This is the accessible text file for GAO report number GAO-04-1062 
entitled 'Maritime Security: Better Planning Needed to Help Ensure an 
Effective Port Security Assessment Program' which was released on 
September 30, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters:

United States Government Accountability Office:

GAO:

September 2004:

Maritime Security:

Better Planning Needed to Help Ensure an Effective Port Security 
Assessment Program:

GAO-04-1062:

GAO Highlights:

Highlights of GAO-04-1062, a report to congressional requesters

Why GAO Did This Study:

Created in the wake of the September 11, 2001, terrorist attacks, the 
Port Security Assessment Program was designed to evaluate security at 
the nationís 55 most economically and militarily strategic ports. 
Implemented by the U.S. Coast Guard, an agency of the Department of 
Homeland Security, the program focuses on identifying vulnerabilities, 
suggesting approaches to minimize them, and making the information 
available to those responsible for developing and implementing 
portwide security plans. The program has been under way for more than 
2 years and has undergone several sets of changes, including the 
addition of a geographic information system (GIS). GAO was asked to 
discuss why and how the program changed and assess the Coast Guardís 
approach for implementing the program in its current form.

What GAO Found:

Changes in the Port Security Assessment Program reflect attempts to 
deal with two main developments since the programís inception: 
evolving assessment needs at the ports and missteps in how the initial 
assessments were carried out. The program was designed as a 
comprehensive assessment of each port and its critical assets, such as 
passenger terminals, factories, cargo facilities, and bridges. However, 
the need for comprehensive assessments was diminished when many owners 
and operators of these critical assets began conducting their own 
assessments to comply with new regulatory requirements or apply for 
security grants. The programís assessments also proved more expensive 
than expected, and a GAO review conducted at the time found 
shortcomings in their quality and usefulness. The current programís 
assessments are more targeted in scope and nature, including the 
opportunity for local Coast Guard officials to request reviews of 
specific assets they do not know enough about. To help local 
authorities with security planning and response, the Coast Guard 
decided to incorporate a GIS. A GIS is a computer mapping system 
designed to have many information ďlayersĒ that can be easily updated 
and retrieved. The Coast Guard expects to complete the assessments at 
the 55 ports by February 2005, but no timeline exists for making the 
GIS component operational.

Although the revised program holds promise, the implementation 
approach is at increased risk because the Coast Guard is not taking 
sufficient steps in the planning process. Contrary to best practices 
for technology systems development, the GIS is being developed without 
sufficient up-front work to identify how the system will be expected 
to perform. Both the GIS component and the program as a whole also 
lack a project plan detailing tasks, schedules, and costs. In other 
federal agencies, GAO has identified similar projects that failed when 
such steps were not followed. The initial response of local Coast 
Guard officials to the new, targeted assessments is generally positive. 
However, the assessments could be of greater benefit if functional 
requirements for the GIS were more clearly defined, so the Coast Guard 
could use the assessments to address gaps in security knowledge.

A terrorist attack on port assets could result in human casualties, 
economic disruption, and environmental destruction. Assessments of 
assets such as bridges are to identify methods to protect them from 
such an attack.

[See PDF for image]

[End of figure]

What GAO Recommends:

To enhance the programís effectiveness as a tool for improving port 
security, GAO recommends that the Coast Guard define performance 
requirements for the GIS and develop a more comprehensive plan for 
implementing both the GIS and the Port Security Assessment Program as 
a whole. In commenting on a draft of this report, the Coast Guard 
agreed to take steps to define the functional requirements of the GIS 
and to more fully develop a plan for the long-term implementation of 
the program.

www.gao.gov/cgi-bin/getrpt?GAO-04-1062.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Margaret Wrightson at 
(415) 904-2200 or wrightsonm@gao.gov.

[End of section]

Contents:

Letter:

Results in Brief:

Background:

Assessment Program Has Been Extensively Revised:

Absence of Key Management Elements Places Program's Potential to 
Enhance Port Security at Higher Risk:

Conclusions:

Recommendations for Executive Action:

Agency Comments:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Staff Acknowledgments:

Figures:

Figure 1: Examples of Layers in a Geographic Information System:

Figure 2: Sample GIS Map of Debris Path from Space Shuttle Columbia:

Figure 3: Timeline of Key Events in the Development of Port Security 
Assessment Program:

Abbreviations:

BLM: Bureau of Land Management:

DHS: Department of Homeland Security:

DTRA: Defense Threat Reduction Agency:

GIS: geographic information system:

MTSA: Maritime Transportation Security Act:

NVIC: Navigation and Vessel Inspection Circular:

United States Government Accountability Office:

Washington, DC 20548:

September 30, 2004:

The Honorable Don Young: 
Chairman: 
Committee on Transportation and Infrastructure: 
House of Representatives:

The Honorable Frank A. LoBiondo: 
Chairman: 
Subcommittee on Coast Guard and Maritime Transportation: 
Committee on Transportation and Infrastructure: 
House of Representatives:

Three years after the terrorist attacks of September 11, 2001, securing 
the nation's ports continues to be a major concern. Ports and 
associated waterways are particularly vulnerable because of their size, 
accessibility, and the many sites and facilities that could be 
targeted. Gathering information about these vulnerabilities is an 
essential step for developing deterrents and responding effectively if 
an incident occurs. One such effort is the Port Security Assessment 
Program, which is designed to assess port vulnerabilities and security 
measures in the nation's 55 most economically and militarily strategic 
ports.[Footnote 1] Since November 2001, nearly $70 million in 
appropriated funds has been and continues to be spent on this project, 
which is administered by the United States Coast Guard, an agency of 
the Department of Homeland Security (DHS).

This program has changed considerably since its inception in the days 
immediately following the September 11 attacks. Among these changes, 
the Coast Guard has added a new feature--a geographic information 
system (GIS). A GIS is a computer mapping system with many information 
"layers" that can be quickly retrieved and displayed and easily 
updated. If, for example, a port received notice of potential threats 
to chemical plants in the area, a well-designed GIS could identify 
locations of these plants, provide a variety of information about them, 
and pinpoint available surveillance and response resources for Coast 
Guard personnel and others involved in port security. This tool is 
intended to provide up-to-date, readily accessible information to help 
develop security plans and respond to specific threats or incidents. 
However, the experience of other federal agencies has shown that 
developing an information technology system, such as a GIS, that 
clearly meets users' needs can be difficult.

Given the role the program is expected to play in enhancing the Coast 
Guard's ability to provide security at our nation's ports, this report 
(1) discusses why and how the program has changed over time and (2) 
assesses the Coast Guard's approach for implementing the program as it 
is currently configured.

To address the first objective, we reviewed Coast Guard documents and 
spoke with officials at Coast Guard headquarters responsible for 
implementing the program. We also visited ports that had been assessed. 
At the ports, we interviewed local Coast Guard personnel as well as 
numerous stakeholders to determine how the assessment process was 
carried out. For part of the history of the program, we also relied on 
our previous work.[Footnote 2] To address our second objective, we 
interviewed Coast Guard officials, including the GIS Program Manager to 
assess progress on the GIS development effort. We also reviewed Coast 
Guard documents, including its systems acquisition guidance, and 
documentation of the Coast Guard's efforts to modify its port security 
GIS. Finally, we reviewed information and documentation related to GIS 
applications and identified standards and best practices for 
information systems acquisition and development to determine best 
practices for managing such a project. Our work, which was conducted 
from June 2003 through August 2004, was done in accordance with 
generally accepted government auditing standards.

