Transportation Security: TSA Has Developed a Risk-Based Covert	 
Testing Program, but Could Better Mitigate Aviation Security	 
Vulnerabilities Identified Through Covert Tests (08-AUG-08,	 
GAO-08-958).							 
                                                                 
The Transportation Security Administration (TSA) uses undercover,
or covert, testing to approximate techniques that terrorists may 
use to identify vulnerabilities in and measure the performance of
airport security systems. During these tests, undercover	 
inspectors attempt to pass threat objects through passenger and  
baggage screening systems, and access secure airport areas. In	 
response to a congressional request, GAO examined (1) TSA's	 
strategy for conducting covert testing of the transportation	 
system and the extent to which the agency has designed and	 
implemented its covert tests to achieve identified goals; and (2)
the results of TSA's national aviation covert tests conducted	 
from September 2002 to June 2007, and the extent to which TSA	 
uses the results of these tests to mitigate security		 
vulnerabilities. To conduct this work, GAO analyzed covert	 
testing documents and data and interviewed TSA and transportation
industry officials.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-958 					        
    ACCNO:   A83429						        
  TITLE:     Transportation Security: TSA Has Developed a Risk-Based  
Covert Testing Program, but Could Better Mitigate Aviation	 
Security Vulnerabilities Identified Through Covert Tests	 
     DATE:   08/08/2008 
  SUBJECT:   Airlines						 
	     Airport security					 
	     Airports						 
	     Aviation						 
	     Baggage screening					 
	     Combating terrorism				 
	     Commercial aviation				 
	     Critical infrastructure				 
	     Data collection					 
	     Government information dissemination		 
	     Homeland security					 
	     Inspection 					 
	     Internal controls					 
	     Passenger screening				 
	     Passenger screening systems			 
	     Performance measures				 
	     Product evaluation 				 
	     Program evaluation 				 
	     Program management 				 
	     Risk management					 
	     Search and seizure 				 
	     Security threats					 
	     Strategic planning 				 
	     System vulnerabilities				 
	     Systems testing					 
	     Terrorists 					 
	     Testing						 
	     Transportation planning				 
	     Transportation policies				 
	     Transportation safety				 
	     Transportation security				 
	     program goals or objectives			 
	     Program implementation				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-958
This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 

GAO: 

August 2008: 

Transportation Security: 

TSA Has Developed a Risk-Based Covert Testing Program, but Could Better 
Mitigate Aviation Security Vulnerabilities Identified Through Covert 
Tests: 

Transportation Security: 

GAO-08-958: 

GAO Highlights: 

Highlights of GAO-08-958, a report to the Chairman, Committee on 
Homeland Security, House of Representatives. 

Why GAO Did This Study: 

The Transportation Security Administration (TSA) uses undercover, or 
covert, testing to approximate techniques that terrorists may use to 
identify vulnerabilities in and measure the performance of airport 
security systems. During these tests, undercover inspectors attempt to 
pass threat objects through passenger and baggage screening systems, 
and access secure airport areas. In response to a congressional 
request, GAO examined (1) TSAï¿½s strategy for conducting covert testing 
of the transportation system and the extent to which the agency has 
designed and implemented its covert tests to achieve identified goals; 
and (2) the results of TSAï¿½s national aviation covert tests conducted 
from September 2002 to June 2007, and the extent to which TSA uses the 
results of these tests to mitigate security vulnerabilities. To conduct 
this work, GAO analyzed covert testing documents and data and 
interviewed TSA and transportation industry officials. 

What GAO Found: 

TSA has designed and implemented risk-based national and local covert 
testing programs to achieve its goals of identifying vulnerabilities in 
and measuring the performance the aviation security system, and has 
begun to determine the extent to which covert testing will be used in 
non-aviation modes of transportation. TSAï¿½s Office of Inspection (OI) 
used information on terrorist threats to design and implement its 
national covert tests and determine at which airports to conduct tests 
based on the likelihood of a terrorist attack. However, OI did not 
systematically record the causes of test failures or practices that 
resulted in higher pass rates for tests. Without systematically 
recording reasons for test failures, such as failures caused by 
screening equipment not working properly, as well as reasons for test 
passes, TSA is limited in its ability to mitigate identified 
vulnerabilities. OI officials stated that identifying a single cause 
for a test failure is difficult since failures can be caused by 
multiple factors. TSA recently redesigned its local covert testing 
program to more effectively measure the performance of passenger and 
baggage screening systems and identify vulnerabilities. However, it is 
too early to determine whether the program will meet its goals since it 
was only recently implemented and TSA is still analyzing the results of 
initial tests. While TSA has a well established covert testing program 
in commercial aviation, the agency does not regularly conduct covert 
tests in non-aviation modes of transportation. Furthermore, select 
domestic and foreign transportation organizations and DHS components 
use covert testing to identify security vulnerabilities in non-aviation 
settings. However, TSA lacks a systematic process for coordinating with 
these organizations. 

TSA covert tests conducted from September 2002 to June 2007 have 
identified vulnerabilities in the commercial aviation system at 
airports of all sizes, and the agency could more fully use the results 
of tests to mitigate identified vulnerabilities. While the specific 
results of these tests and the vulnerabilities they identified are 
classified, covert test failures can be caused by multiple factors, 
including screening equipment that does not detect a threat item, 
Transportation Security Officers (TSOs), formerly known as screeners, 
not properly following TSA procedures when screening passengers, or TSA 
screening procedures that do not provide sufficient detail to enable 
TSOs to identify the threat item. TSAï¿½s Administrator and senior 
officials are routinely briefed on covert test results and are provided 
with test reports that contain recommendations to address identified 
vulnerabilities. However, TSA lacks a systematic process to ensure that 
OIï¿½s recommendations are considered and that the rationale for 
implementing or not implementing OIï¿½s recommendations is documented. 
Without such a process, TSA is limited in its ability to use covert 
test results to strengthen aviation security. TSA officials stated that 
opportunities exist to improve the agencyï¿½s processes in this area. 

In May 2008, GAO issued a classified report on TSAï¿½s covert testing 
program. That report contained information that was deemed either 
classified or sensitive. This version of the report summarizes our 
overall findings and recommendations while omitting classified or 
sensitive security information. 

What GAO Recommends: 

To ensure that TSA is more fully using the results of covert tests, GAO 
recommends that TSA document causes of test failures; as TSA explores 
the use of covert testing in non-aviation modes of transportation, 
coordinate with transportation organizations that conduct covert tests; 
and develop a systematic process to evaluate covert testing 
recommendations. DHS and TSA reviewed a draft of this report and 
concurred with GAOï¿½s recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.GAO-08-958]. For more information, contact 
Cathleen A. Berrick at (202) 512-3404 or [email protected]. 

[End of section] 

Report to the Chairman, Committee on Homeland Security, House of 
Representatives: 

Contents: 

Letter: 

Results in Brief: 

Background: 

TSA Has a Risk-Based Covert Testing Strategy to Identify 
Vulnerabilities and Measure the Performance of Selected Aviation 
Security Systems, but Could Strengthen Its Testing Efforts: 

TSA Could More Fully Use the Results of Covert Tests to Mitigate 
Security Vulnerabilities Identified in the Commercial Aviation System: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Homeland Security: 

Figures: 

Figure 1: TSA's Passenger Checkpoint and Checked Baggage Screening 
Operations and Equipment: 

Figure 2: Diagram of Security Areas at a Typical Commercial Airport: 

Abbreviations: 

AAR: American Association of Railroads: 

AOA: Air Operations Area: 

APTA: American Public Transportation Association: 

ASAP: Aviation Screening Assessment Program: 

ATSA: Aviation and Transportation Security Act: 

CBP: Customs and Border Patrol: 

DHS: Department of Homeland Security: 

DNDO: Domestic Nuclear Detection Office: 

DOT: Department of Transportation: 

EDS: Explosive Detection System: 

ETD: Explosive Trace Detection: 

FAA: Federal Aviation Administration: 

FSD: Federal Security Director: 

IED: Improvised Explosive Device: 

IRD: Internal Reviews Division: 

OI: Office of Inspection: 

OSO: Office of Security Operations: 

SIDA: Security Identification Display Area: 

STEA: Screener Training Exercises and Assessments: 

TSA: Transportation Security Administration: 

TSNM: Transportation Sector Network Management: 

TSO: Transportation Security Officer: 

TS-SSPP: Transportation System Sector Specific Plan: 

United States Government Accountability Office: 

Washington, DC 20548: 

August 8, 2008: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

Dear Mr. Chairman: 

The March 2004 bombings of the rail system in Spain, July 2005 bombings 
of London's subway system, and August 2006 alleged terror plot to bring 
liquid explosives through airport security checkpoints in the United 
Kingdom and detonate them on board aircraft bound for the United 
States, are striking reminders that transportation systems have 
continued to be a target for terrorist attack. After the September 11, 
2001 terrorist attacks, the Aviation and Transportation Security Act 
(ATSA) was enacted, creating the Transportation Security Administration 
(TSA) and mandating that it assume responsibility for security in all 
modes of transportation.[Footnote 1] For the last 5 years, TSA has 
spent billions of dollars to screen airline passengers and checked 
baggage and to implement regulations and initiatives designed to 
strengthen the security of commercial aviation. TSA has also taken 
action to strengthen the security of surface modes of transportation, 
which includes mass transit and passenger rail, freight rail, and 
highways. Despite varying levels of progress in these respective areas, 
questions remain about the effectiveness of TSA's security programs and 
procedures. 

One method that can be used to identify and mitigate vulnerabilities, 
measure the effectiveness of security programs, and identify needed 
changes to training procedures and technologies is undercover, or 
covert testing--also known as red team testing--which was advocated by 
the President's July 2002 National Strategy for Homeland Security to 
identify security vulnerabilities in the nation's critical 
infrastructure and to help prepare for terrorist attacks.[Footnote 2] 
Regarding aviation security, and in accordance with requirements 
established in law, TSA conducts covert testing of passenger and 
checked baggage screening operations, as well as airport perimeter 
security and access controls, and requires that Transportation Security 
Officers (TSO) who fail tests to undergo remedial training.[Footnote 3] 
Prior to the creation of TSA, the Federal Aviation Administration (FAA) 
was responsible for ensuring compliance with aviation screening 
regulations and testing the performance of passenger and checked 
baggage systems in detecting threat objects. TSA began conducting 
covert testing in commercial aviation in September 2002. Covert testing 
is conducted at the national level by TSA's Office of Inspection (OI) 
and at the local, or individual airport level by the Office of Security 
Operations (OSO)--the division within TSA responsible for overseeing 
passenger and checked baggage screening at airports. During these 
tests, undercover inspectors attempt to pass threat objects, such as 
simulated explosive devices, through airport passenger screening 
checkpoints and checked baggage screening systems. Inspectors also 
attempt to access secure areas of the airport undetected, such as 
through doorways leading to aircraft and the airport's perimeter. The 
tests are designed to approximate techniques that terrorists may use in 
order to identify vulnerabilities in the people, processes, and 
technologies that comprise the aviation security system. With respect 
to some non-aviation modes of transportation, specifically mass 
transit, passenger rail, and maritime ferries, TSA has initiated pilot 
programs designed to test the feasibility of implementing screening of 
passengers at a centralized checkpoint, similar to the aviation system. 
According to OI officials, during these pilot programs, OI conducted 
covert testing to determine if they could pass threat objects through 
the passenger screening procedures and equipment that was being tested 
in these systems. In addition, TSA's May 2007 Transportation System 
Sector Specific Plan (TS-SSP) for mass transit describes TSA's strategy 
for securing mass transit and passenger rail, and encourages that 
transit and rail agencies should develop covert testing exercises. 

We have previously reported on the results of TSA's national and local 
aviation covert tests, both of which have identified vulnerabilities in 
the aviation security system, and the results of our investigators' 
tests of TSA's passenger checkpoint and checked baggage security 
systems, which have also identified vulnerabilities. The Department of 
Homeland Security (DHS) Office of Inspector General has also conducted 
its own covert testing of airport passenger and checked baggage 
screening, as well as perimeters and access controls, and has also 
identified vulnerabilities in these areas, most recently in March 
2007.[Footnote 4] 

In light of the security vulnerabilities that covert testing has 
identified and concerns regarding the effectiveness of existing 
security procedures, you asked that we review TSA's national and local 
covert testing programs. In response, on May 13, 2008, we issued a 
classified report addressing the following key questions: (1) What is 
TSA's strategy for conducting covert testing of the transportation 
system, and to what extent has the agency designed and implemented its 
covert tests to achieve identified goals? and (2) What have been the 
results of TSA's national aviation covert tests conducted from 
September 2002 to June 2007, and to what extent does TSA use the 
results of these tests to mitigate security vulnerabilities in the 
commercial aviation system? 

