Aviation Security: Secure Flight Development and Testing Under
Way, but Risks Should Be Managed as System Is Further Developed
(28-MAR-05, GAO-05-356).
Among its efforts to strengthen aviation security, the
Transportation Security Administration (TSA) is developing a new
passenger prescreening system--known as Secure Flight. As
required by Congress, TSA is planning to assume, through Secure
Flight, the prescreening function currently performed by the air
carriers. This report assesses the (1) status of Secure Flight's
development and implementation, (2) factors that could influence
the effectiveness of Secure Flight, (3) processes used to oversee
and manage the Secure Flight program, and (4) efforts taken to
minimize the impacts on passengers and protect passenger rights.
In conducting this assessment, we addressed the 10 specific areas
of congressional interest related to Secure Flight outlined in
Public Law 108-334.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-356
ACCNO: A20159
TITLE: Aviation Security: Secure Flight Development and Testing
Under Way, but Risks Should Be Managed as System Is Further
Developed
DATE: 03/28/2005
SUBJECT: Airport security
Counterterrorism
Data bases
Data integrity
Information resources management
Information systems
National preparedness
Operational testing
Performance measures
Program evaluation
Program management
Homeland security
Aviation security
TSA Computer-Assisted Passenger
Prescreening Program
TSA Secure Flight Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-05-356
* Highlights
* Results in Brief
* Background
* Current Passenger Prescreening
* CAPPS II
* Secure Flight
* Development and Testing of Secure Flight Are Under Way, but Key
Activities Have Not Yet Been Completed
* TSA Recently Developed a Comprehensive Schedule, but Key System
Documentation and Development Activities Have Not Yet Been
Completed
* TSA Is Conducting Initial Testing, but Key System Testing Remains
* TSA Completed Initial Testing on CAPPS II System That Will
Support Secure Flight Testing
* TSA Currently Conducting Tests to Further Define Secure
Flight Data Needs and Functionality
* TSA Plans to Conduct Stress Testing as Part of Final System
Testing
* TSA Is Taking Steps to Improve the Ability of Secure Flight to
Identify Passengers Who Should Undergo Additional Security Scrutiny,
but System Effectiveness Has Not Been Determined
* Initial Secure Flight Test Results Show Improvements over Current
Passenger Prescreening, but Key Issues Regarding How Data Will Be
Obtained and Transmitted Have Not Yet Been Resolved
* Efforts Are Being Taken to Improve the Quality of Data That Will
Support Secure Flight Operations, but the Accuracy of These Data
Has Not Been Determined
* Changes to CAPPS I Rules May Result in More Targeted Security
Screening, but Potential Benefits to Secure Flight Are Not Yet
Known
* False Identifying Information and Identity Theft Could Affect the
Security Benefits of Secure Flight
* DHS and TSA Have Taken Actions to Strengthen Their Oversight and
Management of Secure Flight, but Key Issues Will Need to Be Resolved
as the Program Is Further Developed
* DHS Oversight Board and External Advisory Committee Are in Place
to Oversee the Development and Implementation of Secure Flight
* Acquisition Oversight Is Provided by DHS
* External Advisory Committee Designed to Provide Advice and
Assistance for Secure Flight
* TSA Has Taken Steps to Strengthen Contractor Oversight and
Acquisition Planning, but Risks Remain
* TSA Plans to Develop Oversight Policies and Performance Measures
after System Testing
* TSA Has Engaged in Outreach with Key External Stakeholders, but
Concerns Exist over Potential Impacts of Secure Flight
Operational Requirements
* TSA Has Discussed Secure Flight Development Activities with
Key External Stakeholders
* Air Carriers and Privacy Groups Are Concerned about System
Connectivity and Data Accuracy and Protections
* TSA Has Initiated Information System Security Activities but
Cannot Complete All Key Actions until Secure Flight Is Further
Developed
* Life-Cycle Cost Estimates Have Not Been Developed and An
Expenditure Plan Was Recently Finalized
* TSA Has Taken Steps to Minimize Impacts on Passengers and Protect
Passenger Rights, but Its Operational Plans Must Be More Fully Defined
before Protections and Impacts Can Be Accurately Assessed
* Privacy Protections and Impacts Cannot Yet Be Assessed
* A Redress Process Is Being Developed, but Key Stakeholder Roles
and Responsibilities Have Not Yet Been Defined
* Secure Flight Design Reduces Some International Privacy Concerns,
but Issues Remain
* Conclusions
* Recommendations for Executive Action
* Agency Comments and Our Evaluation
* Appendix I: Objectives, Scope, and Methodology
* Appendix II: Comments from the Department of Homeland Security