Results in Brief:

The changes in the Port Security Assessment Program reflect attempts to 
deal with two main developments since the program's inception: evolving 
assessment needs at the ports and missteps in how the program's initial 
assessments were carried out. As originally designed, the program 
involved hiring an outside contractor to conduct a vulnerability 
assessment encompassing a wide range of port activities and 
installations, including docks, warehouses, shipping facilities, 
bridges, factories and power stations, and other facilities and 
infrastructure. By the time these assessments began in August 2002, 
however, various port stakeholders, including port authorities, and 
owners and operators of boats, factories, and other facilities, had 
begun or completed their own assessments in order to identify security 
vulnerabilities of their assets or apply for federal security grants. 
More security information subsequently became available as new 
regulatory requirements went into effect in 2003 requiring owners or 
operators of specific facilities and vessels in the nation's ports to 
conduct security assessments of those assets. The increased information 
from these stakeholders, combined with higher-than-expected costs for 
the contractor's first 8 assessments, led the Coast Guard to begin 
changing the scope of the contractor's assessments. When our 
examination of the contractor's efforts found shortcomings in the 
quality and usefulness of the assessments, the Coast Guard temporarily 
stopped conducting assessments in order to make further revisions to 
the program. By this time, the Coast Guard had also decided that a GIS 
would be useful for assembling and using the extensive amount of 
security information becoming available, leading to its adoption as 
part of the program. The program now includes four components--GIS and 
three specific types of assessments: a compilation and synopsis of 
other assessments already conducted in the port, an assessment of the 
port's maritime vulnerabilities by former Navy Special Operations 
Forces, and the option for specific assessments of critical 
infrastructure or operations as requested by the local Coast Guard 
Captain of the Port. These assessments are more tailored to specific 
needs than the previous assessments were. The Coast Guard plans to 
complete these assessments so that all 55 of the most strategic ports 
will have received an assessment using either the previous approaches 
or the current approach. Coast Guard officials have not yet determined 
when the GIS will be completed and made available.

The revised program holds promise, but the Coast Guard's implementation 
approach is putting that promise at increased risk, particularly for 
the GIS component. Developing a GIS that can meet the varying security 
requirements of 55 ports is a complex undertaking, and the Coast Guard 
has increased the risk by not using project management principles 
called for by the information technology industry's best practices. 
Specifically,

* The Coast Guard has not yet identified the functional requirements 
for the GIS or taken the steps needed to ensure that Coast Guard 
personnel modifying the system and Coast Guard and other personnel who 
will actually use it have a clear and mutual understanding of these 
requirements. Industry practices call for carefully identifying these 
requirements and documenting how they will be developed. In previous 
work that we have done on other agencies' development of information 
technology systems, we have found systems that had to be abandoned when 
these steps were not followed.

* The Coast Guard is proceeding without first developing a plan that 
clearly indicates how the GIS will be managed, what it is expected to 
cost, or when the various work steps should be completed.

As the Coast Guard is facing these problems for the GIS component, it 
is proceeding to carry out the other three assessment components at 
individual ports. As of early August 2004, these assessment components 
had been performed at twelve ports. Local Coast Guard officials 
responsible for security at those ports indicated that the individual 
components generally appeared to be of value in security planning 
activities. However, because specific functional requirements in the 
GIS have not been defined, Coast Guard officials are not in a position 
to fully use these assessments to help address gaps in the information 
they need for security planning and response. Finally, beyond the GIS 
component, the program as a whole lacks a fully developed plan 
detailing costs, schedule, and overall management strategy. The lack of 
such a plan may negatively affect the usefulness of the assessment 
program in the long term.

To help ensure that the Port Security Assessment Program is operated 
effectively, we are recommending that the Coast Guard define and 
document GIS requirements and develop a plan for implementing both the 
GIS and the program as a whole. In commenting on a draft of this 
report, Coast Guard officials generally agreed with the facts and 
concurred with our recommendations. The Coast Guard also provided 
technical comments which we have incorporated into this report as 
appropriate.

Background:

Creating effective security in the nation's ports in the post-September 
11 world is a challenging task. Ports present attractive targets for 
terrorists: they are sprawling, easily accessible by water and land, 
close to crowded metropolitan areas, and interwoven with complex 
transportation networks. Besides terminals where goods bound for import 
or export are unloaded or loaded onto vessels, ports also contain other 
facilities critical to the nation's economy, such as refineries, 
factories, and power plants. These many facilities, along with the 
ships and barges that ply port waterways, can be vulnerable on many 
fronts. For example, container terminals, where containers are 
transferred between ships and railroad cars or trucks, need ways to 
screen vehicles and routinely check cargo for evidence of tampering. At 
factories and other facilities where hazardous materials are present, 
safeguards must be in place to prevent unauthorized persons from 
gaining access. Similarly, vessels ranging from oil tankers to tugboats 
need effective access control over critical operating areas, such as 
engine and control rooms.

The framework for the nation's collective response to this challenge is 
now found in the Maritime Transportation Security Act (MTSA), passed by 
the Congress in November 2002. MTSA's implementing regulations require 
owners and operators of facilities and vessels to conduct assessments 
that will identify their security vulnerabilities and to develop 
security plans to mitigate these vulnerabilities. Under these 
regulations, these plans are to include such items as measures for 
access control, responses to security threats, and drills and exercises 
to train staff and test the plan. MTSA was enacted after the Coast 
Guard initially began developing the Port Security Assessment Program 
in the wake of the September 11 attacks.

Some basic information about geographic information systems, or GIS, 
may be helpful in understanding this component of the Port Security 
Assessment Program. A GIS can be thought of as a sort of electronic 
map, but with many more capabilities than traditional paper mapping. 
For example, paper maps can provide only a static snapshot of selected 
entities and their locations and cannot be easily updated or changed. 
By contrast, information in a GIS can be easily and continually 
updated. In addition, because a GIS stores information on separate 
"layers" related to such things as roads or buildings, users can 
combine data layers at will, providing the capability to quickly create 
and view maps for specific purposes any time they are needed. Data 
layers in a GIS can be extremely varied. Typical types include the 
following:

* Layers describing location, ownership, and other information about 
real property (called cadastral data).

* Layers that have the characteristics of a map and image qualities of 
a photograph (called digital orthoimagery).

* Layers describing water features such as lakes, ponds, streams and 
rivers, canals, oceans, and coastlines (called hydrographical data).

For the Coast Guard, potential GIS layers could include transportation-
-describing anchorages, bridges, and roadways; utilities--including 
power plants, power lines, and substations; and emergency response--
including police and fire stations, and hospitals. Figure 1 
illustrates, in a simplified way, this concept of layers and how they 
can be integrated.

