Aviation Security: Progress Being Made, but Long-term Attention Is Needed
(Testimony, 05/14/1998, GAO/T-RCED-98-190).

In recent years, GAO and others have reported on vulnerabilities
plaguing the nation's aviation system, the availability and limitations
of explosives detection technologies used at airports, and efforts under
way to improve aviation security. Terrorism was initially considered a
possible cause of the 1996 crash of TWA Flight 800 and helped focus
national attention on the system's vulnerabilities. The President formed
the White House Commission on Aviation Safety and Security following the
crash, and later congressional hearings highlighted continuing
weaknesses in the U.S. aviation security system. Although terrorism has
been since ruled out as a factor in the crash of TWA Flight 800, ensuing
studies found that weaknesses persist. The Federal Aviation
Administration (FAA), other government agencies, and the aviation
industry are now implementing 31 of the Commission's recommendations on
aviation security. Some of these recommendations are similar to
legislative mandates that Congress enacted under the Federal Aviation
Reauthorization Act of 1996. This report provides information on (1) the
tracking, monitoring, and coordinating activities undertaken by the
agencies responsible for implementing the Commission's recommendations
and (2) FAA's progress in implementing eight of these recommendations,
five of which are similar to mandates contained in the Reauthorization
Act of 1996.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-RCED-98-190
     TITLE:  Aviation Security: Progress Being Made, but Long-term
	     Attention Is Needed
      DATE:  05/14/1998
   SUBJECT:  Commercial aviation
	     Facility security
	     Airline industry
	     Safety standards
	     Air transportation operations
	     Accident prevention
	     Terrorism
	     Transportation safety
	     Airports
IDENTIFIER:  Pan Am Flight 103
	     TWA Flight 800
	     FAA Computer Assisted Passenger Screening System

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
GAO/T-RCED-98-190

Cover
================================================================ COVER

Before the Subcommittee on Aviation, Committee on Transportation and
Infrastructure, House of Representatives

For Release
on Delivery
Expected at
9:30 a.m.  EDT
Thursday
May 14, 1998

AVIATION SECURITY - PROGRESS BEING
MADE, BUT LONG-TERM ATTENTION IS
NEEDED

Statement of Keith O.  Fultz,
Assistant Comptroller General,
Resources, Community, and Economic
Development Division

GAO/T-RCED-98-190

(348105)

Abbreviations
=============================================================== ABBREV

  CAPS -
  FAA -
  FBI -
  GAO -

============================================================ Chapter 0

Mr.  Chairman and Members of the Subcommittee:

We commend the Chairman for holding these hearings on aviation
security.  Improving the security of our nation's aviation system is
an extremely important national issue, and we believe aggressive and
strong congressional vigilance will be needed to maintain the
momentum for improving the system.  For this reason, we appreciate
the opportunity to testify on what progress has been made and what
remains to be done.\1 As the events over the last several years have
made us all aware, the threat of terrorism against the United States
has increased.  Aviation is, and will remain, an attractive target
for terrorists, so protecting civil aviation continues to be an
urgent national issue.

During the last several years, we and others have reported and
testified on the numerous vulnerabilities that exist within the
nation's aviation system, the availability and limitations of
explosives detection technologies used at airports, and the efforts
under way to improve aviation security.\2 Terrorism was initially one
of the causes under consideration for the 1996 crash of TWA Flight
800 and was the impetus for focusing national attention on
vulnerabilities in the system.  The President formed the White House
Commission on Aviation Safety and Security following the crash, and
subsequently, congressional hearings were conducted that highlighted
the fact that weaknesses in our aviation security system, known since
the downing of Pan Am Flight 103 in 1988, continued to make the
system vulnerable.  Although terrorism has been ruled out as a factor
in the crash of TWA Flight 800, the ensuing analyses and studies
demonstrated that weaknesses continue.

Currently, the Federal Aviation Administration (FAA), other federal
agencies, and the aviation industry are implementing a number of
recommendations made by the Commission.  Some of these
recommendations are similar to legislative mandates the Congress
enacted under the Federal Aviation Reauthorization Act of 1996, and
FAA is also addressing them.  (We will refer to these recommendations
and mandates as initiatives.) Our testimony today focuses on our
recent review of the implementation of the key initiatives.\3

In summary,

  -- FAA has made some progress in five critical areas as recommended
     by the Commission and mandated by the Congress, but given the
     current implementation schedule, it will take years for FAA and
     the aviation industry to fully implement the initiatives.  These
     five initiatives are passenger profiling, explosives detection
     technologies, passenger-bag matching, vulnerability assessments,
     and the certification of screening companies and the performance
     of security screeners.  To date, FAA has encountered delays of
     up to 12 months in implementing these initiatives, in part
     because they are more complex than originally envisioned and
     involve new and relatively untested technologies.  Delays have
     also been caused by limited funding and problems with equipment
     installation and contractors' performance.

