Aviation Security: Implementation of Recommendations Is Under Way, but
Completion Will Take Several Years (Letter Report, 04/24/98,
GAO/RCED-98-102).

Pursuant to a congressional request, GAO provided information on the
tracking, monitoring, and coordinating activities undertaken by the
agencies responsible for implementing recommendations made by the White
House Commission on Aviation Safety and Security and on the Federal
Aviation Administration's (FAA) progress in implementing eight of these
recommendations, focusing on: (1) how federal agencies responsible for
implementing aviation security recommendations track, monitor, and
coordinate their activities; (2) the progress that FAA has made in
implementing three of the Commission's aviation security recommendations
that were scheduled to be completed in fiscal year (FY) 1997 and whether
all implementation issues been resolved; and (3) the progress that FAA
has made in implementing five recommendations that were both recommended
by the Commission and mandated by Congress in 1996, and what major
issues need to be addressed before they can be fully implemented.

GAO noted that: (1) FAA is responsible for implementing 21 of the
Commission's 31 aviation security recommendations and most of the
Reauthorization Act's aviation security mandates; (2) FAA developed a
computerized system to track its progress in implementing each of the
Commission's recommendations; (3) in addition, FAA's Office of the Chief
Counsel established a separate computerized system for tracking the
activities required of the agency under the Reauthorization Act; (4)
eight other federal agencies, each of which is responsible for
implementing the Commission's other aviation security recommendations,
track progress through the operations of their program and budget
offices; (5) although the Department of Transportation's Office of the
Secretary provides quarterly reports to the National Security Council
and sends an annual report to the Vice President, neither the Security
Council nor any other agency is responsible for monitoring all of the
agencies' implementation efforts or ensuring coordination between
agencies; (6) without such oversight and coordination, issues that arise
between agencies may go unresolved; (7) of the three recommendations GAO
reviewed that FAA planned to complete in FY 1997, FAA has totally
implemented only one; (8) this recommendation--to give properly cleared
air carrier and airport security personnel access to classified
information they need to know--was completed on schedule; (9) FAA has
largely implemented the second recommendation--to establish procedures
for identifying passengers before they board an aircraft--through a
series of directives, one of which requires that passengers provide a
valid form of identification at the check-in counter; (10) the third
recommendation--to voluntarily establish a partnership between airport
and air carrier officials and law enforcement agencies to implement
security enhancements--has not been expanded to an additional 200
airports beyond the 41 established as a result of the Commission's
initial report and is 15 months behind schedule; (11) FAA has made
progress but encountered delays in implementing the five recommendations
made by the Commission and the similar mandates contained in the
Reauthorization Act; and (12) these delays have occurred, in large part,
because the recommendations involve new technologies and, in some cases,
require FAA to issue regulations.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  RCED-98-102
     TITLE:  Aviation Security: Implementation of Recommendations Is 
             Under Way, but Completion Will Take Several Years
      DATE:  04/24/98
   SUBJECT:  Transportation safety
             Safety standards
             Airline regulation
             Interagency relations
             Facility security
             Management information systems
             Accident prevention
             Safety regulation
             Airline industry
IDENTIFIER:  FAA Air Carrier Standard Security Program
             FAA Screener Proficiency Evaluation and Reporting System
             FAA Threat Image Projection System
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Report to Congressional Requesters

April 1998

AVIATION SECURITY - IMPLEMENTATION
OF RECOMMENDATIONS IS UNDER WAY,
BUT COMPLETION WILL TAKE SEVERAL
YEARS

GAO/RCED-98-102

Implementing Aviation Security Recommendations

(341536)


Abbreviations
=============================================================== ABBREV

  ACSSP - Air Carrier Standard Security Program
  ATF - Bureau of Alcohol, Tobacco and Firearms
  CAPS - Computer-Assisted Passenger Screening system
  DOT - Department of Transportation
  FAA - Federal Aviation Administration
  FBI - Federal Bureau of Investigation
  OMB - Office of Management and Budget
  SPEARS - Screener Proficiency Evaluation and Reporting System
  TIP - Threat Image Projection

Letter
=============================================================== LETTER


B-277482

April 24, 1998

The Honorable John McCain
Chairman, Committee on Commerce,
 Science, and Transportation
United States Senate

The Honorable Slade Gorton
Chairman, Subcommittee on Aviation,
Committee on Commerce,
 Science, and Transportation
United States Senate

As the threat of terrorist activities has increased in the United
States, the need to improve domestic aviation security has grown. 
Currently, the Federal Aviation Administration (FAA), other federal
agencies, and the aviation industry are implementing 31
recommendations on aviation security made by the White House
Commission on Aviation Safety and Security.  Some of these
recommendations are similar to legislative mandates enacted by the
Congress under the Federal Aviation Reauthorization Act of 1996.  The
expeditious implementation of these recommendations\1 by federal
agencies and the aviation industry is crucial to strengthening the
security of the domestic aviation system. 

This report responds to your request for information on the tracking,
monitoring, and coordinating activities undertaken by the agencies
responsible for implementing the recommendations made by the
Commission and on FAA's progress in implementing eight of these
recommendations, five of which are similar to mandates contained in
the Reauthorization Act of 1996.  As agreed with your offices, this
report addresses the following specific questions:  (1) How do the
federal agencies responsible for implementing aviation security
recommendations track, monitor, and coordinate their activities?  (2)
What progress has FAA made in implementing three of the Commission's
aviation security recommendations that were scheduled to be completed
in fiscal year 1997 and have all implementation issues been resolved? 
(3) What progress has FAA made in implementing five recommendations
that were both recommended by the Commission and mandated by the
Congress in 1996, and what major issues need to be addressed before
they can be fully implemented? 


--------------------
\1 Because these legislative mandates are similar to the
recommendations contained in the Commission's report, we will refer
to both as recommendations throughout this report. 


   RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

FAA is responsible for implementing 21 of the Commission's 31
aviation security recommendations and most of the Reauthorization
Act's aviation security mandates.  FAA developed a computerized
system to track its progress in implementing each of the Commission's
recommendations.  In addition, FAA's Office of the Chief Counsel
established a separate computerized system for tracking the
activities required of the agency under the Reauthorization Act. 
Eight other federal agencies, each of which is responsible for
implementing the Commission's other aviation security
recommendations, track progress through the operations of their
program and budget offices.  Although the Department of
Transportation's Office of the Secretary provides quarterly reports
to the National Security Council and sends an annual report to the
Vice President, neither the Security Council nor any other agency is
responsible for monitoring all of the agencies' implementation
efforts or ensuring coordination between agencies.  Without such
oversight and coordination, issues that arise between agencies may go
unresolved.  For example, the U.S.  Customs Service and the U.S. 
Postal Service, which were designated as co-leads for one
recommendation on Customs' authority to search outbound international
mail, have been unable to resolve their differences on this issue. 

Of the three recommendations we reviewed that FAA planned to complete
in fiscal year 1997, FAA has totally implemented only one.  This
recommendation--to give properly cleared air carrier and airport
security personnel access to classified information they need to
know--was completed on schedule.  FAA has largely implemented the
second recommendation--to establish procedures for identifying
passengers before they board an aircraft--through a series of
directives, one of which requires that passengers provide a valid
form of identification at the check-in counter.  However, FAA has not
incorporated these directives into the air carriers' security
program, as it planned to do by July 31, 1997.  FAA has postponed
amending the security program until it can incorporate information
from other ongoing recommendations.  The third recommendation--to
voluntarily establish a partnership between airport and air carrier
officials and law enforcement agencies (known as a consortium) to
implement security enhancements--has not been expanded to an
additional 200 airports beyond the 41 established as a result of the
Commission's initial report and is 15 months behind schedule. 
Expansion cannot occur until FAA determines whether it can exempt the
members of a consortium from penalties when the consortium
self-discloses security violations. 

FAA has made progress but encountered delays in implementing the five
recommendations made by the Commission and the similar mandates
contained in the Reauthorization Act.  These delays have occurred, in
large part, because the recommendations involve new technologies and,
in some cases, require FAA to issue regulations.  For the first
recommendation, no airline had initiated a computer-assisted
passenger profiling system systemwide by the planned implementation
date of December 31, 1997.  During January and February 1998, three
major air carriers implemented the system.  FAA's revised completion
date for implementation by other major carriers is September 1998--9
months past the agency's original implementation date.  For the
second recommendation, FAA is a year behind schedule in implementing
the deployment of explosives detection equipment.  The delays were
caused, in part, by the inexperience of the contractor hired to
install the equipment, and ongoing or planned construction projects
at certain airports impeded the installation of equipment.  FAA
officials told us that delays also occurred because they extended the
time period to install the equipment since they did not receive any
funding for additional equipment in fiscal year 1998.  The third
recommendation--matching bags with passengers identified through the
profiling system--cannot be completed until FAA analyzes the
operational and economic effects of the recommendation and issues a
final regulation.  For the fourth recommendation, FAA and the Federal
Bureau of Investigation (FBI) have had short delays in implementing
joint threat and vulnerability assessments at major airports because
of the time it took the agencies to develop the approach for
conducting these assessments.  However, FAA and the FBI may still be
able to complete the assessments by October 1999, as required by the
Reauthorization Act.  FAA will require airports and air carriers to
conduct the vulnerability assessments as mandated under the
Reauthorization Act after it has selected a standardized model for
conducting these assessments.  This model is expected to be available
in March 1999.  For the fifth recommendation, FAA has begun to
provide computer-based training for personnel who screen carry-on
bags.  However, it cannot complete this effort until it has issued
regulations for certifying screening companies, which are expected to
be issued in March 2000. 


   BACKGROUND
------------------------------------------------------------ Letter :2

In response to concerns about the crash of TWA Flight 800, the White
House Commission on Aviation Safety and Security was established in
July 1996 to look, first, at the changing security threat and how the
United States can address it and then to examine safety and air
traffic control issues in the aviation industry and how the
government should address them.  In September 1996, the Commission
issued its initial report, which contained 20 recommendations to
enhance the security of air travel.  The Federal Aviation
Reauthorization Act of 1996, enacted in October 1996, mandated some
actions similar to the Commission's recommendations. 

In February 1997, the Commission issued its final report, which
contained a total of 57 recommendations that focused on improving
aviation safety, making air traffic control safer and more efficient,
improving security for travelers, and responding to aviation
disasters.  Because our report deals exclusively with aviation
security, it discusses only the 31 recommendations for improving
aviation security contained in the Commission's report and related
legislative mandates authorized under the Reauthorization Act.  (See
app.  I for lists of the aviation security recommendations in the
Commission's final report and the aviation security mandates in the
1996 Reauthorization Act.)

As agreed with your office, we selected 8 of the 31 aviation security
recommendations for detailed review--3 of which were scheduled for
completion in fiscal year 1997 and 5 of which are similar to mandates
in the Reauthorization Act.  FAA is responsible for implementing 21
of the 31 aviation security recommendations in the Commission's
report.  Eight other federal agencies have the lead role for 1 or
more of the remaining 10 recommendations.  FAA is responsible for
implementing most of the aviation security mandates in the
Reauthorization Act. 