As our May 2008 report contained information that was deemed to be 
either classified or sensitive, this version of the report is intended 
to generally summarize our overall findings and recommendations while 
omitting classified or sensitive security information about TSA's 
covert testing processes and the results of TSA's covert tests 
conducted from September 2002 to June 2007. As our intent in preparing 
this report is to convey, in a publicly available format, the non- 
classified, non sensitive results of the classified May 2008 report, we 
did not attempt to update the information here to reflect changes that 
may have occurred since the publication of the May 2008 report. 

To identify TSA's strategy for conducting covert testing of the 
transportation system and the extent to which the agency has designed 
and implemented tests to achieve its goals, we reviewed applicable 
laws, regulations, policies, and procedures for national and local 
covert testing. We interviewed TSA OI officials responsible for 
conducting national aviation covert tests, and OSO officials 
responsible for local aviation covert tests, regarding TSA's strategy 
for designing and implementing these tests, including the extent to 
which they used threat information to guide their efforts. We also 
observed OI inspectors during covert tests at seven airports, including 
airports with heavy passenger traffic and those with just a few flights 
per day, as well as airports with both TSOs and contract 
screeners.[Footnote 5] During these covert tests, we accompanied OI 
inspectors during all phases of the test including planning, testing, 
and post-test reviews with TSOs and their supervisors. We interviewed 
TSOs and their supervisors that were involved in covert tests at each 
airport where we observed tests to discuss their experience with the 
national and local covert testing programs. We also interviewed the 
Federal Security Director (FSD) at each airport where we observed 
covert tests to obtain their views of the testing program and the 
results of tests at their airports.[Footnote 6] While these seven 
airports represent reasonable variations in size and geographic 
locations, our observations of OI's covert tests and the perspectives 
provided by TSA officials at these airports cannot be generalized 
across all commercial airports. However, our observations at the seven 
airports provided us with an overall understanding of how OI conducts 
covert tests and useful insights provided by TSOs, their supervisors, 
and FSDs at these airports. We also reviewed TSA's procedures for 
screening passenger and checked baggage to determine how these 
procedures are used in designing and implementing national aviation 
covert tests. We interviewed OI officials and officials from TSA's 
Office of Transportation Sector Network Management (TSNM), which is 
responsible for developing security policies for non-aviation modes of 
transportation, regarding the extent to which covert testing has been 
conducted in non-aviation modes, the applicability of covert testing in 
other modes, and future plans for conducting covert testing in other 
modes. To understand how entities outside of TSA have used covert 
testing in non-aviation modes of transportation, we interviewed 
officials from DHS components and organizations that conduct covert 
testing, including U.S. Customs and Border Protection, DHS Domestic 
Nuclear Detection Office (DNDO), Amtrak, the United Kingdom's 
Department for Transport Security (TRANSEC), and transportation 
industry associations, such as the American Association of Railroads 
and the American Public Transportation Association. 

To determine the results of TSA's national covert tests and the extent 
to which TSA used the results of these tests to mitigate security 
vulnerabilities in the aviation system, we obtained and analyzed a 
database of the results of TSA's national covert tests conducted from 
September 2002 to June 2007. To determine how TSA gathers covert 
testing data, we reviewed the data collection instruments used at the 
airports where we observed covert tests, as well as other methods OI 
uses to gather covert testing data and observations. We also reviewed 
TSA's internal controls for collecting and maintaining the results of 
covert tests. We assessed the reliability of TSA's covert testing data 
and the systems used to produce the data by interviewing agency 
officials responsible for maintaining the database. We determined that 
the data were sufficiently reliable for our analysis and the purposes 
of this report. We also interviewed OI officials regarding how the 
results of covert tests are used in developing their recommendations to 
TSA management. We reviewed OI reports on the results of covert tests 
completed between March 2003 and June 2007 that were submitted to TSA's 
Administrator and OSO to identify OI's recommendations for mitigating 
the vulnerabilities identified during covert tests. We further obtained 
and analyzed a summary of the actions that OSO had taken to address 
OI's recommendations for mitigating vulnerabilities made from March 
2003 to June 2007. More detailed information on our scope and 
methodology is contained in appendix I. 

We conducted this performance audit from October 2006 to May 2008, in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results in Brief: 

TSA has designed and implemented risk-based national and local covert 
testing programs to achieve its goals of identifying vulnerabilities in 
and measuring the performance of passenger checkpoint and checked 
baggage screening systems and airport perimeters and access controls, 
and has begun to determine the extent to which covert testing will be 
used to identify vulnerabilities and measure the effectiveness of 
security practices related to non-aviation modes of transportation. OI 
used information on terrorist threats to design and implement its 
national covert tests and determine at which airports to conduct tests 
based on analyses of risks. However, OI inspectors did not 
systematically record specific causes for test failures related to 
TSOs, procedures, or screening equipment that did not work properly. 
Standards for Internal Control in the Federal Government identify that 
information should be recorded and communicated to management and 
others in a form and within a time frame that enables them to carry out 
their internal control and other responsibilities.[Footnote 7] OI 
officials stated that they do not record information on equipment 
failures because there is a possibility that the threat item was not 
designed properly and therefore should not have set off the alarm, and 
identifying a single cause for a test failure is difficult since covert 
testing failures can be caused by multiple factors. OI also did not 
systematically collect and analyze information on effective screening 
practices that may contribute to TSOs' ability to detect threat items, 
which could allow TSA to identify actions that may help improve 
screening performance across the system. Without systematically 
recording reasons for test failures, such as failures caused by 
screening equipment not working properly, as well as reasons for test 
passes, TSA is limited in its ability to mitigate identified 
vulnerabilities. Regarding TSA's local aviation covert testing program, 
the agency recently redesigned the program to address the limitations 
of the previous program, such as inconsistent structure and frequency 
of tests across airports. The new program, called the Aviation 
Screening Assessment Program (ASAP), is also risk-based, with tests 
being designed to mirror threat items that may be used by terrorists 
based on threat information. If implemented effectively, ASAP should 
provide TSA with a measure of the performance of passenger and checked 
baggage screening systems and help to identify security 
vulnerabilities. However, since the program was only recently 
implemented, it is too soon to determine whether ASAP will meet its 
goals of identifying vulnerabilities and measuring the performance of 
passenger and checked baggage screening systems. Furthermore, TSA has 
just begun to determine the extent to which covert testing will be used 
to identify vulnerabilities and measure the effectiveness of security 
practices in non-aviation modes of transportation. While TSA 
coordinates with domestic and foreign transportation organizations and 
DHS component agencies regarding its security efforts, they do not have 
a systematic process in place to coordinate with these organizations 
regarding covert testing in non-aviation settings, and opportunities 
for TSA to learn from these organizations' covert testing efforts 
exist. 

TSA's national aviation covert testing program has identified 
vulnerabilities in selected aspects of the commercial aviation security 
system at airports of all sizes, however, the agency is not fully using 
the results of these tests to mitigate identified vulnerabilities. The 
specific results of these tests are classified and are presented in our 
classified May 2008 report. Although national covert test results 
provide only a snapshot of the effectiveness of airport security 
screening and cannot be considered a measurement of performance because 
the tests were not conducted using the principles of probability 
sampling, tests can be used to identify vulnerabilities in the 
commercial aviation security system. Covert test failures have been 
caused by various factors, including TSOs not properly following TSA 
procedures when screening passengers, screening equipment that does not 
detect a threat item, and TSA screening procedures that do not provide 
sufficient detail to enable TSOs to identify a threat item. Senior TSA 
officials, including TSA's Administrator, are routinely briefed on the 
results of covert tests and provided with OI reports that describe the 
vulnerabilities identified by these tests and recommendations to 
correct identified vulnerabilities. However, OSO, the office within TSA 
responsible for passenger and checked baggage screening, lacks a 
systematic process to ensure that OI's recommendations are considered, 
and does not systematically document its rationale for why it did or 
did not implement OI's recommendations. From March 2003 through June 
2007, OI made 43 recommendations to OSO designed to mitigate 
vulnerabilities identified through covert tests. These recommendations 
related to providing additional training to TSOs and revising or 
clarifying existing TSA screening procedures, such as procedures for 
screening passengers and checked baggage. To date, OSO has taken 
actions to implement 25 of OI's 43 recommendations. OSO and OI also do 
not have a process in place to assess whether the corrective action 
implemented mitigated the identified vulnerabilities through follow-up 
national or local covert tests. According to OSO officials, TSA has 
other methods in place to identify whether corrective actions or other 
changes are effective; however, officials did not provide specific 
information regarding these methods. For the remaining 18 of OI's 43 
recommendations, OSO either took no action to address the 
recommendation or it is unclear how the action they took addressed the 
recommendation. Moreover, in those cases where OSO took no action to 
address OI's recommendation, they did not systematically document their 
rationale for why they took no action. Standards for Internal Control 
in the Federal Government identify that managers are to promptly 
evaluate findings, determine proper actions, and complete these actions 
to correct matters. In the absence of a systematic process for 
considering OI's recommendations, documenting their decision-making 
process, and evaluating whether corrective actions mitigated identified 
vulnerabilities, TSA is limited in its ability to use covert testing 
results to improve the security of the commercial aviation system. 
According to OSO officials, opportunities exist to improve OSO's 
internal processes for considering OI's recommendations and documenting 
its rationale for implementing or not implementing these 
recommendations. OSO senior leadership stated that they were committed 
to enhancing its partnership with OI and improving its processes for 
ensuring that OI recommendations are communicated to and considered by 
the appropriate TSA officials. 

To better ensure that TSA is fully using the results of covert tests to 
identify and mitigate vulnerabilities in the transportation security 
system, we recommended in our May 2008 classified report that the 
Secretary of Homeland Security direct the Assistant Secretary for TSA 
to develop a systematic process for gathering and analyzing specific 
causes of all national aviation covert testing failures, record 
information on screening equipment that may not be working properly 
during covert tests, and identify effective practices used at airports 
that perform well on covert tests. In addition, as TSA explores the use 
of covert testing in non-aviation modes of transportation, we 
recommended that the agency coordinate with organizations that already 
conduct these tests to learn from their experiences. Further, we 
recommended that the Secretary of Homeland Security direct the 
Assistant Secretary for TSA to develop a systematic process to ensure 
that OSO considers all recommendations made by OI as a result of covert 
tests and systematically documents their rationale for either 
implementing or not implementing these recommendations. Finally, we 
recommended that when OSO implements OI's recommendations, they should 
evaluate whether the action taken has addressed the vulnerability 
identified through the covert tests, which could include the use of 
follow-up national or local covert tests or through other means 
determined by OSO. 

We provided a draft of this report to DHS and TSA for review. DHS, in 
its written comments, concurred with the findings and recommendations 
in the report. The full text of DHS's comments is included in appendix 
II. 

Background: 

Congress and the Administration have advocated the use of covert or red 
team testing in all modes of transportation. Following the terrorist 
attacks on September 11, 2001, on November 19, 2001, the President 
signed ATSA into law, with the primary goal of strengthening the 
security of the nation's commercial aviation system.[Footnote 8] ATSA 
created TSA within the Department of Transportation (DOT) as the agency 
responsible for securing all modes of transportation. Among other 
things, ATSA mandated that TSA assume responsibility for screening 
passengers and their property, which includes the hiring, training, and 
testing of the screening workforce.[Footnote 9] ATSA also mandated that 
TSA conduct annual proficiency reviews and provide for the operational 
testing of screening personnel, and that TSA provide remedial training 
to any screener who fails such tests. In 2002, the President issued The 
National Strategy for Homeland Security that supports developing red 
team tactics in order to identify vulnerabilities in security measures 
at our Nation's critical infrastructure sectors, including the 
transportation sector. In 2007, TSA issued the TS-SSP that outlines its 
strategy and associated security programs to secure the transportation 
sector.[Footnote 10] While the TS-SSP does not address covert testing 
in aviation, it does identify that mass transit and passenger rail 
operators should develop covert testing exercises. Moreover, the 
Implementing Recommendations of the 9/11 Commission Act of 2007 
requires DHS to develop and implement the National Strategy for 
Railroad Transportation Security, which is to include prioritized 
goals, actions, objectives, policies, mechanisms, and schedules for 
assessing the usefulness of covert testing of railroad security 
systems.[Footnote 11] Furthermore, the explanatory statement 
accompanying Division E of the Consolidated Appropriations Act, 2008 
(the DHS Appropriations Act, 2008), directs TSA to be more proactive in 
red teaming for all modes of transportation.[Footnote 12] Specifically, 
the statement directs approximately $6 million of TSA's appropriated 
funds for red team activities to identify potential vulnerabilities and 
weaknesses in airports and air cargo facilities, as well as in transit, 
rail, and ferry systems. 

