Maritime Security: Coast Guard Inspections Identify and Correct  
Facility Deficiencies, but More Analysis Needed of Program's	 
Staffing, Practices, and Data (14-FEB-08, GAO-08-12).		 
                                                                 
To help secure the nation's ports against a terrorist attack,	 
federal regulations have required cargo and other maritime	 
facilities to have security plans in place since July 2004. U.S  
Coast Guard (USCG) guidance calls for an annual inspection to	 
ensure that plans are being followed. Federal law enacted in	 
October 2006 required such facilities to be inspected two times a
year--one of which is to be conducted unannounced. The USCG plans
to conduct one announced inspection and the other as a less	 
comprehensive unannounced "spot check." GAO examined the extent  
to which the USCG (1) has met inspection requirements and found  
facilities to be complying with their plans, (2) has determined  
the availability of trained personnel to meet current and future 
facility inspection requirements, and (3) has assessed the	 
effectiveness of its facility inspection program and ensured that
program compliance data collected and reported are reliable. GAO 
analyzed USCG compliance data, interviewed inspectors and other  
stakeholders in 7 of 35 USCG sectors of varying size, geographic 
location, and type of waterway. 				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-12						        
    ACCNO:   A80790						        
  TITLE:     Maritime Security: Coast Guard Inspections Identify and  
Correct Facility Deficiencies, but More Analysis Needed of	 
Program's Staffing, Practices, and Data 			 
     DATE:   02/14/2008 
  SUBJECT:   Access control					 
	     Coast Guard personnel				 
	     Data integrity					 
	     Documentation					 
	     Emergency response plans				 
	     Facility security					 
	     Federal facilities 				 
	     Homeland security					 
	     Inspection 					 
	     Internal controls					 
	     Investigations by federal agencies 		 
	     Maritime security					 
	     Personnel management				 
	     Port security					 
	     Program evaluation 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-12

   

     * [1]Results in Brief
     * [2]Background

          * [3]MTSA Establishes Security Measures for Maritime Facilities
          * [4]MISLE Database Adapted to Capture MTSA Compliance Data

     * [5]Whether All Facility Inspections Requirements Were Met Is No

          * [6]Coast Guard Officials Report Annual Exams and Spot Checks Ha
          * [7]Deficiencies Identified in about One-Third of Facilities and

               * [8]Facility Deficiencies Were Concentrated in Five
                 Deficiency C
               * [9]Informal Enforcement Actions Generally Used for
                 Deficiencies

     * [10]Data Used in Coast Guard's Assessments of Number of Inspecto

          * [11]Coast Guard Believes It Has Sufficient Inspectors, but Its E
          * [12]Extent to Which Inspectors Are Available for Inspection Duti
          * [13]Spot Check Guidance May Affect the Sufficiency of Inspectors

     * [14]The Coast Guard Has Not Evaluated Its Facility Oversight Pro

          * [15]The Coast Guard Has Not Evaluated the Effectiveness of Overs
          * [16]Database Limitations Hinder Compliance Monitoring and Progra

               * [17]Reporting of MTSA Compliance Activities Could Not Be
                 Replica
               * [18]The Coast Guard Has Taken Some Action to Improve MISLE

     * [19]Conclusions
     * [20]Recommendations for Executive Action
     * [21]Agency Comments
     * [22]GAO Contact
     * [23]Acknowledgments
     * [24]GAO's Mission
     * [25]Obtaining Copies of GAO Reports and Testimony

          * [26]Order by Mail or Phone

     * [27]To Report Fraud, Waste, and Abuse in Federal Programs
     * [28]Congressional Relations
     * [29]Public Affairs
     * [30]Ordering Information.pdf

          * [31]Order by Mail or Phone

Report to the Committee on Commerce, Science and Transportation, U.S.
Senate

United States Government Accountability Office

GAO

February 2008

MARITIME SECURITY

Coast Guard Inspections Identify and Correct Facility Deficiencies, but
More Analysis Needed of Program's Staffing, Practices, and Data

GAO-08-12

Contents

Letter 1

Results in Brief 4
Background 6
Whether All Facility Inspections Requirements Were Met Is Not Clear, but
Those Conducted Identified Deficiencies with Facility Compliance in about
One-Third of All Inspections 9
Data Used in Coast Guard's Assessments of Number of Inspectors Needed Were
Limited and Results Could Be Affected by Additional Factors 20
The Coast Guard Has Not Evaluated Its Facility Oversight Program, and
Problems with Data Complicate Its Ability to Do So 28
Conclusions 38
Recommendations for Executive Action 39
Agency Comments 39
Appendix I Objective, Scope, and Methodology 41
Appendix II Total Nationwide Facility Deficiencies for 2004, 2005, and
2006 by MTSA Regulatory Citation 45
Appendix III GAO Contact and Staff Acknowledgments 50
GAO Related Products 51

Tables

Table 1: Deficiency Narrative Examples in 2006 from Selected Sectors
Visited by GAO in the Top Two Nationwide Deficiency Categories 15
Table 2: Top Five Facility Deficiencies Recorded Nationwide in 2006 18
Table 3: 2006 Nationwide Enforcement Actions Recorded for Top Five
Deficiencies and All Deficiencies 19
Table 4: 2006 Enforcement Actions Recorded in Selected Sectors for Top
Five Recorded Deficiencies 20
Table 5: Total Nationwide Facility Deficiencies for 2004-2006 by MTSA
Regulation Citation 45

Figures

Figure 1: Example of Activities Entered into the Coast Guard's MISLE
Database 9
Figure 2: Recorded Security Spot Checks Performed by the Coast Guard in
2004, 2005, and 2006 and Number of Facilities Receiving Spot Checks 12
Figure 3: Facility Deficiencies Identified in 2006 by Coast Guard
Inspections 14
Figure 4: Example of Neighboring Facility Conditions Facilitating Entry
into a MTSA-Regulated Facility 16
Figure 5: Examples of Other Inspector Responsibilities--Harbor Patrols and
Cargo Inspections 24
Figure 6: Annual Compliance Exam Numbers in Coast Guard's Annual Report to
Congress and GAO Analysis of MISLE Data 35

Abbreviations

DHS Department of Homeland Security
FSO Facility Security Officer
FSP Facility Security Plan
MISLE Maritime Information for Safety & Law Enforcement
MTSA Maritime Transportation Security Act of 2002
OMB Office of Management and Budget
Results Act Government Performance and Results Act
SAFE Port Act Security and Accountability for Every Port Act of 2006

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

February 14, 2008

The Honorable Senator Daniel Inouye: 
Chairman: 
The Honorable Ted Stevens: 
Vice Chairman: 
Committee on Commerce, Science and Transportation: 
United States Senate: 

The security of more than 3,200 terminals, chemical plants, factories, and
power plants plays an important role in the protection of our nation's
ports. Ports and waterways represent attractive targets for terrorist
attack, given their importance to the economy, abundance of specific
targets, proximity to large populations, and accessibility by water and
land. To reduce the opportunity for terrorists to exploit security
vulnerabilities, as well as to help minimize the effects of accidents or
natural disasters, facilities are required to implement security plans to
maintain physical, passenger, cargo, and personnel security and may
utilize measures such as fences, security guards, and monitoring
activities using cameras. Efficiently implementing such plans can reduce
the potential for unauthorized entry and help prevent vulnerabilities from
being exploited to kill people, cause environmental damage, or disrupt
transportation systems and the economy.

Much of the federal framework for port security is contained in the
Maritime Transportation Security Act of 2002 (MTSA).^1 MTSA establishes
requirements for various layers of maritime security, including requiring
a national security plan, area security plans, and facility and vessel
security plans. ^2 The act calls for various types of facilities to
develop and implement a security plan, and it places federal
responsibility for approving and overseeing these plans with the
Department of Homeland Security (DHS). DHS has placed lead responsibility
for this and other MTSA requirements with the U.S. Coast Guard. Subsequent
Coast Guard guidance in 2003-2004 called for conducting annual on-site
inspections to verify a facility's compliance with its security plan. The
guidance also calls for the Coast Guard to provide additional oversight at
any time based on perceived risk.

^1 Pub L. No. 107-295, 116 Stat. 2064 (2002).

^2 In this report, we refer to facilities subject to MTSA regulation
collectively as "MTSA facilities." MTSA also required certain vessels to
have a security plan. Vessel security plans are not discussed in this
report.

In 2004 we reviewed the implementation of these and other MTSA
provisions.^3 We reported that facility owners and operators had made
progress in developing their security plans but expressed concerns about
challenges the Coast Guard faced in ensuring enough well-trained
inspectors and equipping them with adequate guidance to conduct thorough,
consistent reviews. We reported that the Coast Guard was in an initial
"surge" period during which it had to cope with reviewing security plans
submitted at the time for more than 3,000 facilities and over 9,000
vessels. We recommended that after this initial 6-month period, the Coast
Guard use the experience to evaluate its initial compliance strategy and
take steps to strength the compliance process for the long term.

Since 2004, requirements for inspecting maritime facilities have
increased. The Security and Accountability For Every Port Act (SAFE Port
Act), enacted in October 2006, among other things, amended MTSA to direct
the Coast Guard to inspect facility compliance with its approved facility
security plan periodically, but not less than two times per year, at least
one of which shall be an inspection of the facility that is conducted
without notice to the facility.^4 Thus, in effect, under the SAFE Port Act
maritime facility inspection requirements, in addition to an annual
inspection, the Coast Guard is also required to make a second unannounced
inspection of each MTSA facility.^5

You asked us to review the Coast Guard's progress in dealing with these
expanded inspection requirements and developing a sound oversight
strategy. This report addresses the extent to which the Coast Guard

^3 GAO, Maritime Security: Substantial Work Remains to Translate New
Planning Requirements into Effective Port Security, [32]GAO-04-838
(Washington, D.C.: June 2004).

^4 Pub. L. No. 109-347, 120 Stat. 1884, 1888 (2006). The act stipulated
that this inspection requirement was subject to the availability of
appropriations. From fiscal year 2007 DHS appropriations, $4.5 million has
been allocated to implement the unannounced inspection requirement.

^5 In this report we refer to two types of inspections to ensure facility
compliance with their approved security plan. We use the terms annual
compliance exam, or annual exam to indicate a comprehensive annual
inspection of a facility. The annual exam is pre-scheduled with facilities
(announced) unless otherwise indicated. We use the term security "spot
check" adopted by the Coast Guard to refer to an unannounced inspection of
facility compliance less comprehensive than the annual exam.

           o has met its maritime facility inspection requirements and has
           found facilities to be in compliance with their security plans,

           o has determined the availability of trained personnel to meet
           current and future facility inspection requirements, and

           o has assessed the effectiveness of its MTSA facility oversight
           program and ensured that program compliance data collected and
           reported are reliable.

To address these questions, we conducted work at Coast Guard headquarters
and at various ports in seven of the Coast Guard's 35 sectors.^6 Within
each sector, we interviewed Coast Guard officials and inspectors, facility
security officials at 29 selected MTSA facilities, and other port
stakeholders. We obtained and analyzed data from 2004-2006 on Coast
Guard's facility compliance activities from the Marine Information for
Safety and Law Enforcement (MISLE) database, which is the agency's primary
data system for documenting facility oversight and other activities. As
discussed later in this report, we identified some problems with the data,
and worked with agency officials to address these problems to the extent
possible. To assess the reliability of the data, we (1) performed
electronic testing for obvious errors in accuracy and completeness;(2)
reviewed related documentation, such as guidance for entering data in
MISLE; and (3) held meetings and exchanged correspondence with Coast Guard
information systems officials to discuss data entry and analysis and
ensure correct identification of specific data fields. We removed 77
records that Coast Guard indicated to be duplicate records, created a
dataset linking deficiencies and enforcement actions and worked with Coast
Guard to reduce data inconsistencies, and created a new "Sector" field
based on Coast Guard identification of the appropriate sector. Based on
the steps we took to assess data reliability and our work with Coast Guard
officials to resolve problems with the data, we found the data to be
sufficiently reliable to provide a general indication of Coast Guard
compliance activities. We also reviewed a variety of documents, such as
pertinent MTSA provisions, as amended, and their implementing regulations,
Coast Guard circulars, and reports related to port security. A more
detailed description of our scope and methodology is contained in appendix
I.

^6 Coast Guard completed realignment of its field structure in 2006 into
35 sectors based on existing Captain of the Port boundaries. Sectors
combine legacy Marine Safety Offices, Groups, Vessel Traffic Services, and
some Air Stations into a unified command structure. These seven sectors
were selected to reflect diversity in size, type of waterway, and
geographic location, and facilities were selected to reflect sector
diversity. Information on Coast Guard's inspection program from these
sectors cannot be generalized to all Coast Guard sectors.

We conducted this performance audit from May 2006 through February 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.

Results in Brief

Although the Coast Guard has conducted thousands of inspections at MTSA
facilities and identified facility deficiencies in about one-third of
those inspections, we could not confirm whether the Coast Guard has
fulfilled its annual compliance exam requirement each year because the
Coast Guard's database cannot identify all regulated facilities in prior
years that the Coast Guard was required to have inspected. Based on the
number of facility security plans approved by the Coast Guard, officials
estimated that about 3,200 facilities require inspection. Coast Guard
compliance records indicate 2,126 annual inspections were conducted in
2006. Headquarters officials said field units reported that all required
facility annual inspections were conducted, as did officials in the seven
sectors we visited. However, officials also stated that some inspections
conducted may not have been recorded, or inspections were delayed beyond
the end of the year by staff being diverted for higher-priority missions,
such as natural disasters. In addition to the annual exam, our analysis
shows that Coast Guard units had been performing spot checks prior to the
SAFE Port Act's passage, but not at all facilities. In calendar year 2006,
for example, the Coast Guard conducted about 4,500 spot checks at about
1,200 MTSA facilities. The top categories of deficiencies, collectively
accounting for about 35 percent of all recorded deficiencies in 2006, were
access controls (such as unlocked gates) and documentation (such as not
recording a security exercise). In over 80 percent of the cases,
deficiencies were resolved by facility operators without the Coast Guard
applying formal action, such as a written warning or fine. Our analysis
showed differences in the extent to which individual Coast Guard units
took formal enforcement actions.

