Aviation Security: Federal Action Needed to Strengthen Domestic  
Air Cargo Security (17-OCT-05, GAO-06-76).			 
                                                                 
In 2004, an estimated 23 billion pounds of air cargo was	 
transported within the United States, about a quarter of which	 
was transported on passenger aircraft. Within the Department of  
Homeland Security (DHS), the Transportation Security		 
Administration (TSA) is responsible for ensuring the security of 
commercial aviation, including the transportation of cargo by	 
air. To evaluate the status of TSA's efforts to secure domestic  
air cargo, GAO examined (1) the extent to which TSA used a risk  
management approach to guide decisions on securing air cargo, (2)
the actions TSA has taken to ensure the security of air cargo and
the factors that may limit their effectiveness, and (3) TSA's	 
plans for enhancing air cargo security and the challenges TSA and
industry stakeholders face in implementing these plans. 	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-76						        
    ACCNO:   A39597						        
  TITLE:     Aviation Security: Federal Action Needed to Strengthen   
Domestic Air Cargo Security					 
     DATE:   10/17/2005 
  SUBJECT:   Air transportation 				 
	     Cargo security					 
	     Homeland security					 
	     Inspection 					 
	     Risk assessment					 
	     Security assessments				 
	     Security threats					 
	     Strategic planning 				 
	     Aviation security					 
	     TSA Air Cargo Strategic Plan			 


                 United States Government Accountability Office

Report to Congressional Requesters

GAO

October 2005

AVIATION SECURITY

        Federal Action Needed to Strengthen Domestic Air Cargo Security

  What GAO Found

TSA has taken initial steps toward applying a risk-based management
approach to address air cargo security. A risk-based management approach
entails a continuous process of managing risk through a series of actions,
including setting strategic goals and objectives and assessing risk
through the identification and evaluation of threats, vulnerabilities, and
critical assets. In November 2003, TSA completed an air cargo strategic
plan that outlined a threat-based, risk management approach to secure the
air cargo system by, among other things, targeting elevated risk cargo for
inspection. TSA also completed an updated threat assessment in April 2005.
However, TSA has not yet established a methodology and schedule for
completing assessments of air cargo vulnerabilities and critical assets,
two crucial elements of a risk-based management approach without which TSA
may not be able to appropriately focus its resources on the most critical
security needs.

TSA has taken a number of actions intended to strengthen air cargo
security, but factors exist that may limit their effectiveness. For
example, TSA established a centralized database on people and businesses
that routinely ship air cargo to improve information on known shippers.
However, we identified problems with the reliability of the information in
the database, and how TSA is using the information to identify shippers
who may pose a risk. TSA has also established requirements for air
carriers to randomly inspect air cargo, but has exempted some cargo from
inspection, potentially creating security weaknesses. Further, TSA
conducts audits of air carriers and indirect air carriers to ensure that
they are complying with existing air cargo security requirements. However,
TSA has not developed measures to assess the adequacy of air carrier and
indirect air carrier compliance, systematically analyzed these audit
results to target future inspections, or assessed the effectiveness of its
enforcement actions to ensure compliance with air cargo security
requirements.

TSA's plans for enhancing air cargo security focus on implementing a
system for targeting and inspecting elevated risk cargo, and requiring air
carriers to conduct security threat assessments on thousands of cargo
workers, among other efforts. However, these plans may pose financial,
operational, and technological challenges to the agency and air cargo
industry stakeholders. For example, stakeholders are concerned, and our
analysis identified, that TSA may have underestimated the cost of its
proposed measures.


Contents

Letter
  Results in Brief
  Background
  TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed
    Assessments of the Risks Posed by Terrorists to the Air Cargo System
  TSA Has Implemented Actions Intended to Strengthen Air Cargo Security,
    but Factors Exist That May Limit Their Effectiveness
  TSA Plans to Enhance Air Cargo Security, but Implementing These Plans
    Poses Challenges to the Agency and Air Cargo Stakeholders
  Conclusions
  Recommendations for Executive Action
  Agency Comments and Our Evaluation

Appendix I: Objectives, Scope, and Methodology
Appendix II: Federal Agency Roles in Air Cargo Security
Appendix III: Timeline of Significant Events Related to Air Cargo Security
Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group
Appendix V: Testing Explosive Detection System Technologies for Inspecting
  Air Cargo
Appendix VI: Testing the Use of TSA-Certified Explosives Detection Canine
  Teams
Appendix VII: New Technologies Selected by TSA for Further Development and
  Testing
Appendix VIII: Comments from the Department of Homeland Security
Appendix IX: GAO Contacts and Staff Acknowledgments

  Tables

Table 1: Elements of a Typical Homeland Security Risk Assessment
Table 2: Potential Challenges Associated with Using Current and New and
  Emerging Technology to Inspect Air Cargo
Table 3: TSA's Proposed Air Cargo Security Measures
Table 4: Federal Agency Roles in Air Cargo Security

  Figures

Figure 1: Flow of Cargo from Shipper to Air Carrier
Figure 2: Risk Management Cycle
Figure 3: TSA Air Cargo Security Compliance Inspection Results for the
  Period between January 1, 2003, and January 31, 2005
Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo
  Inspections for the Period January 1, 2003, to January 31, 2005
Figure 5: Timeline of Significant Events Related to Air Cargo Security
Figure 6: EDS Technology Inspecting Break Bulk Cargo

Abbreviations

ASAC               Aviation Security Advisory Committee                    
ASI                aviation security inspector                             
ATSA               Aviation and Transportation Security Act                
CBP                U.S. Customs and Border Protection                      
DHS                Department of Homeland Security                         
EDS                explosive detection system                              
ETD                explosive trace detection                               
FBI                Federal Bureau of Investigation                         
FSD                Federal Security Director                               
PARIS              Performance and Results Information System              
STA                security threat assessment                              
SIDA               security identification display area                    
TSA                Transportation Security Administration                  
TWIC               Transportation Worker Identification Credential

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office Washington, DC 20548

October 17, 2005

Congressional Requesters

In the aftermath of the September 11, 2001, terrorist attacks, aviation
security, including the security of cargo carried on passenger and
all-cargo aircraft, became a growing concern both to the public and to
members of Congress. Since the attacks, several instances of human
stowaways in the cargo holds of all-cargo aircraft have further heightened
the concern over air cargo security by revealing vulnerabilities that
could potentially threaten the entire air transportation system. The
Aviation and Transportation Security Act (ATSA), enacted in November 2001,
required the screening of all passengers and property, including cargo,
United States mail, and carry-on and checked baggage that is carried
onboard commercial passenger aircraft. 1 It also required that a system be
put in place as soon as practicable to screen, inspect, or otherwise
ensure the security of cargo on all-cargo aircraft. 2 Within the
Department of Homeland Security (DHS), the Transportation Security
Administration (TSA) is responsible for overseeing aviation security to
ensure the security of the air traveling public. While TSA has focused
much of its attention on meeting requirements to screen 100 percent of
passengers and baggage, less attention has been paid to securing air cargo
transported on passenger and all-cargo aircraft.

In 2004, an estimated 23 billion pounds of air cargo were transported
within the United States, with about a quarter of this amount transported
on passenger aircraft. Recently, DHS reported that most cargo on passenger
aircraft is not physically inspected. 3 Specifically, according to
industry estimates, only a very small percentage of the total cargo placed
on passenger aircraft is physically screened or inspected. 4 To enhance
air cargo security, Congress recently enacted legislation authorizing $902
million for air cargo security and required that TSA take additional steps
to secure air cargo, including increasing the percentage of cargo being
inspected on passenger aircraft. 5 We have previously reported on the need
for TSA to strengthen air cargo security, and the challenges TSA faces in
determining how to allocate its resources to manage risks while addressing
threats and enhancing security both within aviation and across all modes
of transportation. 6 This evolving approach, referred to as risk
management, entails a continuous process of managing risk through a series
of actions, including setting strategic goals and objectives and assessing
risk through the identification and evaluation of threats,
vulnerabilities, and critical assets, among other efforts.

1 Aviation and Transportation Security Act, Pub. L. No. 107-71, § 110(b),
115 Stat. 597, 614-16 (2001).

2 TSA generally uses the terms "inspecting" and "screening" interchangeably
to denote some level of examination of a person or good, which can entail
a number of different actions, including manual physical inspections to
ensure that cargo does not contain weapons, explosives, or stowaways. When
TSA applies a filter to information or characteristics of cargo, such as
its Known Shipper program, it refers to such processes as screening. For
the purposes of this report, we use the term "inspection" to refer only to
an air carrier's effort to physically examine air cargo.

3 DHS Science and Technology Directorate, Systems Engineering Study of
Civil Aviation Security-Phase I, April 7, 2005.

To help Congress evaluate the status of TSA's efforts to secure domestic
air cargo, we answered the following questions: (1) To what extent has TSA
used a risk management approach to guide decisions on securing air cargo?
(2) What actions has TSA taken to ensure the security of air cargo, and
what factors may limit their effectiveness? (3) What are TSA's plans for
enhancing air cargo security, and what financial, operational, and other
challenges do TSA and industry stakeholders face in implementing these
plans?

4 The exact percentage of cargo physically screened or inspected is
sensitive security information.

5 Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence
Reform Act), Pub. L. No. 108-458, 118 Stat. 3638; Department of Homeland
Security Appropriations Act, 2005, Pub. L. No. 108-334, 118 Stat. 1298
(2004). The fiscal year 2006 DHS appropriations bill, H.R. 2360, as passed
by the House of Representatives on May 17, 2005, proposes to, among other
things, reduce TSA funding by $100,000 per day until it satisfies the
fiscal year 2005 requirement to triple the percentage of cargo inspected
on passenger aircraft, require that DHS develop screening standards and
protocols to more thoroughly screen all types of cargo on passenger and
cargo aircraft, and require that TSA utilize checked baggage explosive
detection equipment and screeners to screen cargo carried on passenger
aircraft to the greatest extent practicable at each airport. The Senate
version of the bill, passed on July 14, 2005, proposes to direct that DHS
research, develop, and procure certified systems to screen air cargo on
passenger aircraft at the earliest date possible, enhance the known
shipper program, and increase the level of cargo inspected beyond the
tripling mandated in fiscal year 2005.

6 GAO, Transportation Security: Systematic Planning Needed to Optimize
Resources, GAO-05-357T (Washington, D.C.: Feb. 15, 2005), and GAO, Aviation
Security: Vulnerabilities and Potential Improvements for the Air Cargo
System, GAO-03-344 (Washington, D.C.: Dec. 2002).

To answer these questions, we interviewed TSA headquarters officials
responsible for managing the agency's air cargo security program. We
reviewed laws and regulations related to air cargo security and TSA air
cargo security directives and guidance to determine the requirements
placed on air carriers and indirect air carriers for ensuring air cargo
security. 7 To determine the extent to which TSA has used a risk
management approach to guide decisions on securing air cargo, we compared
the elements of our risk management approach with TSA's efforts to
implement such an approach. A complete risk-based management approach
includes setting strategic goals and objectives; assessing risk (threat,
vulnerabilities, and criticality); evaluating alternatives; selecting
initiatives to undertake; and implementing and monitoring those
initiatives. This report examines the two risk management efforts TSA has
focused on thus far related to air cargo security: setting strategic goals
and objectives and assessing risk. Regarding risk assessment, we
interviewed air cargo industry stakeholders to obtain their views on the
timeliness, specificity, and clarity of threat information provided by
TSA. 8 We also analyzed data on TSA's compliance inspections to determine
the agency's progress in evaluating industry compliance with existing air
cargo security requirements. We discussed the reliability of TSA's
compliance inspection data for fiscal years 2002, 2003, and 2004 with TSA
officials in charge of this effort, and concluded that they were
sufficiently reliable for the purposes of this review. To obtain
information on government and industry actions and plans to secure air
cargo, we interviewed TSA officials and air cargo industry stakeholders.
We also reviewed TSA's Air Cargo Strategic Plan and proposed air cargo
security rule, including comments on the regulation and costs associated
with implementing the proposal. 9 In addition, we conducted site visits to
12 United States commercial airports to observe air cargo security
operations and pilot testing of cargo inspection technology, including
explosive detection systems (EDS). 10 We selected these airports based on
several factors, including airport size, geographical dispersion, and the
volume of air cargo transported to and from these airports. 11 Because we
selected a nonprobability sample of airports, the results from these
visits cannot be generalized to other United States commercial airports.
More detailed information on our scope and methodology is contained in
appendix I. We conducted our work between June 2004 and September 2005 in
accordance with generally accepted government auditing standards. We
issued a restricted version of this report on July 29, 2005. 12 This
report contains information presented in that report with all sensitive
security information removed.

7 Air carriers refers to both commercial passenger air carriers whose
aircraft have been configured to accommodate both passengers and cargo and
all-cargo carriers whose aircraft transport only cargo. Indirect air
carriers, sometimes referred to as freight forwarders, consolidate cargo
from many shippers and deliver it to passenger air carriers. TSA's
proposed air cargo security rule would expand the definition of an
indirect air carrier to include those companies that consolidate and
transport cargo to all cargo carriers. The United States Postal Service,
or its representatives while acting on behalf of the Postal Service, is
not an indirect air carrier.

8 During our review we spoke with 48 air cargo industry stakeholders,
including officials representing 7 air carriers, 4 indirect air carriers,
12 airport authorities, 16 associations representing airport operators,
air carrier pilots, indirect air carriers, passenger air carriers,
all-cargo air carriers, law enforcement agencies, and 9 air cargo security
consultants and experts.

9 Unless otherwise indicated, all cost estimate figures cited in this
report are in discounted dollars.

  Results in Brief

TSA has taken steps toward applying a risk-based management approach to
addressing air cargo security, including conducting threat assessments.
However, TSA has not conducted assessments of air cargo vulnerabilities
and critical assets, such as cargo facilities and aircraft. TSA completed
an Air Cargo Strategic Plan in November 2003 that outlined a threat-based
risk management approach to securing the nation's air cargo transportation
system. TSA's plan identifies strategic objectives and priority actions
for enhancing air cargo security based on risk, cost, and deadlines. The
plan describes TSA's commitment to inspect 100 percent of elevated risk
cargo, and ensure the security of the entire air cargo supply chain. 13
The plan focused on two threats to air cargo security: preventing the
introduction of an explosive device on a passenger aircraft and the
hijacking of an all-cargo aircraft, resulting in its use to inflict mass
destruction. To address these threats, the plan highlighted four strategic
objectives: (1) enhancing cargo shipper and cargo supply chain security,
(2) identifying elevated risk cargo through prescreening, (3) identifying
technology for performing inspections of elevated risk cargo, and (4)
strengthening the security of all-cargo aircraft and cargo operation
areas. In November 2004, TSA issued a proposed air cargo security rule
that would implement many of the objectives and associated actions
identified in the strategic plan. These include enhancing the Known
Shipper program, which allows individuals or businesses with established
histories to ship cargo on passenger carriers, and improving the security
of air carriers. TSA expected to issue the final rule by mid-August 2005.
However, as of September 2005, this rule has not been issued. TSA is also
in the process of assessing the risks terrorists pose to air cargo,
another key component of risk management. For example, TSA conducted an
air cargo threat assessment in June 2004 and updated its assessment in
April 2005. However, TSA has not completed a methodology for assessing the
vulnerability and criticality of air cargo assets, or established a
schedule for conducting such assessments because of competing agency
efforts to address other areas of aviation security. Moreover, TSA's
existing tools for assessing vulnerability have not been adapted for use
in conducting air cargo assessments, nor has TSA established a schedule
for when these tools would be ready for use. TSA has also not
systematically collected and used information on air cargo security
breaches, which could provide useful information to identify the full
range of potential air cargo security vulnerabilities. Without fully
assessing the risks posed by terrorists to the air cargo system, TSA is
limited in its ability to identify potential air cargo security
vulnerabilities and focus its resources on those areas representing the
most critical security needs.

10 An explosive detection system uses probing radiation to examine objects
inside baggage and identify the characteristic signatures of threat
explosives.

11 There are about 450 commercial airports in the United States. TSA
classifies airports into one of five categories (X, I, II, III, and IV)
based on various factors, such as the total number of takeoffs and
landings annually, the extent to which passengers are screened at the
airport, and other special security considerations.

12 GAO, Aviation Security: Federal Action Needed to Strengthen Domestic Air
Cargo Security, GAO-05-446SU (Washington, D.C.: July 29, 2005).

13 Elevated risk cargo could include cargo that has been determined to pose
a risk to the safety and security of passengers and air cargo operations.

TSA has implemented a number of actions intended to strengthen air cargo
security, but factors exist that may limit the effectiveness of these
efforts. For example, TSA has established a centralized Known Shipper
database to streamline the process by which shippers (individuals and
businesses) are made known to carriers with whom they conduct business.
However, the information in this database on the universe of shippers is
incomplete, because participation in this database is currently voluntary
and the information in the database may not be reliable. TSA estimates the
agency's centralized database contains information on about 400,000 known
shippers, or less than one-third of the total population of known
shippers, which is estimated to be about 1.5 million. Moreover, TSA has
not taken needed steps to identify shippers who may pose a security
threat, in part because TSA has incomplete information on known shippers.
Through its proposed air cargo security rule, TSA plans to make the Known
Shipper database mandatory by requiring air carriers and indirect air
carriers to submit information on their known shippers to TSA's Known
Shipper database. According to TSA officials, the agency also plans to
take further steps to identify those shippers who may pose a security
risk. Although TSA has established requirements for passenger and
all-cargo carriers to randomly inspect cargo they transport, the agency
has exempted certain cargo from inspection because of its nature and size.
Local TSA officials and officials representing airports, air carriers, and
indirect air carriers we spoke with recognize that some of these
exemptions may create potential vulnerabilities in the air cargo security
system. To ensure that existing air cargo security requirements are being
implemented, TSA conducts audits, referred to as compliance inspections,
of air carriers and indirect air carriers. These compliance inspections
range from a comprehensive review of the implementation of all air cargo
security requirements by an air carrier or indirect air carrier to a
review of just one or several security requirements. TSA reported
conducting about 37,000 air cargo compliance inspections from January 2003
through January 2005. However, TSA has not determined what constitutes an
acceptable level of performance or compared air carriers and indirect air
carriers' performance against this standard, analyzed the results of
inspections to systematically target future inspections on those entities
that pose a higher security risk to the domestic air cargo system, or
assessed the effectiveness of its enforcement actions taken against air
carriers and indirect air carriers to ensure that they are complying with
air cargo security requirements.

TSA's plans for enhancing air cargo security focus on implementing a
system for targeting and inspecting elevated risk cargo, developing and
testing air cargo inspection technology, and implementing enhancements
proposed in its air cargo security rule. However, these planned
enhancements may pose operational, financial, and technological challenges
to the agency and air cargo industry stakeholders. Specifically, TSA is
developing a system to target elevated risk cargo for inspection that
would minimize the agency's reliance on random inspections. This system,
referred to as Freight Assessment, would compare information on individual
cargo shipments and shippers, among other things, against targeting
criteria to assign a risk level to cargo. Cargo identified as posing an
elevated risk would then be subject to additional inspection through
physical searches or nonintrusive technology, such as X-ray systems. TSA
plans to develop this system because the agency concluded that inspection
of all air cargo would have a negative impact on the flow of commerce and
is currently not technologically feasible. Although the agency
acknowledges that the successful development of the targeting system is
contingent upon having complete, accurate, and current targeting
information, the agency has not yet completed efforts to ensure
information that will be used by the system is reliable. TSA plans to
pilot-test this targeting system in early 2006, with a phased-in
deployment during calendar years 2006 and 2007. TSA is also testing new
and available technologies to determine their applicability to inspecting
air cargo. However, according to TSA officials, the agency will need to
analyze the results of its technology tests before it determines which
technologies will be certified for inspecting elevated risk cargo and
whether it will require carriers to use such technology. Further, through
its proposed air cargo security rule, TSA would require air carriers and
indirect air carriers to secure air cargo facilities, screen all
individual persons boarding all-cargo aircraft, and conduct security
checks on air cargo workers. In commenting on the proposed rule, industry
stakeholders representing air carriers, indirect air carriers, and airport
authorities stated that several of the proposals may be costly and
difficult to implement. Specifically, these industry stakeholders stated
that TSA may have significantly underestimated the costs associated with
implementing these proposed measures, particularly those requiring air
carriers to conduct security threat assessments on thousands of air cargo
workers and random inspections on a percentage of air cargo. TSA estimated
that the proposed air cargo rule will cost $637 million (in discounted
2003 dollars) over a 10-year period to implement. Our analysis of TSA's
estimate identified concerns with the agency's methodology and suggests
that TSA's cost figures may have been underestimated. According to TSA
officials, the agency plans to reassess its cost estimates before issuing
its final air cargo security rule. As of September 2005, the final rule
has not been issued.

