This is the accessible text file for GAO report number GAO-05-448T 
entitled 'Maritime Security: Enhancements Made, But Implementation and 
Sustainability Remain Key Challenges' which was released on May 17, 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.


Before the Committee on Commerce, Science, and Transportation, U. S. 

United States Government Accountability Office:


For Release on Delivery Expected at 10 a.m. EDT:

Tuesday, May 17, 2005:

Maritime Security:

Enhancements Made, But Implementation and Sustainability Remain Key 

Statement of Margaret T. Wrightson:

Director, Homeland Security and Justice Issues:


GAO Highlights:

Highlights of GAO-05-448T, a testimony before the Committee on 
Commerce, Science, and Transportation, United States Senate: 

Why GAO Did This Study:

More than 3 years after the terrorist attacks of September 11, 2001, 
concerns remain over the security of U.S. seaports and waterways. 
Seaports and waterways are vulnerable given their size, easy 
accessibility by water and land, large numbers of potential targets, 
and close proximity to urban areas. Seaports are also a critical link 
in the international supply chain, which has its own potential 
vulnerabilities that terrorists could exploit to transport a weapon of 
mass destruction to the United States. Federal agencies such as the 
Coast Guard and Customs and Border Protection and other seaport 
stakeholders such as state and local law enforcement officials as well 
as owners and operators of facilities and vessels have taken actions to 
try to mitigate these vulnerabilities and enhance maritime security. 

This testimony, which is based on previously completed GAO work, 
reports on (1) the types of actions taken by the federal government and 
other stakeholders to address maritime security, (2) the main 
challenges that GAO observed in taking these actions, and (3) what 
tools and approaches may be useful in planning future actions to 
enhance maritime security.

What GAO Found:

Federal agencies and local stakeholders have taken many actions to 
secure seaports. For example, federal agencies have stepped up vessel 
monitoring, cargo and container inspection, and security patrol 
activities. Port stakeholders in the private sector and in state and 
local government have taken such actions as conducting security 
assessments of infrastructure and vessels and implementing security 
plans. These actions provide three types of protections: identifying 
and reducing vulnerabilities of seaports, securing the cargo moving 
through seaports, and developing an informed view of maritime 
activities through intelligence, information-sharing, and new 
technologies to identify and respond to threats.

Due in large part to the urgency with which these actions were 
implemented, challenges have been encountered in implementing them. 
While some challenges may be resolved with time, others are more 
difficult to resolve and could hinder the actionsí effectiveness. The 
main challenges GAO has identified include failure to develop necessary 
planning components to carry out the programs; difficulty in 
coordinating the activities of federal agencies and port stakeholders 
to implement programs; and difficulty in maintaining the financial 
support to continue implementation of security enhancements.

As intensified homeland security efforts continue, assessing their 
contribution to security and their sustainability over time will become 
more important. Assessing the progress made in securing seaports is 
difficult, as these efforts lack clear goals defining what they are to 
achieve and measures that track progress toward these goals. As 
Congress and the nation consider how much security is enough, more 
attention will likely be needed to define these goals and measures. 
Doing so is important because no amount of money can totally protect 
seaports from attack by a determined enemy. These realities suggest 
that the future focus in applying resources and efforts needs to 
incorporate an approach to assess critical infrastructure, determine 
what is most at risk, and apply measures designed to make cost 
effective use of resources and funding. 

Seaports are difficult to secure due to their size, ease of 
accessibility by water and land, variety of potential targets, and 
close proximity to urban areas: 

[See PDF for image]

[End of figure]

What GAO Recommends:

This testimony makes no recommendations but cites several reports in 
which recommendations were previously made.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Margaret Wrightson at 
(415) 904-2200 or

[End of section]

Mr. Chairman and Members of the Committee:

I am pleased to be here today to discuss the nation's efforts to 
improve seaport security. More than 3 years after the terrorist attacks 
of September 11, 2001, seaport security continues to be a major concern 
for the nation. For example, many seaport areas are inherently 
vulnerable, given their size, easy accessibility by water and land, 
large numbers of potential targets, and proximity to urban areas. Also, 
the large cargo volumes passing through seaports, such as containers 
destined for further shipment by other modes of transportation such as 
rail or truck, also represent a potential conduit for terrorists to 
smuggle weapons of mass destruction or other dangerous materials into 
the United States. The potential consequences of the risks created by 
these vulnerabilities are significant as the nation's economy relies on 
an expeditious flow of goods through seaports. A successful attack on a 
seaport could result in a dramatic slowdown in the supply system, with 
consequences in the billions of dollars.