The Coast Guard believes it has sufficient numbers of inspectors to
conduct all required inspections, but additional factors could affect the
Coast Guard's estimates of the number of inspectors needed. Headquarters
officials said their assessments of the number of inspectors needed were
based largely on estimates of such things as number of facilities and time
needed to conduct inspections. Coast Guard headquarters has not assessed
the reliability of these estimates and our field visits identified two
potential factors that were not taken into account in making these
estimates. First, staff assigned to inspector positions may not be
available full time to conduct security inspections because they have
other responsibilities. In all seven sectors we visited, inspectors said
they had other duties--such as inspecting cargo or monitoring safety and
pollution incidents. However, the Coast Guard does not have data on how
inspectors' time is allocated. In four of these sectors, inspectors
reported to us that meeting the combined responsibilities was a challenge
that could affect their ability to conduct all required inspections.
Second, inspection requirements themselves have recently changed, and
these changes could affect the amount of time needed to complete
inspections. Until recently, the Coast Guard did not have guidance
specifying how spot checks were to be conducted. We found considerable
variation among sectors in the extensiveness of these spot checks. Some
units, for example, counted visual drive-bys as spot checks, while others
required an on-site presence. As our fieldwork was being completed, the
Coast Guard issued guidance calling for a more detailed review than took
place for some spot checks in the past. Coast Guard officials did not know
what effect these new inspection requirements will have on the inspection
workload.

The Coast Guard has not assessed the effectiveness of its facility
oversight program, and flaws in data in MISLE, the Coast Guard's main
database for inspections, limit the Coast Guard's ability to accurately
portray and appropriately target oversight activities. Basic guidance
provided by headquarters officials grants considerable discretion to local
Coast Guard units in deciding how to conduct facility oversight--for
example, deciding whether a fine is warranted. The Coast Guard has little
or no information, however, on which approaches work better than others.
Our past work has shown that high-performing organizations continuously
assess their performance with information about results based on their
activities. The Coast Guard is limited in its ability to accurately assess
facility oversight activities because its MISLE database suffers from such
problems as missing, duplicate, and inconsistent compliance activity data.
Accurate and complete data are a key component of any assessment of
compliance activities and for management purposes at both the headquarters
and local levels. Compliance data flaws make it difficult to produce
consistent statistics important for an overall assessment of facility
oversight activities and to conduct critical analyses. For example,
officials in the seven Coast Guard sectors we visited said that although
MISLE data are useful in tracking an individual facility's performance,
the data are of limited use in creating useful and reliable reports across
multiple facilities. At the headquarters level, the Coast Guard is
hampered in evaluating compliance activities, such as comparing the extent
to which various units levy fines or discover various types of
deficiencies. Recent Coast Guard guidance calls for improved MISLE data
entry; however, changes made as a result of the guidance are not yet
known, and the guidance does not address other MISLE compliance data flaws
such as lack of consistency in the data.

We recommend that the Secretary of the Department of Homeland Security
direct the Coast Guard to improve its facility inspection program.
Specifically, we recommend that the Coast Guard be directed to:

           o reassess the adequacy of staff to complete required inspections
           in light of changing inspection guidance regarding how inspections
           are conducted,

           o assess the effectiveness of differences in program
           implementation, and

           o assess its MISLE compliance data reliability and identify
           strategies for more effective use of the data.

The Department of Homeland Security concurred with our recommendations.

Background

The importance and potential vulnerability of our nation's ports are well
documented. National ports and waterways are responsible for moving over
99 percent of the volume of overseas cargo, with over $5.5 billion worth
of goods moving in and out of U.S. ports every day, according to the
American Association of Port Authorities. With more than half of the crude
oil and all of the liquefied natural gas used in the country in 2005, any
disruption in the flow of commerce could have major economic consequences.
As vital as ports are to the country, they are susceptible to terrorist
acts due to their size and openness--easily accessible by water and land
and are attractive targets given the proximity of many ports to urban
areas and collocation with power plants, oil refineries, and other energy
facilities.

Efforts to address port vulnerabilities face the challenge of having to
consider the impact that an increase in security may have on the operation
of commerce and the impact on maritime facility operators of costly
security requirements. Particularly with "just in time" deliveries, which
rely on the quick movement of goods, steps added to the process to
increase security may have economic consequences.^7 Actions to improve
security are undertaken with the knowledge that total security cannot be
bought no matter how much is spent on it because of the difficulty of
anticipating and addressing all security concerns.

MTSA Establishes Security Measures for Maritime Facilities

MTSA established a framework to help protect the nation's ports and
waterways from terrorist attacks by mandating a wide range of security
improvements. Among the major requirements included in MTSA were those
related to facilities located in, on, under or adjacent to waters subject
to the jurisdiction of the United States that the Secretary of DHS
believes may be involved in a transportation security incident.^8 MTSA and
Coast Guard implementing regulations establish requirements for owners and
operators currently at about 3,200 select port facilities.^9 In general,
facilities that receive vessels that carry large or hazardous cargo,
vessels subject to international maritime security standards, selected
barges, and passenger vessels certified to carry more than 150 passengers
are subject to MTSA regulations.

Owners or operators of facilities subject to MTSA regulations (MTSA
facilities) were required, among other things, to designate a Facility
Security Officer (FSO), ensure that a facility security risk assessment
was conducted, and ensure that a facility security plan was approved and
implemented. The basic aim of such plans is to develop measures to
mitigate potential vulnerabilities that could otherwise be exploited to
kill people, cause environmental damage, or disrupt transportation systems
and the economy. Facility Security Plans (FSP) encompass a range of
security activities, such as access controls and security training to
prevent a security incident. MTSA and its regulations set out requirements
that are performance-based rather than requiring specific procedures or
equipment, thus allowing flexibility for meeting the law's requirements.
For example, a facility's plan must include measures to control access to
the facility, but how access should be specifically controlled is not
mandated by MTSA or its implementing regulations.

^7 The concern with the cost to facility operators was considered when
MTSA regulations were drafted, and grant funding was made available to
support some facilities with security improvements.

^8 Other MTSA requirements included vulnerability assessments for ports
and vessels, developing a maritime transportation security card to help
control access to secure areas, and establishing a process for assessing
foreign ports from which vessels depart for the United States.

^9 See, e.g., 33 C.F.R. Chapter 1, Subchapter H. Vessels regulated under
MTSA regulations include for example, specified types of cargo ships,
ferries, and tugs and barges.

The Coast Guard is largely responsible for administering MTSA
requirements. For facilities, in addition to issuing regulations, the
Coast Guard is responsible for review and approval of facility security
plans, ensuring that facilities implement the plans, verifying that
facilities continue to adhere to their plans, and for re-approving
facility security plans periodically, which were established by Coast
Guard regulations as valid for 5 years. The Coast Guard reported that
security plans required for over 3,000 MTSA facilities as of July 1, 2004
were approved, and that it had verified that these plans were in place by
December 31, 2004. With the 5-year approval of facility security plans
complete, the focus shifted to ensuring continued compliance with security
measures that have been implemented.

We reviewed the Coast Guard's early MTSA implementation and identified
short- and long-term challenges to the Coast Guard's May 2004 strategy for
monitoring and overseeing security plan implementation. Key concerns were
how the Coast Guard planned to ensure that enough inspectors were
available, that they would have a training program sufficient to overcome
major differences in inspector experience levels, and that inspectors
would be equipped with adequate guidance to help conduct thorough,
consistent reviews. Further, we reported that the Coast Guard faced the
challenge of ensuring that owners and operators continue implementing
their plans and do not mask security problems in ways that do not
represent the normal course of business. In this regard, our work has
shown that there are options the Coast Guard could consider beyond
regularly scheduled visits, such as unscheduled, unannounced visits, and
covert testing. We recommended that the Coast Guard evaluate its initial
compliance efforts and use the information to strengthen the compliance
process for its long-term strategy.

MISLE Database Adapted to Capture MTSA Compliance Data

Coast Guard activities related to MTSA facility security plan approval and
facility oversight are captured in the Coast Guard's MISLE database. MISLE
began operating in December 2001 as the Coast Guard's primary data system
for documenting marine safety and environmental protection activities.
Storage of data on MTSA facility oversight and that of other Coast Guard
activities, such as vessel boardings and incident response have since been
added. The purpose of MISLE is to provide the capability to collect,
maintain, and retrieve information necessary for the administration,
management and documentation of Coast Guard activities. Data on facilities
are entered by inspectors on an intranet website using dropdown menus and
narrative fields related to a specific compliance activity. The
information maintained in MISLE is varied, as shown by the entry screen
reproduced in figure 1.

Figure 1: Example of Activities Entered into the Coast Guard's MISLE
Database

Whether All Facility Inspections Requirements Were Met Is Not Clear, but Those
Conducted Identified Deficiencies with Facility Compliance in about One-Third of
All Inspections

Limitations in Coast Guard's compliance database preclude it from being
able to document whether all facilities received an annual exam each year.
Coast Guard officials said field units report that they are meeting their
inspection requirements, but inspections may not be documented in the
compliance database, or inspections may have been delayed by staff being
diverted to meet higher-priority needs. The available data indicate that
the Coast Guard also conducted many spot checks, but prior to the SAFE
Port Act's requirement for an annual unannounced inspection of each
facility, these spot checks were concentrated in about one-third of
regulated facilities. The types of deficiencies identified most often
during annual exams and spot checks fell into five main categories, with
the top two categories--not adhering to facility plans regarding access
controls (such as gates and fences) and lack of documentation (such as no
record of drills) accounting for over a third of deficiencies. Relatively
few facilities in the Coast Guard sectors we visited had many or
substantial deficiencies, and Coast Guard officials provided anecdotal
evidence that security had generally improved over time. The Coast Guard
sectors varied in the extent to which they resolved deficiencies using
formal enforcement actions such as written warnings or fines, although
overall over 80 percent of deficiencies were resolved without formal
actions.

Coast Guard Officials Report Annual Exams and Spot Checks Have Been Conducted,
but Extent to Which All Regulated Facilities Have Received Both Inspections
Cannot Be Documented

Coast Guard officials at headquarters and the sectors we visited reported
MTSA facilities subject to maritime facility inspection requirements were
being inspected. At sectors we visited, Coast Guard officials based this
assessment on data from MISLE supplemented by knowledge of facilities
under their jurisdiction.^10 Sector officials, like headquarters
officials, cannot use MISLE to identify all facilities that were subject
to inspection because of flaws in the MISLE database. Some sectors
mentioned that they also maintained local spreadsheets documenting exams.
Headquarters officials said that they based their assessment on
information requested from field units regarding whether the units were
meeting annual exam requirements, although they acknowledged that there
were some situations in which annual inspections might not have been
conducted within the year. Reasons this official and others cited for some
facilities possibly not receiving an exam during 2006 included the
following:

           o Inspectors were diverted to a higher-priority mission. Officials
           said that activities conducted after Hurricanes Rita and Katrina
           disrupted inspection activities in the areas affected by the
           hurricanes and diverted Coast Guard resources from other regions.
           In the Upper Mississippi River sector, officials similarly
           reported inspectors being detailed to respond to floods in North
           Dakota. One inspector said it took an additional 6 months to
           complete on-the-job training needed be certified as an inspector
           because of the time she spent detailed away from the sector.

           o MISLE data may not reflect all the annual exams that were
           conducted. For example, officials said that an annual compliance
           exam could have been conducted while inspectors conducted a
           pollution inspection, but the activity was only entered as a
           pollution inspection. No information was available to identify
           annual exams conducted but not recorded.

^10 Throughout this report, the terms "MISLE," "MISLE data," and "MISLE
database" refer to data from just the MTSA facility compliance portion of
MISLE.

Definitive information about the extent to which all facilities were
inspected is not available, because the Coast Guard's MISLE database does
not have the capability to document the extent to which MTSA facilities
received an annual inspection for a particular year. The database can
identify which facilities received annual exams in a particular year, but
it cannot identify those facilities that did not receive exams but should
have. Our analysis of MISLE data on the number of exams reported, however,
indicates the total is less than the number of facilities the Coast Guard
believes it is regulating. The Coast Guard estimates the number of MTSA
facilities at about 3,200 nationwide, based on the number of facility
security plans currently approved. Our analysis of MISLE data indicated
2,126 facilities received exams during 2006.^11

Coast Guard data show that prior to the SAFE Port Act's requirement that
each facility receive an unannounced inspection, Coast Guard units were
conducting unannounced spot checks, but not at every facility. MISLE data
indicate the Coast Guard conducted about 4,500 spot checks in 2006,
covering about 1,200 facilities. The pattern was similar in 2005, the
first full year of facility oversight (see fig. 2). The SAFE Port Act's
requirement for each facility to receive two inspections was not effective
until October 2006.

^11 After completion of our analysis, but before this report was issued,
Coast Guard reported identifying an additional 344 annual exams that were
conducted in 2006, and said that they were investigating why these exams
were not previously identified and included in the data GAO was provided.

Figure 2: Recorded Security Spot Checks Performed by the Coast Guard in
2004, 2005, and 2006 and Number of Facilities Receiving Spot Checks

Coast Guard officials said that, prior to the SAFE Port Act's new
unannounced inspection requirement, units used a combination of risk and
convenience to decide which facilities should receive spot checks. As a
result, some facilities received a number of checks in a year's time,
while others received none. For example, Coast Guard officials at two
sectors said if inspectors are frequently at a facility to examine
arriving vessels, they also have an opportunity to conduct a spot check of
the facility's security measures. Several sectors we visited mentioned
that they had a goal, even before the new requirement took effect, of spot
checking every facility, but officials at these sectors said the
risk-based approach took precedence, leading to numerous checks at
facilities with higher risk.

Given the resources provided in DHS fiscal year 2007 appropriations,
related Coast Guard allocations, and the number of spot checks conducted
in prior years, Coast Guard officials said they expect sectors to
meet--and likely exceed--the spot-check requirements.^12 At sectors we
visited where additional staffing resources (temporary reservists and
permanent staff) were in place, local officials generally agreed with this
assessment. At a sector that did not receive additional permanent staff,
however, officials said they were still determining how to meet the SAFE
Port Act inspection requirements after temporary staff were gone.