Prior to the creation of TSA, the Department of Transportation's 
Federal Aviation Administration (FAA) monitored the performance of 
airport screeners. FAA created the "red team," as it came to be known, 
to assess the commercial aviation industry's compliance with FAA 
security requirements and to test whether U.S. aviation passenger and 
checked baggage screening systems were able to detect explosives and 
other threat items. TSA began its covert testing program in September 
2002. TSA's covert testing program consists of a nationwide commercial 
aviation testing program conducted by OI, and a local commercial 
airport testing program implemented by OSO and FSDs at each airport. 

TSA's National Covert Testing Program for Commercial Aviation: 

OI conducts national covert tests of three aspects of aviation security 
at a commercial airport: (1) passenger checkpoint; (2) checked baggage; 
and (3) access controls to secure areas and airport perimeters. OI 
conducts covert tests by having undercover inspectors attempt to pass 
threat objects, such as guns, knives, and simulated improvised 
explosive devices (IED), through passenger screening checkpoints and in 
checked baggage, and to attempt to access secure areas of the airport 
undetected. OI officials stated that they derived their covert testing 
protocols and test scenarios from prior FAA red team protocols, but 
updated the threat items used and increased the difficulty of the 
tests. According to OI officials, they also began conducting tests at 
airports on a more frequent basis than FAA. Initially, OI conducted 
tests at all of the estimated 450 commercial airports nationwide on a 3-
year schedule, with the largest and busiest airports being tested each 
year.[Footnote 13] TSA also began using threat information to make 
tests more closely replicate tactics that may be used by terrorists. 

The number of covert tests that OI conducts during testing at a 
specific airport varies by the size of the airport. The size of the OI 
testing teams also varies depending upon the size of the airport being 
tested, the number of tests that OI plans to conduct, and the number of 
passenger checkpoints and access points to secure areas at a particular 
airport. OI testing teams consist of a team leader who observes the 
tests and leads post-test reviews with TSOs, and inspectors who 
transport threat items through passenger checkpoints and secure airport 
areas and record test results. Team leaders usually have previous 
federal law enforcement experience, while inspectors often include 
program analysts, administrative personnel, and other TSA personnel. 
Prior to testing, each team leader briefs their team to ensure that 
everyone understands their role, the type of test to be conducted, and 
the threat item they will be using. For tests at passenger checkpoints 
and in checked baggage, OI uses different IED configurations and places 
these IEDs in various areas of each inspector's body and checked 
baggage to create different test scenarios. Figure 1 provides an 
overview of TSA's passenger checkpoint and checked baggage screening 
operations and equipment. 

Figure 1: TSA's Passenger Checkpoint and Checked Baggage Screening 
Operations and Equipment: 

This figure is a visual depiction of TSA's passenger checkpoint and 
checked baggage screening operations and equipment. 

[See PDF for image] 

Source: GAO and Nova Development Corporation. 

[End of figure] 

According to OI officials, on the day of testing, OI typically notifies 
the airport police about one half hour, and the local FSD 5 minutes, 
before testing begins and instructs them not to notify the TSOs that 
testing is being conducted. OI officials stated that they provide this 
notification for security and safety reasons. 

Covert Testing Procedures at Passenger Checkpoints: 

During passenger checkpoint testing, each team of inspectors carries 
threat items through the passenger checkpoint. If the TSO identifies 
the threat item during screening, the inspector identifies him or 
herself to the TSO and the test is considered a pass. If the TSO does 
not identify the threat item, the inspector proceeds to the sterile 
area of the airport and the test is considered a failure. For each 
test, inspectors record the steps taken by the TSO during the screening 
process and test results, and the team leader assigns any requirements 
for remedial training as a consequence of a failed test. The specific 
types of covert tests conducted by TSA at the passenger checkpoint is 
sensitive security information and cannot be described in this report. 

Covert Testing Procedures for Checked Baggage: 

Covert tests of checked baggage are designed to measure the 
effectiveness of the TSOs' ability to utilize existing checked baggage 
screening equipment, not to test the effectiveness of the screening 
equipment. In covert tests of checked baggage screening, an inspector 
poses as a passenger and checks their baggage containing a simulated 
threat item at the airline ticket counter. The bag is then screened by 
TSOs using one of two checked baggage screening methods. At airports 
that have explosive detection systems (EDS), the TSO uses these 
machines to screen each bag.[Footnote 14] At airports that do not have 
EDS and at airports where certain screening stations do not have EDS, 
such as curbside check-in stations, the TSOs use an Explosive Trace 
Detection (ETD) machine to screen checked baggage. During the ETD 
screening process of both carry-on and checked baggage, TSOs attempt to 
detect explosives on passengers' baggage by swabbing the target area 
and submitting the swab into the ETD machine for chemical 
analysis.[Footnote 15] If the machine detects an explosive substance, 
it alarms, and produces a readout indicating the specific type of 
explosive detected. The TSO is then required to resolve the alarm by 
performing additional screening steps such as conducting a physical 
search of the bag or conducting further ETD testing on and X-raying of 
footwear. When testing EDS and ETD screening procedures, OI uses fully 
assembled objects such as laptop computers, books, or packages. 

Whether using EDS or ETD, if the TSO fails to identify the threat item, 
the inspectors immediately identify themselves to stop the checked 
baggage from being sent for loading onto the aircraft, and the test is 
considered a failure. If the TSO identifies the threat item, the 
inspectors also identify themselves and the test is considered a pass. 
If the OI inspector determines that the test failure was due to the 
screening equipment not working correctly, the test is considered 
invalid. OI conducts two types of checked baggage covert tests: 

* Opaque object: This test is designed to determine if a TSO will 
identify opaque objects on the X-ray screen and conduct a physical 
search of the checked bag. During these tests, OI inspectors conceal a 
threat item that cannot be penetrated by the X-ray and appears on the 
EDS screen as an opaque object among normal travel objects within 
checked baggage. 

* IED in bag: This test is designed to determine if a TSO will identify 
an IED during a search of the bag and use proper ETD procedures to 
identify it as a threat. During these tests, OI inspectors conceal a 
simulated IED within checked baggage. In addition, the IED may be 
contained within other objects inside of the bag. 

Covert Testing Procedures for Access Controls: 

OI inspectors conduct covert tests to determine if they can infiltrate 
secure areas of the airport, such as jet ways or boarding doors to 
aircraft. Each U.S. commercial airport is divided into different areas 
with varying levels of security. Secure areas, security identification 
display areas (SIDA), and air operations areas (AOA) are not to be 
accessed by passengers, and typically encompass areas near terminal 
buildings, baggage loading areas, and other areas that are close to 
parked aircraft and airport facilities, including air traffic control 
towers and runways used for landing, taking off, or surface 
maneuvering. Figure 2 is a diagram of the security areas at a typical 
commercial airport. 

Figure 2: Diagram of Security Areas at a Typical Commercial Airport: 

This figure is a diagram of security areas at a typical commercial 
airport. 

[See PDF for image] 

Source: GAO. 

[End of figure] 

If inspectors are able to access secure areas of the airport or are not 
challenged by airport or airline employees, then the test is considered 
a failure. OI conducts four types of covert tests for airport access 
controls. 

* Access to SIDA: During these tests, OI inspectors who are not wearing 
appropriate identification attempt to penetrate the SIDA through access 
points, such as boarding gates, employee doors, and other entrances 
leading to secure areas to determine if they are challenged by airport 
or airline personnel. 

* Access to AOA: During these tests, OI inspectors who are not wearing 
appropriate identification attempt to penetrate access points leading 
from public areas to secured areas of the AOA, including vehicle and 
pedestrian gates through the perimeter fence, cargo areas, and general 
aviation facilities that provide a direct path to passenger aircraft in 
secure areas to determine if they are challenged by airport or airline 
personnel. 

* Access to Aircraft: During these tests, OI inspectors who are not 
wearing appropriate identification or who do not have a valid boarding 
pass attempt to penetrate access points past the passenger screening 
checkpoint which lead directly to aircraft, including boarding gates, 
employee doors, and jet ways to determine if they are challenged by 
airport or airline personnel. 

* SIDA Challenges: During these tests, OI inspectors attempt to walk 
through secure areas of the airport, such as the tarmac and baggage 
loading areas, without appropriate identification to determine if they 
are challenged by airport personnel. If not challenged, then the test 
is considered a failure. 

Post-Test Reviews and Analysis: 

After testing at the airport is complete, team leaders conduct post- 
test reviews with the TSOs, supervisors, and screening managers 
involved in the testing. These post-test reviews include a hands-on 
demonstration of the threat items used during each test and provide an 
opportunity for TSOs to ask questions about the test. According to OI 
officials, the purpose of these post-test reviews is to serve as a 
training tool for TSOs. Following the post-test review, OI officials 
meet with the airport FSD to discuss the test results and any 
vulnerabilities identified at the airport. OI also provides the FSD 
with the names of each TSO required to undergo remedial 
training.[Footnote 16] OI usually completes all aspects of its covert 
tests at an airport within several days. After completing tests at each 
airport, OI staff document test results on standardized data collection 
instruments and meet to discuss the results and identify the actions 
that they will recommend to TSA management to address the 
vulnerabilities identified by the tests. The airport testing data 
collected are then inputted into a database by OI headquarters staff, 
who develop reports that summarize the tests results and the 
vulnerabilities identified. These reports are then presented to TSA 
management, such as the Administrator. OI staff also regularly brief 
TSA's Administrator and management, such as the Assistant Administrator 
of OSO, on the results of covert tests. Since 2003, when OI completed 
its first covert testing report, most of OI's reports contained 
specific recommendations aimed at addressing the vulnerabilities 
identified during covert testing. 

TSA's Local Covert Testing Program for Commercial Aviation: 

In February 2004, OSO authorized FSDs to conduct their own testing of 
local passenger and checked baggage screening operations at their 
airports to serve as a training tool for the TSOs and to measure their 
performance. Referred to as Screener Training Exercises and Assessments 
(STEA), FSDs conducted these local covert tests using federal 
employees, such as TSOs from other local airports and other federal law 
enforcement officers, and were given discretion to determine the number 
of tests conducted at their airports, the manner with which the tests 
were conducted, and the type of tests conducted. OSO considered STEA a 
tool for training TSOs in detecting threat items, and issued modular 
bomb kits (MBS II kits) containing simulated IEDs to be used during 
local testing.[Footnote 17] During STEA tests, staff placed simulated 
IEDs in passenger and checked baggage to determine if they would be 
detected by TSOs.[Footnote 18] Unlike OI's national covert tests, STEA 
tests did not include tests of airport access controls. TSOs that 
failed STEA tests were required to undergo remedial training. In May 
2005, we reported that TSA officials stated that they had not yet begun 
to use data from STEA testing to identify training and performance 
needs for TSOs because of difficulties in ensuring that local covert 
testing was implemented consistently nationwide.[Footnote 19] For 
example, because FSDs had discretion regarding the number of tests 
conducted, some airports conducted STEA tests regularly, while others 
rarely conducted tests. In addition, we previously reported that FSDs 
had difficulty in finding enough staff to help conduct STEA tests on a 
consistent basis. OSO officials recognized the limitations of the STEA 
program and, as a result, began to re-structure the program in 
September 2006. This local covert testing program was renamed the 
Aviation Screening Assessment Program (ASAP). ASAP is designed to test 
the performance of passenger and checked baggage screening systems and 
identify security vulnerabilities at each airport. 

In April 2007, OSO began its initial 6-month cycle of ASAP, in which 
1,600 tests were conducted in each grouping of airports--Category X (27 
airports), category I (55 airports), and Category II through IV (369 
airports). OSO compliance inspectors at each airport conduct the tests. 
Specific test requirements are distributed to FSDs before the start of 
each 6-month cycle. These test requirements stipulate the percentage of 
tests to conduct during peak and non-peak passenger screening periods; 
the percentage of basic, intermediate, or advanced tests to be 
conducted; and specific types of threat items that should be used 
during each type of test, such as IEDs or weapons. Following each test, 
inspectors are to brief the TSOs, supervisors, and screening managers 
involved in the tests on the results and notify the FSD of the results. 
With the first cycle of tests initiated in April 2007, TSA officials 
plan that any recommendations resulting from ASAP tests will be 
submitted to OSO management and other offices within TSA that need to 
know the test results. Although the testing requirements, including the 
level of frequency and types of tests, will not change during the 
initial 6-month cycle to preserve the validity of the test results, TSA 
officials plan to analyze the results of the tests and evaluate the 
need to revise the structure of the tests or the type of threat items 
used after testing is complete. According to OSO officials, the first 
cycle of ASAP tests are complete, but the results are still being 
analyzed by TSA to determine the overall findings from the tests. 

