Transportation Security: TSA Has Made Progress in Implementing	 
the Transportation Worker Identification Credential Program, but 
Challenges Remain (31-OCT-07, GAO-08-133T).			 
                                                                 
The Transportation Security Administration (TSA) is developing	 
the Transportation Worker Identification Credential (TWIC) to	 
help ensure that only workers who are not known to pose a	 
terrorist threat are allowed to enter secure areas of the	 
nation's transportation facilities. This testimony is based	 
primarily on GAO's September 2006 report on the TWIC program, and
interviews with TSA and maritime industry officials conducted in 
September and October 2007 to obtain updates on the TWIC program.
Specifically, this testimony addresses (1) the progress TSA has  
made since September 2006 in implementing the TWIC program and	 
addressing GAO recommendations; and (2) some of the remaining	 
challenges that TSA and the maritime industry must overcome to	 
ensure the successful implementation of the program.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-133T					        
    ACCNO:   A77848						        
  TITLE:     Transportation Security: TSA Has Made Progress in	      
Implementing the Transportation Worker Identification Credential 
Program, but Challenges Remain					 
     DATE:   10/31/2007 
  SUBJECT:   Access control					 
	     Homeland security					 
	     Port security					 
	     Program evaluation 				 
	     Strategic planning 				 
	     Transportation planning				 
	     Transportation policies				 
	     Transportation security				 
	     Transportation workers				 
	     Biometric identification				 
	     Identification cards				 
	     Program coordination				 
	     Program implementation				 
	     Transportation Worker Identification		 
	     Credential Program 				 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-133T

   

     * [1]Summary
     * [2]Background

          * [3]TWIC Program History
          * [4]Key Components of the TWIC Program

     * [5]TSA Has Made Progress Since September 2006 in Implementing t

          * [6]TSA Issued a TWIC Rule and Awarded a Contract to Begin Enrol
          * [7]TSA Attributes Missed Deadlines to the Need for Additional T
          * [8]TSA Has Taken Steps to Strengthen Contract Planning and Over

     * [9]TSA and Industry Stakeholders Will Need to Address Challenge

          * [10]TSA and Its Contractor Will Have to Enroll and Issue TWIC Ca
          * [11]TSA and Industry Stakeholders Must Ensure That TWIC Access C

     * [12]Concluding Observations
     * [13]Contact Information
     * [14]GAO's Mission
     * [15]Obtaining Copies of GAO Reports and Testimony

          * [16]Order by Mail or Phone

     * [17]To Report Fraud, Waste, and Abuse in Federal Programs
     * [18]Congressional Relations
     * [19]Public Affairs
     * [20]PDF6-Ordering Information-Young-10-25-07.pdf

          * [21]GAO's Mission
          * [22]Obtaining Copies of GAO Reports and Testimony

               * [23]Order by Mail or Phone

          * [24]To Report Fraud, Waste, and Abuse in Federal Programs
          * [25]Congressional Relations
          * [26]Public Affairs

Testimony before the Committee on Homeland Security, House of
Representatives

United States Government Accountability Office

GAO

For Release on Delivery
Expected at 10:00 a.m. EDT
Wednesday, October 31, 2007

TRANSPORTATION SECURITY

TSA Has Made Progress in Implementing the Transportation Worker
Identification Credential Program, but Challenges Remain

Statement of Cathleen A. Berrick, Director
Homeland Security and Justice Issues

GAO-08-133T

Mr. Chairman and Members of the Committee:

Thank you for inviting me to participate in today's hearing on the status
of the Transportation Security Administration's (TSA) Transportation
Worker Identification Credential (TWIC) program. Ensuring that only
workers that do not pose a terrorist threat are allowed access to secure
areas of the nation's transportation facilities is a key measure in
securing the homeland. The TWIC program was created to help protect these
facilities from the threat of terrorism by issuing identification cards
only to workers who are not known to pose a terrorist threat, and allow
these workers unescorted access to secure areas of the transportation
system. To accomplish this objective, the TWIC program will include the
collection of personal and biometric information to validate workers'
identities, background checks on transportation workers to ensure they do
not pose a security threat, issuance of tamper-resistant biometric
credentials that cannot be counterfeited, verification of these
credentials using biometric access control systems before a worker is
granted unescorted access to a secure area, and revocation of credentials
if disqualifying information is discovered, or if a card is lost, damaged,
or stolen. The TWIC program is ultimately intended to support all modes of
transportation, however, TSA, in partnership with the Coast Guard, is
focusing initial implementation in the maritime sector.

In December 2004, September 2006, and April 2007, we reported on the
status of the development and testing of the TWIC program.^1 Our 2004
report identified challenges that TSA faced in developing regulations and
a comprehensive plan for managing the program, as well as several factors
that caused TSA to miss initial deadlines for issuing TWIC cards. In our
September 2006 report, we identified the challenges that TSA encountered
during TWIC program testing, and several problems related to contract
planning and oversight. In August 2006, TSA decided that the TWIC program
would be implemented in the maritime sector using two separate rules. TSA
issued the first rule in January 2007 which requires worker enrollment and
card issuance, and plans to issue a proposed rule on access control
technologies in 2008. Since September 2006, Congress passed the Security
and Accountability for Every (SAFE) Port Act of 2006, which directed TSA,
among other things, to implement the TWIC program at the 10 highest risk
ports by July 1, 2007.^2 In January 2007, TSA awarded a $70 million
contract to begin enrolling workers and issuing TWIC cards to workers at
these 10 ports.