Deficiencies Identified in about One-Third of Facilities and Most Were Addressed
without Formal Coast Guard Enforcement Action

The Coast Guard identified deficiencies in about one-third of the
facilities inspected in 2004-2006, with deficiencies concentrated in a
subset of five deficiency categories, for example, failing to follow
facility security plans for access control. Facilities with many or
substantial deficiencies were relatively few in number, and deficiencies
were identified during both annual exams and spot checks. The extent to
which formal enforcement actions were used was limited nationally, but
varies greatly among Coast Guard sectors. The majority of deficiencies
were addressed by the Coast Guard informally, without formal enforcement
actions.

  Facility Deficiencies Were Concentrated in Five Deficiency Categories

Thirty-six percent of the facilities that the Coast Guard documented as
receiving an annual compliance exam or a spot check in 2006 had at least
one reported deficiency, according to our analysis of information in
MISLE. The previous 2 years were similar, with rates of 30 percent each
year. These figures may not include security weaknesses that are corrected
on the spot. Headquarters and sector officials told us that, in keeping
with Coast Guard policy allowing the practice, inspectors may choose not
to record such deficiencies. For example, a facility security officer at
one oil facility said the Coast Guard gave him a verbal warning about the
failure to display credentials at entrance gates and maintaining better
documentation of security drills conducted at the facility. Similarly, the
security officer at a gypsum facility said inspectors had suggested more
creativity in crafting facility exercise scenarios (which the facility
official said he would try to do) but inspectors had not recorded a
deficiency.

About 70 percent of the 2,500 reported deficiencies identified in 2006
occurred in five categories: access control (such as fences or gates
needing repair), recordkeeping requirements, security for restricted areas
(such as not posting required signs), drill and exercise requirements, and
facility security plan amendment (for example failing to get approval for
changing a security measure) and deficiencies related to the facility
security plan or conducting a facility security audit. As figure 3
indicates, the two top categories, with over one-third of the
deficiencies, were access control and facility recordkeeping
requirements.^13

^12 This expectation, however, was based on spot checks conducted prior to
Coast Guard guidance (discussed in the following section) that establishes
a more comprehensive review than was the case for some of the previously
conducted spot checks.

Figure 3: Facility Deficiencies Identified in 2006 by Coast Guard
Inspections

Access and documentation were also the most common types of deficiencies
at the sectors we visited. Table 1 provides examples of deficiencies in
these two categories from the sectors we visited. As the examples
illustrate, each category can include a variety of violations. Similar
deficiencies were reported by officials at facilities we visited within
the seven sectors. Examples included not constructing a new fence after a
tornado; not screening vehicles, persons, and personal effects; leaving a
gate unlocked; not completing exercise requirements; and lack of
timeliness in documenting training.

^13 These categories correspond to the types of facility responsibilities
cited in the Coast Guard's MTSA regulations. See appendix II for a more
detailed description of deficiencies and the numbers of deficiencies by
category, for 2004, 2005, and 2006.

Table 1: Deficiency Narrative Examples in 2006 from Selected Sectors
Visited by GAO in the Top Two Nationwide Deficiency Categories

Sector: Sector A; 
Security measures for access control: Restricted area fence damaged by 
storm 1 week prior to inspection. Provide work order for repair prior 
to 1 week from date of inspection; 
Facility recordkeeping requirements: Show proper documentation of 
annual facility security plan audit. 

Sector: Sector B; 
Security measures for access control: Facility inspectors found an open 
gate near the rail that had no security measures in place; 
Facility recordkeeping requirements: FSO did not provide certified 
letter of annual audit. 

Sector: Sector C; 
Security measures for access control: Fencing was damaged/pulled away 
from posts in several locations diminishing access control; 
Facility recordkeeping requirements: Documentation not available on 
training for personnel with security duties and personnel without 
security duties, and drill and exercise requirements. 

Sector: Sector D; 
Security measures for access control: Not screening by hand or device 
such as x-ray, all unaccompanied baggage prior to loading onto 
facility; 
Facility recordkeeping requirements: No maintenance, calibration, and 
testing of security equipment logs were able to be produced. 

Sector: Sector E; 
Security measures for access control: No narrative available; 
Facility recordkeeping requirements: Drill and exercise records not in 
FSP specified format or available for Coast Guard inspection. 

Sector: Sector F; 
Security measures for access control: Signage describing security 
measures is not in place. Put sign describing security measures in 
place; 
Facility recordkeeping requirements: Facility has no records of 
facility personnel with security duties. 

Sector: Sector G; 
Security measures for access control: FSO greeted inspection team and 
granted them access to facility without checking ID; 
Facility recordkeeping requirements: No lessons learned were recorded 
for the drills. 

Source: Coast Guard MISLE data verbatim narrative descriptions of facility
deficiencies.

Our visits to facilities in the seven sectors also disclosed instances in
which a regulated facility's access controls would not prohibit access
from a neighboring facility. We observed four instances in which a
neighboring facility's building or stacked-up materials would facilitate
entry over a regulated facility's perimeter fencing. Figure 4 shows one of
those instances.^14 After we pointed out these weaknesses to Coast Guard
officials, they assured us that the weaknesses would be corrected. Coast
Guard officials told us that any vulnerabilities introduced by neighboring
facilities (whether the neighboring facility is a MTSA facility or not)
should be identified in a facility's vulnerability assessment, then
addressed in a facility's security plan.

^14 Coast Guard officials have pointed out that areas may be covered by
surveillance systems that would reduce the risk of entry. In one location
where a building was next to the perimeter, the facility FSO said cameras
were being added (in addition to existing security patrols) to improve
visibility in this area.

Figure 4: Example of Neighboring Facility Conditions Facilitating Entry
into a MTSA-Regulated Facility

While about one-third of all facilities had at least one deficiency
identified and recorded during an annual inspection or spot check,
deficiencies in the seven sectors we visited tended to be concentrated in
relatively few facilities. According to MISLE data, five or fewer
facilities accounted for an average of 61 percent of deficiencies in six
of the seven sectors we visited, and 10 or fewer facilities accounted for
an average of 80 percent.^15 One facility that receives passenger vessels
in one sector we visited was cited for 12 deficiencies during its annual
compliance exam. This facility's deficiencies related primarily to (1)
lack of knowledge about security procedures or equipment on the part of
the security officer or other personnel and (2) failure to conduct or
document security drills and exercises.

Coast Guard officials at the sectors we visited said they thought security
awareness and procedures had improved in the years since MTSA's inception.
Atlantic Area Coast Guard officials cited MTSA as making a difference in
reducing cargo loss as increased security procedures lower theft rates.
Officials cited qualitative changes such as the following:

           o facilities taking more ownership of their own security and being
           more aware of security concerns,

           o fewer trespassers on waterfront property and increasing security
           awareness among maritime workers,

           o decrease in vandalism as a result of additional cameras in port
           areas

           o more informed security personnel, and

           o improved communication with facilities regarding break-ins.

Our analysis of the top deficiencies included in the Coast Guard's
database showed that Coast Guard inspectors identified deficiencies both
in spot checks and in annual exams, but spot checks tended to identify
deficiencies related to access control and control over restricted areas.
As table 2 shows, spot checks accounted for 44 percent of all recorded
access control deficiencies and 19 percent of restricted area
deficiencies, but no more than 9 percent of the other most common
categories of deficiencies--drills, recordkeeping, and plan
amendment/audits. This may occur because spot checks are sometimes
conducted external to the facility and do not involve checking records,
drills, or plans.^16

^15 In the seventh sector, the top 5 facilities accounted for 18 percent of
all deficiencies, and the top 10 accounted for 32 percent.

^16 Recent spot check guidance indicates that less emphasis should be
placed on items that would not change between annual compliance exams,
such as drill/exercise records.

Table 2: Top Five Facility Deficiencies Recorded Nationwide in 2006

Deficiency category: Drill and exercise requirements; 
Deficiencies: 269; 
Percent identified during annual exam: 92; 
Percent identified during spot check: 7; 
Percent identified during other activities[A]: 1. 

Deficiency category: Facility recordkeeping requirements; 
Deficiencies: 418; 
Percent identified during annual exam: 94; 
Percent identified during spot check: 6; 
Percent identified during other activities[A]: 0. 

Deficiency category: Security measures for access control; 
Deficiencies: 458; 
Percent identified during annual exam: 50; 
Percent identified during spot check: 44; 
Percent identified during other activities[A]: 6. 

Deficiency category: Security measures for restricted areas; 
Deficiencies: 364; 
Percent identified during annual exam: 79; 
Percent identified during spot check: 19; 
Percent identified during other activities[A]: 2. 

Deficiency category: Facility Security Plan amendment and audit; 
Deficiencies: 243; 
Percent identified during annual exam: 90; 
Percent identified during spot check: 9; 
Percent identified during other activities[A]: 1. 

Deficiency category: U.S. Total for top five deficiencies; 
Deficiencies: 1,752; 
Percent identified during annual exam: 78; 
Percent identified during spot check: 19; 
Percent identified during other activities[A]: 3. 

Source: GAO analysis of Coast Guard MISLE data.

a Includes monitoring of facility security plan exercises and other
oversight activities.

We attempted to compare deficiencies identified during announced or
unannounced annual compliance exams, but until July 2007, activities in
the database were not required to indicate whether an exam was announced
or unannounced. Headquarters officials acknowledged that there is
variation in whether sectors conduct these exams announced or not, but
could not provide information for all sectors that would allow a
comparison.^17 Furthermore, the Coast Guard has not assessed the
effectiveness of each approach to establish whether one approach is more
effective in identifying deficiencies.

  Informal Enforcement Actions Generally Used for Deficiencies, but Use Varied
  among Sectors Visited

Inspectors told us they generally use Coast Guard guidance in deciding
whether to issue some form of formal enforcement action, taking into
consideration the facility's deficiency history and the risk associated
with the violation. Several Coast Guard sector officials said the Coast
Guard prefers to work cooperatively with facilities to improve security
procedures, instead of taking an adversarial or punitive approach. They
said they often give facilities several weeks during which to fix a
deficiency, instead of issuing an immediate enforcement action.

Most often, a formal enforcement action, such as issuing a letter of
warning, a notice of violation, or a civil penalty such as a fine, is not
applied. Our analysis of MISLE data indicates that inspectors took one of
these formal actions in about 11 percent of recorded deficiencies in 2004,
19 percent in 2005, and 16 percent in 2006. Table 3 shows what types of
enforcement actions were recorded for the top five deficiencies in 2006
and a total for all deficiencies in 2006. Based on MISLE data, of the top
five deficiencies, access control was most likely to result in an
enforcement action. For this type of deficiency, formal action occurred 25
percent of the time.

^17 Toward the end of our work, the Coast Guard issued a Commandant's
message requiring information be entered into MISLE regarding whether the
exam was announced or not.

Table 3: 2006 Nationwide Enforcement Actions Recorded for Top Five
Deficiencies and All Deficiencies

Deficiency category: Security measures for access control; 
Deficiencies: 458; 
Letter of warning issued: 31; 
Notice of violation issued: 57; 
Civil penalty issued: 28; 
Percent of cases in which enforcement action was issued: 25. 

Deficiency category: Facility recordkeeping requirements; 
Deficiencies: 418; 
Letter of warning issued: 15; 
Notice of violation issued: 4; 
Civil penalty issued: 7; 
Percent of cases in which enforcement action was issued: 6. 

Deficiency category: Security measures for restricted areas; 
Deficiencies: 364; 
Letter of warning issued: 11; 
Notice of violation issued: 22; 
Civil penalty issued: 5; 
Percent of cases in which enforcement action was issued: 10. 

Deficiency category: Drill and exercise requirements; 
Deficiencies: 269; 
Letter of warning issued: 4; 
Notice of violation issued: 18; 
Civil penalty issued: 6; 
Percent of cases in which enforcement action was issued: 10. 

Deficiency category: Facility Security Plan amendment and audit; 
Deficiencies: 243; 
Letter of warning issued: 8; 
Notice of violation issued: 9; 
Civil penalty issued: 7; 
Percent of cases in which enforcement action was issued: 10. 

Deficiency category: Total for top five deficiencies; 
Deficiencies: 1,752; 
Letter of warning issued: 69; 
Notice of violation issued: 110; 
Civil penalty issued: 53; 
Percent of cases in which enforcement action was issued: 13. 

Deficiency category: Total for all deficiencies; 
Deficiencies: 2,513; 
Letter of warning issued: 115; 
Notice of violation issued: 181; 
Civil penalty issued: 96; 
Percent of cases in which enforcement action was issued: 16. 

Source: GAO analysis of Coast Guard MISLE data.

Our analysis of MISLE data shows sectors varied in the extent to which
enforcement actions were taken. Coast Guard officials said that sector
management is given discretion to use or not use enforcement actions as
year 2006, the Coast Guard's use of enforcement actions for the top five
nationwide deficiencies in the sectors we visited. Even when the same
deficiency is recorded, the sectors we visited vary greatly in whether or
not they issued an enforcement action. For example, the first sector shown
in the table took no enforcement actions, while the second sector used
enforcement actions in each of the five deficiency categories. Our
analysis could not determine the reasons for these differences, such as
whether the variations reflect different circumstances faced by sectors,
nor could Coast Guard officials explain the differences.

Table 4: 2006 Enforcement Actions Recorded in Selected Sectors for Top
Five Recorded Deficiencies

Sector: Drill and exercise requirements: Number of deficiencies; 
A: 7; 
B: 4; 
C: 10; 
D: 4; 
E: 4; 
F: 34; 
G: 7; 
Total of Selected Sectors: 70. 

Sector: Drill and exercise requirements: Percent of cases in which 
enforcement action was issued; 
A: 0; 
B: 100; 
C: 60; 
D: 75; 
E: 75; 
F: 15; 
G: 0; 
Total of Selected Sectors: 30. 