We are making several recommendations to assist TSA in strengthening the
security of the domestic air cargo transportation system. These include
(1) developing a methodology and schedule for completing assessments of
air cargo vulnerabilities and critical assets; (2) reexamining the
rationale for existing air cargo inspection exemptions; (3) developing
measures to gauge air carrier and indirect air carrier compliance with air
cargo security requirements; (4) developing a plan for systematically
analyzing and using the results of air cargo compliance inspections to
target future inspections and identify systemwide corrective actions; (5)
assessing the effectiveness of enforcement actions in ensuring air carrier
and indirect air carrier compliance with air cargo security requirements;
and (6) ensuring that the data to be used in the Freight Assessment System
are complete, accurate, and current.

We provided a draft of this report to DHS for review. DHS, in its written
comments, generally concurred with the findings and recommendations in the
report. The full text of DHS's comments is included in appendix VIII.

  Background

Safeguarding the nation's air cargo transportation system is a shared
public and private sector responsibility. While TSA enforces statutory and
regulatory requirements, provides guidance on securing air cargo, and
provides some funding, air carriers and indirect air carriers have
operational responsibility for implementing security requirements issued
by TSA. 14 The Aviation and Transportation Security Act (ATSA) charged TSA
with the responsibility for ensuring the security of the nation's
transportation systems, including the transportation of cargo by air. 15
Specifically, TSA's responsibilities include (1) establishing security
rules and regulations covering domestic and foreign passenger carriers
that transport cargo, domestic and foreign all-cargo air carriers, and
domestic indirect air carriers; 16 (2) overseeing implementation of air
cargo security requirements by air carriers and indirect air carriers
through compliance inspections; and (3) conducting research and
development of air cargo security technologies. 17 Section 130 of ATSA
also requires TSA to take actions consistent with the Government
Performance and Results Act of 1993, which states that agencies must use
outcome-oriented goals and measures that assess results, effects, or
impacts of a program or activity compared with its intended purpose. TSA
officials stated that the agency has developed performance goals for the
overall air cargo security program consistent with the Government
Performance and Results Act. These goals include the percentage of known
shipper cargo inspected on passenger aircraft, the percentage of
regulatory compliance inspections completed, and the percentage of assets
that remain below acceptable levels of risk for all threat scenarios for
air cargo.

14 Airport operators may also be responsible for air cargo security to the
extent that air cargo operations areas overlap with areas of the airport
designated as security identification display areas (SIDA), pursuant to 49
C.F.R. part 1542. Individuals working in a SIDA must have an
airport-approved photo identification that is displayed at all times above
the waist on the individual's outermost garments. To obtain a SIDA
identification badge, a person must successfully undergo a
fingerprint-based criminal history records check and successfully complete
security training. In addition, SIDA access requirements must include
procedures for challenging all persons not displaying appropriate SIDA
photo identification.

15 Other federal entities involved in safeguarding air cargo include the
Department of Homeland Security-U.S. Customs and Border Protection, the
United States Postal Service, the Department of Commerce, the Department
of Transportation, and the Department of the Treasury. See appendix II for
a description of each entity's role and responsibility in securing air
cargo.

16 TSA regulations governing air cargo security are codified at Title 49,
chapter XII, subchapter C, of the Code of Federal Regulations. These
regulations focus on requiring air carriers and indirect air carriers to
develop measures to deter and prevent the carriage of any unauthorized
explosive or incendiary aboard passenger aircraft, including refusal to
transport any cargo if the shipper does not consent to a search or
inspection of that cargo.

17 Federal Security Directors (FSDs) are responsible for overseeing the
implementation of air cargo security requirements at airports nationwide.
The FSDs work with inspection teams composed of Aviation Security
Inspectors (ASIs) to conduct air cargo compliance inspections.

Air carriers (passenger and all-cargo) and indirect air carriers are
responsible for implementing TSA security requirements, including
maintaining a TSA-approved security program that describes the security
policies, procedures, and systems the air carrier and indirect air carrier
must implement in order to comply with TSA security requirements. 18 These
requirements include measures related to the acceptance, handling, and
inspection of cargo; training of employees in security and cargo
inspection procedures; testing employee proficiency in cargo inspection;
and access to cargo areas and aircraft. Although TSA screens or inspects
passengers and their baggage, it does not do so for air cargo. Instead,
TSA regulations assign this responsibility to air carriers. TSA also does
not directly regulate individuals or businesses that have their cargo
shipped by air.

Air cargo includes freight and express packages that range in size from
small to very large, and in type from car engines, electronic equipment,
machine parts, apparel, medical supplies, human remains, to fresh-cut
flowers, fresh seafood, fresh produce, tropical fish, and other perishable
goods. Cargo can be shipped in various forms, including in unit-loading
devices, wooden crates, assembled pallets, or individually wrapped/boxed
pieces, known as break bulk cargo. 19

18

TSA-approved security programs include (1) Aircraft Operators Standard
Security Program (AOSSP), which applies to domestic passenger air
carriers; (2) Indirect Air Carrier Standard Security Program (IACSSP),
which applies to domestic indirect air carriers; (3) Domestic Security
Integration Program (DSIP), a voluntary program that applies to domestic
all cargo carriers; (4) the Twelve-Five Program, which applies to certain
operators of aircraft weighing 12,500 pounds or more in scheduled or
charter service that carry passengers, cargo, or both. TSA's proposed air
cargo security rule making proposes to change the 12-5 weight requirement
to "more than 12,500 pounds"; (5) Model Security Program applies to
foreign passenger air carriers; and (6) All-Cargo International Security
Procedures, which applies to each foreign air carrier engaged in the
transportation of cargo to, from, within, or overflying the United States
in all-cargo aircraft with a maximum certified takeoff weight of 12,500
pounds or more.

19

According to the Federal Aviation Administration, up to 60 percent of the
cargo transported by passenger air carriers is made up of break bulk
items. According to TSA, more recent estimates range from 30 to 40
percent.

Participants in the air cargo shipping process include potentially
millions of individuals and businesses that ship their cargo on all-cargo
aircraft; about 1.5 million known entities, such as manufacturers, that
ship their products on passenger aircraft; about 3,800 indirect air
carriers, also known as freight forwarders, who operate about 10,000
facilities nationwide where they consolidate shipments and deliver them to
air carriers; and 285 passenger and all-cargo air carriers that use their
cargo facilities to store cargo until it is placed onboard an aircraft for
transport. There are about 2,800 such facilities or stations at commercial
United States airports. 20 Figure 1 depicts these participants and the two
primary ways in which a shipper can send cargo by air.

20

Given that the data on the estimated numbers of shippers, air carriers,
and shipping facilities are used for background purposes, we did not
assess the reliability of these data.


In 2004, an estimated 23 billion pounds of cargo was shipped within the
United States by air. About three-quarters of this amount, or 17 billion
pounds, traveled aboard all-cargo aircraft, while the remaining 6 billion
pounds traveled aboard passenger aircraft. 21 Typically, about one-half of
the hulls of each passenger aircraft transporting cargo are filled with
cargo. Air cargo is a significant source of revenue to air carriers,
bringing in about $17 billion for passenger airlines in 2004. 22

To support TSA's efforts to address air cargo security, Congress provided
the agency with varying levels of funding over the last 2 fiscal years.
For example, in fiscal year 2004, Congress, through the DHS 2004
Appropriations Act conference report, directed TSA to spend $85 million
for air cargo security, including $55 million for conducting research and
development of air cargo inspection technologies. 23 In fiscal year 2005,
Congress, through the DHS 2005 Appropriations Act conference report,
directed TSA to spend $118 million for air cargo security activities,
including the hiring of additional air cargo inspectors, continued
research and development of technologies to provide more effective and
efficient methods of detecting air cargo threats, and expanding the number
of TSA-certified explosive detection canine teams deployed to inspect air
cargo. 24 The conference report further requires that DHS act
expeditiously to fully obligate and expend the funding provided for air
cargo security, and directs TSA to provide quarterly reports to the House
and Senate Appropriations Committees beginning in December 2004 on the use
of all funds obligated and plans for the use of unobligated balances
related to air cargo security. The Intelligence Reform and Terrorism
Prevention Act of 2004 (Intelligence Reform Act) also authorized $902
million for air cargo security activities for fiscal years 2005 through
2007, including $200 million each year to improve aviation security
related to the transportation of cargo on both passenger and all-cargo
aircraft, $100 million each year for research and development related to
enhanced air cargo security technology and the deployment and
installation of such enhanced technology, and $2 million to support
efforts to explore alternative technologies for minimizing the potential
effects of detonating an explosive device on cargo and passenger aircraft.
25 The President's fiscal year 2006 budget requested $40 million for TSA
to ensure the security of air cargo. According to the request, this amount
includes funds for supporting the 200 air cargo inspectors, continuing the
development and improvement of the Known Shipper and indirect air carrier
databases, supporting the canine explosive detection program, and
field-testing the agency's air cargo targeting program, among other
things. See appendix III for a timeline of significant events in air cargo
security following the terrorist attacks of September 11, including
additional TSA requirements and enacted legislation.

21

In fiscal year 2003, almost 16 billion pounds of cargo was shipped by air
on international flights to and from the United States.

22

Given that the estimated poundage of cargo shipped on all-cargo and
passenger air carriers and the estimated amount of revenue of air cargo
for air carriers in 2004 are presented for background purposes, we did not
assess the reliability of these data.

23

Department of Homeland Security Appropriations Act, 2004, Pub. L. No.
108-90, 117 Stat. 1137 (2003), H.R. Conf. Rep. No. 108-280, at 37 (2003).

24

Department of Homeland Security Appropriations Act, 2005, Pub. L. No.
108-334, 118 Stat. 1298 (2004), H.R. Conf. Rep. No. 108-774, at 51-52
(2004).

As we have previously reported, given the vast transportation network and
its importance to commerce, quick and easy access for passengers and cargo
must be maintained while identifying the best possible strategies for
security. 26 Consistent with this goal, we have advocated the need to
implement, at TSA and throughout the federal government, a risk management
approach for prioritizing efforts and focusing resources. A risk
management approach entails a continuous process of managing risk through
a series of actions, including setting strategic goals and objectives,
assessing risk, evaluating alternatives, selecting initiatives to
undertake, and implementing and monitoring those initiatives. The
President's fiscal year 2006 budget request recognizes the need for TSA to
identify, prioritize, and manage risks, and mitigate the impact of
potential incidents, to help ensure that the best security strategies are
pursued. Figure 2 depicts a risk management cycle that is a synthesis of
government requirements and best practices, as previously reported. 27
Elements of strategic planning and risk assessments implemented for air
cargo security are separately identified.

25

Pub. L. No. 108-458, §§ 4051-52, 118 Stat. at 3728-29. Congress has yet
to appropriate funds pursuant to this authorization.

26 GAO-05-357T.

27 GAO-05-357T.


Figure 2: Risk Management Cycle

Source: GAO.

TSA has committed to implementing a risk management approach for securing
air cargo and has to date focused its efforts on the first two elements of
this approach, setting strategic goals, objectives, and constraints, and
developing a risk assessment.

Setting strategic goals, objectives, and constraints is a key first step
in implementing a risk management approach and helps to ensure that
management decisions are focused on achieving a purpose. These decisions
should take place in the context of an agency's strategic plan that
includes goals and objectives that are clear and concise. These goals and
objectives should identify resource issues and external factors to
achieving the goals. Further, the goals and objectives of an agency should
link to a department's overall strategic plan. The ability to achieve
strategic goals depends, in part, on how well an agency manages risk. The
agency's strategic plan should address risk-related issues that are
central to the agency's overall mission.

Assessing risk, a critical component of a risk management approach in a
homeland security setting, typically involves three key elements (threats,
vulnerabilities, and criticality) that provide input into the
decision-making process for homeland security. A threat assessment
identifies and evaluates potential threats on the basis of factors such as
capabilities, intentions, and past activities. A vulnerability assessment
identifies weaknesses that may be exploited by identified threats and
suggests options to address those weaknesses. A criticality assessment
evaluates and prioritizes assets and functions in terms of specific
criteria, such as their importance to public safety and the economy, as a
basis for identifying which structures or processes are relatively more
important to protect from attack. Information from these three assessments
can lead to a risk characterization, such as high, medium, or low, and
provides input for prioritizing security initiatives. 28 Table 1 describes
the elements of a risk assessment.

        Table 1: Elements of a Typical Homeland Security Risk Assessment

A threat assessment: Threat is defined as a potential intent to cause harm
or damage to an asset (e.g., natural environment, people, manmade
infrastructures, and activities and operations). Threat assessments
consist of the identification of adverse events that can potentially
affect an entity. Threats might be present at the global, national, or
local level, and their sources include terrorists and criminal
enterprises. Specific threat information may indicate vulnerabilities that
are subject to attack or, following the completion of a risk management
process, may, for instance, indicate that resources should be temporarily
deployed to protect cargo in a particular region of the country or a
specific airport. Even if updated frequently, a threat assessment might
not adequately capture some emerging threats.

A vulnerability assessment: Vulnerability is defined as the inherent state
(either physical, technical, or operational) of an asset that can be
exploited by an adversary to cause harm or damage. Vulnerability
assessments identify these inherent states and the extent of their
susceptibility to exploitation, relative to the existence of any
countermeasures. A vulnerability assessment is generally conducted by a
team of experts skilled in such areas as engineering, intelligence,
security, information systems, finance, and other disciplines.

A criticality assessment: Criticality is defined as an asset's relative
importance given that an event occurs. Criticality or similar consequence
assessments identify and evaluate an entity's assets based on a variety of
factors, including the importance of its mission or function, the extent
to which people are at risk, or the significance of a structure or system
in terms of, for example, national security, economic activity, or public
safety. Criticality or consequence assessments are important because they
provide, in combination with threat and vulnerability assessments,
information for later stages of the risk management process.

Source: GAO.

28 GAO-05-357T.

  TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed
  Assessments of the Risks Posed by Terrorists to the Air Cargo System

TSA has taken initial steps toward applying a risk-based management
approach to address air cargo security but has not yet completed risk
assessments for air cargo security. Specifically, in November 2003, TSA
completed an Air Cargo Strategic Plan that included goals and objectives
that tie into broader aviation and homeland security goals. This plan
incorporates recommendations provided by industry stakeholders and
outlines a threat-based risk management approach for securing the air
cargo transportation system. Specifically, this plan is based on two
primary threats: the introduction of an explosive device on a passenger
aircraft and the hijacking of an all-cargo aircraft resulting in its use
as a weapon to inflict mass destruction. In November 2004, TSA issued a
proposed rule to implement many of the actions identified in the
strategic plan. TSA is also in various stages of assessing the risk posed
by terrorists to the air cargo transportation system, a key aspect of risk
management. However, while TSA has conducted a threat assessment to
identify terrorist threats to the air cargo transportation system, TSA has
not yet conducted assessments to identify air cargo security
vulnerabilities and critical air cargo assets. TSA has acknowledged the
need to conduct these assessments but has not yet completed a methodology
or schedule for completing them. As a result, TSA is limited in its
ability to fully address the risks posed by terrorists because some
potential air cargo security vulnerabilities may have gone undetected.
Further, TSA cannot be assured that it is focusing its resources on those
air cargo assets that are determined to be critical and therefore
represent the most pressing security needs.

    TSA Has Worked with Industry Stakeholders to Develop an Air Cargo Strategic
    Plan

Establishing strategic goals and objectives is the key first component of
a risk management approach. The Government Performance and Results Act of
1993, among other things, requires agencies to prepare an annual
performance plan and directs executive agencies to articulate goals and
strategies for achieving those goals. 29 More specifically, agencies are
required to develop a strategic plan that contains a comprehensive mission
statement covering the major functions and operations of the agency and
outlines how an agency will achieve its goals and objectives. In December
2002, we reported that TSA lacked a comprehensive plan with long-term
goals and performance targets for air cargo security, time frames for
completing security improvements, and risk-based criteria for prioritizing
actions to achieve those goals. 30 We recommended that TSA develop a
comprehensive plan for air cargo security that incorporated a risk
management approach. Specifically, we stated that this plan should provide
a framework for systematically evaluating and prioritizing technological
and operational improvements, and for identifying and implementing
additional improvements. We also stated that such a plan should provide a
framework for developing a system to ensure air cargo security.

29

The Government Performance and Results Act of 1993 (GPRA), Pub. L. No.
103-62, 107 Stat. 285, focuses the federal government on providing
objective, results-oriented information to improve the efficiency and
effectiveness of federal programs, among other things. Under GPRA,
strategic plans are the starting point and basic underpinning for
results-oriented management.

In January 2003, TSA partnered with the Aviation Security Advisory
Committee (ASAC) to establish a working group to address air cargo
security issues. 31 TSA officials stated that the establishment of the
working group was a first step in addressing our recommendation calling
for a risk-based approach to enhancing air cargo security. The ASAC
working group consisted of three subgroups that focused on shipper
acceptance procedures, indirect air carriers, and securing all-cargo
aircraft. These groups collectively developed over 40 recommendations for
enhancing air cargo security that were issued to TSA in October 2003.
Representatives from various sectors of the air cargo industry
participated in these working groups, including those from passenger and
all-cargo carriers, indirect air carriers, government agencies, unions
representing pilots and flight attendants, and the victims from Pan Am
flight 103.

In November 2003, TSA issued its Air Cargo Strategic Plan, which
incorporated many of the ASAC working groups' recommendations to enhance
air cargo security. The plan focuses on securing the air cargo supply and
transportation system through the implementation of a layered security
approach. This includes screening, or reviewing specific information on
all cargo shipments, in order to determine their level of relative risk;
ensuring that 100 percent of cargo identified as posing an elevated risk
is physically inspected; pursuing technological solutions to physically
inspect air cargo; and implementing regulations and programs that support
enhanced security measures. To achieve these goals, TSA's plan identifies
strategic objectives and priority actions for enhancing air cargo security
based on risk, cost, and deadlines.

30 GAO-03-344.

31

ASAC was established in 1989 in the wake of the crash of Pan Am flight 103
to provide the federal government with expert consultation on aviation
security issues. ASAC is composed of 27 organizations with a stake in
securing the aviation sector. The ASAC working groups include groups
representing victims and survivors of terrorist acts, indirect air
carriers, aircraft owners, airports, aircraft manufacturers,
representatives of passenger and all-cargo airline management and labor,
and representatives of federal government agencies. A complete list of
ASAC representatives participating in the air cargo working groups can be
found in appendix IV.

TSA's air cargo security objectives tie into broader aviation and homeland
security goals and objectives contained in TSA's agencywide strategic plan
and the Department of Homeland Security's strategic plan. For example,
TSA's air cargo plan addresses broader agency and departmental goals by
proposing the establishment of a system to identify elevated risk cargo
through prescreening. This goal of the air cargo plan supports one of
TSA's agencywide goals of identifying technology for performing
inspections of elevated risk cargo. In turn, this agencywide goal of TSA
supports DHS's broad goal of safeguarding critical infrastructure,
property, and the nation's economy from terrorism acts or other
emergencies. The air cargo plan also calls for a coordinated effort in
three other strategic areas: enhancing shipper and supply chain security,
identifying technology for performing inspection of elevated risk air
cargo, and securing all-cargo aircraft and operation areas through
appropriate physical security measures. These efforts support TSA's
strategic goal to deter foreign and domestic terrorists and others from
causing harm or disrupting the transportation system by implementing
preventive and protective measures to mitigate risk to this system. DHS's
corresponding strategic goal is to detect, deter, and mitigate threats by
strengthening the security of the nation's transportation systems.

    While TSA Has Identified Terrorist Threats, It Has Not Assessed
    Vulnerabilities and Criticality of Air Cargo Assets

Risk assessment is a systematic process used to analyze threats,
vulnerabilities, and the criticality of assets to better support key
decisions. We have previously reported that without using a risk
management approach, TSA and other federal decision makers cannot know
whether resources are being deployed as effectively and efficiently as
possible to reduce the risk and mitigate the consequences of a terrorist
attack. 32 The importance of a risk management approach was also
highlighted by the National Commission on Terrorist Attacks upon the
United States (also known as the 9/11 Commission). 33 The commission noted
that the United States government should identify and evaluate the
transportation assets that need to be protected, set risk-based priorities
for defending them, select the most practical and cost-effective ways of
doing so, and develop a plan, budget, and funding to implement the effort.
34 The commission further reported that the plan should assign related
roles and missions to the relevant federal, state, and local authorities
and to private stakeholders. TSA has acknowledged the need to assess the
risks associated with air cargo security and is in various phases of
conducting these assessments. However, while TSA has completed an
assessment of air cargo threats, the agency has not yet developed a
methodology or schedule for completing assessments of air cargo
vulnerabilities or critical assets.

