasibility of various
approaches to issue the cards.

To help ensure that TSA meets the challenges it is facing in developing
and operating its maritime worker identification card program, we are
recommending that the Secretary of Homeland Security direct the TSA
Administrator to employ industry best practices for project planning and
management, including developing a comprehensive project plan for managing
the remaining life of the project and completing specific, detailed plans
that support the comprehensive project plan, including plans for risk
mitigation and cost-benefit and alternatives analyses. DHS and TSA
reviewed our report and generally concurred with our recommendations.

As part of a multilayered defense strategy, MTSA required vessels and port
facilities to have security plans in place by July 1, 2004, including
provisions establishing and controlling access to secure areas of vessels
and ports. Given that ports are not only centers for passenger traffic and
import and export of cargo, but also sites for oil refineries, power
plants, factories, and other facilities important to the nation's economy,
securing sensitive sites of ports and vessels against access from
unauthorized persons is critical. But because ports are often large and
diverse places, controlling access can be difficult. To facilitate access
control, MTSA required the DHS Secretary to issue a biometric
identification card to individuals who required unescorted access to
secure areas of port facilities or to vessels. These secure areas are to
be defined by port facilities and vessels in designated security plans
they were to submit to the United States Coast Guard (USCG) in July 2004.

About 1 year before the passage of MTSA in 2002, work on a biometric
identification card began at the Department of Transportation (DOT),
partly in response to provisions in the Aviation and Transportation
Security Act 6 and the USA PATRIOT Act 7 that relate to access control in
transportation sectors. TSA-then a part of DOT-began to develop a
transportation worker identification credential (TWIC) 8 as an identity
authentication tool that would ensure individuals with such an
identification card had undergone an assessment verifying that they do not
pose a terrorism security risk. The credential was designed by TSA to be a
universally recognized identification card accepted across all modes of
the national transportation system, including airports, seaports, and
railroad terminals, for transportation workers requiring unescorted
physical access to secure areas in this system. The credential is also to
be used to help secure access to computers, networks, and applications.

As shown in figure 1, ports or facilities could use an identification
credential that stored a biometric, such as a fingerprint, to verify a
worker's identity and, through a comparison with data in a local facility
database, determine the worker's authority to enter a secure area.

6

Pub. L. No. 107-71, 115 Stat. 597 (2001).

7

The 2001 law titled Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
is also known as the USA PATRIOT Act. Pub. L. No. 107-56, 115 Stat. 272
(2001).

8

While TSA has not selected TWIC as the most appropriate approach to issue
the biometric identification card required by MTSA, TSA program officials
use the term TWIC to describe their maritime card program.

         Figure 1: How a Biometric Card Could Be Used to Control Access

Source: GAO analysis of TSA and state of Florida data.

a

Cards that are no longer valid due to new threat information or because
they are lost, stolen, or damaged.

During early planning stages in 2003 and while still a part of DOT, TSA
decided that the most feasible approach to issue a worker identification
card would be a cost-sharing partnership between the federal government
and local entities, with the federal government providing the biometric
card and a database to confirm a worker's identity and local entities
providing the equipment to read the identity credential and to control
access to a port's secure areas. In 2003, TSA projected that it would test
a prototype of such a card system within the year and issue the first of
the cards in August 2004.

In March 2003, as part of a governmentwide reorganization, TSA became a
part of DHS and was charged with implementing MTSA's requirement for a
maritime worker identification card. TSA decided to use the prototype card
system to issue the maritime identification card required under MTSA. At
that time, TSA was preparing to test a prototype card system; later, DHS
policy officials directed the agency to explore additional options for
issuing the identification card required by MTSA. As a result, in addition
to testing its prototype card system, TSA is exploring the
costeffectiveness of two other program alternatives: (1) a federal
approach: a program wholly designed, financed, and managed by the federal
government and (2) a decentralized approach: a program requiring ports and
port facilities to design, finance, and manage programs to issue
identification cards. 9 According to TSA documents, each approach is to
meet federally established standards for technical performance and
interoperability 10 across different transportation modes (such as air,
surface, or rail).