Sector: Facility recordkeeping requirements: Number of deficiencies; 
A: 7; 
B: 16; 
C: 8; 
D: 2; 
E: 8; 
F: 58; 
G: 19; 
Total of Selected Sectors: 118. 

Sector: Facility recordkeeping requirements: Percent of cases in which 
enforcement action was issued; 
A: 0; 
B: 31; 
C: 13; 
D: 100; 
E: 38; 
F: 5; 
G: 0; 
Total of Selected Sectors: 12. 

Sector: Security measures for restricted access control: Number of 
deficiencies; 
A: 9; 
B: 17; 
C: 25; 
D: 3; 
E: 0; 
F: 7; 
G: 4; 
Total of Selected Sectors: 65. 

Sector: Security measures for restricted access control: Percent of 
cases in which enforcement action was issued; 
A: 0; 
B: 41; 
C: 40; 
D: 67; 
E: -; 
F: 29; 
G: 100; 
Total of Selected Sectors: 38. 

Sector: Security measures for restricted areas: Number of deficiencies; 
A: 18; 
B: 7; 
C: 3; 
D: 0; 
E: 0; 
F: 12; 
G: 0; 
Total of Selected Sectors: 40. 

Sector: Security measures for restricted areas: Percent of cases in 
which enforcement action was issued; 
A: 0; 
B: 57; 
C: 33; 
D: -; 
E: -; 
F: 0; 
G: -; 
Total of Selected Sectors: 13. 

Sector: Facility Security Plan amendment and audit: Number of 
deficiencies; 
A: 6; 
B: 5; 
C: 6; 
D: 0; 
E: 7; 
F: 16; 
G: 10; 
Total of Selected Sectors: 50. 

Sector: Facility Security Plan amendment and audit: Percent of cases in 
which enforcement action was issued; 
A: 0; 
B: 60; 
C: 0; 
D: -; 
E: 43; 
F: 13; 
G: 0; 
Total of Selected Sectors: 16. 

Source: GAO analysis of Coast Guard MISLE data.

Data Used in Coast Guard's Assessments of Number of Inspectors Needed Were
Limited and Results Could Be Affected by Additional Factors

The Coast Guard's assessments of the number of inspectors needed to meet
facility inspection requirements were based on limited data, and since
these assessments were conducted, additional factors have arisen that
could also affect the number of inspectors needed. The original assessment
for meeting MTSA requirements and the subsequent assessment for meeting
additional SAFE Port Act requirements were both estimates that were based
on limited information, and the Coast Guard has not assessed their
reliability. Moreover, our field visits identified two factors that could
affect the estimates. One is that persons in inspector positions have
other responsibilities that may compete with conducting inspections, so
that the amount of time available for inspections may be less than
expected. The Coast Guard does not have data on what portion of
inspectors' time is actually available for conducting inspections. The
second factor is that recently issued guidance for conducting unannounced
spot checks may require inspectors in some locations to spend more time
conducting these spot checks than they had spent in the past. Coast Guard
officials do not know what the effect of the new spot check requirements
will be on resources needed.

Coast Guard Believes It Has Sufficient Inspectors, but Its Estimates Were Based
on Limited Data

Although Coast Guard officials said the number of Coast Guard inspectors
is adequate, their basis for determining the number of inspectors needed,
both for the initial implementation of MTSA and to meet SAFE Port Act
inspection requirements, was limited in several respects. When we reviewed
the approach the Coast Guard used to project staff needed for meeting MTSA
inspection requirements, we found the Coast Guard did not have a great
deal of workload data to use in estimating the additional staff needed,
nor did it have a system in place for determining how much time its
personnel are spending on specific duties.^18 The Coast Guard told us it
established its estimates for the number of inspectors needed using
working groups, panels, and available data, including information about
resources in port security missions since the September 11, 2001,
terrorist attacks.^19 The estimates were also based on experience with
environmental and safety inspections, but whether those types of
inspections were analogous was unclear. Further, the Coast Guard could not
provide documentation of the approach it used, limiting its ability to
assess the adequacy of its decision. We determined that the Coast Guard
had a basis for its estimate, but also that its approach stopped short of
providing demonstrable evidence of its validity. The Coast Guard did not
assess how reliable this estimate was in meeting inspection needs, but
officials noted that sector officials could provide headquarters with
feedback on their needs and request additional staff.

The approach the Coast Guard used for estimating the number of additional
inspectors needed to meet SAFE Port Act requirements had similar
limitations. Coast Guard officials said they also used a general formula
to request funding for personnel to conduct these additional inspections.
They said they had limited time to prepare the request, and estimated the
number needed based on past experience by looking at the number of
inspections currently being conducted and the current number of
inspectors, plus input from Coast Guard area officials. An additional 39
positions were added with resources stemming from DHS fiscal year 2007
appropriations.^20

^18 [33]GAO-04-838 .

^19 The Coast Guard added 282 positions to local marine safety offices to
meet MTSA facility inspection requirements.

Other than field unit feedback, Coast Guard officials do not currently
have a means for determining whether the deployment of staff to inspection
positions is sufficient. In 2004 we recommended that the Coast Guard
formally evaluate its facility inspection program to look at the adequacy
of security inspection staffing, among other things; however, Coast Guard
has not done so. Officials discussed using an existing management tool in
combination with revised training requirements and staffing standards to
be developed in the future as a way to measure the adequacy of staffing
for specific mission areas, but as yet had no estimated date for
completion of this effort.

Extent to Which Inspectors Are Available for Inspection Duties Is Unclear

One factor that may affect the accuracy of the estimates is that
inspectors are also responsible for a variety of other duties, and the
extent to which these inspectors are available to conduct security
inspections is unclear. Coast Guard data indicate that about 600 personnel
have been qualified to conduct MTSA facility inspections. Officials said
that as of August 2007 the Coast Guard had 389 MTSA positions, including
the 39 new positions added with resources stemming from DHS fiscal year
2007 appropriations for unannounced spot checks, and, most of the
positions were filled.^21 Besides these personnel, a July 2007 Commandant
message, indicated that Coast Guard districts were authorized to use
reservists on a short-term basis to meet inspection requirements. In all,
52 reservist positions were authorized for this purpose.

Our field visits showed that staff assigned to inspector positions were
not necessarily working as inspectors, and those that were conducting
inspections were also performing a number of other mission tasks as well.
Data on the extent to which personnel in inspector positions are actually
conducting facility inspections are not available. Coast Guard
headquarters officials said it was difficult to know the extent to which
an inspector was inspecting MTSA facilities because of the flexibility in
how staff are used.^22 Each sector, they said, determines what is needed
for its workload. In all seven sectors we visited, staff in inspector
positions were responsible for tasks other than facility inspections.
Other tasks included responding to pollution incidents, supervising the
handling of explosive cargo, monitoring the transfer of oil, conducting
harbor patrols, boarding vessels, and conducting inspections of vessels or
other matters, such as safety or environmental concerns (see fig. 5).

^20 Comments provided by the Coast Guard in January 2008 to a draft of
this report stated that the Coast Guard is receiving an additional 25
facility inspectors positions to increase its ability to meet the SAFE
Port Act mandate. Positions are expected to be filled during the 2008
summer transfer and assignment season.

^21 The Coast Guard provided data on the number of personnel with MTSA
Facility Inspection qualifications. These may include personnel assigned
to other types of positions, such as logistics or a strike team. Officials
noted that personnel may be qualified for a number of different positions.
See appendix I for further discussion.

^22 Officials said inspectors can be assigned elsewhere temporarily, for a
day or placed full-time in non- inspection billets based on sector needs
that match their qualifications (e.g., as a safety inspector or Marine
Science Technician).

Figure 5: Examples of Other Inspector Responsibilities--Harbor Patrols and
Cargo Inspections

At four of the seven sectors we visited, officials said meeting all
mission requirements for which inspectors were responsible was or could be
a challenge, especially after reservists made available for SAFE Port Act
inspections were no longer available.^23

           o Officials in one sector said they were meeting inspection
           requirements at the expense of other missions, such as inspecting
           containers or monitoring the transfer of oil. They said they make
           a risk-based judgment call on which activities to undertake.

           o In another sector, officials said meeting inspection
           requirements in the long term would be difficult. The new
           inspection requirements effectively doubled the required number of
           facility inspections, and the sector has received only short-term
           assistance.

           o Officials in another sector said available staffing could
           adequately cover only part of the sector's area of responsibility.

           o In another sector, officials said depending on the long-term
           workload, they may be seeking additional inspectors later this
           year, after temporary duty staff has left.

Spot Check Guidance May Affect the Sufficiency of Inspectors to Conduct All
Inspections

A second factor that may affect the reliability of the estimates is that
the Coast Guard based its estimate for the number of inspectors needed in
part on the number of spot checks conducted in the past, but subsequent
spot check guidance may require inspectors to spend more time on these
spot checks than they had previously. After the SAFE Port Act's passage,
Coast Guard officials initially said they did not plan to issue specific
guidance for spot checks, because developing a single inspection form that
encompassed all situations was difficult and because they had not heard
from Captains of the Port that such guidance was needed. In July 2007,
however, the Coast Guard Commandant issued a message to Coast Guard Area
officials that provided some spot check guidance.^24 Among other things,
this guidance:

^23 All but one of the seven sectors we visited reported receiving
short-term authorizations for reserve personnel to assist with SAFE Port
Act requirements, and all but one was allotted one or more full-time
additional positions. Information from the sectors we visited are case
studies representing variation in types and sizes of ports, but cannot be
generalized to all 35 sectors.

           o Defines minimum requirements for security spot checks--for
           example, specifying that the inspector must confirm that the
           facility is compliant with unique requirements for specific types
           of facilities (such as cruise ships) and must provide the facility
           with documentation of the inspection.

           o Identifies activities that do not meet the requirements for a
           security spot check, such as inspections from a vehicle or checks
           conducted while performing certain shoreside patrols or facility
           visits related to vessel boardings (unless the minimum security
           spot check requirements are met during the patrols or boardings).

           o Specified codes for documenting facility inspections in the
           MISLE database.

Our discussions with sector officials indicated that prior to this
guidance, sectors varied considerably in their interpretation of what
constituted a security check.^25 For example, one sector considered asking
facility officials 15 to 30 minutes of knowledge-based questions as a spot
check, while another considered a drive-by with a stop at the gate a type
of spot check. Officials in several sectors mentioned that spot checks
were conducted during other types of facility visits or missions, such as
while escorting a boat, conducting a waterside patrol, or performing a
vessel inspection.^26 For documentation, one sector reported entering a
record of all spot checks conducted, while several others qualified that
"official" spot checks were logged--a drive by or dropping in to check on
a few items might not be recorded. One sector said recording the check or
not depended partly on whether a deficiency was identified during the spot
check.

^24 SAFE Port Act, Waterfront Facility Security R 061821Z. U.S. Coast
Guard Commandant message to Coast Guard Area officials, July 2007. The
Coast Guard is also planning other guidance changes such as revising its
MTSA regulations and MTSA implementation circular. Information was not
available from the Coast Guard on specific changes or how theses changes
might affect the need for facility inspectors.

^25 While practices varied considerably for spot checks, the inspectors
and facilities in the sectors we visited generally reported consistency in
the content and process for conducting annual exams following Coast Guard
guidance contained in the circular Implementation Guidance for the
Regulations Mandated by the Maritime Transportation Security Act of 2002
for Facilities.

^26 Coast Guard headquarters indicated some confusion among inspectors and
that they may be using Operation Neptune Shield guidance where this type
of inspection is acceptable. However, none of the inspectors we spoke with
identified this as a source of guidance to them.

The activities called for in this guidance have potential staffing
implications. Based on our discussion with headquarters officials and
inspectors in all sectors we visited, some of the activities that have
been considered spot checks will no longer be considered adequate, such as
observing facility security procedures from a vehicle while driving by.
Meeting the spot check requirements under the new guidance may thus
require more time from inspectors. This in turn may affect sector
estimates of the level of resources needed to meet inspection requirements
and Coast Guard goals for the number of inspections to be conducted.^27

In Coast Guard comments on this draft, officials reported a total of 9,403
inspections (spot checks and annual exams) were conducted in 2007,
exceeding their internal target of 8,800 inspections. This is an increase
in inspections from prior years. Their comment however, did not indicate
that each facility received a spot check and an annual exam. Further,
since the spot check guidance was not issued until July of 2007, it is not
clear how many of the spot checks were conducted following the new
guidance. Without this information the implications for staffing are still
uncertain.

^27 The Coast Guard is also considering changing its MTSA implementation
circular to include SAFE Port Act requirements, among other things. Coast
Guard officials said they expected any revisions to be published in early
2008. Officials also indicated that the Coast Guard will be proposing a
rule to change the regulations promulgated in 2003 for implementing MTSA.
Among other things, the proposed changes would establish training
standards for security personnel, add regulations related to the
reapproval of facility security plans, and update existing regulations to
conform to various requirements in the SAFE Port Act of 2006. Coast Guard
officials said they are behind in their original schedule for updating the
regulations by late 2008, but the regulations must be completed in time
for the reapproval of facility security plans in 2009.

The Coast Guard Has Not Evaluated Its Facility Oversight Program, and Problems
with Data Complicate Its Ability to Do So

The Coast Guard has not assessed how its MTSA compliance inspection
program is working. Our work across many types of federal programs shows
that for program planning and performance management to be effective,
federal managers need to use performance information to identify
performance problems and look for solutions, develop approaches that
improve results, and make other important management decisions. The Coast
Guard's ability to assess its compliance program is complicated by
omissions, duplications, and other flaws in the data it would most likely
use in measuring and evaluating the effectiveness of different monitoring
and oversight approaches.

The Coast Guard Has Not Evaluated the Effectiveness of Oversight Efforts

In 2004, when we first examined the Coast Guard's efforts to deal with
MTSA requirements, we reported that development of a sound long-term
strategy was a critical step in bringing about effective monitoring and
oversight. Our work assessing such other areas as airport security and
regulatory compliance had identified approaches for ensuring compliance
and strengthening security.^28 These approaches included such steps as
unscheduled and unannounced inspections, and inspections on weekends or
after normal working hours. At the time, local Coast Guard officials said
that unscheduled inspections would be a positive component of a
longer-term strategy because informing owners or operators of annual
inspections can allow them to mask security problems by preparing for
inspections in ways that do not represent the normal course of business.
We recommended that, after the initial "surge" involved in reviewing
security plans and conducting the first round of inspections, the Coast
Guard should conduct a formal evaluation of its efforts and use the
evaluation as a means to strengthen the compliance process for the longer
term.

