Aviation Security:

Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates

GAO-16-632: Published: May 31, 2016. Publicly Released: May 31, 2016.

Contact:

Jennifer Grover
(202) 512-7141
groverj@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has made progress in assessing the threat, vulnerability, and consequence components of risk to airport perimeter and access control security (airport security) since GAO last reported on the topic in 2009, such as developing its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment of Airport Security) in May 2013. However, TSA has not updated this assessment to reflect changes in the airport security risk environment, such as TSA's subsequent determination of risk from the insider threat—the potential of rogue aviation workers exploiting their credentials, access, and knowledge of security procedures throughout the airport for personal gain or to inflict damage. Updating the Risk Assessment of Airport Security with information that reflects this current threat, among other things, would better ensure that TSA bases its risk management decisions on current information and focuses its limited resources on the highest-priority risks to airport security. Further, TSA has not comprehensively assessed the vulnerability—one of the three components of risk—of TSA-regulated (i.e., commercial) airports system-wide through its joint vulnerability assessment (JVA) process, which it conducts with the Federal Bureau of Investigation (FBI), or another process. From fiscal years 2009 through 2015, TSA conducted JVAs at 81 (about 19 percent) of the 437 commercial airports nationwide. TSA officials stated that they have not conducted JVAs at all airports system-wide because of resource constraints. While conducting JVAs at all commercial airports may not be feasible given budget and resource constraints, other approaches, such as providing all commercial airports with a self-vulnerability assessment tool, may allow TSA to assess vulnerability at airports system-wide.

Since 2009, TSA has taken various actions to oversee and facilitate airport security; however, it has not updated its national strategy for airport security to reflect changes in its Risk Assessment of Airport Security and other security-related actions. TSA has taken various steps to oversee and facilitate airport security by, among other things, developing strategic goals and evaluating risks. For example, in 2012 TSA developed its National Strategy for Airport Perimeter and Access Control Security (Strategy), which defines how TSA seeks to secure the perimeters and security-restricted areas of the nation's commercial airports. However, TSA has not updated its Strategy to reflect actions it has subsequently taken, including results of the 2013 Risk Assessment and new and enhanced security activities, among other things. Updating the Strategy to reflect changes in the airport security risk environment and new and enhanced activities TSA has taken to facilitate airport security would help TSA to better inform management decisions and focus resources on the highest-priority risks, consistent with its strategic goals.

This is a public version of a sensitive report that GAO issued in March 2016. Information that TSA deems “Sensitive Security Information” has been removed.

Why GAO Did This Study

Incidents of aviation workers using access privileges to smuggle weapons and drugs into security-restricted areas and onto planes have heightened awareness about security at commercial airports. TSA, along with airport operators, has responsibility for securing the nation's approximately 440 commercial airports.

GAO was asked to review TSA's oversight of airport perimeter and access control security since GAO last reported on the topic in 2009. This report examines, for airport security, (1) the extent to which TSA has assessed the components of risk and (2) the extent to which TSA has taken actions to oversee and facilitate security, among other objectives.

GAO examined TSA documents related to risk assessment and security activities; analyzed relevant TSA security event data from fiscal years 2009 through 2015; and obtained information from TSA and industry association officials as well as from a nongeneralizable sample of 11 airports, selected based on factors such as size.

What GAO Recommends

GAO is making six recommendations, including that TSA update its Risk Assessment of Airport Security, develop and implement a method for conducting a system-wide assessment of airport vulnerability, and update its National Strategy for Airport Perimeter and Access Control Security. DHS concurred with the recommendations and identified planned actions to address the recommendations.

For more information, contact Jennifer Grover at (202) 512-7141 or groverj@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed.

    Agency Affected: Department of Homeland Security: Transportation Security Administration

 
