Transportation Worker Identification Credential:
Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives
GAO-11-648T, May 10, 2011
- Accessible Text:
This testimony discusses credentialing issues associated with the security of U.S. transportation systems and facilities. Securing these systems requires balancing security to address potential threats while facilitating the flow of people and goods that are critical to the U.S. economy and international commerce. As we have previously reported, these systems and facilities are vulnerable and difficult to secure given their size, easy accessibility, large number of potential targets, and proximity to urban areas. The Maritime Transportation Security Act of 2002 (MTSA) required regulations preventing individuals from having unescorted access to secure areas of MTSA-regulated facilities and vessels unless they possess a biometric transportation security card and are authorized to be in such an area. MTSA further required that biometric transportation security cards be issued to eligible individuals unless determined that an applicant poses a security risk warranting denial of the card. The Transportation Worker Identification Credential (TWIC) program is designed to implement these biometric maritime security card requirements. The TWIC program, once implemented, aims to meet the following stated mission needs: (1) Positively identify authorized individuals who require unescorted access to secure areas of the nation's transportation system. (2) Determine the eligibility of individuals to be authorized unescorted access to secure areas of the transportation system by conducting a security threat assessment. (3) Ensure that unauthorized individuals are not able to defeat or otherwise compromise the access system in order to be granted permissions that have been assigned to an authorized individual. (4) Identify individuals who fail to maintain their eligibility requirements subsequent to being permitted unescorted access to secure areas of the nation's transportation system and immediately revoke the individual's permissions. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) and the U.S. Coast Guard are responsible for implementing and enforcing the TWIC program. In addition, DHS's Screening Coordination Office facilitates coordination among the various DHS components involved in TWIC. This testimony is based on a report we are releasing publicly today on the TWIC program. Like the report, this testimony discusses the extent to which: (1) TWIC processes for enrollment, background checking, and use are designed to provide reasonable assurance that unescorted access to secure areas of MTSA-regulated facilities and vessels is limited to qualified individuals, and (2) DHS has assessed the effectiveness of TWIC, and whether the Coast Guard has effective systems in place to measure compliance.
DHS has established a system of TWIC-related processes and controls. However, internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to meet the program's stated mission needs or provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. Specifically, internal controls in the enrollment and background checking processes are not designed to provide reasonable assurance that (1) only qualified individuals can acquire TWICs; (2) adjudicators follow a process with clear criteria for applying discretionary authority when applicants are found to have extensive criminal convictions; or (3) once issued a TWIC, TWIC holders have maintained their eligibility. To meet the stated program purpose, TSA's focus in designing the TWIC program was on facilitating the issuance of TWICs to maritime workers. However, TSA did not assess the internal controls in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals. For example, controls that the TWIC program has in place to identify the use of potentially counterfeit identity documents are not used to routinely inform background checking processes. Internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. During these tests at several selected ports, our investigators were successful in accessing ports using counterfeit TWICs, authentic TWICs acquired through fraudulent means, and false business cases (i.e., reasons for requesting access). DHS asserted in its 2009 and 2010 budget submissions that the absence of the TWIC program would leave America's critical maritime port facilities vulnerable to terrorist activities. However, to date, DHS has not assessed the effectiveness of TWIC at enhancing security or reducing risk for MTSA-regulated facilities and vessels. Further, DHS has not demonstrated that TWIC, as currently implemented and planned with card readers, is more effective than prior approaches used to limit access to ports and facilities, such as using facility-specific identity credentials with business cases. According to TSA and Coast Guard officials, because the program was mandated by Congress as part of MTSA, DHS did not conduct a risk assessment to identify and mitigate program risks prior to implementation. Further, according to these officials, neither the Coast Guard nor TSA analyzed the potential effectiveness of TWIC in reducing or mitigating security risk--either before or after implementation--because they were not required to do so by Congress. However, internal control weaknesses raise questions about the effectiveness of the TWIC program. Moreover, as we have previously reported, Congress also needs information on whether and in what respects a program is working well or poorly to support its oversight of agencies and their budgets, and agencies' stakeholders need performance information to accurately judge program effectiveness. Therefore, we recommended in our May 2011 report that the Secretary of Homeland Security conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. DHS concurred with our recommendation.