Improvements in the Department of State's Development Process Could Increase the Security of Passport Cards and Border Crossing Cards
GAO-10-589: Published: Jun 1, 2010. Publicly Released: Jul 1, 2010.
In July 2008, the Department of State (State) began issuing passport cards as a lower-cost alternative to passports for U.S. citizens to meet Western Hemisphere Travel Initiative requirements. In October 2008, State began issuing the second generation border crossing card (BCC) based on the architecture of the passport card. GAO was asked to examine the effectiveness of the physical and electronic security features of the passport card and second generation BCC. This report addresses: (1) How effectively State's development process--including testing and evaluation--for the passport card and second generation BCC mitigates the risk of fraudulent use? (2) How are U.S. Customs and Border Protection (CBP) officers using the cards' security features to prevent fraudulent use at land ports of entry? To conduct this work, GAO evaluated the security features of passport cards and second generation BCCs against international standards and guidance and results from testing and evaluation and observed the inspection of these cards at five land ports of entry (POE).
State developed a passport card and second generation BCC that generally meet standards and guidance for international travel documents and include numerous, layered security features that, according to document security experts in the Department of Homeland Security, provide adequate security against fraudulent use. While following standards and guidance helps to ensure the security of these documents, State's development process could be improved. State addressed most problems identified during evaluation and testing; however, it did not address some of the resulting issues and recommendations or did not document its reasons for not doing so. In addition, State tested and evaluated the security of only prototypes of the passport card, which did not include key features such as the background artwork, personalization features, and other security features that were added or changed for the final passport card. Moreover, State did not test the security of the second generation BCC or the updated passport card expected to be issued in the second quarter of 2010. Fully testing the passport card and BCC and addressing identified problems would provide State a more complete understanding of the overall security and performance of its cards and a greater assurance that its cards are adequately secure. CBP officers in primary inspection--the first and most critical opportunity to identify individuals seeking to enter the United States with fraudulent travel documents--use a variety of methods to identify fraudulent documents, but are unable to take full advantage of the security features in passport cards and BCCs because of time constraints, limited use of technology in primary inspection, and the lack of sample documents for training. While CBP has deployed technology tools for primary inspectors to use when inspecting passport cards and BCCs, it could still make better usage of fingerprint data to mitigate the risk of imposter fraud with BCCs, the most common type of fraud. In addition, although CBP provided training on security features of the passport card and second generation BCC to inspecting officers prior to their issuance, the conduct of training without sample passport cards or second generation BCCs at the Vermont POEs visited by GAO indicate that improvements are still needed. State and DHS need to fully implement GAO's prior recommendation to improve training on new documents prior to their issuance, including the provision of exemplars to be used during training to better familiarize officers with the look and feel of the actual documents. GAO recommends that State fully address any problems found during testing and evaluation, including documenting the reasons for not addressing any of them, and test and evaluate the security features on the cards as they will be issued. State agreed with the recommendations.
Recommendations for Executive Action
Comments: State concurred with this recommendation and in its comments to our report, stated that it created a permanent position for a Forensic Document Design and Integrity Coordinator to regularize procedures for testing and evaluation of all secure documents, including documenting results. In July 2011, State officials indicated that they are establishing a design process that will include the creation and approval of a formal action memo to record reasons for not addressing problems encountered. The memo will be approved by several State officials, including the Forensic Document Design and Integrity Coordinator. The process will be implemented when State considers new versions of its travel documents.
Recommendation: To ensure the designs for the passport card and BCC physical security features adequately mitigate the risk of fraudulent use, and to improve the development process when conducting future redesigns or updates to the passport card or BCC, the Secretary of State should fully address any issues or problems encountered during testing, including the documentation of reasons for not addressing any of them.
Agency Affected: Department of State
Comments: State concurred with this recommendation and in its comments to our report, stated that it created a permanent position for a Forensic Document Design and Integrity Coordinator to regularize procedures for testing and evaluation of all secure documents. In July 2011, State officials indicated they plan to implement a design process that will include testing of documents by an independent lab and physical security assessments by the Department of Homeland Security's Forensic Document Laboratory.
Recommendation: To ensure the designs for the passport card and BCC physical security features adequately mitigate the risk of fraudulent use, and to improve the development process when conducting future redesigns or updates to the passport card or BCC, the Secretary of State should fully test or evaluate the security features on the cards as they will be issued, including any significant changes made to the cards' physical construction, security features, or appearance during the development process.
Agency Affected: Department of State