Figure 1: Examples of Layers in a Geographic Information System:

[See PDF for image]

[End of figure]

The database capabilities of a GIS allow many other kinds of 
information to be embedded on these data layers as well, so that the 
information is easily available. For example, a GIS allows the user to 
know not only the location of a building relative to other buildings or 
roads, but can also provide information such as the building's owner, 
when the building was built, the building's contents, and its 
dimensions and height. This ability to create maps on demand for 
specific purposes, with additional information at the ready, surpasses 
what can be done with traditional mapping approaches.

One illustration of a GIS's usefulness came in connection with efforts 
to recover debris from the space shuttle Columbia when it was lost in 
re-entering the earth's atmosphere on February 1, 2003. Debris from the 
shuttle was spread over at least 41 counties in Texas and Louisiana. In 
Texas, a state-operated GIS provided authorities with precise maps and 
search grids to guide reconnaissance and collection crews in the field. 
Officials in charge of the effort used maps of debris fields, combined 
with GIS data about the physical terrain, to carefully track the pieces 
of debris found. Figure 2 is a map, created from debris data entered 
into the GIS, showing the general west-to-east track of debris data 
across several east Texas counties and the outer boundaries of the area 
in which debris was found.

Figure 2: Sample GIS Map of Debris Path from Space Shuttle Columbia:

[See PDF for image]

[End of figure]

Assessment Program Has Been Extensively Revised:

The Coast Guard has made significant revisions to adapt the Port 
Security Assessment Program to the increasing amount of security 
evaluations performed by port stakeholders and to address shortcomings 
in the program's initial implementation. The Coast Guard initially set 
out to use the program as an assessment of security conditions at 55 
ports. The Coast Guard and the contractor it hired to develop the 
assessment approach and conduct the assessments started the first 
assessments in August 2002, when other assessment efforts were also 
under way. Port stakeholders around the country had begun or already 
completed their own assessments of their facilities or vessels in order 
to identify security vulnerabilities of their assets or obtain federal 
assistance in strengthening their security. Even more security 
information was to become available as new regulatory requirements were 
implemented in 2003 requiring security assessments to be performed by 
the owners or operators of facilities and vessels operating in the 
nation's ports. This changing security environment and higher-than-
expected costs to complete the contractor's initial assessments 
prompted the Coast Guard to revise the scope of the contractor's 
assessments. Our examination of the contractor's initial assessments 
identified additional shortcomings in the quality of the work and the 
assessment approach. In response, the Coast Guard temporarily postponed 
all assessment work to make further revisions, both to take advantage 
of the other sources of assessment information and make the assessments 
more useful in port security planning efforts. The revised program (1) 
added a GIS as a new feature and (2) tailored security assessments for 
particular purposes, such as synthesizing existing assessments or 
assessing certain infrastructure at the direction of local Coast Guard 
personnel. The assessments are to be completed by February 2005--but 
the Coast Guard is still developing its GIS and is uncertain as to when 
the GIS will be ready for use.

Program Initially Focused on Assessing Post-9/11 Vulnerabilities at Key 
Ports:

The Coast Guard began the Port Security Assessment Program to assess 
the vulnerabilities of the nation's most strategic commercial and 
military ports in the aftermath of the September 11, 2001, terrorist 
attacks. (See fig. 3 for a timeline of the program.) To identify which 
ports were most strategic, the Coast Guard considered such factors as 
cargo volume, import/export cargo value, volume of passenger traffic on 
ferries or cruise ships, population density around the port, the 
presence of critical infrastructure or key assets, the presence of 
military forces or bases, and whether the port was designated to 
support major military deployments. From this analysis, 55 ports out of 
361 ports were chosen to be the first to receive port security 
assessments.

Figure 3: Timeline of Key Events in the Development of Port Security 
Assessment Program:

[See PDF for image]

[End of figure]

In April 2002, the Coast Guard selected a contractor to perform the 
assessments. Under this arrangement, the contractor was responsible for 
developing an approach (which the Coast Guard calls "Version 1") to 
assess vulnerabilities of port assets and systems such as cargo 
facilities, manufacturing facilities, passenger terminals, power 
generation and fuelling facilities, as well as other infrastructure 
such as public access areas and bridges. The assessment was to identify 
the relationships between selected assets to port systems, identify the 
vulnerabilities of those assets to terrorist attacks, and recommend 
actions to mitigate the vulnerabilities.[Footnote 3] With oversight 
from the Coast Guard, the contractor had primary responsibility for 
conducting key activities of each assessment, such as identifying which 
assets should be assessed, collecting data from stakeholders, making 
on-site visits, and analyzing the data collected. The final product was 
to be a comprehensive written report of the findings identified during 
the assessment. Primary customers for this work were the local Coast 
Guard Captain of the Port and port stakeholders serving on Area 
Maritime Security Committees, who could use it in such security 
planning efforts as the development of an Area Maritime Security 
Plan.[Footnote 4]

The first assessments began in August 2002; the Coast Guard's goal was 
to complete them at all 55 ports by the end of 2004.[Footnote 5] To 
further refine the approach before assessing "megaports" such as New 
York/New Jersey or Los Angeles/Long Beach, as well as to give the 
program a chance to build additional assessment teams to perform the 
work, the Coast Guard decided to try out the approach at medium-sized 
ports first such as San Diego and Boston. Under the time frame the 
Coast Guard adopted, officials expected to conduct assessments of 8 
ports in 2002, 18 in 2003, and 24 in 2004.[Footnote 6]

Need to Incorporate Work Done by Others and Correct Shortcomings in 
Contractor's Assessments Led to Revisions in the Approach:

Several actions taken by port stakeholders led to substantial changes 
in the approach. One of these developments was that many port 
stakeholders were starting or completing assessments on their own. 
Stakeholders, such as port authorities, and owners and operators of 
facilities and vessels began conducting assessments in order to 
identify security vulnerabilities of their assets or to meet 
application requirements for federal grants. In some cases, initial 
assessments were performed shortly after the September 11, 2001, 
terrorist attacks and were followed by more comprehensive assessments 
conducted either on their own or by contractors. For example, port 
stakeholders such as chemical producers that were members of certain 
industry or trade organizations were required to complete assessments 
of their facilities using approved assessment methodologies as a 
condition of their membership in the organization. Beginning in 
September 2002, the Coast Guard also issued a series of suggested 
guidelines[Footnote 7] for port stakeholders to use in conducting 
security assessments and developing security plans to address any 
identified vulnerabilities.

In addition to the assessment activities that many stakeholders 
voluntarily undertook after the terrorist attacks, more maritime 
security information became increasingly available as the Maritime 
Transportation Security Act began to be implemented. Enacted in 
November 2002, MTSA mandated major changes in the nation's approach to 
maritime security and called for a comprehensive framework that 
includes planning, personnel security, and careful monitoring of 
vessels and cargo. The regulations implementing MTSA required owners or 
operators of specific facilities and vessels in the nation's ports to 
conduct assessments and develop plans to address vulnerabilities. These 
security assessments and plans were to be reviewed and approved by the 
Coast Guard prior to July 1, 2004.[Footnote 8] As a result, facilities 
and vessels that had not already completed a security assessment were 
now required to do so, thereby increasing the amount of assessment 
information available from port stakeholders at the 55 ports as July 1, 
2004, drew nearer.

