Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains

GAO-08-456T February 28, 2008

Summary

Transportation Security Administration (TSA) funding for aviation security has totaled about $26 billion since fiscal year 2004. This testimony focuses on TSA's efforts to secure the commercial aviation system through passenger screening, air cargo, and watch-list matching programs, and challenges remaining in these areas. GAO's comments are based on GAO products issued between February 2004 and April 2007, including selected updates in February 2008. This testimony also addresses TSA's progress in developing the Secure Flight program, based on work conducted from August 2007 to January 2008. To conduct this work, GAO reviewed systems development, privacy, and other documentation, and interviewed Department of Homeland Security (DHS), TSA, and contractor officials.

DHS and TSA have undertaken numerous initiatives to strengthen the security of the nation's commercial aviation system, including actions to address many recommendations made by GAO. TSA has focused its efforts on, among other things, more efficiently allocating, deploying, and managing the Transportation Security Officer (TSO) workforce--formerly known as screeners; strengthening screening procedures; developing and deploying more effective and efficient screening technologies; strengthening domestic air cargo security; and developing a government operated watch-list matching program, known as Secure Flight. Specifically, TSA developed and implemented a Staffing Allocation Model to determine TSO staffing levels at airports that reflect current operating conditions, and proposed and implemented modifications to passenger checkpoint screening procedures based on risk information. However, GAO reported that some assumptions in TSA's Staffing Allocation Model did not accurately reflect airport operating conditions, and that TSA could improve its process for evaluating the effectiveness of proposed procedural changes. In response, TSA developed a plan to review Staffing Allocation Model assumptions and took steps to strengthen its evaluation of proposed procedural changes. TSA has also explored new passenger checkpoint screening technologies to better detect explosives and other threats and has taken steps to strengthen air cargo security, including conducting vulnerability assessments at airports and compliance inspections of air carriers. However, TSA has not developed an inspection plan that included performance goals and measures to determine whether air carriers transporting cargo into the United States were complying with security requirements. In response to GAO's recommendations, TSA has since established a working group to strengthen its compliance activities. 
Finally, TSA has instilled more discipline and rigor into Secure Flight's systems development, including preparing key documentation and strengthening privacy protections. While these efforts should be commended, GAO has identified several areas that should be addressed to further strengthen aviation security. For example, TSA has made limited progress in developing and deploying checkpoint technologies due to planning and management challenges. Further, TSA continues to face some program management challenges in developing Secure Flight. Specifically, TSA has not (1) developed program cost and schedule estimates consistent with best practices; (2) fully implemented its risk management plan; (3) planned for system end-to-end testing in test plans; and (4) ensured that information security requirements are fully implemented. If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. DHS and TSA lack performance measures to fully evaluate the effectiveness of current processes for passengers who apply for redress due to inconveniences experienced during the check-in and screening process. Without such measures, DHS and TSA lack a sound basis to monitor the effectiveness of the redress process.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Stephen M. Lord
Team: Government Accountability Office: Homeland Security and Justice
Phone: No phone on record


Recommendations for Executive Action


Recommendation: To assist TSA in further strengthening the development and implementation of the Secure Flight program, the Secretary of Homeland Security should direct the Assistant Secretary of the Transportation Security Administration to fully incorporate best practices into the development of Secure Flight life-cycle cost and schedule estimates, to include: (1) updating life-cycle cost and schedule estimates; (2) demonstrating that the Secure Flight schedule has the logic in place to identify the critical path, integrates lower level activities in a logical manner, and identifies the level of confidence in meeting the desired end date; and (3) developing and implementing a plan for managing and mitigating cost and schedule risks, including performing a schedule risk analysis and a cost and schedule risk assessment.