Much has been set in motion to address these risks in the wake of the 
September 11, 2001, terrorist attacks. Both Congress and the 
administration have been active, through legislation, presidential 
directives, and international agreements, in enhancing seaport 
security. Key agencies, such as the Coast Guard, the Customs Service, 
and the Transportation Security Administration (TSA), have been 
reorganized under the new Department of Homeland Security (DHS) and 
tasked with numerous responsibilities designed to strengthen seaport 
security. Many of these tasks were required by the Maritime 
Transportation Security Act of 2002 (MTSA).[Footnote 1]

My testimony today draws primarily on the work we have done in 
responding to congressional requests for information and analysis about 
the nation's homeland security efforts (see app. I for a list of recent 
reports and testimonies we have issued). We conducted our work in 
accordance with generally accepted government auditing standards, and 
the scope and methodology for this work can be found in the respective 
products. Over the course of completing this work, we have made a 
number of recommendations for specific agencies, which can be found in 
appendix II. While this body of work does not cover every program or 
action that has been taken, it does encompass a wide range of these 
actions. My testimony will (1) provide an overview of the types of 
actions taken by the federal government and other stakeholders to 
address seaport security, (2) describe the main challenges encountered 
in taking these actions, and (3) describe what tools and approaches may 
be useful in charting a course for future actions to enhance security.

In summary:

Seaports are vulnerable on many fronts and the actions taken to secure 
them can be divided into three main categories: reducing 
vulnerabilities of specific targets within seaports, making the cargo 
flowing through these seaport gateways more secure, and developing what 
is called "maritime domain awareness"--a sufficiently informed view of 
maritime activities by stakeholders involved in security to quickly 
identify and respond to emergencies, unusual patterns or events, and 
matters of particular interest. Within each category, several actions 
have been taken or are underway. For example, assessments of potential 
targets have been completed at 55 of the nation's most economically and 
militarily strategic seaports, and more than 9,000 vessels and over 
3,000 facilities have developed security plans and have been reviewed 
by the Coast Guard. Customs inspectors have been placed at some 
overseas seaports and partnerships struck up with some private sector 
stakeholders to help ensure that the cargo and containers arriving at 
U.S. seaports are free of weapons of mass destruction (WMD) or a 
radiological "dirty bomb." New assets are budgeted and are coming on 
line, including new Coast Guard boats and cutters and communication 
systems. Finally, new information-sharing networks and command 
structures have been created to allow more coordinated responses and 
increase awareness of activities going on in the maritime domain. Some 
of these efforts have been completed and others are ongoing; overall, 
the amount of effort has been considerable.

The efforts we have reviewed over the past 3 years, many of which were 
quickly implemented to address pressing security needs, have 
encountered challenges that could significantly affect their success. 
Some of these challenges are likely to be resolved with time, but some 
reflect greater difficulty and therefore merit more attention. The more 
complex challenges take three main forms:

* Program design and implementation: Some agencies have failed to 
design programs and planning components, such as human capital plans 
and performance measures, that are necessary to successfully implement 
their programs and ensure they are effective. For example, U.S. Customs 
and Border Protection (CBP) started implementation of two key container 
supply chain security initiatives before taking adequate steps to 
develop plans and strategies to effectively manage critical aspects of 
the programs such as human capital and achievement of program 

* Coordinating security efforts with stakeholders: Many private sector 
companies and governmental agencies are involved in seaport security 
efforts, and in some cases progress has been hampered because of 
difficulties in communication and coordination between parties. For 
example, deadlines in the development of an identification card for 
transportation workers have been missed due in part to a lack of 
communication and coordination between TSA and DHS.