Appropriations committee conference reports, for fiscal years 2003 and
2004, directed up to $85 million 11 of appropriated funds for the
development and testing of a maritime worker identification card system
prototype. With respect to fiscal year 2005 appropriations, $15 million
was directed for the card program. 12 The fiscal year 2005 funding was
decreased from the $65 million as proposed by the House and the $53
million as proposed by the Senate because of delays in prototyping and
evaluating the card system, according to the conference committee report.
13

Several forms of guidance and established best practices apply to the
acquisition and management of a major information technology system such
as the maritime worker identification card program. 14 For major
information technology investments, DHS provided capital planning and

9

A senior TSA official said that under the decentralized approach, TSA
would not issue the card but would issue a regulation that would require
local entities to issue the card.

10

Interoperability means that the system will allow transportation workers
to use the same card and associated background checks at multiple
transportation facilities.

11

Specifically, the Conferees directed $50 million to the transportation
worker identification card for fiscal year 2004 and $35 million jointly to
the credentialing program and another program-the aviation registered
traveler program-for fiscal year 2003. See, H.R. Conf. Rept. No. 108-280,
at 37-38 (2003) and H.R. Conf. Rept. No. 108-10, at 1235-1236 (2003).

12

H.R. Conf. Rept. No. 108-774, at 53 (2004). The Conferees specified that
of the total funding, $5 million is a direct appropriation that is to be
used to develop and install necessary hardware and software at those sites
producing and personalizing the transportation worker identification
credentials. The Conferees further specified that the additional $10
million appropriation would be offset throughout the fiscal year from
application fees.

13

Of the total amounts provided in both the House and Senate Committee on
Appropriations reports, each committee report specified that $50 million
was to be offset throughout the fiscal year from fee collections. See,
H.R. Rept. No. 108-541, at 48 (2004); S. Rept. No. 108-280, at 38 (2004).

14

DHS classified the maritime worker identification card as a major
information technology investment under DHS guidelines.

investment control guidance as early as May 2003 that established four
levels of investments, the top three of which are subject to review by
department-level boards, including the Investment Review Board (IRB) and
the Enterprise Architecture Board. The guidance also laid out a process
for selecting, controlling, and managing investments. For example, DHS
guidance suggests that as part of the control process, the agency should
consider alternative means of achieving program objectives, such as
different methods of providing services and different degrees of federal
involvement. The guidance recommends that an alternatives analysis-a
comparison of various approaches that demonstrates one approach is more
cost-effective than others-should be conducted and a preferred alternative
selected on the basis of that analysis. For projects like the maritime
worker identification card program, whose costs and benefits extend 3 or
more years, OMB also instructs federal agencies, including TSA, to
complete an alternative analysis as well as a cost-benefit analysis. 15
This analysis is to include intangible and tangible benefits and costs and
willingness to pay for those benefits. In addition to DHS and OMB
guidance, established industry best practices identify project management
and planning best practices for major information technology system
acquisition, including the development of a comprehensive plan to guide
the project as detailed later in this report. 16

15

Office of Management and Budget, Guidelines and Discount Rates for
Benefit-Cost Analysis of Federal Programs, Circular A-94, revised October
29, 1992. OMB requires both a cost-benefit analysis and an alternatives
analysis to be completed but does not specify at what point in the project
this work is to be done. However, DHS guidance and best practices for
program management recognized by DHS suggest that programs complete an
alternatives analysis in an early planning stage and then test a prototype
of the preferred alternative.

16

Carnegie Mellon's Software Engineering Institute, a federally-funded
research and development center operated by Carnegie Mellon University and
sponsored by the U.S. Department of Defense, created models such as
Capability Maturity Model(R) Integration (CMMI) to guide information
technology projects through best practices of project planning and project
management. The CMMI sets out specific project planning activities that
should take place for a project to best fulfill its mission.

  Three Main Factors Caused TSA to Miss Its Initial Target Date for Issuing
  Worker Identification Cards

Three main factors, all of which resulted in delays for testing the
prototype card system, caused the agency to miss its initial August 2004
target date for issuing maritime worker identification cards. First,
program officials said that although they received permission from TSA and
DHS information technology officials to test a card system prototype, TSA
officials had difficulty obtaining a response from DHS policy officials,
contributing to the schedule slippage. Program officials said that
although DHS officials reviewed the proposed card system during late 2003,
senior officials provided no formal direction to program staff. Senior DHS
officials said that while they were consistently briefed throughout the
development of the worker identification card system, they did not provide
formal direction regarding the prototype test because other important
statutory and security requirements required their attention. For example,
the creation and consolidation of DHS and the planning and execution of
measures to close security gaps in the international aviation arena led to
competition for executive-level attention and agency resources. DHS policy
officials subsequently approved the test of a card system prototype.