In the 1990s, a statutory management framework for strengthening
government performance and accountability was enacted into law. In
particular, the Government Performance and Results Act (Results Act) calls
for an increased reliance upon program performance information in
assessing program efficiency and effectiveness.^29 The Results Act notes
that federal managers are seriously disadvantaged in their efforts to
improve program efficiency and effectiveness because of insufficient
articulation of program goals and inadequate information on program
performance, and that spending decisions and program oversight are
seriously handicapped by insufficient attention to program performance and
results. Although the Results Act's provisions apply primarily to tracking
and reporting performance at the overall agency level, the same sound
management principles apply to management of individual programs such as
the facility compliance program. In other work, we have identified
instances in which agencies can use performance information to improve
programs and results. ^30

^28 GAO, Aviation Security: Further Steps Needed to Strengthen the Security
of Commercial Airport Perimeters and Access Controls, [34]GAO-04-728
(Washington, D.C.: June 4, 2004).

In many of its areas of activity, the Coast Guard has devoted extensive
attention to providing sound data on its activities and analyzing what
these data say about what the agency is accomplishing with the resources
it expends. In 2006, for example, we reported that for many of its
non-homeland security programs, the Coast Guard had developed performance
measures that were generally sound and based on reliable data.^31 Further,
the Coast Guard was actively engaged in initiatives to help interpret
these performance measures and use them to link resources to program
results.

The Coast Guard has not, however, applied this same approach to the
facility compliance program. Although the Coast Guard agreed with our
recommendation in 2004 that the agency formally evaluate its MTSA
compliance inspection efforts and use the results as a means to strengthen
its long-term strategy for ensuring facility compliance, it has not
conducted such an evaluation, and has no current plans to do so. In
comments submitted after reviewing a draft of this report, the Coast Guard
indicated that facility security program metrics were discussed during a
November 2007 workshop with field personnel. The comments also indicated
that the Coast Guard is developing performance goals for monthly review by
program management.

^29 Government Performance and Results Act of 1993, Pub. L. No. 103-62,
107 Stat. 285 (1993), as amended, requires executive agencies to develop
strategic plans, prepare annual performance plans, measure progress toward
the achievement of the goals, and report annually on their progress in
program performance reports.

^30 See, for example, GAO, Managing for Results: Enhancing Agency Use of
Performance Information for Management Decision Making, [35]GAO-05-927
(Washington, D.C.: September 2005).

^31 GAO, Coast Guard: Non-Homeland Security Performance Measures Are
Generally Sound, but Opportunities for Improvement Exist, [36]GAO-06-816
(Washington, D.C.: August 2006).

We asked the Coast Guard to provide documentation of any systematic effort
to assess implementation of its facility compliance program since July
2004, when the agency initiated the compliance phase of MTSA facility
oversight. Headquarters officials told us that program managers use MISLE
to see the results of inspectors' data entries and to produce reports, but
the Coast Guard's only formal analysis of the overall success of MTSA
implementation was contained in its Annual Report to Congress.^32 The
information the 2005 and 2006 reports provide, which includes figures on
the number of enforcement actions and the approximate number of facility
security inspections the Coast Guard conducted (included in the 2005
report only), does not include an analysis of the program's operations or
provide a basis to determine what, if anything, might be done to improve
its operations. The program metrics and performance goals the Coast Guard
indicated it is developing may provide data useful for future assessments.

A more thorough evaluation of the facility compliance program could
provide information on, for example, the variations we identified between
Coast Guard units in oversight approaches, the advantages and
disadvantages of each approach, and whether some approaches work better
than the others. The Coast Guard has allowed Captains of the Port
considerable discretion in implementing facility oversight program at the
local level, in order to meet differences in local conditions. An
evaluation could also explore the benefits of the variations that have
resulted. For example, an evaluation could shed light on such issues as
the following:

           o Conducting annual compliance exams unannounced vs. scheduling
           them beforehand. Views we heard from different Coast Guard units
           varied on this issue. Coast Guard policy has encouraged the
           pre-scheduling of these exams, but some units have decided to
           conduct them on an unannounced basis because they believe doing so
           best captures what procedures are normally in place. At some units
           that scheduled the exams with the facility beforehand, however,
           Coast Guard officials said conducting exams unannounced would slow
           the process, because facility personnel would be less prepared
           with information and because officials with the needed information
           might be absent entirely. In such situations, delays might affect
           the unit's ability to complete its inspection workload. An
           evaluation, done with accurate and sufficient data, could provide
           information of the effectiveness of various approaches.

           o The type of enforcement action to take when deficiencies are
           identified. The available data indicate that Coast Guard units
           vary considerably in the extent to which they take formal
           enforcement actions, such as fines or written warnings.
           Headquarters officials told us that they could not explain the
           variation or its impact on continued facility compliance, but that
           units were allowed to determine actions taken based on the factors
           involved. These variations might occur for several reasons.
           Inspectors in sectors we visited told us they rely on Coast Guard
           guidance and take other factors into consideration, such as the
           nature of the deficiency, or history of the facility. They said
           that the decision on what enforcement action is taken depends in
           part on guidance from the sector's Captain of the Port, and the
           judgment of the inspector as to the severity of the incident. For
           example, an inspector is given discretion to decide to issue a
           facility a fine or written warning at a high-volume port where the
           consequences for an incident are high, or to take no formal action
           because it is in a low-volume port where facilities are dispersed
           and the consequences are less severe. An evaluation, done with
           accurate and sufficient data, could analyze such differences as
           possible criteria for deciding when formal or informal actions are
           most appropriate.

           o Variation in establishing the applicable MTSA regulation for a
           specific deficiency. We observed situations in which different
           inspectors cited different MTSA regulations for the same type of
           deficiency. For example, deficiencies in which security personnel
           lacked required training were classified in two different
           ways--sometimes as noncompliance with the regulation requiring
           security personnel to be knowledgeable of security-related areas,
           such as screening, and other times as noncompliance with
           regulations related to the security officer's responsibilities.
           Similarly, failure to log a drill or exercise was sometimes
           categorized as noncompliance with regulations on drills and
           exercises and sometimes as a recordkeeping deficiency. An analysis
           of the differences would help managers determine if sectors have
           varying interpretations, if additional training is needed for
           facility inspectors regarding the applicability of the
           regulations, or if the regulations themselves could be improved.
           The Coast Guard plans to revise its MTSA regulations by 2009, and
           such an analysis could be instructive in that effort.

^32 Annual Report on Compliance with Security Standards Established
Pursuant to the Maritime Transportation Security Plans. Submitted in
accordance with Title VIII, Section 809(i) of the Coast Guard and Maritime
Transportation Act of 2004.

We are not the only independent reviewer to point out the need for such an
evaluation. In 2006, the Office of Management and Budget (OMB) issued an
assessment of Coast Guard performance in meeting goals for the Ports,
Waterways and Coastal Security program, which includes MTSA facility
oversight.^33 OMB noted that there have been no reviews indicating whether
or how the program is achieving results. OMB emphasized the need for the
Coast Guard to evaluate the effectiveness of its program, as well as to
develop analytical methods and processes that provide routine and
objective feedback to program managers.

Database Limitations Hinder Compliance Monitoring and Program Oversight

As we have reported in other work, performance information must meet
users' needs for completeness, accuracy, and consistency if it is to be
useful.^34 Other attributes that affect the usefulness of performance data
include that measures be relevant, accessible, and of value to decisions
made at various organizational levels.^35 In MISLE, however, data and
database fields were missing, duplicative, and inconsistent, with data
entry a particular concern. Specific problems we identified include the
following:

           o Deficiency data may not be entered at all, or entered twice,
           officials said. For example, if a facility corrects a deficiency
           immediately, inspectors can decide not to include it in their
           report. On the other hand, Coast Guard data analysts acknowledged
           that there are duplicate deficiencies and enforcement actions in
           MISLE for example, resulting from the same deficiency being
           recorded at the sector and subunit levels, or lack of coordination
           in conducting an exam so that the activities are entered twice.

           o Headquarters officials said that some units are unclear about
           what to enter into MISLE, and the biggest challenge to consistent
           and comprehensive data is proper data entry. Although inspectors
           choose from a standardized pick-list of enforcement action
           citations, the selection process is subjective and as we discussed
           earlier, a particular violation can fit under multiple citation
           categories.

           o Headquarters officials said that the citation for a deficiency
           is not always provided when inspectors enter the activity into
           MISLE. Not entering this information means that the Coast Guard
           has difficulty showing data on the basis of specific MTSA
           regulatory deficiencies or specific enforcement actions. Coast
           Guard officials voiced varying opinions about whether the
           deficiency citation is a required field for inspectors to enter in
           MISLE, as well as about what MISLE fields to use to identify
           security-related deficiencies and enforcement actions.

^33 The Office of Management and Budget uses a Program Assessment Rating
Tool that is consistent with GPRA objectives as a systematic measure of
agency performance across federal programs. The tool asks a series of
questions to assess different program performance aspects. Agencies
respond to the questions with supporting information and OMB establishes
an overall rating for the program. The Ports, Waterways and Coastal
Security Program received an overall rating of moderately effective (well
managed, but needs improvement).

^34 GAO, Results-Oriented Government: GPRA Has Established a Solid
Foundation for Achieving Greater Results, [37]GAO-04-38 (Washington, D.C.:
Mar. 10, 2004).

^35 [38]GAO-05-927 .

While the data themselves may pose problems, so too do the data fields^36
into which the data are placed. Insufficient data fields in MISLE make it
more difficult for the Coast Guard to conduct critical analyses. We
identified two types of analysis that were limited--comparisons across
sectors and analysis by year.

           o Although the Coast Guard began reorganizing its field units into
           sectors in 2004 and made sectors the primary management unit, data
           continues to be entered into MISLE that cannot readily be
           presented by sector. This limitation makes assessing oversight
           performance, variability, and facility compliance by sector more
           difficult.^37

           o The Coast Guard cannot report the number of facilities it
           regulated under MTSA during a particular period. Although MISLE
           contains a field to indicate whether a facility is currently
           regulated by MTSA, it does not have a field for the facility's
           activation date. (Vessels regulated under MTSA do have an
           activation date.) Without it the Coast Guard cannot establish the
           number of facilities that have been regulated, and is unable to
           calculate a percentage of MTSA facilities that received the
           required annual compliance exam during a particular period. Coast
           Guard indicated that this is an area for improvement, but did not
           identify a specific remedy or time frame.

^36 A data field is a location in a data set where the same information
(such as a facility name) for each case is entered.

^37 GAO's analysis of MISLE data by sector was possible after we created a
sector field and manually distributed data by unit names into sector
designations.

  Reporting of MTSA Compliance Activities Could Not Be Replicated and Is Limited
  in Scope

Due to MISLE data limitations, we were not able to recreate annual report
statistics provided to Congress on Coast Guard compliance activities.
Furthermore, the annual reports did not provide a comprehensive picture of
Coast Guard compliance activities. The Coast Guard and Maritime
Transportation Act of 2004^38 mandated an annual report from the Coast
Guard on the agency's MTSA compliance-related activities, and so far the
agency has issued two reports--one covering part of 2004 and much of 2005
(July 1, 2004 to November 17, 2005), the second covering all of 2006.^39
According to Coast Guard officials, there is no set format for the report,
and the type of information reported varies by reports. The report for
2004-2005, for example, includes information about the number of annual
compliance exams conducted, while the report for 2006 does not. Coast
Guard officials said they did not include information about the number of
exams conducted in 2006 as part of an effort to reduce the annual report's
size. While figures were not provided in the annual report, the Coast
Guard agreed that our analysis of MISLE correctly identified 2,126 annual
exams recorded for 2006.^40

Using three categories of information (annual exams, spot checks, and
enforcement actions) that the Coast Guard reported for one or more of
those years, we attempted to tie the numbers in the annual reports to the
numbers in the MISLE database. Despite working extensively with Coast
Guard personnel to resolve discrepancies, we were unable to fully verify
the numbers reported in any of these categories. Figure 6 shows, for the
annual compliance exam, the totals for 2004 and 2005 as stated in the
annual report and the totals contained in MISLE. For 2004, the total shown
in the annual report was about 500 more than the total supported in MISLE,
and for 2005, the total shown in the annual report was about 179 less.^41

^38 Pub. L. No. 108-293, 118 Stat. 1028 (2004).

^39 Annual Report on Compliance with Security Standards Established
Pursuant to the Maritime Transportation Security Plans. Submitted in
accordance with Title VIII, Section 809(i) of the Coast Guard and Maritime
Transportation Act of 2004. Throughout this section on Coast Guard's
Annual Reports, we used the same reporting periods in our analysis as was
used in Coast Guard's Annual Reports: July 1 - December 31, 2004, January
1 - November 17, 2005, and January 1 - December 31, 2006, although the
2005 Annual Report did not clarify that the enforcement action data
included only part of November 2005.

^40 In October 2007, too late for us to validate as part of this report,
Coast Guard officials indicated that they discovered an additional 344
annual exams were conducted in 2006 that were not in the data provided for
our analysis. Officials said they were investigating why the additional
344 exams were not previously identified.

Figure 6: Annual Compliance Exam Numbers in Coast Guard's Annual Report to
Congress and GAO Analysis of MISLE Data

aWe estimated the Coast Guard's Annual Report Annual compliance exam
figures for 2004 and 2005 from a monthly bar chart without numbers. The
Coast Guard was not able to provide us with precise numbers. A Coast Guard
official informed us that the bar chart was created using MISLE data as
well as sector input due to MISLE query limitations in 2004-2005 and
sector data entry issues in 2004.

The Coast Guard did not provide annual compliance exam figures in its 2006
Annual Report to Congress.