  -- While progress is being made in strengthening aviation security,
     the completion of the current initiatives will require
     additional financial resources and a sustained commitment by the
     federal government and the aviation industry.  For example,
     current funding is sufficient to provide only a limited
     percentage of the flying public at selected airports with
     protection against concealed explosives in checked baggage.
     Additional explosives detection equipment is needed to provide
     this protection to all the flying public.

  -- Because momentum and public attention began to subside after the
     downing of Pan Am Flight 103, sufficient progress did not occur.
     To avoid a similar situation, congressional oversight and
     commitment are important.  None of us wants that to happen
     again; we must ensure that the momentum is not lost.

--------------------
\1 GAO will be issuing a report and testifying later this month
before the Senate Governmental Affairs Committee on the computer
security problems of the Federal Aviation Administration's air
traffic control system.

\2 Aviation Security:  Additional Actions Needed to Meet Domestic and
International Challenges (GAO/RCED-94-38, Jan.  27, 1994); Aviation
Security:  Development of New Security Technology Has Not Met
Expectations (GAO/RCED-94-142, May 19, 1994); Aviation Security:  FAA
Can Help Ensure That Airports' Access Control Systems are
Cost-Effective (GAO/RCED-95-25, Mar.  1, 1995); Aviation Security:
Immediate Action Needed to Improve Security (GAO/T-RCED/NSIAD-96-237,
Aug.  1, 1996); Aviation Security:  Technology's Role in Addressing
Vulnerabilities (GAO/T-RCED/NSIAD-96-262, Sept.  19, 1996).

\3 Aviation Security:  Implementation of Recommendations Is Under
Way, but Completion Will Take Several Years (GAO/RCED-98-102, Apr.
24, 1998).

   BACKGROUND:  AVIATION SECURITY
   SYSTEM HAS SIGNIFICANT
   VULNERABILITIES
---------------------------------------------------------- Chapter 0:1

Before discussing FAA's efforts to implement a number of security
initiatives, it is important to discuss some of the vulnerabilities
that exist within the nation's aviation security system.  In our
previous reports and testimonies, we highlighted a number of these
vulnerabilities.  Since the 1988 bombing of Pan Am Flight 103,
security reviews by FAA, audits conducted by GAO and the Department
of Transportation's Inspector General, and the work of a presidential
commission have shown that the system continues to be flawed.  In
fact, nearly every major aspect of the system--ranging from screening
passengers, checked and carry-on baggage, mail, and cargo to
controlling the access to secured areas within an airport
environment--has weaknesses that could be exploited.  For example,
for those bags that are screened, we reported in March 1996 that
conventional X-ray screening systems had performance limitations and
offer little protection against a moderately sophisticated explosive
device.

According to the intelligence community, the threat of terrorism
against the United States has increased.  The World Trade Center
bombing and the emergence in the United States of more dangerous
international terrorist groups revealed that the threat of attacks in
the United States is more serious and more extensive than previously
believed.  On the basis of information provided by the intelligence
community, FAA makes judgments about the threat to aviation and
decides which procedures would best address the threat.  Among these
procedures are methods to identify passengers who pose potential
risks and who are then subjected to additional security measures.
Such procedures can, at FAA's discretion, be instituted for a limited
period or made permanent by incorporating them into the agency's
security procedures.

Our 1994 reports criticized FAA for its lack of progress in
addressing identified vulnerabilities and in deploying new explosives
detection systems and for related weaknesses in its security research
program, such as insufficient attention to integrating different
technologies.  Past experience has demonstrated that concepts that
make sense in a laboratory may not work in an airport environment.

Because of this, we recommended that FAA pilot test new equipment and
procedures to determine if they improve security before implementing
them systemwide in the nation's airports.  We also recommended that
FAA pay greater attention to human factors issues, such as security
screeners' performance.