* Funding security improvements: Economic constraints, such as 
declining revenues and increased security costs, make it difficult to 
provide and sustain the funding necessary to continue implementing 
security measures and activities by maritime stakeholders including the 
federal government. Consequently, many stakeholders rely heavily on the 
federal government for assistance, and requests for federal grant 
funding far outstrip the funding amounts available. For example, 
although more than $560 million in grants has been awarded to seaport 
stakeholders since 2002 under federal grant programs for implementation 
of security measures and activities, this amount has met only a 
fraction of the amount requested by these stakeholders.

* As actions to enhance homeland security continue, and as it becomes 
clearer that the price of these actions will be measured in the 
billions of dollars, it is likely that increasing attention will turn 
to assessing the progress made in securing seaports and determine where 
future actions and funds should be allocated to further enhance 
security. Although there is widespread agreement that actions taken so 
far have led to a heightened awareness of the need for security and an 
enhanced ability to identify and respond to many security threats, 
assessing the degree of progress in making the nation more secure is 
difficult. Thus far, seaport security actions--and homeland security 
activities in general--lack performance measures to define what these 
activities are intended to achieve and measure progress toward these 
goals. As Congress and the nation continue to evaluate how much 
security is enough, more attention on defining these goals and measures 
will likely be needed by stakeholders. Doing so is all the more 
important because, as groups such as the 9/11 Commission have pointed 
out, no amount of money can totally insulate seaports from attack by a 
well-funded and determined enemy. These realities suggest that the 
future focus in applying resources and efforts also needs to 
incorporate an approach to identify and manage risk--that is, on 
assessing critical infrastructure, determining what is most at risk, 
and applying sound measures designed to make cost-effective use of 
resources and funding.


The vast U.S. maritime system contains more than 300 seaports and 3,700 
cargo and passenger terminals. These seaports dot not only our 
seacoasts, but also major lakes and rivers (see fig. 1). Much of the 
nation's commercial maritime activities, however, are concentrated in 
about a dozen major seaports, such as Los Angeles-Long Beach, New York- 
New Jersey, and Houston.

Figure 1: Location of U.S. Seaports:

[See PDF for image]

[End of figure]

The nation's seaports are economic engines and a key part of the 
national defense system. More than 95 percent of the nation's non-North 
American foreign trade (and 100 percent of certain commodities, such as 
foreign oil) arrives by ship. Cargo containers, approximately 7 million 
of which entered the country in 2002, are central to an efficient 
transportation network because they can be quickly shifted from ships 
to trains and trucks and back again. Because of these efficiencies, the 
U.S. and world economies have become increasingly reliant on cargo 
containers to transport their goods. With regard to national security, 
the Departments of Defense and Transportation have designated 17 U.S. 
seaports as strategic because they are necessary for use in the event 
of a major military deployment. Thirteen of them are commercial 

While the terrorist attacks of September 11, 2001, did not involve 
seaports, they called attention to ways in which seaports represent an 
attractive and vulnerable terrorist target. Various studies have 
pointed out that significant disruptions could result from a seaport- 
related attack. For example, the Brookings Institution has estimated 
that costs associated with U.S. seaport closures resulting from a 
detonated weapon of mass destruction could amount to $1 trillion. The 
firm of Booz, Allen, and Hamilton studied the potential cost of 
discovering an undetonated weapon of mass destruction at a U.S. seaport 
and placed the cost of a 12-day closure of seaports at approximately 
$58 billion. An actual closure of seaports along the West Coast 
occurred for 10 days in 2002 due to a labor dispute. According to one 
estimate, the cost of this closure to the national economy for the 
first 5 days was estimated at $4.7 billion and increased exponentially 
after that.[Footnote 2] Similarly, if 1 or more of the 17 strategic 
U.S. seaports (or the ships carrying military supplies) were 
successfully attacked, not only could massive civilian casualties be 
sustained and critical infrastructure lost, but the military could also 
lose precious cargo and time and be forced to rely heavily on already 
burdened airlift capabilities.

