Transportation Security: Efforts to Strengthen Aviation and	 
Surface Transportation Security are Under Way, but Challenges	 
Remain (16-OCT-07, GAO-08-140T).				 
                                                                 
Within the Department of Homeland Security (DHS), the		 
Transportation Security Administration's (TSA) mission is to	 
protect the nation's transportation network. Since its inception 
in 2001, TSA has developed and implemented a variety of programs 
and procedures to secure commercial aviation and surface modes of
transportation, including passenger and freight rail, mass	 
transit, highways, commercial vehicles, and pipelines. Other DHS 
components, federal agencies, state and local governments, and	 
the private sector also play a role in transportation security.  
GAO examined (1) the progress DHS and TSA have made in securing  
the nation's aviation and surface transportation systems, and (2)
challenges that have impeded the department's efforts to	 
implement its mission and management functions. This testimony is
based on issued GAO reports and testimonies addressing the	 
security of the nation's aviation and surface transportation	 
systems, including a recently issued report (GAO-07-454) that	 
highlights the progress DHS has made in implementing its mission 
and management functions.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-140T					        
    ACCNO:   A77369						        
  TITLE:     Transportation Security: Efforts to Strengthen Aviation  
and Surface Transportation Security are Under Way, but Challenges
Remain								 
     DATE:   10/16/2007 
  SUBJECT:   Air transportation 				 
	     Aviation security					 
	     Biometric identification				 
	     Checked baggage screening				 
	     Commercial aviation				 
	     Ground transportation				 
	     Homeland security					 
	     Passenger screening				 
	     Performance measures				 
	     Program evaluation 				 
	     Risk assessment					 
	     Risk management					 
	     Terrorism						 
	     Transportation policies				 
	     Transportation safety				 
	     Transportation security				 
	     Program implementation				 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-140T

   

     * [1]Summary
     * [2]Background

          * [3]DHS Has Made Progress in Securing the Nation's Aviation and
          * [4]Aviation Security
          * [5]Surface Transportation Security

     * [6]Cross-cutting Issues Have Hindered DHS's Efforts in Implemen
     * [7]Concluding Observations
     * [8]GAO Contact and Staff Acknowledgments
     * [9]GAO's Mission
     * [10]Obtaining Copies of GAO Reports and Testimony

          * [11]Order by Mail or Phone

     * [12]To Report Fraud, Waste, and Abuse in Federal Programs
     * [13]Congressional Relations
     * [14]Public Affairs

Testimonybefore the Committee on Commerce, Science, and Transportation, U.
S. Senate

United States Government Accountability Office

GAO

For Release on Delivery
Expected at 10:00 a.m. EDT
Tuesday, October 16, 2007

TRANSPORTATION SECURITY

Efforts to Strengthen Aviation and Surface Transportation Security are
Under Way, but Challenges Remain

Statement of Cathleen A. Berrick, Director
Homeland Security and Justice Issues

GAO-08-140T

Mr. Chairman and Members of the Committee:

I appreciate the opportunity to participate in today's hearing to discuss
the Department of Homeland Security's (DHS) progress and challenges in
securing our nation's transportation systems. The Transportation Security
Administration (TSA), originally established as an agency within the
Department of Transportation in 2001 but now a component within DHS, is
charged with securing the transportation network while also ensuring the
free movement of people and commerce. TSA has primary responsibility for
security in all modes of transportation and since its inception has
developed and implemented a variety of programs and procedures to secure
commercial aviation and surface modes of transportation, including
passenger and freight rail, mass transit, highways, commercial vehicles,
and pipelines. Other DHS components, federal agencies, state and local
governments, and the private sector also play a role in transportation
security. For example, with respect to commercial aviation, the U.S.
Customs and Border Protection (CBP) has responsibility for conducting
passenger prescreening-- in general, the matching of passenger information
against terrorist watch lists prior an aircraft's departure --for
international flights operating to or from the United States, as well as
inspecting inbound air cargo upon its arrival in the United States. In
addition, responsibility for securing rail and other surface modes of
transportation is shared among federal, state, and local governments and
the private sector.

My testimony today will focus on: 1) the progress TSA, and other DHS
components have made in securing the nation's aviation and surface
transportation systems, and 2) challenges which have impeded DHS's (and,
as they relate to transportation security, TSA) efforts to implement its
mission and management functions. My comments are based on issued GAO
reports and testimonies addressing the security of the nation's aviation
and surface transportation systems, including an August 2007 report that
highlights the progress DHS has made in implementing its mission and
management functions.^1 In this report, we reviewed the extent to which
DHS has taken actions to achieve performance expectations in each of its
mission and management areas that we identified from legislation, Homeland
Security Presidential Directives, and DHS strategic planning documents. 
Based primarily on our past work, we made a determination regarding
whether DHS generally achieved or generally did not achieve the key
elements of each performance expectation. An assessment of "generally
achieved" indicates that DHS has taken sufficient actions to satisfy most
elements of the expectation; however, an assessment of "generally
achieved" does not signify that no further action is required of DHS or
that functions covered by the expectation cannot be further improved or
enhanced. Conversely, an assessment of "generally not achieved" indicates
that DHS has not yet taken actions to satisfy most elements of the
performance expectation. In determining the department's overall level of
progress in achieving performance expectations in each of its mission and
management areas, we concluded whether the department had made limited,
modest, moderate, or substantial progress.^2 These assessments of progress
do not reflect, nor are they intended to reflect, the extent to which
actions by DHS and its components have made the nation more secure. We
conducted our work in accordance with generally accepted government
auditing standards.

^1 GAO, Department of Homeland Security: Progress Report on Implementation
of Mission and Management Functions, [15]GAO-07-454 (Washington, D.C.:
August 2007); GAO, Department of Homeland Security: Progress Report on
Implementation of Mission and Management Functions, [16]GAO-07-1081T
(Washington, D.C.: September 2007); and GAO, Department of Homeland
Security: Progress Report on Implementation of Mission and Management
Functions, [17]GAO-07-1240T (Washington, D.C.: September 2007).

Summary

Within DHS, TSA is the agency with primary responsibility for securing the
transportation sector and has undertaken a number of initiatives to
strengthen the security of the nation's commercial aviation and surface
transportation systems. In large part, these efforts have been driven by
legislative mandates designed to strengthen the security of commercial
aviation following the September 11, 2001, terrorist attacks. In August
2007, we reported that DHS had made moderate progress in securing the
aviation and surface transportation networks, but that more work
remains.^3 Specifically, of the 24 performance expectations we identified
for DHS in the area of aviation security, we reported that it has
generally achieved 17 of these expectations and has generally not achieved
7 expectations. With regard to the security of surface modes of
transportation, we reported that DHS generally achieved three performance
expectations and has generally not achieved two others.

^2 Limited progress: DHS has taken actions to generally achieve 25 percent
or less of the identified performance expectations. Modest progress: DHS
has taken actions to generally achieve more than 25 percent but 50 percent
or less of the identified performance expectations. Moderate progress: DHS
has taken actions to generally achieve more than 50 percent but 75 percent
or less of the identified performance expectations. Substantial progress:
DHS has taken actions to generally achieve more than 75 percent of the
identified performance expectations.

^3 [18]GAO-07-454 .

DHS, primarily through TSA, has made progress in many areas related to
securing commercial aviation and surface modes of transportation, and
their efforts should be commended. Meeting statutory mandates to screen
airline passengers and 100 percent of checked baggage alone was a
tremendous challenge. To do this, TSA initially hired and deployed a
federal workforce of over 50,000 passenger and checked baggage screeners,
and installed equipment at the nation's more than 400 commercial airports
to provide the capability to screen all checked baggage using explosive
detection systems, as mandated by law. TSA has since turned its attention
to, among other things, strengthening passenger prescreening--in general,
the matching of passenger information against terrorist watch lists prior
to an aircraft's departure; more efficiently allocating, deploying, and
managing the transportation security officer (TSO)--formerly known as
screener--workforce; strengthening screening procedures; developing and
deploying more effective and efficient screening technologies; and
improving domestic air cargo security. In addition to TSA, CBP has also
taken steps to strengthen passenger prescreening for passengers on
international flights operating to or from the United States, as well as
inspecting inbound air cargo upon its arrival in the United States. DHS's
Science and Technology (S&T) Directorate has also taken actions to
research and develop aviation security technologies. With regard to
surface transportation modes, TSA has taken steps to develop a strategic
approach for securing mass transit, passenger and freight rail, commercial
vehicles, highways, and pipelines; establish security standards for
certain transportation modes; and conduct threat, criticality, and
vulnerability assessments of surface transportation assets, particularly
passenger and freight rail. TSA also hired and deployed compliance
inspectors and conducted inspections of passenger and freight rail
systems. DHS also developed and administered grant programs for various
surface transportation modes.