Covert Testing as a Key Component of TSA's Broader Risk Management 
Approach: 

TSA's national and local aviation covert testing programs contribute to 
TSA's broader risk management approach for securing the transportation 
sector by applying principles of risk assessment to identify 
vulnerabilities in commercial aviation. Risk management is a systematic 
and analytical process to consider the likelihood that a threat will 
endanger an asset, individual, or function, and to identify actions to 
reduce the risk and mitigate the consequences of an attack. Risk 
management, as applied in the homeland security context, can help 
federal decision-makers determine where and how to invest limited 
resources within and among the various modes of transportation. In 
recent years, the President, through Homeland Security Presidential 
Directives (HSPD), and laws such as the Intelligence Reform and 
Terrorism Prevention Act of 2004, have provided that federal agencies 
with homeland security responsibilities should apply risk-based 
principles to inform their decision making regarding allocating limited 
resources and prioritizing security activities.[Footnote 20] The 9/11 
Commission recommended that the U.S. government should identify and 
evaluate the transportation assets that need to be protected, set risk- 
based priorities for defending them, select the most practical and cost-
effective ways of doing so, and then develop a plan, budget, and 
funding to implement the effort.[Footnote 21] In 2002, the President 
issued The National Strategy for Homeland Security that instructs the 
federal government to allocate resources in a balanced way to manage 
risk in our border and transportation security systems while ensuring 
the expedient flow of goods, services, and people. Further, the 
Secretary of DHS has made risk-based decision-making a cornerstone of 
departmental policy. In May 2007, TSA issued the TS-SSP and supporting 
plans for each mode of transportation that establish a system based 
risk management approach for securing the transportation sector. 

We have previously reported that a risk management approach can help to 
prioritize and focus the programs designed to combat 
terrorism.[Footnote 22] A risk assessment, one component of a risk 
management approach, consists of three primary elements: a 
vulnerability assessment, a threat assessment, and a criticality 
assessment. A vulnerability assessment is a process that identifies 
weaknesses in physical structures, personnel protection systems, 
processes, or other areas that may be exploited by terrorists, and may 
suggest options to eliminate or mitigate those weaknesses. TSA uses 
both national and local aviation covert testing as a method to identify 
and mitigate security vulnerabilities in the aviation sector. A threat 
assessment identifies and evaluates threats based on various factors, 
including capability and intentions as well as the lethality of an 
attack. Criticality assessment evaluates and prioritizes assets and 
functions in terms of specific criteria, such as their importance to 
public safety and the economy, as a basis for identifying which 
structures or processes require higher or special protection from 
attack. 

TSA Has a Risk-Based Covert Testing Strategy to Identify 
Vulnerabilities and Measure the Performance of Selected Aviation 
Security Systems, but Could Strengthen Its Testing Efforts: 

TSA has designed and implemented risk-based national and local covert 
testing programs to achieve its goals of identifying vulnerabilities in 
and measuring the performance of passenger checkpoint and checked 
baggage screening systems and airport perimeters and access controls, 
and has begun to determine the extent to which covert testing will be 
used to identify vulnerabilities and measure the effectiveness of 
security practices related to non-aviation modes of transportation. OI 
used information on terrorist threats to design and implement its 
national covert tests and determine at which airports to conduct tests 
based on analyses of risks. However, OI inspectors did not 
systematically record specific causes for test failures related to 
TSOs, procedures, or screening equipment that did work properly. OI 
also did not systematically collect and analyze information on 
effective screening practices that may contribute to TSOs ability to 
detect threat items. Without systematically recording reasons for test 
failures, such as failures caused by screening equipment not working 
properly, as well as reasons for test passes, TSA is limited in its 
ability to mitigate identified vulnerabilities. TSA recently redesigned 
its local covert testing program to address limitations in its previous 
program. The new program, ASAP, should provide TSA with a measure of 
the performance of passenger and checked baggage screening systems and 
help to identify security vulnerabilities. Furthermore, TSA has begun 
to determine the extent to which covert testing will be used to 
identify vulnerabilities and measure the effectiveness of security 
practices in non-aviation modes of transportation. While TSA 
coordinates with domestic and foreign organizations regarding 
transportation security efforts, they do not have a systematic process 
in place to coordinate with these organizations regarding covert 
testing in non-aviation settings, and opportunities for TSA to learn 
from these organizations' covert testing efforts exist. 

TSA Uses a Risk-Based Covert Testing Strategy: 

OI uses threat assessments and intelligence information to design and 
implement national covert tests that meet its goals of identifying 
vulnerabilities in passenger checkpoint and checked baggage screening 
systems, and airport perimeters and access controls. While OI currently 
focuses it covert tests on these three areas of aviation security, it 
has recently begun to establish procedures for the testing of air cargo 
facilities. According to OI officials, as of March 2008, OI has not yet 
conducted any tests of air cargo. In designing its covert tests, OI 
works with DHS's Transportation Security Laboratory to create threat 
items to be used during covert tests. OI also uses threat information 
to replicate tactics that may be used by terrorists. The tactics that 
OI uses are all designed to test the capabilities of passenger 
checkpoint and checked baggage screening systems to identify where 
vulnerabilities exist. The process OI uses to select which airports to 
test has evolved since covert testing began in September 2002 to focus 
more on those airports determined to be at greater risk of a terrorist 
attack. Initially, OI's goals were to conduct covert tests at all 
commercial airports, with tests being conducted more frequently at 
those airports with the largest number of passenger boardings than 
smaller airports with fewer flights. In August 2005, when TSA began 
focusing on the most catastrophic threats, OI changed its testing 
strategy to utilize a risk-based approach to mitigate those threats. 

OI Could Better Identify Vulnerabilities by Recording and Analyzing 
Specific Causes of Covert Testing Failures and Passes of National 
Covert Tests in Its Testing Database: 

OI inspectors record information on the results of national covert 
tests on data collection instruments after each test is conducted, 
including the extent to which TSOs properly followed TSA screening 
procedures and whether the test was passed or failed. After airport 
testing is complete, OI headquarters analysts input the covert test 
results into a centralized database. While analysts input whether the 
test was a pass or a fail and inspectors observations regarding some 
tests, they do not systematically capture OI's assessment of the cause 
of the test failure and include that information in the 
database.[Footnote 23] Test failures could be caused by (1) TSOs not 
properly following existing TSA screening procedures, (2) screening 
procedures that are not clear to TSOs, (3) screening procedures that 
lack sufficient guidance to enable TSOs to identify threat items, and 
(4) screening equipment that does not work properly. Moreover, when 
inspectors determine the cause of a covert test failure to be due to 
screening equipment, such as the walk through metal detector, the hand- 
held metal detector, or ETD not alarming in response to a threat item, 
OI considers these tests to be invalid. While OI officials stated that 
they report instances when equipment may not be working properly to the 
airport FSD and officials from the Transportation Security Laboratory, 
they do not input that equipment caused the failure in the covert 
testing database. TSA management may find this information useful in 
identifying vulnerabilities in the aviation system that relate to 
screening equipment not working properly. OI officials stated that they 
do not record information on equipment failures because there is always 
a possibility that the simulated threat item was not designed properly 
and therefore should not have set off the alarm. Further, they stated 
that DHS's Transportation Security Laboratory is responsible for 
ensuring that screening equipment is working properly. However, the 
Laboratory does not test screening equipment at airports in an 
operational environment. Furthermore, according to OI officials, 
identifying a single cause for a test failure may be difficult since 
covert testing failures can be caused by multiple factors. However, in 
discussions with OI officials about selected individual test results, 
inspectors were able in their view, in most of these cases, to identify 
the cause they believed contributed most to the test failure. According 
to the Standards for Internal Control in the Federal Government, 
information should be recorded and communicated to management and 
others in a form and within a time frame that enables them to carry out 
their internal control and other responsibilities. The Standards 
further call for pertinent information to be identified, captured, and 
distributed in a form and time frame that permits people to perform 
their duties efficiently. By not systematically inputting the specific 
causes for test failures in its database, including failures due to 
equipment, OI may be limiting its ability to identify trends that 
impact screening performance across the aviation security systems 
tested. 

In addition to not identifying reasons the inspectors believed caused 
the test failures, OI officials do not systematically record 
information on screening practices that may contribute to covert test 
passes. However, OI inspectors occasionally captured information of 
effective practices used by TSOs to detect threat items during covert 
tests in the data collection instruments used during these tests. 
Further, during covert tests that we observed, OI inspectors routinely 
discussed with us those practices used during certain tests that they 
viewed as effective, such as effective communication between TSOs and 
supervisors in identifying threat items. In 2006, OSO officials 
requested a TSA internal review of differences in checkpoint screening 
operations at three airports to identify whether the airports employed 
certain practices that contributed to their ability to detect threat 
items during covert tests, among other things. Between June and October 
2006, OI's Internal Reviews Division (IRD) reviewed passenger 
checkpoint covert test results for each airport, observed airport 
operations, interviewed TSA personnel, and reviewed documents and 
information relevant to checkpoint operations. IRD's review identified 
a number of key factors that may contribute to an airport's ability to 
detect threat items. While IRD conducted this one time review of 
effective screening practices that may have led to higher test pass 
rates, OI does not systematically collect information on those 
practices that may lead to test passes. As discussed earlier in this 
report, Standards for Internal Control in the Federal Government stated 
the need for pertinent information to be identified and captured to 
permit managers to perform their duties efficiently. Without collecting 
information on effective screening practices that, based on the 
inspectors' views, may lead to test passes, TSA managers are limited in 
their ability to identify measures that could help to improve screening 
performance across the aviation security system. 

TSA Redesigned Its Local Covert Testing Program to Address Limitations 
of Its Previous Program and to Measure the Performance of Passenger 
Checkpoint and Checked Baggage Screening: 

In April 2007, TSA initiated its local covert testing program, the 
Aviation Screening Assessment Program (ASAP). TSA is planning to use 
the results of ASAP as a statistical measure of the performance of 
passenger checkpoint and checked baggage screening systems, in addition 
as a tool to identify security vulnerabilities. TSA ASAP guidance 
applies a standardized methodology for the types and frequency of 
covert tests to be conducted in order to provide a national statistical 
sample. If implemented as planned, ASAP should provide TSA with a 
measure of the performance of passenger and checked baggage screening 
systems and help identify security vulnerabilities. According to OSO 
officials, the first cycle of ASAP tests were completed, but the 
results are still being internally analyzed by TSA to determine the 
overall findings from the tests. As a result, it is too soon to 
determine whether ASAP will meet its goals of measuring the performance 
of passenger and checked baggage screening systems and identifying 
vulnerabilities. 

Similar to OI's national covert testing program, OSO applies elements 
of risk in designing and implementing ASAP tests. Unlike national 
covert tests, the ASAP program does not use elements of a risk-based 
approach to determine the location and frequency of the tests because, 
according to TSA officials, in order to establish a national baseline 
against which TSA can measure performance, all airports must be tested 
consistently and with the same types of tests. OSO officials plan to 
analyze the results of the tests and evaluate the need to revise the 
tests or the type of threat items used after the first and second 
testing cycle and annually thereafter. Furthermore, OSO officials 
stated that they plan to assess the data, including the types of 
vulnerabilities identified and the performance of the TSOs in detecting 
threat items, and develop recommendations for mitigating 
vulnerabilities and improving screening performance. Officials stated 
that OSO also plans to conduct follow-up testing to determine whether 
vulnerabilities that were previously identified have been addressed or 
if recommendations made were effective. 

According to TSA's ASAP guidance, individuals conducting the ASAP tests 
will be required to identify specific causes for all test failures. In 
addition to identifying test failures attributed to TSOs, such as the 
TSO not being attentive to their duties or not following TSA screening 
procedures, individuals conducting ASAP tests are also required to 
identify and record causes for failures related to TSOs, screening 
procedures that TSOs said were not clear or lack sufficient detail to 
enable them to detect threat items, and screening equipment. 