* Appendix III: GAO Contacts and Staff Acknowledgments
* GAO Contacts
* Staff Acknowledgments
* GAO Related Products
*
* Order by Mail or Phone
United States Government Accountability Office
GAO
Report to Congressional Committees
March 2005
AVIATION SECURITY
Secure Flight Development and Testing Under Way, but Risks Should Be Managed as
System Is Further Developed
GAO-05-356
[IMG]
March 2005
AVIATION SECURITY
Secure Flight Development and Testing Under Way, but Risks Should Be Managed as
System Is Further Developed
What GAO Found
TSA is making progress in addressing each of the key areas of
congressional interest related to the development and implementation of
Secure Flight, including developing and testing the system. However, TSA
has not yet completed these efforts or fully addressed these areas, due
largely to the current stage of the system's development. For example,
while TSA has drafted a concept of operations and system requirements, it
has not finalized these key documents or completed test activities that
will need to be accomplished before Secure Flight becomes operational.
Until requirements are defined, operating policies are finalized, and
testing is completed- scheduled for later in the system's development-we
cannot determine whether Secure Flight will fully address these areas of
interest.
TSA also initiated a number of actions designed to improve the ability of
Secure Flight to identify passengers who should undergo additional
security scrutiny, in place of the prescreening currently conducted by air
carriers. Specifically, TSA officials stated that recently completed
initial testing identified improvements over the current prescreening
system, and TSA plans to use intelligence analysts to increase the
accuracy of data matches. However, the effectiveness of Secure Flight in
identifying passengers who should undergo additional security scrutiny has
not been fully determined. For example, TSA has not resolved how passenger
data will be transmitted from air carriers to TSA to support Secure Flight
operations. Further, the ability of Secure Flight to make accurate matches
between passenger data and data contained in the terrorist screening
database is dependent on the quality of the data used, which has not been
determined.
TSA has also strengthened the oversight and management of Secure Flight,
and has established relationships with key program stakeholders. However,
air carriers expressed concerns regarding the uncertainty of system
requirements, and the impact these requirements may have on the airline
industry in terms of system modifications and costs. Additionally, TSA has
taken steps to minimize potential impacts on passengers and to protect
passenger rights during Secure Flight testing. However, TSA has not yet
clearly defined the privacy impacts of the operational system or all of
the actions TSA plans to take to mitigate potential impacts.
Secure Flight Passenger Prescreening Process United States Government
Accountability Office
Contents
Letter
Results in Brief
Background
Development and Testing of Secure Flight Are Under Way, but Key
Activities Have Not Yet Been Completed
TSA Is Taking Steps to Improve the Ability of Secure Flight to Identify
Passengers Who Should Undergo Additional Security Scrutiny, but System
Effectiveness Has Not Been Determined
DHS and TSA Have Taken Actions to Strengthen Their Oversight and
Management of Secure Flight, but Key Issues Will Need to Be Resolved as
the Program Is Further Developed
TSA Has Taken Steps to Minimize Impacts on Passengers and Protect
Passenger Rights, but Its Operational Plans Must Be More Fully Defined
before Protections and Impacts Can Be Accurately Assessed
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation
1
4 8
17
27
38
53 60 63 64
Appendix I Objectives, Scope, and Methodology
Appendix II Comments from the Department of Homeland Security
Appendix III GAO Contacts and Staff Acknowledgments 78
GAO Contacts 78
Staff Acknowledgments 78
GAO Related Products 79
Tables
Table 1: Summary of TSA's Status in Addressing Ten Areas of Congressional
Interest Included in Public Law 108-334 as of March 15, 2005 4
Table 2: System Capabilities Planned for CAPPS II 10
Table 3: Key Capabilities for Passenger Prescreening Programs 13 Table 4:
TSA's Schedule for Final Phases of Secure Flight Testing 26 Table 5:
Cross-references of Legislatively Mandated Issues to Be
Reviewed by GAO with the Sections in this Report 72
Figures
F igure 1: Planned Operations of Secure Flight 15 Figure 2: TSA Projected
Key Milestones for the Development and Implementation of Secure Flight, as
of March 2005 20 Figure 3: Slippage in Key Secure Flight Milestones
between September 2004 and February 2005 21 Figure 4: TSA's Completed,
Current, and Future Planned Testing and Operations for Secure Flight 22