Coupled with the changes in the amount of information to be generated 
by others, high costs for the first set of assessments prompted the 
Coast Guard to begin reassessing the Version 1 approach for conducting 
the assessments. According to the Coast Guard, assessments for the 
first 8 ports cost nearly three times more than was originally 
expected, exceeding $1 million per port. To address this issue, the 
Coast Guard made changes in the assessment approach, including greater 
emphasis on discussions early on in the assessment process with local 
Coast Guard Captains of the Port in order to better focus on the 
facilities and infrastructure needing to be assessed and the adoption 
of a standardized report outline and format to reduce 
redundancy.[Footnote 9] The Coast Guard decided to pilot-test this new 
approach, which the Coast Guard now calls "Version 2," at two ports in 
the summer of 2003.

As this new approach was being readied, our own review of the 
contractor's assessments disclosed additional shortcomings. In a 
September 2003 testimony before the Senate Committee on Commerce, 
Science, and Transportation, we expressed concern about how the 
assessment program was being implemented.[Footnote 10] In talking with 
some port stakeholders who participated in the assessment, we found 
that many of them saw little usefulness in the assessments beyond what 
they already knew about their vulnerabilities from previously completed 
assessments. Some key port stakeholders declined to participate in the 
assessment after receiving lengthy questionnaires from the contractor 
asking for information stakeholders considered proprietary. Port 
stakeholders also said they had not been given the opportunity to 
review or comment on the draft assessment report, which contained 
errors and inaccuracies. Finally, the contractor was moving to use the 
Version 2 approach in the next set of assessments before the lessons 
learned from the pilot tests could be identified and incorporated into 
the assessment approach.

We shared our findings with Coast Guard officials and suggested that 
the assessment approach be further revised. In addition to giving the 
Captains of the Port and Coast Guard personnel a larger role in 
identifying the critical assets to be assessed, we suggested that the 
Coast Guard reduce duplication and lessen the burden on stakeholders by 
doing more to take into account already-completed assessments of 
facilities and assets. The Coast Guard agreed and postponed conducting 
more assessments until additional changes to address these deficiencies 
were made.

Subsequent Revisions Incorporated the Use of a GIS and More Focused 
Assessments:

While considering what changes needed to be made to the assessment 
program, the Coast Guard also determined that it was essential to 
provide local Coast Guard officials and certain members of the local 
Area Maritime Security Committee a means to retrieve maritime security 
information and display it for planning and response purposes at the 
ports. Although a significant amount of security information was now 
available, it was kept in disparate locations and was not readily 
available. With the regulations implementing MTSA requiring Captains of 
the Port and Area Maritime Security Committees to develop portwide Area 
Maritime Security Plans, access to the available security information 
became increasingly important in order for them to carry out this 
responsibility and improve the protection of the marine transportation 
system.

To provide local Coast Guard officials and certain members of the local 
Area Maritime Security Committee access to this information, the Coast 
Guard decided to incorporate a GIS as a new feature in the assessment 
program. At the local port level, the GIS would integrate the security 
information into a single electronic database that would allow the 
information to be retrieved and displayed within the context of a 
particular port area. Whereas previous assessment results were compiled 
into a published report that would characterize the port's security 
posture at a single point in time, GIS has the capability of being 
updated as new information becomes available. GIS also provides a tool 
for visually depicting the port and for retrieving security or 
assessment information as needed in the development or revision of Area 
Maritime Security Plans. The Coast Guard believes this will benefit the 
Captains of the Port and the Area Maritime Security Committees to 
better visualize the port and enhance their ability to develop security 
plans as well as respond to a security incident, should one occur.

In addition to the GIS component, the revised program has three other 
components, all related to assessments. The Coast Guard revised the 
assessment approach so that it would provide more specialized 
information about port security. The approach, known as Version 3, has 
three different types of assessments that collectively are aimed at 
providing both a synthesis of what is already known about security at a 
port and studies of specific topics or infrastructure that have not 
been fully assessed. When completed, these assessments will provide the 
core security information to populate the GIS. These assessment 
components are as follows:

* Assessment of Assessments--An identification and inventory of 
completed security assessments of port assets and critical 
infrastructure within a port. This inventory is designed to help the 
assessment team minimize the possibility of needlessly duplicating 
previously completed assessments as well as to provide the Captain of 
the Port and the Area Maritime Security Committee with greater 
awareness of existing security information.

* Terrorist Operations Assessment--An assessment utilizing the 
expertise of contractors comprised of former Navy Special Operations 
personnel to provide an outsider perspective on the ports' 
vulnerabilities to a terrorist attack. This assessment is to evaluate 
potential terrorist targets within the ports and identify likely attack 
scenarios for the Captain of the Port and Area Maritime Security 
Committee to consider addressing in the Area Maritime Security Plan.

* Special Assessment--Assessment of specific port assets, 
infrastructure, or operations that are critical to the port but have 
not been previously assessed from a maritime perspective. Performed at 
the request of the Captain of the Port and the Area Maritime Security 
Committee, this assessment is to provide vulnerability, impact, and 
countermeasure information on those assets, infrastructure, or 
operations. Examples include blast impact assessments of commercial 
vessels, plume dispersion assessments of an attack on vessel or 
facility with hazardous materials, and security assessments of 
underwater tunnels.

The Coast Guard has a more definite schedule for completing the 
assessments than for completing the GIS. The Coast Guard resumed 
assessments in March 2004 using the Version 3 approach and plans to 
complete assessments at the remaining ports by February 2005.[Footnote 
11] For the GIS component, the Coast Guard plans to use its own GIS. 
Until this system is operational for port security, the Coast Guard 
plans to lease a commercial GIS that will enable Coast Guard staff to 
familiarize themselves with how a GIS works and identify their specific 
system needs or requirements so the Coast Guard's GIS can be customized 
accordingly. Project officials chose a commercial-off-the-shelf 
software application, iMap,[Footnote 12] that provides the Coast Guard 
access to over 800 layers of data containing information related to the 
nation's ports. Because the Coast Guard's GIS is still in development 
for port security, when the GIS component will be made operational and 
available to all assessed ports is yet to be determined.[Footnote 13]

Absence of Key Management Elements Places Program's Potential to 
Enhance Port Security at Higher Risk:

The Coast Guard's revised approach appears to provide a useful planning 
and response tool for port security, but the implementation of the 
assessment program is at higher risk because of two major problems. 
First, the centerpiece of the new approach, the GIS component, is being 
developed without several key project management steps that are 
critical to success in such projects. Not following these steps 
increases the risk that the data collected will not provide port 
security officials with the information they need to adequately assess, 
identify, and mitigate security risks. Second, for the GIS component 
and the program as a whole, the Coast Guard lacks a strategy that 
clearly defines how the program will be managed, how much it will cost, 
or what activities will continue over the longer term. Lack of a 
strategy increases the risk of cost overruns, missed deadlines, and a 
less-than-effective program. At the same time the Coast Guard is facing 
these problems, it is also conducting security assessments at 
individual ports using the revised approach, and for this part of the 
program, the results to date appear more favorable. Early indications 
from local Coast Guard officials at the ports where the new assessments 
have been performed are that these assessments are of some usefulness 
in current security planning activities. However, not resolving the 
broader planning and management issues could also affect the potential 
value of these assessments to fill in any remaining gaps in the Coast 
Guard's awareness of the security posture in the ports.