Agency Affected: Department of Homeland Security

Status: Open

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not fully followed best practices that would ensure reliable and valid cost and schedule estimates, and the program schedule had experienced slippages. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. Specifically related to our February 2008 recommendation, TSA provided us a plan of action, dated April 2009, that details the steps the Secure Flight program management office intends to carry out to address the weaknesses that we identified in the program's cost and schedule estimates and ensure that the development of these estimates is done in accordance with best practices. With regard to the program's cost estimate, TSA's plan has established a timeline of activities that should result in (1) a more detailed work breakdown structure that would define the work necessary to accomplish the program's objectives; (2) the program cost estimate and schedule work breakdown structures being aligned properly; (3) an independent cost estimate performed by a contractor; (4) an assessment of the life-cycle cost estimate by the Department of Homeland Security Cost Analysis Division; and (5) cost uncertainty and sensitivity analyses. With regard to the Secure Flight program's schedule, TSA's plan of action has established a timeline of activities that should result in (1) a sequenced and logical schedule that will accurately calculate float time and a critical path; (2) a fully resource-loaded schedule based on subject-matter-expert opinion that does not overburden resources; (3) a schedule that includes realistic activity duration estimates; and (4) a schedule risk analysis that will be used by TSA leadership to distribute reserves to high-risk activities. 
According to TSA, this revised schedule will forecast the completion date for the project. In addition, TSA's plan has estimated government costs that were originally missing from its cost estimate. According to TSA, these costs will be addressed in its life-cycle cost estimate documentation. TSA officials stated that the plan should be completed by October 2009.

Recommendation: To assist TSA in further strengthening the development and implementation of the Secure Flight program, the Secretary of Homeland Security should direct the Assistant Secretary of the Transportation Security Administration to fully implement the provisions in the program's risk management plan to include developing an inventory of risks with prioritization and mitigation strategies, report the status of risks and progress to management, and maintain documentation of these efforts.

Agency Affected: Department of Homeland Security

Status: Open

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not yet provided us with evidence that it had implemented all aspects of the Secure Flight risk management plan, including developing an inventory of risks and related information to demonstrate that its risk management tool had been populated and was being used to identify, prioritize, mitigate, and monitor risk. Since the time of our review, TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing our February 2008 recommendation. Specifically, in June 2008, the Department of Homeland Security (DHS) reported that the risk management practices being employed in the development of Secure Flight had been enhanced. For example, the Secure Flight program risk management board (established in December 2007), documented the risk management process and developed and provided updated training for identifying, reporting, and managing risks to the Secure Flight management team. The risk management board subsequently has updated and consolidated an inventory of all program risks, including ranking and mitigation strategies. TSA provided a copy of the July 2008 Secure Flight program risk inventory to GAO.

Recommendation: To assist TSA in further strengthening the development and implementation of the Secure Flight program, the Secretary of Homeland Security should direct the Assistant Secretary of the Transportation Security Administration to finalize and approve Secure Flight's end-to-end testing strategy, and incorporate end-to-end testing requirements in other relevant test plans, to include the test and evaluation master plan. The strategy and plans should contain provisions for: (1) testing that ensures that the interrelated systems that collectively support Secure Flight will interoperate as intended in an operational environment; and (2) defining and setting dates for key milestone activities and identifying who is responsible for completing each of those milestones and when.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not fully outlined its plans for end-to-end testing in its overall test and evaluation plan, or other test plans. Secure Flight's test and evaluation master plan only outlined plans for partner organizational entities to test their respective parts of the system on their own (e.g., Customs and Border Protection for integration of international watch-list functions), rather than a coordinated end-to-end testing involving all parties. TSA had developed a preliminary working draft of an end-to-end testing strategy, called the parallel testing strategy. However, the plan did not contain provisions for (1) testing that ensured that supporting systems will operate as intended in an operational environment, (2) definitions and dates for key milestone activities and parties responsible for completing them, or (3) the revision of other test plans, such as the test and evaluation master plan, to reflect the performance of end-to-end tests. Since the time of our review, we found that TSA has made significant progress in implementing our February 2008 recommendation. Specifically, in May 2008, TSA provided GAO with a copy of the Secure Flight Test and Evaluation Master Plan, which contained TSA's plans for end-to-end testing. In July 2008, TSA provided its Parallel Test Strategy and Parallel Test Module plans to GAO, which also contained TSA's plans for end-to-end testing.