While these efforts have helped to strengthen the security of the
transportation network, DHS still faces a number of key challenges that
need to be addressed to meet expectations set out for them by Congress,
the Administration, and the Department itself. For example, regarding
commercial aviation, TSA has faced challenges in developing and
implementing its passenger prescreening system, known as Secure Flight,
and has not yet completed development efforts. As planned, this program
would initially assume from air carriers the responsibility for matching
information on airline passengers traveling domestically against
terrorists watch lists. In addition, while TSA has taken actions to
enhance perimeter security at airports, these actions may not be
sufficient to provide for effective security. TSA has also begun efforts
to evaluate the effectiveness of security-related technologies, such as
biometric identification systems. However, TSA has not developed a plan
for implementing such new technologies to meet the security needs of
individual airports and the commercial airport system as a whole. Further,
TSA has not yet deployed checkpoint technologies to address key existing
vulnerabilities, and has not yet developed and implemented technologies
needed to screen air cargo. With regard to surface transportation
security, while TSA has initiated efforts to develop security standards
for surface transportation modes, these efforts have been limited to
passenger and freight rail, and have not addressed commercial vehicle or
highway infrastructure, including bridges and tunnels. TSA has yet to
provide a rationale or explanation for why standards may not be needed for
these modes. Moreover, although TSA has made progress in conducting
compliance inspections of some surface transportation systems, inspectors'
roles and missions have not been fully defined.

A variety of cross-cutting issues have affected DHS's and, as they relate
to transportation security, TSA's efforts in implementing its mission and
management functions. These key issues include agency transformation,
strategic planning and results management, risk management, information
sharing, and stakeholder coordination. In working towards transforming the
department into an effective and efficient organization, DHS and its
components have not always been transparent which has affected our ability
to perform our oversight responsibilities in a timely manner. They have
also not always implemented effective strategic planning efforts, fully
developed performance measures, or put into place structures to help
ensure that they are managing for results. In addition, DHS and its
components can more fully adopt and apply a risk management approach in
implementing its security mission and core management functions.^4 They
could also better share information with federal agencies, state and local
governments and private sector entities, and more fully coordinate their
activities with key stakeholders.

^4 A risk management approach entails a continuous process of managing
risk through a series of actions, including setting strategic goals and
objectives, assessing risk, evaluating alternatives, selecting initiatives
to undertake, and implementing and monitoring those initiatives.

Background

The Aviation and Transportation Security Act (ATSA), enacted in November
2001, created TSA and gave it responsibility for securing all modes of
transportation. ^5 TSA's aviation security mission includes strengthening
the security of airport perimeters and restricted airport areas; hiring
and training a screening workforce; prescreening passengers against
terrorist watch lists; and screening passengers, baggage, and cargo at the
over 400 commercial airports nation-wide, among other responsibilities.
While TSA has operational responsibility for physically screening
passengers and their baggage, TSA exercises regulatory, or oversight,
responsibility for the security of airports and air cargo. Specifically,
airports, air carriers, and other entities are required to implement
security measures in accordance with TSA-issued security requirements,
against which TSA evaluates their compliance efforts.

TSA also oversees air carriers' efforts to prescreen passengers-- in
general, the matching of passenger information against terrorist watch
lists prior to an aircraft's departure --and plans to take over
operational responsibility for this function with the implementation of
its Secure Flight program initially for passengers traveling domestically.
CBP also has responsibility for prescreening airline passengers on
international flights departing from and bound for the United States,^6
while DHS's Science and Technology Directorate is responsible for
researching and developing technologies to secure the transportation
sector.

^5 Pub. L. No. 107-71, 115 Stat. 597 (2001).

^6 Currently, air carriers departing the United States are required to
transmit passenger manifest information to CBP no later than 15 minutes
prior to departure but, for flights bound for the United States, air
carriers are not required to transmit the information until 15 minutes
after the flight's departure (in general, after the aircraft is in
flight). See 19 C.F.R. SS 122.49a, 122.75a. In a final rule published in
the Federal Register on August 23, 2007, CBP established a requirement for
all air carriers to either transmit the passenger manifest information to
CBP no later than 30 minutes prior to the securing of the aircraft doors
(that is, prior to the flight being airborne), or transmit manifest
information on an individual basis as each passenger checks in for the
flight up to but no later than the securing of the aircraft. See 72 Fed.
Reg. 48,320 (Aug. 23, 2007). This requirement is to take effect on
February 19, 2008.

TSA shares responsibility for securing surface transportation modes with
federal, state, and local governments and the private sector. TSA's
security mission includes establishing security standards and conducting
assessments and inspections of surface transportation modes, including
passenger and freight rail; mass transit; highways and commercial
vehicles; and pipelines. The Federal Emergency Management Agency's Grant
Programs Directorate provides grant funding to surface transportation
operators and state and local governments, and in conjunction with certain
grants the National Protection and Programs Directorate conducts risk
assessments of surface transportation facilities. Within the Department of
Transportation (DOT), the Federal Transit Administration (FTA) and Federal
Railroad Administration (FRA) have responsibilities for establishing
standards for passenger rail safety and security. In addition, public and
private sector transportation operators are responsible for implementing
security measures for their systems. For example, the primary
responsibility for securing passenger rail systems rests with the
passenger rail operators. Passenger rail operators, which can be public or
private entities, are responsible for administering and managing passenger
rail activities and services, including security.

DHS Has Made Progress in Securing the Nation's Aviation and Surface
Transportation Systems, but More Work Remains

DHS, primarily through the efforts of TSA, has undertaken numerous
initiatives to strengthen the security of the nation's aviation and
surface transportation systems. In large part, these efforts have been
guided by legislative mandates designed to strengthen the security of
commercial aviation following the September 11, 2001 terrorist attacks.
These efforts have also been affected by events external to the
department, including the alleged August 2006 terrorist plot to blow up
commercial aircraft bound from London to the United States, and the 2004
Madrid and 2005 London train bombings. While progress has been made in
many areas with respect to securing the transportation network, we found
that the department can strengthen its efforts in some key areas outlined
by the Congress, the Administration, and the department itself.
Specifically, regarding commercial aviation, we reported that DHS has
generally achieved 17 performance expectations in this area, and has
generally not achieved 7 expectations. Regarding the security of surface
transportation modes, we reported that DHS has generally achieved three
performance expectations and has generally not achieved two others. We
identified these performance expectations through reviews of key
legislation, Homeland Security Presidential Directives, and DHS strategic
planning documents.

Aviation Security

Since its inception, TSA has focused much of its efforts on aviation
security and has developed and implemented a variety of programs and
procedures to secure commercial aviation. For example, TSA has undertaken
efforts to hire, train and deploy a screening workforce; and screen
passengers, baggage, and cargo. Although TSA has taken important actions
to strengthen aviation security, the agency has faced difficulties in
implementing an advanced, government-run passenger prescreening program
for domestic flights, and in developing and implementing technology to
screen passengers at security checkpoints and cargo placed on aircraft,
among other areas. As shown in table 1, we identified 24 performance
expectations for DHS in the area of aviation security, and found that
overall, DHS has made moderate progress in meeting these expectations.
Specifically, we found that DHS has generally achieved 17 performance
expectations and has generally not achieved 7 performance expectations.

Table 1: Performance Expectations and Progress Made in Aviation Security

Performance Expectation: Aviation security strategic approach: 
Implement a strategic approach for aviation security functions;  
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Airport perimeter security and access 
controls: Establish standards and procedures for effective airport 
perimeter security; 
Assessment: Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
Assessment: No assessment made: [Empty].

Performance expectation: Airport perimeter security and access 
controls: Establish standards and procedures to effectively control 
access to airport secured areas; 
Assessment: Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Airport perimeter security and access 
controls: Establish procedures for implementing biometric identifier 
systems for airport secured areas access control; 
Assessment: Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
Assessment: No assessment made: [Empty].