GIS Component Seen as Having Great Potential, but Coast Guard Is Not 
Following Established Project Management Practices:

The Captains of the Port and other Coast Guard officials we talked with 
were in agreement in their belief that a GIS with security assessment 
information would greatly facilitate their security planning and 
response efforts. They provided such examples as the following, based 
on their understanding of the tools that would be available with the 
GIS:

* For planning efforts, the visual nature of the GIS would greatly 
enhance the Captain of the Port's and Area Maritime Security 
Committee's understanding of the connections between port facilities, 
assets, and infrastructure that would otherwise not be possible through 
paper reports.

* For incident response efforts, the capability of GIS to store and 
retrieve security information such as plans and assessments of 
particular assets within the port would quicken response times as the 
information can be immediately located and viewed.

A useful, well-designed system does appear to carry great promise. For 
example, if Coast Guard personnel were alerted that a particular port 
may be targeted and that warehouses containing shipping containers were 
at risk, officials could quickly create a map showing the location and 
contents of the warehouses, ingress points located near the warehouses, 
and depth of the nearby waterways throughout the port. Using this 
information, security officials could assess the relative risk to each 
warehouse, prioritize actions based on the risk level, and act almost 
immediately to secure the most vulnerable locations.

However, developing a useful GIS is a significant and complex 
challenge. One reason is that every port has its own unique mix of 
geographic characteristics and operations that must be accurately 
captured. For example, one port may be located along a stretch of river 
while another may sit next to the open ocean, one port may have a high 
volume of cruise ship traffic while another may have a high 
concentration of chemical and petroleum facilities. These different 
characteristics will require a GIS that is flexible enough to be of use 
in a variety of settings. Another reason the GIS can be challenging is 
that some security-related situations, such as potential terrorist 
activities, involve a great deal of unpredictability and the kinds of 
information and analyses needed to address such uncertainty are 
difficult to anticipate.

This complexity places a premium on proper planning. Over the years, we 
have analyzed information technology systems across a broad range of 
federal programs and agencies, and these analyses have repeatedly shown 
that without adequate planning, the risks increase for cost overruns, 
schedule slippages, and systems that are not effective or usable. For 
example, the Bureau of Land Management (BLM) spent more than $67 
million on a system that was never deployed. When the system was tested 
prior to deployment, it was found not to meet users' requirements 
because it did not support BLM's business activities, was too complex, 
and significantly impeded worker productivity. We found this system 
failed because it was developed without a clear understanding of 
requirements and without a credible project schedule with reliable 
milestones.[Footnote 14] In another example, the Centers for Medicare 
and Medicaid Services had similar problems that led to its planned 
Medicare Transaction System being cancelled--the project did not have 
fully defined and agreed-to requirements and had a flawed project 
schedule.[Footnote 15]

These types of problems make it prudent to ensure that planning of GIS 
applications is adequate. Coast Guard officials indicated that they 
viewed the development of the port security GIS database as an add-on 
to existing Coast Guard information systems, not as a new database or 
information system. Within this context, however, it is still important 
to ensure that the steps being taken are likely to produce a 
satisfactory result. In that light, we assessed the Coast Guard's 
development efforts using established best practices in the industry 
for developing information technology systems, including those created 
by the Institute of Electrical and Electronics Engineers/Electronic 
Industries Alliance.[Footnote 16] The Coast Guard's current efforts do 
not apply these criteria in two key ways--defining what the GIS should 
do and establishing sufficient plans to ensure that the requirements 
can be successfully realized. That is, successful implementation of the 
Coast Guard's port security GIS is at higher risk because the Coast 
Guard has not used established project management practices, including 
defining requirements and developing a project schedule, to oversee and 
guide the program.

Actions to Develop GIS Requirements Do Not Meet Standards:

One aspect of developing any information technology system such as a 
GIS involves establishing and maintaining a common and unambiguous 
definition of functional requirements among the project team, system 
users, and software developer. These requirements define what the 
system will be expected to do for its users once it is developed and 
implemented. For example, one requirement could be to ensure that the 
system can link together specified types of geospatial data to provide 
the user with sufficient information. Another requirement could be to 
ensure that the users would be provided the capability of printing 
paper maps and other information found in the GIS. A third could be 
that the GIS be available to its users 24 hours a day, 7 days a week. 
Requirements such as these could be important in ensuring that the 
system will deliver what users need. It is critical that functional 
requirements are carefully defined and that they flow directly from how 
the organization's day-to-day operations are or will be carried out to 
meet mission needs. Improperly defined or incomplete requirements have 
been commonly identified as a root cause for why systems fail or do not 
meet their cost, schedule, or performance goals. Without adequately 
defined requirements, significant risk exists that a system will need 
extensive and costly changes before it will meet the organization's 
needs.

The Coast Guard's actions to develop GIS requirements are not being 
carried out using established practices. The Coast Guard's approach for 
addressing these requirements takes three main forms:

* First, the Coast Guard is using the assessments being conducted at 
the 55 ports to identify requirements for the GIS it is developing.

* Second, the Coast Guard is using feedback from the experiences of 
local officials with the commercial-off-the-shelf software application 
currently in use to help determine what requirements should be 
included.

* Finally, the contractor supporting the interim GIS has been tasked to 
identify the GIS data layers most frequently used by the Coast Guard.

However, these actions fall short of meeting best practices. First, 
there are indications that requirements identified during the 
assessment visits did not necessarily include functional requirements. 
Second, although tasks to identify the data layers accessed by the 
Coast Guard using its interim GIS solution could be used to identify 
requirements for the port security GIS, these tasks have not yet been 
completed and there is no estimate as to when the information will be 
available.

According to Coast Guard officials, the Coast Guard intends to use an 
existing information system instead of building a new GIS database or 
information system that is exclusive to port security. However, while 
the Coast Guard is not developing a new system, greater planning 
efforts appear paramount. To the extent that the Coast Guard and other 
users believe they need to add new kinds of data that do not currently 
exist in the system, both system users and developers need to agree on 
how to define and capture this information so that it can be of maximum 
use. In addition, if the Coast Guard decides to take a more limited 
approach, adding few, if any, new functional requirements, it runs the 
risk that the system will be of only partial use. Rather than taking 
advantage of the powerful planning and analysis capabilities that a 
robust geographic information system could make available, the more 
limited version could only be used to develop static maps of ports and 
their assets. Without effectively identifying and documenting the 
requirements for the new potential functions and data associated with 
the port security portion of its GIS, the Coast Guard faces the risk 
that the GIS will not provide port security officials with the 
functionality and information they need to adequately assess, identify, 
and mitigate security risks.