^1GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, [27]GAO-05-106 (Washington,
D.C.: December 2004), GAO, Transportation Security: DHS Should Address Key
Challenges before Implementing the Transportation Worker Identification
Credential Program, [28]GAO-06-982 (Washington, D.C.: September 2006), and
GAO, Transportation Security: TSA has made progress in implementing the
Transportation Worker Identification Credential, but Challenges Remain,
[29]GAO-07-681T (Washington, D.C.: April 12, 2007).

My testimony today focuses on: (1) the progress TSA has made since
September 2006 in implementing the TWIC program and addressing GAO
recommendations, and (2) some of the remaining challenges that TSA and the
maritime industry must overcome to ensure the successful implementation of
the program. My comments are based primarily on our September 2006 report
on the TWIC program, which reflects work conducted at TSA and the Coast
Guard, as well as site visits to transportation facilities that
participated in testing the TWIC program. In addition, in September and
October 2007, we interviewed TSA officials regarding the agency's efforts
to implement the TWIC program and our prior recommendations. We also
interviewed officials at port facilities in Wilmington, Delaware and Los
Angeles, California, as well as Maritime Exchange of the Delaware River
and Bay officials, in October 2007 to obtain their views on the TWIC
program. We conducted our work in accordance with generally accepted
government auditing standards.

Summary

Since we reported on the TWIC program in September 2006, TSA has made
progress in implementing the program. Although we have not yet
independently assessed the effectiveness of these efforts, TSA has taken
actions to address legislative requirements to implement and test the
program and our recommendations related to conducting additional systems
testing, strengthening contractor oversight, and improving coordination
with stakeholders. Specifically, TSA has

           o issued a TWIC rule in January 2007 that sets forth the
           requirements for enrolling maritime workers in the TWIC program
           and issuing cards to these workers, and awarded a $70 million
           dollar contract in January 2007 to begin enrolling workers;
           o reported conducting performance testing of the technologies that
           will be used to enroll workers in the TWIC program to ensure that
           they work effectively before implementation;
           o begun planning a pilot program to test TWIC access control
           technologies, such as biometric card readers, at 5 maritime
           locations to address requirements of the SAFE Port Act;
           o begun enrolling workers and issuing TWIC cards at the port of
           Wilmington, Delaware on October 16, 2007, and plans to do so at 11
           additional ports by November 2007;
           o added staff with program and contract management expertise to
           help oversee the TWIC enrollment contract, and developed
           additional controls to help ensure that contract requirements are
           met; and
           o stated that they have taken actions to improve communication and
           coordination with maritime stakeholders, including plans for
           conducting public outreach and education efforts.

^2Pub. L. No.109-347,120 Stat.1884,1889 (2006).

As TSA moves forward with TWIC, it will be important that it work with
maritime industry stakeholders to address the following key challenges
that can affect the programs' successful implementation.

           o TSA and its enrollment contractor will need to transition from
           testing of the TWIC program to successful implementation of the
           program on a much larger scale covering 770,000 workers at about
           3,200 maritime facilities and 5,300 vessels. While TSA and the
           enrollment contractor report conducting performance testing of the
           TWIC enrollment and card issuance systems, it remains to be seen
           how these systems will perform during full scale implementation.
           o TSA and its enrollment contractor will need to educate workers
           on new TWIC requirements, ensure that enrollments begin in a
           timely manner, and effectively and efficiently process background
           checks, appeals, and waivers.
           o TSA and industry stakeholders will need to ensure that TWIC
           access control technologies will work effectively in the maritime
           environment, be compatible with TWIC cards that will be issued,
           ensure that facilities and vessels can effectively and
           economically obtain information on workers that may post a threat,
           and balance security requirements while facilitating maritime
           commerce.

Background

Securing transportation systems and facilities is complicated, requiring
balancing security to address potential threats while facilitating the
flow of people and goods. These systems and facilities are critical
components of the U.S. economy and are necessary for supplying goods
throughout the country and supporting international commerce. U.S.
transportation systems and facilities move over 30 million tons of freight
and provide approximately 1.1 billion passenger trips each day. The Ports
of Los Angeles and Long Beach estimate that they alone handle about 43
percent of the nation's oceangoing cargo. The importance of these systems
and facilities also makes them attractive targets to terrorists. These
systems and facilities are vulnerable and difficult to secure given their
size, easy accessibility, large number of potential targets, and proximity
to urban areas. A terrorist attack on these systems and facilities could
cause a tremendous loss of life and disruption to our society. An attack
would also be costly. According to testimony by a Port of Los Angeles
official, a 2002 labor dispute which led to a 10-day shutdown of West
Coast port operations cost the nation's economy an estimated $1.5 billion
per day.^3 A terrorist attack at a port facility could have a similar or
greater impact.

One potential security threat stems from those individuals who work in
secure areas of the nation's transportation system, including seaports,
airports, railroad terminals, mass transit stations, and other
transportation facilities. It is estimated that about 6 million workers,
including longshoreman, mechanics, aviation and railroad employees, truck
drivers, and others access secure areas of the nation's estimated 4,000
transportation facilities each day while performing their jobs. Some of
these workers, such as truck drivers, regularly access secure areas at
multiple transportation facilities. Ensuring that only workers who are not
known to pose a terrorism security risk are allowed unescorted access to
secure areas is important in helping to prevent an attack. According to
TSA and transportation industry stakeholders, many individuals that work
in secure areas are currently not required to undergo a background check
or a stringent identification process in order to access secure areas. In
addition, without a standard credential that is recognized across modes of
transportation and facilities, many workers must obtain multiple
credentials to access each transportation facility they enter, which could
result in the inconvenience and cost of obtaining duplicate credentials.