   AGENCIES HAVE ESTABLISHED
   METHODS OF TRACKING, BUT NO ONE
   AGENCY HAS OVERALL
   RESPONSIBILITY FOR MONITORING
   AND COORDINATING
   RECOMMENDATIONS
------------------------------------------------------------ Letter :3

Each of the agencies responsible for implementing the Commission's
recommendations has established its own tracking method.  These
tracking methods vary, as do the agencies' updating practices.  No
single agency is responsible for monitoring all of the agencies'
implementation efforts and ensuring coordination of interagency
issues. 


      FAA HAS ESTABLISHED A
      COMPUTERIZED SYSTEM FOR
      TRACKING ITS IMPLEMENTATION
      OF THE COMMISSION'S
      RECOMMENDATIONS
---------------------------------------------------------- Letter :3.1

FAA's Office of Aviation Policy and Plans developed a computerized
system to track and monitor the status of all 57 recommendations
contained in the Commission's report.  This system is incorporated
into the agency's local area network computer system and, for each
recommendation, was designed to provide data on the responsible lead
agency, the subtasks needed to implement the recommendation, the
target dates, and the status of the recommendation's implementation. 
Currently, FAA tracks only the recommendations for which it has the
lead responsibility.  In the fall of 1997, FAA stopped tracking
recommendations for which other agencies have the lead responsibility
because, according to an FAA official, it did not have control over
the work of other agencies. 

The ability to change data in the tracking system is controlled by
the Office of Aviation Policy and Plans, Planning Analysis Division;
however, anyone within FAA who has access to the agency's local area
network computer system can view the data.  An FAA official told us
that FAA does not validate the data after they have been entered into
the system.  The manager who oversees the system stated that his
office attempts to update information at least once a month.  Our
review of the data indicates that not all recommendations for which
FAA has the lead responsibility are updated monthly. 


      FAA'S OFFICE OF THE CHIEF
      COUNSEL SEPARATELY TRACKS
      MANDATES UNDER THE
      REAUTHORIZATION ACT
---------------------------------------------------------- Letter :3.2

FAA's Office of the Chief Counsel is responsible for tracking and
monitoring the progress of all legislative requirements.  Because the
Reauthorization Act contained many mandates, the Office of the Chief
Counsel established a computerized database; however, this database
is not linked to FAA's local area network computer system.  This
system is accessible only to the Office of the Chief Counsel, and
data are entered by a legislative analyst responsible for tracking
the mandates' implementation. 

The mandates cover a range of issues from acquisition management to
regulatory reform and, in some cases, require specific reports to the
Congress.  According to the responsible legislative analyst, she
updates the system approximately every 1 to 2 months and the Office
takes appropriate actions.  For example, if a mandated report to the
Congress is late on the basis of information provided by the relevant
program office, the Office will follow up to make sure that the
Congress is informed of the delay. 


      OTHER AGENCIES TRACK THEIR
      IMPLEMENTATION OF THE
      COMMISSION'S RECOMMENDATIONS
      THROUGH PROGRAM AND BUDGET
      OPERATIONS
---------------------------------------------------------- Letter :3.3

Agencies other than FAA are responsible for implementing 10 of the 31
aviation security recommendations contained in the Commission's final
report.  The following agencies are responsible for one
recommendation each:  the Department of Defense, the Department of
State, the Federal Bureau of Investigation, the National
Transportation Safety Board, and the Department of Transportation's
(DOT) Office of the Secretary.  The U.S.  Postal Service is
responsible for one recommendation and shares responsibility with the
U.S.  Customs Service (Customs) for another.  The Bureau of Alcohol,
Tobacco and Firearms (ATF) is responsible for the remaining three
recommendations. 

Because most of these agencies are responsible for only one
recommendation, they have not established a computerized tracking
system as FAA has done.  Instead, they track and monitor their
progress while performing routine activities, obtaining and reporting
information when requested by officials in their own agency, FAA, or
DOT's Office of the Secretary.  For example, FBI officials use
reporting mechanisms maintained by the agency's budget office to
track the deployment of additional staff for work on aviation
security, as called for in the Commission's recommendations. 
Similarly, Department of Defense officials told us that they use
meetings and existing internal reporting systems to track the
activities of the four working groups that are implementing the
Department's recommendation. 


      RESPONSIBILITY FOR
      OVERSEEING AGENCIES'
      IMPLEMENTATION OF AVIATION
      SECURITY RECOMMENDATIONS IS
      NOT CENTRALIZED
---------------------------------------------------------- Letter :3.4

While many agencies are involved in implementing the Commission's
recommendations, no single entity has overall responsibility for
managing their implementation and coordinating issues between
agencies.  In March 1997, after the Commission issued its final
report, DOT convened an interagency meeting to discuss lead and
supporting roles related to the Commission's recommendations.  The
agencies represented at that meeting included DOT's Office of the
Secretary, FAA, and the other agencies that might be responsible for
implementation.  No agency assumed responsibility for following up to
ascertain whether agencies were fulfilling the lead and supporting
responsibilities discussed during the interagency meeting. 

Using the tracking system it has developed, FAA prepares reports as
requested by FAA's and DOT's management to summarize its progress in
implementing the Commission's recommendations.  As of March 9, 1998,
managers from FAA and DOT's Office of the Secretary had reviewed the
agency's progress at 10 meetings with the FAA Administrator and other
top-level FAA and DOT officials.  In addition, as of that date, DOT's
Office of Intelligence and Security had prepared four quarterly
reports for the National Security Council's review.  The reports had
been requested by the National Security Council as part of its
counter-terrorism responsibilities.  A National Security Council
official said that the Council is more interested in learning of any
security weaknesses than in tracking the status of the
recommendations' implementation.  For example, this official said
that the Council has been concerned because no funds were provided
for explosives detection equipment in FAA's fiscal year 1998 budget. 
In addition to these reports, the Secretary of Transportation is
directed in the Commission's report to prepare an annual report on
the status of implementing all 57 of the recommendations contained in
the report.  According to the first annual report, which was issued
to the Vice President on February 12, 1998, 8 of the 31
recommendations dealing with aviation security had been completed.\2

Furthermore, the annual report noted that FAA and the other federal
agencies are continuing to make progress on most of the remaining 23
recommendations.  Although a number of the recommendations discussed
in the annual report are similar to mandates contained in the
Reauthorization Act, the report does not jointly discuss the
recommendations and the mandates or the related progress associated
with both. 

An issue that we found in the absence of oversight and coordination
of interagency issues is a disagreement between Customs and the
Postal Service about one Commission recommendation (see app.  I,
table I.1, recommendation 3.4) and its implementation through a
legislative proposal that would allow Customs to search, without a
warrant, domestic mail handled by the U.S.  Postal Service that is
destined for international locations.  Currently, Customs has the
authority to search without a warrant for explosives and other threat
objects on inbound international mail and cargo.  Customs has led
this recommendation's implementation, stating that it has worked with
the Departments of the Treasury and Justice.  However, Customs has
not worked with the Postal Service, the other agency designated at
the interagency meeting as the co-lead for implementing this
recommendation. 

To implement this recommendation, Customs has proposed a provision in
the administration's draft International Crime Control Act to give it
authority to search outbound international mail without a warrant. 
Customs has met with the Office of Management and Budget (OMB) to
coordinate the proposal through the legislative process.  As of April
8, 1998, the proposal was being reviewed by OMB.  This proposed
authority would parallel Customs' current law enforcement authority,
which generally allows Customs to search persons and property
entering or leaving the country.  Customs officials also told us they
already have authority to examine private companies' inbound and
outbound express mail but do not have authority to search U.S. 
Postal Service's outbound international mail.  The Postal Service has
long opposed such authority for searching outbound international mail
as contrary to its authority to protect the mail from unwarranted
searches.  Postal Service officials said that Customs neither
consulted with them nor provided a copy of the legislative proposal
for their review.  Customs officials confirmed that they had not
consulted with the Postal Service on this proposal but stated that
they had consulted a number of times over the last 12 years on
similar proposals.  Postal officials stated that there is no
consensus between Customs and the Postal Service on this issue. 

Several years ago, the Postal Service established an aviation mail
security program for domestic and outbound international mail in
cooperation with FAA.  This program is deployed systemwide in postal
facilities.  Postal Service officials told us that Customs' proposal
would duplicate their efforts to screen outbound international mail
and could delay the delivery of time-sensitive mail.  As to the
possible delays, Customs officials told us that their examination of
inbound U.S.  mail and private companies' outbound express mail has
caused little or no delay.  According to a Customs official, there
are no reasons why the mail would be delayed if the proposal were
enacted.  However, Postal Service officials stated that the inbound
mail program, from their perspective, has not been problem-free and
that the volume of outbound mail is significantly higher than
inbound, which could cause delays. 

According to a Customs official, the agency and the Postal Service
have disagreed over Customs' authority to examine outbound
international mail for at least 12 years.  Neither Customs nor the
Postal Service officials we contacted knew whether there was a focal
point for coordinating the Commission's recommendations.  A Customs
official said that no one has attempted to mediate the opposing
positions between Customs and the Postal Service and that legislative
action appears to be the only way to resolve it.  However, the Postal
Service believes that there is no demonstrated aviation security need
for warrantless outbound search authority and that, therefore, the
legislation is neither needed nor appropriate in connection with this
issue.  Postal Service officials told us that they have expressed
their views to OMB to persuade it not to proceed with the
legislation.  According to Postal Service officials, OMB told them
that it would take their comments and views under advisement. 


--------------------
\2 White House Commission on Aviation Safety and Security - The DOT
Status Report (Feb.  1998). 


   WORK REMAINS ON MOST
   RECOMMENDATIONS THAT WERE
   SCHEDULED FOR COMPLETION IN
   FISCAL YEAR 1997
------------------------------------------------------------ Letter :4

FAA planned to implement three of the Commission's aviation security
recommendations in fiscal year 1997; it fully implemented one of
them.  The agency has substantially implemented the second
recommendation; progress is being made on the third, although it has
fallen 15 months behind schedule.  The recommendations FAA targeted
for completion in fiscal year 1997 built on existing programs and
airport relationships and did not require the development and
deployment of complex technologies.  The purpose of these
recommendations was to quickly enhance the capabilities of airport
and air carrier personnel in identifying and addressing risks.  Table
1 identifies the three recommendations that FAA expected to complete
in fiscal year 1997. 



                                     Table 1
                     
                     Recommendations Scheduled for Completion
                               in Fiscal Year 1997

Commission's recommendations
--------------------------------------------------------------------------------
Give properly cleared airline and airport security personnel access to
classified information they need to know

Work with airline and airport consortia to ensure that all passengers are
positively identified and subjected to security procedures before boarding an
aircraft

Establish consortia at all commercial airports to implement enhancements to
aviation safety and security
--------------------------------------------------------------------------------
FAA implemented the first recommendation by providing security
clearances and granting access to classified information to airport
and airline officials.  However, a majority of the airport officials
we met with questioned the need for clearances, since they believed
that the classified information they received was not useful and
timely.  FAA officials stated that they have attempted to get the
maximum amount of information out in unclassified form by obtaining
declassified versions of originally classified information from the
originating intelligence agencies so that it could be shared with all
airport and air carrier security officials whether or not they had
security clearances. 

