Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: Biometrics

    5 publications with a total of 22 open recommendations including 8 priority recommendations
    Director: Joseph W. Kirschbaum
    Phone: (202) 512-9971

    6 open recommendations
    Recommendation: To enhance enterprise-wide biometric strategic planning, the Under Secretary of Defense for Acquisition, Technology, and Logistics should publish an updated biometric strategic plan to identify enterprise goals and objectives.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enhance enterprise-wide biometric strategic planning, the Under Secretary of Defense for Acquisition, Technology, and Logistics should publish a supporting biometric implementation plan that includes intended outcomes, measures of effectiveness, and responsibilities, among other things.

    Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should assign a milestone decision authority to oversee the Near Real Time Identity Operations solution.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should complete a disposition analysis for the Near Real Time Identity Operations solution before the solution reaches operation and sustainment.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should consider including geographic dispersal as part of the selection criteria for the DOD Automated Biometric Information System (ABIS) follow-on system.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To facilitate more effective and efficient acquisition management of DOD's biometric and forensic enterprises, the Secretary of the Army, in coordination with the Under Secretary of Defense for Acquisition, Technology, and Logistics, should use tradeoff selection criteria, rather than lowest-price technically acceptable criteria, for determining contractor support for DOD ABIS mission-critical functions when it is practicable to do so.