Coast Guard GIS Planning Does Not Meet Established Best Practices:

Information technology project management principles and industry best 
practices[Footnote 17] emphasize that a project management plan is 
needed to define the technical and managerial processes necessary to 
satisfy project requirements. The plan should include, among other 
activities,

* developing a work breakdown structure with a schedule for all of the 
tasks to be performed;

* identifying and addressing project risks, and:

* implementing a security policy.

The planning document identified by the Coast Guard does not meet these 
standards. According to the Port Security Assessment program manager, 
the Coast Guard considers the project's Concept of Operations[Footnote 
18] to be its project plan. However, the Concept of Operations, does 
not include important elements required in a project plan. For example:

* Tasks and schedules: The Concept of Operations identifies seven Port 
Security Assessment Program objectives, one of which is the use of a 
GIS, but does not identify any of the tasks or a schedule for carrying 
them out. It also provides a list of eight high-level activities that 
need to be completed during the project, but again it lists no 
associated implementation tasks and schedule, although it estimates 
that port security assessments will be completed by December 2004. 
Since the document was written in February 2004, the assessment 
completion date has already been postponed by 2 months, and the project 
manager is unsure if the interim GIS contract will need to be renewed 
next spring because he is not sure when the Coast Guard's own port 
security GIS will be completed and ready for implementation.

* Project risk: The Concept of Operations does not address project 
risks. As a result of not identifying potential risks, the project has 
encountered unexpected problems. For example, two of the eight high-
level activities identified in the Concept of Operations, scheduled to 
be completed in April and July 2004, encountered unexpected problems 
that caused delays and could hinder their eventual completion.

* Security Policy and Project costs: The Concept of Operations does not 
address security policy and provides no plan for estimating project 
costs. For example, we asked program officials to provide documented 
cost information associated with the GIS component, and while we 
received some information, it was not sufficient to provide a clear 
indication of how much the GIS component would likely cost.[Footnote 
19]

Creating a plan that meets these requirements is essential to ensuring 
that the port security assessment GIS project can be successfully 
completed in the estimated timeframes with the resources that are 
available. The Coast Guard has already encountered problems caused by 
lack of a reliable project schedule and risk assessment. According to 
Coast Guard Officials, the Coast Guard is adding to an existing system 
rather than building a new one. Adding to an existing system, however, 
does not obviate the need for careful planning. Until the Coast Guard 
develops a project management plan that includes a schedule and 
milestones, it is at increased risk that the GIS component of its port 
security assessment program could be inadequately managed, resulting in 
schedule slippages and inaccurate costs estimates. In addition, without 
identifying and mitigating risks and security concerns, the project 
could encounter unexpected issues that would need to be addressed, 
resulting in additional schedule and cost problems.

Incomplete GIS Planning Places Usefulness of New Assessments at Greater 
Risk:

The Coast Guard has proceeded to carry out the revised assessments of 
individual ports with generally favorable results. The Coast Guard 
resumed its assessment program using the Version 3 assessment 
components in March 2004 and as of August 1, 2004, had completed on-
site assessments of 12 additional ports in 6 Captain of the Port 
zones.[Footnote 20] To provide an indication of the usefulness of these 
assessments, we spoke with the local Captain of the Port or other Coast 
Guard officials that participated in the assessment process at each of 
these zones. In general, all agreed that the assessments were of some 
usefulness. Two said that the assessments provided substantially new 
information that they did not previously have or consider. The other 
four found the completed assessment results useful by bringing an 
outside perspective to look at the port. They said the assessments were 
helpful in validating their previously completed assessments or the 
current awareness of the security posture within their ports.

The value of these assessments could be enhanced, we believe, if the 
Coast Guard addressed the key management practices we have already 
discussed in its approach for developing its GIS. By themselves, the 
current assessments have value to local Coast Guard officials mostly in 
supplementing or validating their knowledge. However, when used with 
the GIS, these assessments also have potential value in helping the 
officials "close the loop" on information they may lack. The three 
assessment components involve mainly data gathering and analysis, the 
results of which are to be fed into the GIS. Without the GIS to 
integrate and organize information gathered from these and other 
sources, those responsible for planning security cannot as easily 
identify the vulnerabilities in their ports and gaps in their awareness 
of the security posture within their ports that need to be addressed. 
At all of the six ports, the Captain of the Ports or other Coast Guard 
officials said the value of the three assessment components would be 
enhanced if used in conjunction with a GIS that would be better able to 
visually display the entire security posture of the port rather than 
having to review individual hard copy assessment reports as they are 
now published. However, the functional requirements need to be first 
defined in order to effectively integrate these assessment components 
into the GIS. Until this planning step is taken, the value of these 
assessments could fail to reach their full potential.

Planning Concerns for GIS Component Extends to Overall Management and 
Direction of the Program:

Finally, the uncertainty brought on by the lack of planning for the GIS 
component is reflected in a similar uncertainty for the Port Security 
Assessment Program as a whole. For the assessment components, future 
plans are unclear beyond fiscal year 2005. Once all assessment reports 
of the 55 strategic ports are completed--a task the Coast Guard expects 
to be done by February 2005--the Coast Guard currently expects the 
assessment of assessments component to be an ongoing effort that will 
be updated by Coast Guard personnel as new assessment information 
becomes available. It expects the special assessments and terrorist 
operations assessments to continue through fiscal year 2005 as ports 
previously assessed under earlier assessment approaches are revisited, 
but it has made no decision about continuing them beyond that time.

Beyond fiscal year 2005, the Coast Guard is currently considering two 
options for what to do with the special assessment and terrorist 
operations assessment components of the program. The options are (1) 
continuing the program at other ports beyond the initial 55 or (2) 
conducting some recurring assessment at the 55 ports. Our discussions 
with Captains of the Port and Coast Guard officials surfaced mixed 
views of the future need for the three assessment components. One 
Captain whose port had been assessed under the Version 3 approach said 
he would like the assessment team to return to his port within 2 years, 
in order to assess the security measures put in place after the 
completion of the last assessment. By contrast, Captains for two other 
ports said they did not think that the team needed to return unless the 
critical infrastructure in their ports changed dramatically. The Coast 
Guard official responsible for the program said that as of July 2004, 
discussions were underway between program officials, other Coast Guard 
teams, and DHS officials as to how the program should proceed in the 
future to best augment port security efforts. The outcome of these 
discussions and future funding provided to the program will largely 
determine the extent to which the three assessment components continue 
to be implemented as part of the program.

Although the GIS component will continue to be enhanced, its schedule 
for completion and implementation is uncertain. Thus, when the various 
program components--GIS and port assessments--are taken together, it is 
not clear what activities will be conducted over the longer term, who 
will do them, or how much they will cost.