FAA has substantially completed the recommendation to ensure that
passengers are positively identified when boarding an aircraft;
however, delays have occurred that prevent FAA from considering this
recommendation as completed (see fig.  1).  Over the past several
years, FAA has issued a series of security directives designed to
positively identify ticketed passengers and subject them to security
procedures.  For example, one of the directives establishes
procedures for positively identifying passengers by requiring them to
provide a valid form of identification at the check-in counter. 
However, FAA has not yet incorporated these directives and other
procedures, as it had planned, into the air carriers' security
program--the Air Carrier Standard Security Program (ACSSP).  Amending
the ACSSP is taking longer than expected because FAA received many
significant comments from air carriers on proposed changes and had to
obtain a second round of comments on a revised proposal.  FAA also
decided to wait until it had addressed some technological issues,
such as computer-assisted passenger screening procedures, before
completing the ACSSP.  FAA has fallen over 10 months behind its
initial completion date of July 31, 1997, and now plans to complete
this recommendation by May 1998. 

   Figure 1:  Comparison of FAA's
   Planned and Currently Estimated
   Dates for Completing Three
   Recommendations

   (See figure in printed
   edition.)

Similarly, although consortia--a partnership between airport and air
carrier officials and law enforcement agencies to review security
issues--were formed at 41 airports in 1996, shortly after the
Commission issued its initial report, FAA has not expanded the
voluntary consortia program called for in the Commission's final
report.  FAA cannot issue new guidance for consortia until it has
determined whether airports and air carriers will be subject to
penalties when consortia self-disclose security violations.  Air
carrier and airport officials told us that they do not want to
disclose security violations unless they have some assurance that
they will not be penalized.  FAA's Office of the Chief Counsel is
still examining this issue and expects to issue a ruling in April
1998.  FAA plans to issue the guidance shortly after the legal
ruling.  As figure 1 shows, FAA postponed issuing its guidance on
consortia for 12 months and extended its date for fully implementing
the recommendation--to establish consortia at another 200 airports. 
The new completion date, December 1998, is 15 months later than
originally planned. 

Once FAA has implemented these two recommendations, air carriers will
need to follow the revised ACSSP, and airports will need to decide if
they want to establish consortia.  (See app.  II for a more detailed
discussion of each of these recommendations.)


   COMPLEX RECOMMENDATIONS ARE
   TAKING LONGER TO IMPLEMENT THAN
   PLANNED
------------------------------------------------------------ Letter :5

FAA is making progress on the five recommendations we reviewed that
were both recommended by the Commission and mandated by the
Reauthorization Act but has encountered delays of up to 12 months. 
Table 2 lists the five recommendations we reviewed.  While these
recommendations, such as developing computer-assisted passenger
profiling and automated passenger-bag match systems,\3 are critical
for improving security, their implementation is taking longer than
initially planned because they involve new and relatively untested
technologies.  In addition, FAA must develop regulations that set
forth the requirements for these recommendations.  After it has
completed the regulations, others must carry out the requirements. 
Therefore, full implementation cannot occur until airports, air
carriers, and screening companies have established programs that meet
the new regulatory requirements. 



                                     Table 2
                     
                        Commission's Recommendations to Be
                       Completed After Fiscal Year 1997 and
                           Related Legislative Mandates

Commission's recommendations        Reauthorization Act's mandates
----------------------------------  --------------------------------------------
Complement technology with          Assist air carriers in developing computer-
automated passenger profiling       assisted passenger profiling program in
                                    conjunction with other security measures and
                                    technologies

Deploy existing technology          Facilitate the deployment of approved
                                    commercially available explosives detection
                                    devices

Begin implementation of full        Issue a report on the bag match pilot
passenger-bag match\a               program to the Congress

Conduct airport vulnerability       Conduct joint FAA-FBI threat and
assessments and develop action      vulnerability assessments on aviation
plans                               security every 3 years or more frequently,
                                    as necessary, at high-risk airports

                                    Require airports and air carriers to conduct
                                    periodic vulnerability assessments

Certify screening companies and     Certify screening companies and improve the
improve screeners' performance      training and testing of security screeners
                                    through the development of uniform
                                    performance standards
--------------------------------------------------------------------------------
\a The Commission's final report states that bag match should be
initially based on a passenger profiling system.  According to FAA's
interpretation of the Commission's final report, full passenger-bag
match will consist of matching those passengers, who are either
randomly selected or identified through the profiling system, with
their bags. 

Before the Commission issued its final report, FAA started working
with air carrier and airport officials and with private companies to
resolve the technological issues underlying the implementation of the
five recommendations.  These recommendations are interrelated.  For
example, computer-assisted passenger profiling can identify
passengers who should be subjected to additional screening
procedures, which could include physical searches of bags,
examination of bags by explosives detection equipment, and matching
of bags to passengers when they board the aircraft. 

Many of the dates to complete the recommendations were, according to
FAA officials, ambitious because of, among other reasons, the
technological complexities associated with these recommendations and
the time needed to proceed through the regulatory process.  FAA
officials told us that a number of the milestones for completing the
recommendations were initially established by the Commission, the
Secretary of Transportation, or FAA on the basis of their best
estimates of the efforts required to implement them.  As FAA
officials have gained experience, they have revised the milestones to
take into account the complexities and time-consuming activities
associated with the recommendations.  As figure 2 illustrates, FAA
extended the completion dates for most recommendations we reviewed. 

   Figure 2:  Comparison of
   Planned and Currently Estimated
   Milestones for Recommendations
   to Be Completed After Fiscal
   Year 1997 and Related
   Legislative Mandates

   (See figure in printed
   edition.)

\a All but one of the major air carriers plan to have implemented
computer-assisted passenger profiling by September 30, 1998. 

\b The Commission believed that passenger-bag match, initially based
on profiling, should be implemented no later than December 31, 1997. 
FAA plans to issue a final regulation on passenger-bag match in
November 1998; implementation by air carriers will be required within
30 days. 

\c FAA expects to begin deployment of Threat Image Projection (TIP)
systems in April 1998. 

\d TIP systems were deployed to FAA's existing certified systems in
March 1998. 

\e FAA's deployment of Screener Proficiency Evaluation and Reporting
System (SPEARS) for the certified explosives detection systems has
been postponed until a licensing agreement between the system
manufacturer and the program developer has been executed.  While FAA
has not set a firm date for deployment, FAA officials told us that
depending on resolution of the licensing issues and the availability
of funding, they expect to begin deployment of SPEARS in the last
quarter of fiscal year 1998 or the first quarter of fiscal year 1999. 


--------------------
\3 Under the Reauthorization Act, FAA is required to issue a report
on its passenger-bag match pilot program to the Congress. 


      FAA IS MAKING PROGRESS, BUT
      DELAYS HAVE OCCURRED
---------------------------------------------------------- Letter :5.1

FAA has made progress in implementing the five recommendations we
reviewed, but it has not met its target dates because, among other
reasons, implementation involved relatively new and untested
technologies.  The following briefly discusses the status of each of
the five recommendations we reviewed and the actions that FAA and
others need to take before they can be fully implemented.  (See app. 
III for more details on the status of these recommendations;
implementation issues; and, where applicable, observations we made
during field visits to airports.)


         AUTOMATED PASSENGER
         PROFILING
-------------------------------------------------------- Letter :5.1.1

On the basis of the Commission's recommendation for implementing
automated passenger profiling, FAA developed a computer-assisted
passenger screening (CAPS) system that enables air carriers to more
quickly separate passengers into two categories--those who do not
require additional security attention and those who do.  This
automated screening permits the carriers to focus on the small
percentage of passengers who may pose a security risk and whose bags
should be screened by explosives detection equipment or matched with
the boarding passenger.  Northwest Airlines began to develop a CAPS
system with funding from FAA in 1994.  According to FAA's original
plan, all air carriers would have had a CAPS system in place by
December 31, 1997.  No air carriers met this implementation date. 
Northwest Airlines, however, had this system in place the following
month and, in February 1998, two other major air carriers implemented
the system.  Most of the other major carriers are either testing the
system or still integrating it into their reservation systems.  FAA
also needs to issue a regulation governing this system.  FAA's
revised completion date for implementation by all but one of the
other major carriers is September 1998--9 months past the original
implementation date.\4 To facilitate implementation, FAA set aside
funds to subsidize air carriers' costs of integrating CAPS into their
reservation systems. 


--------------------
\4 One major carrier is changing its reservation company and will not
have CAPS available until some time after the switch to the new
reservation company occurs in November 1998. 


         DEPLOY EXISTING
         TECHNOLOGIES
-------------------------------------------------------- Letter :5.1.2

The Congress provided $144.2 million in the Omnibus Consolidated
Appropriations Act of 1997 for the purchase of commercially available
advanced security screening equipment for checked and carry-on
baggage.  FAA planned to deploy 54 certified explosives detection
systems to screen checked bags\5 and 489 trace detection devices\6 to
screen passengers' carry-on bags at major airports by December 1997;
however, it did not meet this goal.  As of March 10, 1998, FAA had
deployed 13 certified explosives detection systems and, as of January
9, 1998, 125 trace detection devices.  FAA plans to have all 54
certified systems and another 22 noncertified devices for screening
checked bags, along with 489 trace detection devices for screening
carry-on bags, installed and operational by December 1998.\7 Thus, by
the time FAA completes this recommendation, it will be a year behind
schedule in achieving the increased security for checked and carry-on
bags that these funds supported. 

FAA's deployment of the explosives detection equipment was delayed
for a number of reasons.  According to FAA officials, they extended
the time period to install the equipment because the agency did not
receive funding for additional equipment in fiscal year 1998.  Also,
they said, ongoing or planned construction at certain airports
impeded the installation of equipment.  In addition, several air
carrier officials and an equipment company representative told us
that delays occurred because the company installing the equipment to
screen checked bags was inexperienced.  Some screening staff told us
that they were not always prepared to operate the equipment when it
was installed. 


--------------------
\5 FAA has only one certified explosives detection system that meets
the certification standards for screening checked bags.  Other
devices that are commercially available have limitations that prevent
them from meeting the required standards. 

\6 Trace detection devices use either a vacuum system or a "wipe" to
sample vapors or pick up particles of explosives on the surfaces of
various objects. 

\7 In addition to the 54 certified systems, FAA has updated three
systems that were used in a demonstration program to match the
improvements made to the 54 being installed.  These 3 systems are
operating at 2 airports, bringing the total number of systems that
will be deployed to 57. 