    Agency: Department of Defense: Department of the Army
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Diana Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 6 priority recommendations
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the PIA development process to determine why PIAs were not published prior to using or updating face recognition capabilities, and implement corrective actions to ensure the timely development, updating, and publishing of PIAs before using or making changes to a system.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ officials did not concur with this recommendation, and stated that the FBI has established practices that protect privacy and civil liberties beyond the requirements of the law. DOJ officials stated that it will internally evaluate the PIA process as part of the Department's overall commitment to improving its processes, not in response to our recommendation. In March 2017, we followed up with DOJ to obtain its current position on our recommendation. DOJ continues to believe that its approach in designing the NGI system was sufficient to meet legal privacy requirements and that our recommendation represents a "checkbox approach" to privacy. We disagree with DOJ's characterization of our recommendation. We continue to believe that the timely development and publishing of future PIAs would increase transparency of the department's systems. We recognize the steps the agency took to consider privacy protection during the development of the NGI system. We also stand by our position that notifying the public of these actions is important and provides the public with greater assurance that DOJ components are evaluating risks to privacy when implementing systems. As a result, the recommendation remains open and unimplemented.
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the SORN development process to determine why a SORN was not published that addressed the collection and maintenance of photos accessed and used through NGI for the FBI's face recognition capabilities prior to using NGI-IPS, and implement corrective actions to ensure SORNs are published before systems become operational.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ agreed, in part, with our recommendation and submitted the SORN for publication to the Federal Register on April 21, 2016, and it was published on May 5, 2016. DOJ did not agree that the publication of a SORN is required by law. We disagree with DOJ's interpretation regarding the legal requirements of a SORN. The Privacy Act of 1974 requires that when agencies establish or make changes to a system of records, they must notify the public through a SORN published in the Federal Register. DOJ's comments on our draft report acknowledge that the automated nature of face recognition technology and the sheer number of photos now available for searching raise important privacy and civil liberties considerations. DOJ officials also stated that the FBI's face recognition capabilities do not represent new collection, use, or sharing of personal information. We disagree. We believe that the ability to perform automated searches of millions of photos is fundamentally different in nature and scope than manual review of individual photos, and the potential impact on privacy is equally fundamentally different. By assessing the SORN development process and taking corrective actions to ensure timely development of future SORNs, the public would have a better understanding of how personal information is being used and protected by DOJ components. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Director of the Federal Bureau of Investigation should conduct audits to determine the extent to which users of NGI-IPS and biometric images specialists in FACE Services are conducting face image searches in accordance with Criminal Justice Information Services Division policy requirements.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In March 2017, DOJ provided us with the audit plan the CJIS Audit Unit developed in June 2016 for NGI-IPS users. In addition, DOJ reported that the CJIS Audit Unit began assessing NGI-IPS requirements at participating states in conjunction with its triennial National Identity Services audit and that, as of February 2017, the unit had conducted NGI-IPS audits of four states. Further, DOJ officials said CJIS developed an audit plan of the FACE Services Unit to coincide with the existing triennial FBI internal audit for 2018. However, DOJ did not provide the audit plan for the FACE Services Unit. DOJ officials said the methodology would be the same as the audit plan for NGI-IPS, but that methodology does not describe oversight on use of information obtained from external systems accessed by FACE Services employees. Therefore, we believe DOJ is making progress towards meeting the recommendation, but has not fully implemented our recommendation.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct tests of NGI-IPS to verify that the system is sufficiently accurate for all allowable candidate list sizes, and ensure that the detection and false positive rate used in the tests are identified.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up, as of March 2017, DOJ did not concur with this recommendation. DOJ officials stated that the FBI has performed accuracy testing to validate that the system meets the requirements for the detection rate, which fully satisfies requirements for the investigative lead service provided by NGI-IPS. We disagree with DOJ. A key focus of our recommendation is the need to ensure that NGI-IPS is sufficiently accurate for all allowable candidate list sizes. Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists (between 2 and 50 photos). FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. However, according to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS's face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users' needs. DOJ officials also stated that searches of NGI-IPS produce a gallery of likely candidates to be used as investigative leads, not for positive identification. As a result, according to DOJ officials, NGI-IPS cannot produce false positives and there is no false positive rate for the system. We disagree with DOJ. The detection rate and the false positive rate are both necessary to assess the accuracy of a face recognition system. Generally, face recognition systems can be configured to allow for a greater or lesser number of matches. 
    A greater number of matches would generally increase the detection rate, but would also increase the false positive rate. Similarly, a lesser number of matches would decrease the false positive rate, but would also decrease the detection rate. Reporting a detection rate of 86 percent without reporting the accompanying false positive rate presents an incomplete view of the system's accuracy. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct an operational review of NGI-IPS at least annually that includes an assessment of the accuracy of face recognition searches to determine if it is meeting federal, state, and local law enforcement needs and take actions, as necessary, to improve the system.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: As of March 2017, FBI officials stated they implemented the recommendation by submitting a paper to solicit feedback from users through the Fall 2016 Advisory Policy Board Process. Specifically, officials said the paper requested feedback on whether the face recognition searches of the NGI-IPS are meeting their needs, and input regarding search accuracy. According to FBI officials, no users expressed concern with any aspect of the NGI-IPS meeting their needs, including accuracy. Although FBI's action of providing working groups with a paper presenting GAO's recommendation is a step, the FBI's actions do not fully meet the recommendation. The FBI's paper was presented as informational, and did not result in any formal responses from users. We disagree with the FBI's conclusion that receiving no responses on the informational paper fulfills the operational review recommendation, which includes determining that NGI-IPS is meeting users' needs. As such, we continue to recommend the FBI conduct an operational review of NGI-IPS at least annually.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should take steps to determine whether each external face recognition system used by FACE Services is sufficiently accurate for the FBI's use and whether results from those systems should be used to support FBI investigations.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up in 2017, DOJ officials did not concur with this recommendation and had no plans to implement it. DOJ officials stated that the FBI has no authority to set or enforce accuracy standards of face recognition technology operated by external agencies. In addition, DOJ officials stated that the FBI has implemented multiple layers of manual review that mitigate risks associated with the use of automated face recognition technology. Further, DOJ officials stated there is value in searching all available external databases, regardless of their level of accuracy. We disagree with the DOJ position. We continue to believe that the FBI should assess the quality of the data it is using from state and federal partners. We acknowledge that the FBI cannot and should not set accuracy standards for the face recognition systems used by external partners. We also do not dispute that the use of external face recognition systems by the FACE Services Unit could add value to FBI investigations. However, we disagree with FBI's assertion that no assessment of the quality of the data from state and federal partners is necessary. We also disagree with the DOJ assertion that manual review of automated search results is sufficient. Even with a manual review process, the FBI could miss investigative leads if a partner does not have a sufficiently accurate system. By relying on its external partners' face recognition systems, the FBI is using these systems as a component of its routine operations and is therefore responsible for ensuring the systems will help meet FBI's mission, goals and objectives. The recommendation remains open and unimplemented.
    Director: Cary Russell
    Phone: (202) 512-5431