Abbreviations
CAPPS I Computer-Assisted Passenger Prescreening System I
CAPPS II Computer-Assisted Passenger Prescreening System II
CBP U.S. Customs and Border Protection
DHS Department of Homeland Security
OMB Office of Management and Budget
PNR Passenger name record
TSA Transportation Security Administration
TSC Terrorist Screening Center
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office Washington, DC 20548
March 28, 2005
Congressional Committees:
Strengthening the security of commercial aviation has been a goal-and a
challenge-for many years, but since the September 11, 2001, terrorist
attacks, it has become a much more critical issue. The attacks
demonstrated that the consequences of inadequate security can be more
severe and tragic than previously imagined. Moreover, the attacks showed
that terrorists are targeting commercial aviation within the nation's
borders, and that measures taken to provide security were not always
effective. Consequently, since that time, the federal government has
initiated a number of efforts designed to strengthen the security of
virtually all aspects of commercial aviation.
Efforts to strengthen aviation security cover many areas, including
improved controls over screening passengers and baggage, and securing
restricted airport areas and airport perimeters. A recent initiative to
strengthen security is in the area of passenger prescreening. The
prescreening of passengers-that is, identifying passengers that pose a
security risk before they reach the passenger screening checkpoint-can
enable officials to focus security efforts on those passengers
representing the greatest potential threat. Since the late 1990s,
passenger prescreening has been conducted using the Computer-Assisted
Passenger Prescreening System (CAPPS I)-in which data related to a
passenger's reservation and travel itinerary are compared against
characteristics used to select passengers who require additional security
scrutiny, known as CAPPS I rules-and through the matching of passenger
names to terrorist watch lists. However, following the events of September
11, it became clear that the capabilities of the existing prescreening
system to identify possible terrorists needed improvement. Consequently,
in November 2001, Congress passed the Aviation and Transportation Security
Act, which established the Transportation Security Administration (TSA)
and directed that it assume most of the responsibilities for civil
aviation security. 1 In accordance with the act's requirement that a
computer-assisted passenger prescreening system be used to evaluate all
passengers, TSA subsequently began an effort to develop a new prescreening
system known as CAPPS II
1Aviation and Transportation Security Act, Pub. L. No. 107-71, 115 Stat.
597 (2001).
that, unlike the current system that operates as part of each airline's
reservation system, would be operated by TSA. Further, in July 2004, the
National Commission on Terrorists Attacks upon the United States, also
known as the 9/11 Commission, reported that the current passenger
prescreening system needed improvements, and that the watch lists used by
the air carriers did not include all terrorists or terrorism suspects
because of concerns about sharing intelligence information with private
firms and foreign countries. The commission recommended that passenger
screening be performed by the federal government, and make use of the
larger consolidated watch list database maintained by the government. 2
Because of a variety of delays and challenges, in August 2004, the
Department of Homeland Security (DHS) cancelled the development of CAPPS
II. In its place, TSA announced that it would develop a new prescreening
program, called Secure Flight, that would respond to the commission's
recommendation by taking over the responsibility-from air carriers-for
prescreening passengers, using the larger consolidated watch list database
not currently available to air carriers. In developing Secure Flight, TSA
plans to incorporate some but not all of the functionality planned for the
CAPPS II program. Specifically, Secure Flight is being developed to
compare passenger information against data from the consolidated watch
list database. TSA is also considering incorporating CAPPS I rules
processing as part of Secure Flight, and may include the use of commercial
data (e.g., personally identifiable information that either identifies an
individual or is directly attributed to an individual, such as name,
address, and phone number) if the data can be shown, through testing, to
add to the security benefits of Secure Flight.
Public Law 108-334, enacted in October 2004, mandated that we assess and
report on 10 aspects of the development and implementation of Secure
Flight. 3 This report satisfies the requirements of that mandate.