32 GAO-05-357T.

TSA Has Identified Terrorist Threats to Air Cargo

In TSA's 2003 Air Cargo Strategic Plan, the agency outlined an approach
for securing the air cargo transportation system based on two threats.
These threats include the introduction of an explosive device on a
passenger aircraft and the hijacking of an all-cargo aircraft resulting in
its use as a weapon to inflict mass destruction. 35

In June 2004, a TSA air cargo security threat assessment confirmed the
threats identified in the agency's Air Cargo Strategic Plan and provided
additional information on other general and specific threats to the air
cargo industry. 36 In October 2004, TSA conducted additional threat
assessments, focusing on United States mail and threats to the United
States commercial aviation system. These assessments identified the same
threats to the air cargo transportation system documented in TSA's June
2004 assessment. More recently, in April 2005, TSA briefed a congressional
committee on threats to the nation's entire transportation sector,
including aviation. The briefing included a threat matrix that ranked the
risk associated with the different transportation modes and showed threats
to the air cargo system that were consistent with previous threat
assessments. (The details of TSA threat assessments and the briefing are
classified.) TSA officials acknowledged the need to periodically reassess
the terrorist threats to air cargo and stated that the agency's air cargo
threat assessment would be updated as new or additional information on air
cargo security threats is identified. 37 In June 2005, TSA officials
requested that the agency's Transportation Security Intelligence Service
(TSIS) update the air cargo threat assessment. According to TSA officials,
they have not been provided a date for when this assessment will be
completed.

33

National Commission on Terrorist Attacks upon the United States, The 9/11
Commission Report: Final Report of the National Commission on Terrorist
Attacks upon the United States (Washington, D.C.: 2004). The 9/11
Commission was an independent, bipartisan commission created in late 2002.

34

Transportation assets include rail and maritime assets, in addition to
aviation assets.

35

Specific information on these threats is considered sensitive security
information and is discussed in more detail in the restricted version of
this report, GAO-05-446SU.

36

Specific information on these threats is considered sensitive security
information and is discussed in more detail in the restricted version of
this report, GAO-05-446SU.

TSA officials stated that because the agency does not independently gather
intelligence information, the agency is dependent upon sources, such as
DHS's Directorate of Information Analysis and Infrastructure Protection,
the Federal Bureau of Investigation (FBI), and the Central Intelligence
Agency, for information on air cargo security-related threats. According
to agency officials, TSA's TSIS reviews intelligence information upon
receipt and analyzes such information to determine whether policy
decisions are needed to address the identified threats. Such policy
decisions could include immediate actions to safeguard air cargo through
the issuance of security directives or long-term strategic planning
efforts to enhance the overall security of the nation's air cargo
transportation system.

Some air cargo industry stakeholders agreed with TSA's decision to focus
efforts on strengthening air cargo security based on the two threats
described in the agency's strategic plan and proposed air cargo security
rule. For example, one passenger air carrier representative said that his
company supported TSA's decision to increase supply chain security in a
post-September 11 environment. However, other air cargo stakeholders noted
that TSA plans to enhance air cargo security do not sufficiently address
another potential threat to the air cargo transportation system.
Specifically, in comments to TSA's proposed air cargo security rule,
associations representing airline pilots, some security technology
experts, airline passenger groups, and airport operators stated that the
third threat, the introduction of an explosive device containing a weapon
of mass destruction on an all-cargo aircraft, warrants greater emphasis in
the agency's near- and long-term air cargo security plans. In discussing
this issue, TSA officials stated that the agency decided to focus on the
two threats cited above because they are the most likely scenarios to
occur. TSA officials also stated that they address potential threats as
needed. In June 2005, TSA officials stated that DHS is concerned about a
new and emerging threat to air cargo on a passenger aircraft. 38 According
to TSA officials, the agency is reviewing the likelihood that this threat
would occur and what actions would need to be taken to mitigate the
threat.

37

As we have previously reported, while threat assessments are a key
decision support tool, it should be recognized that even if updated
frequently, threat assessments might not adequately capture emerging
threats posed by some terrorist groups. No matter how much we know about
potential threats, we will never know whether we have identified every
threat or whether we have complete information even about the threats of
which we are aware. Consequently, a risk management approach to help
prepare for terrorism that supplements threat assessments with
vulnerability and criticality assessments can provide better assurance of
preparedness for a terrorist attack.

TSA Disseminates Air Cargo Security Threat Information, but Industry
Stakeholders Have Varying Views on the Quality of the Information Received

TSA disseminates threat information related to air cargo security to
relevant stakeholders through several methods. TSA officials stated that
they typically notify the Federal Security Directors (FSDs), who are
responsible for overseeing the implementation of air cargo security
requirements at airports nationwide, of the most updated threat
information related to aviation security, to include the security of air
cargo. 39 In turn, the FSDs and responsible field office staff notify
stakeholders, including passenger and all-cargo carriers, of
threat-related information in person or via electronic mail or telephone.
For example, at one airport we visited, TSA and the law enforcement
community hold a monthly meeting in which both classified and
nonclassified information on threat-related information is exchanged among
the participants. In addition, updated threat information can also be
relayed to industry stakeholders, such as air carrier security managers,
via information circulars, emergency amendments, and security directives
issued by TSA, which typically contain new security requirements or other
prescribed actions to take to mitigate the identified threats. In
recognition that some industry stakeholders with a need to know, such as
indirect air carriers, may not be receiving air cargo security threat
information, TSA is proposing through its air cargo security rule to
implement measures allowing for indirect air carrier personnel to receive
such information. Specifically, this proposal would require indirect air
carriers to designate a security coordinator at the corporate level who
would be responsible for implementing security programs and serve as the
point of contact for communications with TSA.

38

Specific information on this threat is considered sensitive security
information and is discussed in more detail in the restricted version of
this report, GAO-05-446SU.

39

FSDs are responsible for the day-to-day operational direction for federal
security at airports. Additionally, FSDs are the ranking TSA authorities
responsible for the leadership and coordination of TSA security activities
at airports.

Air cargo stakeholders we spoke with, including air carrier officials,
expressed various views on the quality of the air cargo threat information
they received from TSA. An official from one of the seven air carriers we
interviewed stated that the threat information provided by TSA was
adequate, while officials from two other carriers stated that the
information lacked specificity about the locations, targets, and assets
being threatened, and was not communicated directly to all cargo industry
stakeholders who may have a need to know such information, such as
indirect air carrier personnel and airline pilots. Officials from these
two carriers stated that in the absence of quality TSA threat information,
they have taken independent steps to compile and analyze potential air
cargo threat information and use this information as a basis to make
informed decisions on whether additional air cargo security measures are
warranted. For example, officials from one of the two carriers stated that
the all-cargo carrier had assigned a full-time staff person to perform
daily reviews and analyses of government and publicly available
information to identify potential threats to its air cargo personnel,
aircraft, and operations resulting from reports of civil unrest, political
instability, the high presence of extremists and terrorist groups, and
anti-United States sentiment in foreign countries. These officials stated
that this information is communicated to corporate managers to facilitate
operational decisions, which could include increased security measures.
Officials from the remaining four air carriers did not comment on the
quality of threat information provided by TSA.

As we have previously reported, dissemination of timely, specific, and
actionable threat information is a key element of effective risk
communication. Our prior work on aviation security has also shown that TSA
faces challenges in ensuring that threat information is effectively
communicated to relevant stakeholders because intelligence information can
be general. 40 In November 2004, we reported that applying risk
communication principles that focus on relaying, to the extent possible,
only timely, specific, and actionable information could provide
organizations like TSA with the best opportunity to achieve the desired
result of effectively communicating with stakeholders. 41

40 GAO, General Aviation Security: Increased Federal Oversight Is Needed, but
Continued Partnership with the Private Sector Is Critical to Long-Term
Success, GAO-05-144 (Washington, D.C.: November 2004).

We discussed the issues raised by industry stakeholders with TSA
officials, who stated that the agency is a consumer of intelligence
and a disseminator of threat-related information to stakeholders and thus
can only provide stakeholders with information it receives. In addition,
intelligence information may be classified or sensitive, thus limiting
with whom it can be shared. 42 Specifically, TSA's TSIS receives
information from the United States intelligence and federal law
enforcement communities. For example, the FBI shares intelligence
information and maintains daily contact with TSA through its liaison
responsible for civil aviation. TSA also participates in the FBI's Joint
Terrorism Task Forces in some FBI field office locations. Upon receipt of
threat information, TSIS reviews the information for its applicability to
the transportation sector. According to TSA officials, on the basis of the
credibility of the information, the agency may obtain an unclassified
version of threat-related intelligence so that it may be disseminated to
TSA field office officials and stakeholders.

TSA Has Not Completed a Methodology or Established a Schedule for
Conducting Assessments of Air Cargo Vulnerabilities and Critical Assets

TSA has not yet completed a methodology or established a schedule for
completing a post-September 11 assessment of air cargo vulnerabilities to
identify the range of security weaknesses that could be exploited by
terrorists or an assessment of critical assets that need to be protected.
TSA is in the early stages of developing a methodology for conducting a
post-September 11 assessment of air cargo security vulnerabilities.
However, according to officials, limited resources and competing
priorities have delayed agency efforts to conduct such an assessment. 43
TSA officials stated that after completing its vulnerability assessments
and analyzing the results, the agency may propose measures to address
identified vulnerabilities. TSA also has not yet developed a methodology
for conducting criticality assessments of air cargo assets. TSA officials
stated that they anticipate conducting three air cargo vulnerability
assessments beginning in June 2005 at locations yet to be determined and
will decide whether additional assessments are needed based on the results
of these initial assessments. However, TSA has not established a schedule
for when it would complete these vulnerability assessments, nor has it
established a schedule for completing criticality assessments. TSA
officials stated that the agency will use vulnerability assessment tools
such as the agency's Transportation Risk Assessment and Vulnerability
Evaluation tool and Web-based Vulnerability Identification Self-Assessment
Tool for conducting its vulnerability assessments of the air cargo system.
44 However, as of September 2005, these tools have not been modified for
use in conducting such assessments. Further, TSA officials did not
establish a schedule for when these tools would be ready for use, thus
raising concerns whether TSA will have the necessary tools available to
begin conducting its vulnerability assessments.

41 GAO-05-357T.

42 For example, Executive Order 13292-Further Amendment to Executive Order
12958, as Amended, Classified National Security Information, March 25,
2003-limits the distribution of classified information, while 49 C.F.R.
part 1520 limits TSA's ability to distribute sensitive security
information to persons with a need to know.

43 In May 2005, TSA staff identified a number of potential vulnerabilities
across the air cargo supply chain, including those related to entities
involved in the air cargo shipping process.

According to TSA's Air Cargo Strategic Plan, the agency's plans for
enhancing air cargo security considered air cargo system vulnerabilities
identified by GAO, the Department of Transportation's Inspector General,
and the Federal Aviation Administration. For example, in October 2001, the
Federal Aviation Administration conducted an assessment of air cargo
security that focused on the pathways by which a terrorist may introduce
an improvised explosive device into the cargo hold of a passenger
aircraft. Some air cargo vulnerability scenarios, however, were not
addressed. Other air cargo vulnerabilities identified relate to the
adequacy of background investigations for all persons handling cargo,
possible tampering with cargo during transport, and the illegal shipment
of hazardous materials. We and others have also reported that the amount
of cargo theft that occurs in these locations, which is estimated to range
into the billions of dollars annually, indicates potential weakness in
security, including air cargo security. 45 Recent news reports of air cargo
workers stealing goods from all-cargo aircraft intended for United States
military personnel further illustrate this concern.

44 According to TSA, its Transportation Risk Assessment and Vulnerability
Evaluation Tool could be used to assess and analyze the vulnerability of
those air cargo system assets TSA determines to be nationally critical.
Specifically, the tool assesses an asset's baseline security system and
that system's effectiveness in detecting, deterring, and preventing
various threat scenarios. Established threat scenarios contained in the
tool outline a potential threat situation, including the target,
threatening act, aggressor type, and tactic/dedication, among other
things. In addition, the tool includes a cost performance component that
compares the costs of implementing a given countermeasure with the
reduction in relative risk to that countermeasure. TSA's Vulnerability
Identification Self-Assessment Tool could be used to assess and analyze
vulnerabilities for assets that TSA determines to be less critical. This
Web-based self-assessment tool is intended to guide the user through a
series of security-related questions to develop a security baseline of the
asset and provide mitigation strategies for use when the national threat
level is increased.

Various sources have highlighted the importance of TSA's efforts to assess
air cargo vulnerabilities. Specifically, TSA officials have acknowledged
the need to conduct a post-September 11 vulnerability assessment to both
validate existing vulnerabilities in the air cargo security system and
identify new ones. 46 In addition, air carrier representatives we spoke
with said that a TSA-led vulnerability assessment would facilitate their
efforts to comprehensively document air cargo security weaknesses and
develop measures that would effectively mitigate the identified
weaknesses. These air carrier representatives added that TSA's assessment
process should also be ongoing and repeated as needed to reflect major
changes in the air cargo threat environment. In addition, in December
2003, the President issued a directive calling for assessments of the
vulnerability of critical infrastructure to assist in developing the
nation's homeland security strategy. 47 TSA has also taken the
departmental lead in developing a National Strategy for Transportation
Security, for which air cargo vulnerability assessments may provide
critical information. 48

45 We previously reported that the National Cargo Security Council, now
referred to as the International Cargo Security Council, a coalition of
public and private transportation organizations, estimates that cargo
theft among all modes of transportation accounts for more than $10 billion
in merchandise losses each year. The FBI estimates that the majority of
cargo theft in the United States occurs in cargo terminals, transfer
facilities, and cargo consolidation areas. GAO, Vulnerabilities and
Potential Improvements for the Air Cargo System, GAO-03-344 (Washington,
D.C.: December 2002).

46 TSA officials stated that air cargo security vulnerabilities were
considered but not fully addressed during joint FBI assessments of airport
security conducted in 2003. As a result, TSA considered these assessment
results of limited value in identifying the vulnerabilities associated
with the air cargo transportation system.

47 On December 17, 2003, President Bush issued a Homeland Security
Presidential Directive (HSPD-7) addressing critical infrastructure
identification, prioritization, and protection. The directive calls for
federal departments and agencies to identify, prioritize, and coordinate
the protection of critical infrastructure and key resources in order to
prevent, deter, and mitigate the effects of deliberate efforts to destroy,
incapacitate, or exploit them. The directive also requires federal
departments and agencies to work with state and local governments and the
private sector to accomplish this objective. DHS's Interim National
Infrastructure Protection Plan was issued in February 2005. Transportation
systems are 1 of 17 sectors identified in the national infrastructure
protection plan.

Data on air cargo security breaches could also provide useful information
to identify the full range of potential air cargo security vulnerabilities
by exposing weaknesses in air cargo security procedures that would
otherwise not be detected. However, TSA has not defined what constitutes a
breach of air cargo security, even though it has defined breaches of
security in other areas of aviation security, such as passenger and
airport access controls. 49 Specifically, TSA officials stated that the
agency has not yet determined the difference between a security breach and
a violation of air cargo security requirements identified through its
regulatory oversight of air carriers and indirect air carriers. In our
discussions with TSA officials, TSA agreed that an air cargo security
breach could consist of an event that exposes vulnerabilities in air cargo
security procedures that would not necessarily be detected during a TSA
compliance inspection. TSA officials acknowledged that such events could
include instances of human stowaways in aircraft cargo holds, an event for
which TSA issued security directives calling for random inspection of
cargo on all-cargo aircraft to deter and detect future occurrences.
Although TSA officials agreed that data on air cargo security breaches
could provide useful information to identify potential security
weaknesses, the agency does not have plans to define what constitutes a
breach of air cargo security or compile information on these breaches.

48 The Intelligence Reform Act required the Department of Homeland Security
to develop a National Strategy for Transportation Security and
transportation sector specific security plans by April 1, 2005. On April
5, 2005, the Department of Homeland Security issued a letter notifying
Congress that TSA has taken the departmental lead for developing the
national strategy but that its issuance would be delayed by 2 to 3 months
to allow for integration of various other strategic transportation
security documents.

49 A breach of security does not necessarily mean that a threat was imminent
or successful. According to TSA officials, the significance of a breach
must be considered in light of several factors, including the intent of
the perpetrator, and whether existing security measures and procedures
successfully responded to and mitigated the breach so that no harm to
persons, facilities, or other assets resulted. A breach of passenger
security, for example, may occur when a passenger bypasses a security
checkpoint. Regarding airport access controls, a breach may involve an
unauthorized individual gaining access to a runway.

In addition to lacking some data on air cargo vulnerabilities, TSA has not
developed a methodology or schedule for completing assessments to identify
those air cargo assets deemed most critical to protect. Air cargo
assets could include workers, facilities, aircraft, and airports in
heavily populated areas, among other things. According to TSA officials,
the agency is still in the process of determining the methodology it will
use to conduct criticality assessments of air cargo assets, as well as the
criteria for identifying such assets. The criteria could include factors
such as the number of fatalities that could occur during an attack on an
airport cargo facility or the economic and political importance of the
cargo facility. TSA officials stated that the agency's efforts to identify
critical air cargo assets have been delayed because of limited resources
and competing aviation security priorities. To facilitate the development
of a methodology for identifying critical air cargo assets, such as
indirect air carriers and their facilities, TSA officials stated that the
agency planned to contract with the National Safe Skies Alliance to
compile business and location information on the nation's entire
population of indirect air carriers, and to map out in detail the various
ways cargo can flow through the supply chain. 50 However, TSA officials
stated that they decided not to fund this effort because of its cost.
According to TSA officials, the agency plans to capture information on the
entire population of indirect air carriers and the location of their
facilities through its centralized indirect air carrier database, which
was deployed in May 2005. TSA officials stated that this database will
provide the agency with more detailed information on these critical
assets.

The need for an assessment of critical transportation infrastructure,
which could include the nation's air cargo transportation system, has been
identified by various sources. For example, the 9/11 Commission reported
that the United States government should identify and evaluate the
transportation assets that need to be protected, set risk-based priorities
for defending them, select the most practical and cost-effective ways of
doing so, and develop a plan, budget, and funding to implement the effort.
Moreover, DHS's 2005 Interim National Infrastructure Protection Plan
highlights the need for criticality assessments of transportation
infrastructure, beginning with the identification of critical or key
assets. TSA officials acknowledged that completed criticality assessments
could better enable the agency to prioritize its efforts by focusing on
high-priority or high-value air cargo assets, and by targeting resources
to cost-effectively address the most critical air cargo security risks.
Moreover, criticality assessments could provide the basis for taking
immediate protective actions depending on the threat environment and the
need, as well as future agency decisions related to securing the air cargo
supply chain.

50 The National Safe Skies Alliance is a nonprofit organization that tests
technology and often contracts with the federal government.

In the absence of completed vulnerability and criticality assessments, TSA
officials stated they are using available threat intelligence, expert
judgment, and information about past terrorist incidents to select and
prioritize their efforts to address air cargo security needs, including
determining where to place TSA's cadre of 200 dedicated air cargo
inspectors. For example, TSA officials said that in 2004, the agency
allocated the first 100 of its 200 dedicated air cargo inspectors to
airports with the highest volume of air cargo. Officials also stated that
other factors considered in determining the allocation of inspectors
included whether the airport was considered high-risk because of its
geographic location, and the number of air carriers and indirect air
carriers operating at that airport, as well as other airport-specific
issues. TSA officials stated that the agency will continue to use such
rationales in determining where to allocate its remaining dedicated air
cargo inspectors until criticality assessments are completed.

  TSA Has Implemented Actions Intended to Strengthen Air Cargo Security, but
  Factors Exist That May Limit Their Effectiveness

TSA has implemented a variety of actions intended to strengthen the
security of air cargo as it works to fully implement a risk management
approach for securing air cargo. Specifically, these measures focus on
four areas: (1) improving the screening and inspection of air cargo, (2)
strengthening the physical security of aircraft and cargo operation areas,
(3) conducting security checks on cockpit crew members, and (4) verifying
and validating the identity of indirect air carriers. However, factors
exist that may limit the effectiveness of these measures. For example, the
information in TSA's database on known shippers is incomplete because
participation is voluntary, and the information in the database may not be
reliable. In addition, exemptions in TSA's random cargo inspection
requirements may leave the air cargo system vulnerable to terrorist
attack. Further, TSA has not developed performance measures to determine
to what extent air carriers and indirect air carriers are complying with
air cargo security requirements, analyzed the results of inspections to
systematically target future inspections on those entities that pose a
higher security risk to the domestic air cargo system, or assessed the
effectiveness of its enforcement actions in ensuring air carrier and
indirect air carrier compliance with air cargo security requirements.