Providing effective security is a complex and difficult task because
of the size of the U.S.  aviation system, the differences among
airlines and airports, and the unpredictable nature of terrorism.
FAA was attempting to build consensus with the aviation community on
how to improve aviation security when, in 1996, TWA Flight 800
crashed.  Because the crash was initially suspected to be a terrorist
act, national attention focused on the need to address aviation
security vulnerabilities.  The President created a Commission to
review aviation safety and security issues, and the Congress held
hearings.  The Commission made a total of 31 recommendations for
improving aviation security at our nation's airports.  In the 1996
Reauthorization Act, the Congress mandated that FAA take several
actions to improve aviation security, and the Congress provided
$144.2 million in the Omnibus Consolidated Appropriations Act of 1997
to purchase commercially available advanced security equipment for
screening checked and carry-on baggage and to conduct related
activities.

   FAA HAS MADE PROGRESS, BUT FULL
   IMPLEMENTATION WILL TAKE YEARS
---------------------------------------------------------- Chapter 0:2

As we reported in April 1998, FAA has made progress in a number of
critical areas to improve aviation security as recommended by the
Commission and mandated by the Reauthorization Act.  However, the
agency has experienced delays of up to 12 months in completing the
five efforts we reviewed:  passenger profiling, explosives detection
technologies, passenger-bag matching, vulnerability assessments, and
the certification of screening companies and the performance of
security screeners.  FAA officials said many of the expected
completion dates were ambitious, and they have extended them to take
into account the complexities and time-consuming activities involved.
We found that delays were caused by the new and relatively untested
technologies, limited funds, and problems with equipment installation
and contractors' performance.  In some cases, FAA must develop
regulations to establish new requirements.  Airports, air carriers,
and screening companies then must establish programs to meet those
requirements.  Based on FAA's current schedule and milestones, this
whole process for enhancing the nation's aviation security system
will take years to fully implement.

I will briefly discuss the status of these five initiatives and the
actions that FAA and others need to take before they can be fully
implemented.

      AUTOMATED PASSENGER
      PROFILING
-------------------------------------------------------- Chapter 0:2.1

Automated passenger profiling is a computer-based method that permits
air carriers to focus on the small percentage of passengers who may
pose security risks and whose bags should be screened by explosives
detection equipment or matched with the boarding passengers.  The
system developed to screen passengers is known as the
computer-assisted passenger screening (CAPS) system.  It is designed
to enable air carriers to more quickly separate passengers into two
categories--those who do not require additional security attention
and those who do.  None of the major carriers had an automated system
in place by December 31, 1997, as FAA originally planned.  However,
as of February 1998, three major air carriers had voluntarily
implemented the system, and all but one major carrier are expected to
have voluntarily implemented it by September 1998.  FAA still needs
to issue a regulation to require this type of screening.

Concerns have been raised about the potential of this system to
function in a discriminatory manner.  However, the Department of
Justice has determined that the screening process used by the system
does not discriminate against travelers because it does not record or
give any consideration to the race, color, national or ethnic origin,
religion, or gender of passengers.  Nor does it include as a
screening factor any passenger traits, such as a passenger's name or
mode of dress, that may be directly associated with discriminatory
judgments.  To ensure the system is run in a nondiscriminatory
manner, the system will be reviewed periodically by FAA and the
Department of Justice.

      EXPLOSIVES DETECTION
      TECHNOLOGIES
-------------------------------------------------------- Chapter 0:2.2

Explosives detection technologies are screening devices that have the
capability to detect the potential existence of explosives that can
be concealed in carry-on or checked baggage.  This area is one that
recently has seen a substantial increase in funding.  FAA is a year
behind schedule in deploying this equipment.  These delays have been
caused, in part, by the inexperience of the contractor hired to
install the equipment and the ongoing or planned construction
projects that must be completed before the equipment can be installed
at certain airports.  By December 1997, FAA originally planned to
deploy 54 certified explosives detection systems to screen checked
bags\4 and 489 trace detection devices\5 to screen passengers'
carry-on bags at major airports.  However, as of the end of April
1998, FAA had deployed only 21 of the certified explosives detection
systems and only about 250 of the trace detection devices.  FAA now
plans to have all of them installed and operational by December
1998.\6 At that time, still only a limited number of airports and a
fraction of the flying public would be covered.