OSO officials further stated that they plan to develop performance 
measures for the ASAP tests after the results of the first 6 month 
cycle of tests are evaluated. However, officials stated that 
performance measures for the more difficult category of tests will not 
be developed because these tests are designed to challenge the aviation 
security system and the pass rates are expected to be low. Furthermore, 
TSA officials stated that the results of ASAP tests will not be used to 
measure the performance of individual TSOs, FSDs, or airports, but 
rather to measure the performance of the passenger checkpoint and 
checked baggage screening system. TSA officials stated that there will 
not be a sufficient number of ASAP tests to measure individual TSO, 
FSD, or airport performance. We previously reported that TSA had not 
established performance measures for its national covert testing 
program and that doing so would enable TSA to focus its improvement 
efforts on areas determined to be most critical, as 100 percent 
detection during tests may not be attainable.[Footnote 24] While TSA 
has chosen not to establish performance measures for the national 
covert testing program, as stated above, they plan to develop such 
measures for only the less difficult ASAP tests. 

Covert Testing in Non-Aviation Modes of Transportation: 

Since the initiation of TSA's covert testing program in 2002, the 
agency has focused on testing commercial aviation passenger 
checkpoints, checked baggage, and airport perimeters and access 
controls. However, TSA in is the early stages of determining the extent 
to which covert testing will be used to identify vulnerabilities and 
measure the effectiveness of security practices in non-aviation modes 
of transportation. In addition, TSA officials stated that it would be 
difficult to conduct covert tests in non-aviation modes because these 
modes typically do not have established security screening procedures 
to test, such as those in place at airports. Specifically, passengers 
and their baggage are not generally physically screened through metal 
detectors and X-rays prior to boarding trains or ferries as they are 
prior to boarding a commercial aircraft, making it difficult to conduct 
tests. OI officials also stated that they do not currently have the 
resources necessary to conduct covert tests in both aviation and non- 
aviation modes of transportation. 

Although OI does not regularly conduct covert tests in non-aviation 
modes of transportation, it has conducted tests during three TSA pilot 
programs designed to test the feasibility of implementing airport style 
screening in non-aviation modes of transportation to include mass 
transit, passenger rail, and maritime ferry facilities. In 2004, TSA 
conducted a Transit and Rail Inspection pilot program in which 
passenger and baggage screening procedures were tested on select 
railways.[Footnote 25] TSA also tested similar screening procedures at 
several bus stations during the Bus Explosives Screening Technology 
pilot in 200[Footnote 26]5. In addition, TSA has also been testing 
screening equipment on ferries in the maritime mode through the Secure 
Automated Inspection Lanes program.[Footnote 27] According to OI 
officials, during these three pilot programs, OI conducted covert 
testing to determine if they could pass threat objects through the 
piloted passenger screening procedures and equipment. However, these 
tests were only conducted on a trial basis during these pilot programs. 
While OI has not developed plans or procedures for testing in non- 
aviation modes of transportation, the office has begun to explore the 
types of covert tests that it might conduct if it receives additional 
resources to test in these modes. 

In addition to OI, TSA's Office of Transportation Sector Network 
Management (TSNM) may have a role in any covert tests that are 
conducted in non-aviation modes of transportation. TSNM is responsible 
for securing the nation's intermodal transportation system and has 
specific divisions responsible for each mode of transportation--mass 
transit, maritime, highway and motor carriers, freight rail, pipelines, 
commercial airports, and commercial airlines. TSNM is also responsible 
for TSA's efforts to coordinate with operators in all modes of 
transportation. A TSNM official stated that TSNM has only begun to 
consider using covert testing in mass transit. In April 2007, TSA 
coordinated with the Los Angeles County Metropolitan Transportation 
Authority, Amtrak, and Los Angeles Sheriff's Department during a covert 
test of the effectiveness of security measures at Los Angeles' Union 
Station. During the test, several individuals carried threat items, 
such as simulated IEDs, into the rail system to determine if K-9 
patrols, random bag checks, and other random procedures could detect 
these items. The official from TSNM's mass transit office stated that 
the agency is incorporating the use of covert testing as a component of 
the mass transit and passenger rail national exercise program being 
developed pursuant to the Implementing Recommendations of the 9/11 
Commission Act of 2007. However, TSNM has not developed a strategy or 
plan for how covert testing will be incorporated into these various 
programs. The TSNM official further stated that he was not aware of 
other mass transit or passenger rail operators that are currently 
conducting or planning covert testing of their systems. Furthermore, 
TSNM does not have a systematic process in place to coordinate with 
domestic or foreign transportation organizations to learn from their 
covert testing experiences. 

The use of covert or red team testing in non-aviation modes of 
transportation has been supported in law. The Implementing 
Recommendations of the 9/11 Commission Act of 2007 directs DHS to 
develop and implement the National Strategy for Railroad Transportation 
Security, which is to include prioritized goals, actions, objectives, 
policies, mechanisms, and schedules for assessing, among other things, 
the usefulness of covert testing of railroad security systems. 
Furthermore, the explanatory statement accompanying the Homeland 
Security Appropriations Act, 2008, directed TSA to be more proactive in 
red teaming for airports and air cargo facilities, as well as in 
transit, rail, and ferry systems. Specifically, the statement directed 
approximately $6 million of TSA's appropriated amount for red team 
activities to identify vulnerabilities in airports and air cargo 
facilities, as well as in transit, rail, and ferry systems. Regarding 
covert testing of non-aviation modes of transportation, the report of 
the House of Representatives Appropriations Committee, which 
accompanies its fiscal year 2008 proposal for DHS appropriations, 
directed TSA to randomly conduct red team operations at rail, transit, 
bus, and ferry facilities that receive federal grant funds to ensure 
that vulnerabilities are identified and corrected.[Footnote 28] 

DHS has also identified covert, or red team, testing as a priority for 
the Department. The President's July 2002 National Strategy for 
Homeland Security identified that DHS, working with the intelligence 
community, should use red team or covert tactics to help identify 
security vulnerabilities in the nation's critical infrastructure, which 
includes the transportation sector. The strategy further identifies 
that red team techniques will help decision makers view vulnerabilities 
from the terrorists' perspective and help to develop security measures 
to address these security gaps. In addition, TSA's May 2007 TS-SSP 
identified that transit agencies should develop meaningful exercises, 
including covert testing, that test the effectiveness of their response 
capabilities and coordination with first responders. However, the TS- 
SSP does not provide any details on the type of covert testing that 
transit agencies should conduct and does not identify that TSA itself 
should conduct covert testing in non-aviation modes of transportation. 

Select Domestic and Foreign Transportation Organizations and DHS 
Component Agencies Use Covert Testing to Identify Vulnerabilities and 
Measure System Effectiveness: 

Domestic and foreign transportation organizations and DHS component 
agencies that we interviewed conduct covert testing to identify and 
mitigate vulnerabilities in non-aviation settings that lack the 
standardized passenger screening procedures found in the commercial 
aviation sector and measure the effectiveness of security measures. Our 
previous work on passenger rail security identified foreign rail 
systems that use such covert testing to keep employees alert about 
their security responsibilities. One of these foreign organizations-- 
the United Kingdom Department for Transport's Transport Security and 
Contingencies Directorate (TRANSEC)--conducts covert testing of 
passenger rail and seaports in addition to aviation facilities to 
identify vulnerabilities related to people, security processes, and 
technologies. According to a TRANSEC official, TRANSEC's non-aviation 
covert testing includes testing of the nation's passenger rail system 
and the United Kingdom's side of the channel tunnel between the United 
Kingdom and France. TRANSEC conducts a number of covert tests to 
determine whether employees are following security procedures 
established by TRANSEC or the rail operator, whether processes in place 
assist employees in identifying threat items, and whether screening 
equipment works properly. A TRANSEC official responsible for the 
agency's covert testing program stated that these tests are carried out 
on a regular basis and are beneficial because, as well as providing 
objective data on the effectiveness of people and processes, they 
encourage staff to be vigilant with respect to security. 

In our September 2005 report on passenger rail security, we recommended 
that TSA evaluate the potential benefits and applicability--as risk 
analyses warrant and as opportunities permit--of implementing covert 
testing processes to evaluate the effectiveness of rail system security 
personnel.[Footnote 29] Like TRANSEC in the United Kingdom, TSA has 
existing security directives that must be followed by passenger rail 
operators that could be tested. TSA generally agreed with this 
recommendation. In responding to the recommendation, TSA officials 
stated that the agency regularly interacts and communicates with its 
security counterparts in foreign countries to share best practices 
regarding passenger rail and transit security and will continue to do 
so in the future. TSA officials further stated that the agency has 
representatives stationed overseas at U.S. embassies that are 
knowledgeable about security issues across all modes of transportation. 
While TSA coordinates with domestic and foreign organizations regarding 
transportation security efforts, they do not have a systematic process 
in place to coordinate with these organizations regarding covert 
testing in non-aviation modes of transportation, and opportunities for 
TSA to learn from these organizations' covert testing efforts exist. 

In the United States, Amtrak has conducted covert tests to identify and 
mitigate vulnerabilities in their passenger rail system. Amtrak's 
Office of Inspector General has conducted covert tests of intercity 
passenger rail systems to identify vulnerabilities in the system 
related to security personnel and Amtrak infrastructure. The results 
from these tests were used to develop security priorities that are 
currently being implemented by Amtrak. According to an Amtrak official, 
as the security posture of the organization matures, the covert testing 
program will shift from identifying vulnerabilities to assessing the 
performance of existing rail security measures. 

Transportation industry associations with whom we spoke, who 
represented various non-aviation modes of transportation, supported the 
use of covert testing as a means to identify security vulnerabilities 
and to test existing security measures. Officials from the American 
Association of Railroads (AAR), which represents U.S. passenger and 
freight railroads, and the American Public Transportation Association 
(APTA), which represents the U.S. transit industry, stated that covert 
testing in the passenger rail and transit industries would help to 
identify and mitigate security vulnerabilities and increase employee 
awareness of established security procedures. AAR and APTA officials 
stated that covert testing might include placing bags and unattended 
items throughout a rail station or system to see if employees or law 
enforcement personnel respond appropriately and in accordance with 
security procedures. AAR and APTA officials further stated that any 
testing conducted by TSA would require close coordination with rail 
operators to determine what should be tested, the testing procedures to 
be used, and the practicality of such testing. 

Within DHS, the U.S. Customs and Border Protection (CBP) also conducts 
covert testing at land, sea, and air ports of entry in the United 
States to test and evaluate CBP's capabilities to detect and prevent 
terrorists and illicit radioactive material from entering the United 
States. According to CBP officials, the purpose of CBP's covert testing 
program is to identify potential technological vulnerabilities and 
procedural weaknesses related to the screening and detection of 
passengers and containers entering the United States with illicit 
radioactive material, and to assess CBP officers' ability to identify 
potential threats. As of June 2008, CBP tested and evaluated two land 
border crossings on their capabilities to detect and prevent terrorists 
and illicit radioactive material from entering the United States. In 
addition, CBP covertly and overtly evaluated the nation's 22 busiest 
seaports for radiation detection and the effectiveness of the non- 
intrusive imaging radiation equipment deployed at the seaports. CBP 
officials also stated that the agency is planning to expand testing to 
address overseas ports that process cargo bound for the United States. 

In addition to CBP, the DHS Domestic Nuclear Detection Office (DNDO) 
conducts red team testing to measure the performance of and identify 
vulnerabilities in equipment and procedures used to detect nuclear and 
radiological threats in the United States and around the world. 
According to DNDO officials, the agency uses the results of red team 
tests to help mitigate security vulnerabilities, such as identifying 
nuclear detection equipment that is not working correctly. DNDO also 
uses red team testing to determine if unclassified information exists 
in open sources, such as on the internet, which could potentially be 
used by terrorists to exploit vulnerabilities in nuclear detections 
systems. DNDO's program, according to its officials, provides a means 
to assess vulnerabilities that an adversary is likely to exploit, and 
to make recommendations to either implement or improve security 
procedures. 