Specifically, this report addresses the following questions: (1) What is
the status of Secure Flight's development and implementation? (2) What
factors could influence the effectiveness of Secure Flight? (3) What
procedures have been put in place to oversee and manage the Secure Flight
program, including ensuring stakeholder coordination? And (4) What efforts
are
2The 9/11 Commission, The 9/11 Commission Report: Final Report of the
National Commission on Terrorist Attacks upon the United States, July
2004.
3Department of Homeland Security Appropriations Act, 2005, Pub. L. No.
108-334, S: 522, 118 Stat. 1298, 1319-20 (2004).
being taken to minimize the impacts on passengers and protect passenger
rights? In answering these questions, we addressed the 10 specific areas
of congressional interest that we were mandated to review based on the
current status of Secure Flight's development. These areas address the
establishment of a redress process, assessment of the accuracy of
databases and the effectiveness of Secure Flight, system stress testing,
program oversight, operational safeguards, security measures, oversight
policies governing the use and operation of the system, system privacy
protections, system modifications to accommodate states with unique air
transportation needs, and life-cycle cost estimates and expenditure plans.
(See app. I, table 5, for a description of the 10 areas identified in
Public Law 108-334 and the sections of the report in which they are
addressed.) Since some of the information addressing the congressional
areas of interest is considered Sensitive Security Information, we are
also issuing a separate letter containing this information. 4
To address these questions, we reviewed available Secure Flight program
documentation to include system requirements, test plans, and privacy
notices. We also interviewed officials from DHS, TSA, U.S. Customs and
Border Protection (CBP), and the Terrorist Screening Center (TSC) 5 to
discuss the status of the program's development as of March 2005, as well
as its anticipated operations. Since TSA developed Secure Flight from a
modified version of the CAPPS II program, and will incorporate program
criteria from CAPPS I, we also reviewed relevant CAPPS II and CAPPS I
program documentation. Further, we questioned officials from selected air
carriers and interviewed personnel from several trade organizations and
privacy advocacy organizations regarding issues related to Secure Flight's
development and implementation. We conducted our work from April 2004
until March 2005 in accordance with generally accepted government auditing
standards. A detailed discussion of our scope and methodology is contained
in appendix I.
4GAO, Aviation Security: TSA Modifications to Rules for Prescreening
Passengers, GAO-05-445SU (Washington, D.C.: Mar. 28, 2005).
5TSC was established in accordance with Homeland Security Presidential
Directive/HSPD-6 to consolidate the government's approach to terrorism
screening, including the use of terrorist information for screening
purposes. TSC is an interagency effort involving DHS, Department of
Justice, Department of State, and intelligence community representatives,
and is administered by the Federal Bureau of Investigation. TSC maintains
the terrorist screening database, which consolidates information from
terrorist watch lists to provide government screeners with a unified set
of antiterrorist information.
Results in Brief
Overall, TSA is making progress in addressing key areas of congressional
interest related to the development and testing, system effectiveness,
program management and oversight, and privacy protections for the Secure
Flight program, as outlined in Public Law 108-334. Table 1 provides a
summary of TSA's status in addressing each of the ten areas of
congressional interest. However, TSA has not yet completed these efforts
or fully addressed these areas, due largely to the current stage of the
program's development. Specifically, initial tests have only recently been
completed, and key policy decisions-including what data will be collected
and how it will be transmitted-have not yet been made. Until requirements
are fully defined, operating policies are finalized, and testing is
completed-scheduled for later in the system's development-we cannot
determine whether TSA will fully address these areas of interest.
Table 1: Summary of TSA's Status in Addressing Ten Areas of Congressional
Interest Included in Public Law 108-334 as of March 15, 2005
Areas of congressional interest TSA status in addressing area of (short
title and page number in report that further describes status)
congressional interest
a
Stress test system and demonstrate efficacy and accuracy (page 25) Under
way
Assess accuracy of databases (page 27) Under way
Modifications with respect to intrastate travel to accommodate states with
unique air Under way transportation needs (page 34, also see GAO-05-445SU)
Establish internal oversight board (page 39) Addressedb
Establish effective oversight of system use and operation (page 43) Under
way
Install operational safeguards to protect system from abuse (page 48)
Under way
Install security measures to protect system from unauthorized access (page
48) Under way
Life-cycle costsand expenditure plans (page 50)c Under way
Address all privacy concerns (page 54) Under way
Create redress process for passengers to correct erroneous Under way
information (page 56)
Source: GAO analysis.
aUnder way indicates that TSA provided evidence that it has begun to
address this issue.
bAddressed indicates that TSA provided evidence that it has addressed this
issue.
cTSA officials stated that they plan to develop life-cycle cost estimates
after system requirements have been defined, and that they recently
finalized an expenditure plan.