Second, while providing this approval, DHS officials also directed TSA, as
part of the prototype test, to conduct a cost-benefit analysis and to
evaluate the feasibility of other program alternatives for providing a
card. TSA had completed these analyses earlier in the project, but DHS
officials said they did not provide sufficiently detailed information on
the costs and benefits of the various program alternatives. TSA officials
said that because of the urgency to establish an identification card
program after the terrorist attacks of September 11, 2001, the earlier
cost-benefit and alternatives analyses were not completely documented as
typically required by OMB regulations and DHS guidance. Working with DHS
and OMB officials to identify additional information needed for a
cost-benefit analysis and alternatives analysis required additional time,
further delaying the prototype test.

Third, TSA officials said that before testing the card system prototype,
in response to direction from congressional committees, TSA conducted
additional tests of various card technologies. Officials assessed the
capabilities of various card technologies, such as their reliability, to
determine which technology was most appropriate for controlling access in
seaports. This technology assessment required 7 months to complete, more
time than anticipated, delaying the prototype test. This analysis is
typical of good program management and planning and, while it may have
delayed the original schedule, the purpose of such assessments is to
prevent delays in the future.

  Using Established Planning and Management Practices Could Help TSA Address
  Challenges and Better Manage Risk

DHS has not determined when it may begin issuing cards under any of the
three proposed program alternatives-the federal, decentralized, or TWIC
programs. Because of the delays in the program, some port facilities have
made temporary security improvements while waiting for TSA's maritime
worker identification card system. 17 Others, recognizing an immediate
need to enhance access control systems, are proceeding with plans for
local or regional identification cards that may require additional
investment in order to make them compatible with TSA's system. For
example, the state of Georgia is implementing a state-based maritime
worker identification card, and ports along the eastern seaboard are
pursuing plans for a regional identification card.

TSA officials indicated that in the near future, as they move forward with
developing and operating a maritime worker identification card program,
they face a number of challenges, including resolving issues with
stakeholders, such as how to share costs of the program, determining the
fee for the maritime worker identification card, obtaining funding for the
next phase of the program. Further, in the coming months, regardless of
which approach the DHS chooses-the federal, decentralized, or TWIC
approach-TSA will also face challenges completing key program policies,
regulatory processes, and other work as indicated in table 1.

17

According to a senior DHS official, the timeframe for issuing cards
depends on which approach DHS selects. DHS policy officials are expected
to make this decision during TSA's test of a TWIC prototype, which began
in November 2004.

Page 10 GAO-05-106 Port Security

Table 1: Policy Issues to Be Completed and Regulatory Processes to Be Finalized

             Work to be accomplished Explanation Estimated schedule

Eligibility requirements A basic program requirement has not been Unknown
determined. While MTSA contains some general provisions relating to
eligibility, DHS has not established which felony convictions should
disqualify maritime workers as posing a terrorism risk. DHS has said it
will likely base the maritime worker eligibility requirements on those
used to screen hazardous material truck drivers but has not determined
whether all workers will be required to meet the same requirements for a
credential.

Policies for adjudicating card applications Program policies, procedures,
and processes for Unknown and appeal and waiver requests from adjudicating
card applications and appeal and waiver workers denied a card requests
have not been developed. While MTSA

contains general provisions relating to adjudicating applications, neither
TSA nor DHS has established an appeal and waiver process for workers
denied a card.

Card issuance Whether TSA will field a credential through a TWIC During or
at conclusion of program or establish a decentralized program requiring
prototype other entities to issue the card has not been decided.

Cost sharing The extent to which the federal government or local During or
at conclusion of public and private stakeholders will bear costs for a
prototype maritime worker identification card program has not been
decided.

Scope of card TSA officials have not decided whether the biometric Unknown
identification card will be implemented intermodally, that is, in
transportation sectors other than seaports, and what issues related to
intermodal implementation would affect implementation in seaports.