TSA Could More Fully Use the Results of Covert Tests to Mitigate 
Security Vulnerabilities Identified in the Commercial Aviation System: 

TSA's national aviation covert testing program has identified 
vulnerabilities in select aspects of the commercial aviation security 
system at airports of all sizes; however, the agency is not fully using 
the results of these tests to mitigate identified vulnerabilities. The 
specific results of these tests are classified and are presented in our 
classified May 2008 report. Covert test failures can be caused by 
various factors, including TSOs not properly following TSA procedures 
when screening passengers, screening equipment that does not detect a 
threat item, or TSA screening procedures that do not provide sufficient 
detail to enable TSOs to identify the threat item. Senior TSA 
officials, including TSA's Administrator, are routinely briefed on the 
results of covert tests and provided with OI reports that describe the 
vulnerabilities identified by these tests and recommendations to 
correct identified vulnerabilities. However, OSO lacks a systematic 
process to ensure that OI's recommendations are considered, and does 
not systematically document its rationale for why it did or did not 
implement OI's recommendations. OSO and OI also do not have a process 
in place to assess whether the corrective action implemented mitigated 
the identified vulnerabilities through follow-up national or local 
covert tests, and if covert test results improved. According to OSO 
officials, TSA has other methods in place to identify whether 
corrective actions or other changes to the system are effective; 
however, officials did not provide specific information regarding these 
methods. Moreover, in those cases where OSO took no action to address 
OI's recommendation, they did not systematically document their 
rationale for why they took no action. In the absence of a systematic 
process for considering OI's recommendations, documenting their 
decision-making process, and evaluating whether corrective actions 
mitigated identified vulnerabilities, TSA is limited in its ability to 
use covert testing results to improve the security of the commercial 
aviation system. OSO senior leadership stated that opportunities exist 
to improve the agency's processes in this area. 

TSA Covert Test Results Identified Vulnerabilities in the Aviation 
Security System: 

Between September 2002 and June 2007, OI conducted more than 20,000 
covert tests of passenger checkpoints, checked baggage screening 
systems, and airport perimeters and access control points collectively 
at every commercial airport in the United States regulated by TSA. The 
results of these tests identified vulnerabilities in select aspects of 
the commercial aviation security system at airports of all sizes. While 
the specific results of these tests and the vulnerabilities they 
identified are classified, covert test failures can be caused by 
multiple factors, including TSOs not properly following TSA procedures 
when screening passengers, screening equipment that does not detect a 
threat item, or TSA screening procedures that do not provide sufficient 
detail to enable TSOs to identify the threat item. TSA cannot 
generalize covert test results either to the airports where the tests 
were conducted or to airports nationwide because the tests were not 
conducted using the principles of probability sampling.[Footnote 30] 
For example, TSA did not randomly select times at which tests were 
conducted, nor did they randomly select passenger screening checkpoints 
within the airports. Therefore, each airport's test results represent a 
snapshot of the effectiveness of passenger checkpoint screening, 
checked baggage screening, and airport access control systems, and 
should not be considered a measurement of any one airport's performance 
or any individual TSO's performance in detecting threat objects. 
Although the results of the covert tests cannot be generalized to all 
airports, they can be used to identify vulnerabilities in the aviation 
security system. TSA officials stated that they do not want airports to 
achieve a 100 percent pass rate during covert tests because they 
believe that high pass rates would indicate that covert tests were too 
easy and therefore were not an effective tool to identify 
vulnerabilities in the system. 

TSA Lacks a Systematic Process to Ensure that Covert Testing 
Recommendations Are Considered and Actions Are Taken to Address Them If 
Determined Necessary: 

After completing its covert tests, OI provides written reports and 
briefings on the test results to senior TSA management, including TSA's 
Administrator, Assistant Administrator of OSO, and area FSDs. In these 
reports and briefings, OI officials provide TSA management with the 
results of covert tests, describe the security vulnerabilities 
identified during the tests, and present recommendations to OSO that OI 
believes will mitigate the identified vulnerabilities. TSA's 
Administrator and senior OSO officials stated that they consider the 
aviation security system vulnerabilities that OI presents in its 
reports and briefings as well as the recommendations made. However, OSO 
officials we spoke with stated that they do not have a systematic 
process in place to ensure that all of OI's recommendations are 
considered or to document their rationale for implementing or not 
implementing these recommendations.[Footnote 31] Furthermore, TSA does 
not have a process in place to assess whether corrective actions taken 
in response to OI's recommendations have mitigated identified 
vulnerabilities. Specifically, in those cases where corrective actions 
were taken to address OI's recommendation, neither OSO nor OI conducted 
follow-up national or local covert tests to determine if the actions 
taken were effective. For example, in cases where OI determined that 
additional TSO training was needed and OSO implemented such training, 
OSO or OI did not conduct follow-up national or local covert testing to 
determine if the additional training that was implemented to address 
the recommendation helped to mitigate the identified vulnerability. 
According to OSO officials, TSA has other methods in place to identify 
whether corrective actions or other changes are effective; however, 
officials did not provide specific information regarding these methods. 

Standards for Internal Control in the Federal Government require that 
internal controls be designed to ensure that ongoing monitoring occurs 
during the course of normal operations. Specifically, internal controls 
direct managers to (1) promptly evaluate and resolve findings from 
audits and other reviews, including those showing deficiencies and 
recommendations reported by auditors and others who evaluate agencies' 
operations, (2) determine proper actions in response to findings and 
recommendations from audits and reviews, and (3) complete, within 
established time frames, all actions that correct or otherwise resolve 
the matters brought to management's attention. The standards further 
identify that the resolution process begins when audit or other review 
results are reported to management, and is completed only after action 
has been taken that (1) corrects identified deficiencies, (2) produces 
improvements, or (3) demonstrates the findings and recommendations do 
not warrant management action. In the absence of a systematic process 
for considering and resolving the findings and recommendations from 
OI's covert tests and ensuring that the effectiveness of actions taken 
to address these recommendations are evaluated, TSA management is 
limited in its ability to mitigate identified vulnerabilities to 
strengthen the aviation security system. 

OI Made 43 Recommendations to OSO to Mitigate Vulnerabilities 
Identified by Covert Tests from March 2003 to June 2007: 

While neither OSO nor OI have a systematic process for tracking the 
status of OI covert testing recommendations, at our request, OSO 
officials provided information indicating what actions, if any, were 
taken to address OI's recommendations.[Footnote 32] From March 2003 to 
June 2007, OI made 43 recommendations to OSO designed to mitigate 
vulnerabilities identified by national covert tests. To date, OSO has 
taken actions to implement 25 of these recommendations. For the 
remaining 18 of OI's 43 recommendations, OSO either took no action to 
address the recommendation, or it is unclear how the action they took 
addressed the recommendation. OI did not make any recommendations to 
OSO related to screening equipment. The specific vulnerabilities 
identified by OI during covert tests and the specific recommendations 
made, as well as corrective actions taken by OSO, are classified. 

Conclusions: 

TSA has developed a risk-based covert testing strategy to identify 
vulnerabilities and measure the performance of select aspects of the 
aviation security system. OI's national covert testing program is 
designed and implemented using elements of a risk-based approach, 
including using information on terrorist threats to design simulated 
threat items and tactics. However, this program could be strengthened 
by ensuring that all of the information from the tests conducted is 
used to help identify and mitigate security vulnerabilities. For 
example, without a process for recording and analyzing the specific 
causes of all national covert test failures, including TSOs not 
properly following TSA's existing screening procedures, procedures that 
are unclear to TSOs, or screening equipment that is not working 
properly, TSA is limited in its ability to identify specific areas for 
improvement, such as screening equipment that may be in need of repair 
or is not working correctly. Moreover, without collecting and analyzing 
information on effective practices used at airports that performed 
particularly well on national covert tests, TSA may be missing 
opportunities to improve TSO performance across the commercial aviation 
security system. TSA has only recently begun to determine the extent to 
which covert testing may be used to identify vulnerabilities and 
measure the effectiveness of security practices in non-aviation modes 
of transportation if it receives additional resources to test in these 
modes. Nevertheless, several transportation industry stakeholders can 
provide useful information on how they currently conduct covert tests 
in non-aviation settings, and systematically coordinating with these 
organizations could prove useful for TSA. 

National aviation covert tests have identified vulnerabilities in the 
commercial aviation security system. However, TSA could better use the 
covert testing program to mitigate these vulnerabilities by promptly 
evaluating and responding to OI's findings and recommendations. We 
recognize that TSA must balance a number of competing interests when 
considering whether to make changes to TSO training, screening 
procedures, and screening equipment within the commercial aviation 
security system, including cost and customer service, in addition to 
security concerns. We further recognize that, in some cases, it may not 
be feasible or appropriate to implement all of OI's recommendations. 
However, without a systematic process in place to consider OI's 
recommendations, evaluate whether corrective action is needed to 
mitigate identified vulnerabilities, and evaluate whether the 
corrective action effectively addressed the vulnerability, OSO is 
limited in the extent to which it can use the results of covert tests 
to improve the security of the commercial aviation system. 

Recommendations for Executive Action: 

To help ensure that the results of covert tests are more fully used to 
mitigate vulnerabilities identified in the transportation security 
system, we recommended in our May 2008 classified report that the 
Assistant Secretary of Homeland Security for TSA take the following 
five actions: 

* Require OI inspectors to document the specific causes of all national 
covert testing failures--including documenting failures related to 
TSOs, screening procedures, and equipment--in the covert testing 
database to help TSA better identify areas for improvement, such as 
additional TSO training or revisions to screening procedures. 

* Develop a process for collecting, analyzing, and disseminating 
information on practices in place at those airports that perform well 
during national and local covert tests in order to assist TSA managers 
in improving the effectiveness of checkpoint screening operations. 

* As TSA explores the use of covert testing in non-aviation modes of 
transportation, develop a process to systematically coordinate with 
domestic and foreign transportation organizations that already conduct 
these tests to learn from their experiences. 

* Develop a systematic process to ensure that OSO considers all 
recommendations made by OI in a timely manner as a result of covert 
tests, and document its rationale for either taking or not taking 
action to address these recommendations. 

* Require OSO to develop a process for evaluating whether the action 
taken to implement OI's recommendations mitigated the vulnerability 
identified during covert tests, such as using follow-up national or 
local covert tests to determine if these actions were effective. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to DHS for review and comment. On 
April 24, 2008, we received written comments on the draft report, which 
are reproduced in full in appendix II. DHS and TSA concurred with the 
findings and recommendations, and stated that the report will be useful 
in strengthening TSA's covert testing programs. In addition, TSA 
provided technical comments, which we incorporated as appropriate. 

Regarding our recommendation that OI document the specific causes of 
all national covert testing failures related to TSOs, screening 
procedures, and equipment in the covert testing database, DHS stated 
that TSA's Office of Inspection (OI) plans to expand the covert testing 
database to all causes of test failures. DHS further stated that the 
specific causes of all OI covert testing failures are documented in 
data collection instruments used during covert tests and within a 
comment field in the covert testing database when the cause can be 
determined. However, TSA acknowledged that covert test failures caused 
by screening equipment not working properly are not recorded in the 
database in a systematic manner. Documenting test failures caused by 
equipment should help OI better analyze the specific causes of all 
national covert testing failures and assist TSA management in 
identifying corrective actions to mitigate identified vulnerabilities. 

Concerning our recommendation that OI develop a process for collecting, 
analyzing, and disseminating information on practices in place at those 
airports that perform well during national and local covert tests in 
order to assist TSA managers in improving the effectiveness of 
checkpoint screening operations, DHS stated that it recognizes the 
value in identifying factors that may lead to improved screening 
performance. TSA officials stated that, while OI or ASAP test results 
can be used to establish a national baseline for screening performance 
at individual airports, the results are not statistically significant. 
As a result, additional assessments would be required to provide a 
statistical measure for individual airports. According to DHS, OI plans 
to develop a more formal process for collecting and analyzing test 
results to identify best practices that may lead to test passes. 
Officials stated that when specific screening practices indicate a 
positive effect on screening performance, TSA plans to share and 
institutionalize best practices in the form of management advisories to 
appropriate TSA managers. Developing a more formal process for 
collecting and analyzing test results to identify best practices that 
may lead to test passes should address the intent of this 
recommendation. 

In response to our recommendation that TSA develop a process to 
systematically coordinate with domestic and foreign transportation 
organizations as the agency explores the use of covert testing in non- 
aviation modes of transportation to learn from their experiences, DHS 
stated that it is taking a number of actions. Specifically, according 
to DHS, TSNM has worked closely with transit agencies and internal TSA 
covert testing experts during red team testing exercises and is 
currently exploring programs in which covert testing may be used to 
evaluate the effectiveness of security measures. For example, TSNM is 
considering incorporating covert testing as a part of its Intermodal 
Security Training and Exercise Program. While considering the use of 
covert testing in its programs should help TSA evaluate the 
effectiveness of security measures, it is also important that TSA 
establish a systematic process for coordinating with domestic and 
foreign organizations that already conduct testing in non-aviation 
modes of transportation to learn from their experiences. 

