Transportation Worker Identification Credential:

Progress Made in Enrolling Workers and Activating Credentials but Evaluation Plan Needed to Help Inform the Implementation of Card Readers

GAO-10-43: Published: Nov 18, 2009. Publicly Released: Dec 10, 2009.

Additional Materials:

Contact:

Stephen M. Lord
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Transportation Worker Identification Credential (TWIC) program, which is managed by the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) and the U.S. Coast Guard, requires maritime workers who access secure areas of transportation facilities to obtain a biometric identification card to access these facilities. A federal regulation set a national compliance deadline of April 15, 2009. TSA is conducting a pilot program to test the use of TWICs with biometric card readers in part to inform the development of a second TWIC regulation. The Government Accountability Office (GAO) was asked to evaluate TSA's and the Coast Guard's progress and related challenges in implementing TWIC, and to evaluate the management challenges, if any, TSA, Coast Guard, and DHS face in executing the TWIC pilot test. GAO reviewed TWIC enrollment and implementation documents and conducted site visits or interviewed officials at the seven pilot program sites.

TSA, Coast Guard, and the maritime industry took a number of steps to enroll 1,121,461 workers in the TWIC program, or over 93 percent of the estimated 1.2 million users, by the April 15, 2009, national compliance deadline, but experienced challenges that resulted in delays. TSA and the Coast Guard implemented a staggered compliance approach whereby each of 42 regions impacted by TWIC were required to meet TWIC compliance prior to the national compliance date. Further, based on lessons learned from its early experiences with enrollment and activation, and to prepare for an expected surge in TWIC enrollments and activations as compliance dates approached, TSA and its contractor increased the number of stations available for TWIC enrollment and activation. While 93 percent of users were enrolled in TWIC by the compliance date, TSA data shows that some workers experienced delays in receiving TWICs. Among reasons for the delays, a power failure in October 2008 occurred at the government facility that processes TWIC data. The power failure resulted in credential activations being halted until late November 2008, and the inability to set new personal identification numbers (PIN) on 410,000 TWICs issued prior to the power failure. While TSA officials stated that they are taking steps to develop a disaster recovery plan by next year and a system to support disaster recovery by 2012, until such a plan and system(s) are put in place, TWIC systems remain vulnerable to similar disasters. While the full cost of this power failure is unknown, based on TSA provided figures, it could cost the government and industry up to approximately $26 million to replace all affected TWIC cards. While TSA has made progress in incorporating management best practices to execute the TWIC pilot, TSA faces two management challenges in ensuring the successful execution of the pilot test aimed at informing Congress and the development of the second TWIC regulation. First, TSA has faced challenges in using the TWIC pilot schedule to guide the pilot and accurately identify the pilot's completion date. TSA has improved its scheduling practices in executing the pilot, but weaknesses remain, such as not capturing all pilot activities in the schedule, that may adversely impact the schedule's usefulness as a management tool and for communicating with pilot participants in the maritime industry. Second, shortfalls in TWIC pilot planning have hindered TSA and Coast Guard's efforts to ensure that the pilot is broadly representative of deployment conditions and will yield the information needed--such as information on the operational impacts of deploying biometric card readers and their costs--to accurately inform Congress and the second rule. This is in part because these agencies have not developed an evaluation plan that fully identifies the scope of the pilot and specifies how the information from the pilot will be analyzed. The current evaluation plans describe data collection methods but do not identify the evaluation criteria and methodology to be used in analyzing the pilot data once collected. A well-developed, sound evaluation plan would help TSA and the Coast Guard determine how the data are to be analyzed to measure the project's performance.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We found that although the Transportation Security Administration (TSA), Coast Guard, and the maritime industry had enrolled over 93 percent of Transportation Worker Identification Credential (TWIC) users by the compliance deadline, TWIC system failures, including a power failure at a facility that processes TWIC data, caused delays in issuing TWICs to some workers. We recommended that TSA develop a contingency plan for TWIC information technology systems, including the development and implementation of a disaster recovery plan and supporting systems. In March 2014, TSA reported that TWIC-related data and system capabilities are to be transferred to the TTAC Infrastructure Modernization (TIM) system by June 2014. Further, legacy TWIC systems are to be retired by July 2014. At that time, the continuity of operations site and disaster recovery capabilities, as described in the TIM contingency plan, will be covered under the TIM system. This addresses the intent of GAO's recommendation.

    Recommendation: To minimize the effects of any potential losses resulting from TWIC system failures, and to ensure that adequate processes and capabilities are in place to minimize the effects of TWIC system interruptions, the Assistant Secretary for the Transportation Security Administration should direct the TWIC program office to develop an information technology contingency plan for TWIC systems, including the development and implementation of a disaster recovery plan and supporting systems, as required, as soon as possible.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  2. Status: Closed - Not Implemented

    Comments: We found that weaknesses in the Transportation Security Administration?s (TSA) scheduling practices, such as not including all pilot activities or establishing the duration of activities, could hinder the usefulness of the pilot?s schedule as a management tool and the ability to obtain a clear insight into each phase of the pilot assessment. As a result, we recommended that TSA fully incorporate best practices, such as ensuring that it captures all pilot activities and assigns sufficient resources, into the pilot schedule. In response, the Department of Homeland Security (DHS) said in March 2010 that the current Transportation Worker Identification Credential (TWIC) reader pilot schedule has implemented best practices and is tailored to specifically meet the management requirements relative to the complex and unique constraints of the pilot program. While TSA made improvements to the TWIC pilot schedule, TSA did not fully implemented the practices that we recommended and the schedule remained unreliable for managing stakeholder participation and projecting the pilot's completion date. According to TSA, the pilot was completed on May 31, 2011. A report on the findings of the pilot was to be issued by April 2010. However, as of November 2011, the report remains to be issued.