    6 open recommendations
    including 1 priority recommendation
    Recommendation: To enable AFRICOM's component commands to better plan, advise, and coordinate for OCS, the AFRICOM Commander, as part of AFRICOM's ongoing efforts to update related guidance and emphasize the importance of OCS integration at the subordinate command level, should direct the service components to designate elements within their respective staffs to be responsible for coordinating OCS, and consider the establishment of an OCS Integration Cell or similar structure with these dedicated OCS personnel, as needed.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials stated that there are clear advantages and benefits to establishing an OCSIC at Service-component level. USAFRICOM, as a geographic combatant command, assigns operational missions to subordinate commands for execution, including operational contract support (OCS) tasks. Joint Pub 4-10, as augmented by AFRICOM Command Instruction (ACI) 4800.01 A, specifies the tasks and functions in support of OCS that Service Components must execute. Service Components determine the most appropriate organizational structure best suited to meet their assigned mission, i.e., establishment of an OCSIC as deemed necessary. However, service components have indicated that guidance clarifying the circumstances under which they should establish OCSICs would be helpful. As such, this recommendation will remain open at this time.
    Recommendation: To enable AFRICOM's component commands to better plan, advise, and coordinate for OCS, the AFRICOM Commander, as part of AFRICOM's ongoing efforts to update related guidance and emphasize the importance of OCS integration at the subordinate command level, should clarify under what conditions a subordinate joint force command, such as Combined Joint Task Force-Horn of Africa, should establish an OCS Integration Cell.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: AFRICOM officials told us that USAFRICOM J4 conducted a staff assistance visit (SAV) at CJTF-HOA from 16-19 August 2015. It was recommended that CJTF-HOA establish an OCS Working Group (OCSWG) that is owned by the CJTF-HOA J4. The OCSWG is a doctrinal working group and would contain designated cross-functional staff members to enable OCS planning and policy generation as well as oversee contractor management issues. Other OCS recommendations were made to the CJTF-HOA J4 that included adding permanent OCS billets to the J4 and executing OCSIC tasks. This recommendation will remain open at this time.
    Recommendation: To enable AFRICOM to better identify, address, and mitigate OCS readiness gaps at its component commands before inaccurate information is incorporated into formal defense readiness reporting systems, the AFRICOM Commander should clarify the scorecard process, including assessment standards, for OCS Readiness Scorecards to ensure that evaluators can accurately assess subordinate commands' OCS capabilities.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials stated that while the OCS score card may be considered a best practice in the OCS execution in the AFRICOM AOR, it is not a replacement for the Defense Readiness Reporting System (DRRS) to report OCS. This recommendation will remain open at this time.
    Recommendation: To enable AFRICOM to comprehensively and consistently account for contractor personnel in Africa, the Secretary of Defense, in coordination with the Chairman of the Joint Chiefs of Staff, should direct Joint Staff to clarify what types of contractor personnel should be accounted for in its guidance on personnel status reports.