TWIC Program History

In the aftermath of the September 11, 2001, terrorist attacks, the
Aviation and Transportation Security Act (ATSA) was enacted in November
2001.^4 Among other things, ATSA required TSA to work with airport
operators to strengthen access control points in secure areas and consider
using biometric access control systems to verify the identity of
individuals who seek to enter a secure airport area. In response to ATSA,
TSA established the TWIC program in December 2001 to mitigate the threat
of terrorists and other unauthorized persons from accessing secure areas
of the entire transportation network, by creating a common identification
credential that could be used by workers in all modes of transportation.^5
In November 2002, the Maritime Transportation Security Act of 2002 (MTSA)
was enacted and required the Secretary of Homeland Security to issue a
maritime worker identification card that uses biometrics, such as
fingerprints, to control access to secure areas of seaports and vessels,
among other things.^6 In October 2006, the SAFE Port Act was enacted and
required, among other things, the issuance of regulations to begin
implementing the TWIC program and issuing TWIC cards to workers at the 10
highest-risk ports by July 1, 2007, conduct a pilot program to test TWIC
access control technologies in the maritime environment, issue regulations
requiring TWIC card readers based on the findings of the pilot, and
periodically report to Congress on the status of the program.

^3Testimony of the Director of Homeland Security, Port of Los Angeles,
before the United States Senate Committee on Commerce, Science, and
Transportation, May 16, 2006.

^4Pub. L. No. 107-71, 115 Stat. 597 (2001).

The responsibility for securing the nation's transportation system and
facilities is shared by federal, state, and local governments, as well as
the private sector. At the federal government level, TSA, the agency
responsible for the security of all modes of transportation, has taken the
lead in developing the TWIC program, while the Coast Guard is responsible
for developing maritime security regulations and ensuring that maritime
facilities and vessels are in compliance with these regulations. As a
result, TSA and the Coast Guard are working together to implement TWIC in
the maritime sector. Most seaports, airports, mass transit stations, and
other transportation systems and facilities in the United States are owned
and operated by state and local government authorities and private
companies. As a result, certain components of the TWIC program, such as
installing card readers, will be the responsibility of these state and
local governments and private industry stakeholders.

TSA--through a private contractor--tested the TWIC program from August
2004 to June 2005 at 28 transportation facilities around the nation,
including 22 port facilities, 2 airports, 1 rail facility, 1 maritime
exchange, 1 truck stop, and a U.S. postal service facility. In August
2005, TSA and the testing contractor completed a report summarizing the
results of the TWIC testing. TSA also hired an independent contractor to
assess the performance of the TWIC testing contractor. Specifically, the
independent contractor conducted its assessment from March 2005 to January
2006, and evaluated whether the testing contractor met the requirements of
the testing contract. The independent contractor issued its final report
on January 25, 2006.

^5TSA was transferred from the Department of Transportation to the
Department of Homeland Security pursuant to requirements in the Homeland
Security Act of 2002 (Pub. L. No. 107-296, 116 Stat. 2135 (2002).

^6Pub. L. No. 107-295, 116 Stat. 2064 (2002).

Since its creation, the TWIC program has received about $103 million in
funding for program development. (See table 1.)

Table 1: TWIC Program Funding from Fiscal Years 2002 to 2007 (Dollars in
millions)

Fiscal Year Appropriated Reprogramming Adjustments Total funding 
2002                   0             0           0             0 
2003                $5.0             0         $20         $25.0 
2004               $49.7             0           0         $49.7 
2005                $5.0             0           0          $5.0 
2006                   0         $15.0           0         $15.0 
2007                   0          $4.0        $4.7         $8.7* 
Total              $59.7         $19.0       $24.7        $103.4 

Source: TSA.

*According to TSA, the agency has paid the enrollment contractor about $8
million since January 2007. The remainder of the $70 million enrollment
contract will be paid in the future through user fees collected from
workers that enroll in the TWIC program.

Note: According to TSA, the agency received authority from both the House
and Senate Appropriations Committees to reallocate $20 million in
unassigned carryover funding to the TWIC program in Fiscal Year 2008.
TSA's fiscal year 2008 congressional justification includes $26.5 million
in authority to collect fees from transportation workers for TWIC cards.

Key Components of the TWIC Program

The TWIC program is designed to enhance security using several key
components. These include:

           o Enrollment: Transportation workers will be enrolled in the TWIC
           program at enrollment centers by providing personal information,
           such as a social security number and address, and will be
           photographed and fingerprinted. For those workers who are unable
           to provide quality fingerprints, TSA is to collect an alternate
           authentication identifier.

           o Background checks: TSA will conduct background checks on each
           worker to ensure that individuals do not pose a security threat.
           These will include several components. First, TSA will conduct a
           security threat assessment that may include, for example, checks
           of terrorism databases or watch lists, such as TSA's No-fly and
           selectee lists. Second, a Federal Bureau of Investigation criminal
           history records check will be conducted to identify if the worker
           has any disqualifying criminal offenses. Third, workers'
           immigration status and mental capacity will be checked. Workers
           will have the opportunity to appeal the results of the threat
           assessment or request a waiver in certain limited circumstances.

           o TWIC card production: After TSA determines that a worker has
           passed the background check, the worker's information is provided
           to a federal card production facility where the TWIC card will be
           personalized for the worker, manufactured, and then sent back to
           the enrollment center.

           o Card issuance: Transportation workers will be informed when
           their cards are ready to be picked up at enrollment centers. Once
           a card has been issued, workers will present their TWIC cards to
           security officials when they seek to enter a secure area, and in
           the future will enter secure areas through biometric card readers.