Performance expectation: Airport perimeter security and access 
controls: Ensure the screening of airport employees against terrorist 
watch lists; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Hire and deploy a 
federal screening workforce; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Develop standards 
for determining aviation security staffing at airports; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Establish 
standards for training and testing the performance of airport screener 
staff; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Establish a 
program and requirements to allow eligible airports to use a private 
screening workforce; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Train and deploy 
federal air marshals on high-risk flights; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Establish 
standards for training flight and cabin crews; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Aviation security workforce: Establish a 
Program to allow authorized flight deck officers to use firearms to 
defend against any terrorist or criminal acts. 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Passenger screening: Establish policies and 
procedures to ensure that individuals known to pose, or suspected of 
posing, a risk or threat to security are identified and subjected to 
appropriate action; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Passenger screening: Develop and implement an 
advanced prescreening system to allow DHS to compare domestic passenger 
information to the Selectee List and No Fly List; 
Assessment: Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Checkpoint screening: Develop and implement 
processes and procedures for physically screening passengers at airport 
checkpoints; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Checkpoint screening: Develop and test 
checkpoint technologies to address vulnerabilities; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Checkpoint screening: Deploy checkpoint 
technologies to address vulnerabilities; 
Assessment: Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Checked Baggage screening: Deploy explosive 
detection systems (EDS) and explosive trace detection (ETD) systems to 
screen checked baggage for explosives; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: ; 
Assessment: No assessment made: . 

Performance expectation: Checked Baggage screening: Develop a plan to 
deploy in-line baggage screening equipment at airports; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Checked Baggage screening: Pursue the 
deployment and use of in-line baggage screening equipment at airports; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Air Cargo security: Develop a plan for air 
cargo security; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Air Cargo security: Develop and implement 
procedures to screen air cargo; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Performance expectation: Air Cargo security: Develop and implement 
technologies to screen air cargo; 
Assessment: Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
Assessment: No assessment made: [Empty]. 

Total; 
Assessment: Generally achieved: 17; 
Assessment: Generally not achieved: 7; 
Assessment: No assessment made: 0. 

Source: GAO analysis.

Aviation Security Strategic Approach. We concluded that DHS has generally
achieved this performance expectation. In our past work, we reported that
TSA identified and implemented a wide range of initiatives to strengthen
the security of key components of the commercial aviation system. These
components are interconnected and each is critical to the overall security
of commercial aviation.^78 More recently, in March 2007, TSA released its
National Strategy on Aviation Security and six supporting plans that
provided more detailed strategic planning guidance in the areas of systems
security; operational threat response; systems recovery; domain
surveillance; and intelligence integration and domestic and international
outreach. According to TSA officials, an Interagency Implementation
Working Group was established under TSA leadership in January 2007 to
initiate implementation efforts for the 112 actions outlined in the
supporting plans.

Airport Perimeter Security and Access Controls. We concluded that DHS has
generally achieved one, and has generally not achieved three, of the
performance expectations in this area. For example, TSA has taken action
to ensure the screening of airport employees against terrorist watch lists
by requiring airport operators to compare applicants' names against the No
Fly and Selectee Lists. However, in June 2004, we reported that although
TSA had begun evaluating commercial airport perimeter and access control
security through regulatory compliance inspections, covert testing of
selected access procedures, and vulnerability assessments at selected
airports, TSA had not determined how the results of these evaluations
could be used to make improvements to the nation's airport system as a
whole. We further reported that although TSA had begun evaluating the
controls that limit access into secured airport areas, it had not
completed actions to ensure that all airport workers in these areas were
vetted prior to being hired and trained.^9  More recently, in March 2007,
the DHS Office of Inspector General, based on the results of its access
control testing at 14 domestic airports across the nation, made various
recommendations to enhance the overall effectiveness of controls that
limit access to airport secured areas.^10 In March through July 2007, DHS
provided us with updated information on procedures, plans, and other
efforts it had implemented to secure airport perimeters and strengthen
access controls, including a description of its Aviation Direct Access
Screening Program. This program provides for TSOs to randomly screen
airport and airline employees and employees' property and vehicles as they
enter the secured areas of airports for the presence of explosives,
incendiaries, weapons, and other items of interest as well as improper
airport identification. However, DHS did not provide us with evidence that
these actions provide for effective airport perimeter security, nor
information on how the actions addressed all relevant requirements
established by law and in our prior recommendations.

^7 For more information, see GAO, Aviation Security: Enhancements Made in
Passenger and Checked Baggage Screening, but Challenges Remain,
GAO-06-371T (Washington, D.C: April 2006).

^8 For more information, see GAO, Aviation Security: Transportation
Security Administration Has Made Progress in Managing a Federal Security
Workforce and Ensuring Security at U.S. Airports, but Challenges Remain,
[19]GAO-06-597T , (Washington, D.C.: April 2006) and GAO, Aviation
Security: Further Steps Needed to Strengthen the Security of Commercial
Airport Perimeters and Access Controls, [20]GAO-04-728 (Washington, D.C.:
June 2004).

^9 [21]GAO-06-597T and [22]GAO-04-728 .

Regarding procedures for implementing biometric identification systems, we
reported that TSA had not developed a plan for implementing new
technologies to meet the security needs of individual airports and the
commercial airport system as a whole^.11 In December 2004 and September
2006, we reported on the status of the development and testing of the
Transportation Worker Identification Credential program (TWIC)12 --DHS's
effort to develop biometric access control systems to verify the identity
of individuals accessing secure transportation areas. Our 2004 report
identified challenges that TSA faced in developing regulations and a
comprehensive plan for managing the program, as well as several factors
that caused TSA to miss initial deadlines for issuing TWIC cards. In our
September 2006 report, we identified the challenges that TSA encountered
during TWIC program testing, and several problems related to contract
planning and oversight. Specifically, we reported that DHS and industry
stakeholders faced difficult challenges in ensuring that biometric access
control technologies will work effectively in the maritime environment
where the Transportation Worker Identification Credential program is being
initially tested. In October 2007, we testified that TSA had made progress
in implementing the program and addressing our recommendations regarding
contract planning and oversight and coordination with stakeholders. For
example, TSA reported that it added staff with program and contract
management expertise to help oversee the contract and developed plans for
conducting public outreach and education efforts.13 However, DHS has not
yet determined how and when it will implement a biometric identification
system for access controls at commercials airports. We have initiated
ongoing work to further assess DHS's efforts to establish procedures for
implementing biometric identifier systems for airport secured areas access
control.

^10 Department of Homeland Security Office of Inspector General, Audit of
Access to Airport Secured Areas (Unclassified Summary), OIG-07-35
(Washington, D.C.: March 2007).

^11 [23]GAO-06-597T and [24]GAO-04-728 .

^12 GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, [25]GAO-05-106 (Washington,
D.C.: December 2004), and Transportation Security: DHS Should Address Key
Challenges before Implementing the Transportation Worker Identification
Credential Program, [26]GAO-06-982 (Washington, D.C.: September 2006).

Aviation Security Workforce. We concluded that DHS has  generally achieved
all 7 performance expectations in this area. For example, TSA has hired
and deployed a federal screening workforce at over 400 commercial airports
nationwide, and has developed standards for determining TSO staffing
levels at airports. TSA also established numerous programs to train and
test the performance of its TSO workforce, although we reported that
improvements in these efforts can be made. Among other efforts, in
December 2005, TSA reported completing enhanced explosives detection
training for over 18,000 TSOs, and increased its use of covert testing to
assess vulnerabilities of existing screening systems. TSA also established
the Screening Partnership Program which allows eligible airports to apply
to TSA to use a private screening workforce. In addition, TSA has trained
and deployed federal air marshals on high-risk flights; established
standards for training flight and cabin crews; and established a Federal
Flight Deck Officer program to select, train, and allow authorized flight
deck officers to use firearms to defend against any terrorist or criminal
acts. Related to flight and cabin crew training, TSA revised its guidance
and standards to include additional training elements required by law and
improve the organization and clarity of the training. TSA also increased
its efforts to measure the performance of its TSO workforce through
recertification testing and other measures.

^13 GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, [27]GAO-05-106 (Washington,
D.C.: December 2004), and Transportation Security: DHS Should Address Key
Challenges before Implementing the Transportation Worker Identification
Credential Program, [28]GAO-06-982 (Washington, D.C.: September 2006).