    TSA Has Implemented Various Actions Aimed at Strengthening Air Cargo
    Security

Prior to the events of September 11, the Federal Aviation Administration
was responsible for overseeing the security of domestic air cargo.
Security regulations and rules in place at that time focused on preventing
the introduction and transport of any unauthorized explosive or incendiary
via cargo aboard passenger aircraft and included requirements related to
the acceptance, handling, and inspection of cargo, and access to cargo
areas and aircraft, among other things. Since its establishment in
November 2001, TSA has implemented additional actions intended to
strengthen domestic air cargo security, several of which built upon
preexisting requirements. According to TSA, the new actions were
implemented in the aftermath of the terrorist attacks on September 11, to
address general threats to the nation's aviation transportation system,
specific threats to air cargo, and incidences of exploited vulnerabilities
in existing air cargo security programs and requirements. Specifically,
these actions focus on four areas: (1) improving the screening of air
cargo, including prohibiting shipments from unknown shippers on passenger
aircraft, and requiring air carriers to perform random cargo inspections
for weapons, explosives, and stowaways; (2) strengthening the physical
security of aircraft and cargo operation areas, including controlling
access around aircraft; (3) conducting security checks on cockpit crew
members, among others, consisting of checks against TSA no-fly and
selectee lists, and other terrorist-related law enforcement or
intelligence databases; and (4) verifying the identity of indirect air
carriers to identify entities potentially posing a security risk.
According to TSA officials, while some of these actions, such as random
cargo inspections, are designed to serve as interim measures until a more
comprehensive risk management approach to air cargo security can be
implemented, others, such as the centralized Known Shipper database and
system to verify indirect air carriers, will be used to support their
planned risk management approach. 51

51 Specific actions TSA has taken or required air carriers and indirect air
carriers to take to enhance the security of the nation's air cargo
transportation system are considered sensitive security information and
have therefore been removed from this report. A description of these
actions is provided in the restricted version of this report,
GAO-05-446SU.

TSA has implemented requirements for conducting security checks on cockpit
crew members for both passenger and all-cargo aircraft. This requirement
was implemented to ensure that individuals who pose a potential terrorist
threat are not permitted to board or access an aircraft. In addition, TSA
implemented an automated system to recertify indirect air carriers, and
took steps to verify the accuracy of information for each indirect air
carrier to identify entities posing a security risk. 52 TSA
took these steps in recognition that indirect air carriers could pose a
potentially serious vulnerability in the air cargo transportation system
and because the historic paper-based process for certifying indirect air
carriers was time-consuming and cumbersome. 53 Specifically, in May 2004,
TSA began operating a Web-based system that allowed indirect air carriers
the option of electronically submitting information to revalidate their
status in lieu of submitting paper renewal forms. The system also informs
indirect air carriers via e-mail when their certification is due to
expire. According to TSA officials, in May 2005, the agency allowed
indirect air carriers to submit initial certification applications
on-line. TSA's proposed air cargo security rule would require indirect air
carriers to use the agency's automated system to obtain initial indirect
air carrier certification and to apply for recertification.

Air cargo industry stakeholders have also independently taken measures to
enhance air cargo security. However, several officials representing air
carriers and indirect air carriers we spoke to stated that they were
generally reluctant to invest resources on implementing security measures
beyond those required by TSA. Specifically, these representatives stated
that they were waiting for TSA to finalize its proposed air cargo security
rule, due in mid-August 2005, before spending funds on security measures
that may differ from those that would be required by TSA. As of September
2005, this rule has not been issued. We did, however, identify some
examples of air carriers and indirect air carriers that have taken actions
to address air cargo security that went beyond implementing measures
currently required by TSA. Specifically, officials representing 8 of the
11 air carriers and indirect air carriers we spoke with stated that they
had implemented security measures beyond those required by TSA. According
to some of the 8 air carrier and indirect air carrier officials, while
some of these actions focus on safeguarding cargo from theft, they also
have applicability to cargo security and mitigating terrorist threats.
These actions include inspecting a higher percentage of air cargo than
required by TSA and conducting recurring security training for air cargo
workers, among other things. 54

52 To become a certified TSA indirect air carrier, an entity must provide TSA
with a written application and meet certain eligibility criteria.

53 Specific TSA actions taken to identify indirect air carriers who may pose
a security risk are sensitive security information and described in the
restricted version of this report, GAO-05-446SU.

    Known Shipper Program May Not Provide Adequate Assurance That Shippers Are
    Trustworthy and That Air Cargo Transported on Passenger Aircraft Is Secure

ATSA requires the screening of all passengers and property, including
cargo, United States mail, and carry-on and checked baggage that is
brought aboard commercial passenger aircraft. TSA has primarily relied on
its Known Shipper program to ensure that cargo transported on passenger
air carriers is screened in accordance with this requirement. 55 The Known
Shipper program allows individuals or businesses with established
histories to ship cargo on passenger carriers. 56 However, the Known
Shipper program has weaknesses and may not provide adequate assurance that
shippers are trustworthy and that air cargo transported on passenger air
carriers is secure. 57

As part of the Known Shipper program, in February 2004, TSA deployed a
voluntary centralized Known Shipper database designed to streamline the
process by which shippers are made known to carriers with whom they
conduct business. 58 As of May 2005, TSA reported that the database is
being used by 89 air carriers and over 500 indirect air carriers and
contains information on approximately 400,000 known shippers. Prior to the
database being implemented, each air carrier and indirect air carrier was
responsible for maintaining its own information on its known shippers. As
a result, each carrier had to repeat the process of making new shipping
customers known when that shipper was already known to another carrier.
The centralized database allows carriers and indirect air carriers to
electronically ascertain the status of shippers unknown to carriers and
indirect air carriers. Specifically, an electronic message is provided to
the air carrier or indirect air carrier indicating whether or not the
shipper is a known shipper. If the shipper is known, a unique shipper
identification number is electronically provided to the carrier, and the
cargo can be accepted from that shipper as known shipper cargo and shipped
on a passenger aircraft. TSA officials stated that these known shipper
data are automatically compared with the names of restricted entities. If
the shipper is a restricted entity, the carrier would receive a warning
against receiving shipments from that entity. Local TSA officials at
airports we visited and associations representing air carriers, law
enforcement, and pilots we spoke with stated that while the Known Shipper
program may provide some security benefit, it is by itself an insufficient
security safeguard and must be supplemented by other security measures. 59

54 Details on security actions and measures reported by air carriers and
indirect air carriers that exceed TSA requirements are discussed in the
restricted version of this report, GAO-05-446SU.

55 According to TSA's Chief Counsel, screening is not limited to inspection
but may include a variety of methods for evaluating persons and property.
On the basis of the Chief Counsel's definition, TSA has taken the position
that identifying cargo as coming from a known shipper constitutes
screening.

56 The Known Shipper program was created prior to the events of September 11
to establish procedures for differentiating between shippers that are
known and unknown to an indirect air carrier or air carrier. ATSA
acknowledged that the Known Shipper program is a mechanism for screening
cargo placed on passenger aircraft. TSA security requirements do not allow
for unknown shipments to be placed on passenger aircraft.

57 Specific Known Shipper program requirements are considered sensitive
security information and are described in more detail in the restricted
version of this report, GAO-05-446SU.

58 Prior to September 11, indirect air carriers were allowed to accept cargo
from unknown shippers for transport on passenger aircraft. At that time,
cargo from unknown shippers was required to be screened by the indirect
air carrier or identified to the passenger aircraft operator so that the
aircraft operator could screen the cargo. After September 11, security
directives and emergency amendments were issued to both indirect air
carriers and aircraft operators; these precluded the transport of unknown
shipper cargo on passenger aircraft. The prohibition regarding unknown
shipper cargo on passenger aircraft is still in place today.

Following the terrorist acts of September 11, TSA issued security
directives which require that passenger air carriers only transport cargo
from shippers who meet certain eligibility criteria. 60 However, these
requirements may not by themselves deter or prevent terrorists from
meeting the Known Shipper program's basic eligibility criteria and thus
becoming known shippers. 61 According to TSA officials, the new Known
Shipper program requirements are one of several layers of air cargo
security (including random cargo inspections conducted by air carriers,
comparing information on cargo cockpit members against terrorist watch
lists, and securing access to aircraft and cargo operation areas) aimed at
deterring and preventing terrorists from doing harm. 62

59 Specific Known Shipper program weaknesses identified by local TSA
officials and air cargo industry associations are considered sensitive
security information and described in more detail in the restricted
version of this report, GAO-05-446SU.

60 TSA security directives also require that passenger air carriers only
transport cargo from shippers that could either be verified through the
agency's automated Known Shipper database or from shippers that meet other
known shipper criteria.

61 Specific problems identified with the Known Shipper program are considered
sensitive security information and described in more detail in the
restricted version of this report, GAO-05-446SU.

TSA currently estimates that the agency's centralized database contains
information on about 400,000 known shippers, or less than one-third of the
total population of known shippers, which TSA estimates at about 1.5
million known shippers. 63 Moreover, we determined that the information
contained in the agency's database may not be reliable. 64 TSA is planning
to address the problems associated with the Known Shipper database by,
among other things, proposing that air carriers and indirect air carriers
be required to submit information on their known shippers into the
database. According to TSA officials, information in the Known Shipper
database could be used in a variety of ways to identify shippers who pose
a risk to the air cargo transportation system. 65 For example, analyses of
known shipper data could include those already being conducted for
indirect air carriers. 66

62 Terrorist watch lists provide decision makers with information about
individuals who are known or suspected of being a terrorist, among other
things. These lists are developed, maintained, or used by federal, state,
and local government entities, as well as by private sector entities, and
contain various types of data.

63 According to some industry estimates, the total population of known
shippers may range up to 3 million.

64 Specific problems with TSA's Known Shipper database are considered
sensitive security information and described in the restricted version of
this report, GAO-05-446SU.

65 The conference report accompanying the fiscal year 2005 Department of
Homeland Security Appropriations Act directs TSA to work more aggressively
to strengthen air cargo security by strengthening the Known Shipper
program to include regular security checks on all known shippers to ensure
that they are not compromising security standards.

66 Information on other types of analyses that could be performed to identify
known shippers posing an elevated security risk is considered sensitive
security information and is discussed in more detail in the restricted
version of this report, GAO-05-446SU.

    TSA Implemented Random Air Cargo Inspection Requirements as an Interim
    Security Measure, but Inspection Exemptions May Leave the Air Cargo System
    Vulnerable to Terrorist Attack

In November 2003, TSA required air carriers to conduct random inspections
of air cargo transported on passenger and all-cargo aircraft. 67 TSA
officials stated that the agency views random inspections as an interim
security measure until a risk-based approach that targets elevated risk
cargo for inspection is implemented. As previously noted, inspection
refers to some level of examination of cargo, which can include manual
physical searches and the use of nonintrusive technology to ensure that
cargo does not contain an improvised explosive device or stowaway. TSA
established the requirements for random inspection to address threats to
the nation's aviation transportation system and to reflect the agency's
position that inspecting 100 percent of air cargo was not technologically
feasible and was potentially disruptive to the flow of air commerce. TSA
officials stated that through these random inspection requirements, the
agency attempted to balance the need for increased security with the need
to allow for the flow of air commerce. TSA officials added that the random
nature of the inspections adds an additional layer of security to the air
cargo transportation system by inserting a level of uncertainty into the
inspection process, thus creating a deterrent effect to terrorists.

As of May 2005, TSA required that passenger carriers randomly inspect a
specific percentage of nonexempt items, and that all-cargo carriers
randomly inspect a different percentage of nonexempt items. 68 According
to TSA officials, the agency issued an amendment to air carriers' security
programs on April 25, 2005, to triple the percentage of cargo inspected on
passenger aircraft to address a provision in the fiscal year 2005
Department of Homeland Security Appropriations Act. 69 According to TSA
officials, the increase in the percentage of nonexempt cargo items
inspected was to be phased in by the end of July 2005. TSA officials
stated that they chose to exempt certain cargo from the requirement for
random inspection because it did not view the exempted cargo as posing a
significant security risk. 70

67

TSA requirements described in aircraft operator standard security programs
and security directives allow air carriers to use several methods and
technologies to inspect air cargo, including manual physical searches,
X-ray systems, explosive trace detection systems, decompression chambers,
and explosive detection systems and TSA-certified explosives detection
canines for use in inspecting checked baggage, among other methods.

68

Details on the percentage of cargo required to be randomly inspected are
considered sensitive security information and described in the restricted
version of this report, GAO-05-446SU.

69

Pub. L. No. 108-334, § 513, 118 Stat. at 1317.

In an effort to address the threats identified for all-cargo aircraft, TSA
focused its inspection requirements for all-cargo air carriers on specific
areas that address known threats. Similarly, in an effort to address the
threats identified for passenger aircraft, TSA focused its inspection
requirements for passenger air carriers on items that could potentially
contain an explosive device. Four local TSA officials and airport and air
carrier officials we spoke with at airports we visited stated that
existing inspection exemptions could pose a potential vulnerability to the
air cargo security system. According to industry stakeholders, including
two air carriers and four local TSA officials we spoke to, while the
rationale for exempting certain types of cargo from inspection is
understandable, the exemptions may create potential security risks and
vulnerabilities. 71

Without examining the rationale of current air cargo inspection exemptions
in light of potential vulnerabilities associated with these exemptions,
TSA cannot be assured that increasing the percentage of cargo inspected by
air carriers, as required by recent legislation, will enhance air cargo
security. Airport, air carrier, and indirect air carrier officials we
interviewed agreed that the rationale for these exemptions should be
reviewed and potentially reconsidered in light of the potential
vulnerability associated with the exemptions. According to TSA officials,
the agency has no plans to revise its current inspection exemptions for
cargo transported on passenger air carriers.

Further, because of existing inspection exemptions for cargo transported
on passenger air carriers, a significant portion of this cargo is not
subject to physical inspection. Specifically, at 4 of the 12 airports we
visited, we observed cargo being loaded and unloaded onto both passenger
and all-cargo aircraft. During these four visits, a considerable amount of
cargo we observed being loaded and unloaded was exempt from inspection. 72
While we did not directly observe cargo inspections conducted by air
carriers, we discussed the quality of the inspections with air cargo
industry stakeholders, including air carriers. Officials from four air
carriers we spoke with stated that the quality and thoroughness of cargo
inspections on passenger aircraft varied. 73 The quality of air cargo
inspections is also the subject of an ongoing Department of Homeland
Security Inspector General review.

70

Details on the types of cargo transported on passenger and all-cargo
carriers exempt from TSA random inspection requirements are considered
sensitive security information. A description of these exemptions is
provided in the restricted version of this report, GAO-05-446SU.

71

Details on the specific items to be inspected by air carriers and on how
existing inspection exemptions may create potential security risks
and vulnerabilities are considered to be sensitive security information
and discussed in the restricted version of this report, GAO-05-446SU.

    TSA's Inspection Program May Not Be Effective in Ensuring Air Carrier and
    Indirect Air Carrier Compliance with Air Cargo Security Requirements

As discussed previously, air carriers and indirect air carriers have the
primary responsibility for implementing domestic air cargo security
requirements, in contrast to the screening of passengers and baggage, for
which TSA has operational responsibility. For air cargo, TSA's role is to
ensure that air carriers and indirect air carriers are complying with TSA
security requirements. TSA determines industry compliance with existing
air cargo security requirements through regulatory audits or inspections.
74 Although the agency has significantly increased the number of
inspections it conducts, TSA has not (1) developed performance measures to
determine to what extent air carriers and indirect air carriers are
complying with air cargo security requirements; (2) analyzed the results
of inspections to systematically target future inspections on those
entities that pose a higher security risk to the domestic air cargo
system; or (3) assessed the effectiveness of its enforcement actions in
ensuring air carrier and indirect air carrier compliance with air cargo
security requirements.

TSA's Air Cargo Security Compliance Inspection Program

TSA inspections can include reviews of documentation, interviews of
carrier personnel, direct observations of air cargo operations, and
testing by inspectors to determine whether air carriers and indirect air
carriers are in compliance with air cargo security requirements. TSA's 950
inspectors are responsible for inspecting 285 passenger and all-cargo air
carriers with about 2,800 cargo facilities nationwide, as well as 3,800
indirect air carriers with about 10,000 domestic locations. Of TSA's 950
aviation security inspectors located at airports throughout the United
States, 750 are considered generalists who conduct a variety of aviation
security inspections, and 200 are dedicated to conducting air cargo
inspections.

72

Estimates of the percentage of cargo inspected by air carriers are
considered sensitive security information and discussed in the restricted
version of this report, GAO-05-446SU.

73

Details on the quality of air cargo inspections are considered sensitive
security information and discussed in the restricted version of this
report, GAO-05-446SU.

74

TSA compliance inspections are fundamentally different from air carriers'
inspections of cargo. TSA inspections are designed to ensure air carrier
compliance with air cargo security requirements, while air carrier
inspections focus on ensuring that cargo does not contain weapons,
explosives, or stowaways.

Domestic passenger air carriers have 11 separate areas of cargo security
that are subject to inspection, while indirect air carriers have 12 areas
that are subject to inspection. All-cargo carriers that have implemented
the voluntary all-cargo security program have 24 areas that are subject to
inspection. These areas of inspection include access to cargo, cargo
acceptance, including cargo from known shippers, and security training and
testing. In TSA's Annual Inspection and Assessment Plan for fiscal year
2004, the agency revised its approach for ensuring compliance with air
cargo security regulations by increasing the number of inspections yet
narrowing the focus. Specifically, prior to fiscal year 2004, TSA's goals
were to inspect each air carrier and indirect air carrier once a year and
cover all aspects of air cargo security (known as comprehensive
inspections). Beginning in fiscal year 2004, TSA's new approach involved
visiting air carriers and indirect air carriers but inspecting only some
of the air cargo specific inspection areas (known as supplementary
inspections). According to TSA officials, the new inspection process uses
risk management principles that consider threat factors, local security
issues, and input from law enforcement to target key vulnerabilities and
critical assets. TSA added that the new process also takes into account
how to use the agency's limited inspection resources most effectively. As
a result, TSA's approach provides the local FSD at each airport the
responsibility for determining the scope and emphasis of the inspections,
as well as discretion for how to assign local inspection staff. TSA
provides local airport FSDs and inspectors with goals for the number of
inspections to be conducted per quarter. TSA's Annual Inspection and
Assessment Plan for fiscal year 2005 established air cargo inspection
goals.

According to TSA officials, following the terrorist attacks of September
11, the primary focus of inspectors was to monitor passenger and baggage
screening operations rather than to conduct air cargo compliance
inspections. Officials added that the agency was not able to conduct a
large number of inspections of air carriers and indirect air carriers
prior to January 2003 because of limited personnel assigned to perform
these tasks and agency decisions to direct these resources to address
other areas of aviation security. More recently, TSA has focused on
increasing the number of air cargo inspections. Our analysis of TSA data
shows that the number of inspections conducted in 2004 rose over 10-fold
from the number conducted in 2003. TSA officials stated that several
factors account for the increase in the number of inspections, including
the hiring, training, and deployment of dedicated cargo inspectors, and a
shift in the agency's focus from conducting comprehensive inspections that
cover all aspects of air cargo security to supplemental inspections that
cover only some of the 24 air cargo specific inspection areas.

TSA established an automated Performance and Results Information System
(PARIS) to compile the results of cargo inspections and the actions taken
when violations are identified. 75 Our analysis of PARIS inspection
records shows that between January 1, 2003, and January 31, 2005, TSA
conducted 36,635 cargo inspections of air carriers and indirect air
carriers and found 4,343 violations. 76 Figure 3 shows TSA's air cargo
security compliance inspection volumes by month, from January 1, 2003, to
January 31, 2005. 77

75

The PARIS database, established in July 2003, provides TSA a Web-based
method for entering, storing, and retrieving performance activities and
information on TSA-regulated entities, including air carriers and indirect
air carriers. PARIS includes profiles for each entity, inspections
conducted by TSA, incidents that occur throughout the nation, such as
instances of bomb threats, and investigations that are prompted by
incidents or inspection findings.

76

We requested all of TSA's compliance inspection data, starting in November
2001. According to TSA, agency efforts to conduct air cargo compliance
inspections during calendar years 2001 and 2002 were minimal. Moreover,
documentation of inspection results for that period was problematic in
part because of the way the Federal Aviation Administration reported
compliance inspection data, which made it difficult to migrate the Federal
Aviation Administration's data into TSA's PARIS system.

77

TSA reported conducting 40,372 inspections during the same period, but we
removed duplicate information found in the data. TSA did not provide
unique identification numbers for each inspection; therefore, we developed
a methodology for counting individual inspections based on factors
including type of inspection, entity inspected, and location and date of
inspection.