During the deployment of this equipment, FAA plans to gather
information and evaluate how well the equipment is working in the
field.  This is important because we previously reported that there
were significant differences between how these certified systems
performed in the field and in the laboratory.  Both the cost of the
equipment--two units in one place costing about $2 million are
required to meet FAA's certification standard--and the speed at which
the equipment can screen bags have been concerns to the aviation
industry.  FAA is interested in identifying and certifying less
expensive and faster equipment and has continued to fund research to
develop more equipment that could potentially meet FAA's
certification standard.

--------------------
\4 Only one certified explosives detection system has met the
certification standard for screening checked bags.  Other devices
that are commercially available have limitations that prevent them
from meeting the required standard.

\5 Trace detection devices use either a vacuum system or a "wipe" to
sample vapors or pick up particles of explosives on the surfaces of
various objects.

\6 In addition to the 54 certified systems, FAA has updated 3 systems
that were used in a demonstration program to match the improvements
made to the 54 being installed.  These 3 systems are operating at two
airports, bringing the total number of systems that will be deployed
to 57.

      PASSENGER-BAG MATCH
-------------------------------------------------------- Chapter 0:2.3

Matching checked bags to the passengers who actually board a flight
allows airlines to reduce the risk from concealed explosives because
they can remove the bags of people who do not board the aircraft.
According to FAA, when passenger-bag matching is fully implemented,
the system will match some passengers, who are either randomly
selected or who have been identified through the profiling system,
with their bags.  FAA began examining the feasibility of matching
bags with passengers before the Commission's final report was issued
and the Reauthorization Act was passed.  In June 1997, the agency
completed a pilot program at selected airports.  Although FAA was
required by the Reauthorization Act to report to the Congress on the
pilot program within 30 days after its completion, it did not do so.
In the fall of 1997, FAA notified the Congress that the report would
be delayed because FAA had agreed with the airline industry to
combine this report with an economic analysis of the impact of
matching passengers and bags systemwide.  Some air carriers have
already voluntarily begun to match some passengers and bags for their
domestic flights.  In November 1998, FAA expects to issue a
regulation that will require air carriers to implement such a program
within 30 days--about 1 year later than the Commission expected.

      VULNERABILITY ASSESSMENTS
-------------------------------------------------------- Chapter 0:2.4

In both the Reauthorization Act and the Commission's final report,
FAA was directed to conduct a number of vulnerability assessments in
an airport environment to identify weaknesses in security measures
that could allow threats to be successfully carried out.  In August
1996, recognizing the vital role of vulnerability assessments, we
recommended that steps be taken to conduct a comprehensive review of
the safety and security of all major airports and air carriers to
identify the strengths and weaknesses of their procedures to protect
the flying public and to identify vulnerabilities in the system.  FAA
has three separate efforts under way.

First, FAA is developing a standardized model for conducting airport
vulnerability assessments, as the Commission recommended.  FAA is
working with several companies that are using different models for
assessing the vulnerabilities at 14 major airports.  FAA has
established a panel to review the assessment results and to select
the best model for assessing a facility's vulnerabilities.  The
agency plans to make this model available to airlines and airports in
March 1999.  Although some delays have occurred in starting the
assessments, they have not been significant.

Second, to address the Reauthorization Act's requirement for FAA and
the Federal Bureau of Investigation (FBI) to jointly assess threats
and vulnerabilities at high-risk airports, FAA and FBI officials
conducted their first assessment in December 1997.  In February 1998,
FAA officials said they would begin conducting one to two assessments
each month.  The results of the joint assessments will be used for
comparing threats and vulnerabilities at different airports.  By
having both threat and vulnerability information, FAA and FBI
officials should be able to determine which airports and which areas
of airports present the highest risks.  FAA and FBI have agreed to a
schedule for assessing 31 airports considered to be high-risk
candidates by the end of calendar year 1999.  The Reauthorization
Act, however, called for the initial assessments to be completed by
October 9, 1999.  The schedule FAA and FBI agreed to calls for their
reviews at 28 of the 31 airports to be completed by this date.

Third, the Reauthorization Act mandates that FAA require airports and
air carriers to conduct periodic vulnerability assessments.  FAA
plans to require that airports and air carriers incorporate periodic
assessments into their individual security programs.  However, FAA
stated that before implementing this change, it intends to make the
standardized model that it is developing available to both airports
and air carriers for use in conducting these assessments.  As
mentioned previously, FAA expects the model to be available in March
1999.  Implementation of the periodic assessments is to begin around
mid-1999.