Passenger Prescreening. We reported that DHS has generally achieved one,
and has not generally achieved two, of the performance expectations in
this area. For example, TSA established policies and procedures to ensure
that individuals known to pose, or suspected of posing, a risk or threat
to security are identified and subjected to appropriate action.
Specifically, TSA requires that air carriers check all passengers against
the Selectee List, which identifies individuals that represent a higher
than normal security risk and therefore require additional security
screening, and the No Fly List, which identifies individuals who are not
allowed to fly.^14 However, TSA has faced a number of challenges in
developing and implementing an advanced prescreening system, known as
Secure Flight, which will allow TSA to take over the matching of passenger
information against the No Fly and Selectee lists from air carriers, as
required by law^15. In 2006, we reported that TSA had not conducted
critical activities in accordance with best practices for large-scale
information technology programs and had not followed a disciplined life
cycle approach in developing Secure Flight.^16  In March 2007, DHS
reported that as a result of its rebaselining efforts, more effective
government controls were developed to implement Secure Flight and that TSA
was following a more disciplined development process. DHS further reported
that it plans to begin parallel operations with the first group of
domestic air carriers during fiscal year 2009 and to take over full
responsibility for watch list matching in fiscal year 2010. We are
continuing to assess TSA's efforts in developing and implementing the
Secure Flight program. We have also reported that DHS has not yet
implemented enhancements to its passenger prescreening process for
passengers on international flights departing from and bound for the
United States.^17 Although CBP recently issued a final rule that will
require air carriers to provide passenger information to CBP prior to a
flight's departure so that CBP can compare passenger information to the
terrorist watch lists before a flight takes off, this requirement is not
scheduled to take effect until February 2008. In addition, while DHS plans
to align its international and domestic passenger prescreening programs
under TSA, full implementation of an integrated system will not occur for
several years.

^14 In accordance with TSA-issued security requirements, passengers on the
No Fly List are denied boarding passes and are not permitted to fly unless
cleared by law enforcement officers. Similarly, passengers who are on the
Selectee List are issued boarding passes, and they and their baggage
undergo additional security measures.

^15 See 49 U.S.C. S 44903(j)(2)(C).

^16 GAO, Aviation Security: Management Challenges Remain for the
Transportation Security Administration's Secure Flight Program,
[29]GAO-06-864T (Washington, D.C.: June 2006).

^17 GAO, Aviation Security: Progress Made in Systematic Planning to Guide
Key Investment Decisions, but More Work Remains, [30]GAO-07-448T
(Washington, D.C.: February 2007) and GAO, Aviation Security: Efforts to
Strengthen International Passenger Prescreening Are Under Way, but
Planning and Implementation Issues Remain, [31]GAO-07-346 (Washington,
D.C.: May 2007).

Checkpoint Screening. We reported that DHS has generally achieved two, and
has not generally achieved one, of the performance expectations in this
area. For example, we reported that TSA has developed processes and
procedures for screening passengers at security checkpoints and has worked
to balance security needs with efficiency and customer service
considerations.^18 More specifically, in April 2007, we reported that
modifications to standard operating procedures were proposed based on the
professional judgment of TSA senior-level officials and program-level
staff, as well as threat information and the results of covert testing.
However, we found that TSA's data collection and analyses could be
improved to help TSA determine whether proposed procedures that are
operationally tested would achieve their intended purpose. We also
reported that DHS and its component agencies have taken steps to improve
the screening of passengers to address new and emerging threats. For
example, TSA established two recent initiatives intended to strengthen the
passenger checkpoint screening process: (1) the Screening Passenger by
Observation Technique program, which is a behavior observation and
analysis program designed to provide TSA with a nonintrusive means of
identifying potentially high- risk individuals; and the (2) Travel
Document Checker program which replaces current travel document checkers
with TSOs who have access to sensitive security information on the threats
facing the aviation industry and check for fraudulent documents. However,
we found that while TSA has developed and tested checkpoint technologies
to address vulnerabilities that may be exploited by identified threats
such as improvised explosive devices, it has not yet effectively deployed
such technologies. In July 2006, TSA reported that it installed 97
explosives trace portal machines--which use puffs of air to dislodge and
detect trace amounts of explosives on persons--at 37 airports. However,
DHS identified problems with these machines and has halted their
deployment. TSA is also developing backscatter technology, which
identifies explosives, plastics and metals, giving them shape and form and
allowing them to be visually interpreted.^19 However, limited progress has
been made in fielding this technology at passenger screening checkpoints.
The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11
Commission Act), enacted in August 2007, restates and amends a requirement
that DHS issue a strategic plan for deploying explosive detection
equipment at airport checkpoints and requires DHS to expedite research and
develop efforts to protect passenger aircraft from explosives devices.^20
We are currently reviewing DHS and TSA's efforts to develop, test and
deploy airport checkpoint technologies.^21

^18 For more information, see GAO, Aviation Security: Risk, Experience, and
Customer Concerns Drive Changes to Airline Passenger Screening Procedures,
but Evaluation and Documentation of Proposed Changes Could Be Improved,
[32]GAO-07-634 (Washington, D.C.: May 2007); GAO, Aviation Security: TSA's
Change to Its Prohibited Items List Has Not Resulted in Any Reported
Security Incidents, but the Impact of the Change on Screening Operations
Is Inconclusive, [33]GAO-07-623R (Washington, D.C.: April 2007); GAO,
Airport Passenger Screening: Preliminary Observations on Progress Made and
Challenges Remaining, [34]GAO-03-1173 (Washington, D.C.: September 2003);
and GAO, Aviation Security: Enhancements Made in Passenger and Checked
Baggage Screening, but Challenges Remain, [35]GAO-06-371T (Washington,
D.C.: April 2006).

Checked Baggage Screening. We concluded that DHS has generally achieved
all three performance expectations in this area. Specifically, from
November 2001 through June 2006, TSA procured and installed about 1,600
Explosive Detection Systems (EDS) and about 7,200 Explosive Trace
Detection (ETD) machines to screen checked baggage for explosives at over
400 commercial airports.^22 In response to mandates to field the equipment
quickly and to account for limitations in airport design, TSA generally
placed this equipment in a stand-alone mode--usually in airport
lobbies--to conduct the primary screening of checked baggage for
explosives^23. Based in part on our previous recommendations, TSA later
developed a plan to integrate EDS and ETD machines in-line with airport
baggage conveyor systems. The installation of in-line systems can result
in considerable savings to TSA through the reduction of TSOs needed to
operate the equipment, as well as increased security. Despite delays in
the widespread deployment of in-line systems due to the high upfront
capital investment required, TSA is pursuing the installation of these
systems and is seeking creative financing solutions to fund their
deployment. In March 2007, DHS reported that it is working with airport
and air carrier stakeholders to improve checked baggage screening
solutions to enhance security and free up lobby space at airports. The
installation of in-line baggage screening systems continues to be an issue
of congressional concern. For example, the 9/11 Commission Act reiterates
a requirement that DHS submit a cost-sharing study along with a plan and
schedule for implementing provisions of the study, and requires TSA to
establish a prioritization schedule for airport improvement projects such
as the installation of in-line baggage screening systems.^24

^19 [36]GAO-06-371T .

^20 See Pub. L. No. 110-53, SS1607, 1610, 121 Stat. 266, 483-85 (2007).

^21 For more information, see [37]GAO-06-371T .

^22 Explosive detection systems (EDS) use specialized X-rays to detect
characteristics of explosives that may be contained in baggage as it moves
along a conveyor belt. Explosive trace detection (ETD) works by detecting
vapors and residues of explosives. Human operators collect samples by
rubbing swabs along the interior and exterior of an object that TSOs
determine to be suspicious, and place the swabs in the ETD machine, which
then chemically analyzes the swabs to identify any traces of explosive
materials.