    Recommendation: To help ensure that the TWIC pilot schedule can be reliably used to guide the pilot and identify the pilot's completion date, the Assistant Secretary for the Transportation Security Administration should direct the TWIC program office, in concert with pilot participants to fully incorporate best practices for program scheduling in the pilot schedule to help ensure that (1) all pilot activities are captured; (2) sufficient resources are assigned to all activities; (3) the duration of all activities are established and agreed upon by all stakeholders; (4) a schedule risk analysis is conducted to determine a level of confidence in meeting the planned completion date and impact of not achieving planned activities within scheduled deadlines; and (5) the schedule is correctly updated on a periodic basis.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  3. Status: Closed - Not Implemented

    Comments: We reported that the Transportation Security Administration (TSA) and Coast Guard had not developed an evaluation plan that fully identified the scope of the pilot and specified how information from the pilot would be analyzed. This shortfall partly hindered their efforts to ensure that the pilot is broadly representative of deployment conditions and will yield the information needed. We recommended that TSA and Coast Guard develop an evaluation plan to guide the remainder of the pilot that includes performance standards, a clearly articulated evaluation methodology, and a data analysis plan. However, as we reported in May 2013, while TSA developed a data analysis plan, TSA and USCG reported that they did not develop an evaluation plan with an evaluation methodology or performance standards, as we recommended. The data analysis plan was a positive step because it identified specific data elements to be captured from the pilot for comparison across pilot sites. If accurate data had been collected, adherence to the data analysis plan could have helped yield valid results. However, TSA and the independent test agent did not utilize the data analysis plan. According to officials from the independent test agent, they started to use the data analysis plan but stopped using the plan because they were experiencing difficulty in collecting the required data and TSA directed them to change the reporting approach. TSA officials stated that they directed the independent test agent to change its collection and reporting approach because of TSA's inability to require or control data collection to the extent required to execute the data analysis plan. We are therefore closing this recommendation as not implemented.

    Recommendation: To ensure that the information needed to assess the technical, business, and operational impacts of deploying TWIC biometric card readers at Maritime Transportation Security Act (MTSA)-regulated facilities and vessels is acquired prior to the development of the card reader rule, the Assistant Secretary for the Transportation Security Administration and Commandant of the U.S. Coast Guard should direct their respective TWIC program offices to develop an evaluation plan to guide the remainder of the pilot that includes performance standards, a clearly articulated evaluation methodology--including the unit of analysis and criteria--and a data analysis plan.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Not Implemented

    Comments: We reported that the Transportation Worker Identification Credential (TWIC) reader pilot was to, among other things, test the technology, business processes, and operational impacts required to deploy card readers at secure areas of the marine transportation system. However, we found that the Transportation Security Administration (TSA) had not developed a detailed evaluation plan to describe how the collected data was to be used to track the program's performance and evaluate the effectiveness of using TWIC with biometric card readers. We recommended that that TSA and Coast Guard identify how they will compensate for areas where the TWIC reader pilot will not provide the necessary information needed to report to Congress and implement the card reader rule. In April 2013, Coast Guard further reported that it augmented TWIC pilot data by conducting additional studies regarding physical access control systems and congestion delays, as well as other analyses, which it used to complete the TWIC reader Notice of Proposed Rulemaking published in March of 2013. As we reported in May 2013, the studies did not compensate for all of the challenges we identified in our November 2009 report. We are therefore closing this recommendation as not implemented.

    Recommendation: To ensure that the information needed to assess the technical, business, and operational impacts of deploying TWIC biometric card readers at MTSA-regulated facilities and vessels is acquired prior to the development of the card reader rule, the Assistant Secretary for the Transportation Security Administration and Commandant of the U.S. Coast Guard should direct their respective TWIC program offices to identify how they will compensate for areas where the TWIC reader pilot will not provide the necessary information needed to report to Congress and implement the card reader rule. The information to collected and approach for obtaining and evaluating information obtained through this effort should be documented as part of an evaluation plan. At a minimum, areas for further review include the potential requirements identified in the TWIC Reader Advanced Notice of Proposed Rulemaking but not addressed by the pilot. Sources of information to consider include investigating the possibility of using information resulting from the deployment of TWIC readers at non-pilot port facilities to help inform the development of the card reader rule.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Sep 24, 2014

Sep 18, 2014

Sep 17, 2014

Sep 10, 2014

Sep 9, 2014

Sep 8, 2014

Jul 31, 2014

Jul 29, 2014

Looking for more? Browse all our products here