Recommendation: Regarding information security for the Secure Flight Program, the Secretary of Homeland Security should direct the TSA Chief Information Officer to coordinate with Secure Flight program officials to ensure security requirements are tested and implemented.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not adequately completed steps to ensure that Secure Flight security requirements were tested. For example, security requirements planned for the Secure Flight program's Release 1 did not always trace to test activities for this release. Program officials stated that some security requirements were deferred until future releases due to delays in funding for acquiring specific hardware, and other requirements required coordination with the information security official to verify whether they would be tested as part of security test and evaluation. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Statutory Conditions 5 and 6 which required TSA to build in sufficient operational safeguards to reduce opportunities for abuse and to ensure substantial security measures are in place to protect the Secure Flight system from unauthorized abuse by hackers and other intruders) and conditionally achieved 1 condition. Specifically, related to our prior recommendation, in June 2008, the Department of Homeland Security (DHS) reported that TSA's Chief Information Officer (CIO) would provide continuous monitoring of the Secure Flight system to ensure that the system remains in compliance with Federal Information Security Management Act requirements, as outlined by DHS. DHS noted that certification and accreditation serves as a living process and the CIO would validate the Secure Flight system by performing Security Testing and Evaluation and periodic auditing activities. 
In May 2009, GAO reported that TSA had performed several key security steps for the Secure Flight program's Release 1, including testing and evaluating security controls for the Secure Flight system and incorporating identified weaknesses in remedial action plans. Further, GAO reported that TSA had completed security testing for Release 3, the version of Secure Flight that was placed into production. GAO concluded that TSA had generally achieved the Secure Flight's statutory requirements related to systems information security.

Recommendation: Regarding information security for the Secure Flight Program, the Secretary of Homeland Security should direct the TSA Chief Information Officer to maintain and update security documentation to align with the current or planned Secure Flight computing environment, including interconnection agreements, in support of certification and accreditation activities.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not adequately completed steps pertaining to preparing Secure Flight program security documentation and that the documentation contained incorrect or incomplete information. For example, the systems security plan did not identify all interconnecting systems that Secure Flight would interface with, such as those operated by the Department of Homeland Security (DHS) Watch-List Service, the organization that will transmit the watch-list to Secure Flight. According to Secure Flight program officials, the security documentation was outdated or incorrect because there was insufficient time to update the documentation for changes in the computing environment and security requirements. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Statutory Conditions 5 and 6 which required TSA to build in sufficient operational safeguards to reduce the opportunities for abuse and to ensure substantial security measures are in place to protect the Secure Flight system from unauthorized access by hackers and other intruders) and conditionally achieved 1 condition. Specifically related to our February 2008 recommendation, in June 2008, DHS reported that TSA's Chief Information Officer (CIO) would ensure that the Secure Flight security documentation is in alignment with the operational Secure Flight system. 
DHS stated that the Secure Flight Operations and Maintenance team would maintain Certification and Accreditation as outlined by DHS, ensuring that the Secure Flight system complies with all required security controls, as outlined in National Institute of Standards and Technology Special Publication 800-53. DHS also stated that the Secure Flight Operations and Maintenance team, working with the Secure Flight Information Systems Security Officer, will maintain and update system and program documentation to ensure alignment with current and future Secure Flight computing environments. In August 2008, TSA and U.S. Customs and Border Protection (CBP) signed a formal interconnection security agreement establishing individual and organizational security responsibilities for the protection and handling of unclassified information between the DHS Router operated by CBP and TSA's Secure Flight program. In May 2009, GAO reported that TSA had completed several key security steps for the Secure Flight program's Release 1, including preparing security documentation such as a system security plan and loading security requirements into the developer's security management tool. Further, GAO reported that TSA had updated security documents for Release 3, the version of Secure Flight that was placed into production. GAO concluded that TSA had generally achieved the Secure Flight program's statutory requirements related to systems information security.