^23 For more information, see GAO, Aviation Security: TSA Oversight of
Checked Baggage Screening Procedures Could Be Strengthened, [38]GAO-06-869
(Washington, D.C.: July 2006), [39]GAO-06-371T , and [40]GAO-07-448T

Air Cargo Security. We reported that TSA has generally achieved two, and
has not generally achieved one, of the performance expectations in this
area. Specifically, TSA has developed a strategic plan for domestic air
cargo security and has taken actions to use risk management principles to
guide investment decisions related to air cargo bound for the United
States from a foreign country, referred to as inbound air cargo, but these
actions are not yet complete. For example, TSA plans to assess inbound air
cargo vulnerabilities and critical assets--two crucial elements of a
risk-based management approach--but has not yet established a methodology
or time frame for how and when these assessments will be completed. ^25
TSA has also developed and implemented procedures to screen domestic and
inbound air cargo. We reported in October 2005 that TSA had significantly
increased the number of domestic air cargo inspections conducted of air
carrier and indirect air carrier compliance with security requirements.
However, we also reported that TSA exempted certain cargo from random
inspection because it did not view the exempted cargo as posing a
significant security risk, although air cargo stakeholders noted that such
exemptions may create potential security risks and vulnerabilities since
shippers may know how to package their cargo to avoid inspection.^26 In
part based on a recommendation we made, TSA is evaluating existing
exemptions to determine whether they pose a security risk, and has removed
some exemptions that were previously allowed. The 9/11 Commission Act
requires, no later than 3 years after its enactment, that DHS have a
system in place to screen 100 percent of cargo transported on passenger
aircraft.^27 Although TSA has taken action to develop plans for securing
air cargo and establishing and implementing procedures to screen air
cargo, DHS has not yet developed and implemented screening technologies.
DHS is pursuing multiple technologies to automate the detection of
explosives in the types and quantities that would cause catastrophic
damage to an aircraft in flight. However, TSA acknowledged that full
development of these technologies may take 5 to 7 years. In April 2007, we
reported that TSA and DHS's S&T Directorate were in the early stages of
evaluating and piloting available aviation security technologies to
determine their applicability to the domestic air cargo environment. We
further reported that although TSA anticipates completing its pilot tests
by 2008, it has not yet established time frames for when it might
implement these methods or technologies for the inbound air cargo system.
^28

^24 See Pub. L. No. 110-88. 1603-04, 121 Stat. at 480-81.

^25 For more information, see GAO, Aviation Security: Federal Action
Needed to Strengthen Domestic Air Cargo Security, , (Washington, D.C.:
October 2005) and GAO, Aviation Security: Federal Efforts [41]GAO-06-76 to
Secure U.S.-Bound Air Cargo Are in the Early Stages and Could Be
Strengthened, [42]GAO-07-660 (Washington, D.C.: April 2007).

Surface Transportation Security

Although TSA has devoted the vast majority of its resources to securing
commercial aviation and to meeting related statutory requirements, it has
more recently increased its focus on the security of surface modes of
transportation. However, these efforts are still largely in the early
stages. International events such as the March 2004 Madrid and July 2005
London train bombings, have, in part, contributed to this increased focus.
Specifically, TSA and other DHS components have developed an approach for
securing surface modes of transportation, have taken steps to conduct risk
assessments of surface transportation assets; and have administered
related grant programs. However, TSA has not issued standards for securing
all surface transportation modes, and is still defining what its
regulatory role will be. Moreover, although TSA has made progress in
conducting compliance inspections of some surface transportation systems,
inspectors' roles and missions have not been fully defined. As shown in
table 2, we identified five performance expectations for DHS in the area
of surface transportation security and found that, overall, DHS primarily
through the efforts of TSA has made moderate progress in meeting these
expectations. Specifically, we found that DHS has generally achieved three
performance expectations and has generally not achieved two performance
expectations.

^26 [43]GAO-06-76 .

^27 See Pub. L. No. 110-53, S 1602, 121 Stat. at 477-79.This provision
defines screening as a physical examination or non-intrusive method of
assessing whether cargo poses a threat to transportation security that
includes the use of technology, procedures, personnel, or other methods to
provide a level of security commensurate with the level of security for
the screening of passenger checked baggage. Methods such as solely
performing a review of information about the contents of cargo or
verifying the identity of a shipper of the cargo, including whether a
known shipper is registered in TSA's known shipper database, do not
constitute screening under this provision.

^28 [44]GAO-07-660 .

Table 2: Performance Expectations and Progress Made in Surface
Transportation Security

Performance expectation: Develop and adopt a strategic approach for 
implementing surface transportation security functions; 
Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
No assessment made: [Empty]. 

Performance expectation: Conduct threat, criticality, and vulnerability 
assessments of surface transportation assets; 
Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
No assessment made: [Empty]. 

Performance expectation: Issue standards for securing surface 
transportation modes; 
Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
No assessment made: [Empty]. 

Performance expectation: Conduct compliance inspections for surface 
transportation systems; 
Generally achieved: [Empty]; 
Assessment: Generally not achieved: [Check]; 
No assessment made: [Empty]. 

Performance expectation: Administer grant programs for surface 
transportation security; 
Generally achieved: [Check]; 
Assessment: Generally not achieved: [Empty]; 
No assessment made: [Empty]. 

Performance expectation: Total; 
Generally achieved: 3; 
Assessment: Generally not achieved: 2; 
No assessment made: 0. 

Source: GAO analysis.

Strategic Approach for Implementing Security Functions. We concluded that
DHS has generally achieved this performance expectation. In May 2007, DHS
issued the sector-specific plan for transportation systems and supporting
annexes for surface transportation modes, and reported taking actions to
adopt the strategic approach outlined by the plan. The Transportation
Systems Sector-Specific Plan and its supporting modal implementation plans
and appendixes establish a strategic approach for securing surface
transportation modes based on the National Infrastructure Protection Plan
and Executive Order 13416, Strengthening Surface Transportation Security.
The Transportation Systems Sector-Specific Plan describes the security
framework that is intended to enable sector stakeholders to make effective
and appropriate risk-based security and resource allocation decisions.
During the course of our work assessing freight rail, commercial vehicles,
and highway infrastructure security, we identified that TSA has begun to
implement some of the security initiatives outlined in the sector-specific
plan and supporting modal plans. While DHS has issued a strategy for
securing all transportation modes, and has demonstrated that it has begun
to take actions to implement the goals and objectives outlined in the
strategy, we have not yet analyzed the overall quality of the plan or
supporting modal annexes, the extent to which efforts outlined in the plan
and annexes have been implemented, or the effectiveness of identified
security initiatives. In addition, we recognize that the acceptance of
DHS's approach by federal, state and local, and private sector
stakeholders is crucial to its successful implementation. We also have not
assessed the extent to which the plan and supporting modal annexes were
coordinated with or adopted by these stakeholders. We will continue to
assess DHS's efforts to implement its strategy for securing surface
transportation modes as part of our ongoing reviews of mass transit,
passenger and freight rail, commercial vehicle, and highway infrastructure
security.

Threat, Criticality and Vulnerability Assessments. We reported that DHS
has generally achieved this performance expectation. TSA has taken actions
to conduct threat, criticality, and vulnerability assessments of surface
transportation assets, particularly for mass transit, passenger rail, and
freight rail, but we have not yet reviewed the quality of many of these
assessments. TSA uses threat assessments and information as part of its
surface transportation security efforts. For example, TSA has conducted
threat assessments of mass transit, passenger rail, and freight rail
transportation modes. TSA has also conducted assessments of the
vulnerabilities associated with surface transportation assets, to varying
degrees, for most surface modes of transportation. For freight rail, for
example, we found that TSA has conducted vulnerability assessments of High
Threat Urban Area rail corridors where toxic inhalation hazard shipments
are transported. However, TSA's vulnerability assessment efforts are still
ongoing and in some instances, are in the early stages, particularly for
commercial vehicles and highway infrastructure. With regard to criticality
assessments, DHS has conducted such assessments for some surface
transportation modes. For example, TSA has conducted Corporate Security
Reviews with 38 state Department of Transportation highway programs. In
addition, the National Protection and Programs Directorate's Office of
Infrastructure Protection conducts highway infrastructure assessments that
look at critical highway infrastructure assets. We testified in January
2007 that TSA had reported completing an overall threat assessment for
mass transit and passenger and freight rail modes, and had conducted
criticality assessments of nearly 700 passenger rail stations. In
addition, we further reported that the Grant Programs Directorate
developed and implemented a risk assessment tool to help passenger rail
operators better respond to terrorist attacks and prioritize security
measures. We will continue to review threat, criticality and vulnerability
assessments conducted by TSA and other DHS components for surface modes of
transportation during our ongoing work assessing mass transit, passenger
and freight rail, highway infrastructure, and commercial vehicle
security.^29

Issuance of Security Standards. We found that DHS has generally not
achieved this performance expectation. TSA has taken actions to develop
and issue security standards for mass transit, passenger rail, and freight
rail modes. However, TSA did not provide us with evidence of its efforts
to develop and issue security standards for all surface transportation
modes, or provided a rationale or explanation why standards may not be
needed for other modes. Specifically, TSA has developed and issued
security directives, security action items--recommended measures for
passenger rail and mass transit operators to implement in their security
programs to improve both security and emergency preparedness, and a
proposed rule in December 2006 on passenger and freight rail security
requirements.^30 In April 2007, DHS reported that TSA uses field
activities to assess compliance with security directives and
implementation of noncompulsory security standards and protective measures
with the objective of a broad-based enhancement of passenger rail and rail
transit security. TSA also reported that in its December 2006 notice of
proposed rulemaking on new security measures for freight rail carriers, it
proposed requirements designed to ensure 100 percent positive handoff of
toxic inhalation hazard shipments that enter high threat urban areas, as
well as security protocols for custody transfers of toxic inhalation
hazard rail cars in high-threat urban areas. TSA also reported that its
High Threat Urban Area rail corridor assessments supported the development
of the Recommended Security Action Items for the Rail Transportation of
Toxic Inhalation Materials issued by DHS and the Department of
Transportation in June 2006.