Regulatory processes Several regulations, including a final rule
implementing Unknown the MTSA card requirement and a regulatory impact
assessment, are yet to be completed. Estimated bestcase scenario for time
needed to a final rule is 9 to 12 months, according to TSA officials. Time
needed to complete other regulatory processes is unknown.

Source: GAO analysis of TSA documents.

While TSA officials acknowledged the importance of completing key program
policies, for example, establishing the eligibility requirements a worker
must meet before receiving a card and processes for adjudicating appeals
and requests for waivers from workers denied a card, officials also said
that this work had not yet been completed. 18 A senior TSA official and
DHS officials said they plan to base these policies and regulations for
the maritime worker identification card on those TSA is currently
completing for the hazardous materials endorsement for commercial truck
drivers. 19 According to a senior TSA official who was in charge of the
card program, TSA placed a higher priority on completing regulations for
the hazardous materials endorsement than completing those for the maritime
worker identification card.

TSA has other work to complete in addition to these policies and
regulations. TSA officials said OMB recently directed them and DHS
officials to develop the TWIC program card in a way that allows its
processes and procedures to also be used for other DHS credentialing
programs. To develop such a system, DHS expects TSA to standardize, to
some degree, eligibility requirements for the maritime worker
identification card with those for surface and aviation workers, a task
that will be challenging, according to officials. 20 In the near future,
TSA will need to produce other work, for instance, it has initiated but
not yet

18

While MTSA contains some general provisions related to eligibility, it
requires DHS to establish which felony convictions indicate that a
maritime worker could pose a terrorism security risk and should therefore
be disqualified from receiving a card. MTSA also requires DHS officials to
develop processes for workers to appeal the denial of a card and to
request a waiver of the eligibility requirements allowing them to receive
a card if disqualified due to their criminal record.

19

TSA plans to harmonize the eligibility requirements for the maritime
worker identification card with credentialing requirements for surface and
aviation workers.

20

DHS officials expect TSA to make recommendations that establish
eligibility requirements for maritime workers and harmonize them, to the
extent possible, with those used to screen surface and aviation
transportation workers. Certain workers in the aviation industry, the
maritime industry, and truck drivers seeking a license to transport
hazardous materials are subject to statutorily required background and
criminal history record checks. With respect to the results of criminal
history record checks in the aviation context, disqualifying criminal
offenses are set out in statute. Neither the USA PATRIOT Act provisions
relating to records checks of transporters of hazardous materials nor the
MTSA provisions relating to records checks of maritime workers specify the
types of criminal offenses to be considered as grounds for
disqualification. With respect to workers in the maritime industry, MTSA
further requires the issuance of a biometric security card for maritime
workers.

finalized cost estimates for the card program 21 and a cost-benefit
analysis, which is a necessary part of a regulatory impact analysis
required by OMB regulations.

Our analysis, however, indicates that TSA faces another significant
challenge besides the ones it has identified. This challenge is that TSA
is attempting to proceed with the program without following certain
industry-established best practices for project planning and management.
Two key components of these practices are missing. The first is a
comprehensive plan that identifies work to be completed, milestones for
completing this work, and project budgets for the project's remaining
life. The second is detailed plans for specific and important components
of the project-particularly mitigating risks and assessing alternative
approaches-that would support the overall project plan. Failure to develop
these plans holds significant potential to adversely affect the card
program, putting it at higher risk of cost overruns, missed deadlines, and
underperformance.

TSA has estimated the total life-cycle program costs to the federal
government of a TWIC approach to be about $1 billion. This estimate spans
10 years, fiscal years 2005 - 2014, and does not include all program
costs, such as costs to port facilities, costs of background checks, and
costs to adjudicate applications for a biometric identification card,
appeal the decision to deny a worker a biometric transportation card, and
waiver requests should a maritime worker not meet the eligibility
requirements for a biometric identification card (e.g., if he or she was
convicted of a serious felony making him or her ineligible for the card).
TSA estimates the cost to maintain the TWIC program would be $116.2
million per year. TSA program officials said that the costs to the
government would be recovered through a statutorily authorized fee
collection program, but the agency has not established the fee amount yet.