^41 For spot checks and enforcement actions, the differences between the
annual report and MISLE figures were smaller than the differences we found
comparing figures for the annual compliance exam, but we likewise were
unable to determine the reasons for these differences. In both categories,
the figures in the annual reports were higher than the figures in MISLE.

Coast Guard officials who worked with us to resolve the discrepancies gave
several possible reasons for differences:

           o The totals in the annual report included a combination of MISLE
           data and other data reported by officials in field units.^42

           o The annual report inspection data could have included some
           safety-related activities.

           o Some of the information in MISLE may have changed between the
           time the Coast Guard used the database to prepare numbers for the
           annual report and the time the Coast Guard provided the data for
           us.

We were not able to determine the extent, if any, to which these factors
contributed to the discrepancies. The more significant issue, however, is
not resolving the effect of these three factors, but rather recognizing
the fundamental limitation reflected in being unable to reconcile
differences between the numbers in the annual report with the numbers in
the database. The ability to monitor and oversee a program is limited if
officials cannot rely on the accuracy of the information they have at
hand.

At some sectors we visited, Coast Guard officials voiced similar concerns
about having to rely on MISLE data for assessing trends. Inspectors in all
seven sectors said they use MISLE to track compliance activities at
individual facilities, but several reported that using MISLE to produce
accurate aggregated information and trend data for the sector was more
difficult. Inspectors in four sectors mentioned creating their own
spreadsheets outside MISLE to more easily produce reports on
administrative information (such as facility addresses and phone numbers),
to check for MISLE report errors, and to track additional information not
requested in MISLE. They indicated a variety of ways in which MISLE could
be improved for use, including allowing MISLE to capture facility-specific
security enhancements and weaknesses and linking MISLE data with
information on security vulnerabilities captured by the maritime security
risk assessment model.

^42 Coast Guard officials explained that 2004 and 2005 annual report
inspection numbers included field unit input because, at the time, MISLE
queries were unable to relate an inspection type with an inspection date.
Field unit input was also included in the 2004 Annual Report inspection
numbers because, during 2004, Annual Compliance Exams were sometimes not
recorded as inspections, but rather as part of the initial Facility
Security Plan review.

A second concern about the annual report compliance data is its limited
scope that does not provide a complete picture of Coast Guard compliance
activities or a relevant context for reviewing them. Annual compliance
exams were not reported in 2006, and the number of deficiencies identified
by Coast Guard oversight was not included in either the 2005 or 2006
report. Further, the total number of inspections that the Coast Guard
conducted is not provided within the context of the total number of
facilities regulated, and the number of spot checks is presented without
the number of facilities that received the checks. As we pointed out
earlier in this report, some of this information, such as the number of
facilities subject to MTSA regulation, is not available in MISLE. To the
degree that relevant information is not available or is difficult to
extract, decision makers may not be able to see the Coast Guard's
activities in full or in context.

The annual report's presentation may also under-represent the Coast
Guard's actions in ensuring that facilities comply with security plans.
The annual report presents enforcement actions issued, but does not report
deficiencies identified. As we discussed earlier in this report, only 16
percent of deficiencies in 2006 resulted in enforcement actions. Since the
Coast Guard prefers a strategy of working with facilities to improve
facility compliance, rather than a punitive strategy, there are many
facility deficiencies that are identified and corrected without an
enforcement action, and therefore are not reported in the Annual Report.
While enforcement actions generally represent the most severe instances of
noncompliance, the extent of the Coast Guard's activity in identifying
deficiencies is not presented.

  The Coast Guard Has Taken Some Action to Improve MISLE

The Coast Guard has acknowledged improvement is needed in MISLE compliance
data and has taken initial steps to reduce some of the database concerns
identified during the course of our review. Coast Guard officials at all
levels we spoke to said problems introduced during data entry to MISLE
were a concern. As we were conducting our review, the Coast Guard took
some steps to improve the data.

           o In July 2007, in a message to all units about implementing the
           SAFE Port Act maritime facility inspection requirements, the
           Commandant mentioned the issue of entering data into MISLE on a
           timely basis. The message states, "To minimize the need for
           frequent data calls and to ensure an accurate picture of Coast
           Guard facility inspection performance, sectors must ensure that
           MISLE data is entered promptly and that the activity, subactivity
           data, and AOR (area of responsibility) are accurate." The message
           also details that inspection records should indicate whether
           annual exams or spot checks were performed on an announced or
           unannounced basis.

           o During a 3-day Coast Guard workshop on MTSA and the
           Transportation Worker Identification Card held in November 2007,
           MISLE data entry and performance measures were discussed,
           according to an after action report of the workshop. No action
           items were detailed that related to changes in MTSA compliance
           data.

These initial efforts may help to improve MISLE, but they do not address
all of the concerns we identified. For example, Coast Guard area officials
stated a need for more consistency in how data are entered across
violations, noting that inspection dates are fine, but the violations are
hard to categorize accurately, leading to the question of whether the data
collected is accurate. The steps announced so far do not involve actions
for resolving such inconsistencies. Further, as we pointed out, MISLE
contains duplicate records, and information is not always complete. The
Coast Guard's initial steps do not include solutions to such problems.

Conclusions

Since 2004, the Coast Guard has made progress in shifting the inspection
program from one that emphasized putting security procedures in place to
one that focuses on continued facility compliance with security
procedures. Thus far, the Coast Guard's estimates the number of inspectors
has been and will be sufficient to meet inspection requirements, but the
multiple roles of many inspectors and the new requirements for spot checks
at all facilities could affect the reliability of these estimates. Coast
Guard officials currently cannot document how much of inspectors' time is
spent on the facility enforcement program versus conducting other tasks.
New spot check requirements may pose additional workload requirements, not
only because spot checks must now be conducted of all facilities, but also
because the Coast Guard's recent guidance calls for placing an inspector
inside the facility rather than just driving by. Plans for adding an
additional 25 staff will help meet these needs, but without considering
all factors, the Coast Guard is at additional risk of inspection
requirements not being met.

The Coast Guard gives considerable leeway to sectors and local units in
deciding how to implement requirements, and as this report has shown,
units have gone in somewhat different directions. For example, some have
decided to conduct the annual compliance exam unannounced, while others
announce them in advance, and some use formal enforcement actions such as
written warnings or fines while others do not. The inspection program's
growing maturity heightens the importance of being able to determine what
it is accomplishing and to assess alternative practices sectors have
adopted to ensure facility compliance. Coast Guard headquarters, however,
has not evaluated these various approaches to determine which ones produce
greater results or yield greater efficiency. Finally, whether establishing
that basic inspection requirements are being met, comparing the various
approaches used in individual sectors, or evaluating other aspects of the
facility compliance program, the Coast Guard is handicapped without
complete and accurate compliance data. Coast Guard officials acknowledge
these data problems, and initiated some improvements; however, efforts
have not yet remedied all problems that have been identified.

Recommendations for Executive Action

To help ensure that MTSA facility-related inspection requirements are
being implemented effectively, we recommend that the Secretary of Homeland
Security direct the Commandant of the Coast Guard to take the following
three actions:

           o Reassess the adequacy of resources for facility inspections,
           given changing inspection guidance and the multiple duties of
           sector personnel.

           o Assess the effectiveness of differences in program
           implementation by sector to identify best practices, including the
           use of unannounced annual compliance exams and the varying use of
           enforcement actions.

           o Assess MISLE compliance data, including the completeness of the
           data, data entry, consistency, and data field problems, and make
           any changes needed to more effectively utilize MISLE data.

Agency Comments

We requested comments on a draft of this report from the Secretary of DHS
and from the Coast Guard. The Department declined to provide official
written comments to include in our report. However, in an e-mail received
January 23, 2008, the DHS liaison stated that DHS concurred with our
recommendations. Written technical comments were provided by the Coast
Guard that were incorporated into the report as appropriate.

As we agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution of it until 30
days from the date of this letter. We will then send copies to others who
are interested and make copies available to others who request them. In
addition, the report will be available at no charge on GAO's website at
[39]http://www.gao.gov .

If you or your staffs have any questions about this report, please contact
me at (202) 512-9610 or at [40][email protected] . Contact points for our
Office of Congressional Relations and Public Affairs may be found on the
last page of this report. Key contributors to this report are listed in
appendix III.

Stephen L. Caldwell
Director, Homeland Security and Justice Issues

Appendix I: Objective, Scope, and Methodology

This report addresses the Coast Guard's implementation of the Maritime
Transportation Security Act of 2002 (MTSA) facility security requirements,
as amended by, among other things, the Security and Accountability For
Every Port Act (SAFE Port Act). Specifically, our objectives included
determining the extent to which the Coast Guard:

           o has met its maritime facility inspection requirements under MTSA
           and the SAFE Port Act and has found facilities to be in compliance
           with their security plans,

           o has determined the availability of trained personnel to meet
           current and future facility inspection requirements, and

           o has assessed the effectiveness of its MTSA facility oversight
           program and ensured that program compliance data collected and
           reported are reliable.

To determine whether the Coast Guard has met its inspection requirements
and has found facilities to be in compliance with their security plans, we
analyzed 2004-2006 compliance activity data from the Coast Guard's Marine
Information for Safety and Law Enforcement (MISLE) database. Over a period
of 5 months, we requested and obtained data from MISLE to document Coast
Guard compliance and enforcement activities related to MTSA facilities
from July 1, 2004, the deadline for facilities to be operating under a
Coast Guard-approved facility security plan, to December 31, 2006. The
Coast Guard extracted three types of data and provided them as data
spreadsheets, including:

           o Inspections: Annual Compliance Exams, Security Spot Checks, and
           Facility Exercise Monitoring at specific MTSA facilities.

           o Deficiencies: the number and nature of deficiencies recorded
           during the inspections.

           o Enforcement Actions: sanctions and remedial actions directed by
           the Coast Guard for incurring deficiencies.

To assess the reliability of MISLE data, we (1) performed electronic
testing for obvious errors in accuracy and completeness; (2) reviewed
related documentation, such as MISLE user guides; and (3) held extensive
meetings and exchanged correspondence with Coast Guard information systems
officials to discuss data entry and analysis and ensure correct
identification of specific data fields regarding the data. When we found
discrepancies, we brought these to the Coast Guard's attention and worked
with agency officials to correct them to the extent possible before
conducting our analyses. Given the discrepancies we identified, we took
several steps prior to our analysis to improve the accuracy and usefulness
of the data the Coast Guard supplied. These included:

           o Removing 77 records from facility deficiencies that were "opened
           in error," which Coast Guard indicated generally were duplicate
           records.

           o Creating a dataset linking deficiencies and enforcement actions.
           We performed several checks on the merged file and worked with the
           Coast Guard to reduce data inconsistencies.

           o Creating a new "Sector" field based on Coast Guard documentation
           and interviews on the new sector breakdowns, and for 2006
           consolidated the existing "Unit" field into the appropriate
           sector.

Coast Guard data analysts acknowledged that there are duplicate
deficiencies and enforcement actions in MISLE and that MISLE has no
automated process to accurately determine which duplicate activity to
remove--the process would involve looking at individual narratives to
attempt to determine which activity was a duplicate. We used the following
approach to identify duplicates: when we identified activities that had
the same deficiency identification number and citation, we checked 21
other data fields in MISLE for duplication. If two or more observations
had the same values in all of these fields, we retained one observation,
designating the others as duplicates. Using this process, we classified 32
of 7,620 total observations, or less than 1 percent of deficiencies in
each year, as duplicative. We chose to keep the observations in the
analyses because it was not clear which activity to delete because we
lacked a more reliable means for identifying duplicates that were not
identical for all fields examined, and because of the small number of
observations our approach identified.

After conducting the above steps, we determined that the data were
sufficiently reliable to provide a general indication of the magnitude and
relative frequencies of compliance activities. The corrected data sets
were used to analyze national and sector-based Coast Guard MTSA compliance
activities, including inspections, deficiencies, and enforcement actions.
Our report discusses MISLE data problems in more detail, along with the
steps we believe are needed to address them.

To supplement our analysis of MISLE data in understanding the Coast
Guard's progress on inspection requirements, we selected 7 of the Coast
Guard's 35 sectors for more detailed review. We selected sectors that
would provide a range of Coast Guard environments in which MTSA is being
implemented, and to ensure a broad representation of types of ports, we
chose sectors with ports that varied in size, varied in types of waterway
(ocean, river, and lake), and geographic diversity. While results from
these seven sectors cannot be generalized to all Coast Guard sectors, we
determined that the selection of these sites was appropriate for our
design and objectives and that the selection would provide valid and
reliable evidence. In each sector, we interviewed Coast Guard inspectors
responsible for oversight of MTSA facility plans, facility security
officers at MTSA facilities (28 facilities overall), and other port
stakeholders in each port, such as port authority personnel and facilities
adjacent to MTSA facilities. Sectors we visited included Hampton Roads,
Virginia; Honolulu, Hawaii; Lake Michigan, Michigan; Los Angeles/Long
Beach, California; New York/New Jersey; Seattle, Washington; and Upper
Mississippi River, Missouri. We conducted our visits--as well as some
follow-up discussions by phone--from December 2006 through August 2007.

We also met with the Coast Guard Atlantic and Pacific area officials to
discuss compliance activities, and with headquarters program and
information system officials multiple times to discuss our analysis. We
reviewed relevant sections of the Maritime Transportation Security Act,
the SAFE Port Act, Coast Guard implementing regulations, Navigation and
Vessel Inspection circulars, prior GAO reports, and MISLE documentation.

To establish whether the Coast Guard has determined the availability of
trained personnel to meet current and future facility inspection
requirements, we summarized data provided by the Coast Guard from its
Direct Access database on the number of personnel trained to conduct MTSA
inspections. Direct Access is the Coast Guard's Human Resource system,
used for a variety of personnel functions. The Coast Guard provided a
spreadsheet of personnel certified with one or more Maritime Security
Qualifications from this database. To assess the reliability of the
spreadsheet data, we looked for obvious errors and inconsistencies in the
data, and requested information from Coast Guard officials to understand
limitations in the data and make corrections where possible. We identified
limitations in the data related to duplicate entries and certifications
not yet entered into the system. Duplicate entries result, for example,
because staff may be listed twice if they are employed as both a reservist
and civilian Coast Guard employee, or may be listed under a sector and
under a pre-sector unit. We deleted duplicate entries identified by Coast
Guard to arrive at the number of trained personnel, but we were unable to
determine how many certifications had not yet been entered in the system.
Given this limitation, we found the Direct Access data to be sufficiently
reliable to provide only an approximate number of personnel qualified to
conduct MTSA facility inspections.