TSA is making progress in the development and testing of Secure Flight and
is attempting to build in more rigorous processes than those used for
CAPPS II. Specifically, TSA has drafted a number of key documents to
assist in providing program oversight, including a draft concept of
operations, a draft requirements document, and a draft project schedule.
However, TSA has not yet finalized these documents. Further, although TSA
uses a working milestone chart to coordinate its many activities, key
milestones for the Secure Flight program have slipped. For example, the
date when Secure Flight is expected to achieve initial operational
capability with two air carriers slipped by about 4 months. TSA is also
completing initial Secure Flight testing to determine data needs and
system functions, which are basic to defining how Secure Flight will
operate. However, key system testing including stress testing-to verify
that the entire system will function as intended in an operational
environment-has not been completed. Further, although TSA expects to
complete stress testing prior to initial operational deployment, scheduled
for August 2005, it has not yet designed the procedures it will use to
conduct these tests. Until TSA finalizes key program documents and
completes additional system testing, it is uncertain whether Secure Flight
will perform as intended, and whether it will be ready for initial
operational deployment by August 2005.
TSA has begun, or has plans to initiate, a number of actions designed to
improve the ability of Secure Flight to identify passengers who should
undergo additional security scrutiny, in place of prescreening currently
conducted by air carriers. Specifically, TSA recently completed initial
testing to identify those elements that will be used to match air carrier
passenger data to data contained in the TSC's terrorist screening
database, and the effectiveness of these data in making accurate matches.
According to TSA officials, initial test results showed that the Secure
Flight system was effective in matching PNR data with data contained in
the terrorist screening database, and that data matching can be improved
by adding additional information to PNR data, such as date of birth.
However, because this testing has only recently been completed and test
results have not been fully documented and analyzed, we were unable to
independently assess these results. TSA also plans to use intelligence
analysts to help resolve discrepancies in the matching of passenger data
to data contained in the terrorist screening database. In addition, TSA
recently modified the CAPPS I rules, which are currently being implemented
and may also be used in Secure Flight, to facilitate more targeted
screening of individuals. Although TSA is taking these actions, the
effectiveness of Secure Flight in identifying passengers who should
undergo additional security scrutiny has not been fully determined, and it
can be affected by data quality and other factors. For example, TSA has
not resolved how passenger data will be transmitted from air carriers to
TSA to support Secure Flight operations. Further, the ability of Secure
Flight to make accurate matches between passenger data and data contained
in the terrorist screening database is dependent on the type and
quality of the data. Although the TSC and TSA have taken, or plan to take,
a number of actions to improve the quality of the data in the terrorist
screening database, the accuracy of this data has not been fully
determined. Another factor that could impact the effectiveness of Secure
Flight in identifying known or suspected terrorists is the system's
ability to identify passengers who assume the identity of another
individual by committing identity theft.
DHS and TSA have also taken steps to strengthen their oversight and
management of Secure Flight, including coordinating with key stakeholders.
However, a number of important issues will need to be resolved as program
requirements are finalized and system testing is completed, and before
Secure Flight becomes operational. DHS and TSA have provided oversight
through a number of bodies designed to manage Secure Flight's development
and implementation. TSA also reported strengthening its oversight of
Secure Flight contractors through various methods, including increasing
the number of TSA staff with contract oversight responsibilities. TSA
officials also reached out to key external stakeholders, such as air
carriers, whom they identified as integral to the successful
implementation and operations of Secure Flight. These efforts should help
DHS and TSA in managing its development and implementation efforts.
Although DHS and TSA have taken these actions, however, TSA has not yet
finalized oversight policies governing the use and operation of Secure
Flight, or completed performance measures to measure program results.