^29  For more information, see [45]GAO-06-181T ; GAO, Passenger Rail
Security: Enhanced Federal Leadership Needed to Prioritize and Guide
Security Efforts, [46]GAO-07-225T (Washington, D.C.: January 2007); and
[47]GAO-06-181T .

^30 See 71 Fed. Reg. 76,852 (Dec. 21, 2006).

Compliance Inspections. We concluded that DHS has generally not achieved
this performance expectation. TSA has made progress in conducting
compliance inspections, particularly in hiring and deploying inspectors,
but inspectors' roles and missions have not yet been fully defined. TSA
officials have reported that the agency has hired 100 surface
transportation inspectors whose stated mission is to, among other duties,
monitor and enforce compliance with TSA's rail security directives.
However, some mass transit and passenger rail operators have expressed
confusion and concern about the role of TSA inspectors and the potential
that these inspections could duplicate other federal and state rail
inspections. In March and April 2007, with respect to freight rail, TSA
reported visiting terminal and railroad yards to measure implementation of
7 of 24 DHS recommended security action items for the transportation of
toxic inhalation hazard materials. Through its Surface Transportation
Security Inspection program, TSA reported that its inspectors conduct
inspections of key facilities for rail and transit systems to assess
transit systems' implementation of core transit security fundamentals and
comprehensive security action items; conduct examinations of stakeholder
operations, including compliance with security directives; identify
security gaps; and develop effective practices. Although TSA has deployed
inspectors to conduct compliance inspections and carry out other security
activities in the mass transit, passenger rail, and freight rail modes,
TSA did not provide us with evidence that it has conducted compliance
inspections for other surface transportation modes or information on
whether the department believes compliance inspections are needed for
other modes.

The 9/11 Commission Act authorizes funds to be appropriated for TSA to
employ additional surface transportation inspectors and requires that
surface transportation inspectors have relevant transportation experience
and appropriate security and inspection qualifications.^31  The Act also
requires DHS to consult periodically with surface transportation entities
on the inspectors' duties, responsibilities, authorities, and mission. We
will continue to assess TSA's inspection efforts during our ongoing
work.^32

^31 See Pub. L. No. 110-53, S 1304, 121 Stat. at 393-94.

^32 For more information, see [48]GAO-07-225T ; [49]GAO-06-181T ; and GAO,
Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize
and Guide Security Efforts, [50]GAO-05-851 (Washington, D.C.: October
2005).

Grant Programs. We reported that DHS generally achieved this performance
expectation. More specifically, DHS has developed and administered grant
programs for various surface transportation modes. However, some industry
stakeholders have raised concerns regarding DHS's current grant process,
such as time delays and other barriers in the provision of grant funding.
We have not yet assessed DHS's provision of grant funding or the extent to
which DHS monitors the use of the funds. In March 2007, we reported that
the DHS Office of Grants and Training, now called the Grant Programs
Directorate, has used various programs to fund passenger rail security
since 2003.^33 Through the Urban Area Security Initiative grant program,
the Grant Programs Directorate has provided grants to urban areas to help
enhance their overall security and preparedness level to prevent, respond
to, and recover from acts of terrorism. The Grant Programs Directorate
used fiscal year 2005, 2006, and 2007 appropriations to build on the work
under way through the Urban Area Security Initiative program, and create
and administer new programs focused specifically on transportation
security, including the Transit Security Grant Program and the Intercity
Passenger Rail Security Grant Program. The 9/11 Commission Act requires
DHS to establish grant programs for security improvements in the public
transportation, passenger and freight rail, and over-the-road bus modes
and requires DHS to take certain actions in implementing the grant
programs.^34  For example, the Act requires that DHS determine the
requirements for grant recipients and establish the priorities for which
grant funding may be used, and it requires that DHS and DOT determine the
most effective and efficient way to distribute grant funds, authorizing
DHS to transfer funds to DOT for the purpose of disbursement. We will be
assessing grants distributed for mass transit and passenger rail as part
of our ongoing work.^35

^33 GAO, Passenger Rail Security: Federal Strategy and Enhanced
Coordination Needed to Prioritize and Guide Security Efforts
[51]GAO-07-583T (Washington, D.C.: March 2007).

^34  See Pub. L. No. 110-53, SS 1406, 1513, 1532, 121 Stat. at 405-08,
433-35, 457-60.

^35 For more information, see [52]GAO-06-181T and [53]GAO-07-583T .

Cross-cutting Issues Have Hindered DHS's Efforts in Implementing Its Mission and
Management Functions

Our work has identified homeland security challenges that cut across DHS's
mission and core management functions. These issues have impeded the
department's progress since its inception and will continue as DHS moves
forward. While it is important that DHS continue to work to strengthen
each of its mission and core management functions, to include
transportation security, it is equally important that these key issues be
addressed from a comprehensive, department wide perspective to help ensure
that the department has the structure and processes in place to
effectively address the threats and vulnerabilities that face the nation.
These issues include: (1) transforming and integrating DHS's management
functions; (2) establishing baseline performance goals and measures and
engaging in effective strategic planning efforts; (3) applying and
strengthening a risk management approach for implementing missions and
making resource allocation decisions; (4) sharing information with key
stakeholders; and (5) coordinating and partnering with federal, state and
local, and private sector agencies. We have made numerous recommendations
to DHS and its components to strengthen these efforts, and the department
has made progress in implementing some of these recommendations.

DHS has faced a variety of difficulties in its efforts to transform into a
fully functioning department. We designated DHS's implementation and
transformation as high-risk in part because failure to effectively address
this challenge could have serious consequences for our security and
economy. DHS continues to face challenges in key areas including
acquisition, financial, human capital, and information technology
management. This array of management and programmatic challenges continues
to limit DHS' ability to effectively and efficiently carry out its
mission. In addition, transparency plays an important role in helping to
ensure effective and efficient transformation efforts. We have reported
that DHS has not made its management or operational decisions transparent
enough so that Congress can be sure it is effectively, efficiently, and
economically using the billions of dollars in funding it receives
annually. More specifically, in April 2007, we testified that we have
encountered access issues during numerous engagements at DHS, including
significant delays in obtaining requested documents that have affected our
ability to do our work in a timely manner.^36 The Secretary of DHS and the
Under Secretary for Management have stated their desire to work with us to
resolve access issues and to provide greater transparency. It will be
important for DHS and its components to become more transparent and
minimize recurring delays in providing access to information on its
programs and operations so that Congress, GAO, and others can
independently assess its efforts.

^36 GAO, Department of Homeland Security: Observations on GAO Access to
Information on Programs and Activities, [54]GAO-07-700T , (Washington,
D.C.: April 2007).

In addition, DHS has not always implemented effective strategic planning
efforts and has not yet fully developed performance measures or put into
place structures to help ensure that the agency is managing for results.
We have identified strategic planning as one of the critical success
factors for new organizations, and reported that DHS as well as TSA and
other component efforts in this area have been mixed. For example, with
regards to TSA's efforts to secure air cargo, we reported that TSA
completed an Air Cargo Strategic Plan in November 2003 that outlined a
threat-based risk management approach to securing the nation's domestic
air cargo system, and that this plan identified strategic objectives and
priority actions for enhancing air cargo security based on risk, cost, and
deadlines. However, we reported that TSA had not developed a similar
strategy for addressing the security of inbound air cargo--cargo
transported into the United States from foreign countries, including how
best to partner with CBP and international air cargo stakeholders. In
another example, we reported that TSA had not yet developed outcome-based
performance measures for its foreign airport assessment and air carrier
inspection programs, such as the percentage of security deficiencies that
were addressed as a result of TSA's on-site assistance and
recommendations, to identify any aspects of these programs that may need
attention. We recommended that DHS direct TSA and CBP to develop a
risk-based strategy, including specific goals and objectives, for securing
air cargo;^37 and develop outcome-based performance measures for its
foreign airport assessment and air carrier inspection programs.^38 DHS
generally concurred with GAO's recommendations.