    Best Practices for Planning and Key Management Practices Are Important for
    Information Technology Programs

Over the years, we have analyzed information technology systems across a
broad range of federal programs and agencies, and these analyses have
repeatedly shown that without adequate planning, the risks increase for
cost overruns, schedule slippages, and systems that are not effective or
usable. 22 According to industry best practices for managing information
technology projects like the maritime worker identification card, program
managers should develop a comprehensive project plan that governs and
defines all aspects of the project, tying them together in a logical
manner. 23 A documented comprehensive project plan is necessary to achieve
the mutual understanding, commitment, and performance of individuals,
groups, and organizations that must execute or support the plans. A
comprehensive project plan identifies work to be completed, milestones for
completing this work, and project budgets as well as identifying other
specific, detailed plans that are to be completed to support the
comprehensive project plan.

The comprehensive plan, in turn, needs to be supplemented by specific,
detailed plans that support the plan where necessary. Such plans might be
needed to address such matters as the program's budget and schedule, data
to be analyzed, risk management and mitigation, staffing. For example, a
risk mitigation plan would be important in situations where potential
problems exist. One purpose of risk management is to identify potential
problems before they occur; a risk mitigation plan specifies risk
mitigation strategies and when they should be invoked to mitigate adverse
outcomes. Effective risk management includes early and aggressive
identification of risks because it is typically easier, less costly, and
less disruptive to make changes and correct work efforts during the
earlier phases of the project. In addition, plans for activities such as
cost-benefit

22

See GAO, Maritime Security: Better Planning Needed to Help Ensure and
Effective Port Security Assess Program, GAO-04-1062 (Washington, D.C.:
Sept. 29, 2004); Land Management Systems: Progress and Risks in Developing
BLM's Land and Mineral Record System , GAO/AIMD-95-180 (Washington, D.C.:
Aug. 31, 1995); Land Management Systems: BLM Faces Risks in Completing the
Automated Land and Mineral Record System, GAO/AIMD-97-42 (Washington,
D.C.: Mar. 19, 1997); Land Management Systems: Actions Needed in
Completing the Automated Land and Mineral Record System Development ,
GAO/AIMD-98-107 (Washington, D.C.: May 15, 1998); and Land Management
Systems: Major Software Development Does Not Meet BLM's Business Needs,
GAO/AIMD-99-135 (Washington, D.C.: Apr. 30, 1999)

23

Carnegie Mellon's Software Engineering Institute, a federally funded
research and development center operated by Carnegie Mellon University and
sponsored by the U.S. Department of Defense, created models such as
Capability Maturity Model(R) Integration to guide information technology
projects through best practices of project planning and project
management.

    Lack of a Comprehensive Project Plan Could Limit TSA's Ability to Complete
    Future Work

and alternatives analyses should be developed to help facilitate data
collection and analysis. These types of plans typically describe, among
other things, the data to be collected, the source of these data, and how
the data will be analyzed. Such plans are important to guide needed data
analysis as well as prevent unnecessary data collection, which can be
costly. For this program, both risk mitigation and data analysis are key,
because the program runs significant risks with regard to ensuring
cooperation of stakeholders, and because TSA still faces considerable
analytical work in deciding which approach to adopt.

According to TSA officials, the agency lacks an approved, comprehensive
project plan to guide the remaining phases of the project, which include
the testing of a maritime worker identification card system prototype and
issuance of the cards. While it has initiated some project planning,
according to officials, the agency has not completed a comprehensive
project plan, which is to identify work to be completed, milestones for
completing this work, and project budgets as well as identifying other
specific, detailed plans that are to be completed. Officials said that
with contractor support they intended to develop a plan to manage the
prototype test. However, officials did not intend to develop a plan for
the remainder of the project until key policy decisions had been made,
such as what type of card program will be selected to issue the cards. 24
Once key policies are determined, TSA may move forward with a
comprehensive plan. As a consequence of not having such a plan in place,
officials have not documented work to be completed, milestones for
completing it, or accountability for ensuring that the work is done.
Without a comprehensive project plan and agreement to follow the plan from
the appropriate DHS and TSA officials, TSA program staff may have
difficulty managing future work, putting the program at higher risk of
additional delays and cost overruns. Officials did not provide a timeframe
for completing such a project plan.