The Coast Guard provided verbal information on the number of personnel
currently in facility inspection positions. We conducted several
interviews with relevant Coast Guard headquarters managers regarding the
number of inspectors that have been trained, the allocation of staff to
inspection positions, the training provided to current inspectors, and
plans for future training and resources for conducting facility
inspections. We also discussed current and planned guidance for conducting
facility inspections with headquarters officials. In the seven sectors we
visited, we met with facility inspectors to discuss facility inspector
training, the adequacy of inspection resources, guidance used to conduct
inspections, and other inspector responsibilities. We discussed the
consistency of inspections with facility security officers in facilities
located in the seven sectors. We also reviewed written Coast Guard
guidance related to MTSA facility inspections, such as relevant circulars,
memos, and on-line resources, and documents on planned revisions to
facility oversight regulations.

To determine the extent to which the Coast Guard has assessed its MTSA
facility oversight program and ensured that program compliance data is
accurate, we requested the Coast Guard provide documentation of any
evaluation of activities related to facility oversight and reviewed the
two annual reports that the Coast Guard provided. We reviewed Office of
Management and Budget documents and prior GAO reports on assessing program
effectiveness. Our assessment of the accuracy of the Coast Guard
compliance data was based on our reliability assessment of MISLE data we
conducted as part of objective 1. We also discussed the accuracy and
utility of MISLE data with facility inspectors during our site visits to
seven sectors.

We conducted this performance audit from May 2006 through February 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.

Appendix II: Total Nationwide Facility Deficiencies for 2004, 2005, and
2006 by MTSA Regulatory Citation

This appendix summarizes GAO's analysis of deficiencies identified by
Coast Guard facility inspectors nationwide from 2004-2006 based on the
MTSA regulatory citation associated with each deficiency. Facility
security plans are written to meet requirements established by MTSA
regulations, and the deficiency documentation in the Coast Guard's
compliance data includes the citation for the associated MTSA regulation.

Under a specific citation, in most cases there are a number of
sub-elements. We summarized the deficiency data at the general citation
level because the data collected on facility compliance did not
consistently identify deficiencies at a more detailed level.^1

The data in table 5 is presented based on the frequency the of the
deficiency citation for 2006.

Table 5: Total Nationwide Facility Deficiencies for 2004-2006 by MTSA
Regulation Citation

MTSA regulation citation: 33CFR105.255; Security measures for access 
control; 
Citation description: Requires security measures to deter the 
introduction of unauthorized dangerous substances and devices, to check 
the identity of persons seeking entry, and to identify restricted 
areas, among other requirements; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 696; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 445; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 458. 

MTSA regulation citation: 33CFR105.225; Facility recordkeeping 
requirements; 
Citation description: Requires facility records be kept for 2 years on 
measures such as security training, security equipment calibration, 
drills and exercises, and security breaches; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 248; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 336; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 418. 

MTSA regulation citation: 33CFR105.260; Security measures for 
restricted areas; 
Citation description: Requires measures for protection of restricted 
areas, such as shore areas, areas with sensitive security information, 
and areas with dangerous cargo; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 545; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 344; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 364. 

MTSA regulation citation: 33CFR105.220; Drill and exercise 
requirements; 
Citation description: Requires quarterly drills and annual exercises to 
test personnel performance of security duties and effective 
implementation of the facility security plan, for example, a drill of 
personnel responses to a security alarm, or an exercise of security 
plan communication procedures; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 56; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 180; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 269. 

MTSA regulation citation: 33CFR105.415; Facility Security Plan 
amendment and audit; 
Citation description: Facility security plan amendments, such as a 
change in a security procedure, must be approved by the Coast Guard 
following certain procedures, and an annual audit of the plan must be 
conducted; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 37; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 190; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 243. 

MTSA regulation citation: 33CFR105.205; Facility Security Officer; 
Citation description: Establishes facility security officer 
qualifications, such as knowledge of vessel and facility operations, 
and other responsibilities, such as ensuring adequate training of 
security personnel, and that the plan is exercised, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 167; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 114; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 152. 

MTSA regulation citation: 33CFR105.200; Owner or operator; 
Citation description: Requires owner or operator to comply with 
facility security requirements such as to identify a facility security 
officer, and ensure coordination of shore leave for vessel personnel, 
among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 76; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 86; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 108. 

MTSA regulation citation: 33CFR105.210; Facility personnel with 
security duties; 
Citation description: Requires security personnel to have knowledge in 
security-related areas, such as techniques used to circumvent security 
procedures, emergency procedures, and relevant security plan 
provisions, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 144; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 97; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 80. 

MTSA regulation citation: 33CFR105.250; Security systems and equipment 
maintenance; 
Citation description: Requires security systems and equipment to be in 
good working order, and be properly tested and maintained, among other 
things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 63; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 68; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 53. 

MTSA regulation citation: 33CFR105.405; Format and general content of 
the Facility Security Plan; 
Citation description: Establishes a required structure and content for 
the facility plan, such as the order for sections, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 49; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 34; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 53. 

MTSA regulation citation: 33CFR105.215; Security training for all other 
facility personnel; 
Citation description: Requires certain knowledge for non-security 
personnel, for example, the meaning of varying maritime security levels 
that apply to them, and emergency procedures.[B]; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 94; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 80; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 48. 

MTSA regulation citation: 33CFR105.245; Declaration of Security; 
Citation description: Requires the facility owner or operator, among 
other things, to document security procedures for coordinating security 
with vessels, such as the transfer of cargo or passengers; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 37; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 34; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 34. 

MTSA regulation citation: 33CFR105.270; Security measures for delivery 
of vessel stores and bunkers; 
Citation description: Requires that security measures are in place for 
the delivery of vessel stores and bunkers, such as requiring material 
be inspected before it is accepted; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 42; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 17; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 33. 

MTSA regulation citation: 33CFR105.275; Security measures for 
monitoring; 
Citation description: Requires security measures be in place that allow 
continuous monitoring, for example of the facility and approaches to 
it, and monitoring vessels using the facility; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 89; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 44; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 29. 

MTSA regulation citation: 33CFR105.145; Maritime Security Directive; 
Citation description: Requires that facility owner or operator must 
comply with instructions contained in an applicable maritime security 
directive issued by the Coast Guard; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 42; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 26; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 25. 

MTSA regulation citation: 33CFR105.235; Communications; 
Citation description: A facility security officer must have the means 
to effectively notify facility personnel and others, such as the 
police, of changes in security conditions, and effectively communicate 
with others, such as the police, and meet certain requirements, such as 
having a backup for internal and external communications; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 31; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 35; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 23. 

MTSA regulation citation: 33CFR105.400; Facility Security Plan, 
General; 
Citation description: Requires a facility plan be developed and 
implemented by the facility security officer, and related requirements, 
such as the procedures for preventing unauthorized electronic 
amendment, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 17; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 30; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 21. 

MTSA regulation citation: 33CFR105.125; Noncompliance; 
Citation description: Requires that the Coast Guard be notified if the 
facility deviates from procedures outlined in their approved security 
plan, and that the facility stop operations or obtain approval to 
continue operating; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 29; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 15; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 18. 

MTSA regulation citation: 33CFR105.120; Compliance documentation; 
Citation description: After July 1, 2004, documentation of the Coast 
Guard-approved facility plan or alternative security plan must be 
available to the Coast Guard on request; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 15; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 20; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 18. 

MTSA regulation citation: 33CFR105.280; 
Security incident procedures; 
Citation description: The owner or operator must ensure that the 
facility security officer and security personnel are able to respond to 
security breaches, and evacuate the facility, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 26; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 10; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 17. 

MTSA regulation citation: 33CFR105.265; Security measures for handling 
cargo; 
Citation description: Requires that security measures relating to cargo 
handling are implemented, for example to deter tampering, and to ensure 
cargo is released only to the correct carrier; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 67; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 15; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 13. 

MTSA regulation citation: 33CFR105.295; Additional requirements-- 
Certain Dangerous Cargo facilities; 
Citation description: Additional requirements for facilities handling 
certain dangerous cargo include, for example, all security personnel 
must record or report their presence at key patrol points, and parking 
and unloading of vehicles is controlled; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 27; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 7; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 7. 

MTSA regulation citation: 33CFR105.140; Alternative Security Program; 
Citation description: Sets the criteria for operating under an approved 
alternative security plan, for example, if it is appropriate to the 
facility and is adopted in its entirety; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 2; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 1; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 6. 

MTSA regulation citation: 33CFR105.230; Maritime Security Level 
coordination and implementation; 
Citation description: Requires that a facility operate consistent with 
the security level established for the port overall, sets time frames 
for having higher security level measures in place, and identifies 
possible additional security measures at higher security levels; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 28; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 8; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 5. 

MTSA regulation citation: 33CFR105.410; Facility Security Plan 
submission and approval; 
Citation description: Required that facility security plans be 
submitted by December 31, 2003, or within 60 days before beginning 
operations, if operations start after the initial deadline, and 
outlines the steps for review and approval of the plan; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 12; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 4; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 3. 

MTSA regulation citation: 33CFR105.305; Facility Security Assessment 
requirements; 
Citation description: Establishes information and analysis requirements 
for facility security assessments, such as requiring an "on-scene" 
survey of the facility, requiring key security information be included 
such as the location of evacuation routes, and that vulnerabilities be 
identified, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 9; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 3. 

MTSA regulation citation: 33CFR105.310; Facility Security Assessment 
submission requirements; 
Citation description: Requires that the security assessment be 
submitted with the facility security plan, allows one assessment be 
submitted for multiple facilities, and the assessment must be approved 
by the Coast Guard and updated with security plan reapprovals or 
revisions; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 6; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 2. 

MTSA regulation citation: 33CFR105.105; Applicability; 
Citation description: Sets the applicability criteria for facilities 
subject to MTSA regulations, for example, foreign cargo vessels over a 
certain weight; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 2; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 4; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 2. 

MTSA regulation citation: 33CFR105.290; Additional requirements-- 
cruise ship terminals; 
Citation description: Additional cruise ship requirements include for 
example, screening all persons, baggage and personal effects for 
dangerous substances or devices; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 2; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 12; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 2. 

MTSA regulation citation: 33CFR105.300; Facility Security Assessment, 
General; 
Citation description: Establishes the assessment as a written document, 
that an assessment can cover multiple facilities, and that third 
parties with expertise in areas such as contingency planning can be 
involved in the assessment; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 2. 

MTSA regulation citation: 33CFR105.240; Procedures for interfacing with 
vessels; 
Citation description: Requires facility owner or operator to ensure 
that there are measures for interfacing with vessels at all security 
levels; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 4; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 4; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 1. 

MTSA regulation citation: 33CFR105.100; Definitions; 
Citation description: Establishes that the definitions in the general 
maritime security section apply to the maritime facility section as 
well; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 1; see Note. 

MTSA regulation citation: 33CFR105.110; Exemptions; 
Citation description: Establishes the exemption criteria from maritime 
facility requirements, for example, some shipyard facilities are 
exempt; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 2; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 1. 

MTSA regulation citation: 33CFR105.296; Additional requirements--barge 
fleeting facilities; 
Citation description: Barge fleeting facilities are also required to 
designate restricted areas to handle certain dangerous cargoes, and 
ensure that a certain number of towing vessels are available for a 
given number of barges, among other things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 1; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 1. 

MTSA regulation citation: 33CFR105.285; Additional requirements-- 
passenger and ferry facilities; 
Citation description: Passenger and ferry facilities are also required 
to segregate unchecked persons and personal effects from checked 
persons, and screen unaccompanied vehicles before loading, among other 
things; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 8; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 1; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 0. 

MTSA regulation citation: 33CFR105.135; Equivalents; 
Citation description: Allows facility owner or operator to propose an 
equivalent security measure if it is equal or exceeds the effectiveness 
of the required measures; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 4; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 0. 

MTSA regulation citation: 33CFR105.106; Public access areas; 
Citation description: Allows the designation of a public access area 
within a MTSA facility serving passenger vessels of a certain size, 
other than cruise ships; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 0; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 1; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 0. 

MTSA regulation citation: Total; 
Citation description: [Empty]; 
Number of facility deficiencies for each MTSA regulation citation: 
2004[A]: 2,674; 
Number of facility deficiencies for each MTSA regulation citation: 
2005: 2,265; 
Number of facility deficiencies for each MTSA regulation citation: 
2006: 2,513. 

Source: GAO analysis of Coast Guard compliance data.

Note: Our work identified reliability issues with Coast Guard's data, such
as a lack of consistency and missing information. Given these concerns,
these figures are presented to provide an indication of the relative
frequency that different deficiencies were identified, and not as a
precise measure. As one example, the single deficiency identified under 33
C.F.R. 105.100 Definitions, was miscoded, based on the narrative for the
deficiency, which indicated the "facility failed to implement proper
security measures for monitoring by neglecting to have facility personnel
on site at all times while a vessel was moored at the facility."

[a]Facilities were not required to have a facility security plan in place
until July 1, 2004, therefore, the reporting period is from July 1, 2004,
to December 31, 2004.

[b]Maritime security levels are set by the Commandant of the Coast Guard to
reflect level of risk to the maritime transportation system, a higher
level reflecting greater risk. Facility security plans incorporate
security measures to be taken at varying maritime security levels.

^1 For example, under 33 C.F.R.105.210 Facility personnel responsible for
security duties, there are 13 specific areas that personnel are required
to have knowledge, such as the ability to recognize and detect dangerous
substances and crowd management and control techniques. However, a number
of the narrative descriptions for this deficiency indicated a general need
for security personnel training, rather than specific training needs.

Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact

Stephen L. Caldwell, Director, (202) 512- 9610 or [41][email protected]

Acknowledgments

This report was completed under the direction of Steven Calvo, Assistant
Director. Other key contributors included Geoffrey Hamilton, Dawn Hoff,
Monica Kelly, Dan Klabunde, Rebecca Taylor, Jerome Sandau, and Stan
Stenersen.

GAO Related Products

Maritime Security: Federal Efforts Needed to Address Challenges in
Preventing and Responding to Terrorist Attacks on Energy Commodity
Tankers. [42]GAO-08-141 . Washington, D.C.: Dec. 10, 2007.

Homeland Security: TSA Has Made Progress in Implementing the
Transportation Worker Identification Credential Program, but Challenges
Remain. [43]GAO-08-133T . Washington, D.C.: Oct. 31, 2007.

Maritime Security: The SAFE Port Act: Status and Implementation One Year
Later. [44]GAO-08-126T . Washington, D.C.: Oct. 30, 2007.

Department of Homeland Security: Progress Report on Implementation of
Mission and Management Functions. [45]GAO-07-454 . Washington, D.C.: Aug.
17, 2007.

Maritime Security: Information on Port Security in the Caribbean Basin.
[46]GAO-07-804R . Washington, D.C.: June 29, 2007.

Coast Guard: Observations on the Fiscal Year 2008 Budget, Performance,
Reorganization, and Related Challenges. [47]GAO-07-489T . Washington,
D.C.: Apr. 18, 2007.

International Trade: Persistent Weaknesses in the In-Bond Cargo System
Impede Customs and Border Protection's Ability to Address Revenue, Trade,
and Security Concerns. [48]GAO-07-561 . Washington, D.C.: Apr. 17, 2007.

Port Risk Management: Additional Federal Guidance Would Aid Ports in
Disaster Planning and Recovery. [49]GAO-07-412 . Washington, D.C.: Mar.
28, 2007.

Maritime Security: Public Safety Consequences of a Terrorist Attack on a
Tanker Carrying Liquefied Natural Gas Need Clarification. [50]GAO-07-316 .
Washington, D.C.: Feb. 23, 2007.

Transportation Security: DHS Should Address Key Challenges before
Implementing the Transportation Worker Identification Credential Program.
[51]GAO-06-982 . Washington, D.C.: Sept. 29, 2006.

Coast Guard: Observations on the Preparation, Response, and Recovery
Missions Related to Hurricane Katrina. [52]GAO-06-903 . Washington, D.C.:
July 31, 2006.

Maritime Security: Information Sharing Efforts Are Improving.
[53]GAO-06-933T . Washington, D.C.: July 10, 2006.

Coast Guard: Observations on Agency Performance, Operations, and Future
Challenges. [54]GAO-06-448T . Washington, D.C.: June 15, 2006.

Cargo Container Inspections: Preliminary Observations on the Status of
Efforts to Improve the Automated Targeting System. [55]GAO-06-591T .
Washington, D.C.: Mar. 30, 2006.

Combating Nuclear Smuggling: DHS Has Made Progress Deploying Radiation
Detection Equipment at U.S. Ports-of-Entry, but Concerns Remain.
[56]GAO-06-389 . Washington, D.C.: Mar. 22, 2006.

Risk Management: Further Refinements Needed to Assess Risks and Prioritize
Protective Measures at Ports and Other Critical Infrastructure.
[57]GAO-06-91 . Washington, D.C.: Dec. 2005.

Combating Nuclear Smuggling: Efforts to Deploy Radiation Detection
Equipment in the United States and in Other Countries. [58]GAO-05-840T .
Washington, D.C.: June 21, 2005.

Homeland Security: Key Cargo Security Programs Can Be Improved.
[59]GAO-05-466T . Washington, D.C.: May 26, 2005.

Maritime Security: Enhancements Made, but Implementation and
Sustainability Remain Key Challenges. [60]GAO-05-448T . Washington, D.C.:
May 17, 2005.

Container Security: A Flexible Staffing Model and Minimum Equipment
Requirements Would Improve Overseas Targeting and Inspection Efforts.
[61]GAO-05-557 . Washington, D.C.: Apr. 26, 2005.

Maritime Security: New Structures Have Improved Information Sharing, but
Security Clearance Processing Requires Further Attention. [62]GAO-05-394 .
Washington, D.C.: Apr. 15, 2005.

Preventing Nuclear Smuggling: DOE Has Made Limited Progress in Installing
Radiation Detection Equipment at Highest Priority Foreign Seaports.
[63]GAO-05-375 . Washington, D.C.: Mar. 31, 2005.

Coast Guard: Observations on Agency Priorities in Fiscal Year 2006 Budget
Request. [64]GAO-05-364T . Washington, D.C.: Mar. 17, 2005.

Cargo Security: Partnership Program Grants Importers Reduced Scrutiny with
Limited Assurance of Improved Security. [65]GAO-05-404 . Washington, D.C.:
Mar. 11, 2005.

Coast Guard: Station Readiness Improving, but Resource Challenges and
Management Concerns Remain. [66]GAO-05-161 . Washington, D.C.: Jan. 31,
2005.

Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. [67]GAO-05-170 . Washington, D.C.:
Jan.14, 2005.

Maritime Security: Better Planning Needed to Help Ensure an Effective Port
Security Assessment Program. [68]GAO-04-1062 . Washington, D.C.: Sept. 30,
2004.

Maritime Security: Partnering Could Reduce Federal Costs and Facilitate
Implementation of Automatic Vessel Identification System. [69]GAO-04-868 .
Washington, D.C.: July 23, 2004.

Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. [70]GAO-04-838 . Washington,
D.C.: June 30, 2004.

Coast Guard: Key Management and Budget Challenges for Fiscal Year 2005 and
Beyond. [71]GAO-04-636T . Washington, D.C.: Apr. 7, 2004.

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. [72]GAO-04-557T . Washington, D.C.: Mar.
31, 2004.

Maritime Security: Progress Made in Implementing Maritime Transportation
Security Act, but Concerns Remain. [73]GAO-03-1155T . Washington, D.C.:
Sept. 9, 2003.

Combating Terrorism: Interagency Framework and Agency Programs to Address
the Overseas Threat. [74]GAO-03-165 . Washington, D.C.: May 23, 2003.

Combating Terrorism: Actions Needed to Improve Force Protection for DOD
Deployments through Domestic Seaports. [75]GAO-03-15 . Washington, D.C.:
Oct. 22, 2002.

Coast Guard: Vessel Identification System Development Needs to Be
Reassessed. [76]GAO-02-477 . Washington, D.C.: May 24, 2002.

Coast Guard: Budget and Management Challenges for 2003 and Beyond.
[77]GAO-02-538T . Washington, D.C.: Mar. 19, 2002.

(440511)

To view the full product, including the scope
and methodology, click on [78]GAO-08-12 .

For more information, contact Stephen Caldwell at (202) 512-8777,
[email protected].

Highlights of [79]GAO-08-12 , a report to the Committee on Commerce,
Science and Transportation, U.S. Senate

February 2008

MARITIME SECURITY

Coast Guard Inspections Identify and Correct Facility Deficiencies, but
More Analysis Needed of Program's Staffing, Practices, and Data

To help secure the nation's ports against a terrorist attack, federal
regulations have required cargo and other maritime facilities to have
security plans in place since July 2004. U.S Coast Guard (USCG) guidance
calls for an annual inspection to ensure that plans are being followed.
Federal law enacted in October 2006 required such facilities to be
inspected two times a year--one of which is to be conducted unannounced.
The USCG plans to conduct one announced inspection and the other as a less
comprehensive unannounced "spot check." GAO examined the extent to which
the USCG (1) has met inspection requirements and found facilities to be
complying with their plans, (2) has determined the availability of trained
personnel to meet current and future facility inspection requirements, and
(3) has assessed the effectiveness of its facility inspection program and
ensured that program compliance data collected and reported are reliable.
GAO analyzed USCG compliance data, interviewed inspectors and other
stakeholders in 7 of 35 USCG sectors of varying size, geographic location,
and type of waterway.

[80]What GAO Recommends

GAO recommends the USCG reassess the number of inspection staff needed,
compare varying approaches taken by local units in conducting inspections,
and improve its facility compliance data. The Department of Homeland
Security agreed with GAO's recommendations.

We could not determine the extent to which the USCG has met inspection
requirements because its compliance database does not identify all
regulated facilities to establish how many should have been inspected.
While the USCG estimates there are about 3,200 facilities requiring
inspection, their records indicate 2,126 annual inspections were conducted
in 2006. Headquarters officials said field units reported that all
required facility inspections were conducted. However, officials also said
some inspections may not have been recorded, or were delayed by staff
being diverted for natural disasters. The USCG identified deficiencies in
about one-third of inspections, mainly for problems with access controls
or missing documentation. Over 80 percent of deficiencies identified by
the USCG were resolved by facility operators without the USCG applying
formal enforcement actions.

Although USCG officials believe they have enough trained inspectors to
conduct current and future inspections, two additional factors could
affect the USCG's estimates of the number of inspectors needed. First,
facility inspectors balance security inspections with other competing
duties, such as safety or pollution checks, and giving priority to
security inspections could affect these other duties, inspectors said.
Second, new guidance for spot checks calls for these checks to be more
detailed--and perhaps more time-consuming--than some USCG units conducted
in the past. For example, the guidance now requires an on-site visit,
whereas some units had allowed the check to be a drive-by observation. The
effect of the new guidance on resource requirements in these units is
unknown.

The USCG has not assessed the effectiveness of its facility inspection
program. Headquarters guidance gives considerable discretion to local USCG
units in deciding how to conduct facility inspections--for example,
deciding whether a fine is warranted. The USCG has little or no
information, however, on which approaches work better than others and is
therefore limited in being able to make informed decisions in guiding the
program. Flaws in USCG's database, including missing, duplicate, and
inconsistent information, complicate the USCG's ability to conduct such
analyses or provide other information for making management decisions.

Types of Deficiencies Noted by the USCG in Facility Inspections during
2006

GAO's Mission

The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( [81]www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
[82]www.gao.gov and select "E-mail Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
DC 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: [83]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [84][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Ralph Dawn, Managing Director, [85][email protected] , (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
DC 20548

Public Affairs

Chuck Young, Managing Director, [86][email protected] , (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
DC 20548

References

Visible links
  32. http://www.gao.gov/cgi-bin/getrpt?GAO-04-838
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-04-838
  34. http://www.gao.gov/cgi-bin/getrpt?GAO-04-728
  35. http://www.gao.gov/cgi-bin/getrpt?GAO-05-927
  36. http://www.gao.gov/cgi-bin/getrpt?GAO-06-816
  37. http://www.gao.gov/cgi-bin/getrpt?GAO-04-38
  38. http://www.gao.gov/cgi-bin/getrpt?GAO-05-927
  39. http://www.gao.gov/
  40. mailto:[email protected]
  41. mailto:[email protected]
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-08-141
  43. http://www.gao.gov/cgi-bin/getrpt?GAO-08-133T
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-08-126T
  45. http://www.gao.gov/cgi-bin/getrpt?GAO-07-454
  46. http://www.gao.gov/cgi-bin/getrpt?GAO-07-804R
  47. http://www.gao.gov/cgi-bin/getrpt?GAO-07-489T
  48. http://www.gao.gov/cgi-bin/getrpt?GAO-07-561
  49. http://www.gao.gov/cgi-bin/getrpt?GAO-07-412
  50. http://www.gao.gov/cgi-bin/getrpt?GAO-07-316
  51. http://www.gao.gov/cgi-bin/getrpt?GAO-06-982
  52. http://www.gao.gov/cgi-bin/getrpt?GAO-06-903
  53. http://www.gao.gov/cgi-bin/getrpt?GAO-06-933T
  54. http://www.gao.gov/cgi-bin/getrpt?GAO-06-448T
  55. http://www.gao.gov/cgi-bin/getrpt?GAO-06-591T
  56. http://www.gao.gov/cgi-bin/getrpt?GAO-06-389
  57. http://www.gao.gov/cgi-bin/getrpt?GAO-06-91
  58. http://www.gao.gov/cgi-bin/getrpt?GAO-05-840T
  59. http://www.gao.gov/cgi-bin/getrpt?GAO-05-466T
  60. http://www.gao.gov/cgi-bin/getrpt?GAO-05-448T
  61. http://www.gao.gov/cgi-bin/getrpt?GAO-05-557
  62. http://www.gao.gov/cgi-bin/getrpt?GAO-05-394
  63. http://www.gao.gov/cgi-bin/getrpt?GAO-05-375
  64. http://www.gao.gov/cgi-bin/getrpt?GAO-05-364T
  65. http://www.gao.gov/cgi-bin/getrpt?GAO-05-404
  66. http://www.gao.gov/cgi-bin/getrpt?GAO-05-161
  67. http://www.gao.gov/cgi-bin/getrpt?GAO-05-170
  68. http://www.gao.gov/cgi-bin/getrpt?GAO-04-1062
  69. http://www.gao.gov/cgi-bin/getrpt?GAO-04-868
  70. http://www.gao.gov/cgi-bin/getrpt?GAO-04-838
  71. http://www.gao.gov/cgi-bin/getrpt?GAO-04-636T
  72. http://www.gao.gov/cgi-bin/getrpt?GAO-04-557T
  73. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1155T
  74. http://www.gao.gov/cgi-bin/getrpt?GAO-03-165
  75. http://www.gao.gov/cgi-bin/getrpt?GAO-03-15
  76. http://www.gao.gov/cgi-bin/getrpt?GAO-02-477
  77. http://www.gao.gov/cgi-bin/getrpt?GAO-02-538T
  78. http://www.gao.gov/cgi-bin/getrpt?GAO-08-12
  79. http://www.gao.gov/cgi-bin/getrpt?GAO-08-12
  81. http://www.gao.gov/
  82. http://www.gao.gov/
  83. http://www.gao.gov/fraudnet/fraudnet.htm
  84. mailto:[email protected]
  85. mailto:[email protected]
  86. mailto:[email protected]
*** End of document. ***