^37 [55]GAO-07-660 .

^38 GAO, Aviation Security: Foreign Airport Assessments and Air Carrier
Inspections Help Enhance Security, but Oversight of These Efforts Can Be
Strengthened, [56]GAO-07-729 (Washington, D.C.: May 11, 2007).

DHS has also not fully adopted and applied a risk management approach in
implementing its mission and core management functions. Risk management
has been widely supported by the President and Congress as an approach for
allocating resources to the highest priority homeland security
investments, and the Secretary of Homeland Security and the Assistant
Secretary for Transportation Security have made it a centerpiece of DHS
and TSA policy. Several DHS component agencies and TSA have worked towards
integrating risk-based decision making into their security efforts, but we
reported that these efforts can be strengthened. For example, TSA has
incorporated certain risk management principles into securing air cargo,
but has not completed assessments of air cargo vulnerabilities or critical
assets--two crucial elements of a risk-based approach without which TSA
may not be able to appropriately focus its resources on the most critical
security needs. TSA has also incorporated risk-based decision making when
making modifications to airport checkpoint screening procedures, to
include modifying procedures based on intelligence information and
vulnerabilities identified through covert testing at airport checkpoints.
However, in April 2007 we reported that TSA's analyses that supported
screening procedural changes could be strengthened. For example, TSA
officials based their decision to revise the prohibited items list to
allow passengers to carry small scissors and tools onto aircraft based on
their review of threat information--which indicated that these items do
not pose a high risk to the aviation system--so that TSOs could
concentrate on higher threat items.^39 However, TSA officials did not
conduct the analysis necessary to help them determine whether this
screening change would affect TSO's ability to focus on higher-risk
threats.^40

We have further reported that opportunities exist to enhance the
effectiveness of information sharing among federal agencies, state and
local governments, and private sector entities. In August 2003, we
reported that efforts to improve intelligence and information sharing need
to be strengthened, and in 2005, we designated information sharing for
homeland security as high-risk.^41 In January 2005, we reported that the
nation still lacked an implemented set of government-wide policies and
processes for sharing terrorism-related information, but DHS has issued a
strategy on how it will put in place the overall framework, policies, and
architecture for sharing information with all critical partners--actions
that we and others have recommended.^42  DHS has taken some steps to
implement its information sharing responsibilities. States and localities
are also creating their own information "fusion" centers, some with DHS
support. With respect to transportation security, the importance of
information sharing was recently highlighted in the 9/11 Commission Act
which requires DHS to establish a plan to promote the sharing of
transportation security information among DHS and federal, state and local
agencies, tribal governments, and appropriate private entities.^43 The Act
also requires that DHS provide timely threat information to carriers and
operators that are preparing and submitting a vulnerability assessment and
security plan, including an assessment of the most likely methods that
could be used by terrorists to exploit weaknesses in their security.^44

^39 GAO, Aviation Security: Risk, Experience, and Customer Concerns,
[57]GAO-07-634 (Washington, D.C.: May 2007).

^40  GAO, Aviation Security: Risk, Experience, and Customer Concerns Drive
Changes to Airline Passenger Screening Procedures, but Evaluation and
Documentation of Proposed Changes Could Be Improved, [58]GAO-07-634
(Washington, D.C.: April 16, 2007).

In addition to providing federal leadership with respect to homeland
security, DHS also plays a large role in coordinating the activities of
key stakeholders, but has faced challenges in this regard. To secure the
nation, DHS must form effective and sustained partnerships between legacy
component agencies and a range of other entities, including other federal
agencies, state and local governments, the private and nonprofit sectors,
and international partners. We have reported that successful partnering
and coordination involves collaborating and consulting with stakeholders
to develop and agree on goals, strategies, and roles to achieve a common
purpose; identify resource needs; establish a means to operate across
agency boundaries, such as compatible procedures, measures, data, and
systems; and agree upon and document mechanisms to monitor, evaluate, and
report to the public on the results of joint efforts.^45 We have found
that the appropriate homeland security roles and responsibilities within
and between the levels of government, and with the private sector, are
evolving and need to be clarified. For example, we reported that
opportunities exists for TSA to work with foreign governments and industry
to identify best practices for securing passenger rail, and air cargo, and
recommended that TSA systematically compile and analyze information on
practices used abroad to identify those that may strengthen the
department's overall security efforts.^46  Further, regarding efforts to
respond to in-flight security threats, which depending on the nature of
the threat could involve more than 15 federal agencies and agency
components, we recommended that DHS and other departments document and
share their respective coordination and communication strategies and
response procedures.^47  In September 2005, we reported that TSA did not
effectively involve private sector stakeholders in its decision making
process for developing security standards for passenger rail assets.^48 We
recommended that DHS develop security standards that reflect industry best
practices and can be measured, monitored, and enforced by TSA rail
inspectors and, if appropriate, rail asset owners. DHS agreed with these
recommendations. In addition, the 9/11 Commission Act includes provisions
designed to improve coordination with stakeholders. For example, the Act
requires DHS and the Department of Transportation to develop an annex to
the Memorandum of Understanding between the two departments governing the
specific roles, responsibilities, resources, and commitments in addressing
motor carrier transportation security matters, including the processes the
departments will follow to promote communications and efficiency, and
avoid duplication of effort.^49 The Act also requires DHS in consultation
with the Department of Transportation to establish a program to provide
appropriate information that DHS has gathered or developed on the
performance, use, and testing of technologies that may be used to enhance
surface transportation security to surface transportation entities.^50

^41 GAO, Homeland Security: Efforts to Improve Information Sharing Need to
Be

Strengthened, [59]GAO-03-760 . Washington, D.C.: August 2003, and GAO,
HIGH- RISK SERIES: An Update [60]GAO-05-207 (Washington, D.C.: January
2005).

^42 [61]GAO-07-454 .

^43 See Pub. L. No. 110-53, S 1203, 121 Stat. at 383-86.

^44  See Pub. L. No. 110-53, SS 1512(d)(2), 1531(d)(2), 121 Stat. at 430,
455.

^45 [62]GAO-07-660 .

^46 [63]GAO-07-660 and [64]GAO-05-851 ^..

^47 GAO, Aviation Security: Federal Coordination for Responding to
In-flight Security Threats Has Matured, but Procedures Can Be
Strengthened, (Washington, D.C.: July 31, 2007). [65]GAO-07-891R

^48 [66]GAO-05-851 .

^49  See Pub. L. No. 110-53, S 1541, 121 Stat. at 469.

^50 See Pub. L. No. 110-53, S 1305, 121 Stat. at 394-95.

Concluding Observations

The magnitude of DHS's and more specifically TSA's responsibilities in
securing the nation's transportation system is significant, and we commend
the department on the work it has done and is currently doing to secure
this network. Nevertheless, given the dominant role that TSA plays in
securing the homeland, it is critical that its programs and initiatives
operate as efficiently and effectively as possible. In the almost 6 years
since its creation, TSA has had to undertake its critical mission while
also establishing and forming a new agency. At the same time, a variety of
factors, including threats to and attacks on transportation systems around
the world, as well as new legislative requirements, have led the agency to
reassess its priorities and reallocate resources to address key events,
and to respond to emerging threats. Although TSA has made considerable
progress in addressing key aspects of commercial aviation security, more
work remains in the areas of checkpoint and air cargo technology, airport
security, and passenger prescreening. Further, although TSA has more
recently taken actions in a number of areas to help secure surface modes
of transportation, its efforts are still largely in the early stage, and
the nature of its regulatory role, and relationship with transportation
operators, is still being defined. As DHS , TSA, and other components move
forward, it will be important for the department to work to address the
challenges that have affected its operations thus far, including
developing results-oriented goals and measures to assess performance;
developing and implementing a risk-based approach to guide resource
decisions; and establishing effective frameworks and mechanisms for
sharing information and coordinating with homeland security partners. A
well-managed, high-performing department is essential to meeting the
significant challenge of securing the transportation network. As DHS, TSA,
and other components continue to evolve, implement their programs, and
integrate their functions, we will continue to review their progress and
performance and provide information to Congress and the public on these
efforts.

Mr. Chairman this concludes my statement. I would be pleased to answer any
questions that you or other members of the committee may have at this
time.