TSA Has Made Progress Since September 2006 in Implementing the TWIC Program and
Addressing GAO Recommendations

Since we reported on the TWIC program in September 2006, TSA has made
progress in implementing the program. Although we have not yet
independently assessed the effectiveness of these efforts, TSA has taken
actions to address legislative requirements to implement and test the
program and our recommendations regarding conducting additional systems
testing to ensure that TWIC technologies work effectively, strengthening
contractor oversight, and improving communication and coordination efforts
with maritime stakeholders. In January 2007, TSA and the Coast Guard
issued a TWIC rule that sets forth the requirements for enrolling workers
and issuing TWIC cards to workers in the maritime sector, and awarded a
$70 million contract for enrolling workers in the TWIC program. TSA missed
the July 1, 2007, SAFE Port Act deadline to implement the TWIC program at
the 10 highest risk ports, citing the need to conduct additional tests to
ensure that the enrollment and card issuance systems work effectively.
However, TSA recently announced that this testing is complete, and began
enrolling and issuing TWIC cards to workers at the port of Wilmington,
Delaware on October 16, 2007. TSA also plans to begin enrolling workers at
11 additional ports by November 2007. In addition, TSA has also begun
planning a pilot program to test TWIC access control technologies in the
maritime environment as required by the SAFE Port Act.

TSA Issued a TWIC Rule and Awarded a Contract to Begin Enrolling Workers and
Issuing TWIC Cards

On January 25, 2007, TSA and the Coast Guard issued a rule that sets forth
the regulatory requirements for enrolling workers and issuing TWIC cards
to workers in the maritime sector. Specifically, the TWIC rule provides
that workers and merchant mariners requiring unescorted access to secure
areas of maritime facilities and vessels must enroll in the TWIC program,
undergo a background check, and obtain a TWIC card before such access is
granted. In addition, the rule requires owners and operators of maritime
facilities and vessels to change their existing access control procedures
to ensure that merchant mariners and any other individual seeking
unescorted access to a secure area of a facility or vessel has a TWIC.
Table 2 describes the specific requirements in the TWIC rule.

Table 2: Requirements in the TWIC Rule

Requirement               Description of requirement                       
Transportation workers    Individuals who require unescorted access to     
                             secure areas of maritime facilities and vessels, 
                             and all merchant mariners, must obtain a TWIC    
                             card before such access is granted.              
Fees                      All workers applying for a TWIC card will pay a  
                             fee of $132.50 to cover the costs associated     
                             with the TWIC program. Workers that have already 
                             undergone a federal threat assessment comparable 
                             to the one required to obtain a TWIC will pay a  
                             reduced fee of $105.25. The replacement fee for  
                             a TWIC card will be $60.                         
Access to secure areas of By no later than September 25, 2008, facilities  
maritime facilities and   and vessels currently regulated by the Maritime  
vessels                   Transportation Security Act must change their    
                             current access control procedures to ensure that 
                             any individual or merchant mariner seeking       
                             unescorted access to a secure area has a TWIC    
                             card.                                            
Newly hired workers and   Newly hired workers, who have applied for, but   
escorting procedures      have not received their TWIC card, will be       
                             allowed access to secure areas for 30 days as    
                             long as they meet specified criteria, such as    
                             passing a TSA name-based background check, and   
                             only while accompanied by another employee with  
                             a TWIC card. Individuals that need to enter a    
                             secure area but do not have a TWIC card must be  
                             escorted at all times by individuals with a TWIC 
                             card.                                            
Background checks         All workers applying for a TWIC card must        
                             provide certain personal information and         
                             fingerprints to TSA so that they can conduct a   
                             security threat assessment, which includes a     
                             Federal Bureau of Investigation                  
                             fingerprint-based criminal history records       
                             check, and an immigration status check. In order 
                             to receive a TWIC card, workers must not have    
                             been incarcerated or convicted of certain crimes 
                             within prescribed time periods, must have legal  
                             presence or authorization to work in the United  
                             States, must have no known connection to         
                             terrorist activity, and cannot have been found   
                             as lacking mental capacity or have been          
                             committed to a mental health facility.           
Appeals and waiver        All TWIC applicants will have the opportunity to 
process                   appeal a background check disqualification       
                             through TSA, or apply to TSA for a waiver,       
                             either during the application process or after   
                             being disqualified for certain crimes, mental    
                             incapacity, or if they are aliens in Temporary   
                             Protected Status. Applicants who apply for a     
                             waiver and are denied a TWIC card by TSA, or     
                             applicants who are disqualified based on         
                             connections to terrorism, may seek review by a   
                             Coast Guard administrative law judge.            
Access control systems    The Coast Guard will conduct unannounced checks  
                             to confirm the identity of TWIC card holders     
                             using hand-held biometric card readers to check  
                             the biometric on the TWIC card against the       
                             person presenting the card. In addition,         
                             security personnel will conduct visual           
                             inspections of the TWIC cards and look for signs 
                             of tampering or forgery when a worker enters a   
                             secure area.                                     

Source: GAO analysis of TWIC rule and TSA information.

The TWIC rule does not include requirements for owners and operators of
maritime facilities and vessels to purchase and install TWIC access
control technologies, such as biometric TWIC card readers. As a result,
the TWIC card will initially serve as a visual identity badge until TSA
requires that access control technologies be installed to verify the
credentials when a worker enters a secure area. According to TSA, during
the program's initial implementation, workers will present their TWIC
cards to authorized security personnel, who will compare the cardholder to
his or her photo and inspect the card for signs of tampering. In addition,
the Coast Guard will verify TWIC cards when conducting vessel and facility
inspections and during spot checks using hand-held biometric card readers
to ensure that credentials are valid. According to TSA, the requirements
for TWIC access control technologies will be set forth in a second
proposed rule to be issued during 2008, at which time TSA will solicit
public comments and hold public meetings.