Conclusions:

As the Coast Guard attempts to determine the future of the Port 
Security Assessment Program, it needs to ensure that the program 
provides maximum effectiveness to its main customers, Captains of the 
Port and Area Maritime Security Committees. The initial program had 
shortcomings that created a product of marginal value. The revised 
program has potential to be more useful because it intends to integrate 
all of the assessment information collected by the Coast Guard and 
other relevant security authorities and place this information in a 
GIS. However, the Coast Guard risks producing a system that is not as 
useful as it could be, because its approach lacks a defined management 
strategy, specific cost estimates, and a clear implementation schedule. 
Developing the program's GIS component in this way is of particular 
concern, given the problems that have resulted when other agencies used 
the same approach in attempting to develop their information technology 
systems. And without a clear development strategy for GIS, the 
usefulness of the three assessment components may also be limited, 
because local Coast Guard officials and Area Maritime Security 
Committees will be less able to use them to fill the remaining gaps in 
their awareness of the security posture within their ports. Getting 
this project right is important, because the prospect of a well 
functioning GIS has great appeal to many Coast Guard and other port 
stakeholders, who believe such a tool will be of considerable help in 
providing effective port security.

Recommendations for Executive Action:

To help ensure that the revised Port Security Assessment Program 
provides the most effective tool possible for security planning and 
response, we recommend that the Secretary of Homeland Security direct 
the Commandant of the Coast Guard to (1) define and document the GIS 
functional requirements and (2) develop a long-term project plan for 
the GIS and the Port Security Assessment Program as a whole (including 
cost estimates, schedule, and management responsibilities).

Agency Comments:

We provided a draft of this report to the Department of Homeland 
Security and the Coast Guard for their review and comment. The Coast 
Guard's Marine Safety, Security And Environmental Protection 
Directorate generally agreed with our recommendations, including the 
need to finalize data types and develop a detailed work plan for adding 
map layers. Coast Guard officials provided a number of technical 
clarifications, which we incorporated where appropriate to ensure the 
accuracy of our report.

The Coast Guard commented in detail on two aspects of our report:

* The Coast Guard said our report tended to overlook many of the 
program's significant achievements, particularly the value of the three 
assessment components. The Coast Guard emphasized the progress that it 
had made on tailoring assessments, completing them on schedule, and 
reducing their cost from more than $1 million per port to about 
$200,000 per port.

* The Coast Guard also said our characterization of its GIS made it 
appear that the Coast Guard was developing an entirely new information 
technology system. The Coast Guard emphasized that its GIS was part of 
an existing information technology system.

Regarding these concerns, we would make the following points:

* First, the amount of emphasis the report places on GIS reflects our 
review of Coast Guard documents and interviews with numerous local 
Coast Guard officials, which showed that when compared with the three 
assessment components, the GIS had the potential to provide 
substantially more value. The program's Concept of Operations contains 
multiple references to the critical and central role the GIS component 
will hold in providing a dynamic tool to its users (Captains of the 
Port and Area Maritime Security Committees) for port security planning 
and response. Further, the end users we talked with expressed near 
unanimous need for a dynamic GIS planning and response tool to increase 
maritime domain awareness.

* Second, we acknowledge that the Coast Guard's GIS is part of a pre-
existing information technology system. In our view, however, this is 
not the key point. The point is the need for GIS planning and 
functional requirements. When we assessed the Coast Guard's development 
efforts against established industry best practices for developing 
information technology systems, we found the Coast Guard's current 
efforts do not apply two key practices: defining what the GIS system 
should do and establishing plans sufficient to ensure that the 
functional requirements can be successfully realized. Our past work has 
shown that when other agencies tried to develop systems without these 
practices, problems resulted. In short, without adequate planning, we 
believe that the GIS--and with it, the Port Security Assessment 
Program--is at risk of foundering. Hence, the aim of our recommendation 
is to produce a more effective GIS tool for port security officials. If 
the Coast Guard does establish functional requirements and a clear 
strategy for its GIS, the system will more likely meet its potential, 
and port security officials will be more likely to use it effectively.

We are sending copies of this report to relevant congressional 
committees and subcommittees, the Secretary of Homeland Security, the 
Commandant of the Coast Guard, and other interested parties.

If you or your staffs have any questions about this report, please 
contact me at (415) 904-2200 or at wrightsonm@gao.gov or Steve Calvo, 
Assistant Director, at (206) 287-4800 or at calvos@gao.gov. Key 
contributors to this report are listed in appendix II. This report will 
also be available at no charge on the GAO Web site at http://
www.gao.gov.

Signed by: 

Margaret T. Wrightson:

Director, Homeland Security and Justice Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Our two objectives for this report were to (1) discuss why and how the 
Port Security Assessment Program has changed over time and (2) assess 
the Coast Guard's approach for implementing the Port Security 
Assessment Program as it is currently configured. 

To address why and how the assessment program changed, we reviewed 
Coast Guard documents, interviewed officials at Coast Guard 
headquarters responsible for implementing the program, and visited 
three ports that had been assessed under the previous program 
assessment approach. At these ports, we interviewed local Coast Guard 
personnel as well numerous stakeholders to determine their views about 
how the assessment process was carried out. These stakeholders 
included, for example, operators of container terminals, power plants, 
cruise ship terminals, port authorities, and chemical facilities. We 
also relied on our previous work related to the program.[Footnote 21] 
For background information on the role of the geographic information 
system (GIS) as a tool for planning and response, we identified city 
and state government agencies that have GIS's in place and talked with 
GIS managers and experts from these agencies. We also met with federal 
government GIS experts who had experience with implementing GIS within 
the federal environment. They included experts from the Federal 
Emergency Management Agency, Bureau of Customs and Border Patrol, and 
United States Geological Survey. Finally, we met with GIS experts at 
universities and elsewhere to further our understanding.

To assess the Coast Guard's approach for implementing the Port Security 
Assessment Program in its current form, we interviewed a variety of 
Coast Guard and other officials. For GIS, we interviewed the Coast 
Guard's GIS Program Manager and others to determine the progress made 
to date. For the assessment portion of the program, we interviewed 
Coast Guard officials from the six Captain of the Port zones that are 
responsible for the security of the 12 ports assessed under the most 
recent program approach. To establish criteria for assessing the 
program's current approach, we reviewed Coast Guard documents. We also 
reviewed information and documentation related to GIS applications and 
identified industry best practices for information systems acquisition 
and development to determine criteria for managing such a project. We 
reviewed documentation of the Coast Guard's efforts to modify its port 
security GIS to determine whether the progress made met the criteria we 
established. In conducting our assessment, we also relied upon our work 
on the development of major information technology systems throughout 
the federal government.[Footnote 22]

Our work, which was conducted from June 2003 through August 2004, was 
done in accordance with generally accepted government auditing 
standards.

[End of section]

Appendix II: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Margaret Wrightson (415) 904-2200 Steven Calvo (206) 287-4800:

Staff Acknowledgments:

In addition to those named above, Chuck Bausell, Jason Berman, 
Christopher Hatscher, Nicholas Larson, Elizabeth Roach, and Stan 
Stenersen made key contributions to this report.

FOOTNOTES

[1] There are a total of 361 ports in the United States.

[2] GAO, Maritime Security: Progress Made in Implementing Maritime 
Transportation Security Act, but Concerns Remain, GAO-03-1155T 
(Washington, D.C.: Sept. 9, 2003).