24

TSA officials said that they cannot complete an implementation plan until
DHS decides which type of program--the federal, decentralized, or
TWIC-will be implemented. Of the various strategies for rolling out the
card program, officials said TSA must determine which one is the best, for
instance, a regional strategy where cards are issued to workers in all
transportation sectors in one geographic region or a threat-based
strategy, where cards are first issued to workers in maritime ports
considered at highest risk.

Page 15 GAO-05-106 Port Security

    Lack of Specific Plan for Mitigating Risks Could Affect TSA's Ability to
    Partner with Stakeholders

According to TSA planning documents and discussions with officials, TSA
lacks a risk management plan that specifies strategies for mitigating
known risks which could limit TSA's ability to manage these risks. For
instance, TSA documents identified failure to sustain the support of
external stakeholders, such as labor unions for port workers, as a program
risk and indicated a mitigation strategy was needed to address this risk.
But, TSA has not developed such a strategy to address this specific risk.
TSA documents also indicated that involving stakeholders in decision
making could help mitigate program risks associated with defining the
eligibility requirements for the card. However, TSA has not planned for
stakeholder involvement in decision-making.

Several stakeholders at ports and port facilities told us that while TSA
solicited their input on some issues, TSA did not respond to their input
or involve them in making decisions regarding eligibility requirements for
the card. 25 In particular, some stakeholders said they had not been
included in discussions about which felony convictions should disqualify a
worker from receiving a card, even though they had expected and requested
that DHS and TSA involve them in these decisions. One port security
director said TSA promised the port a "large role" in determining the
eligibility requirements which has not materialized, and others said that
in the absence of TSA defining the eligibility requirements for the card,
they recently drafted and sent proposed eligibility requirements to TSA.
TSA officials said they have an extensive outreach program to inform
external stakeholders about the program, for instance, by frequently
attending industry conferences and maritime association meetings.

Obtaining stakeholder involvement is important because achieving program
goals hinges on the federal government's ability to form effective
partnerships among many public and private stakeholders. If such
partnerships are not in place-and equally important, if they do not work
effectively-TSA may not be able to test and deliver a program that
performs as expected. For example, TSA currently relies on facilities and
workers to voluntarily participate in tests of the prototype card system.
Without this and other support provided by stakeholders, the prototype
card system could not be tested as planned. Planning for stakeholder

25

Of the facilities testing TSA's prototype, we visited ports and facilities
in the Delaware River Region, including Wilmington Port Authority, the
Philadelphia Maritime Exchange, and the South Jersey Port. We also visited
ports and facilities on the west coast, including those in the Port of
Seattle, Port of Los Angeles, and Port of Long Beach as well as ports and
facilities in Florida, including Port Everglades and the Port of
Jacksonville.

Page 16 GAO-05-106 Port Security

    Lack of Specific Plans for Cost-Benefit and Alternatives Analyses Could
    Create Further Delays

involvement is also important because in the future other groups or
organizations, for instance, other federal agencies or states, may be
charged with developing biometric identification card programs and emerge
as important external stakeholders for the maritime worker identification
card program. 26

According to best practices, in order to ensure that the appropriate data
are collected to support analyses on which program decisions are made,
managers should develop a plan that describes data to be collected, the
source of these data, and how the data will be analyzed. During the test
of the prototype card system, officials said they are to collect data on
the feasibility of the federal and decentralized approaches in order to
conduct an alternatives analysis-a comparison of the three possible
approaches that demonstrates one approach is more cost-effective than the
others. TSA officials acknowledge they have not yet completed a plan;
however, they said they intend to do so with contractor support. On the
basis of interviews with a number of officials and review of documents, we
determined TSA has not identified who would be responsible for collecting
the data; the sources for the data, and how it will be analyzed. These
details are needed to ensure production of a good result. Completing the
cost-benefit and alternatives analyses is important because not only do
OMB regulations and DHS guidance instruct agencies to complete them, but
DHS officials said the alternatives analysis would guide their decision
regarding which approach is the most cost-effective way to provide the
card. Without a plan to guide this activity, TSA may not perform the
necessary analysis to inform sound decision making, possibly causing
further delays.