DHS further stated that it plans to take action to address our 
recommendation that the agency develop a systematic process to ensure 
that OSO considers all recommendations made by OI as a result of covert 
tests in a timely manner, and documents its rationale for either taking 
or not taking action to address these recommendations. Specifically, 
DHS stated that OSO is coordinating with OI to develop a directive 
requiring that OI's covert testing recommendations be formally reviewed 
and approved by TSA management, and OSO is establishing a database to 
track all OI recommendations and determine what action, if any, has 
been taken to address the recommendation. Taking these steps should 
address the intent of this recommendation and help TSA to more 
systematically record whether OI's covert testing recommendations have 
been addressed. 

Concerning our recommendation that OSO develop a process to evaluate 
whether the action taken to implement OI's recommendations mitigated 
the vulnerability identified during covert tests, such as using follow- 
up national or local covert tests or information collected through 
other methods, to determine if these actions were effective, DHS stated 
that OSO established a new program to study various aspects of TSO and 
screening performance in 2007 that considers recommendations 
originating from OI national covert tests and ASAP tests. According to 
DHS, after completing each study, recommendations resulting from this 
analysis will be provided to TSA leadership for consideration. DHS 
further stated that the results of ASAP tests will also likely be a 
focus of these future studies. While these actions should help to 
address the intent of this recommendation, it is also important that 
OSO assess whether the actions taken to mitigate the vulnerabilities 
identified by OI's national covert tests are effective. 

As agreed with your office, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its issue date. At that time, we will send copies of this report 
to the Secretary of Homeland Security, Assistant Secretary of DHS for 
the Transportation Security Administration, and the Ranking Member of 
the Committee on Homeland Security, House of Representatives, and other 
interested congressional committees as appropriate. We will also make 
this report available at no charge on GAO's Web site [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-3404 or at [email protected]. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Other key contributors to this report 
were John Hansen, Assistant Director; Chris Currie; Yanina Golburt; 
Samantha Goodman; Art James; Wendy Johnson; Thomas Lombardi; and Linda 
Miller. 

Sincerely yours, 
 
Signed by: 

Cathleen A. Berrick: 

Director, Homeland Security and Justice Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

This report addresses the following questions: (1) what is the 
Transportation Security Administration's (TSA) strategy for conducting 
covert testing of the transportation system, and to what extent has the 
agency designed and implemented its covert tests to achieve identified 
goals? and (2) what have been the results of TSA's national aviation 
covert tests conducted from September 2002 to June 2007, and to what 
extent does TSA use the results of these tests to mitigate security 
vulnerabilities in the commercial aviation system? 

To identify TSA's strategy for conducting covert testing of the 
transportation system and the extent to which the agency has designed 
and implemented its covert tests to achieve identified goals, we 
reviewed applicable laws, regulations, policies, and procedures to 
determine the requirements for conducting covert testing in the 
transportation sector. To assess TSA's strategy specifically in the 
aviation covert testing program, we interviewed TSA Office of 
Inspection (OI) officials responsible for conducting national covert 
tests and Office of Security Operations (OSO) officials responsible for 
local covert tests regarding the extent to which information on risks 
is included in the design and implementation of tests. We also 
interviewed the Transportation Security Officers (TSO), supervisors, 
screening managers, and Federal Security Directors (FSD) who 
participated in covert tests at each airport where we observed tests to 
discuss their experience with the national and local covert testing 
programs. We observed OI inspectors during covert tests at seven 
airports including airports with heavy passenger traffic and those with 
just a few flights per day, as well as airports with both federal and 
contract TSOs. During these observations, we accompanied OI inspectors 
during all phases of the covert test including planning and 
observations, testing, and post test reviews with TSOs, supervisors, 
and screening managers. While these seven airports represent reasonable 
variations in size and geographic locations, our observations of OI's 
covert tests and the perspectives provided by TSA officials at these 
airports cannot be generalized across all commercial airports. However, 
our observations at the seven airports provided us an overall 
understanding of how OI conduct covert tests and useful insights 
provided by TSOs, their supervisors, and FSDs at these airports. We 
analyzed TSA documents including established protocols for national and 
local covert testing, procedures for screening passengers and checked 
baggage, and OI covert testing reports issued from 2002 to 2007 to 
identify procedures for designing and implementing TSA's covert testing 
program. Furthermore, to determine the extent to which TSA met the 
goals of the program, we conducted a detailed analysis of the data 
collection instrument and methods that OI used to collect covert 
testing data for the seven airports where we observed covert tests. We 
also assessed the adequacy of TSA's internal controls for collecting 
and maintaining the results of covert tests by evaluating TSA's 
processes for collecting covert testing data and inputting this data 
into its database. In assessing the adequacy of internal controls, we 
used the criteria in GAO's Standards for Internal Control in the 
Federal Government, GAO/AIMD 00-21.3.1, dated November 1999. These 
standards, issued pursuant to the requirements of the Federal Managers' 
Financial Integrity Act of 1982 (FMFIA), provide the overall framework 
for establishing and maintaining internal control in the federal 
government. Also pursuant to FMFIA, the Office of Management and Budget 
issued Circular A-123, revised December 21, 2004, to provide the 
specific requirements for assessing the reporting on internal controls. 
To assess TSA's strategy for conducting covert tests in non-aviation 
modes of transportation, we interviewed officials from TSA's Office of 
Transportation Sector Network Management (TSNM) regarding the extent to 
which TSA has conducted covert testing in non-aviation modes of 
transportation, the applicability and potential use of covert testing 
in other modes, and their future plans for conducting covert testing in 
other modes. To understand how other organizations and federal agencies 
have used covert testing in the non-aviation arena, we interviewed 
officials from selected federal agencies and organizations that conduct 
covert testing including Amtrak, the United Kingdom Department for 
Transport Security (TRANSEC), U.S. Customs and Border Protection (CBP), 
DHS Domestic Nuclear Detection Office (DNDO), and select transportation 
industry associations. We reviewed the president's National Strategy 
for Homeland Security and TSA's Transportation Systems Sector Specific 
plan, including individual plans for each mode of transportation, to 
determine the role and use of covert testing across the transportation 
system. We also reviewed the fiscal year 2008 DHS appropriations 
legislation, enacted as Division E of the Consolidated Appropriations 
Act, 2008, and associated committee reports and statements to identify 
any funding allocated to TSA to conduct covert testing in non-aviation 
modes. 

To determine the results of TSA's national covert tests and the extent 
to which TSA used the results of these tests to mitigate security 
vulnerabilities in the aviation system, we obtained and analyzed a 
database of the results of TSA's national covert tests conducted from 
September 2002 to June 2007. We analyzed the test data according to 
airport category, threat item, and type of test conducted between 
September 2002 and June 2007. We also examined trends in pass and 
failure rates when required screening steps were or were not followed 
and examined differences in covert test results between private and 
federal airports. We assessed the reliability of TSA's covert testing 
data by reviewing existing information about the data and the systems 
used to produce them, and by interviewing agency officials responsible 
for maintaining the database. We determined that the data were 
sufficiently reliable for our analysis and the purposes of this report. 
TSA provided us with a copy of their covert testing database which 
contained a table with one record, or entry, per test for all of the 
tests conducted between 2002 and 2007. In order to accurately interpret 
the data, we reviewed information provided by OI officials regarding 
each of the fields recorded in the database and information about how 
they enter test results into the database. We also conducted manual 
testing of the data, conducting searches for missing data and outliers. 
To further assess the reliability of the data, we reviewed the source 
documents used to initially collect the data as well as OI's published 
reports. We also interviewed OI officials regarding how the results of 
covert tests are used in developing their recommendations to TSA 
management. We reviewed OI reports on the results of covert tests 
issued between March 2003 and June 2007 that were submitted to TSA's 
Administrator and OSO to identify OI's recommendations for mitigating 
the vulnerabilities identified during covert tests. We obtained and 
analyzed a summary of the actions that OSO had taken to address OI's 
recommendations for mitigating vulnerabilities made from March 2003 to 
June 2007. We also asked officials to discuss the extent to which OSO 
has addressed and implemented recommendations made by OI based on 
covert test results, and we analyzed information provided by TSA 
regarding the status of each covert testing recommendation made by OI 
from 2003 to 2007. 

We conducted this performance audit from October 2006 to May 2008, in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on out audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

Homeland Security: 

April 24, 2008: 

Ms. Cathleen A. Berrick: 
Director, Homeland Security and Justice Issues: 
Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Ms. Herrick: 

Thank you for the opportunity to comment on GAO-08-958 draft report 
entitled, TSA Has Developed a Risk-Based Covert Testing Program, but 
Could Better Mitigate Aviation Security Vulnerabilities Identified 
Through Covert Testing. The findings in the report will be useful in 
strengthening our testing programs. This letter replicates the 
Department of Homeland Security's response to the classified version of 
this report. 

As you are well aware through your previous work with us on this topic, 
covert testing results are only one of many inputs into our security 
evaluation strategy. Given the nonlinear nature of the risks to 
transportation security, and our strategy to manage them, the 
Transportation Security Administration (TSA) relies upon a wide variety 
of input, including intelligence and workforce feedback, to evaluate 
and respond to security vulnerabilities. 

As your report demonstrates, TSA's Office of Inspection (01) has a very 
robust testing program designed to identify systemic vulnerabilities in 
transportation security systems. Through the 01 program, subject matter 
experts develop and test specific hypotheses regarding potential system 
vulnerabilities. These tests are not designed to be performance 
measures. Rather, they are evaluations of system vulnerabilities that 
can be used to design countermeasures. When viewed in this light, the 
qualitative results from these experiments are highly valuable in 
analyzing vulnerabilities, with the conclusions from these experiments 
informing decisions at the strategic level. 

TSA has also recognized the need for a more systematic framework to 
accurately assess the effectiveness of our screening process and 
identify areas for improvement. In April 2007, TSA therefore 
established the Aviation Screening Assessment Program (ASAP) to greatly 
expand our internal covert testing, provide statistically sound data to 
support operational decisions, and create a framework to systematically 
review and report the data. As a result, ASAP runs thousands of covert 
tests at hundreds of airports nationwide every six months. The 
information produced from these tests provides data necessary to make 
more informed decisions on improving the screening process. ASAP 
analysis also focuses on particular areas of screening for targeted 
improvement including: operations; procedures; technology; training; 
and management. Through ASAP, we have established a formal process to 
thoroughly assess the screening process and implement appropriate 
courses of action addressing concerns revealed through expansive covert 
testing. The increased pace of ASAP's testing and review cycles also 
permits TSA to evaluate the effectiveness of actions taken in response 
to both ASAP and 01 recommendations. 

While TSA has utilized the results of 01 covert testing to make 
adjustments to the screening process, we do not rely solely on them to 
make screening process changes. Rather, it is one of many data points 
used in evaluating system vulnerabilities. Nevertheless, we understand 
the need for accurate data collection, reporting, and follow-through 
from all of our testing programs, and will continue program 
improvements in those areas as recommended. 

With respect to testing in other modes, TSA values the relationships 
that have been fostered with industry stakeholders in non-aviation 
modes. These relationships have proven valuable over the years in 
establishing necessary protocols for national security. We will 
continue to work with our industry partners to obtain lessons learned 
and best practices to enable the development of testing protocols in 
various modes of transportation to improve security. 

The following are TSA's responses to the specific recommendations: 

Recommendation 1: Require 01 to document the specific causes of all 
national covert testing failuresï¿½including documenting failures related 
to TSOs, screening procedures, and equipmentï¿½in the covert testing 
database to help TSA better identify areas for improvement. 

Concur: Specific causes of all Office of Inspection (01) covert testing 
failures are documented (on testing documents and in the covert testing 
database as a comment field) when that cause can be determined. To 
date, specific causes of equipment failure have not been recorded in 
the database in a uniform manner. OI will expand the covert testing 
database to document test failures related to screening equipment. 

Recommendation 2: Develop a process for collecting, analyzing, and 
disseminating information on practices in place at those airports that 
perform well during national and local covert tests in order to assist 
TSA managers in improving the effectiveness of checkpoint screening 
operations. 

Concur: TSA recognizes the value in identifying the elements that lead 
to improved performance at the checkpoint. Through the Aviation 
Screening Assessment Program (ASAP) TSA has already begun to establish 
a national baseline, by detection point, for screening performance. 
Using 01 covert testing data or ASAP data alone to draw conclusions as 
to which airports are high- and low-performing is not statistically 
sound, as additional assessments would be required to provide a 
statistical "scorecard" for individual airport locations, but covert 
testing data will be used as a data point in these evaluations. 01 will 
develop a more formal process to uniformly collect and analyze test 
results to identify best practices attributed to test passes. When 
specific screening programs or national practices indicate a positive 
effect on screening performance, TSA will take steps to share and 
institutionalize best practices in the form of management advisories to 
appropriate TSA managers. TSA will explore additional means to 
effectively disseminate this information. 