      CERTIFICATION OF SCREENING
      COMPANIES AND IMPROVEMENT OF
      SCREENERS' PERFORMANCE
-------------------------------------------------------- Chapter 0:2.5

Both the Reauthorization Act and the Commission's report directed FAA
to certify the screening companies that air carriers contract with to
provide security at airport checkpoints and to improve the training
of the personnel doing the screening.  Certifying the companies would
ensure that these companies and their employees meet established
standards and have consistent qualifications.  FAA plans to complete
the final regulation for certifying screening companies and screener
performance in March 2000.  According to FAA officials, they need
time to develop performance standards based on screener performance
data and to incorporate those standards into the final regulation.

Improving the training and testing of people hired by these companies
to screen passengers' baggage at airport security checkpoints would
also improve aviation security.  Regardless of advances in
technology, the people who operate the equipment are the last and
best line of defense against the introduction of any dangerous object
into the aviation system.  Currently, the people who are hired to
screen baggage attend a standardized classroom training program.  FAA
is deploying a computerized, self-paced training and testing system,
called the Screener Proficiency Evaluation and Reporting System
(SPEARS).  This effort was begun well before the Commission issued
its initial report and the Reauthorization Act was enacted.  As of
February 1998, FAA had deployed computer-based training systems for
personnel who use X-ray machines for screening carry-on bags at 17
major airports.  Deployment is planned for two additional major
airports by May 1998.  FAA had also awarded a contract to deploy
these systems at another 60 airports, but as of March 1998, the
agency had decided to deploy only 15 of the 60 systems because it
lacked necessary funding.  If funds are available, FAA plans to
deploy the other 45 systems by the end of fiscal year 1998 or early
fiscal year 1999.

   FURTHER IMPROVEMENTS MAY
   REQUIRE ADDITIONAL FUNDING AND
   CONGRESSIONAL OVERSIGHT
---------------------------------------------------------- Chapter 0:3

Although no system can guarantee full protection against the threat
of terrorist activities, security improvements can help to reduce
that threat.  Further improvements in the nation's aviation security
system will need long-term efforts by FAA and the aviation industry.
To maintain momentum, it is important for the Congress to provide
continual oversight and to address funding issues.

Funding for aviation security improvements is an issue that the
Congress will be faced with for a number of years.  The Commission
envisioned a federal investment of approximately $100 million
annually to enhance aviation security.  The President's 1999 budget
requested $100 million to continue the purchase and installation of
explosives detection devices, as recommended by the Commission, and
an additional $2 million for vulnerability assessments.  The amount
of funding appropriated to date, as well as FAA's request in fiscal
year 1999, represents only a fraction of the funding needed to fully
implement security improvements throughout the nation's aviation
system.  For example, several years ago, FAA estimated that the cost
of acquiring and installing the certified systems at the nation's 75
busiest airports could range from $400 million to $2.2 billion,
depending on the number and the cost of machines installed.

In 1996, we stressed that it is important for the Congress to oversee
the implementation of FAA's security measures.  We recommended that
the Congress require the responsible agencies to establish consistent
goals and performance measures.  This is consistent with the purpose
behind the Government Performance and Results Act, which requires
agencies to set goals and measure their performance against those
goals so that the Congress can hold the agencies accountable for
results.  Starting with fiscal year 1998, FAA began including such
goals and specific performance measures for its security programs in
its annual budget submissions.  FAA is also incorporating goals and
performance measures into its 1998 Strategic Plan, which should be
issued shortly.  Using these established goals and performance
measures, the Congress can then oversee FAA's progress in improving
aviation security.

In closing, Mr.  Chairman, vulnerabilities in our aviation security
system still exist.  While FAA has made some progress in addressing
these vulnerabilities, it is crucial that the Congress maintain
vigilant oversight of the agency's efforts.  When we testified before
several committees nearly 20 months ago following the crash of TWA
Flight 800, a parallel was drawn between actions taken following Pan
Am Flight 103 and TWA Flight 800.  In both instances, presidential
commissions were formed, vulnerabilities were identified, and a
period of heightened activity by the government, the aviation
industry, and the media ensued.  Regrettably, after the commission
investigating Pan Am Flight 103 issued its report, activity began to
wane and not much progress was made.  Although improvements have been
made since the crash of TWA Flight 800, we must ensure that momentum
will not be lost.

-------------------------------------------------------- Chapter 0:3.1

Mr.  Chairman, this concludes our prepared statement.  We would be
glad to respond to any questions that you or any Member of the
Subcommittee may have.
*** End of document ***