Skip to main content

Transportation Worker Identification Credential: Progress Made in Enrolling Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers

GAO-10-43 Published: Nov 18, 2009. Publicly Released: Dec 10, 2009.
Jump To:
Skip to Highlights

Highlights

The Transportation Worker Identification Credential (TWIC) program, which is managed by the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) and the U.S. Coast Guard, requires maritime workers who access secure areas of transportation facilities to obtain a biometric identification card to access these facilities. A federal regulation set a national compliance deadline of April 15, 2009. TSA is conducting a pilot program to test the use of TWICs with biometric card readers in part to inform the development of a second TWIC regulation. The Government Accountability Office (GAO) was asked to evaluate TSA's and the Coast Guard's progress and related challenges in implementing TWIC, and to evaluate the management challenges, if any, TSA, Coast Guard, and DHS face in executing the TWIC pilot test. GAO reviewed TWIC enrollment and implementation documents and conducted site visits or interviewed officials at the seven pilot program sites.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Transportation Security Administration To minimize the effects of any potential losses resulting from TWIC system failures, and to ensure that adequate processes and capabilities are in place to minimize the effects of TWIC system interruptions, the Assistant Secretary for the Transportation Security Administration should direct the TWIC program office to develop an information technology contingency plan for TWIC systems, including the development and implementation of a disaster recovery plan and supporting systems, as required, as soon as possible.
Closed – Implemented
We found that although the Transportation Security Administration (TSA), Coast Guard, and the maritime industry had enrolled over 93 percent of Transportation Worker Identification Credential (TWIC) users by the compliance deadline, TWIC system failures, including a power failure at a facility that processes TWIC data, caused delays in issuing TWICs to some workers. We recommended that TSA develop a contingency plan for TWIC information technology systems, including the development and implementation of a disaster recovery plan and supporting systems. In March 2014, TSA reported that TWIC-related data and system capabilities are to be transferred to the TTAC Infrastructure Modernization (TIM) system by June 2014. Further, legacy TWIC systems are to be retired by July 2014. At that time, the continuity of operations site and disaster recovery capabilities, as described in the TIM contingency plan, will be covered under the TIM system. This addresses the intent of GAO's recommendation.
Transportation Security Administration To help ensure that the TWIC pilot schedule can be reliably used to guide the pilot and identify the pilot's completion date, the Assistant Secretary for the Transportation Security Administration should direct the TWIC program office, in concert with pilot participants to fully incorporate best practices for program scheduling in the pilot schedule to help ensure that (1) all pilot activities are captured; (2) sufficient resources are assigned to all activities; (3) the duration of all activities are established and agreed upon by all stakeholders; (4) a schedule risk analysis is conducted to determine a level of confidence in meeting the planned completion date and impact of not achieving planned activities within scheduled deadlines; and (5) the schedule is correctly updated on a periodic basis.
Closed – Not Implemented
We found that weaknesses in the Transportation Security Administration?s (TSA) scheduling practices, such as not including all pilot activities or establishing the duration of activities, could hinder the usefulness of the pilot?s schedule as a management tool and the ability to obtain a clear insight into each phase of the pilot assessment. As a result, we recommended that TSA fully incorporate best practices, such as ensuring that it captures all pilot activities and assigns sufficient resources, into the pilot schedule. In response, the Department of Homeland Security (DHS) said in March 2010 that the current Transportation Worker Identification Credential (TWIC) reader pilot schedule has implemented best practices and is tailored to specifically meet the management requirements relative to the complex and unique constraints of the pilot program. While TSA made improvements to the TWIC pilot schedule, TSA did not fully implemented the practices that we recommended and the schedule remained unreliable for managing stakeholder participation and projecting the pilot's completion date. According to TSA, the pilot was completed on May 31, 2011. A report on the findings of the pilot was to be issued by April 2010. However, as of November 2011, the report remains to be issued.