Recommendation: Regarding information security for the Secure Flight Program, the Secretary of Homeland Security should direct the TSA Chief Information Officer to correct identified high and moderate risk vulnerabilities, as addressed in remedial action plans, and assess changes to the computing environment to determine whether re-accreditation of the system is warranted.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not adequately completed steps pertaining to conducting certification and accreditation activities. We reported that Secure Flight program officials granted an authorization to operate, although the Secure Flight system had 46 known vulnerabilities, including 11 high-risk and 27 moderate-risk vulnerabilities and the controls had not yet been implemented. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Conditions 5 and 6 which required TSA to build in sufficient operational safeguards to reduce the opportunities for abuse, and to ensure substantial security measures are in place to protect the Secure Flight system from unauthorized access by hackers and other intruders) and conditionally achieved 1 condition. Specifically, related to our February 2008 recommendation, in June 2008, the Department of Homeland Security (DHS) reported that the TSA Chief Information Officer (CIO) would work with the Secure Flight team to remediate the identified low, moderate, and high-risk vulnerabilities identified by the IT Security Branch and make informed decisions on when the Secure Flight system needed to be re-accredited. DHS stated that the Secure Flight team would ensure that all high, moderate, and low-risk vulnerabilities would be addressed as identified in the Plan of Action and Milestones associated with each vulnerability. DHS stated that all audit findings would be tracked in the Trusted Agent Federal Information Security Act (FISMA) Tool and the Secure Flight case management system to ensure that all findings would be addressed and properly traced through execution and closure. 
DHS also stated that the Secure Flight Information Systems Security Officer would perform random assessments and periodic review of the Secure Flight environment to ensure that the Secure Flight system is being maintained in accordance with DHS guidelines and FISMA requirements. In May 2009, GAO reported that TSA had performed several key security steps for the Secure Flight program's Release 1, including conducting certification and accreditation activities. Further, GAO reported that TSA had mitigated the high- and moderate-risk vulnerabilities related to Release 1 and 60 high- and moderate-risk vulnerabilities associated with Release 3, the version of Secure Flight that was placed into production. GAO concluded that TSA had generally achieved the Secure Flight program's statutory requirements related to systems information security.

Recommendation: Finally, to ensure that DHS is able to fully assess the effectiveness of the current redress process for passengers who may have been misidentified during the watch-list matching process, the Secretary of Homeland Security and the Assistant Secretary of the Transportation Security Administration should re-evaluate redress performance measures and consider creating and implementing additional measures that, consistent with best practices, demonstrate results, cover multiple priorities, and provide useful information for decision making. These measures should further address all program goals, to include the accuracy of the redress process.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: In February 2008, we reported that the Transportation Security Administration (TSA) had not developed a complete set of performance measures to assess the effectiveness of the redress process for passengers inconvenienced as a result of watch-list matching. At that time, we also noted that the Department of Homeland Security (DHS) and TSA were developing additional measures for the redress process that they planned to implement once the Secure Flight passenger prescreening system became operational. In May 2009, we reported that TSA had developed performance measures to monitor the timeliness and accuracy of the Secure Flight redress process to be introduced once Secure Flight became operational. These measures include the percent of individuals who submit a redress number who are automatically cleared and the time it takes to process a redress request. Further, in May 2009, we reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Statutory Condition 1 which required that a system of due process exist whereby aviation passengers determined to pose a threat who are either delayed or prohibited from boarding their scheduled flights by TSA may appeal such decisions and correct erroneous information contained in the Secure Flight program). Our conclusion that TSA had generally achieved Statutory Condition 1 (Redress) was based, in part, on our review of the additional performance measures for the Secure Flight redress process as well as other actions taken by TSA and DHS to address our recommendation that they consider creating and implementing additional measures for the current redress process. 
Specifically, in June 2008, DHS reported that it sent participants from its Traveler Redress Inquiry Program (TRIP) to participate in the first meeting of the Redress Timeliness Working Group at the Terrorist Screening in March 2008 to address timeliness issues related to the redress process. DHS also established a Redress Request Assurance Review process to improve the accuracy of redress request intake and processing. The data collected from this review process will provide for an appropriate metric for quality assurance and accuracy. Also, TSA's Office of Transportation Security Redress was working with a case management application contractor to develop a new case management system for TRIP. According to DHS, this system will provide reporting features for tracking performance measures, including a new measure to assess the accuracy of the redress process.