Many Actions Have Been Taken or Are Underway to Address Seaport 

Since September 11, 2001, a number of actions have been taken or are 
underway to address seaport security by a diverse mix of agencies and 
seaport stakeholders. Federal agencies, such as the Coast Guard, U.S. 
Customs and Border Protection (CBP), and TSA, have been tasked with 
responsibilities and functions intended to make seaports more secure, 
such as monitoring vessel traffic or inspecting cargo and containers, 
and procuring new assets such as aircraft and cutters to conduct 
patrols and respond to threats. In addition to these federal agencies, 
seaport stakeholders in the private sector and at the state and local 
levels of government have taken actions to enhance the security of 
seaports, such as conducting security assessments of infrastructure and 
vessels operated within the seaports and developing security plans to 
protect against a terrorist attack. The actions taken by these agencies 
and stakeholders are primarily aimed at three types of protections: (1) 
identifying and reducing vulnerabilities of the facilities, 
infrastructure, and vessels operating in seaports, (2) securing the 
cargo and commerce flowing through seaports, and (3) developing greater 
maritime domain awareness through enhanced intelligence, information- 
sharing capabilities, and assets and technologies.

Identifying and Reducing the Vulnerabilities of Facilities, 
Infrastructure, and Vessels:

Seaports facilitate the freedom of movement and flow of goods, and in 
doing so they allow people, cargo, and vessels to transit with relative 
anonymity. While seaports contain terminals and other facilities where 
goods bound for import or export are unloaded and loaded, or where 
people board and disembark cruise ships or ferries, seaports also often 
contain other infrastructure critical to the nation's economy and 
defense, such as military installations, chemical factories, 
powerplants, and refineries. The combination of assets, access, and 
anonymity makes for potentially attractive targets. The facilities and 
vessels in seaports can be vulnerable on many fronts. For example, 
facilities where containers are transferred between ships and railroad 
cars or trucks must be able to screen vehicles entering the facility 
and routinely check cargo for evidence of tampering. Chemical factories 
and other installations where hazardous materials are present must be 
able to control access to areas containing dangerous goods or hazardous 
substances. Vessels, ranging from oil tankers and freighters to 
tugboats and passenger ferries, must be able to restrict access to 
certain areas on board the vessel, such as the bridge or other control 
stations critical to the vessel's operation.

Given the wide range of potential targets, an effective security 
response includes identifying targets, assessing risks to them, and 
taking steps to reduce or mitigate these risks. An essential step in 
this process is to conduct a security or vulnerability assessment. This 
assessment, which is needed both for the seaport as a whole and for 
individual vessels and facilities, identifies vulnerabilities in 
physical structures, personnel protection systems, processes, and other 
areas that may lead to a security breach. For example, this assessment 
might reveal weaknesses in an organization's security systems or 
unprotected access points such as a facility's perimeter not being 
sufficiently lighted or gates not being secured or monitored after 
hours. After the vulnerabilities are identified, measures can be then 
be identified that will reduce or mitigate the vulnerabilities when 
installed or implemented.

Most actions to identify and reduce the vulnerabilities within seaports 
were specifically required by the Maritime Transportation Security Act 
of 2002 (MTSA). Passage of MTSA was a major step in establishing a 
security framework for America's seaports. This security framework 
includes assessment of risks, access controls over personnel and 
facilities, and development and implementation of security plans, among 
other activities. Table 1 shows some of the actions that have been 
taken and programs that are in the process of being implemented to 
carry out this framework. [Footnote 3]

Table 1: Examples of Actions Taken and Programs Underway to Identify 
and Reduce Vulnerabilities:

Action or program: Conducting security assessments and developing 
security plans for facilities and vessels; 
Description: MTSA and its implementing regulations require designated 
owners or operators of maritime facilities or vessels to identify 
vulnerabilities and develop security plans for their facilities or 
vessels. The plans were reviewed and approved by the Coast Guard. Since 
July 1, 2004, the Coast Guard has been conducting inspections of these 
facilities and vessels to ensure the plans have been implemented. The 
Coast Guard completed inspections of the facilities by December 31, 
2004, and is scheduled to complete inspections of the vessels by July 
1, 2005.

Action or program: Conducting security assessments and developing 
seaport-wide security plans; 
Description: To meet another MTSA requirement, the Coast Guard led 
efforts to conduct a seaport-wide security assessment of each of the 
nation's seaports and develop a security plan for the seaport zone. In 
carrying out these efforts, the Coast Guard worked with a wide variety 
of stakeholders, such as state and local governments, law enforcement, 
owners and operators of facilities and vessels, and trade and labor 

Action or program: Development of the Transportation Worker 
Identification Credential (TWIC); 
Description: TWIC is designed to respond to various statutory 
provisions relating to transportation related worker identification 
including MTSA, which requires a biometric identification card be 
issued to individuals requiring unescorted access to secure areas of 
seaport facilities or vessels. This credential is being designed to be 
a universally recognized identification card accepted across all modes 
of the national transportation system, including airports, railroad 
terminals, and seaports.