    Agency: Department of Defense
    Status: Open

    Comments: DOD has taken steps to clarify what types of contractor personnel should be accounted for in its guidance on personnel status reports, but revision of that guidance is ongoing. According to Joint Staff officials in August 2016, USAFRICOM has not yet incorporated its local policies and standards into the CJCSM 3150.13C as the manual is up for review by the Joint Staff and is projected to be completed by Spring 2017. Additionally, in February 2016, a class deviation became effective for the USAFRICOM area of responsibility (AOR). This deviation superseded Class Deviations 2014-O0005, and 2015-O0003. The deviation stated that contracting officers shall incorporate clause 252.225-7980, Contractor Personnel Performing in the United States Africa Command Area of Responsibility, in lieu of the clause at DFARS 252.225-7040, Contractor Personnel Supporting U.S. Armed Forces Deployed Outside the United States, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items that will require contractor personnel to perform in the United States Africa Command (USAFRICOM) area of responsibility. In addition, to the extent practicable, contracting officers shall modify current, active contracts with performance in the USAFRICOM AOR to include the clause 252.225-7980. The USAFRICOM Commander has identified a need to utilize the Synchronized Pre-deployment and Operational Tracker for all contracts performed in the AOR during all operational phases (including Phase 0), not limited to declared contingency operations. However, until guidance clarifying what types of contractor personnel is finalized, this recommendation will remain open.
    Recommendation: To enable AFRICOM to comprehensively and consistently account for contractor personnel in Africa, the AFRICOM Commander should develop area of responsibility-wide contractor personnel accountability guidance on or before December 2015, when the current guidance expires, that clarifies which types of contractor personnel should be accounted for using SPOT, and when SPOT accountability requirements should be incorporated into contracts.

    Agency: Department of Defense: U.S. Africa Command
    Status: Open

    Comments: In July 2016, AFRICOM officials told us Defense Federal Acquisition Regulation Supplement (DFARS) 252.225-7980 (Class Deviation 2016-00008), Contractor Personnel Performing in the United States Africa Command Area of Responsibility, was published in June 2016. This clause requires the use of the Synchronized Pre-Deployment and Operational Tracker (SPOT) to account for all Contractor Authorized to Accompany the Force (CAAF), United States and third-country national contractors (TCNs), all private security contractors, and all other contractor personnel authorized to carry weapons when performing in the AFRICOM AOR on all DoD contracts, regardless of the contract amount or period of performance. Furthermore, the DoD contractor is required to submit to the cognizant contracting officer for SPOT reporting an aggregate count of all local national employees performing in the AFRICOM AOR, by country of performance, for 30 days or longer under a contract valued at or above $150,000. This recommendation will remain open at this time.
    Recommendation: To ensure that combatant commands are not contracting with entities that may be connected to or supporting prohibited organizations, the Secretary of Defense, in coordination with the Chairman of the Joint Chiefs of Staff, should develop guidance that clarifies the conditions under which combatant commands should have a foreign vendor vetting process or cell in place to determine whether potential vendors actively support any terrorist, criminal, or other sanctioned organizations, including clarifying when combatant commands should develop procedures for transmitting the names of any vendors identified through this process for inclusion in prohibited entities lists in the appropriate federal contracting databases, such as the System for Award Management.

    Agency: Department of Defense
    Status: Open
    Priority recommendation

    Comments: As of October 2016, DOD has taken steps to develop foreign vendor vetting guidance, but that guidance is in the process of being drafted. According to Joint Staff officials in August 2016, as required by NDAA for FY2015, Section 841(d)(1), the Director, Defense Procurement & Acquisition Policy, issued Class Deviation 2015-O0016, Prohibition on Providing Funds to the Enemy and Authorization of Additional Access to Records, effective September 15, 2015. Also, Joint Staff has drafted a Directive Type Memorandum (DTM) on foreign vendor vetting. When issued, the DTM will assign responsibility to each of the Combatant Commanders to establish a foreign vendor program in their respective Areas of Responsibility in accordance with NDAA for FY2015, Sections 841, 842 and 843. However, until the DTM is issued, this recommendation will remain open.
    Director: Lepore, Brian J
    Phone: (202) 512-3000

    1 open recommendation
    Recommendation: To determine the viability and cost-effectiveness of reducing transmission times for biometrics data, the Secretary of Defense should direct the Assistant Secretary of Defense for Research and Engineering, through the Under Secretary of Defense for Acquisition, Technology, and Logistics, to comprehensively assess and then address, as appropriate, the factors that contribute to transmission time for biometrics data.