Further, although TSA has reached out to key external stakeholders who
will be integral to Secure Flight operations, officials from these
organizations expressed concerns regarding the uncertainty of Secure
Flight system and data requirements, and the impact these requirements may
have on the airline industry in terms of system modifications and costs.
Data requirements and associated impacts on air carriers will need to be
resolved before TSA can begin its initial operations with two air carriers
in August 2005. TSA also has not finalized a security risk assessment and
security plan, due largely to the early stage of the system's development.
In addition, TSA did not develop life-cycle cost estimates and only
recently completed an expenditure plan. Life-cycle cost estimates and
expenditure plans are critical components of sound program management for
the development of any major investment. Without fully developed plans
addressing Secure Flight operations, security, and costs, individuals
responsible for overseeing the program may not have the information needed
to manage program risks and allocate resources.
Additionally, TSA has recognized that Secure Flight has the inherent
potential to adversely affect the privacy rights of the traveling public
because of the use of passenger data, and has begun to take steps to
minimize potential impacts on passengers and to protect passenger rights
during the testing phase of Secure Flight. However, TSA has not yet
clearly defined the privacy impacts of Secure Flight in an operational
environment, or all of the actions TSA plans to take to mitigate potential
impacts. TSA also drafted a redress process to provide passengers who
believe they were inappropriately delayed from boarding their scheduled
flights because of Secure Flight a means by which to appeal these
decisions and possibly correct erroneous data found in the terrorist
screening database or in commercial databases, should TSA decide to use
commercially available data. However, TSA has not yet clearly defined how
it plans to implement its redress process for Secure Flight, such as how
errors, if identified, will be corrected, particularly if commercial
databases are used. In addition, although DHS and TSA have taken steps to
address international privacy concerns in developing Secure Flight, such
as limiting Secure Flight to prescreening only domestic passengers, issues
remain, particularly with regard to the European Union. Specifically, TSA
has acknowledged that the use of passenger data that originates in
reservations made in a European Union country may create concerns under
that country's privacy laws. Until TSA fully defines its operational plans
for Secure Flight-which officials stated they plan to do later in the
system's development-and addresses international privacy concerns, it will
remain difficult to determine whether the planned system will offer
reasonable privacy protections to passengers who are subject to
prescreening or mitigate potential impacts on passengers' privacy.
To help manage risks associated with Secure Flight's continued development
and implementation, and to assist TSA in developing a framework from which
to support its efforts in addressing congressional areas of interest
outlined in Public Law 108-334, we are making a number of recommendations
to the Secretary of the Department of Homeland Security. These
recommendations include finalizing requirements and test plans, developing
a plan for transmitting data from and to air carriers to support Secure
Flight operations, developing performance goals and measures and
life-cycle costs, and finalizing policies and issuing associated
documentation detailing privacy protections and a system of redress.
We provided a draft of this report to DHS for its review and comment. DHS,
in its written comments, generally agreed with our findings and
recommendations, and identified some actions it has initiated to
implement the recommendations. For example, DHS stated that TSA plans to
complete the Secure Flight concept of operations by March 2005, and system
requirements by April 2005. DHS also noted that TSA is currently
finalizing a redress process for passengers who feel they have been
unfairly or incorrectly singled out for additional screening.
DHS also provided technical comments related to the program's development,
testing, and implementation. These comments were incorporated as
appropriate. A copy of DHS's comments is included in appendix II.
The Transportation Security Administration is responsible for securing all
modes of transportation while facilitating commerce and ensuring the
freedom of movement for the traveling public. Passenger prescreening is
one program among many that TSA uses to secure the aviation sector. The
process of prescreening passengers-that is, determining whether airline
passengers pose a security risk before they reach the passenger screening
checkpoint-is used to focus security efforts on those passengers
representing the greatest potential threat. Currently, U.S. air carriers
conduct passenger prescreening using the Computer-Assisted Passenger
Prescreening System, known as CAPPS I, and by comparing passenger names
against government-supplied terrorist watch lists.
Background
Current Passenger Prescreening
Passenger prescreening is used to identify passengers who may pose a
higher risk to aviation security than other passengers and therefore
should receive additional and more thorough security scrutiny. The current
prescreening process consists of two components. First, after a passenger
makes a reservation, the air carrier checks the passenger's reservation
information contained in the air carrier's passenger name record (PNR) 6
against a set of established system rules, referred to as the CAPPS I
rules. 7 Second, the air carrier checks the passenger's name against
governmentsupplied watch lists that contain the names of individuals who,
for certain
6The PNR contains data related to a passenger's reservation and travel
itinerary and is contained in an air carrier's reservation system. Such
data can include the passenger's name, phone number, number of bags, seat
number, and form of payment, among other information.