Action or program: Port Security Assessment Program; 
Description: Separate from MTSA requirements, the Coast Guard 
established a program after September 11, 2001, to assess 
vulnerabilities of the nation's 55 most strategic commercial and 
military seaports. The program has changed considerably since its 
inception and now includes a geographic information system (GIS) to 
help identify and provide up-to-date information on threats and 
incidents, as well as provide accessible information to help develop 
security plans.

Source: GAO analysis of Coast Guard and TSA data.

[End of table]

The amount of effort involved in carrying out these actions and 
implementing these programs has been considerable. For example, after 
following an aggressive time frame to develop regulations to implement 
the requirements of MTSA, the Coast Guard reviewed and approved the 
security plans of the over 3,000 facilities and more than 9,000 vessels 
that were required to identify their vulnerabilities and take action to 
reduce them. Six months after July 1, 2004, the date by which the 
security plans were to be implemented, the Coast Guard reported that it 
completed on-site inspections of all facilities and thousands of 
vessels to ensure the plans were being implemented as approved. In 
addition to its work on the security plans and inspections, the Coast 
Guard completed security assessments of the nation's 55 most 
economically and militarily strategic seaports.

Securing the Cargo Flowing through Seaports:

While the facilities, vessels, and infrastructure within seaports have 
vulnerabilities to terrorist attack, the cargoes transiting through 
seaports also have vulnerabilities that terrorists could exploit. 
Containers are of particular concern because they can be filled 
overseas at so many different locations and are transported through 
complex logistics networks before reaching U.S. seaports. From the time 
the container is loaded for shipping to the time the container arrives 
at a seaport, the containers must go through several steps that involve 
many different participants and many points of transfer. Each of these 
steps in the supply chain presents its own vulnerabilities that 
terrorists could take advantage of to place a WMD into a container for 
shipment to the United States. A report prepared by the National 
Defense University's Center for Technology and National Security Policy 
stated that a container is ideally suited to deliver a WMD or a 
radiological "dirty bomb." While there have been no known incidents yet 
of containers being used to transport WMDs, criminals have exploited 
containers for other illegal purposes, such as smuggling weapons, 
people, and illicit substances. Such activities demonstrate the 
vulnerability of the freight transportation industry and suggest 
opportunities for further exploitation of containers by criminals, 
including terrorist groups.

In general, the actions taken thus far are aimed at identifying, 
tracking, and scrutinizing the container cargo shipments moving into 
the country. Most of these actions are being done by CBP, the DHS 
agency responsible for protecting the nation's borders and official 
ports of entry. CBP uses a layered approach that attempts to focus 
resources on potentially risky cargo containers while allowing other 
cargo containers to proceed without disrupting commerce. This approach 
includes the actions and programs shown in table 2. Several of these 
actions involve a strategy of moving primary reliance for security away 
from control systems at U.S. seaports of entry and toward improved 
controls at points of origin and along the way.[Footnote 4]

Table 2: Examples of Container Security Actions:

Action: Automated Targeting System (ATS); 
Description: A computer model reviews documentation on all arriving 
containers and helps select or target containers for additional 

Action: Supply Chain Stratified Examination; 
Description: Supplements ATS by randomly selecting additional 
containers to be physically examined. The results of the random 
inspection program are to be compared with the results of ATS 
inspections to improve targeting.

Action: Container Security Initiative (CSI); 
Description: Places staff at designated foreign seaports to work with 
foreign counterparts to identify and inspect high-risk containers for 
weapons of mass destruction before they are shipped to the United 

Action: Customs-Trade Partnership Against Terrorism (C-TPAT); 
Description: Cooperative program between CBP and members of the 
international trade community in which private companies agree to 
improve the security of their supply chains in return for a reduced 
likelihood that their containers will be inspected.