Following the issuance of the TWIC rule in January 2007, TSA awarded a $70
million contract to a private company to enroll the estimated 770,000
workers required to obtain a TWIC card. According to TSA officials, the
contract costs include $14 million for the operations and maintenance of
the TWIC identity management system that contains information on workers
enrolled in the TWIC program, $53 million for the cost of enrolling
workers, and $3 million designated to award the enrollment contractor in
the event of excellent performance.

TSA Attributes Missed Deadlines to the Need for Additional Testing and Has Begun
Planning a Pilot Program to Test TWIC Access Control Technologies

TSA did not meet the July 1, 2007 deadline in the SAFE Port Act to
implement the TWIC program at the 10 highest risk ports. According to TSA
officials, the deadline was not met because the agency and the TWIC
enrollment contractor needed to conduct additional tests of the software
and equipment that will be used to enroll and issue cards to workers to
ensure that they work effectively before implementation. In our September
2006 report, we recommended that TSA conduct testing to ensure that the
TWIC program will be capable of efficiently enrolling and issuing TWIC
cards to large number of workers before proceeding with implementation.
TSA officials stated that such testing was needed to ensure that these
systems will work effectively when implemented and will be able to handle
the capacity of enrolling as many as 5,000 workers per day, conducting
background checks on these workers in a timely manner, and efficiently
producing TWIC cards for each worker. In October 2007, TSA announced that
this testing was complete and began enrolling and issuing TWIC cards to
workers at the Port of Wilmington, Delaware on October 16, 2007. TSA also
plans to begin implementing TWIC at 11 additional ports by November 2007.
In addition, TSA and Port of Wilmington officials stated that the
enrollment contractor has already successfully enrolled and issued TWIC
cards to those individuals that will be responsible for enrolling port
workers as well as certain federal employees, such as TSA and Coast Guard
officials.

TSA has also begun planning a pilot to test TWIC access control
technologies, such as biometric card readers, in the maritime environment
as required by the SAFE Port Act. According to TSA, the agency is
partnering with the Port Authorities of Los Angeles, Long Beach,
Brownsville, and New York and New Jersey, in addition to Watermark Cruises
in Annapolis, Maryland, to test the TWIC access control technologies in
the maritime environment and is still seeking additional participants.
TSA's objective is to include pilot test participants that are
representative of a variety of facilities and vessels in different
geographic locations and environmental conditions. TSA officials stated
that pilot participants will be responsible for paying for the costs of
the pilot and will likely use federal port security grant funds for this
purpose. According to TSA officials, the agency plans to begin the pilot
in conjunction with the issuance of TWIC cards so the access control
technologies can be tested with the cards that are issued to workers. In
addition, in September 2007, TSA published the TWIC card reader
specifications, which outline the requirements for biometric TWIC card
readers that will be used by maritime locations participating in pilot
testing. These specifications will enable these maritime locations to
begin purchasing and installing card readers in preparation for testing.
TSA officials stated that the results of the pilot program will help the
agency issue future regulations that will require the installation of
access control systems necessary to read the TWIC cards.

TSA Has Taken Steps to Strengthen Contract Planning and Oversight and Better
Coordinate with Maritime Industry Stakeholders

Since we issued our report in September 2006, TSA has taken several steps
designed to strengthen contract planning and oversight, although we have
not yet independently assessed the effectiveness of these efforts. We
previously reported in September 2006 that TSA experienced problems in
planning for and overseeing the contract to test the TWIC program, which
contributed to a doubling of TWIC testing contract costs and a failure to
test all key components of the TWIC program. We recommended that TSA
strengthen contract planning and oversight before awarding a contract to
implement the TWIC program. TSA acknowledged these problems and has taken
steps to address our recommendations. Specifically, TSA has taken the
following steps designed to strengthen contract planning and oversight:

           o Added staff with expertise in technology, acquisitions, and
           contract and program management to the TWIC program office.
           o Established a TWIC program control office to help oversee
           contract deliverables and performance.
           o Established monthly performance management reviews and periodic
           site visits to TWIC enrollment centers to verify performance data
           reported by the contractor.
           o Required the enrollment contactor to survey customer
           satisfaction as part of contract performance.

In addition to these steps, TSA established a TWIC quality assurance
surveillance plan that is designed to allow TSA to track the enrollment
contractor's performance in comparison to acceptable quality levels. This
plan is designed to provide financial incentives for exceeding these
quality levels and disincentives, or penalties, if they are not met.
According to the plan, the contractor's performance will be measured
against established milestones and performance metrics that the contractor
must meet for customer satisfaction, enrollment time, number of failures
to enroll, and TWIC help desk response times, among others. TSA plans to
monitor the contractor's performance through monthly performance reviews
and by verifying information on performance metrics provided by the
contractor. In addition, TSA officials stated that they have hired an
independent contractor to help provide oversight of the enrollment
contract and ensure that the enrollment contractor fulfills contract
requirements and achieves established performance metrics.

In addition to contract planning and oversight, TSA has also taken steps
to address our previous recommendations regarding improving communication
and coordination with maritime stakeholders. We previously reported that
stakeholders at all 15 TWIC testing locations that we visited cited poor
communication and coordination by TSA during testing of the TWIC program.
For example, according to stakeholders, TSA never provided the final
results or report on TWIC testing to stakeholders that participated in the
test. Some stakeholders also stated that communication from TSA would stop
for months at a time during testing. We recommended that TSA closely
coordinate with maritime industry stakeholders and establish a
communication and coordination plan to capture and address the concerns of
stakeholders during implementation. TSA acknowledged that the agency could
have better communicated with stakeholders at TWIC testing locations and
has reported taking several steps to strengthen communication and
coordination since September 2006. For example, TSA officials told us that
the agency developed a TWIC communication strategy and plan that describes
how the agency will communicate with the owners and operators of maritime
facilities and vessels, TWIC applicants, unions, industry associations,
Coast Guard Captains of the Port, and other interested parties. In
addition, TSA required that the enrollment contractor establish a plan for
communicating with stakeholders.