    Agency: Department of Defense
    Status: Open

    Comments: In January 2016, DOD published Directive 8521.01E, Defense Biometrics, which directs the Secretary of the Army to measure the health and performance of the DOD Biometrics Enterprise and generate results for the Biometrics Principal Staff Assistant and the DOD Biometrics Executive Committee. OUSD(AT&L) and Army officials also noted that the department is required to obtain a favorable evaluation from the Director, Operational Test and Evaluation (DOT&E) and the Army Test and Evaluation Command in order to obtain approval for extending the service life of DOD's authoritative biometric system. These officials note that the tests and evaluations required for such approval will include an assessment of transmission and response times against approved requirements for the biometrics system. However, Marine Corps officials highlighted continued biometrics data transmission and synchronization issues with a currently fielded biometric capability that uses some of the same technology we identified issues with during the course of our review. In Summer 2017, DOD informed GAO that the department will soon issue a report to address these issues, so GAO is keeping this recommendation open until such time as DOD's report becomes available for GAO review.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In April 2013, DHS reported that it had taken a number of steps to address our recommendations. For example, it had refreshed and reissued fraudulent document detection training to enrollment personnel; created a mechanism for enrollment personnel to send detailed information of suspected fraud to adjudication personnel; benchmarked TWIC enrollment processes with passport enrollment processes; and defined guidance for adjudicators on the application of discretionary authority. As we reported in May 2013, to determine if the internal control weaknesses identified in our May 2011 report still exist, we conducted limited covert testing in late 2012. Our investigators again acquired an authentic TWIC through fraudulent means and were able to use this card and counterfeit TWIC cards to access areas of ports or port facilities requiring a TWIC for entry at four ports. 
In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. In January 2017 TSA awarded a contract for an internal control assessment of the TWIC program, including the TWIC program's internal controls of the enrollment, background checking, and credential issuance processes. The assessment, however, is to exclude an assessment of Coast Guard's role in TWIC enforcement. The project held a kickoff meeting in March of 2017 and is expected to produce final recommendations by August 2017. We believe that this is a positive step towards addressing our recommendation. However, the assessment does not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed.
For the reasons noted above, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. In March 2012, DHS reported that it agreed that the results and progress of the internal control actions should be used to further evaluate the effectiveness of the TWIC program. They further noted that as the different long term actions progress, DHS will develop specific plans to address this action. In May 2013 (see GAO-13-198), we reported that DHS had not addressed this recommendation. On January 17, 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after enactment (April 17, 2014). In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. 
Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. As of March 2017, the internal control assessment we recommended as the basis for initiating the effectiveness assessment had not been completed. However, on January 15, 2016, Coast Guard reported that it had completed its effectiveness assessment. Specifically, DHS completed an effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers." However, the effectiveness assessment did not substantively address the risk concerns identified in our report. For example, the effectiveness assessment lacked the internal control assessment we deem to be the critical first step for fully understanding the TWIC program's controls, costs, and risks. Further, while the effectiveness assessment presented a comparison of alternative credentialing approaches, the assessment did not fully consider, as discussed in our 2011 and 2013 reports, an approach wherein federal security threat assessments could be leveraged in concert with site-specific credentials. The analysis did consider the benefits of updating the TWIC credential to new federal credentialing standards. However, absent from the analysis is a risk-informed basis for disallowing site-specific credentials. While TWIC credentials are developed based on standards aligned with those used by federal entities, each federal entity continues to use site-specific credentials that have varying appearances, rather than a single credential for granting access to all federal entities. This is important, especially because Coast Guard's risk assessment does not include an evaluation of the security benefits and shortfalls that a single credential used nation-wide provides.
Absent an effectiveness assessment that meets the intent of our recommendation, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. 
However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of March 2017, no further action has been taken.