Department of Homeland Security To ensure that the information needed to assess the technical, business, and operational impacts of deploying TWIC biometric card readers at Maritime Transportation Security Act (MTSA)-regulated facilities and vessels is acquired prior to the development of the card reader rule, the Assistant Secretary for the Transportation Security Administration and Commandant of the U.S. Coast Guard should direct their respective TWIC program offices to develop an evaluation plan to guide the remainder of the pilot that includes performance standards, a clearly articulated evaluation methodology--including the unit of analysis and criteria--and a data analysis plan.
Closed – Not Implemented
We reported that the Transportation Security Administration (TSA) and Coast Guard had not developed an evaluation plan that fully identified the scope of the pilot and specified how information from the pilot would be analyzed. This shortfall partly hindered their efforts to ensure that the pilot is broadly representative of deployment conditions and will yield the information needed. We recommended that TSA and Coast Guard develop an evaluation plan to guide the remainder of the pilot that includes performance standards, a clearly articulated evaluation methodology, and a data analysis plan. However, as we reported in May 2013, while TSA developed a data analysis plan, TSA and USCG reported that they did not develop an evaluation plan with an evaluation methodology or performance standards, as we recommended. The data analysis plan was a positive step because it identified specific data elements to be captured from the pilot for comparison across pilot sites. If accurate data had been collected, adherence to the data analysis plan could have helped yield valid results. However, TSA and the independent test agent did not utilize the data analysis plan. According to officials from the independent test agent, they started to use the data analysis plan but stopped using the plan because they were experiencing difficulty in collecting the required data and TSA directed them to change the reporting approach. TSA officials stated that they directed the independent test agent to change its collection and reporting approach because of TSA's inability to require or control data collection to the extent required to execute the data analysis plan. We are therefore closing this recommendation as not implemented.
Department of Homeland Security To ensure that the information needed to assess the technical, business, and operational impacts of deploying TWIC biometric card readers at MTSA-regulated facilities and vessels is acquired prior to the development of the card reader rule, the Assistant Secretary for the Transportation Security Administration and Commandant of the U.S. Coast Guard should direct their respective TWIC program offices to identify how they will compensate for areas where the TWIC reader pilot will not provide the necessary information needed to report to Congress and implement the card reader rule. The information to collected and approach for obtaining and evaluating information obtained through this effort should be documented as part of an evaluation plan. At a minimum, areas for further review include the potential requirements identified in the TWIC Reader Advanced Notice of Proposed Rulemaking but not addressed by the pilot. Sources of information to consider include investigating the possibility of using information resulting from the deployment of TWIC readers at non-pilot port facilities to help inform the development of the card reader rule.
Closed – Not Implemented
We reported that the Transportation Worker Identification Credential (TWIC) reader pilot was to, among other things, test the technology, business processes, and operational impacts required to deploy card readers at secure areas of the marine transportation system. However, we found that the Transportation Security Administration (TSA) had not developed a detailed evaluation plan to describe how the collected data was to be used to track the program's performance and evaluate the effectiveness of using TWIC with biometric card readers. We recommended that that TSA and Coast Guard identify how they will compensate for areas where the TWIC reader pilot will not provide the necessary information needed to report to Congress and implement the card reader rule. In April 2013, Coast Guard further reported that it augmented TWIC pilot data by conducting additional studies regarding physical access control systems and congestion delays, as well as other analyses, which it used to complete the TWIC reader Notice of Proposed Rulemaking published in March of 2013. As we reported in May 2013, the studies did not compensate for all of the challenges we identified in our November 2009 report. We are therefore closing this recommendation as not implemented.

Full Report

Office of Public Affairs

Topics

Best practicesBiometric identificationBiometricsData collectionDisaster recovery plansDocumentationFederal regulationsHomeland securityIdentification cardsInformation resources managementLessons learnedMaritime securityPerformance measuresPort securityProgram evaluationProgram managementRequirements definitionSchedule slippagesSecurity assessmentsStrategic information systems planningTransportation industryTransportation securityTransportation workersComplianceProgram implementation