TSA, the Coast Guard, and the enrollment contractor have taken additional
steps designed to ensure needed coordination and communication with the
maritime industry. These steps include

           o posting frequently asked questions on the TSA and Coast Guard
           Web-sites;
           o participating in maritime stakeholder conferences and briefings.
           o working with Coast Guard Captains of the Ports and the National
           Maritime Security Advisory Committee to communicate with local
           stakeholders;
           o conducting outreach with maritime facility operators and port
           authorities, including informational bulletins and fliers; and
           o creating a TWIC stakeholder communication committee chaired by
           TSA, the Coast Guard, and enrollment contractor, with members from
           15 maritime industry stakeholder groups. According to TSA, this
           committee will meet twice per month during the TWIC
           implementation.

Stakeholders from the Ports of Wilmington, Delaware; Los Angeles,
California; and the Maritime Exchange of the Delaware River and Bay with
whom we spoke in October 2007 stated that TSA and its enrollment
contractor have placed a greater emphasis on communicating and
coordinating with stakeholders and on correcting past problems. For
example, an official from the Port of Wilmington stated that, thus far,
communication, coordination, and outreach by TSA and its enrollment
contractor have been excellent, and far better than during TWIC testing.
In addition, TSA reported that the TWIC enrollment contactor has hired a
separate subcontractor to conduct a public outreach campaign to inform and
educate the maritime industry and individuals that will be required to
obtain a TWIC card about the program. Port of Wilmington officials stated
that the subcontractor is developing a list of trucking companies that
deliver to the port so that information on the TWIC enrollment
requirements can be mailed to truck drivers.

TSA and Industry Stakeholders Will Need to Address Challenges to Ensure the TWIC
Program Is Implemented Successfully

As we reported in September 2006 and April 2007, TSA and maritime industry
stakeholders will need to address several challenges to help ensure that
the TWIC program will be implemented successfully. As we reported in
September 2006, TSA and its enrollment contractor must transition from
testing of the TWIC program to successful implementation of the program on
a much larger scale covering 770,000 workers at about 3,200 maritime
facilities and 5,300 vessels. While TSA and the enrollment contractor
report conducting performance testing of the TWIC enrollment and card
issuance systems, it remains to be seen how these systems will perform as
TSA begins enrolling large numbers of workers at ports nationwide. In
addition, maritime stakeholders with whom we spoke in September and
October 2007 identified the need for TSA and its enrollment contractor to
educate workers on the new TWIC requirements, ensure that the contractor
conducts enrollments in a timely manner, and process numerous background
checks, appeals, and waiver applications. Furthermore, TSA and industry
stakeholders will need to ensure that TWIC access control technologies
work effectively in the maritime environment, will be compatible with TWIC
cards that will be issued soon, and balance security requirements while
facilitating maritime commerce. As a result, it will be important that
TSA's TWIC access control technology pilot comprehensively test the TWIC
program in an operational environment to ensure that it works effectively
with the least negative impact on maritime commerce.

TSA and Its Contractor Will Have to Enroll and Issue TWIC Cards to Large
Populations of Workers at Numerous Port Facilities and Vessels

In September 2006, we reported that TSA faced the challenge of enrolling
and issuing TWIC cards to a significantly larger population of workers in
a timely manner than was done during testing of the TWIC program. In
testing the TWIC program, TSA enrolled and issued TWIC cards to only about
1,700 workers at 19 facilities, well short of its goal of 75,000.
According to TSA and the testing contractor, the lack of volunteers to
enroll in the TWIC program testing and technical difficulties in enrolling
workers, such as difficulty in obtaining workers' fingerprints to conduct
background checks, led to fewer enrollments than expected. TSA reports
that it used the testing experience to make improvements to the enrollment
and card issuance process and has taken steps to address the challenges
that we previously identified. For example, TSA officials stated that the
agency will use a faster and easier method of collecting fingerprints than
was used during testing, and will enroll workers individually during
implementation, as opposed to enrolling in large groups as was done during
testing. In addition, the TWIC enrollment contract Statement of Work
required the contractor to develop an enrollment test and evaluation
program to ensure that enrollment systems function as required under the
contract. As previously stated, TSA officials reported that the enrollment
contractor and the agency have conducted performance testing of the TWIC
enrollment systems to ensure that they work effectively and are able to
handle the full capacity of enrollments during implementation. In
September 2006, we also reported that TSA will need to ensure that workers
are not providing false information and counterfeit identification
documents when they enroll in the TWIC program. According to TSA, the TWIC
enrollment process to be used during implementation will use document
scanning and verification software to help determine if identification
documents are fraudulent, and personnel responsible for enrolling workers
will be trained to identify fraudulent documents.

In March and April 2007, and again in October 2007, we spoke with some
maritime stakeholders that participated in TWIC testing and that will be
involved in the initial implementation of the program to discuss their
views on the enrollment and issuance of TWIC cards to workers. These
stakeholders expressed concerns related to the following issues:

Educating workers: TSA and its enrollment contractor will need to identify
all workers that are required to obtain a TWIC card, educate them about
how to enroll and receive a TWIC card, and ensure that they enroll and
receive a TWIC card by the deadlines to be established by TSA and the
Coast Guard. For example, while longshoremen who work at a port every day
may be aware of the new TWIC requirements, truck divers that deliver to
the port may be located in different states or countries, and may not be
aware of the requirements.