Action: Operation Safe Commerce; 
Description: Begun by the private sector and now administered by DHS's 
Office of Domestic Preparedness, efforts center on (1) ensuring that 
containers are loaded in a secure environment at the point of product 
origin, with 100 percent verification of their contents; (2) using such 
technology as pressure, light, or temperature sensors to continually 
monitor containers throughout their overseas voyage to the point of 
distribution in the United States; and (3) using cargo-tracking 
technology to keep accurate track of containers at all points in the 
supply chain, including distribution to their ultimate destinations.

Action: Megaports Initiative; 
Description: In 2003, the Department of Energy (DOE) initiated the 
Initiative to enable foreign government personnel at key seaports to 
use radiation detection equipment to screen shipping containers 
entering and leaving these seaports for nuclear and other radioactive 
material that could be used against the United States or its allies. 
Through the Initiative, DOE installs radiation detection equipment at 
foreign seaports that is then operated by foreign government officials 
and port personnel working at these seaports.

Source: GAO analysis of CBP and DOE data.

[End of table]

The table also shows Operation Safe Commerce, initiated by the private 
sector and now administered by DHS's Office of Domestic Preparedness, 
which employs a similar strategy. This action, in pilot-project form 
that was initially funded by $58 million appropriated by Congress, is 
intended to help strengthen the security of cargo as it moves along the 
international supply chain in containers.[Footnote 5] In late 2004, the 
second of two initial phases of the project was concluded. This phase 
involved identifying the security vulnerabilities of 19 separate supply 
chains and trying out technologies, such as container seals or sensors, 
and their integration with governmental policies, logistic processes 
and procedures that could mitigate those vulnerabilities. The project 
has received additional funding of $17 million that has been targeted 
to conduct a third phase in which the best technologies and practices 
identified in the first two phases will be further tested on a high 
number of containers for their effectiveness and tamper resistance on 
three separate supply chains. A report on the best practices identified 
in the first two phases is expected to be issued in June 2005, and 
completion of the third phase is expected by October 2006.

The other actions taken to enhance the security of cargo and commerce 
have been substantial. In 2002 CBP quickly rolled out the CSI and C- 
TPAT programs shown in table 2 and enlisted the participation of 
several countries and companies. By April 2005, CSI was operational at 
35 seaports, located in 18 countries. Similarly, C-TPAT membership grew 
from about 1,700 companies in January 2003 to over 9,000 companies in 
March 2005. Given the urgency to take steps to protect against 
terrorism after the September 11, 2001, attacks, some of the actions 
were taken using an "implement and amend" approach. That is, CBP had to 
immediately implement the activity with the knowledge it may need to 
modify the approach later. For example, in August 2002, CBP modified 
the already developed Automatic Targeting System with new terrorism- 
related criteria.

Developing Greater Maritime Domain Awareness:

The third main area of activity to enhance seaport security--maritime 
domain awareness--is the understanding by stakeholders involved in 
maritime security of anything associated with the global maritime 
environment that could adversely affect the security, safety, economy 
or environment of the United States. This awareness is essential to 
identify and respond to any unusual patterns or anomalies that could 
portend a possible terrorist attack. To be effective, maritime domain 
awareness must be comprehensive and include information on vessels, 
seaport infrastructures and facilities, shipping lanes and transit 
corridors, waterways, and anchorages, among other things. It must also 
identify threats as soon as possible and far enough away from U.S. 
seaports to eliminate or mitigate the threat. By effectively 
identifying potential threats, this awareness can be used as a force 
multiplier to position resources where they are needed most to respond, 
instead of spreading out limited resources to address all threats, no 
matter how unlikely they are to occur. In addition, when shared, this 
awareness has the potential to facilitate the coordination of efforts 
of local, state, federal, and even international stakeholders in 
responding to potential threats.