         BEGIN IMPLEMENTATION OF
         FULL PASSENGER-BAG MATCH
-------------------------------------------------------- Letter :5.1.3

Before the Commission's reports were issued, FAA began examining the
feasibility of matching bags with passengers to ensure that the
baggage of anyone who does not board a plane is removed.  FAA
completed a pilot program at selected airports in June 1997.  The
Reauthorization Act required FAA to report on this pilot program to
the Congress within 30 days after its completion.  FAA planned to
send a report on the program's operational effects to the Congress by
July 31, 1997.  FAA also planned to complete an economic analysis of
the impact of matching passengers and bags systemwide in September
1997.  At the urging of the airline industry, FAA agreed to combine
these reports and issue one report by December 31, 1997.  FAA advised
the Congress of this delay.  This report to the Congress is now
expected to be issued by June 30, 1998--almost a year later than
required by the Reauthorization Act. 

According to FAA, some passengers and bags are being matched for
domestic flights using a manual profiling system.  In addition,
during January and February 1998, three air carriers began matching
bags to passengers selected for additional security measures through
their CAPS system.  According to several of the air carrier officials
we spoke with who had participated in the pilot passenger-bag match
program, they would not be able to match all passengers with their
bags for every flight because too many delays would occur.  They said
that they would not object to a passenger-bag match program based on
a CAPS system that would limit the number of passengers and bags to
be matched. 


         VULNERABILITY ASSESSMENTS
-------------------------------------------------------- Letter :5.1.4

FAA has three separate efforts under way to implement the various
recommendations involving vulnerability assessments.  First, to
conduct vulnerability assessments and develop action plans, as the
Commission recommended, FAA is developing a standardized model for
conducting airport vulnerability assessments.\8 FAA is working with
several companies that are using different vulnerability assessment
models at 14 major airports.  These assessments began in January 1998
and are to be completed by August 1998.  FAA has established a panel
to review the results and select the best model for assessing a
facility's vulnerabilities.  FAA plans to make this model available
to those who have responsibility for performing assessments,
including FAA inspectors, airports, air carriers, and consortia, to
meet the various requirements for conducting assessments and
identifying vulnerabilities at individual airports.  FAA plans to
have this model available in March 1999.  Although some delays have
occurred in starting these assessments, they have not been
significant.  The delays occurred in the course of soliciting and
awarding contracts to six firms and the Department of the Navy, which
will conduct the assessments.  FAA has requested $2 million in its
fiscal year 1999 budget to perform additional assessments at other
airports. 

Second, to address the requirement for joint threat and vulnerability
assessments under the Reauthorization Act, FAA and FBI conducted
their first assessment in December 1997 and began conducting one to
two each month starting in February 1998.  These assessments differ
from the above effort to develop a model because the results of the
joint assessments will be used for comparing threat and
vulnerabilities at different airports.  By having both threat and
vulnerability information, FAA and FBI should be able to determine
which airports and areas of airports present the highest risks. 
Initially, FAA selected a pool of 72 airports, which account for 92
percent of commercial travelers in the United States, as candidates
for the joint assessments.  In January 1998, FAA and FBI agreed to a
schedule for assessing 31 high-risk candidates by the end of calendar
year 1999 from the pool of 72 airports.  Under the Reauthorization
Act, the initial assessments are to be completed by October 9, 1999. 
According to the schedule for the joint vulnerability assessments,
FAA and FBI plan to complete their reviews at 28 of the 31 airports
by this date.  However, an FAA official acknowledged that as the
agencies gain experience in conducting these assessments, they may be
able to conduct more per month than scheduled. 

Third, the Reauthorization Act mandates that FAA require airports and
air carriers to conduct periodic vulnerability assessments.  FAA
plans to implement this requirement through a security program change
rather than through the rulemaking process.  Airports and air
carriers will have to incorporate this requirement into their
individual security programs.  However, before implementing this
change, FAA said, it intends to make the standardized model it is
currently developing available to both airports and air carriers for
use in conducting these assessments.  According to the Director of
the Office of Civil Aviation Security Policy and Planning, FAA
expects the model to be available in March 1999 and the required
implementation of the assessments to begin around mid-1999. 


--------------------
\8 Under the Omnibus Consolidated Appropriations Act for fiscal year
1997, the Congress appropriated $5.5 million to conduct periodic
vulnerability assessments using models and to develop actions plans
for each airport.  Because the Commission's final report in February
1997 also recommended using models to conduct vulnerability
assessments, FAA is implementing both requirements under a
consolidated approach. 


         CERTIFY SCREENING
         COMPANIES AND IMPROVE
         SCREENERS' PERFORMANCE
-------------------------------------------------------- Letter :5.1.5

Certifying the companies that air carriers contract with to provide
security at airport security check points would ensure that these
companies meet established standards and consistent qualifications. 
FAA issued an Advance Notice of Proposed Rulemaking in March 1997 for
certifying screening companies and expected to complete the final
regulation in March 1999, well ahead of its original target date of
December 1999; however, FAA later changed this date to March 2000 to
allow additional time for developing performance standards based on
screener performance data.  Several screening company officials we
spoke with said that certification was a good idea; others had no
comment. 

Improving the training and testing of people hired by these companies
to screen passengers' baggage at airport security checkpoints would
also improve aviation security.  Currently, the people who are hired
to screen baggage attend a standardized classroom training program,
but FAA believes that the use of a computerized, self-paced training
program would have benefits.  FAA began developing such a
computerized training and testing system, called the Screener
Proficiency Evaluation and Reporting System (SPEARS), well before the
Commission issued its initial report and the Reauthorization Act was
enacted.  As of February 1998, FAA had deployed computer-based
training systems for personnel who use X-ray machines for screening
carry-on bags at 17 major airports.  Deployment is planned for two
additional major airports by May 1998.  FAA has also awarded a
contract to deploy these systems at another 60 airports.  As of March
11, 1998, FAA had decided to deploy only 15 of the 60 training
systems because it lacked necessary funding.  If funds are available,
FAA plans to deploy the other 45 systems by the end of fiscal year
1998 or early fiscal year 1999.  The screening companies we spoke
with responded favorably to the computer-based training program. 

A second computer-based training program for the only certified
explosives detection system used to screen checked bags will not be
deployed until after FAA validates the training program, the company
that developed the training program reaches an agreement on the
licensing of the program with the manufacturer of the certified
system, and funding becomes available.  Another computerized system,
the Threat Image Projection system, also known as TIP, which is used
to test screeners' effectiveness, is in the process of being
deployed.  FAA began deploying this testing system during the week of
March 23, 1998, for use by the certified explosives detection systems
that are currently in place.  FAA also plans to deploy 284 of these
testing systems for use with X-ray devices used for screening
carry-on bags at major airports starting in April 1998.  Data from
these systems will be used to develop performance standards that FAA
plans to incorporate into the regulation for certifying screening
companies. 


      COMPLETION OF FIVE
      RECOMMENDATIONS REQUIRES FAA
      AND OTHERS TO TAKE ACTIONS
---------------------------------------------------------- Letter :5.2

FAA or others need to take additional actions before these five
recommendations can be completed.  FAA is currently evaluating new
security technologies.  It has also begun the rulemaking process for
several recommendations.  After FAA completes the evaluations and
rulemaking, air carriers, airports, and screening companies will need
to implement the requirements for programs, such as passenger-bag
match and the certification of screening companies.  Therefore, full
implementation of the recommendations should not be expected
immediately after FAA completes its work.  (App.  III contains a
detailed description of the implementation issues associated with
each recommendation.)


         OPERATIONAL ISSUES NEED
         TO BE ADDRESSED
-------------------------------------------------------- Letter :5.2.1

FAA needs to evaluate several pilot programs that are associated with
specific recommendations.  For example, the deployment of explosives
detection equipment involves several evaluations.  First, FAA needs
to learn more about how well the certified equipment works in the
field, as well as what issues airports confront in installing the
equipment, so that it can decide on future deployment strategies for
screening checked baggage.  FAA's recently completed evaluation of
trace detection equipment for carry-on baggage will guide FAA's
purchase of the remaining pieces of equipment.  Finally, the
effective use of equipment in an airport environment depends on the
effectiveness of the personnel using it.  Currently, two different
methods are being used to train personnel who screen baggage at
security checkpoints:  the traditional classroom training and the new
computer-based training program.  FAA plans to compare the results of
the computer-based training, a pilot program, with the currently used
classroom training program.  FAA must also validate the
computer-based training program for the certified explosives
detection system before the program can be pilot-tested. 

FAA must analyze the results of the various models being used by
contractors to assess the vulnerability of airports.  FAA plans to
complete this analysis, which will include a review by an expert
panel, by the end of calendar year 1998.  As of March 9, 1998, FAA
expected the model to be available for use by March 1999.  FAA will
also need to complete its economic analysis of matching passengers
and bags before it can issue the required report to the Congress. 

The Commission envisioned a federal investment of approximately $100
million annually to enhance aviation security.  The President's 1999
budget requested $100 million to continue the implementation of
explosives detection devices as recommended by the Commission. 
Several air carrier and screening company officials have expressed
concerns about who will pay to maintain the equipment and to upgrade
the software as improvements are made. 


         RULEMAKING HAS SEVERAL
         TIME-CONSUMING STEPS
-------------------------------------------------------- Letter :5.2.2

FAA needs to complete two rulemakings, now scheduled for completion
in December 1998 and March 2000.  Some of the rulemaking depends on
information obtained in the evaluations.  Rulemaking is a multistep
process that results in the issuance of final regulations for
implementing programs.  The rulemaking process may begin with an
Advance Notice of Proposed Rulemaking.  This notice, which FAA has
issued as a first step in developing a regulation for certifying
screening companies, solicits information from affected parties, such
as air carriers, airports, and screening companies.  Next, FAA must
analyze this information and use it to develop a proposed regulation
(called a Notice of Proposed Rulemaking), which it then publishes for
comment.  On the basis of the comments it receives, FAA then revises
the proposed regulation, obtains clearance from OMB, and issues the
regulation.  FAA must issue a regulation within 16 months of the
final day of the public comment period on a Notice of Proposed
Rulemaking.  If the process includes an Advance Notice of Proposed
Rulemaking, FAA must issue a final rule within 24 months of when the
Notice of Proposed Rulemaking is published.  The entire process,
including the drafting of the notice--whether it includes an advance
notice or a notice--can take several years for complex issues. 

Regulations are planned for three recommendations--the automated
passenger profiling and the automated passenger-bag match, both of
which are being addressed under the same regulation, and the
screening company certification and screener training.  FAA has
changed the completion date for issuing the final regulation for
certifying screening companies from March 1999 to March 2000. 
According to FAA officials, they need the extra time to gather data
from the TIP systems to develop and incorporate standards for
screener's performance into the final regulation.  In addition, the
regulatory process will take time, since screening companies have not
previously been regulated by the federal government and screening
company representatives have expressed an interest in how these
regulations will affect their operations.  Some air carriers have
also expressed concerns about how a regulation on matching bags and
passengers might be structured because its implementation could delay
flights.  Figure 3 shows FAA's progress in completing the rulemaking
process for these recommendations. 

   Figure 3:  Status of
   Rulemakings

   (See figure in printed
   edition.)

\a FAA will cover these recommendations under one regulation. 