With the passage of MTSA, Congress established a framework for

  Conclusions

homeland security that relies on a multilayered defense strategy to
enhance port security. Improving access control by providing ports a
maritime worker identification card is an important part of this strategy.
Each delay in TSA's program to develop the card postpones enhancements

26

As a result of the recommendations made in the report of the National
Commission on Terrorist Attacks upon the United States (the 9/11
Commission), Congress has considered legislative proposals related to
biometric identification cards. While it is too soon tell what effect, if
any, legislative proposals may have on the maritime worker identification
card program, such proposals could create new and important stakeholders
for the card, have the potential to affect the design and implementation
of TSA's card program, or make the TSA card unnecessary and duplicative.

to port security and complicates port stakeholders' efforts to make wise
investment decisions regarding security infrastructure.

Despite delays and the difficulties of a major governmentwide
reorganization, DHS and TSA have made some progress in developing a
maritime worker identification card. Nevertheless, without developing a
comprehensive project plan and its component parts-an established industry
best practice for project planning and management-TSA is placing the
program's schedule and performance at higher risk. More delays could
occur, for example, unless DHS and TSA agree on a comprehensive project
plan to guide the remainder of the project, identify work that TSA and DHS
officials must complete, and set deadlines for completing it. Without
adequate risk mitigation plans, TSA may not be able to resolve problems
that could adversely affect the card program objectives, such as
insufficient stakeholder support to successfully develop, test, and
implement the card program. Further, without a plan to guide the
cost-benefit and alternatives analyses, TSA increases the risk that it may
fail to sufficiently analyze the feasibility of various approaches to
issue the card, an analysis needed by DHS policy officials to make
informed decisions about the program, putting the program at risk for
further delays.

To help ensure that TSA meets the challenges it is facing in developing
and

  Recommendations for

operating its maritime worker identification card program, we are

Executive Action recommending that the Secretary of Homeland Security
direct the TSA Administrator to employ industry best practices for project
planning and management, by taking the following two actions:

     o Develop a comprehensive project plan for managing the remaining life
       of the project.
     o Develop specific, detailed plans for risk mitigation and cost-benefit
       and alternatives analyses.

                                Agency Comments
                               and Our Evaluation

We provided a draft of this report to DHS and TSA for their review and
comment. DHS and TSA generally concurred with the findings and
recommendations that we made in our report and provided technical comments
that we incorporated where appropriate. DHS and TSA also provided written
comments on a draft of this report (see app. I). In its comments, DHS
noted actions that it has recently taken or plans to take to address
concerns we raised regarding outstanding regulatory and policy issues.

Although DHS and TSA concurred with our recommendations, in their
comments, they contend that project plans and program management controls
are currently in place to manage their test of the TWIC prototype.
However, at the time of our review, the project planning documents
identified by DHS and TSA in their comments were incomplete, lacked the
necessary approvals from appropriate officials, or were not provided
during our audit. Furthermore, project plans and other management controls
have not been developed for the remaining life of the project.

We are sending copies of this report to other interested Members of
Congress. We are also sending copies to the Secretary of Homeland
Security. We will make copies available to others upon request. In
addition, the report will be available at no charge on GAO's Web site at
http://www.gao.gov.

If you or your staffs have any questions about this report, please contact
me at (415) 904-2200 or at [email protected]. Other major contributors to
this report included Jonathan Bachman, Chuck Bausell, Tom Beall, Steve
Calvo, Ellen Chu, Matt Coco, Lester Diamond, Geoffrey Hamilton, Rich Hung,
Lori Kmetz, Anne Laffoon, Jeff Larson, David Powner, Tomas Ramirez, and
Stan Stenerson.

Margaret T. Wrightson Director, Homeland Security and Justice Issues

Appendix I: Comments from the Department of Homeland Security

Appendix I: Comments from the Department of Homeland Security

Appendix I: Comments from the Department of Homeland Security

(440265)

  GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov) . Each weekday, GAO posts GAO
Reports and newly released reports, testimony, and correspondence on its
Web site. To

have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

                             Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

  To Report Fraud, Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

  E-mail: [email protected]

Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Relations
Washington, D.C. 20548

Susan Becker, Acting Manager, [email protected] (202) 512-4800

  Public Affairs

U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

    PRINTED ON

RECYCLED PAPER
*** End of document. ***