7CAPPS I rules are characteristics that are used to select passengers who
require additional security scrutiny.
reasons, are either not allowed to fly (the no-fly list) or pose a higher
than normal risk and therefore require additional security attention (the
selectee list). Passengers on the no-fly list are denied boarding passes
and are not permitted to fly unless cleared by law enforcement officers.
Passengers who are selected by the CAPPS I rules or who are on the
selectee list are issued boarding passes, and they and their baggage
undergo additional security measures. Approximately 99 percent of all
passengers on domestic flights are screened under the air
carrier-operated, automated CAPPS I system. 8
CAPPS II
Following the events of September 11, and in accordance with the
requirement set forth in the Aviation and Transportation Security Act that
a computer-assisted passenger prescreening system be used to evaluate all
passengers before they board an aircraft, 9 TSA established the Office of
National Risk Assessment to develop and maintain a capability to prescreen
passengers in an effort to protect U.S. transportation systems and the
public against potential terrorists. In March 2003, this office began
developing the second-generation computer-assisted passenger prescreening
system, known as CAPPS II, to provide improvements over the current
prescreening process, and to screen all passengers flying into, out of,
and within the United States. Under the CAPPS II program, the
responsibility and financial costs of passenger prescreening were to be
transferred from the air carriers to the government. In addition, CAPPS II
was to perform different analyses and access more diverse data, including
data from government and commercial databases, to classify passengers
according to their level of risk (i.e., acceptable risk, unknown risk, or
unacceptable risk), which would in turn be used to determine the level of
security screening each passenger would receive. Table 2 lists the
specific capabilities that TSA planned to incorporate into CAPPS II, which
the agency believed were needed to strengthen passenger prescreening. 10
8The remaining 1 percent of passengers are manually screened by air
carriers who do not have an automated system.
9Pub. L. No. 107-71, S: 136, 115 Stat. 597, 637 (2001).
10TSA planned to incorporate eight capabilities into the CAPPS II program.
We have only listed seven of these capabilities, because one is Sensitive
Security Information.
Table 2: System Capabilities Planned for CAPPS II
Capability Description
Watch list Comparison of data contained in the passenger's reservation
(PNR)
matching with information contained in government watch lists (selectee
and no-fly lists) to identify potential threats to aviation security and
other individuals of interest to the counterterrorism community
CAPPS I rules Matching information in the PNR to CAPPS I rules to identify
application individuals who should be subject to additional security
screening
Identity Checking PNR data against commercial databases to assist in
authentication confirming the passenger's identity
Criminal checks Matching PNR data against lists of international fugitives
and government "wanted lists" to identify known criminals
Intelligence-Using algorithms developed through intelligence modeling to
identify based search for unknown terrorists previously unknown terrorists
by searching for patterns in an individual's travel or transaction history
that are indicative of terrorist activities
Use of opt-in lists Maintaining a list of individuals, who have been
previously cleared under credentialing programs, such as registering
passengers in advance of making reservations, to minimize the volume of
passengers that must be prescreened
Use of alert lists Providing the capability to create a temporary watch
list based on information extracted from current intelligence reports,
such as blocks of stolen passports
Source: TSA.
In February 2004, we reported-in response to a mandate in the fiscal year
2004 Department of Homeland Security Appropriation Act 11 -that TSA had
not yet developed critical elements associated with sound project planning
for CAPPS II, including a plan for the specific functionality to be
delivered and the costs expected to be incurred throughout the system's
development. 12 We also reported that TSA had not fully addressed seven of
eight issues identified by Congress as key areas of interest related to
the development and implementation of CAPPS II, such as privacy
protection, passenger redress, and system security. Following our
evaluation and congressional oversight hearings, DHS initiated an internal
review of the CAPPS II program.
11The Department of Homeland Security Appropriations Act, 2004, Pub. L.
No. 108-90, S: 519, 117 Stat. 1137, 1155-56 (2003), mandated that GAO
review eight areas related to the development and implementation of CAPPS
II, including system development and security, privacy, redress, and
oversight.
12GAO, Aviation Security: Computer-Assisted Passenger Prescreening System
Faces Significant Implementation Challenges, GAO-04-385 (Washington, D.C.:
Feb. 12, 2004).
Further, in July 2004, the National Commission on Terrorists Attacks upon
the United States, commonly known as the 9/11 Commission, reported that
the current air carrier-operated passenger prescreening system-CAPPS I and
watch list matching-needed improvements, and that the watch lists used by
the air carriers did not include all terrorists or terrorism suspects
because of concerns about the government sharing intelligence information
with private firms and foreign countries. The commission recommended that
passenger prescreening be performed by the federal government and make use
of the larger consolidated watch list database maintained by the
government. 13 Taking into consideration the commission's recommendations
and the results of DHS's internal review of CAPPS II, among other factors,
TSA cancelled the development of CAPPS II in August 2004.
Secure Flight
Shortly after the CAPPS II program was cancelled, TSA announced that it
planned to develop a new passenger prescreening program called Secure
Flight. TSA plans to operate Secure Flight on the Transportation Vetting
Platform-the development of which began under CAPPS II and includes the
software for watch list matching and CAPPS I rules analysis. 14 According
to TSA, Secure Flight will leverage the system development efforts already
accomplished for CAPPS II, but will have several fundamental differences.
Specifically, TSA is designing Secure Flight to incorporate only some of
the capabilities planned for CAPPS II such as the core capabilities of
watch list matching and CAPPS I rules application. 15 Secure Flight will
also only prescreen passengers flying domestically within the United
States, rather than passengers flying into and out of the United States.
Table 3 provides a summary of the capabilities planned for
13The 9/11 Commission Report.
14TSA plans to use this centralized vetting capability to identify
terrorist threats in support of various DHS and TSA programs. Further, TSA
plans to use the platform to ensure that persons working at sensitive
locations; serving in trusted positions with respect to the transportation
infrastructure; or traveling as cockpit and cabin crew into, within, and
out of the United States are properly screened depending on their activity
within the transportation system. In addition to supporting the Secure
Flight and Crew Vetting programs, TSA expects to leverage the platform
with other applications such as TSA Screeners and Screener applicants,
commercial truck drivers with Hazardous Materials Endorsements, aviation
workers with access to secure areas of the airports, alien flight school
candidates, and applicants for TSA's domestic Registered Traveler program.
15TSA planned to incorporate eight capabilities into the CAPPS II program.
We have only listed seven of these capabilities, since one is Sensitive
Security Information.
CAPPS II, as compared with the capabilities currently provided by the
current passenger prescreening program and those planned for the Secure
Flight program. As shown in table 3, TSA does not plan to add additional
features beyond the current passenger prescreening program, with the
exception of matching PNR data against an expanded terrorist watch list,
which will be provided by the TSC. TSA is also exploring the feasibility
of using commercial data as part of Secure Flight if the data are shown,
through testing, to increase the effectiveness of the watch list matching
feature. TSA does not currently plan for Secure Flight to include checking
for criminals, performing intelligence-based searches, or using alert
lists. 16 TSA has not yet determined whether Secure Flight will assume the
application of CAPPS I rules from the air carriers, or if an opt-in list
capability will be used as part of Secure Flight. 17
16While TSA does not plan to include criminal checks within Secure Flight,
it does plan to incorporate this capability into the platform, where it
may be used by other vetting applications, such as Crew Vetting.
17An opt-in list could include passengers participating in TSA's
Registered Traveler program, which is currently operating in the pilot
phase at five airports. Under this program, frequent travelers at select
airports are able to volunteer for the program. Volunteers are asked to
submit information, including biometrics, necessary for TSA to determine
eligibility. The biometric information, such as fingerprints, is used for
identity verification purposes and, in conjunction with a security
assessment, allows passengers at the pilot airport locations to go through
an expedited security screening process. The results of the five-airport
pilot program will determine future applications of the Registered
Traveler concept at other airports.
Table 3: Key Capabilities for Passenger Prescreening Programs Capability
included in program
Current
prescreening
Capability program CAPPS II Secure Flight
Watch list matching
*** End of document. ***