\b In November 1997, FAA moved the completion date up to March 1999
from December 1999; however, as of March 11, 1998, this date was
changed to March 2000. 


         ACTIONS ARE REQUIRED BY
         OTHERS FOR FULL
         IMPLEMENTATION
-------------------------------------------------------- Letter :5.2.3

Although air carriers, airports, and screening companies are taking
some steps to implement the recommendations, full implementation will
not occur until after FAA has issued various regulations.  For
example, air carriers and their reservation companies will have to
develop and implement a CAPS system and a passenger-bag match program
based on an automated passenger profiling system in accordance with
FAA's regulation.  FAA plans to issue the regulation by December
1998.  As discussed earlier, some air carriers have already
voluntarily implemented both of these actions and others expect to do
so before the regulation is issued.  Screening companies will have to
apply for certification and meet various requirements after FAA
issues its regulation.  Thus, the recommendations will not be fully
implemented until some time after FAA completes its actions. 


   CONCLUSIONS
------------------------------------------------------------ Letter :6

Each of the agencies responsible for implementing the Commission's
recommendations has established its own tracking methods.  This
decentralized approach has generally been adequate to track and
monitor the Commission's recommendations.  Although the Office of the
Secretary of Transportation provides quarterly reports to the
National Security Council and annual reports to the Office of the
Vice President on the implementation of all 57 of the Commission's
recommendations, no single federal agency is responsible for
tracking, monitoring, and coordinating the activities associated with
implementing the recommendations.  Consequently, issues that arise
between agencies may go unresolved.  For one such
recommendation--Customs' authority to search outbound international
mail without a warrant--Customs is proceeding to implement the
recommendation by developing legislation to secure this authority. 
However, the Postal Service strongly opposes such authority being
granted to Customs. 

The Reauthorization Act requires specific reports, such as the report
to the Congress that was due 30 days after the completion of the
pilot program for passenger-bag match.  The act does not require a
comprehensive report--comparable to the Secretary of Transportation's
annual report required by the Commission--on FAA's progress in
implementing the act's aviation security mandates.  Because the
Congress enacted these mandates and provides funds for implementing
both the mandates and some of the Commission's recommendations, it
has an interest in FAA's progress.  If the scope of the annual report
that the Office of the Secretary of Transportation currently provides
to the Office of the Vice President were broadened to include
information on FAA's progress in implementing the Reauthorization
Act's mandates, that expanded report could provide the Congress with
additional information for budgetary and programmatic oversight. 

FAA is making progress in implementing the eight recommendations we
reviewed but has encountered some delays and extended some completion
dates.  Given that these recommendations involve new technologies,
require FAA to follow time-consuming rulemaking processes, and
require the aviation industry to take action, further delays are
possible. 


   MATTER FOR CONGRESSIONAL
   CONSIDERATION
------------------------------------------------------------ Letter :7

To have relevant information for budgetary and programmatic
oversight, the Congress may wish to require the Secretary of
Transportation to provide it with an annual report that combines both
the federal agencies' progress in implementing the Commission's
recommendations, as contained in the Secretary of Transportation's
annual report, and FAA's progress in implementing the Reauthorization
Act's aviation security mandates. 


   AGENCY COMMENTS
------------------------------------------------------------ Letter :8

We provided copies of a draft of this report to the Department of
Transportation (DOT) and the Federal Aviation Administration (FAA)
for their review and comment.  We met with DOT and FAA officials,
including FAA's Associate Administrator for Civil Aviation Security,
its Director of the Office of Civil Aviation Security Policy and
Planning, and its Deputy Director of the Office of Civil Aviation
Security Operations to obtain their comments.  DOT and FAA generally
agreed with the information in our report and provided technical
corrections, which were incorporated into the report where
appropriate.  However, they disagreed with one issue.  During our
review, FAA officials told us that FAA did not plan to initiate a
rulemaking that would require airports and air carriers to conduct
periodic vulnerability assessments as mandated under the
Reauthorization Act.  Instead, FAA planned to let consortia, where
formed, decide whether they wish to conduct the assessments. 
However, FAA's Director of the Office of Civil Aviation Security
Policy and Planning stated that FAA will require these assessments by
changing airports' and air carriers' security programs instead of
going through the rulemaking process.  As a result, we have deleted
our recommendation that FAA either implement the requirement as
mandated by the Congress or inform the Congress of the agency's
intention to deviate from the law's requirements and seek a
legislative remedy. 

We also provided copies of the draft to the Departments of Defense,
State, Treasury, and Justice; the National Transportation Safety
Board; the Postal Service; and the National Security Council.  Except
for the Department of the Treasury and the U.S.  Postal Service, the
other agencies provided comments on our draft which did not require
any change to our report. 

In its comments (see app.  V), the Department of the Treasury states
that our discussion of the dispute between Customs and the Postal
Service should be deleted because it does not address our objective
of determining how federal agencies responsible for implementing
aviation security recommendations track, monitor, and coordinate
their activities.  We disagree and believe that the discussion is
germane to the issue of coordination because the Postal Service was
designated as a co-lead on implementing this recommendation. 
According to Customs officials, they did not consult with the Postal
Service in drafting the proposed legislative section that would grant
authority to Customs to search outbound international mail. 

Treasury also states that our report is misleading by suggesting that
the "disagreement" between Customs and the Postal Service remains
open.  Treasury assumes that because the Commission has made a
recommendation, the differences between Customs and the Postal
Service are resolved and that, therefore, GAO has inappropriately
characterized the status of the recommendation.  We disagree.  We
believe our report characterizes the situation as it currently
exists, that is, the disagreement remains open because the Postal
Service opposes the recommendation.  In its comments on a draft of
this report (see app.  VI), the Postal Service expressed its
continued opposition to recommendation 3.4, which would grant Customs
the authority to search outbound international mail, and presented a
number of concerns it has about the implementation of this
recommendation. 

We recognize that the Department of the Treasury and the Postal
Service have opposing views on the recommendation.  Our report does
not take a position on these views but acknowledges that disagreement
continues to exist.  Regardless of the positions taken by either
agency, it is our obligation to inform the Congress on issues that
could affect its deliberations involving legislative matters that
come before it.  Where appropriate, we have clarified our report on
the basis of the Department of the Treasury's and the Postal
Service's comments. 


   SCOPE AND METHODOLOGY
------------------------------------------------------------ Letter :9

In determining how federal agencies track, monitor, and coordinate
activities for implementing the Commission's recommendations and the
Reauthorization Act's mandates, we secured and analyzed various
status reports generated by FAA.  For the other agencies, we acquired
and analyzed data supporting their activities.  We supplemented these
reports and data through discussions with agency officials.  On the
basis of discussions with your offices, we analyzed the 31 security
recommendations that resulted in the selection of 8 recommendations
for review--3 that were due to be completed in fiscal year 1997 and
another 5 that are similar to mandates contained in the
Reauthorization Act.  To determine the progress made in implementing
these recommendations and the issues remaining to be addressed before
full implementation can occur, we held discussions with FAA officials
at headquarters and in the field.  We also held discussions on the
same topics with airport, air carrier, and screening company
officials at seven airports.  (See app.  IV for further details on
our scope and methodology.) We performed our work from June 1997
through March 1998 in accordance with generally accepted government
auditing standards. 


---------------------------------------------------------- Letter :9.1

As arranged with your offices, unless you publicly announce its
contents earlier, we plan no further distribution of this report
until 7 days after the date of this letter.  At that time, we will
send copies to the cognizant congressional committees; the Office of
the Vice President; the Secretary of Transportation; the
Administrator of the Federal Aviation Administration; the Secretary
of Defense; the Secretary of State; the Director of the Federal
Bureau of Investigation; the Chairman of the National Transportation
Safety Board; the Commissioner of the U.S.  Customs Service; the
Director of the Bureau of Alcohol, Tobacco and Firearms; and the
Postmaster General of the U.S.  Postal Service.  We will also make
copies available to others on request. 

Please call me at (202) 512-2834 if you or your staff have any
questions.  Major contributors to this report are listed in appendix
VII. 

John H.  Anderson, Jr.
Director, Transportation Issues


LIST OF RECOMMENDATIONS AND
LEGISLATIVE MANDATES TO IMPROVE
AVIATION SECURITY
=========================================================== Appendix I



                                        Table I.1
                         
                            Aviation Security Recommendations
                               Contained in the White House
                          Commission's Report on Aviation Safety
                            and Security, With Designated Lead
                                          Agency

                                                                               Lead
Number      Recommendation                                                     agency
----------  -----------------------------------------------------------------  ----------
3.1         The federal government should consider aviation security as a      FAA
            national security issue and provide substantial funding for
            capital improvements.

3.2         FAA should establish federally mandated standards for security     FAA
            enhancements.

3.3         The Postal Service should advise customers that all packages       Postal
            weighing over 16 ounces will be subject to examination for         Service
            explosives and other threat objects in order to move by air.

3.4         Current law should be amended to clarify the U.S. Customs          Customs
            Service's authority to search outbound international mail.         Service;
                                                                               Postal
                                                                               Service

3.5         The FAA should implement a comprehensive plan to address the       FAA
            threat of explosives and other threat objects in cargo and work
            with industry to develop new initiatives in this area.

3.6         The FAA should establish a security system that will provide a     FAA
            high level of protection for all aviation information systems.

=========================================================================================
3.7         The FAA should work with airlines and airport consortia to ensure  FAA
            that all passengers are positively identified and subjected to
            security procedures before they board aircraft.

3.8         Submit a proposed resolution, through the U.S. Representative,     FAA
            that the International Civil Aviation Organization begin a
            program to verify and improve compliance with international
            security standards.

3.9         Assess the possible use of chemical and biological weapons as      FAA
            tools of terrorism.

3.10        The FAA should work with industry to develop a national program    FAA
            to increase the professionalism of the aviation security work
            force, including screening personnel.

3.11        Access to airport controlled areas must be secured and the         FAA
            physical security of aircraft must be ensured.

=========================================================================================
3.12        Establish consortia at all commercial airports to implement        FAA
            enhancements to aviation safety and security.\a,b

=========================================================================================
3.13        Conduct airport vulnerability assessments and develop action       FAA
            plans.\a,b

3.14        Require criminal background checks and FBI fingerprint checks for  FAA
            all screeners, and all airport and airline employees with access
            to secure areas.\a,b

=========================================================================================
3.15        Deploy existing technology.\a,b                                    FAA

3.16        Establish a joint government-industry research and development     FAA
            program.\a,b

3.17        Establish an interagency task force to assess the potential use    Department
            of surface-to-air missiles against commercial aircraft.\a,b        of Defense

3.18        Significantly expand the use of bomb-sniffing dogs.\a,b            FAA

=========================================================================================
3.19        Complement technology with automated passenger profiling.\a,b      FAA

3.20        Certify screening companies and improve screener performance.\a,b  FAA

3.21        Aggressively test existing security systems.\a                     FAA

3.22        Use the Customs Service to enhance security.\a                     FAA

=========================================================================================
3.23        Give properly cleared airline and airport security personnel       FAA
            access to the classified information they need to know.\a

3.24        Begin implementation of full bag-passenger match.\a                FAA

3.25        Provide more compassionate and effective assistance to families    National
            of victims.\a                                                      Transporta
                                                                               tion
                                                                               Safety
                                                                               Board

3.26        Improve passenger manifests.\a                                     Office of
                                                                               the
                                                                               Secretary
                                                                               of
                                                                               Transporta
                                                                               tion

3.27        Significantly increase the number of FBI agents assigned to        FBI
            counter terrorism investigations, to improve intelligence, and to
            crisis response.\a

3.28        Provide anti-terrorism assistance in the form of airport security  Department
            training to countries where there are airports served by airlines  of State
            flying to the U.S.\a

3.29        Resolve outstanding issues relating to explosive taggants and      ATF
            require their use.\a

3.30        Provide regular, comprehensive explosives detection training       ATF
            programs for foreign, federal, state, and local law enforcement,
            as well as FAA and airline personnel.\a

3.31        Create a central clearinghouse within the government to provide    ATF
            information on explosives crime.\a
-----------------------------------------------------------------------------------------
Note:  The recommendations printed in bold are the eight reviewed in
this report. 

