Summary
Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives.
TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA's threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials' associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
Stephen M. Lord
Government Accountability Office: Homeland Security and Justice
(202) 512-4379
Recommendations for Executive Action
Recommendation: To promote the effective use of risk management at TSA, and to help provide assurances that resources are allocated to the highest priority risks across the transportation sector, the the Assistant Secretary of TSA should better ensure that its risk management approach includes (1) adopting security goals that define specific outcomes, conditions, end points, and performance targets; and (2) conducting comprehensive risk assessments for the transportation sector that meet the NIPP criteria and combine individual assessments of threat, vulnerability, and consequence and analyzing these assessments to produce a comparative analysis of risk across the entire transportation sector to guide current and future investment decisions.
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To promote the effective use of risk management at TSA, the Assistant Secretary of TSA should establish an approach for gathering data on state and private sector security partners' investments in transportation security
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To promote the effective use of risk management at TSA, the Assistant Secretary of TSA should establish a plan and milestones for conducting risk assessments for the transportation sector that identify the scope of the assessments and resource requirements for completing them.
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To promote the effective use of risk management at TSA, the Assistant Secretary of TSA should work with DHS to validate its risk management approach by establishing a plan and time frame for assessing the appropriateness of TSA's intelligence-driven risk management approach for managing risk at TSA and document the results of this review once completed.
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To promote the effective use of risk management at TSA, the Assistant Secretary of TSA should work with the Director of National Intelligence to determine the best approach for assigning uncertainty or confidence levels to analytic intelligence products and apply this approach to intelligence products.
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To promote the effective use of risk management at TSA, the Assistant Secretary of TSA should establish internal controls, including (1) a focal point and clearly defined roles and responsibilities for ensuring the risk management framework is implemented; (2) policies, procedures, and guidance that require the implementation of its framework and completion of related work activities; and (3) a system to monitor and improve how effectively the framework is being implemented.
Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