Figure 3: TSA Air Cargo Security Compliance Inspection Results for the
Period between January 1, 2003, and January 31, 2005

[Figure: number of inspections per month (vertical axis, 0 to 3,500),
January 2003 through January 2005.]

Source: GAO analysis of TSA data.

TSA Has Not Developed Performance Measures to Determine an Acceptable
Level of Compliance with Air Cargo Security Requirements

Although TSA has compiled information on the number of air cargo security
compliance inspections conducted and the number of violations identified,
the agency has not determined what constitutes an acceptable level of
performance or compared air carriers' and indirect air carriers'
performance against this standard. As previously noted, TSA officials
stated that the agency has developed performance goals for the overall air
cargo security program consistent with the Government Performance and
Results Act. The agency, however, has not established performance measures
to determine an acceptable level of compliance by air carriers and
indirect air carriers with air cargo security requirements. Performance
measures are indicators used to gauge performance and are meant to address
key aspects of performance for a program and help decision makers assess
program accomplishments and improve program performance. Such measures are
also called for by our internal controls standards to enable agencies to
compare and analyze actual performance data against expected or planned
goals. Without such measures, TSA cannot assess the performance of
individual air carriers or indirect air carriers against national
performance averages or goals that would allow TSA to target inspections
and other actions on those that fall below acceptable levels of
compliance. According to TSA officials, the agency is currently working on
developing short-term and long-term outcome measures for air cargo
security, but they could not provide a timetable for when this effort
would be completed. In addition, TSA officials acknowledged that the
agency will need to compile sufficient data to determine the agency's
progress in meeting such measures. Until these measures are established,
TSA cannot readily determine how carriers' compliance compares with a set
standard of acceptable performance.

TSA Has Not Yet Analyzed the Results of Inspections to Systematically
Target Future Inspections of Those Entities That Pose a Higher Security
Risk to the Domestic Air Cargo System

TSA has taken initial steps to compile information on the results of its
compliance inspections of air carriers and indirect air carriers and
identify the most frequent types of violations found. For example, from
January 1, 2003, to January 31, 2005, TSA identified violations committed
by air carriers and indirect air carriers involving noncompliance with air
cargo security requirements in several areas, including those TSA
determined to be high-risk because they would pose the greatest risk to
the safety and security of air cargo operations. Specifically, these
violations covered areas such as cargo acceptance procedures, access
control to cargo facilities, and physical cargo inspections. TSA
identified indirect air carriers' failure to comply with their own
security programs as the area with the most violations. According to TSA
officials, the large number of violations by indirect air carriers is due,
in part, to their unfamiliarity with air cargo security requirements.
Figure 4 shows the top 10 violations found during inspections of air
carriers and indirect air carriers as determined by TSA. 78

78

The restricted version of this report, GAO-05-446SU, provides information
on the most frequently occurring violations by risk level, as determined
by TSA.

Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo
Inspections for the Period January 1, 2003, to January 31, 2005

[Figure: bar chart of number of violations (vertical axis, 0 to 600) by
violation area. Bar values: 565, 399, 369, 329, 288, 285, 239, 212, 168,
159.]

Source: TSA.

a According to TSA officials, "other" includes information on violations
not specifically identified in the agency's PARIS database.

While TSA has identified frequently occurring violations, it has not yet
determined the specific area of violation for a large number of
inspections completed from January 1, 2003, to January 31, 2005. For
example, TSA reported its third most frequent type of air cargo security
violations was "other." According to TSA officials, the "other" category
includes violations that could not be easily categorized by one of the
violation area fields listed in the agency's PARIS database. Moreover, our
analysis found 540 additional violations for which no specific violation
area was reported. When combined with the "other" violations, these two
violation areas account for about 21 percent of the total number of air
cargo security violations identified by TSA during this period.

In addition, TSA could not identify how many of its 36,635 inspections
covered each air cargo security requirement, including those in the top 10
violation areas identified in figure 4. As a result, TSA cannot determine
the compliance rate for each specific area inspected. For example, TSA
found 288 violations related to cargo acceptance procedures but could not
identify how many of its inspections examined these procedures. Without
complete information on the specific air cargo security requirements that
air carriers and indirect air carriers violated, as well as the number of
times each topic area was inspected, TSA is limited in its ability to
determine the compliance rates for specific air cargo security
requirements and effectively target future inspections for air cargo
security requirements that are most frequently violated and the carriers
and indirect air carriers that violate them. In June 2005, TSA officials
informed us that in the future they intend to compile information on the
number of instances in which specific air cargo security requirements are
inspected.

While TSA has compiled information on the results of its compliance
inspections, the agency has not yet systematically analyzed these results
to target future inspections on security requirements and entities that
pose a higher risk. Analyzing inspection results would be consistent with
our internal control standards calling for comparisons of data to identify
relationships that could form the basis for corrective actions, if
necessary. 79 TSA officials and the agency's fiscal year 2005 annual
domestic inspection and assessment plan identified the need for such
analyses. According to TSA officials, the agency has recently hired one
staff person to begin analyzing inspection data. In June 2005, TSA
officials also stated that the agency is working to revise its PARIS
database to allow for more accurate recording of inspection violations.
However, the agency has not systematically analyzed the results of its
inspections to target future inspections of those entities that pose an
increased security risk. Without an analysis of the results of its
inspections, TSA has a limited basis to determine how best to allocate its
inspection resources.

Analyzing key program performance data and using the results of this
analysis to effectively allocate resources are consistent with elements of
a risk management approach. Specifically, analyzing the results of
compliance inspection data could help focus limited inspection resources
on those entities posing a higher security risk. Such targeting is
important because TSA may not have adequate resources to inspect all air
carriers and indirect air carriers on a regular basis. According to TSA
inspection data for the period from January 1, 2003, to January 31, 2005,
compliance inspections identified a greater incidence of violations by
indirect air carriers than by air carriers. Specifically, violations found
in inspections of indirect air carriers accounted for 72 percent of the
total violations identified (3,116 out of 4,343). In addition, the
percentage of inspections of air carriers that did not identify a
violation of air cargo security requirements was significantly higher than
that for indirect air carriers.

79 GAO Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: August 2001).

Specifically, TSA found violations in over 40 percent of its domestic
indirect air carrier inspections during this period, while it found
violations in less than 10 percent of its domestic air carrier cargo
inspections. In addition, our analysis of TSA's compliance inspection data
from November 1, 2001, through September 30, 2004, determined that the
agency had conducted compliance inspections of about 83 percent of the
approximately 2,800 domestic air carrier stations, but for less than half
(49 percent) of the estimated 10,000 indirect air carrier facilities
nationwide during the same period. 80

According to TSA officials, the agency is taking steps to enhance its
ability to conduct compliance inspections of indirect air carriers. 81
Specifically, in May 2005, TSA established a centralized database to
capture information on indirect air carriers and required each indirect
air carrier to provide information on corporate and satellite locations.
82 The agency's ability to inspect indirect air carrier compliance could
also be affected by the agency's proposed change in the definition of what
constitutes an indirect air carrier. According to TSA's proposed air cargo
security rule, the definition of indirect air carriers would be amended to
include not only those companies transporting goods on passenger aircraft,
but also those transporting goods via all-cargo aircraft. This change in
definition will increase the number of regulated indirect air carriers TSA
will be responsible for overseeing.

80

The percentages of air carrier and indirect air carrier facilities
inspected by TSA are estimates. In calculating these estimates, we assumed
that none of the indirect air carrier facilities inspected in fiscal year
2004 were inspected before and that there were no discrepancies or missing
information in the data for fiscal years 2002 and 2003. As a result, the
percentage of air carrier's stations and indirect air carrier's facilities
inspected during this period may be lower. TSA did not provide us data to
calculate the number of stations and facilities visited for the period
beginning in fiscal year 2005.

81

Factors accounting for the limited number of TSA compliance inspections of
indirect air carrier facilities are sensitive security information and
discussed in the restricted version of this report, GAO-05-446SU.

82

Since September 1999, each indirect air carrier was required to annually
submit and maintain information on all its corporate and satellite
offices.

As part of its compliance inspection process, TSA recently began
implementing a testing program to identify air cargo security weaknesses,
referred to as special emphasis assessments. 83 On the basis of its review
of compliance inspection results for the period between January 2003 and
January 2005, TSA identified 25 indirect air carriers and 11 air carriers
with a history of violations related to air cargo security requirements.
TSA officials stated that the agency began conducting tests on these air
carriers and indirect air carriers in April 2005. 84 TSA officials stated
that the agency plans to conduct additional tests. TSA officials further
stated that the agency has not yet determined how it will use the results
of its testing program to help interpret the results from its other
compliance inspection efforts. TSA has also not analyzed inspection
results to identify additional targets for future testing. Such analysis
could include focusing compliance testing efforts on air carriers and
indirect air carriers with a history of air cargo security violations
related to high risk areas.

83

According to TSA, special emphasis assessments are distinct from agency
efforts to conduct covert testing by TSA's office of Internal Affairs and
Program Review. Covert testing is typically done by undercover TSA agents
and includes testing the security procedures at passenger check points and
airport access controls.

84

Results of TSA's tests are considered sensitive security information and
described in the sensitive security version of this report, GAO-05-446SU.

TSA Has Not Yet Assessed the Effectiveness of Its Enforcement Actions in
Ensuring Air Carrier and Indirect Air Carrier Compliance with Air Cargo
Security Requirements

According to TSA officials, the agency corrects minor violations of air
cargo security requirements collaboratively with air carriers and indirect
air carriers through on-site counseling and training. TSA reserves the use
of civil enforcement actions, which include administrative actions and
civil monetary penalties, for the most serious security risks identified
during TSA inspections. Administrative actions range from a warning notice
suggesting corrective steps to a letter of correction that requires the
carrier to take immediate action to avoid civil penalties. TSA is
authorized to issue civil monetary penalties when air carriers and
indirect air carriers fail to correct serious violations of air cargo
security requirements. 85

TSA officials stated that the majority of air cargo security violations
identified from January 1, 2003, to January 31, 2005, were addressed
through on-site counseling and training. Specifically, of the 4,343 air
cargo security violations identified during this period, TSA resolved
almost 60 percent (2,590) through on-site counseling and training. TSA
enforcement action data covering this period, however, did not specify the
actions the agency took in resolving approximately 1,600 (about 35
percent) of the 4,343 air cargo security violations. 86 TSA also
recommended civil penalties for 185 violations, of which 11 were issued
and 15 were resolved through administrative actions or no action.
Enforcement actions on the remaining 159 violations are still pending. 87

According to TSA officials, the agency has not assessed the effectiveness
of its enforcement actions, including on-site counseling and civil
penalties, in ensuring air carrier and indirect air carrier compliance
with air cargo security requirements. Our reviews of agency compliance
inspection programs have cited the need for evaluations of enforcement
activities and have noted the effectiveness of using sanctions such as
civil penalties to increase compliance. 88 Moreover, ATSA requires TSA to
conduct ongoing assessments of the effectiveness of penalties in ensuring
airport compliance with security procedures. Without assessing the
effectiveness of its enforcement actions, TSA cannot be assured that its
current cooperative approach to addressing issues of noncompliance is
resulting in increasing carrier compliance with air cargo security
requirements.

85

The statutory authority for TSA to issue fines and penalties to individual
air carriers and indirect air carriers for not complying with established
security procedures is 49 U.S.C. § 46301. The penalty for an aviation
security violation is found at 49 U.S.C. § 46301(a)(4) and states that
the maximum civil penalty for violating chapter 449 (49 U.S.C. §§ 44901
et seq.) or another requirement under this title administered by the TSA's
administrator shall be $10,000 except that the maximum civil penalty shall
be $25,000 in the case of a person operating an aircraft for the
transportation of passengers or property for compensation.

86

This percentage is based on TSA enforcement action data, which include
data for the period October 1, 2002, to December 31, 2002. TSA's data on
civil enforcement actions were provided by fiscal year and not by month.
Not including the data for October 1, 2002, to December 31, 2002, could
potentially increase the percentage of cases for which TSA could not
specify the action it took to resolve identified security violations.

87

These figures include data for the period October 1, 2002, to December 31,
2002, as TSA's data on civil enforcement actions were provided by fiscal
year and not by month.

88

GAO, Aviation Security: Better Management Controls are Needed to Improve
FAA's Safety Enforcement and Compliance Efforts, GAO-04-646 (Washington
D.C.: July 2004), and GAO, Pipeline Safety: Management of the Office of
Pipeline Safety Enforcement Program Needs Further Strengthening,
GAO-04-801 (Washington D.C.: July 2004).

  TSA Plans to Enhance Air Cargo Security, but Implementing These Plans Poses
  Challenges to the Agency and Air Cargo Stakeholders

TSA has developed plans aimed at enhancing air cargo security, but the
agency and industry face challenges in effectively implementing these
plans. Specifically, TSA is developing a system to target elevated risk
air cargo for inspection that would minimize the agency's reliance on
random inspections. This system would compare information on individual
air cargo shipments as well as information from the Known Shipper,
indirect air carrier, and PARIS databases against targeting criteria to
assign a risk level to cargo. Cargo identified as posing an elevated risk
would then be subject to additional inspection by air carrier personnel
through physical searches or other nonintrusive means. Elevated risk cargo
could include cargo that has been determined to pose a risk to the safety
and security of passengers and air cargo operations. Although the agency
acknowledges that the successful development of the targeting system is
contingent upon having complete and accurate targeting information in a
timely manner, the agency has not yet completed efforts to ensure that
these data are complete, accurate, and current. Moreover, the agency has
not yet determined the criteria that will be used to identify elevated
risk cargo. TSA plans to pilot-test this targeting system beginning in
early 2006 and phase in deployment of the system during calendar years
2006 and 2007. 89 TSA is also testing and developing technologies to
assess their applicability to air cargo, a key component of the agency's
Air Cargo Strategic Plan. According to TSA officials, the results of its
technology tests will need to be analyzed before the agency determines
which technologies will be certified for inspecting cargo, and whether it
will require air carriers to use such technology. Further, TSA's proposed
air cargo security rule would require air carriers and indirect air
carriers to (1) include all known shippers in a centralized database, (2)
secure air cargo facilities, and (3) conduct security checks on air cargo
workers. A number of industry stakeholders, including passenger and
all-cargo carriers that commented on the proposed rule, stated that TSA
underestimated the costs associated with implementing the proposed
measures and that some of these proposals may be difficult to implement.
Our analysis of TSA's proposed air cargo security rule cost estimate, $637
million (in discounted 2003 dollars) over a 10-year period, identified
concerns with the agency's methodology for calculating the cost estimate
and suggests that TSA's cost figure may have been underestimated.
According to TSA officials, the agency plans to reassess its cost
estimates before issuing its final air cargo security rule.

89

On September 22, 2005, TSA announced that the agency's planned targeting
system would undergo a "proof of concept" phase before being piloted.
This phase would entail evaluating the system's potential effectiveness in
identifying elevated risk cargo, assessing data quality related to cargo
shipments, and recommending any necessary modifications to the system.

    TSA Is Working to Develop a System to Target Elevated Risk Cargo, but Has
    Not Yet Ensured That Data to Be Used to Target Cargo Are Complete, Accurate,
    and Current

According to TSA officials, the agency decided to develop a system to
target elevated risk cargo after concluding that physically inspecting 100
percent of the cargo boarded onto passenger aircraft was not feasible
using currently available technology without significantly impeding the
flow of commerce. Specifically, TSA officials stated that currently
available technology does not have the capability to inspect various types
and sizes of cargo in a timely manner and that the cost associated with
inspecting 100 percent of air cargo could be significant. A Federal
Aviation Administration analysis conducted in 2001 determined that only a
small portion of the nation's air cargo could be inspected effectively or
efficiently with available technology, for similar reasons. In its
analysis, the Federal Aviation Administration estimated that 8,000 federal
screeners and $500 million (in the first year) would be required to
implement a federally managed cargo inspection program for passenger
aircraft. Further, in June 2002, TSA estimated that it would cost air
carriers and the federal government up to $3.61 billion (in discounted
2001 dollars) over 10 years to physically inspect all cargo placed in the
cargo hold of commercial passenger aircraft, primarily because of the
expense associated with inspection equipment and personnel costs.
Moreover, according to TSA, delays associated with inspecting 100 percent
of cargo would significantly affect the air cargo operations on passenger
carriers by potentially delaying cargo delivery schedules. Delays
associated with cargo inspection could also affect cargo shippers who may
be required by air carriers to deliver cargo sooner so it can be properly
inspected before being loaded onto aircraft. In addition, air cargo
stakeholders contend that additional security costs related to 100 percent
cargo inspection could adversely affect the financial status of air
carriers.

TSA is in the early stages of developing a system to target elevated risk
cargo for additional scrutiny, including physical inspection through
manual searches and the use of nonintrusive inspection technologies. TSA
officials anticipate that the agency's targeting system, referred to as
Freight Assessment, will minimize the reliance on the random physical
inspections currently conducted by air carriers. TSA officials stated that
the development of the Freight Assessment System will also help the agency
to address one of its key objectives in the agency's Air Cargo Strategic
Plan: identifying elevated risk cargo. TSA's planned Freight Assessment
System would use information maintained in the agency's Known Shipper,
indirect air carrier, and PARIS databases to target elevated risk cargo
for inspection. Cargo that is identified by the Freight Assessment System
as posing an elevated risk will then be physically inspected either
through the use of inspection technology or other methods. 90

According to agency plans, air carriers would receive targeting
information from TSA on specific cargo items identified as posing an
elevated risk. Upon notification by TSA's Freight Assessment System,
carrier personnel would be responsible for conducting the inspection of
cargo identified as elevated risk. Thus, cargo inspection would continue
to differ from current passenger and baggage inspection in that cargo
inspection would be performed by the employees of air carriers, rather
than by a federal workforce. Air carrier and indirect air carrier
officials we spoke with have raised concerns about their role in cargo
inspection and have questioned the skill level and adequacy of inspection
training provided to air carrier employees.

TSA and CBP officials stated that they had agreed to jointly develop and
deploy the Freight Assessment System and the rules that would be used to
identify elevated risk cargo for inspection. TSA officials stated that the
goal of this interagency coordination is to minimize the cost of the
Freight Assessment System's development by leveraging existing DHS
capabilities, and reduce the administrative burden on the air cargo
industry by not requiring stakeholders to submit the same data to multiple
government agencies. CBP is responsible for preventing terrorists and
terrorist weapons from entering the United States. To target elevated risk
international cargo, CBP systems store data on international cargo
shipments, assign a risk score to a specific cargo shipment, and update
stored information with the latest risk scoring for specific shipments. 91
In addition, all commercial air carriers transporting international cargo
must now transmit specific cargo information to CBP through an automated
system. 92 This cargo information is screened to identify elevated risk
cargo based on certain criteria. Upon arrival in the United States, cargo
that is deemed as posing an elevated risk is to be inspected either
physically or with nonintrusive inspection technology by CBP inspectors.

90

Details on TSA's planned Freight Assessment System are sensitive security
information. A description of the system is provided in the restricted
version of this report, GAO-05-446SU.

91

CBP currently uses the Automated Targeting System to target elevated risk
international cargo for additional review or inspection.

According to TSA and CBP officials, most of the components needed for
TSA's Freight Assessment System already exist within CBP. To use these
components, however, TSA will need to further develop its air cargo
databases to identify and target elevated risk air cargo and develop the
criteria and rules necessary to assign a risk score to domestic air cargo
shipments. TSA's databases will also need to be linked to the systems
housed within CBP. According to TSA officials, the preliminary design
phase of the Freight Assessment System, incorporating components already
existing within CBP, was completed on April 12, 2005. 93

In addition to collaborating with CBP, TSA has worked with the air cargo
industry to develop the overall design of the Freight Assessment System.
For example, in September 2004, the Aviation Security Advisory Committee
created an industry working group to advise TSA on the development of a
Freight Assessment System. On April 28, 2005, the working group presented
the Aviation Security Advisory Committee with four recommendations to be
formally provided to TSA. The working group recommended (1) extending the
life of the working group to enable the industry to have adequate input
into the Freight Assessment System process as it evolves over time; (2)
designing the Freight Assessment System to include processes for sharing
threat information; (3) establishing a pilot program to determine whether
the proper system elements are in place, and whether the communication
between government and industry allows for the inspection of elevated risk
cargo without disrupting the air cargo supply chain; and (4) obtaining
public comment on the proposed Freight Assessment System through a notice
of public rule making, and implementing the system through amendments to
each regulated party's security program. During the April 28, 2005,
meeting, the Freight Assessment System working group members noted that in
addition to the targeting and physical inspection of elevated risk air
cargo, random physical inspection should continue as an additional layer
of security and stressed that once elevated risk air cargo is identified,
inspection of such cargo should be performed by TSA employees. TSA
officials stated that they would consider the working group's
recommendations and that most of the group's recommendations have been
accepted and incorporated into the Freight Assessment System design. In
addition, TSA officials agreed to continue the life of the Freight
Assessment System working group to extend through the implementation of
the pilot. TSA further requested that once the pilot program was complete,
the working group draft additional recommendations on the implementation
of the system. According to TSA officials, however, the agency does not
plan to use TSA employees to inspect air cargo because of the cost
associated with using federal screeners and because the number of
full-time equivalent screeners is capped at 45,000.