\a These recommendations were contained in the initial report of the
White House Commission on Aviation Safety and Security.  The
remaining 11 recommendations were added to the Commission's final
report dated February 12, 1997. 

\b Although the focus of these recommendations remained the same, the
Commission's final report expanded their scope. 



                                        Table I.2
                         
                            Aviation Security Mandates in the
                         Federal Aviation Reauthorization Act of
                                           1996

Section    Legislative mandate
---------  ------------------------------------------------------------------------------
301        FAA is to submit a report, including proposed legislation, if necessary, to
           the Congress, no later than 90 days after the enactment of this Act, on
           responsibilities and sources of funding for airport security.

302        FAA is to certify screening companies and to improve training and testing of
           security screeners through development of uniform training standards.

303        FAA shall enter into an arrangement with the National Academy of Sciences to
           assess available weapons and explosives detection technologies and identify
           the most promising technologies for the improvement of the efficiency and
           cost-effectiveness of weapons and explosive detection.

304        FAA shall require criminal history checks for individuals who will be
           responsible for screening passengers or property, their supervisors, and other
           individuals who exercise security functions associated with baggage or cargo,
           as the FAA Administrator determines necessary.

305        Facilitate the interim deployment of commercially available explosives
           detection equipment that will enhance aviation security significantly while
           FAA is in the process of certifying commercially available equipment.

306        FAA shall provide for the periodic audit of the effectiveness of criminal
           history record checks.

307        FAA, DOT, intelligence community, and law enforcement community assist
           carriers in developing a computer-assisted passenger profiling system.

308        Provides authority to use Airport Improvement Program funds to enhance and
           ensure the safety and security of passengers and other persons involved in air
           travel.

309        FAA and the FBI shall provide for the establishment of an aviation security
           liaison in or near cities served by a designated high-risk airport.

310        FAA and FBI shall carry out joint threat and vulnerability assessments on
           security at high-risk airports every 3 years or more often if necessary.

311        If bag match pilot program is carried out, FAA is required to submit a report
           on safety, effectiveness, and operational effectiveness to the Congress.

312        Air carriers and airports will conduct periodic vulnerability assessments of
           the security systems, and FAA shall perform periodic audits of such
           assessments.

313        The Secretary of Transportation shall, no later than 90 days after enactment
           of this Act, transmit to the Congress a report on any changes recommended and
           implemented as a result of the Commission's report to enhance and supplement
           screening and inspection of cargo, mail, and company-shipped materials
           transported in air commerce.
-----------------------------------------------------------------------------------------
Note:  The mandates printed in bold type are those related to the
five Commission recommendations reviewed in this report. 


STATUS, IMPLEMENTATION ISSUES, AND
FIELD OBSERVATIONS ON THREE OF THE
COMMISSION'S RECOMMENDATIONS
SCHEDULED TO BE IMPLEMENTED IN
FISCAL YEAR 1997
========================================================== Appendix II

The following provides additional information on the status of three
of the Commission's recommendations, FAA's implementation issues, and
our observations during field visits to airports. 

Recommendation 3.23:
-----------------------------------------------------------------------------------------
Give properly cleared airline and airport security personnel access to classified
information they need to know.
-----------------------------------------------------------------------------------------

      STATUS
------------------------------------------------------ Appendix II:0.1

FAA considers this recommendation completed. 

  -- FAA has been providing clearances and classified information to
     airport officials since June 1994.  Although air carriers have
     had cleared personnel under other clearance programs going back
     into the 1980s, it was not until the mid-1990s that FAA began
     providing air carriers with clearances. 

  -- FAA officials told us that in March 1997, FAA invited airports
     and air carriers to recommend personnel for clearances. 

  -- As of March 1998, 234 airport, air carrier, and law enforcement
     personnel had been granted security clearances under this
     program with an additional 35 pending. 

  -- FAA also provides declassified security information to all
     airport and air carrier personnel whether cleared or not.  FAA's
     position is to ensure that as much information as possible is
     given to the industry. 

  -- FAA considers this recommendation completed with the issuance of
     the March 1997 invitation. 


      IMPLEMENTATION ISSUES
------------------------------------------------------ Appendix II:0.2

  -- Obtaining clearances is voluntary, and FAA does not have any
     legal authority to require airports or air carriers to have
     persons with a clearance. 


      FIELD OBSERVATIONS
------------------------------------------------------ Appendix II:0.3

  -- A majority of the airport officials we met with questioned the
     usefulness and timeliness of any classified information they
     have received; therefore, some of these officials do not see a
     need for clearances. 

  -- Many of the airport managers we met with told us that they have
     local sources for obtaining security-related information that
     they believe is more useful than FAA's; an FAA official told us
     that local law enforcement officials may provide very useful
     information and that FAA does not believe that it is the sole
     source of security-related information. 

  -- Five officials from different airports told us they had applied
     for clearances but had not been told whether their clearances
     have been granted.  FAA has followed on up these inquiries and
     most have been resolved. 

Recommendation 3.7
-----------------------------------------------------------------------------------------
FAA should work with airline and airport consortia to ensure that all passengers are
positively identified and subjected to security procedures before they board aircraft.
-----------------------------------------------------------------------------------------

      STATUS
------------------------------------------------------ Appendix II:0.4

FAA has used security directives to establish security procedures for
passengers.  Incorporating those procedures into the Air Carrier
Standard Security Program (ACSSP) is taking longer than expected. 

  -- Many of the procedures to clear passengers have been in place
     since the early 1990s under security directives issued by FAA. 

  -- The only action left to complete this recommendation is to
     incorporate the directives into the ACSSP. 

  -- On March 28, 1997, FAA issued a proposed change to the ACSSP
     incorporating these and other security directives and originally
     planned to complete this process by July 31, 1997. 

  -- Delays have resulted because FAA received many significant
     comments on its proposal to incorporate these changes into the
     ACSSP. 

  -- FAA revised and reissued the proposal in August 1997 for a
     second round of comments, extending the comment period to
     October 1997. 

  -- FAA extended its completion date to May 1998. 


      IMPLEMENTATION ISSUES
------------------------------------------------------ Appendix II:0.5

  -- FAA needs to analyze the comments received on its proposed
     amendments to the ACSSP and revise the ACSSP before it can go
     through the agency's internal review. 

  -- While completing the change to the ACSSP, FAA plans to consider
     other ongoing recommendations, such as automated passenger
     profiling, passenger-bag match, and the use of explosives
     detection equipment. 

  -- Others, such as airports and air carriers, will need to
     implement any changes once FAA completes its process. 

  -- The ACSSP will need to be further amended when an automated
     passenger profiling system replaces the manual process. 


      FIELD OBSERVATIONS
------------------------------------------------------ Appendix II:0.6

  -- FAA field and air carrier officials have expressed concern that
     FAA has operated its security program through security
     directives instead of having a current ACSSP in place. 

  -- The aviation industry would like to see the ACSSP revised as
     quickly as possible because FAA has issued so many security
     directives over the last several years. 

  -- FAA field and air carrier officials stated that security
     directives are not always clear and may lack detailed
     information for implementation. 

Recommendation 3.12:
-----------------------------------------------------------------------------------------
Establish consortia at all commercial airports to implement enhancements to aviation
safety and security.
-----------------------------------------------------------------------------------------

      STATUS
------------------------------------------------------ Appendix II:0.7

Completion has been delayed while FAA resolves a legal issue and
issues guidance on consortia. 

  -- Under the Commission's initial report, FAA helped establish 41
     consortia at major airports in the fall of 1996.\1

  -- These 41 consortia have conducted vulnerability assessments and
     developed action plans; some airports have addressed their
     action plans and are awaiting further guidance from FAA. 

  -- FAA plans to encourage the establishment of consortia at 200
     more airports. 

  -- FAA originally estimated that the airports that wanted to
     voluntarily establish consortia would do so by September 30,
     1997. 

  -- To encourage the establishment of consortia, FAA planned to
     issue guidance in May 1997. 

  -- FAA cannot proceed with guidance until its Office of the Chief
     Counsel rules on whether airports and air carriers will be
     subject to penalties when the consortia self-disclose security
     violations. 

  -- FAA's Office of the Chief Counsel expects to issue its ruling in
     April 1998 and FAA plans to issue the guidance shortly
     thereafter. 

  -- FAA now estimates that the additional consortia should be
     established by December 1998. 


--------------------
\1 This initial recommendation was expanded in the final report,
which recommended the establishment of consortia at all category X
through category III airports by September 30, 1997.  (Categorization
is primarily based on the volume of passengers; category X has the
highest number of passengers.)


      IMPLEMENTATION ISSUES
------------------------------------------------------ Appendix II:0.8

  -- FAA's Office of the Chief Counsel needs to rule on whether
     airports and air carriers are exempt from penalties when they
     self-disclose security violations identified through the
     activities of a consortia. 

  -- Once the legal issue is resolved, FAA will need to issue
     guidelines on the mission, function, activities, and authority
     of consortia to resolve violations discovered through consortia
     efforts. 

  -- FAA does not have any legal basis for requiring airports to
     establish consortia; participation is voluntary. 

  -- Airports will have to decide if they want to form consortia
     after the guidelines are issued. 

  -- FAA recognizes that persuading airports to form consortia may be
     difficult because participation is voluntary. 


      FIELD OBSERVATIONS
------------------------------------------------------ Appendix II:0.9

  -- Of the seven airports we visited, five had formed consortia in
     response to the Commission's initial report. 

  -- At airports we visited, the consortia's ongoing activities are
     mixed.  Some consortia continue to be active; others are
     awaiting future instructions from FAA on how to proceed, given
     that they have performed vulnerability assessments, drafted
     action plans, and implemented corrective actions.  Two others
     have ceased operation or merged their activities with other
     monthly meetings dealing with security issues. 

  -- Some airport and air carrier officials do not see a need for
     consortia because they believe their meetings duplicate other
     airport security meetings.  One airport official told us that he
     will not establish a consortium for this reason unless required
     by law. 