[3] In addition to conducting port vulnerability assessments of the 
ports identified as strategic commercial and military seaports, the 
contractor was to develop model port security guidelines and a port 
vulnerability self-assessment tool for ports that did not receive a 
port vulnerability assessment. We did not examine the development of 
these components of the Coast Guard's program.

[4] The Captain of the Port is a Coast Guard officer who provides 
direction to Coast Guard law enforcement activities within the general 
proximity of the zone in which assigned. Under the regulations 
implementing the Maritime Transportation Security Act of 2002, the 
Captain of the Port develops the Area Maritime Security Plan for his or 
her zone in consultation with the Area Maritime Security Committee that 
is comprised of members from federal, local, and state governments; law 
enforcement agencies; maritime industry and labor organizations; and 
other port stakeholders that may be affected by security policies. The 
Plan is to provide a communication and coordination framework for the 
port stakeholders and law enforcement officials to follow in addressing 
security vulnerabilities and responding to any incidents. Prior to the 
Maritime Transportation Security Act of 2002, this committee and plan 
were known generically as port security committees and port security 
plans.

[5] The original program goal, as stated in the Contract Request for 
Proposals and Statement of Work, was to complete assessments at the 55 
ports by March 2005. That goal was accelerated subsequent to contract 
award in an effort to complete assessments sooner.

[6] In addition to the assessments being performed under the Port 
Security Assessment Program, the Coast Guard considers five assessments 
conducted by the Defense Threat Reduction Agency (DTRA) as completed 
assessments for the purposes of meeting this deadline. DTRA is an 
agency within the Department of Defense. 

[7] These guidelines were contained in Navigation and Vessel Inspection 
Circulars (NVICs), an approach the Coast Guard uses to provide detailed 
guidance about enforcement or compliance with certain federal marine 
safety regulations and Coast Guard marine safety programs.

[8] For more information on these security plans and assessments 
requirements see GAO, Maritime Security: Substantial Work Remains to 
Translate New Planning Requirements into Effective Port Security, 
GAO-04-838 (Washington, D.C.: June 30, 2004). 

[9] These changes came out of a process improvement workshop the Coast 
Guard conducted for the assessment program in April 2003. Participants 
in this workshop included a Captain of the Port representative that had 
received an assessment of their port, a Captain of the Port who had not 
yet received an assessment of their port, DHS representatives, and 
other Coast Guard officials involved in port security.

[10] See GAO, Maritime Security: Progress Made in Implementing Maritime 
Transportation Security Act, but Concerns Remain, GAO-03-1155T 
(Washington, D.C.: Sept. 9, 2003).

[11] With the start of the new Version 3 assessment approach, the 
assessment program had $36 million in appropriated funds remaining. 
According to the program manager, this amount will be sufficient to 
complete the three non-GIS components at the ports yet to be assessed. 

[12] iMap can be used to collect information, merge it analytically, 
and provide it interactively to users.

[13] According to Coast Guard officials, a "beta"-or test-version was 
available by the end of August 2004 for the ports of Charleston, 
Boston, and New York/New Jersey, using the commercial GIS as the 
platform.

[14] See GAO, Land Management Systems: Progress and Risks in Developing 
BLM's Land and Mineral Record System, GAO/AIMD-95-180 (Washington, 
D.C.: Aug. 31, 1995); Land Management Systems: BLM Faces Risks in 
Completing the Automated Land and Mineral Record System, GAO/AIMD-97-42 
(Washington, D.C.: Mar. 19, 1997); Land Management Systems: Actions 
Needed in Completing the Automated Land and Mineral Record System 
Development, GAO/AIMD-98-107 (Washington, D.C.: May 15, 1998); and Land 
Management Systems: Major Software Development Does Not Meet BLM's 
Business Needs, GAO/AIMD-99-135 (Washington, D.C.: Apr. 30, 1999).

[15] Medicare Transaction System: Success Depends Upon Correcting 
Critical Managerial and Technical Weaknesses, GAO/AIMD-97-78 
(Washington, D.C.: May 16, 1997).

[16] Institute of Electrical and Electronics Engineers/Electronic 
Industries Alliance, IEEE/EIA Guide for Information Technology (IEEE/
EIA 12207.1 - 1997), April 1998. The Institute and Alliance developed 
this guidance to provide a common framework for developing and managing 
software. IEEE standards are developed within the IEEE Societies and 
the Standards Coordinating Committees of the IEEE Standards Board. The 
standards developed within IEEE represent a consensus of the broad 
expertise on the subject within the Institute as well as those outside 
of IEEE that have expressed an interest in participating in the 
development of the standard. The Alliance is a national trade 
organization whose mission is promoting the market development and 
competitiveness of the U.S. high-tech industry through domestic and 
international policy efforts.

[17] Institute of Electrical and Electronics Engineers/Electronic 
Industries Alliance, IEEE/EIA Guide for Information Technology (IEEE/
EIA 12207.1 - 1997), April 1998. 

[18] A concept of operations is a statement, in broad outline, of a 
commander's assumptions or intent in regard to an operation or series 
of operations. The concept is designed to give an overall picture of 
the operation and provide additional clarity of purpose. This written 
Concept of Operations was dated February 2, 2004.

[19] The Coast Guard indicated to us that for fiscal years 2005-2007, 
expected program costs for the Port Assessment Program as a whole will 
total about $30.8 million. Of this amount, $5.4 million is for the GIS 
component. For fiscal year 2004, the Coast Guard indicated that $1.5 
million was supplied towards the development of its own GIS and that an 
estimated $900,000 will be spent for the use of the commercial GIS that 
the Coast Guard is using on an interim basis. The Coast Guard projected 
costs for continued development and implementation of the GIS for 
fiscal years 2005 to 2007 to total $3 million. However, the 
documentation we received lacks sufficient detail to indicate whether 
these amounts are all that will be spent, and the information the Coast 
Guard supplied is silent on any costs beyond fiscal year 2007. 

[20] There are a total of 45 Captains of the Port zones nationwide. 
These zones may contain more than one port depending on how their 
geographic boundaries are defined.

[21] See GAO, Maritime Security: Progress Made in Implementing Maritime 
Transportation Security Act, but Concerns Remain, GAO-03-1155T 
(Washington, D.C.: Sept. 9, 2003).

[22] See GAO, Land Management Systems: Progress and Risks in Developing 
BLM's Land and Mineral Record System, GAO/AIMD-95-180 (Washington, 
D.C.: Aug. 31, 1995); Land Management Systems: BLM Faces Risks in 
Completing the Automated Land and Mineral Record System, GAO-AIMD-97-42 
(Washington, D.C.: Mar. 19, 1997); Land Management Systems: Actions 
Needed in Completing the Automated Land and Mineral Record System 
Development, GAO-AIMD-98-107 (Washington, D.C.: May 15, 1998); Land 
Management Systems: Major Software Development Does Not Meet BLM's 
Business Needs, GAO-AIMD-99-135 (Washington, D.C.: Apr. 30, 1999); and 
Medicare Transaction System: Success Depends Upon Correcting Critical 
Managerial and Technical Weaknesses, GAO/AIMD-97-78 (Washington, D.C.: 
May 16, 1997).

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

	

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: