TSA Is Enhancing Its Oversight of Air Carrier Efforts to Screen Passengers against Terrorist Watch-List Records, but Expects Ultimate Solution to Be Implementation of Secure Flight
GAO-08-1136T, Sep 9, 2008
Domestic air carriers are responsible for checking passenger names against terrorist watch-list records to identify persons who should be denied boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). The Transportation Security Administration (TSA) is to assume this function through its Secure Flight program. However, due to program delays, air carriers retain this role. This testimony discusses (1) TSA's requirements for domestic air carriers to conduct watch-list matching, (2) the extent to which TSA has assessed compliance with watch-list matching requirements, and (3) TSA's progress in developing Secure Flight. This statement is based on GAO's report on air carrier watch-list matching (GAO-08-992) being released today and GAO's previous and ongoing reviews of Secure Flight. In conducting this work, GAO reviewed TSA security directives and TSA inspections guidance and results, and interviewed officials from 14 of 95 domestic air carriers.
TSA's requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar-name variations were to be considered. Thus, in interviews with 14 air carriers, GAO found inconsistent approaches to conducting similar-name matching, and not every air carrier reported conducting similar-name comparisons. In January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Thus, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching and reported that it planned to similarly revise the Selectee List security directive. While recognizing that the new baseline capability will not address all vulnerabilities, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watch-list matching and is a good interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA evaluated the capability of air carriers to identify names that were identical--but not similar--to those in terrorist watch-list records. Also, TSA's internal guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in only 61 of the 1,145 watch-list-related inspections that GAO reviewed. During the course of GAO's review, and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight efforts, it is too early to determine the extent to which TSA will provide oversight of air carriers' compliance with the revised security directives. In February 2008, GAO reported that TSA has made progress in developing Secure Flight but that challenges remained, including the need to more effectively manage risk and develop more robust cost and schedule estimates (GAO-08-456T). If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. TSA plans to begin assuming watch-list matching from air carriers in January 2009.