  -- Air carrier and airport officials are concerned that they may be
     held liable if they report violations under the consortia. 

  -- Airports and air carriers are concerned about the lack of
     direction from FAA on the activities of consortia and how they
     should proceed since completing the work under the initial
     Commission's recommendation.  Although FAA plans to issue
     guidance for consortia, an FAA official told us that the agency
     sees its role as providing support to local consortia. 


STATUS OF FIVE AVIATION SECURITY
RECOMMENDATIONS, IMPLEMENTATION
ISSUES, AND FIELD OBSERVATIONS
========================================================= Appendix III

The following provides additional information on the status of five
aviation security recommendations made by the Commission and
authorized under the Reauthorization Act, implementation issues, and
our field observations during visits to airports. 

Commission's recommendation                  Reauthorization Act's mandate
-------------------------------------------  --------------------------------------------
Recommendation 3.19:                         Sec. 307:

Complement technology with automated         Assist air carriers in developing computer-
passenger profiling.                         assisted passenger profiling programs in
                                             conjunction with other security measures and
                                             technologies.
-----------------------------------------------------------------------------------------

      STATUS
----------------------------------------------------- Appendix III:0.1

FAA planned to have an automated passenger profiling system completed
and in place by December 31, 1997.  As of February 1998, three major
air carriers have the system in place.  All but one major carrier are
expected to have the system implemented by September 30, 1998. 

  -- A computer-assisted passenger screening (CAPS) system was
     developed by Northwest Airlines with funding from FAA. 

  -- The Department of Justice has reviewed the system and ruled that
     it does not discriminate on the basis of factors such a invasion
     of personal privacy or unreasonable search and seizure. 

  -- Justice will periodically review the system to ensure that it is
     functioning as intended and is not discriminatory. 

  -- FAA planned to have this system completed and in place by
     December 31, 1997. 

  -- No air carrier met the completion date. 

  -- FAA has not issued a final regulation requiring air carriers to
     implement this system; however, air carriers have begun to
     voluntarily integrate the system into their reservation systems. 

  -- Among the major air carriers, Northwest Airlines implemented the
     system in January 1998 and two others--United Airlines and
     TWA--implemented the system in February 1998. 

  -- FAA believes other major air carriers will have the system
     integrated into their reservation systems by September 30, 1998,
     with the exception of one carrier that will make the transition
     to a new reservation system in November 1998. 

  -- Final regulations establishing this program and the bag match
     program are due to be published in November 1998. 


      IMPLEMENTATION ISSUES
----------------------------------------------------- Appendix III:0.2

  -- FAA needs to issue the final regulation for the CAPS system. 

  -- FAA will need to amend the ACSSP to incorporate the requirements
     of the CAPS system. 

  -- Air carriers and their reservation companies will need to
     integrate the CAPS system into their reservation systems. 

  -- FAA will need to coordinate the implementation of the CAPS
     system with the passenger-bag match program and the use of
     explosives detection equipment. 


      FIELD OBSERVATIONS
----------------------------------------------------- Appendix III:0.3

  -- Air carriers support the CAPS concept. 

Commission's recommendation                  Reauthorization Act's mandate
-------------------------------------------  --------------------------------------------
Recommendation 3.15:                         Sec. 305:

Deploy existing technology.                  Facilitate the deployment of approved
                                             commercially available explosives detection
                                             devices.
-----------------------------------------------------------------------------------------

      STATUS
----------------------------------------------------- Appendix III:0.4

FAA has deployed a number of explosives detection systems and
devices; however, delays have occurred and installation will take
longer than planned. 

  -- FAA has begun to purchase and deploy 54 CTX-5000s (plus FAA
     updated 3 units used in demonstration projects), 22 noncertified
     advanced technology units, and 489 trace detection devices, as
     provided for under the Omnibus Consolidated Appropriations Act
     for Fiscal Year 1997. 

  -- FAA planned to have most of the explosives detection equipment
     in place by September 1997 and to complete the installation by
     December 1997. 

  -- As of March 10, 1998, 13 of the 54 certified systems had been
     deployed at airports.  As of January 9, 1998, 125 of the 489
     trace detection devices had been deployed and 2 of the 22
     noncertified advanced technology devices were being deployed. 

  -- Deployment has been delayed by about 9 months with the equipment
     now planned to be in place by September 1998 and fully
     operational, including training of screeners, by December 1998. 

  -- Deployment of the CTX-5000 was late because (1) the contractor
     hired to install the CTX did not have the required experience,
     (2) FAA extended the deployment schedule because it did not
     receive funding in fiscal year 1998 for additional explosives
     detection equipment, and (3) ongoing or planned construction and
     the reconfiguration of baggage systems at certain airports
     impeded deployment. 

  -- Trace equipment was purchased in several phases, enabling FAA to
     evaluate the devices deployed and determine which types of
     equipment met security needs and should be purchased next. 

  -- Contracts have been awarded for purchasing 22 noncertified
     advanced technology devices. 

  -- The Office of Management and Budget has agreed to reprogram
     moneys for fiscal year 1998 to continue deployment during the
     current fiscal year. 


      IMPLEMENTATION ISSUES
----------------------------------------------------- Appendix III:0.5

  -- If FAA is to deploy additional equipment, additional funds will
     be needed. 

  -- FAA needs to establish performance criteria for the amount and
     types of explosives to be detected by trace detection equipment. 

  -- Deployment of most explosives detection equipment is under a
     pilot program.  This equipment is continuously being evaluated
     to assess its capabilities and to guide further purchases and
     deployment. 

  -- FAA will need to coordinate the use of explosives detection
     equipment with its implementation of the passenger-bag match
     program and the CAPS system. 


      FIELD OBSERVATIONS
----------------------------------------------------- Appendix III:0.6

  -- The certified explosives detection systems have encountered a
     number of problems during deployment--for example, inadequate
     electrical wiring to handle the system's electrical needs or the
     inability to get the unit into a terminal because of its size. 

  -- Airport, air carrier, and FAA field officials believe that the
     initial deployment occurred too rapidly because FAA was trying
     to meet target dates established in the Commission's report or
     by the Secretary of Transportation. 

  -- One airport received up to three different pieces of equipment
     at the same time without being notified in advance of its
     arrival.  FAA officials told us that this could have been true
     during our field visits in October and November 1997, but they
     believe this problem has been corrected by increased
     communications between FAA, the contractor installing the
     equipment, each air carriers' headquarters, and the individual
     airports receiving the equipment. 

  -- Air carriers have unresolved questions about who will pay to
     maintain and upgrade the software for the equipment that FAA is
     deploying once it turns the responsibility for the equipment
     over to the air carriers. 

Commission's recommendation                  Reauthorization Act's mandate
-------------------------------------------  --------------------------------------------
Recommendation 3.24:                         Sec. 311:

Begin implementation of full passenger-bag   Issue report on bag match pilot program to
match.                                       the Congress.
-----------------------------------------------------------------------------------------

      STATUS
----------------------------------------------------- Appendix III:0.7

Matching bags is shifting from manual to computerized operations as
major air carriers implement the CAPS system.\1 FAA is currently
drafting a report to the Congress on the operational and economic
effects of the passenger-bag match recommendation on the airline
industry. 

  -- The pilot program on matching bags to passengers who board an
     aircraft was completed on June 3, 1997. 

  -- The report to the Congress, which was due July 31, 1997, has
     been delayed, in part, because the aviation industry requested
     that the economic and operational effects of bag matching be
     included in one report instead of two separate ones. 

  -- This report is scheduled to be released on June 30,
     1998--approximately 11 months past the original due date. 

  -- Bag matching is occurring on some domestic flights through the
     use of either the manual screening or the CAPS systems.  In
     January and February 1998, three major air carriers implemented
     the CAPS system, which allows them to bag match. 

  -- FAA is preparing a Notice of Proposed Rulemaking that will cover
     the CAPS system and bag match. 

  -- FAA plans to issue the final regulations for the CAPS system and
     bag match program in November 1998. 


--------------------
\1 The Commission's final report states that bag match should
initially be based on automated passenger profiling and should be
implemented no later than December 31, 1997.  By that date, the bags
of those selected either at random or through the use of an automated
passenger profiling system must be either screened or matched to a
boarded passenger. 


      IMPLEMENTATION ISSUES
----------------------------------------------------- Appendix III:0.8

  -- FAA needs to complete an economic analysis of the passenger-bag
     match pilot program. 

  -- FAA needs to issue the required bag match report to the
     Congress. 

  -- The economic impact of bag matching needs to be considered when
     drafting the notice of rulemaking. 

  -- FAA needs to publish a Notice of Proposed Rulemaking, address
     comments, and issue the final regulation. 

  -- After the final regulation is published, air carriers will need
     to implement a passenger-bag match program according to the
     regulation. 

  -- FAA will need to coordinate its implementation of the
     passenger-bag match program with the use of explosives detection
     equipment and with the CAPS system. 


      FIELD OBSERVATIONS
----------------------------------------------------- Appendix III:0.9

  -- Air carriers favor passenger-bag match if it is used with the
     CAPS system so that they are not required to match all
     passengers and bags. 

  -- Air carriers believe that matching all bags to every passenger
     is not economically and operationally feasible. 

Commission's recommendation                  Reauthorization Act's mandate
-------------------------------------------  --------------------------------------------
Recommendation 3.13:                         Sec. 310:

Conduct airport vulnerability assessments    Conduct joint FAA-FBI threat and
and develop action plans.                    vulnerability assessments on aviation
                                             security every 3 years or more frequently,
                                             as necessary, at high-risk airports.

                                             Sec. 312:
                                             Require airports and air carriers to conduct
                                             periodic vulnerability assessments of
                                             security systems and FAA to perform periodic
                                             audits of such assessments.
-----------------------------------------------------------------------------------------
The following two sections--Status and Implementation Issues--are
divided into the three efforts that FAA has under way for
vulnerability assessments--developing a model, conducting joint
threat and vulnerability assessments, and requiring air carriers and
airports to conduct vulnerability assessments. 

MODEL DEVELOPMENT


      STATUS
---------------------------------------------------- Appendix III:0.10

FAA is developing a standardized model for use in conducting
vulnerability assessments. 

  -- FAA has contracted with six private-sector firms and one federal
     agency to conduct vulnerability assessments using a variety of
     models.  A total of 14 airports will be covered by these
     assessments. 

  -- FAA initially planned to start these assessments in November
     1997, but delays in awarding the contracts delayed their start
     until January 1998. 

  -- FAA estimates that these assessments will be completed by August
     1998. 

  -- On the basis of these assessments, FAA hopes to develop a
     standardized model for use by FAA inspectors, airports, air
     carriers, and consortia for their vulnerability assessments. 


      IMPLEMENTATION ISSUES
---------------------------------------------------- Appendix III:0.11

  -- Using the contractors' assessments, FAA has established a panel
     to select a best practices model. 

JOINT THREAT AND VULNERABILITY
ASSESSMENTS


      STATUS
---------------------------------------------------- Appendix III:0.12

FAA and FBI are conducting joint threat and vulnerability assessments
at 31 selected airports. 