Timely enrollments: Maritime stakeholders expressed concern about the
ability of the enrollment contactor to enroll workers at his port in a
timely manner. For example, at this port, the enrollment contactor has not
yet begun to lease space to install enrollment centers--which at this port
could be a difficult and time-consuming task due to the shortage of space.
Stakeholders with whom we spoke also suggested that until TSA establishes
a deadline for when TWIC cards will be required at ports, workers will
likely procrastinate in enrolling, which could make it difficult for the
contractor to enroll large populations of workers in a timely manner.

Background checks: Some maritime organizations are concerned that many of
their workers will be disqualified from receiving a TWIC card by the
background check. These stakeholders emphasized the importance of TSA
establishing a process to ensure timely appeals and waivers processes for
the potentially large population of workers that do not pass the check.
According to TSA, the agency has already established processes for
conducting background checks, appeals, and waivers for other background
checks of transportation workers. In addition, TSA officials stated that
the agency has established agreements with the Coast Guard to use their
administrative law judges for appeal and waiver cases, and plans to use
these processes for the TWIC background check.

TSA and Industry Stakeholders Must Ensure That TWIC Access Control Technologies
Work Effectively and Balance Security with the Flow of Maritime Commerce

In our September 2006 report, we noted that TSA and maritime industry
stakeholders faced significant challenges in ensuring that TWIC access
control technologies, such as biometric card readers, work effectively in
the maritime sector. Few facilities that participated in TWIC testing used
biometric card readers that will be required to read the TWIC cards in the
future. As a result, TSA obtained limited information on the operational
effectiveness of biometric card readers, particularly when individuals use
these readers outdoors in the harsh maritime environment, where they can
be affected by dirt, salt, wind, and rain. In addition, TSA did not test
the use of biometric card readers on vessels, although they will be
required on vessels in the future. Also, industry stakeholders with whom
we spoke were concerned about the costs of implementing and operating TWIC
access control systems, linking card readers to their local access control
systems, obtaining information from TSA on workers who may pose a threat
to security, how biometric card readers would be implemented and used on
vessels, and how these vessels would obtain information on workers that
may post a threat. For example, in October 2007, we spoke with maritime
industry officials from the Port of Wilmington and the Maritime Exchange
of the Delaware River and Bay regarding the process for obtaining
information from TSA on workers that may pose a threat to security. TSA
plans to provide a secure Web site, whereby port officials can log in and
obtain the most recent list of workers enrolled in the TWIC program that
have been subsequently identified as a threat to security. Maritime
industry officials stated that it was not clear how often they will have
to access this Web site and whether the list provided by TSA could be
efficiently compared to workers with access to secure areas of the port
facility or vessel to ensure that none of these workers are granted access
to secure areas. Instead, port officials will have to manually compare the
list of workers to those at the port or provide the list to security
guards to check each worker as they enter secure areas of the port
facility or vessel--a labor intensive and potentially costly process.
Maritime officials stated that TSA should clarify these requirements and
develop a process to allow port facilities and vessels to regularly update
their access control systems, in an automated fashion, with lists of
workers that may pose a threat in the second rule pertaining to TWIC
access control technologies.

Because of comments regarding TWIC access control technologies that TSA
received from maritime industry stakeholders on the TWIC proposed rule,
TSA decided to exclude all access control requirements from the TWIC rule
issued in January 2007. Instead, TSA plans to issue a second proposed rule
pertaining to access control requirements some time during 2008, which
should allow more time for maritime stakeholders to comment on the
technology requirements and TSA to address these comments.

In September 2006, we reported that TSA and industry stakeholders will
need to consider the security benefits of the TWIC program and the impact
the program could have on maritime commerce. If implemented effectively,
the security benefits of the TWIC program in preventing a terrorist attack
could save lives and avoid a costly disruption in maritime commerce.
Alternatively, if key components of the TWIC program, such as biometric
card readers, do not work effectively, they could slow the daily flow of
commerce. For example, if workers or truck drivers have problems with
their fingerprint verifications on biometric card readers, they could
create long queues delaying other workers or trucks waiting in line to
enter secure areas. Such delays could be very costly in terms of time and
money to maritime facilities. Some stakeholders we spoke to also expressed
concern with applying TWIC access control requirements to small facilities
and vessels. For example, smaller vessels could have crews of less than 10
persons, and checking TWIC cards each time a person enters a secure area
may not be necessary. TSA acknowledged the potential impact that the TWIC
program could have on the flow of commerce, and stated that it plans to
obtain additional public comments on this issue from industry stakeholders
in the second rulemaking on access control technologies.

In our September 2006 report, we recommended that TSA conduct additional
testing to ensure that TWIC access control technologies work effectively
and that the TWIC program balances the security benefits of the program
with the impact that it could have on the flow of maritime commerce. As
required by the SAFE Port act, TSA plans to conduct a pilot program to
test TWIC access control technologies in the maritime environment.
According to TSA, the pilot will test the performance of biometric card
readers at various maritime facilities and on vessels, as well as the
impact that these access control systems have on facilities and vessel
business operations. TSA plans to use the results of this pilot to develop
the requirements and procedures for implementing and using TWIC access
control technologies in the second rulemaking. The SAFE Port Act requires
TSA to issue a final rule containing the requirements for installing and
using TWIC access control technologies no later than two years after the
initiation of the pilot.