92

Commercial air carriers must submit specific cargo information to CBP by
"wheels up" in the case of aircraft departing for the United States from
any foreign place in North America, north of the equator only. Aircraft
departing for the United States from any other foreign area must provide
information electronically no later than 4 hours prior to arrival in the
United States.

93

TSA officials could not provide us with details on the Freight Assessment
System because such details have not yet been finalized within DHS.

TSA officials anticipate pilot-testing the Freight Assessment System in
early 2006. According to TSA officials, two airlines and five indirect air
carriers have agreed to participate in the pilot test. TSA officials
expect to expand the pilot test to include cargo transported on all-cargo
carriers but have yet to make a final determination on when the agency
will expand the pilot. TSA officials also plan to phase in implementation
and deployment of the targeting system for cargo transported on passenger
carriers during calendar years 2006 and 2007. Until such time, TSA
officials stated that the agency will rely on the Known Shipper program
and random inspection requirements as the primary means for screening and
inspecting air cargo.

Although TSA has identified data elements that could be used in its
Freight Assessment System, the agency has not yet ensured that these data
are complete, accurate, and current. TSA acknowledges that the successful
development of the targeting system is contingent upon having complete and
accurate information on shippers and cargo shipments, among other things.
However, as we have previously noted, there are problems with the
information contained in the TSA Known Shipper database and how TSA uses
this information to identify shippers who may pose a risk. TSA plans to
make the Known Shipper database mandatory, allowing the agency to compile
and verify information on the entire population of known shippers and take
other actions to identify high-risk shippers. In December 2004, TSA
contracted for a study to review the information contained in the Known
Shipper database. However, as of June 2005, the study has not yet been
completed. TSA officials stated that they intend to conduct a follow-on
study to examine how to use known shipper data as part of the Freight
Assessment System once privacy issues are addressed. Further, while TSA
plans to use the results of its compliance inspection program to help
target elevated risk cargo, the agency has not yet fully analyzed its
compliance inspection results data or required air carriers to provide
data of their inspection activities. In addition, TSA does not currently
require carriers to submit information on individual domestic cargo
shipments, as is done by CBP for international shipments in transit to the
United States. TSA anticipates requiring domestic air carriers to submit
such information under the proposed Freight Assessment System.

Complete and accurate shipment and compliance inspection information is
essential for the development of an effective system to target elevated
risk cargo. Further, as we have recently reported, efforts to target
elevated cargo will only be as good as the data used to conduct such
targeting. 94 Specifically, we reported on limitations associated with the
information used by CBP in targeting oceangoing cargo. CBP uses manifest
information as one of several data sources to assess the risk level of
United States-bound shipments, but our review identified problems with
this information. 95 We found that without complete and accurate
information on shipments, it is difficult for CBP's Automated Targeting
System to accurately assess the risk of shipments and to conduct thorough
targeting. 96 Similarly, TSA plans to develop a system to target elevated
risk domestic air cargo based on the use of information from existing
agency databases, as well as information contained in air carrier's cargo
airway bills. The limitations we identified with CBP's efforts highlight
the need for TSA to evaluate the accuracy and reliability of information
it plans on using to target elevated risk domestic air cargo. Without
quality information, TSA's ability to effectively target cargo for
inspection will be limited, regardless of the system being used. According
to TSA officials, the agency is working to address issues of quality and
availability for both industry-provided data and data from government
sources. TSA anticipates using the results of this analysis as well as the
results of its Freight Assessment pilot, which is currently scheduled for
early 2006, to adjust the information that will be used to identify
elevated risk cargo.

94

GAO, Homeland Security: Challenges Remain in the Targeting of
Oceangoing Cargo Containers for Inspection, GAO-04-325NI (Washington,
D.C.: Feb. 20, 2004), and GAO, Container Security: A Flexible Staffing
Model and Minimum Equipment Requirements Would Improve Overseas Targeting
and Inspection Efforts, GAO-05-187SU (Washington, D.C.: April 2005).

95

According to CBP officials, they continue to work on improving the
completeness and accuracy of oceangoing cargo manifest data. The mandatory
transmission of manifest data for U.S.-bound air cargo shipments was not
finalized until December 2004.

96

CBP's Automated Targeting System uses targeting criteria to assign a risk
score to cargo shipments.

Finally, TSA is still deliberating on the criteria it will use to define
elevated risk cargo during the pilot test of its Freight Assessment
System. While TSA is considering various factors for determining an air
cargo shipment's risk, the agency has not yet determined whether these or
other criteria will be used to define elevated risk cargo. According to
TSA officials, the Freight Assessment System has been designed to
accommodate changes in targeting criteria to identify elevated risk cargo.
Establishing clear criteria for identifying elevated risk cargo will be
essential for the development, testing, and implementation of an effective
system to target such cargo for further inspection.

    TSA Is Testing Inspection Technologies to Determine Their Applicability to
    Air Cargo

TSA is currently developing and testing technologies to assess their
applicability to the inspection of air cargo. According to TSA officials,
the agency will determine whether it will certify or require the use of
air cargo inspection technologies once the agency has completed its
assessments of various technologies and the results have been analyzed.
Testing and developing technology is also one of TSA's key objectives in
the agency's strategic plan for enhancing air cargo security and is also a
key component of TSA's plans to inspect elevated risk cargo. Recognizing
the importance of researching and developing inspection technology, TSA
obligated about $700,000 in fiscal year 2003 and was directed by the
conference report for the DHS's fiscal year 2004 appropriations act to
spend $55 million for air cargo security research and development
activities. The fiscal year 2005 Department of Homeland Security
Appropriations Act also directed the Secretary of Homeland Security to
research, develop, and procure certified systems to inspect and screen air
cargo on passenger aircraft at the earliest date possible. 97 To
accomplish this, the accompanying conference report directed TSA to spend
an additional $75 million to research and develop air cargo security
technologies. 98

97

Pub. L. No. 108-334, § 513, 118 Stat. at 1317.

98

In the past TSA received research and development (R&D) funding. For
fiscal year 2006, TSA's R&D programs are permanently transferred to the
DHS Office of Science and Technology (S&T). A small amount of resources
will remain within TSA to assist with EDS testing, and liaison with S&T
for operational integration.

TSA is currently developing performance criteria for technology to inspect
air cargo and considering whether to establish a certification standard
for such technology. At present, TSA is not required to certify technology
for air cargo inspection. Until such technology is certified, TSA
officials stated that the agency will continue to allow air carriers to
use the technologies and methods described in the air carrier standard
security program and TSA security directives. These technologies and
methods include manual physical searches, X-ray systems, explosive trace
detection (ETD) equipment, explosive detection systems, TSA-certified
explosives detection canine teams, and decompression chambers, among other
methods. 99 TSA security programs contain procedures and training
requirements for air carrier personnel when using X-ray systems or
performing manual searches of air cargo. TSA also established protocols
for air carriers to follow when using ETD equipment to inspect air cargo.
These protocols include testing procedures, operating instructions, alarm
resolution guidance, and training requirements.

TSA has recently completed a pilot program focused on testing the
applicability of EDS technology to inspect individual pieces of air cargo,
referred to as break bulk cargo. 100 According to TSA officials, the
agency decided to test EDS's applicability for inspecting air cargo, in
part because this technology is already used to inspect checked baggage.
EDS pilot-testing criteria included detection rates, false alarm rates,
and throughput rates. 101 Although EDS is currently an approved method for
inspecting air cargo, it had not been tested by TSA to determine its
effectiveness in inspecting air cargo. According to TSA officials, EDS was
approved by the Federal Aviation Administration for inspecting air cargo,
but TSA still needs to review the results of its EDS pilot test before the
agency will determine whether to certify EDS for inspecting air cargo.
Although TSA has not yet finalized its evaluation of the results of the
EDS pilot, agency officials stated that preliminary data suggest that EDS
technology is well suited to inspect break bulk cargo under a range of
environmental and climatic conditions, but limitations exist with using
such technology. TSA has not yet established time frames, however, for
when the agency will decide whether or not to certify EDS technology for
air cargo or require air carriers to use this technology to inspect air
cargo. For a description of TSA's evaluation of EDS technology, see
appendix V.

99

ETD technology requires human operators to collect samples of items to be
inspected with swabs, which are chemically analyzed to identify any traces
of explosive material. Decompression chambers simulate the pressures
acting on aircraft which cause explosives that are attached to barometric
fuses to detonate.

100

In addition to TSA's efforts to test current EDS technology, one airport
we visited was undertaking an independent air cargo inspection pilot
testing the effectiveness of different versions of X-ray technology.
According to airport officials, the inspection process was time-consuming.
Airport authority officials stated that they planned to conduct additional
inspection technology testing sometime in 2005.

101

Throughput means the amount of cargo screened during a given period of
time, for example, per hour.

TSA also recently completed an operational test and evaluation to
determine the applicability of explosives detection canine teams to
inspect air cargo. There are currently 370 TSA-certified explosives
detection canine teams authorized and 333 assigned for use in inspecting
passengers' checked baggage. According to TSA, the agency chose to test
the effectiveness of TSA-certified explosives detection canine teams in
inspecting air cargo in part because these teams are already used as part
of the agency's multifaceted approach to airport security. As with EDS
technology, existing TSA security programs allow air carriers to use
canines for inspecting air cargo. According to TSA officials, the agency,
however, has not yet certified the use of canines for inspecting air
cargo. TSA officials stated that the canine operational test and
evaluation was designed to determine the effectiveness of canine detection
teams in the air cargo environment. Although TSA has not fully evaluated
the results of the pilot tests, according to TSA, the data suggest that
even without prior training, the canine teams performed effectively in
inspecting various types of cargo. They added that the results of these
tests will be used to determine whether canines will be certified for
inspecting air cargo. TSA has not yet established time frames, however,
for when such decisions will be made. For a description of the recently
completed TSA canine pilot program, see appendix VI.

TSA is also testing other forms of currently available cargo inspection
technologies, as well as identifying and developing new and emerging
technologies. In February 2004, for example, TSA solicited information
from vendors on new and emerging technology concepts for inspecting cargo
containers and United States mail. According to TSA officials, the agency
is pursuing multiple technologies that will automate the detection of
explosives in the types and quantities that will cause catastrophic damage
to an aircraft in flight. On the basis of responses to its solicitation,
TSA identified nine technologies to finance for further development and
testing. According to TSA, the technologies selected will go through four
phases of development: (1) a preliminary design phase, consisting of
activities in which the concept of operations will be clearly defined and
the system components will be clearly identified; (2) a critical design
phase, consisting of further definition of system design features and
analysis of overall detection and false alarm performance; (3) a system
development phase, consisting of the final design and fabrication of the
system, including developmental tests and evaluations; and (4) a prototype
evaluation phase, consisting of a series of laboratory tests using threats
and cargo to evaluate the detection and false alarm performance for a
variety of threat scenarios. TSA plans to develop working prototypes of
these technologies by September 2006 and complete operational testing by
2008. TSA acknowledges that full development of these technologies may
take 5 to 7 years. For a description of the new and emerging technologies
selected by TSA for further development and testing, see appendix VII.

TSA also has other efforts under way to develop and deploy technology in
the air cargo environment. For example, in January 2005, TSA solicited
information on technology systems that could be used to inspect break bulk
air cargo. According to TSA officials, the agency will identify and
evaluate commercial off-the-shelf systems that could be used to inspect
break bulk cargo. TSA plans to begin laboratory and field tests of these
technologies in the summer of 2005. In April 2005, TSA issued another
solicitation for information on air cargo inspection technology. This
solicitation specifically requested information on explosives detection
systems for inspection of cargo containers or palletized air cargo and
will cover the use of unit load devices placed on passenger aircraft.
According to TSA, the agency is currently reviewing the responses to this
solicitation.

In addition to cargo inspection technology, hardened cargo containers are
being considered as a means to mitigate the threat of an improvised
explosive device. The Federal Aviation Administration previously had a
research program on blast-resistant containers to examine their
effectiveness in containing the effects of an improvised explosive device.
Air carriers have raised concerns regarding the weight of these containers
and the potentially significant effect their use would have on airlines by
increasing fuel costs, reducing flight range, and decreasing payload
capacity for revenue-generating passengers and cargo. Other challenges
associated with deploying hardened cargo containers include purchasing
costs (which, according to TSA, can range from $20,000 to $40,000 per
container), durability, and potentially higher maintenance costs for
hardened container materials. Although the purchase, deployment, and use
of such containers may prove to be challenging, the Intelligence Reform
and Terrorism Prevention Act of 2004 required that TSA begin to carry out
a pilot program to evaluate the use of blast-resistant containers for
cargo and baggage on passenger aircraft to minimize the potential effects
of an explosive device's detonation. The act authorized $2 million to
conduct such a pilot program. According to TSA officials, the agency is
currently conducting a pilot program with two airlines on the use of
hardened containers.

Finally, according to its Air Cargo Strategic Plan, TSA is also
considering whether the agency's Transportation Worker Identification
Credential (TWIC) Program would be beneficial to incorporate into the air
cargo environment. 102 The TWIC Program is intended to establish a uniform
identification credential for 6 million workers who require unescorted
physical or cyber access to secured areas of transportation facilities.
The program is intended to combine standard background checks and new and
emerging biometric technology so that a worker can be positively matched
to his or her credential. As of June 2005, TSA had not yet determined
whether the TWIC Program would be incorporated as part of the agency's
overall effort to enhance air cargo security. We currently have an
on-going review of the TWIC Program.

According to TSA officials and air carrier and airport representatives,
the federal government and the air cargo industry face several challenges
that must be overcome to effectively implement technology to inspect air
cargo for explosives. These challenges include factors such as the nature,
type, and size of the cargo; environmental and climatic conditions;
inspection throughput rates; screener staffing and training issues; the
location of air cargo facilities (centralized versus decentralized); cost
and availability; and employee health and safety concerns. For example,
cargo weighing several tons may be too large to be inspected by currently
available technology. The heat and humidity at certain airport locations
may affect the functioning of inspection technology. Furthermore, trained
staff must be available to operate the technology, and health and safety
concerns such as worker exposure to radiation must be addressed. We have
also previously reported on the need for TSA and DHS to better manage
their research and development programs to ensure effective use of
technology research funds. Specifically, we recommended that DHS and TSA
implement a risk management approach for their research and development
programs. 103 Table 2 describes the potential challenges with using
current and new and emerging technology to inspect air cargo that were
identified by TSA officials and officials representing airports and air
carriers.

102

We previously reported on the challenges associated with developing and
operating a maritime worker identification card program. GAO, Port
Security: Better Planning Needed to Develop and Operate Maritime Worker
Identification Card Program, GAO-05-106 (Washington, D.C.: December 2004).

Table 2: Potential Challenges Associated with Using Current and New and
Emerging Technology to Inspect Air Cargo

Potential challenge
Challenge description

Nature, type, and size of air cargo
Air cargo ranges in size from less than 1 pound to several tons, and in
type from perishables to engines, including electronic equipment, machine
parts, apparel, medical supplies, fresh-cut flowers, fresh seafood,
tropical fish, live animals, and human remains. Cargo can be shipped in
various forms including unit-loading devices, wooden crates, and assembled
pallets, or as break bulk.

Environmental and climatic conditions
Different environmental conditions may have an effect on different types
of technology. For example, technology may need to perform under very cold
and very hot conditions, which may affect its performance.

Inspection throughput rates
Technology must have the capacity to inspect a large quantity of cargo in
a timely manner to meet the delivery schedules of the air cargo industry
and the needs of shippers.

Screener staffing and training
Depending on the type of technology, operators may require rigorous
training. It may be financially burdensome to hire, train, and retrain
staff to operate the inspection technology.

Logistics
Construction of centralized inspection facilities for storing and using
inspection equipment may be challenging. Larger airports may be in a
better position to handle the financial burden of additional security
measures but may not have the space for inspection equipment. Smaller
airports would probably have difficulty paying for new inspection
equipment and staff but may have the space to add the equipment.

Cost and availability
The overall cost of technology may be a challenge. For example, one EDS
machine can cost up to $1.2 million. TSA canine units can cost up to
$120,000 per team annually. Newer technologies, such as current models of
pulsed fast neutron analysis systems, cost between $10 million and $25
million. In addition, cargo handling is usually performed at separate
cargo facilities either on airport property or off-site.

Employee health and safety
Air carriers contend that certain inspection technologies, such as pulsed
fast neutron analysis, may pose potential health risks to operators and
handlers consolidating and loading cargo. Air carriers also contend that
once items are inspected they may not be safe to handle for some period of
time, which could affect delivery time. According to TSA, the technologies
they are considering for explosives detection for cargo do not present
these problems. Other inspection technologies using neutron beams may also
pose similar health risks.

                  Source: GAO summary of reported challenges.

103 GAO, Transportation Security R&D: TSA and DHS Are Researching and
Developing Technologies, but Need to Improve R&D Management, GAO-04-890
(Washington, D.C.: September 2004).


    TSA Plans to Issue New Air Cargo Security Requirements, but Some Industry
    Stakeholders Have Expressed Concern Over Their Cost and Feasibility

TSA noted that given the challenges of inspecting air cargo using
currently available technologies, the agency's goal is to develop an
approach to inspect air cargo using a combination of technologies. TSA's
strategic plan states that the agency envisions developing a "tool box" of
technologies that can be used by air carriers to inspect cargo of various
types and sizes under different operating environments. Although the agency
recognizes the challenges associated with inspecting air cargo, has
completed some technology evaluations, and plans to conduct further
technology testing, TSA has not decided whether it will certify or require
air carriers to use specific technologies. TSA officials stated that they
will make these decisions after evaluating the results of the cargo
inspection technology assessments, but the agency has not established time
frames for making such decisions. To effectively inspect cargo that TSA
deems to be an elevated risk, the agency will need to make decisions
regarding the use of air cargo inspection technologies prior to full
implementation of its Freight Assessment System, which is currently
scheduled for the end of calendar year 2007.

In addition to developing a system to target and inspect elevated risk
cargo, TSA has proposed additional requirements to enhance air cargo
security in its proposed rule, issued on November 10, 2004. Many of the
measures outlined in the proposed rule are initiatives that are outlined
in TSA's Air Cargo Strategic Plan, as discussed earlier in this report.
Specifically, the proposed rule making would require the adoption of
security measures that focus on inspecting cargo, securing air cargo
facilities, and conducting security checks on air cargo workers. TSA
received 676 comments to its proposed rule from 134 commentators
representing air carriers, indirect air carriers, and airports, among
others. The agency has reviewed these comments as it determines how to
finalize its proposals aimed at enhancing air cargo security. TSA
estimated in its proposed rule that implementing these proposals,
including random inspection of air cargo, will cost $637 million (in
discounted 2003 dollars) over a 10-year period from 2004 to 2013. Table 3
describes TSA's proposed measures.

Table 3: TSA's Proposed Air Cargo Security Measures

TSA-proposed measure
    Description of proposed measure

Security threat assessments (STA) for air cargo workers
    Persons who have unescorted access to air cargo, but do not have
    unescorted security identification display area access, to undergo a
    STA to verify that they do not pose a security threat. Specifically,
    TSA will conduct checks of air cargo workers against intelligence
    records and databases, including terrorist watch lists. An estimated
    $39 fee per applicant would be imposed to conduct the STA. TSA
    estimates that 28,225 of the estimated 63,000 air cargo workers would
    be affected by this new requirement.

Inspecting cargo
    Codifying existing requirements for aircraft operators to inspect air
    cargo, including that offered by known shippers.

Applying or extending airport security identification display area (SIDA)
requirements to air cargo operations areas [a]
    Applying or extending airport SIDA requirements to air cargo
    operating areas. This proposal does not call for the creation of a
    SIDA at airports where there currently is not one. In these
    situations, all-cargo operators will be required to institute other
    security measures to prevent unauthorized access.

Known Shipper program and database
    Codify and strengthen the Known Shipper program. Specifically,
    participation in the Known Shipper database would be mandatory for
    all domestic operators, foreign air carriers, and indirect air
    carriers. Air carriers and indirect air carriers would be required to
    submit information on a known shipper applicant electronically to TSA
    for vetting against terrorist and law enforcement data. Aircraft
    operators, foreign air carriers, and indirect air carriers will be
    required to submit known shipper information electronically and
    update it as needed.

Accepting cargo directly from shippers or from entities with security
programs
    Authorize aircraft operators under full or all-cargo programs to
    accept cargo only from entities with security programs comparable to
    the aircraft operators'.

Enhanced indirect air carrier security requirements, including training
and personnel requirements
    Expand the definition of indirect air carrier to include businesses
    engaged in the indirect transport of cargo on larger commercial
    aircraft, whether conducted with a passenger aircraft or an all-cargo
    aircraft. Vet businesses more thoroughly before they are authorized
    to do business as indirect air carriers, strengthen a requirement for
    periodic recertification of indirect air carrier status, and
    strengthen security requirements for accepting and processing air
    cargo. TSA is developing a Web-based centralized system for
    validating and revalidating indirect air carriers. Upon its
    implementation, TSA proposes to require all businesses to use the
    system to obtain initial indirect air carrier approval and to renew
    their approval. Indirect air carriers would also be required to use
    the system to notify TSA of any changes to their corporate structure
    and to renew their status annually. Proposes procedures for
    withdrawing indirect air carrier security program approval and
    requiring a comprehensive and recurrent training program for indirect
    air carriers to ensure that indirect air carrier employees understand
    and are trained to implement their security responsibilities.
    Requires indirect air carriers to designate a security coordinator at
    the corporate level (as currently required by airport and aircraft
    operators) to serve as the indirect air carrier's primary point of
    contact for communications with TSA, including receipt of threat
    information.

Security measures for persons boarding an all-cargo aircraft
    Codify requirements for physically screening persons other than
    passengers boarding all-cargo aircraft with a maximum certified
    takeoff weight greater than 12,500 pounds.

Establish a required standardized security program for all-cargo carriers
    Require additional steps for securing all-cargo aircraft weighing
    more than 45,500 kilograms (100,309 pounds). The proposal would
    institute security measures for all-cargo aircraft comparable to
    passenger aircraft of the same size and be incorporated into a
    mandatory All-Cargo Aircraft Operator Standard Security Program.

Source: GAO analysis of Air Cargo Notice of Proposed Rule Making and
Industry Comments.

[a] Individuals working in SIDA must have an airport's approved photo ID; the
ID must be displayed at all times above the waist on the individual's
outermost garments; to obtain a SIDA ID, a person must successfully
undergo a fingerprint-based criminal history records check, and
successfully complete security training. In addition, procedures must be
in place for challenging all persons not displaying appropriate ID.

Although most industry members who commented on the proposed air cargo
rule were pleased that TSA is taking steps to enhance air cargo security,
many pointed out various issues related to implementing these measures,
particularly cost. 104 Specifically, officials representing air carriers,
indirect air carriers, and airports have expressed concern that they would
incur approximately 97 percent of the projected cost of the air cargo
security procedures described in TSA's proposed air cargo security rule.
Air carriers also contend that the additional air cargo security costs
will ultimately be borne by shippers and passed on to their customers.
Officials representing passenger and all-cargo carriers also commented
that the overall estimate to implement these proposed procedures was low.
For example, cost projections developed by one stakeholder suggest that
implementing TSA's proposals could cost more than double what TSA
estimated. A major reason for this higher cost estimate was that the
stakeholder assumed a tripling in the estimated percentage of air cargo
required to be inspected on passenger aircraft, as mandated in the fiscal
year 2005 Department of Homeland Security Appropriations Act. 105
According to TSA officials, the agency's cost estimate for implementing
its proposed security measures did not assume the tripling of the
inspection percentage, as required by the Act, because the fiscal year
2005 Department of Homeland Security Appropriations Act was signed shortly
before the proposed rule was issued. 106 Therefore, TSA based its proposed
rule's cost estimates for cargo inspection on existing requirements at the
time. 107

104 TSA's proposed air cargo rule also includes measures for enhancing the
security of cargo transported by foreign air carriers entering the United
States. According to CBP, air carriers arriving from foreign countries that
are already members of the Customs-Trade Partnership Against Terrorism
program are required to have security plans.

105 Pub. L. No. 108-334, § 513, 118 Stat. at 1317.

106 The conference report accompanying the fiscal 2005 Department of Homeland
Security Appropriations Act, which also contained the requirement for
tripling the inspection percentage, was available approximately 1 month
prior to the publication of TSA's proposed rule.

Our analysis of TSA's cost estimates identified four ways in which the
agency had likely underestimated the costs of air cargo inspections.
First, TSA's estimate did not take into consideration the tripling in the
percentage of inspections for cargo transported on passenger aircraft.
Second, TSA is proposing to expand the definition of indirect air carriers
to include those transporting goods on all-cargo aircraft in addition to
those transporting goods on passenger aircraft, a change that would
increase the cost of implementing the proposed rule. Third, earlier TSA
analyses assumed a range of costs for inspection technology, yet in TSA's
cost analysis for its proposed rule, the agency chose to use a cost
estimate for this technology at the lower end of this range. Incorporating
the full range of possible inspection technology costs raises the expected
cost of the proposed regulation. Fourth, our analysis of the proposed
regulation also indicated that there is no allowance for the cost of any
delay. For instance, added time spent inspecting cargo could mean missing
delivery deadlines for shippers or flight delays. This could affect
industries whose costs of production are tied to inventories being
delivered on time. We discussed these issues with TSA officials, who
stated that the agency will consider revising its cost estimates as it
reviews industry comments to these security proposals.

In addition to concerns about the overall cost of TSA's proposed rule, air
cargo industry stakeholders expressed concern about the cost and
feasibility of implementing specific proposals described in TSA's proposed
rule. For example, in commenting on the proposed rule, some air carriers
and indirect air carriers acknowledged the need for TSA's proposal for
conducting security threat assessments on air cargo workers but expressed
concern that TSA may have underestimated the total number of workers
affected, as well as the total costs to perform these checks.
Specifically, one air cargo stakeholder estimated that the population
affected by TSA's proposal is more than twice as large as the agency
estimated, thus potentially more than doubling the estimated cost of $3.2
million (in discounted 2003 dollars) over 10 years. Air carrier
representatives also questioned why TSA would propose a different type of
check than is already required for workers with unescorted access to an
airport's SIDA. 108 These air carrier representatives stated that
requiring a single type of check for workers with access to either an
airport SIDA or air cargo would provide for a more uniform level of worker
security. According to TSA officials, the agency's preliminary review of
the comments on its proposed rule indicates that industry stakeholders may
have misunderstood the scope of this proposal, particularly as it relates
to the number and type of workers affected. According to TSA officials,
the agency will clarify these requirements in the agency's final air cargo
security rule.

107 TSA determined that the proposed regulatory action is not a major rule
within the definition of Executive Order 12866, as annual costs to all
affected parties do not pass the order's $100 million threshold in any
year. If the proposed cost estimates had exceeded the $100 million
threshold, TSA would have had to comply with Executive Order 12866's
requirement that TSA's analysis of its proposed air cargo security rule
consider the costs and benefits of reasonable alternative courses of
action and adequately explain the reasons for the proposed action.

Several stakeholders also commented on TSA's proposal to apply or extend
airport SIDA requirements to air cargo operations areas. While three air
carrier and indirect air carrier representatives we spoke with were
supportive of this proposal and stated that extending the airport SIDA
should enhance the physical security of cargo shipments and aircraft,
other air carriers and indirect air carriers expressed concern over the
implementation of this proposal. For example, officials from two air
carrier associations we spoke with stated that this proposal would
transfer responsibility for cargo operations areas from the air carrier to
the airport authority. One airport official we spoke with stated that he
did not want the additional responsibility associated with implementing
this proposal, and that air carriers should be responsible for overseeing
the implementation of this requirement. According to TSA officials, the
agency's preliminary review of comments to its proposed rule indicates
that industry stakeholders may have misunderstood the air carriers' and
airport operators' role in implementing this proposed requirement,
particularly as it relates to their role in overseeing all-cargo
operations within the SIDA. According to TSA officials, the agency will
clarify these requirements in the agency's final air cargo security rule.

Air cargo industry stakeholders also expressed concern about the cost and
feasibility of implementing TSA's proposal to put into regulation existing
requirements for air carriers to inspect a portion of air cargo. For
example, a representative from one industry association we spoke with
stated that TSA's proposal to screen a percentage of air cargo does not
ensure that air cargo is secure and suggested that most, if not all, cargo
should be screened. Air carrier representatives noted that the inspection
of air cargo should be considered a national security issue and therefore
funded and conducted by the federal government. In addition, several
stakeholders who represent air carriers and indirect air carriers we spoke
with stated that TSA has not adequately defined what an inspection will
entail and who will be responsible for such an inspection. Further, three
of the air cargo stakeholders we spoke with stated that TSA's
interchangeable use of the terms "screening" and "inspection" created
confusion about the actions they were required to take regarding the
examination of air cargo. Specifically, they noted that they were unsure
whether inspection meant conducting a physical search, while screening
meant using nonintrusive methods such as X-ray machines. These three
stakeholders added that clearer definitions of the terms "screening" and
"inspection" would help ensure that the appropriate type of examination
was conducted.

108 An airport's SIDA is not to be accessed by passengers and typically
encompasses areas near terminal buildings, baggage loading areas, and
other areas that are close to parked aircraft and airport facilities,
including air traffic control towers and runways used for landing, taking
off, or surface maneuvering.

Finally, air carrier and indirect air carrier representatives, in general,
concurred with TSA's proposals to strengthen the security of indirect air
carriers. Some indirect air carriers noted that more information is needed
on who will now be defined as an indirect air carrier, who will receive
security training, and what the training will entail. Similarly, air
carrier representatives agreed with TSA's proposals regarding security
measures for individuals boarding an all-cargo aircraft and establishing a
required standardized security program for all-cargo carriers, but they
said that they would like clarification on what these measures would
entail.

TSA officials told us that the agency is evaluating industry stakeholders'
comments to its proposed security measures and may revise these proposals
prior to issuing its final air cargo security rule. The Intelligence
Reform and Terrorism Prevention Act of 2004 provides that TSA must issue a
final air cargo rule no later than 240 days from its date of enactment
(August 14, 2005). 109 As of September 2005, this rule has not been
issued.

109 Pub. L. No. 108-458, § 4053, 118 Stat. at 3729.

  Conclusions

Securing all aspects of the aviation system is a daunting task. The
nature, size, and complexity of the nation's air cargo transportation
system highlight the need for the federal government and the private
sector to work together to secure this system and enhance security. While
the cost of enhancing air cargo security can be significant, the potential
costs of a terrorist attack, in terms of both the loss of life and
property and long-term economic impacts, would also be significant
although difficult to predict and quantify. The importance of the nation's
air cargo security system and the limited resources available to protect
it underscore the need for a risk management approach to prioritize
security efforts so that a proper balance between costs and security can
be achieved. In December 2002, we recommended, and TSA committed to,
implementing a risk management approach for securing air cargo. By
developing a strategic plan, TSA established strategic goals and
objectives, a key first step in implementing a risk management approach.
TSA also took another key step in implementing a risk management approach
by assessing threats to air cargo security.

While these efforts represent achievements, more work remains to be done
to fully address the risks posed to air cargo security. By not yet fully
evaluating the risks posed by terrorists to the air cargo transportation
system through assessments of systemwide vulnerabilities and critical
assets, including analyzing information on air cargo security breaches,
TSA is limited in its ability to focus its resources on those air cargo
vulnerabilities that represent the most critical security needs and assure
Congress that existing funds are being spent in the most efficient and
effective manner. Further, without examining the rationale of current air
cargo inspection exemptions in light of potential vulnerabilities
associated with these exemptions, TSA cannot be assured that tripling the
amount of cargo on passenger aircraft that is inspected, as required by
recent legislation, will enhance air cargo security.

Without performance measures to gauge air carrier and indirect air carrier
compliance with air cargo security requirements, TSA cannot effectively
focus its inspection resources on those entities posing the greatest risk. In
addition, without systematically analyzing the results of its air cargo
compliance inspections, TSA will be limited in its ability to effectively
target future inspections and fulfill its oversight responsibilities for
this essential area of aviation security. TSA also cannot be assured that
its current cooperative approach to addressing issues of noncompliance is
resulting in increased air carrier and indirect air carrier compliance
with air cargo security requirements without assessing the effectiveness
of its enforcement actions. Finally, TSA's goal of developing a system to
target elevated risk cargo for inspection without impeding the flow of air
commerce will be difficult to achieve without ensuring that the
information used to target such cargo is complete, accurate, and current.
By addressing these areas, TSA would build a better basis for
strengthening air cargo security in the future as it moves forward in
implementing risk-based security initiatives.

  Recommendations for Executive Action

To help ensure that the Transportation Security Administration has a
comprehensive risk-based approach for securing the domestic air cargo
transportation system, we recommend that the Secretary of Homeland
Security direct the Assistant Secretary of Homeland Security for the
Transportation Security Administration to take the following six actions:

(1) develop a methodology and schedule for completing assessments of
    air cargo vulnerabilities and critical assets, as well as
    defining, gathering, and analyzing information on air cargo
    security breaches, and use the information resulting from these
    assessments as a basis for prioritizing the steps necessary to
    enhance the security of the nation's air cargo transportation
    system;

(2) reexamine the rationale for existing air cargo inspection
    exemptions, determine whether such exemptions leave the air cargo
    system unacceptably vulnerable to terrorist attack, and make any
    needed adjustments to the exemptions;

(3) develop measures to gauge air carrier and indirect air carrier
    compliance with air cargo security requirements to assess and
    address potential security weaknesses and vulnerabilities;

(4) develop a plan for systematically analyzing the results of air
    cargo compliance inspections and use the results to target future
    inspections and identify systemwide corrective actions;

(5) assess the effectiveness of enforcement actions, including the use
    of civil penalties, in ensuring air carrier and indirect air
    carrier compliance with air cargo security requirements; and

(6) ensure that the data to be used in the Freight Assessment System
    to identify elevated risk cargo are complete, accurate, and
    current.

  Agency Comments and Our Evaluation

We provided a draft of this report to DHS for review and comment. On
September 30, 2005, we received written comments on the draft report,
which are reproduced in full in appendix VIII. DHS generally concurred
with the findings and recommendations in the report.

With regard to our recommendation to develop a methodology and schedule
for completing assessments of air cargo vulnerabilities and critical
assets, as well as defining, gathering, and analyzing information on air
cargo security breaches, DHS stated that it intends to perform a
vulnerability assessment to assess the relative significance of
vulnerabilities associated with domestic air cargo operations and
services. Specifically, DHS stated that this assessment will identify
weaknesses with the nation's air cargo operations that may be exploited by
terrorists and that this assessment will be tied into the department's
work to identify critical assets. Completing a vulnerability assessment is
an important step in applying a risk management approach to securing air
cargo. While DHS identified that the vulnerability assessment will tie
into the department's criticality work, it has not indicated when a
vulnerability or criticality assessment of air cargo assets will be
conducted or whether it intends to define, gather, and analyze information
on air cargo security breaches as part of this assessment. Taking these
steps would more fully address our recommendation.

Concerning our recommendation to reexamine the rationale for existing air
cargo inspection exemptions, DHS stated that it is already in consultation
with industry stakeholders regarding reevaluating current cargo inspection
exemptions as it designs and develops the Freight Assessment System, and
will soon launch a broad-based review of current air cargo policies and
processes. While conducting such a review may provide useful information
on security processes and policies that need to be improved, it is
important that the exemptions specifically be reviewed to determine
whether they leave the air cargo system unacceptably vulnerable to
terrorist attack. This assessment, as well as any resulting adjustments to
the exemptions, should be completed as soon as practical and should not be
exclusively tied to the design and development of the Freight Assessment
System. Taking this step would more fully address our recommendation.

In addressing our recommendation to develop measures to gauge air carrier
and indirect air carrier compliance with air cargo security requirements,
DHS stated that TSA is committed to focusing compliance inspection
resources on regulated parties that have greater security weaknesses and
vulnerabilities and will enhance current efforts to gauge air carrier and
indirect air carrier compliance with air cargo security requirements.
Although these efforts should help TSA in performing its oversight
responsibilities, developing specific performance measures to gauge air
carrier and indirect air carrier compliance with air cargo security
requirements will be important to fulfilling the agency's oversight
commitment. Taking such action would more fully address the intent of this
recommendation.

Regarding our recommendation to develop a plan for systemically analyzing
the results of air cargo compliance inspections, DHS stated that TSA has
taken steps to compile information results from past compliance
inspections and will analyze the results of its inspection activities to
target future inspections and develop systematic and localized corrective
action as appropriate. In addition, DHS stated that TSA recently formed an
advisory group to assist in developing the agency's annual compliance work
plan which will identify and direct further inspection efforts. If
properly implemented, these actions should address the intent of this
recommendation.

Concerning our recommendation to assess the effectiveness of enforcement
actions to ensure air carrier and indirect air carrier compliance with air
cargo security requirements, DHS stated that TSA will use compliance
inspection results generated by the PARIS database, in addition to
reviewing formal enforcement actions and adjudications rendered through
the legal process, to assess enforcement action effectiveness. Developing
specific details on how compliance inspection results will be evaluated to
determine the effectiveness of the agency's enforcement actions will be
necessary for the agency to ensure that these actions result in increased
air carrier and indirect air carrier compliance with air cargo security
requirements.

With regard to our recommendation to ensure that the data to be used in
the Freight Assessment System to identify elevated risk cargo are
complete, accurate, and current, DHS stated that TSA is developing a plan
to ensure the integrity of all data that will be used in the Freight
Assessment System. Specifically, TSA plans to implement a continuous
monitoring process to alert TSA of significant data changes to ensure that
the Freight Assessment System is provided with the most complete,
accurate, and current information. Additionally, DHS stated that TSA has
enlisted industry's assistance, through the Aviation Security Advisory
Committee, in the development of standards for shipment data. If properly
implemented, these actions should help ensure that the critical
information necessary to target elevated risk cargo for inspection will be
complete, accurate, and current.

DHS also offered technical comments and clarifications, which we have
considered and incorporated where appropriate.

As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will provide copies of this report
to the Secretary of the Department of Homeland Security, the Assistant
Secretary of the Transportation Security Administration, and interested
congressional committees.

If you have any further questions about this report, please contact me at
(202) 512-3404 or [email protected]. Key contributors to this report are
listed in appendix IX.

Sincerely,

Cathleen A. Berrick
Director, Homeland Security and Justice Issues

List of Congressional Requesters

The Honorable Tom Davis
Chairman
Committee on Government Reform
House of Representatives

The Honorable Peter T. King
Chairman
The Honorable Bennie G. Thompson
Ranking Minority Member
Committee on Homeland Security
House of Representatives

The Honorable Christopher Shays
Chairman
Subcommittee on National Security, Emerging Threats,
  and International Relations
Committee on Government Reform
House of Representatives

The Honorable Daniel E. Lungren
Chairman
The Honorable Loretta Sanchez
Ranking Minority Member
Subcommittee on Economic Security, Infrastructure
  Protection, and Cybersecurity
Committee on Homeland Security
House of Representatives

The Honorable Edward J. Markey
House of Representatives

Appendix I: Objectives, Scope, and Methodology

Our objectives were to answer the following questions: (1) To what extent
has the Transportation Security Administration (TSA) used a risk
management approach to guide decisions on securing air cargo? (2) What
actions has TSA taken to ensure the security of air cargo, and what
factors may limit their effectiveness? (3) What are TSA's plans for
enhancing air cargo security, and what financial, operational, and other
challenges do TSA and industry stakeholders face in implementing these
plans?

To answer these questions, we interviewed TSA headquarters officials
responsible for managing the agency's air cargo security program. We also
interviewed headquarters officials at the Department of Homeland
Security's (DHS) U.S. Customs and Border Protection (CBP), the Federal
Bureau of Investigation, and the United States Postal Service to obtain
information about their role in air cargo security. In addition, we
interviewed 48 air cargo industry stakeholders, including officials
representing 7 air carriers, 4 indirect air carriers, 12 airport
authorities, 16 associations representing airport operators, air carrier
pilots, indirect air carriers, passenger air carriers, all-cargo air
carriers, law enforcement agencies, and 9 air cargo security consultants
and experts. The majority of these industry stakeholders participated in
the Aviation Security Advisory Committee working groups that developed
recommendations for enhancing air cargo security. We also conducted site
visits at 12 United States commercial airports. 1 Because we selected a
nonprobability sample of airports, the results from these visits cannot be
generalized to other U.S. commercial airports. During our site visits, we
met with Federal Security Directors and inspections staff at each airport
and observed pilot testing of air cargo inspection technology, including
explosive detection systems at select airports. 2 We also met with CBP
officials at 4 of the airports we visited. 3 In addition, we met with
airport authorities at each airport we visited and interviewed air carrier
and indirect air carrier officials at several airports we visited.
Specifically, we interviewed officials from four passenger and three
all-cargo air carriers. To gain an understanding of current and planned
air cargo security requirements, we reviewed air cargo security-related
laws and regulations as well as TSA's air cargo security strategic plan
and proposed air cargo security rule. Moreover, we reviewed and analyzed
stakeholders' comments to TSA's proposed rule. We also reviewed reports on
air cargo security previously issued by GAO, the Congressional Research
Service, the Federal Aviation Administration, and the Department of
Transportation Inspector General. To determine the amount of air cargo
transported and the revenue that major, national, and large regional air
carriers received from transporting air cargo for the year 2004, we
obtained and reviewed information from TSA and the Department of
Transportation's Bureau of Transportation Statistics.

1 We selected 12 airports based on airport size, geographical dispersion,
and volume of cargo operations, based on cargo statistics prepared by an
industry stakeholder and the Federal Aviation Administration. Information
on the specific airports we visited is sensitive security information and
is listed in the restricted version of this report, GAO-05-446SU.

2 We observed testing of inspection technology pilot programs at Boston
Logan International Airport and Miami International Airport.

3 We met with CBP officials based on the volume of cargo operations at the
airports we visited in which CBP has a service port. A service port is a
CBP location that has a full range of cargo-processing functions,
including inspections, entry, collections, and verification. Information
on specific service ports we visited is sensitive security information and
is listed in the restricted version of this report, GAO-05-446SU.

To determine the extent to which TSA has used a risk management approach
to guide decisions on securing air cargo, we compared a synthesis of
government requirements and best practices that represents GAO's risk
management approach with TSA's efforts to implement such an approach.
Specifically, we focused on the strategic planning and objectives and risk
assessment elements of the risk management framework. To identify the
extent to which TSA's air cargo strategic goals and objectives support
broader departmental and agency strategic goals and objectives, we
reviewed and analyzed Department of Homeland Security and TSA strategic
planning documents, including TSA's Air Cargo Strategic Plan. Regarding
TSA's efforts to assess risk, we reviewed threat assessments prepared by
TSA in 2004 and 2005. We did not assess the quality of the threat
assessments completed. To obtain information on how threat information is
shared and TSA's efforts to address threats, we met with officials from
TSA's Transportation Security and Intelligence Service, Federal Bureau of
Investigation, and air cargo industry stakeholders. We also obtained these
stakeholders' views on the timeliness, specificity, and clarity of threat
information TSA disseminates.

To determine the actions TSA has taken to ensure the security of domestic
air cargo and the factors that may limit their effectiveness, we reviewed
and analyzed TSA security requirements including current air
cargo-related regulations, security directives, and program policies. In
addition, we reviewed the Aviation Security Advisory Working Group's
committee's recommendations to TSA, TSA's air cargo security strategic
plan, and TSA's proposed air cargo security rule to gain an understanding
of the similarities, differences, and weaknesses among these plans. We
also analyzed information on TSA's compliance testing program to determine
the agency's progress in evaluating existing air cargo security
requirements. Further, we reviewed TSA's compliance inspection process and
results to determine air carriers' and indirect air carriers' compliance
with existing air cargo security measures. Specifically, we reviewed TSA's
annual inspection plans for fiscal years 2004 and 2005 and available data
on the results of inspections, including civil penalties, conducted from
November 1, 2001, through January 31, 2005. To determine the percentage of
air cargo transported on passenger and all-cargo air carriers that is
exempt from TSA random inspection requirements, we used industry estimates
that a very small percentage of all cargo carried on passenger and
all-cargo air carriers is inspected. We assumed that passenger and
all-cargo air carriers were fully compliant with TSA random inspection
requirements in place as of May 2005.

To identify TSA's plans for enhancing air cargo security and the
financial, operational, and other challenges TSA and industry stakeholders
face in implementing air cargo security plans, we interviewed TSA and air
cargo industry stakeholders. In our discussions, we obtained their views
on the challenges related to developing and implementing air cargo
security enhancements, including air cargo inspection technologies. We
also reviewed TSA's proposed air cargo security rule and analyzed
stakeholders' comments to the rule to identify stakeholder concerns with
TSA's proposal. To identify the costs of implementing TSA's existing and
additional measures proposed to enhance air cargo, we analyzed TSA and
industry studies, models, and documents outlining the economic cost and
other challenges associated with implementing the proposed security
measures as well as other possible measures. Specifically, we reviewed
TSA's methodology, assumptions, and findings related to cost projections
and economic impacts associated with its proposed enhancements. To
determine how sensitive TSA cost estimates were to various cost
assumptions, we conducted Monte Carlo simulations. 4 We also interviewed
TSA's Director of Regulatory and Economic Analysis, who was responsible
for preparing the economic analysis of the proposed air cargo security
rule.

4 Our analysis was conducted using what is called Monte Carlo simulation,
which uses random numbers to measure the effects of uncertainty.

To obtain an understanding of TSA's efforts to develop a system to target
and inspect elevated risk cargo, we met with TSA and CBP officials who are
responsible for developing TSA's planned air cargo targeting and
inspection systems. We discussed TSA's development of the Freight
Assessment System, including its air cargo data systems that are to be
used to target elevated risk cargo. In addition we reviewed documentation
on CBP's policies and procedures for targeting elevated risk cargo as well
as its automated targeting system. In addition we observed CBP's targeting
efforts at its National Targeting Center. We did not assess the
effectiveness of CBP's targeting efforts. Regarding TSA's research and
development to identify inspection technology, we spoke with officials in
TSA's Chief Technology Office and reviewed TSA's research and development
plans, including the scope, methodology, and implementation time frames
and results of their pilot programs. We also reviewed private industry's
efforts to develop and test available inspection technologies. While we
did not assess the effectiveness of inspection technologies, we spoke with
TSA and private sector officials regarding the limitations of the
technology.

We conducted our work between June 2004 and September 2005 in accordance
with generally accepted government auditing standards. We issued a
restricted version of this report on July 29, 2005. 5 This report contains
information presented in that report with all sensitive security
information removed.

Data Reliability

To assess the reliability of TSA's data on the number, type, and location
of their compliance inspections, we (1) obtained data on TSA's compliance
inspection activities conducted from November 2001 to January 2005, (2)
discussed discrepancies identified through our review of the data with TSA
officials, and (3) obtained TSA headquarters' responses to our
questionnaire regarding the reliability of the data. Although our initial
reliability testing indicated that there were some inconsistencies in the
data provided by TSA, we were able to resolve most of the discrepancies.
For example, TSA inspection data did not include unique identification
numbers for each inspection. As a result, TSA data could have counted
duplicate inspections. We developed a methodology to count individual
inspections based on entity name, location of the facility, type of
inspection being conducted, inspector conducting the inspection, and the
date of the inspection. Further, we were unable to replicate the
methodology TSA used to group violation topics and to count the number of
violations for each topic in its reporting of high-risk violations from
January 1, 2003, to January 31, 2005, including violations identified as
"other" or violations for which no specific topic area was provided. We
interviewed TSA officials to discuss how the agency defines violations
identified as "other" and to what extent the agency will address
violations for which no specific topic area was identified.

5 GAO-05-446SU.

After reviewing the compliance data, we determined that the data were
reasonable for identifying general trends in TSA's inspection violations.
Additionally, we were unable to determine the number of indirect air
carrier facilities inspected from November 1, 2001, to September 30, 2004,
and we used TSA inspection data to provide a maximum range of indirect air
carrier facilities that TSA inspected for this time period. These
discrepancies, however, did not affect our overall findings related to the
compliance inspection data. Therefore, we determined that the compliance
inspection data were sufficiently reliable for use in supporting our
findings regarding TSA's efforts to monitor air carrier and indirect air
carrier compliance with air cargo security requirements. Further, TSA
provided us information on the number of civil penalty enforcement cases
recommended and issued from November 1, 2001, to January 31, 2005. We
discussed how these data were compiled and maintained with TSA officials
and determined that this information was sufficient for counting the
number of civil penalties recommended and issued for violations of air
cargo security requirements by air carriers and indirect air carriers.

Appendix II: Federal Agency Roles in Air Cargo Security

As part of the Aviation and Transportation Security Act, Congress gave the
Transportation Security Administration responsibility for ensuring the
security of cargo carried aboard passenger and all-cargo air carriers. In
addition to TSA, other federal agencies have a role in securing air cargo.
These roles cover a broad range of issues, including the enforcement of
import, export, customs, transportation, and economic and trade
regulations. For example, the Departments of Commerce, Homeland Security,
and the Treasury are responsible for oversight and enforcement of
international customs and trade laws. The United States Postal Service
also has responsibility for mail that is placed on an aircraft. Last, the
Department of Transportation has responsibility for, among other things,
ensuring the security of hazardous materials being transported on air
carriers. Table 4 describes federal agency roles in air cargo security.

Table 4: Federal Agency Roles in Air Cargo Security

Federal agency                Role in air cargo security

U.S. Customs and Border       CBP's mission is to prevent terrorists and
Protection (CBP)              terrorist weapons from entering the United
                              States. This involves security at and between
                              United States ports of entry, as well as its
                              security zone beyond its physical borders. To
                              stop terrorists and terrorist weapons from
                              entering United States borders, CBP screens
                              air cargo data prior to the air carrier's
                              arrival at a United States airport in order
                              to target the use of domestically based
                              technologies, physical inspection methods,
                              and inspection staff against high-risk
                              shipments.

United States Postal Service  USPS has an Aviation Security Program that
(USPS)                        incorporates TSA's security regulations to
                              secure mail that is being transported via
                              surface and air.

Department of Transportation  DOT, through the Federal Aviation
(DOT)                         Administration, regulates the transportation
                              of hazardous materials and other cargo by air
                              and through the Innovative Technology
                              Administration is responsible for developing,
                              managing, and evaluating programs and
                              research activities for the security of
                              passengers and cargo in the transportation
                              system.

Department of the Treasury    The Office of Foreign Assets Control (OFAC)
                              of the U.S. Department of the Treasury
                              administers and enforces economic and trade
                              sanctions based on United States foreign
                              policy and national security goals against
                              targeted foreign countries, terrorists,
                              international narcotics traffickers, and
                              those engaged in activities related to the
                              proliferation of weapons of mass destruction.
                              United States air carriers and indirect air
                              carriers are not permitted to conduct
                              business with businesses and individuals
                              banned by OFAC.

Department of Commerce (DOC)  Air cargo is subject to DOC jurisdiction to
                              the extent the cargo or the aircraft are
                              subject to export controls, i.e., the Export
                              Administration Regulations (EAR). The export
                              control provisions of the EAR are intended to
                              serve the national security, foreign policy,
                              nonproliferation, and short supply interests
                              of the United States.

Source: GAO prepared based on review of other federal agencies' roles in air
cargo security.

Appendix III: Timeline of Significant Events Related to Air Cargo Security

The following timeline reflects significant events in air cargo security
following the terrorist attacks in the United States involving four jet
airliners on September 11, 2001. These key events include the enactment of
the Aviation and Transportation Security Act; the development of the Known
Shipper database; additional TSA air cargo security requirements; three
reported incidences of stowaways; the release of the Air Cargo Security
Strategic Plan; release of the air cargo security proposed rule; and
initial development of TSA's air cargo targeting system. The timeline also
includes established time frames for issuing the final air cargo security
rule and the commencement of the air cargo targeting system pilot.

     Figure 5: Timeline of Significant Events Related to Air Cargo Security

[Timeline graphic covering 2001 through 2006; not reproduced in this text
version.]

                                  Source: GAO.

Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group

American Association of Airport Executives (AAAE)
Air Courier Conference of America (ACCA)
Airports Council International-North America (ACI-NA)
Air France (AF)
Association of Flight Attendants (AFA)
Air Forwarders Association (AFA)
Airport Law Enforcement Action Network (ALEAN)
Air Line Pilots Association (ALPA)
Allied Pilots Association (APA)
Air Transport Association (ATA)
American Trucking Associations (ATruckA)
British Airways (BA)
Cargo Airline Association (CAA)
Coalition of Airline Pilots Association (CAPA)
U.S. Customs and Border Protection (CBP)
Federal Aviation Administration (FAA)
Federal Bureau of Investigation (FBI)
International Airline Passenger Association (IAPA)
Lufthansa Airlines (LCAG)
National Air Carrier Association (NACA)
National Air Transportation Association (NATA)
National Customs Brokers and Forwarders Association of America (NCBFAA)
National Industrial Transportation League (NITL)
Regional Airline Association (RAA)
Transportation Intermediaries Association (TIA)
United States Postal Service (USPS)
Victims of Pan Am Flight 103

Appendix V: Testing Explosive Detection System Technologies for Inspecting Air
Cargo

TSA began phase I testing to evaluate the effectiveness of explosive
detection system (EDS) (technologies currently certified for use in
inspecting passenger baggage) to screen air cargo in January 2004 at 6
airports. 1 According to TSA, the objectives of phase I of the pilot were
to determine the expected performance of the explosive detection system
for inspecting outbound break bulk air cargo onboard commercial air
carriers for the threat of improvised explosive devices (IED) within the
air cargo operational environment, examine the resource requirements
(including manpower and support equipment) that could be expected with
deployment of EDS in the cargo environment, and examine the potential
effect on air cargo operations. Figure 6 shows explosive detection system
technology being used to screen break bulk cargo as part of TSA's pilot
test. 2

1 Phase I testing of the EDS pilot program took place at Ted Stevens
Anchorage International Airport, Atlanta Hartsfield-Jackson International
Airport, Chicago O'Hare International Airport, Dallas Fort Worth
International Airport, Los Angeles International Airport, and Miami
International Airport.

2 The fiscal year 2006 Department of Homeland Security appropriations bill,
H.R. 2360, as passed by the House of Representatives on May 17, 2005,
proposes to require that TSA utilize existing checked baggage explosive
detection equipment and screeners to screen cargo carried on passenger
aircraft to the greatest extent practical, and would require that TSA
report monthly on the amount of cargo screened by TSA. The Senate version
of the bill, passed on July 14, 2005, proposes to direct that DHS
research, develop, and procure certified systems to screen air cargo on
passenger aircraft at the earliest date possible.

              Figure 6: EDS Technology Inspecting Break Bulk Cargo

Source: TSA.

In August 2004, TSA began phase II of the EDS pilot at 6 additional
airports. Phase II operational testing studied the effectiveness of EDS
technologies by two vendors in the following cargo environments and cargo
configurations: mail screening, all-cargo aircraft, and break bulk.
According to TSA, the 12 airports selected for phases I and II of the
pilot program were based on variances in the type and volume of cargo
being transported as well as differences in climatic and environmental
conditions. Although TSA has not yet finalized its evaluation of the
results of the EDS pilot, agency officials stated that preliminary data
suggest that EDS technology is well suited to inspect break bulk cargo
under a range of environmental and climatic conditions, but limitations
exist with using such technology. TSA officials noted that such
limitations would be discussed in its final evaluation report of the EDS
pilot.

According to TSA, the report for phase II testing will be finalized in
July 2005. Based on the results of the tests, TSA has extended the use of
EDS for an additional year. TSA stated that during the extended field
tests, the air carriers will screen break bulk air cargo using EDS.

Appendix VI: Testing the Use of TSA-Certified Explosives Detection Canine Teams

The objective of the first phase of the pilot was to assess the
performance and determine the effectiveness of TSA-certified explosives
detection canine teams when used to inspect three air cargo configurations
(break bulk, palletized, and cookie sheet) under operational conditions.
This pilot test was conducted at six airports over the course of 6 weeks
and involved 18 TSA-certified explosives detection canine teams. According
to TSA's evaluation report of the pilot issued in October 2004, the
average detection rates were relatively high for break bulk cargo,
palletized configurations, and cookie sheet configurations. According to
TSA, the results of this study can be used to draw a number of conclusions
regarding the use of TSA-certified explosives detection canine teams to
inspect break bulk, palletized, and cookie sheet configurations. Overall,
the data suggest that even without prior training, the teams performed
well on all three cargo configurations. This illustrates the teams'
abilities to adapt to new and different environments and tasks.

The second phase of the canine cargo inspection operational test and
evaluation was conducted at six additional airports and involved 18
TSA-certified explosives detection canine teams. The objective of this
phase of the pilot was to determine and examine the effectiveness of
TSA-certified canine teams in inspecting additional air cargo
configurations (break bulk, containers, and ground support equipment) and
two United States Postal Service mail configurations (break bulk and
rolling stock equipment). 1 According to the pilot program's evaluation
report, issued in November 2004, the observed detection rates were
relatively high for break bulk cargo, containers, and ground support
equipment. Overall, the data suggest that even without prior training, the
canine teams performed reasonably well, illustrating the ability of the
teams to adapt to new and different environments and tasks. According to
TSA officials, the results of both phases of the pilot program
demonstrated that canines offer promising alternatives to inspecting air
cargo.

1 Ground support equipment is a wheeled cart, maneuvered by airline tugs,
used to move air cargo between airline cargo facilities and aircraft.
Rolling stock equipment is a bulk mail container used to transport mail
sacks and outside packages from a mail facility to the airline mail
screening location and then to the aircraft.

Appendix VII: New Technologies Selected by TSA for Further Development and
Testing


                                                                                 Estimated length of
                                                                                 time needed for
                           Items to be                                           completing
Technology name            inspected    Technology description                   technology testing

XR/PFNA X-ray combined     Cargo        Uses a beam of neutrons to excite        24 months
with pulsed fast neutron                common elements (hydrogen, carbon,
analysis as a                           nitrogen, and oxygen) in cargo and
confirmation system                     generates a three-dimensional map of
                                        the elements from which explosives and
                                        drugs can be detected and located. In
                                        September 2004, Total cost of the
                                        project is $12 million.

Miniature explosives and   Cargo        Utilizes sensors based on Micro Electro  24 months
toxic chemical detector                 Mechanical Systems (MEMS) technology to
                                        detect traces of explosives and toxic
                                        chemicals.

Pressure-activated         Cargo/mail   Items are placed inside a steel          24 months
sampling system                         pressure vessel. The chamber is then
                                        pressurized, allowing the air to be
                                        forced into the package contents. The
                                        air exhaust is then sampled and
                                        analyzed using an approved trace
                                        detector.

Low-cost Quadruple         Cargo        A container placed on the transport      22 months
Resonance (QR) explosives               mechanism will be automatically moved
detection for                           into the scanning chamber, positioned,
containerized air cargo                 and examined by QR and trace detection
                                        technologies.

Megavolt computed          Cargo        Uses high-energy computed tomography to  24 months
tomography for air cargo                generate high-resolution,
container inspection                    three-dimensional images of oversized
                                        boxes, palletized cargo, and cargo
                                        containers. This system is based on the
                                        same principles as those employed for
                                        checked luggage, but is large enough to
                                        inspect air cargo containers.

Neutron resonance          Cargo        An imaging system that uses medium       25 months
radiography for                         energy neutrons to effectively measure
containerized cargo                     the neutron absorption through thick
inspection                              objects and determine the relative
                                        concentrations of different materials
                                        from which explosives can be detected
                                        in air cargo containers with checked
                                        baggage or mail as contents.

Mail inspection sensor     Mail         A detection method based on the highly   24 months
system based on micro                   sensitive micro cantilever sensors that
cantilevers                             can detect explosives in mail at an
                                        estimated rate of 300 pieces of mail
                                        per hour.

Terahertz                  Cargo      Combines a particle and      24 months
spectrometer-based                    vapor sampling system with a
trace detection system for            Terahertz detector, which
cargo                                 will analyze trace residues
                                      based on their rotational
                                      spectra.
Material specific          Cargo/mail Accurately measures the      22 months
explosives and                        elements and their ratios in
nuclear material detection            a container. The elemental
system                                densities are used to
for cargo and United                  indicate the presence of
States mail                           explosives and other
                                      contraband.

                                  Source: TSA.

        Appendix VIII: Comments from the Department of Homeland Security

Appendix IX: GAO Contacts and Staff Acknowledgments

  Contacts

Cathleen A. Berrick, (202) 512-8777

In addition to those named above, John C. Hansen, Assistant Director; Leo
Barbour; C. Jenna Battcher; Charles W. Bausell; Katherine Davis; Scott
Farrow; Stanley J. Kostyla; Tom Lombardi; Jeremy Manion; Steve Morris; Meg
Ullengren; and Nicolas Zitelli made key contributions to this report.

(440449)

  GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

                             Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

  To Report Fraud, Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

  Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

  Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