  -- FAA-FBI planned to develop protocols for conducting joint threat
     and vulnerability assessments by April 1997 and begin the
     assessments in June 1997. 

  -- The protocols were developed by December 1997 and field tested
     at four airports by mid-March 1998. 

  -- FAA-FBI plan to conduct joint threat and vulnerability
     assessments at 31 airports that the FAA and FBI have designated
     as high-risk candidates. 

  -- FAA-FBI plan to conduct one to two assessments per month. 


      IMPLEMENTATION ISSUES
---------------------------------------------------- Appendix III:0.13

  -- FAA-FBI are legally required to complete these joint assessments
     by October 1999.  Currently, FAA plans to complete 28 of 31
     assessments by October 1999. 

REQUIRED ASSESSMENTS


      STATUS
---------------------------------------------------- Appendix III:0.14

FAA plans to begin amending its security program that will require
airports and air carriers to conduct vulnerability assessments. 

  -- FAA plans to recommend that airports and air carriers use the
     standardized model it is currently developing. 

  -- FAA expects the model to be available in March 1999 and the
     implementation of the required assessments to begin around
     mid-1999. 


      IMPLEMENTATION ISSUES
---------------------------------------------------- Appendix III:0.15

  -- Implementation is dependent on FAA developing a standardized
     model and amending its security program. 


      FIELD OBSERVATIONS
---------------------------------------------------- Appendix III:0.16

  -- Airport officials have expressed concern that too many and
     possibly duplicative vulnerability assessments have already been
     done or are being planned.  They include (1) the 41 assessments
     done by consortia under a recommendation in the Commission's
     initial report, (2) the contractor's assessments to develop a
     standardized model, (3) the joint FAA-FBI assessments, and (4)
     the legal requirement for airports and air carriers to conduct
     assessments. 

Commission's recommendation                  Reauthorization Act's mandate
-------------------------------------------  --------------------------------------------
Recommendation 3.20:                         Sec. 302:

Certify screening companies and improve      Certify screening companies and improve the
screeners' performance.                      training and testing of security screeners
                                             through the development of uniform
                                             performance standards.
-----------------------------------------------------------------------------------------
CERTIFY SCREENING COMPANIES


      STATUS
---------------------------------------------------- Appendix III:0.17

FAA has started the rulemaking process to develop regulations for
certifying screening companies and plans to complete this
recommendation by March 2000. 

  -- In March 1997, FAA issued an Advance Notice of Proposed
     Rulemaking soliciting information on certifying screening
     companies and improving screeners' training. 

  -- FAA analyzed the comments received and has prepared a Notice of
     Proposed Rulemaking with specific regulatory proposals. 

  -- FAA originally estimated that it would complete the rulemaking
     process by December 1999.  This date has changed twice:  once to
     March 1999 and more recently to March 2000.  This change,
     according to FAA officials is to allow for the inclusion of
     performance standards for testing screeners. 

  -- This proposed rule is now undergoing internal review at FAA. 


      IMPLEMENTATION ISSUES
---------------------------------------------------- Appendix III:0.18

  -- After completing the internal review, FAA will need to issue the
     Notice of Proposed Rulemaking for comment, currently scheduled
     for March 1999. 

  -- These comments will have to be analyzed and incorporated into
     the final regulation. 

  -- The regulatory process will take time, since screening companies
     have not previously been regulated by the federal government. 

  -- After the regulation is completed, screening companies will have
     to apply for certification. 

  -- Screening companies will have to implement programs to comply
     with the new regulation. 


      FIELD OBSERVATIONS
---------------------------------------------------- Appendix III:0.19

  -- Air carriers and screening companies believe that certifying
     screening companies is needed. 

TRAINING OF SCREENERS


      STATUS
---------------------------------------------------- Appendix III:0.20

FAA is currently pilot-testing several training programs designed to
enhance screeners' performance. 

  -- Efforts to improve screeners' training had already started when
     the Commission issued its initial report and the Reauthorization
     Act was enacted. 

  -- SPEARS (a computer-based program for training screeners who
     screen baggage is being deployed and had been installed at 17
     airports as of February 1998. 

  -- Each of the 17 airports has received 12 training units, which
     are located at a single location within the airport. 

  -- FAA has contracted to deploy the computer-based training program
     at another 60 airports; however, FAA has decided to deploy the
     training program at only 15 of the 60 airports because it lacks
     the necessary funds.  Depending on the availability of funds
     from its request to reprogram fiscal year 1998 moneys, FAA plans
     to deploy the training program at the remaining 45 airports by
     the end of fiscal year 1998 or early fiscal year 1999. 

  -- The Advance Notice of Proposed Rulemaking for certifying
     screening companies, issued in March 1997, also solicited input
     on the methods and curriculum for training screeners. 

  -- FAA's evaluation of another computer-based program that will
     train screeners to use the only FAA-certified explosives
     detection system, which screens checked bags, has been postponed
     until a licensing agreement between the system manufacturer and
     the program developer has been executed. 

  -- As of March 10, 1998, FAA had deployed the threat image
     projection system, called TIP, at four airports for testing. 
     TIP is a computerized system used to test screeners'
     effectiveness in identifying explosives and other threat
     objects. 

  -- FAA began deploying TIP at other major airports during the week
     of March 23, 1998, for use by the certified explosives detection
     systems that are currently in place.  FAA also plans to deploy
     284 of these testing systems for use with X-ray devices used for
     screening carry-on bags at major airports starting in April
     1998. 


      IMPLEMENTATION ISSUES
---------------------------------------------------- Appendix III:0.21

  -- FAA needs to complete the evaluations of its computer-based
     training program and the threat image projection program. 

  -- FAA needs to decide where to place the computer-based training
     equipment in airports. 

  -- FAA needs to issue clear guidelines on the various training
     programs being deployed and on the relationship of the new
     computer-based training programs to the current classroom-type
     training program, especially in view of the fact that the
     "older" classroom training program needs updating. 

  -- FAA will have to acquire funding; await completion of the
     licensing agreement between the system manufacturer and the
     program developer; and complete its validation of the
     computer-based training program for the certified explosives
     detection system before the computer-based training program can
     be deployed. 


      FIELD OBSERVATIONS
---------------------------------------------------- Appendix III:0.22

  -- Screening companies have received the computer-based training
     favorably. 

  -- Not all the air carriers and screening companies we met with had
     received FAA's April 1997 computer-based training program
     guidance. 

  -- Several screening companies have expressed concern about the
     lack of clear guidance on using either the computer-based
     training program or the standardized classroom training program
     for carry-on bags. 

  -- Two screening companies refused to send their screeners to the
     computer-based training location because (1) it is too far from
     their work location, (2) it takes a considerable amount of time
     to reach the training site, (3) it is located in another
     screening company's work area, and (4) it requires a supervisor
     to go along with the screeners, leaving them short-handed at
     check points. 

  -- Most screening companies suggested placing the equipment in
     several locations to make it easily accessible to everyone; they
     said this would require more units at each airport. 

  -- FAA needs to replace SPEARS equipment that was stolen from one
     airport. 


SCOPE AND METHODOLOGY
========================================================== Appendix IV

To determine how federal agencies track, monitor, and coordinate
activities designed to implement the Commission's aviation security
recommendations and the Reauthorization Act's mandates, we obtained
and analyzed the status reports that FAA's computerized tracking
systems generated between May 1997 and February 1998, as well as the
quarterly status reports covering all the Commission's aviation
security recommendations made to federal agencies, which the
Department of Transportation's (DOT) Office of the Secretary compiled
and sent to the National Security Council for the same period.  We
did not independently verify the reliability of FAA's computerized
databases for tracking the status of the Commission's recommendations
and the act's mandates.  However, when appropriate, we did obtain
supporting documentation and discuss the accuracy of the data and
their related reports with FAA officials on those recommendations we
reviewed.  We also discussed the procedures for preparing these
reports with the responsible offices in FAA and DOT.  We met with
officials of the departments of Defense and State, FBI, the National
Transportation Safety Board, the U.S.  Postal Service, U.S.  Customs
Service, and Bureau of Alcohol, Firearms and Tobacco to obtain
information on how they track the recommendations for which they are
responsible and obtained and analyzed data supporting the status of
their recommendations.  We also met with an official of the National
Security Council to determine if it had a role in overseeing actions
on all the recommendations. 

We analyzed the 31 aviation security recommendations to determine
which ones FAA expected to complete in fiscal year 1997.  We reviewed
three of the five recommendations in FAA's tracking system that the
reports and other documents targeted for completion in fiscal year
1997.  We did not review two other recommendations because one
involved an agency other than FAA and the other involved an
international security issue.  We discussed the status of these
recommendations with officials from FAA's policy and operating
offices, analyzed related documents, and discussed their status with
airport, air carrier, and screening company officials at the seven
airports we visited. 

To determine the progress FAA had made in implementing the key
recommendations that were both recommended by the Commission and
mandated by the Congress in 1996 and the major issues that needed to
be addressed before these recommendations could be fully implemented,
we used the requesters' criteria to determine which of the
Commission's recommendations and the act's mandates covered the same
issues.  We identified seven issues in which the recommendations and
mandates were substantially similar.  We selected five of the seven
for review because of their interrelationships and high visibility in
improving aviation security.  We discussed the status of these
recommendations with officials of FAA's policy and operating offices
and analyzed related documents.  We also discussed the status of
recommendations with airport, air carrier, and screening company
officials at seven airports we visited.  We met with headquarters
officials of Northwest Airlines to discuss the status of the CAPS
system. 

We selected the seven airports in order to obtain a wide coverage of
airports' and air carriers' involvement in implementing the
recommendations.  Five were major airports that had considerable
involvement in implementing the recommendations.  Visiting these
airports enabled us to obtain the views of airport, air carrier, and
screening company officials who had experience with implementing the
recommendations and to observe the explosives detection and training
equipment in place and the operation of that equipment.  Two airports
were smaller and had no involvement with the recommendations at the
time of our field work.  Visiting these airports enabled us to obtain
the views of airport, air carrier, and screening company officials on
recommendations such as obtaining clearances and forming consortia
that were voluntary on the airports' and air carriers' part, as well
as their views on those recommendations that they would eventually be
required to implement.  Because of the sensitive nature of aviation
security and ongoing efforts at specific airport locations, we are
not listing the seven airports we visited. 




(See figure in printed edition.)Appendix V
COMMENTS FROM THE DEPARTMENT OF
THE TREASURY
========================================================== Appendix IV



(See figure in printed edition.)




(See figure in printed edition.)Appendix VI
COMMENTS FROM THE U.S.  POSTAL
SERVICE
========================================================== Appendix IV



(See figure in printed edition.)


MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix VII

RESOURCES, COMMUNITY, AND ECONOMIC
DEVELOPMENT DIVISION, WASHINGTON,
D.C. 

J.  Michael Bollinger
Elizabeth R.  Eisenstadt
Barry Kime
Marnie S.  Shaul


*** End of document. ***