Recommendation 3: As TSA explores the use of covert testing in non-
aviation modes of transportation, the agency should work closely with 
transportation industry stakeholders to develop protocols for 
conducting tests and coordinate with domestic and foreign organizations 
that already conduct these tests to learn from their experiences. 

Concur: TSA has established an excellent rapport with industry 
stakeholders to allow a free flow of information sharing. Specifically 
in Mass Transit, TSA follows these practices in approaching systems for 
"red team" exercises and developing exercise protocols to execute 
covert testing. In the covert testing exercises TSA Mass Transit has 
participated in, we have worked closely with the transit agencies being 
tested, TSA's internal covert testing program experts, as well as those 
who have established programs and lessons learned from their on 
activities. TSA Mass Transit is currently exploring several programs 
where covert testing may be used as a means for evaluating the 
effectiveness of various security measures. One example is the I-STEP 
(Intermodal Security Training and Exercise Program), where TSA is 
working to develop a model table top exercise to foster the use of 
similar type exercises around the country. This current effort is 
centered on the National Capital Region. In subsequent phases of I-
STEP, when the program culminates in full scale exercises, 
opportunities to include covert testing may present themselves. 

Another area TSA is exploring is the Visible Intermodal Prevention and 
Response (VIPR) team activity in support of mass transit and passenger 
rail security. TSA mass transit is looking at ways to enhance the 
training and effectiveness of this random, unpredictable deterrence 
measure. Covert testing could play an appropriate role in this effort. 
As we move forward in working with our transit security partners, 
covert testing of VIPR activities, to demonstrative how they integrate 
into overall security activities, could be important to our collective 
efforts. 

These efforts outlined for Mass Transit will be explored in other non-
aviation modes to glean all valuable information concerning lessons 
learned and other experiences. 

Recommendation 4: Develop a systematic process to ensure that OSO 
considers all recommendations made by 01 in a timely manner as a result 
of covert tests, and document its rationale for either taking or not 
taking action to address these recommendations. 

Concur: TSA's Procedures Division is currently coordinating an 
Operations Directive with the Office of Inspection to formally approve 
the recommendation and review process for handling recommendations made 
by 01. In addition the Procedures Division is establishing an access 
database to track all incoming recommendations and final outcome for 
incorporating the recommendations into the Standard Operating 
Procedures. 

Recommendation 5: Require OSO to develop a process or use information 
collected through other methods, for evaluating whether the action 
taken to implement 01's recommendations mitigated the vulnerability 
identified during covert tests, such as using follow-up national or 
local covert tests to determine if these actions were effective. 

Concur: In 2007, the Office of Security Operations established a new 
program to study various aspects of Transportation Security Officer 
(TSO) and program performance. Topics of the study include, but are not 
limited to, recommendations originating from ASAP as well as OI 
recommendations. Upon the conclusion of each study, recommendations 
resulting from analysis are provided to TSA leadership for adoption. 
The program includes: 

* Identifying and correlating TSA TSO and/or program data elements, 
(i.e., scores for Threat Image Projection, Image Interpretation Test, 
Image Mastery Test; Performance Accountability and Standards System, 
etc.); 

* Conducting related studies, interviews, evaluations, observations, 
and surveys; 

* Convening best practice focus groups; and: 

* Providing recommendations for improved performance, effectiveness 
and/or efficiency. 

The first study focused on evaluating the effectiveness of the IED 
Checkpoint Drills, a nationally implemented program originating from an 
OI recommendation, Results of this study are expected FY08 Q3. 
Depending upon the nature of the recommendation, ASAP may also be used 
to evaluate the national effectiveness of recommendations targeting a 
specific detection point. 

Once again, DHS and TSA appreciate the work GAO has done in the review 
of TSA's covert testing program. 

Sincerely,

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Footnotes: 

[1] See Pub. L. No. 107-71, 115 Stat. 597 (2001). 

[2] TSA defines a covert test at domestic airports as any test of 
security systems, personnel, equipment, and procedures to obtain a 
snapshot of the effectiveness of airport passenger security checkpoint 
screening, checked baggage screening, and airport access controls to 
improve airport performance, safety, and security. 

[3] As used in this report and unless otherwise specifically stated, 
the term TSO, which ordinarily refers only to the federal screening 
workforce, includes the private screening workforce at airports in the 
screening partnership program. 

[4] Department of Homeland Security Office of Inspector General, Audit 
of Access to Airport Secured Areas, OIG-07-35 (March 2007). The results 
of TSA's, GAO's, and the DHS Office of Inspector General's covert tests 
are all classified and cannot be presented in this report. 

[5] In accordance with ATSA, TSA began allowing all commercial airports 
to apply to TSA to transition from a federal to a private screening 
workforce in November 2004. See 49 U.S.C. ï¿½ 44920. To support this 
effort, TSA created the Screening Partnership Program to allow all 
commercial airports an opportunity to apply to TSA for permission to 
use qualified private screening contractors and private sector 
screeners. Currently, private screening companies provide passenger and 
checked baggage screening at 11 airports. 

[6] Federal Security Directors (FSD) are the ranking TSA authorities 
responsible for leading and coordinating TSA security activities at the 
nation's commercial airports. TSA had 122 FSD positions at commercial 
airports nationwide, as of January 2008. Although FSDs are responsible 
for security at all commercial airports, not every airport has an FSD 
dedicated solely to that airport. Most large airports have an FSD 
responsible for that airport alone. Other smaller airports are arranged 
in a "hub and spoke" configuration, in which an FSD is located at or 
near a hub airport but also has responsibility over one or more spoke 
airports of the same or smaller size. 

[7] GAO, Internal Control: Standards for Internal Control in the 
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999). 

[8] Pub. L. No. 107-71, 115 Stat. 597 (2001). 

[9] In accordance with ATSA, TSA assumed operational responsibility 
from air carriers for screening passengers and checked baggage for 
explosives at more than 450 commercial airports by November 19, 2002. 
Passenger screening is a process by which authorized personnel inspect 
individuals and property at designated screening locations to deter and 
prevent carriage of any unauthorized explosive, incendiary, weapon, or 
other dangerous item into a sterile area or aboard an aircraft. Sterile 
areas are located within the terminal and generally include areas past 
the screening checkpoint where passengers wait to board, or into which 
passengers deplane from, a departing or arriving aircraft. Checked 
baggage screening is a process by which authorized personnel inspect 
checked baggage to deter, detect, and prevent the carriage of any 
unauthorized object on board an aircraft. The Homeland Security Act of 
2002, signed into law on November 25, 2002, transferred TSA from DOT to 
DHS. See Pub. L. No. 107-296, ï¿½ 403, 116 Stat. 2135, 2178. 

[10] TSA's TS-SSP describes the security framework that will enable TSA 
to prevent and deter acts of terrorism using or against the 
transportation system, enhance the resilience of the transportation 
system, and improve use of resources for transportation security, among 
other things. TS-SSP establishes TSA's strategic approach to securing 
the transportation sector in accordance with the National 
Infrastructure Protection Plan (NIPP) that obligates each critical 
infrastructure and key resources sector, such as transportation sector, 
to develop a sector specific plan. 

[11] See Pub. L. No. 110-53, ï¿½ 1511(b), 121 Stat. 266, 426-29. See also 
49 U.S.C. ï¿½ 114(t). 

[12] See explanatory statement accompanying Division E of the 
Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. E, 121 
Stat. 1844 (2007), at 1054. 

[13] TSA classifies the commercial airports in the United States into 
one of five categories (X, I, II, III, and IV) based on various 
factors, such as the total number of takeoffs and landings annually and 
other special security considerations. In general, Category X airports 
have the largest number of passenger boardings, and category IV 
airports have the smallest. TSA periodically reviews airports in each 
category and, if appropriate, updates airport categorizations to 
reflect current operations. Until August 2005, OI conducted covert 
testing at category X airports once per year, category I and II 
airports once every 2 years, and category III and IV airports at least 
once every 3 years. 

[14] EDS machines use specialized X-rays to detect characteristics of 
explosives that may be contained in passengers' checked baggage as it 
moves along a conveyor belt. 

[15] ETD machines can detect chemical residues that may indicate the 
presence of explosives on a passenger or within passengers' baggage. 

[16] ATSA requires that each TSO who failed a covert test has to 
undergo remedial training for the function, such as X-ray screening, 
that he or she failed before returning to that function. The TSO can 
perform a different function, such as manual or ETD searches, while 
undergoing the remedial training. 

[17] The MBS II weapons training kits were provided to airports to 
address the identified training gap by allowing TSOs to see and feel 
the threat objects they were looking for. According to OSO officials, 
these kits contained some of the test objects used by OI to conduct 
covert testing. 

[18] STEA included seven types of tests conducted at the passenger 
checkpoint: IED in property disassembled, IED in property assembled, 
stimulant on torso, weapon at an angle in property, weapon in property, 
weapon on individual, and weapon on inner thigh. There is one type of 
STEA test conducted at the checked baggage screening system--assembled 
IED in baggage. 

[19] GAO, Aviation Security: Enhancements Made in Passenger and Checked 
Baggage Screening, but Challenges Remain, GAO-06-371T (Washington, 
D.C.: Apr. 4, 2006). 

[20] See, e.g., 49 U.S.C. ï¿½ 114(t). 

[21] National Commission on Terrorist Attacks upon the United States, 
the 9/11 Commission Report: Final Report of the National Commission on 
Terrorist Attacks upon the United States (Washington, D.C.: 2004). The 
9/11 Commission was an independent, bipartisan commission created in 
late 2002, to prepare a complete account of the circumstances 
surrounding the September 11, 2001 terrorist attacks, including 
preparedness for and the immediate response to the attacks. The 
Commission was also mandated to provide recommendations designed to 
guard against future attacks. 

[22] GAO, Passenger Rail Security: Enhanced Federal Leadership Needed 
to Prioritize and Guide Security Efforts, GAO-05-851 (Washington, D.C.: 
Sept. 9, 2005); and GAO, Aviation Security: Federal Efforts to Secure 
U.S.-Bound Air Cargo Are in the Early Stages and Could Be Strengthened, 
GAO-07-660 (Washington, D.C.: Apr. 30, 2007). 

[23] While some test entries recorded in the database include 
observations made by inspectors, OI officials told us that these 
observations are not intended to identify the reason for a test 
failure. Moreover, these observations are not consistently recorded in 
the database to allow OI to analyze trends in test outcomes. 

[24] GAO, Aviation Security: Screener Training and Performance 
Measurement Strengthened, but More Work Remains, GAO-05-457 
(Washington, D.C.: May 2, 2005). 

[25] The goal of TSA's Transit and Rail Inspection Pilot program was to 
evaluate the use of existing and emerging technologies in the rail 
environment to screen passengers' carry-on items, checked baggage, 
cargo, and parcels for explosives. The pilot was conducted in three 
phases. Phase I evaluated the use of screening technologies to screen 
passengers and baggage prior to boarding trains at the New Carrollton, 
Maryland, train station. Phase II tested screening of checked and 
unclaimed baggage and cargo prior to loading on board Amtrak trains at 
Union Station in Washington, D.C. Phase III evaluated the use of 
screening technologies installed on a rail car to screen passengers and 
their baggage while the rail car was in transit on a Shoreline East 
commuter rail car. 

[26] The Bus Explosives Screening Technology pilot tested emerging and 
existing technologies to screen passengers, baggage, and cargo for 
explosives prior to boarding buses. The pilot was conducted at the 
Greyhound Bus terminal in Washington, D.C. 

[27] TSA's Secure Automated Inspection Lanes pilot program tested 
portable screening equipment and explosive detection technologies on 
maritime ferry passengers to identify traces of explosive residue on 
papers and documents carried by passengers. 

[28] H.R. Rpt. No. 110-181, at 62-63 (2007), accompanying H.R. 2638, 
110th Cong. (as passed by House of Representatives. June 15, 2007). 

[29] See GAO-05-851. 

[30] A well-designed probability sample would enable failure rates to 
be generalized to the airports in which the tests were conducted and to 
all airports. In a probability sample, each item in the population 
being studied has a known, non-zero probability of being selected. 

[31] According to TSA officials, recommendations made as a result of 
ASAP tests are provided in a report to senior TSA leadership, who make 
the decision whether or not to implement the recommendation, and the 
status of each recommendation is tracked in the ASAP database. 

[32] OSO officials told us that they did not systematically monitor the 
status of OI's recommendations prior to our request. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***