GAO Contact and Staff Acknowledgments

For further information on this testimony, please contact Cathleen Berrick
at (202) 512- 3404 or at [email protected]. Individuals making key
contributions to this testimony include Steve D. Morris, Assistant
Director, Gary Malavenda, Susan Langley, and Linda Miller.

(440668)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( [67]www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
[68]www.gao.gov and select "E-mail Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
DC 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: [69]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [70][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [71][email protected] , (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548

Public Affairs

Susan Becker, Acting Manager, [72][email protected] , (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
DC 20548

To view the full product, including the scope

and methodology, click on [73]GAO-08-140T .For more information, contact
Cathleen Berrick at (202) 512-3404 or [email protected].

Highlights of [74]GAO-08-140T , testimony before the U.S. Senate Committee
on Commerce, Science and Transportation

October 16, 2007

TRANSPORTATION SECURITY

Efforts to Strengthen Aviation and Surface Transportation Security are
Under Way, but Challenges Remain

Within the Department of Homeland Security (DHS), the Transportation
Security Administration's (TSA) mission is to protect the nation's
transportation network. Since its inception in 2001, TSA has developed and
implemented a variety of programs and procedures to secure commercial
aviation and surface modes of transportation, including passenger and
freight rail, mass transit, highways, commercial vehicles, and pipelines.
Other DHS components, federal agencies, state and local governments, and
the private sector also play a role in transportation security. GAO
examined (1) the progress DHS and TSA have made in securing the nation's
aviation and surface transportation systems, and (2) challenges that have
impeded the department's efforts to implement its mission and management
functions. This testimony is based on issued GAO reports and testimonies
addressing the security of the nation's aviation and surface
transportation systems, including a recently issued report (GAO-07-454)
that highlights the progress DHS has made in implementing its mission and
management functions.

[75]What GAO Recommends

In prior reports, GAO made a number of recommendations to DHS and TSA to
strengthen their efforts to secure the transportation network. DHS and TSA
generally agreed with the recommendations and have taken steps to
implement some of them.

In August 2007, GAO reported that DHS had made moderate progress in
securing the aviation and surface transportation networks, but that more
work remains. Specifically, of the 24 performance expectations GAO
identified in the area of aviation security, GAO reported that DHS had
generally achieved 17 of these expectations and had generally not achieved
7 expectations. With regard to the security of surface modes of
transportation, GAO reported that DHS generally achieved three performance
expectations and had generally not achieved two others. DHS and TSA have
made progress in many areas related to securing commercial aviation. For
example, TSA has undertaken efforts to strengthen airport security;
provide and train a screening workforce; prescreen passengers against
terrorist watch lists; and screen passengers, baggage, and cargo. With
regard to surface transportation modes, TSA has taken steps to develop a
strategic approach for securing mass transit, passenger and freight rail,
commercial vehicles, highways, and pipelines; establish security standards
for certain transportation modes; and conduct threat, criticality, and
vulnerability assessments of surface transportation assets, particularly
passenger and freight rail. TSA also hired and deployed compliance
inspectors and conducted inspections of passenger and freight rail
systems.

While these efforts have helped to strengthen the security of the
transportation network, DHS and TSA still face a number of key challenges
in further securing these systems. For example, regarding commercial
aviation, TSA has faced difficulties in developing and implementing its
advanced passenger prescreening system, known as Secure Flight, and has
not yet completed development efforts. In addition, TSA's efforts to
enhance perimeter security at airports may not be sufficient to provide
for effective security. TSA has also initiated efforts to evaluate the
effectiveness of security-related technologies, such as biometric
identification systems, but has not developed a plan for implementing new
technologies to meet the security needs of individual airports. TSA has
also not yet effectively deployed checkpoint technologies to address key
existing vulnerabilities, and has not yet developed and implemented
technologies needed to screen air cargo. Further, while TSA has initiated
efforts to develop security standards for surface transportation modes,
these efforts have been limited to passenger and freight rail, and have
not addressed commercial vehicles or highway infrastructure, including
bridges and tunnels. GAO also reported that a number of issues have
impeded DHS's efforts in implementing its mission and management
functions, including not always implementing effective strategic planning,
or fully adopting and applying a risk management approach with respect to
transportation security.

References

Visible links
  15. http://www.gao.gov/cgi-bin/getrpt?GAO-07-454
  16. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1081T
  17. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1240T
  18. http://www.gao.gov/cgi-bin/getrpt?GAO-07-454
  19. http://www.gao.gov/cgi-bin/getrpt?GAO-06-597T
  20. http://www.gao.gov/cgi-bin/getrpt?GAO-04-728
  21. http://www.gao.gov/cgi-bin/getrpt?GAO-06-597T
  22. http://www.gao.gov/cgi-bin/getrpt?GAO-04-728
  23. http://www.gao.gov/cgi-bin/getrpt?GAO-06-597T
  24. http://www.gao.gov/cgi-bin/getrpt?GAO-04-728
  25. http://www.gao.gov/cgi-bin/getrpt?GAO-05-106
  26. http://www.gao.gov/cgi-bin/getrpt?GAO-06-982
  27. http://www.gao.gov/cgi-bin/getrpt?GAO-05-106
  28. http://www.gao.gov/cgi-bin/getrpt?GAO-06-982
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-06-864T
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-07-448T
  31. http://www.gao.gov/cgi-bin/getrpt?GAO-07-346
  32. http://www.gao.gov/cgi-bin/getrpt?GAO-07-634
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-623R
  34. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1173
  35. http://www.gao.gov/cgi-bin/getrpt?GAO-06-371T
  36. http://www.gao.gov/cgi-bin/getrpt?GAO-06-371T
  37. http://www.gao.gov/cgi-bin/getrpt?GAO-06-371T
  38. http://www.gao.gov/cgi-bin/getrpt?GAO-06-869
  39. http://www.gao.gov/cgi-bin/getrpt?GAO-06-371T
  40. http://www.gao.gov/cgi-bin/getrpt?GAO-07-448T
  41. http://www.gao.gov/cgi-bin/getrpt?GAO-06-76
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-07-660
  43. http://www.gao.gov/cgi-bin/getrpt?GAO-06-76
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-07-660
  45. http://www.gao.gov/cgi-bin/getrpt?GAO-06-181T
  46. http://www.gao.gov/cgi-bin/getrpt?GAO-07-225T
  47. http://www.gao.gov/cgi-bin/getrpt?GAO-06-181T
  48. http://www.gao.gov/cgi-bin/getrpt?GAO-07-225T
  49. http://www.gao.gov/cgi-bin/getrpt?GAO-06-181T
  50. http://www.gao.gov/cgi-bin/getrpt?GAO-05-851
  51. http://www.gao.gov/cgi-bin/getrpt?GAO-07-583T
  52. http://www.gao.gov/cgi-bin/getrpt?GAO-06-181T
  53. http://www.gao.gov/cgi-bin/getrpt?GAO-07-583T
  54. http://www.gao.gov/cgi-bin/getrpt?GAO-07-700T
  55. http://www.gao.gov/cgi-bin/getrpt?GAO-07-660
  56. http://www.gao.gov/cgi-bin/getrpt?GAO-07-729
  57. http://www.gao.gov/cgi-bin/getrpt?GAO-07-634
  58. http://www.gao.gov/cgi-bin/getrpt?GAO-07-634
  59. http://www.gao.gov/cgi-bin/getrpt?GAO-03-760
  60. http://www.gao.gov/cgi-bin/getrpt?GAO-05-207
  61. http://www.gao.gov/cgi-bin/getrpt?GAO-07-454
  62. http://www.gao.gov/cgi-bin/getrpt?GAO-07-660
  63. http://www.gao.gov/cgi-bin/getrpt?GAO-07-660
  64. http://www.gao.gov/cgi-bin/getrpt?GAO-05-851
  65. http://www.gao.gov/cgi-bin/getrpt?GAO-07-891R
  66. http://www.gao.gov/cgi-bin/getrpt?GAO-05-851
  67. http://www.gao.gov/
  68. http://www.gao.gov/
  69. http://www.gao.gov/fraudnet/fraudnet.htm
  70. mailto:[email protected]
  71. mailto:[email protected]
  72. mailto:[email protected]
  73. http://www.gao.gov/cgi-bin/getrpt?GAO-08-140T
  74. http://www.gao.gov/cgi-bin/getrpt?GAO-08-140T
*** End of document. ***