After the attacks of September 11, 2001, the Coast Guard took steps 
such as increasing the number of security patrols conducted within 
seaports and waterways that helped contribute to increased maritime 
domain awareness. Although maritime homeland security duties are not 
new to the Coast Guard, the number of hours the Coast Guard used 
resources (such as ships, boats, or aircraft) to carry out seaport, 
waterway, and coastal security activities during fiscal year 2003 
increased by 1,220 percent from their pre-September 11, 2001, level. 
Relative to the rest of the Coast Guard's responsibilities, this 
represented an increase from 4 percent of the Coast Guard's total 
annual resource hours being used for seaport, waterway, and coastal 
security activities before September 11, 2001, to 34 percent by 
September 30, 2003. These activities provide an important input to 
maritime domain awareness as it places Coast Guard personnel out in the 
seaports where they can observe, report, and respond to suspect 
activities or vessels. In addition, these patrols provide the Coast 
Guard with a visible presence out in the seaport that may deter a 
potential terrorist attack from being carried out.

As the lead federal agency responsible for protecting the U.S. maritime 
domain, the Coast Guard has spearheaded an interagency approach for 
establishing maritime domain awareness. Within this approach are 
several activities and actions intended to collect information and 
intelligence, analyze the information and intelligence, and disseminate 
the analyzed information and intelligence to appropriate federal, 
state, local, or private seaport stakeholders. Some of these actions 
were required under MTSA, such as the establishment of an Automatic 
Identification System to track vessels, as well as creation of area 
maritime security committees of local seaport stakeholders who identify 
and address risks within their seaport. In addition to these actions, 
the Department of Defense and DHS formed a Maritime Domain Awareness 
Senior Steering Group in 2004 to coordinate national efforts to improve 
maritime domain awareness. Under Homeland Security Presidential 
Directive 13, issued in December 2004, this steering group is required 
to develop a national plan for maritime domain awareness by June 2005. 
According to the head of the Coast Guard's maritime domain awareness 
program, a draft of this plan is being reviewed before it is submitted 
to the President. Table 3 shows some of the actions currently being 
taken or underway to enhance maritime domain awareness.

Table 3: Examples of Activities to Develop Maritime Domain Awareness:

Maritime Domain Awareness activity: Collection of information and 
Example of activity: Automatic Identification System: AIS uses a device 
aboard a vessel to transmit an identifying signal to a receiver located 
at the seaport and other ships in the area. This signal gives seaport 
officials and other vessels nearly instantaneous information and 
awareness about a vessel's identity, position, speed, and course. The 
Coast Guard intends to provide AIS coverage to meet maritime domain 
awareness requirements in all navigable waters of the United States and 
further offshore. As of May 2005, the Coast Guard has AIS coverage in 
several seaports and coastal areas.[A] In addition to this system, the 
Coast Guard is also working with the International Maritime 
Organization (IMO) to develop functional and technical requirements for 
long-range tracking out to 2,000 nautical miles. The Coast Guard 
proposed an amendment to the International Convention for Safety of 
Life at Sea (SOLAS) for this initiative, which is currently under 
consideration by the international body. However, according to the 
Coast Guard, the issue of long-range tracking is contentious 
internationally and it is uncertain whether the amendment will be 

Maritime Domain Awareness activity: Analysis of information and 
Example of activity: Maritime Intelligence Fusion Centers and Field 
Intelligence Support Teams: Centers have been established by the Coast 
Guard on the East and West Coasts to provide actionable intelligence to 
Coast Guard commanders and units. The teams also conduct initial 
analysis of intelligence in coordination with federal, state, and local 
law enforcement and intelligence agencies.

Maritime Domain Awareness activity: Dissemination of information and 
Example of activity: Area Maritime Security Committees: The committees 
serve as forums for local seaport stakeholders from federal agencies, 
state and local governments, law enforcement, and private industries to 
gain a comprehensive perspective of security issues at a seaport 
location. Information is disseminated through regularly scheduled 
meetings, issuance of electronic bulletins on suspicious activities 
around seaport facilities, and sharing key documents. The committees 
also serve as a link for communicating threats and security information 
to seaport stakeholders; Interagency Operational Centers: These centers 
provide information 24 hours a day about maritime activities and 
involve various federal and nonfederal agencies directly in operational 
decisions using this information. Radar, sensors, and cameras offer 
representations of vessels and facilities. Other data are available 
from intelligence sources, including data on vessels, cargo, and crew. 
Unlike the area maritime security committees, these centers are 
operational in nature with a unified or joint command structure 
designed to receive information and act on it. Representatives from the 
various agencies work side by side, each having access to databases and 
other sources of information from their respective agencies. These 
currently exist in three locations: Charleston, South Carolina; 
Norfolk, Virginia; and San Diego, California.