Concluding Observations

Preventing unauthorized persons from entering secure areas of the nation's
ports and other transportation facilities is a key component of securing
the homeland. The TWIC program was initiated in December 2001 to mitigate
the threat of terrorists accessing secure areas. Since we reported on this
program in September 2006, TSA has made progress towards implementing the
program, including issuing a TWIC rule, taking steps to implement
requirements of the SAFE Port Act, awarding a contract to enroll workers
in the program, and beginning to enroll workers in the TWIC program. TSA
has also taken actions to address legislative requirements to implement
and test the program and our previous recommendations to improve the TWIC
program regarding conducting additional testing, strengthening contractor
oversight, and improving communication and coordination with maritime
stakeholders. While the additional testing that TSA reports conducting and
the actions it has taken should help address the problems that we have
previously identified, the effectiveness of these efforts will not be
clear until the program further matures. In addition, TSA and its
contractor must enroll about 770,000 persons at about 3,200 facilities in
the TWIC program. As a result, it is important that TSA and the enrollment
contractor effectively communicate and coordinate to help ensure that all
individuals and organizations affected by the TWIC program are aware of
their responsibilities. Finally, it will be critical that TSA ensures that
the TWIC access control technology pilot fully tests the TWIC program in
an operational maritime environment and the results be used to help ensure
a successful implementation of these technologies in the future.

Mr. Chairman, this concludes my statement. I would be pleased to answer
any questions that you or other members of the committee may have at this
time.

Contact Information

For further information on this testimony, please contact Cathleen A.
Berrick at (202) 512- 3404 or at [email protected]. Individuals making key
contributions to this testimony include John Hansen, Chris Currie, and
Geoff Hamilton.

(440666)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

To view the full product, including the scope
and methodology, click on [30]GAO-08-133T .

For more information, contact Cathleen A. Berrick, (202) 512-3404 or
[email protected].

Highlights of [31]GAO-08-133T , a testimony to the Committee on Homeland
Security, House of Representatives

October 31, 2007

TRANSPORTATION SECURITY

TSA Has Made Progress in Implementing the Transportation Worker
Identification Credential Program, but Challenges Remain

The Transportation Security Administration (TSA) is developing the
Transportation Worker Identification Credential (TWIC) to help ensure that
only workers who are not known to pose a terrorist threat are allowed to
enter secure areas of the nation's transportation facilities. This
testimony is based primarily on GAO's September 2006 report on the TWIC
program, and interviews with TSA and maritime industry officials conducted
in September and October 2007 to obtain updates on the TWIC program.
Specifically, this testimony addresses (1) the progress TSA has made since
September 2006 in implementing the TWIC program and addressing GAO
recommendations; and (2) some of the remaining challenges that TSA and the
maritime industry must overcome to ensure the successful implementation of
the program.

[32]What GAO Recommends

GAO has previously recommended that TSA develop a comprehensive plan for
managing the TWIC program, conduct additional testing of the TWIC program
to help ensure that all key components work effectively, strengthen
contract planning and oversight practices, and develop a plan for
communicating and coordinating with stakeholders. TSA agreed with these
recommendations and has initiated actions to address them.

Since GAO reported on TWIC in September 2006, TSA has made progress in
implementing the program. Although GAO has not yet independently assessed
the effectiveness of these efforts, TSA has taken actions to address
legislative requirements to implement and test the program as well as
address GAO's recommendations related to conducting additional systems
testing, strengthening contractor oversight, and improving coordination
with stakeholders. Specifically, TSA has

           o issued a rule in January 2007 that sets forth the requirements
           for enrolling maritime workers in the TWIC program and issuing
           cards to these workers, and awarded a $70 million dollar contract
           to begin enrolling workers;
           o reported conducting performance testing of the technologies that
           will be used to enroll workers in the TWIC program to ensure that
           they work effectively before implementation;
           o begun planning a pilot program to test TWIC access control
           technologies at 5 maritime locations in accordance with the
           Security and Accountability for Every Port Act;
           o begun enrolling workers and issuing TWIC cards at the port of
           Wilmington, Delaware on October 16, 2007, and plans to do so at 11
           additional ports by November 2007;
           o added additional staff with program and contract management
           expertise to help oversee the TWIC enrollment contract; and
           o stated that they have taken actions to improve communication and
           coordination with maritime stakeholders.

As TSA moves forward with TWIC, it and maritime industry stakeholders will
be faced with addressing the following key challenges that can affect the
programs' successful implementation.

           o TSA and its contractor will need to transition from testing of
           the TWIC program to successful implementation of the program on a
           larger scale covering 770,000 workers at about 3,200 maritime
           facilities and 5,300 vessels.
           o TSA and its contractor will need to educate workers on new TWIC
           requirements, ensure that enrollments begin in a timely manner,
           and efficiently process background checks, appeals, and waivers.
           o TSA and industry stakeholders will need to ensure that TWIC
           access control technologies work effectively in the maritime
           environment, and balance new security requirements while
           facilitating maritime commerce.

GAO's Mission

The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( [33]www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
[34]www.gao.gov and select "E-mail Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
DC 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: [35]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [36][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [37][email protected] , (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, [38][email protected] , (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
DC 20548

References

Visible links
  27. http://www.gao.gov/cgi-bin/getrpt?GAO-05-106
  28. http://www.gao.gov/cgi-bin/getrpt?GAO-06-982
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-07-681T
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-08-133T
  31. http://www.gao.gov/cgi-bin/getrpt?GAO-08-133T
  33. http://www.gao.gov/
  34. http://www.gao.gov/
  35. http://www.gao.gov/fraudnet/fraudnet.htm
  36. mailto:[email protected]
  37. mailto:[email protected]
  38. mailto:[email protected]
*** End of document. ***