Source: GAO analysis of Coast Guard data.

[A] The Coast Guard currently has AIS coverage in the following areas: 
Alaska (Anchorage, Homer, Nikiski, Seward, Valdez, and Juneau); Puget 
Sound (Seattle, Tacoma, Everett, Port Angeles, and Olympia); the 
Columbia River entrance; San Francisco Bay and approaches; Los Angeles- 
Long Beach Harbor and approaches; San Diego and approaches; Hawaii 
(Honolulu and Pearl Harbor); Gulf of Mexico (Houston-Galveston, Port 
Arthur, Berwick Bay, and Lower Mississippi River-New Orleans-Baton 
Rouge); South Florida (Key West, Miami, and Port Everglades); 
Charleston, South Carolina; Norfolk, Virginia; New York, New York; Long 
Island Sound (New Haven and New London); Boston Harbor and approaches; 
and Sault Ste. Marie, Michigan.

[End of table]

While many of the activities to develop maritime domain awareness are 
still underway, some progress has already been made. One activity in 
this area that we have recently looked at concerns the process of 
information sharing between federal and nonfederal seaport stakeholders 
participating on area maritime security committees.[Footnote 6] The 
Coast Guard organized 43 of these committees, covering the nation's 361 
seaports. While a primary purpose of the committees is to develop a 
seaport-wide security plan for their respective seaports, the 
committees also provide links for communicating threats and security 
information to seaport stakeholders--links that generally did not exist 
prior to the creation of the committees. The types of information 
shared among committee members with security clearances included 
assessments of vulnerabilities at specific seaport locations, 
information about potential threats or suspicious activities, and 
strategies to use in protecting key infrastructure. Our review found 
that the committees improved information sharing among seaport security 
stakeholders, including the timeliness, completeness, and usefulness of 
information shared.

Another aspect of improving maritime domain awareness involves having 
the assets to communicate and conduct patrols, and in this regard, the 
Coast Guard has budgeted for and is in the process of receiving 
substantial new resources. In 1996, the Coast Guard initiated a major 
recapitalization effort--known as the Integrated Deepwater System--to 
replace and modernize the agency's aging and deteriorating fleet of 
aircraft and vessel assets. The focus of the program is not just on new 
ships and aircraft, but also on newer, more capable assets, with 
improved and integrated command, control, communications and computers, 
intelligence, surveillance, and reconnaissance (C4ISR) capabilities. 
Although the program was started before the attacks of September 11, 
2001, the Coast Guard plans to leverage these capabilities of the 20 
year, $17 billion dollar program to enhance its maritime domain 
awareness and seaport security operations such as patrols and response.

Challenges for Improving Maritime Security Take Three Main Forms:

Propelled by a strong sense of urgency to secure the seaports, federal 
agencies, such as the Coast Guard, CBP, and TSA, accomplished a 
considerable amount in a short time. At the same time, these actions 
have also shown the strains that often occur when difficult tasks must 
be done quickly. We have not examined every action that has been 
started or enhanced regarding maritime security, but our work to date 
has covered a number of them. It is not surprising that we have found, 
besides the progress made, a number of missteps, false starts, and 
inefficiencies. These represent challenges to overcome.

While some of these challenges will be resolved with time, analysis, 
and oversight, there are other challenges that bear even more careful 
watching, because they may prove to be considerably more difficult to 
overcome. I would like to highlight three of those challenges, 
providing examples from our recent work. These three challenges involve 
(1) design and implementing programs, (2) coordinating between 
different agencies and stakeholder interests, and (3) determining how 
to pay for these efforts.

Challenges in Program Design and Implementation:

I will discuss today two illustrative examples related to challenges in 
program design and implementation that we have identified from our 
work. These include the (1) lack of planning and performance measures 
for program design and (2) lack of experienced personnel for program 

Lack of Planning and Performance Measures for Program Design:

One effect of having to design programs quickly is that they may lack 
such elements as strategic plans and performance measures needed to set 
program goals and monitor performance. The lack of such tools can 
create problems that need to be resolved as the program unfolds. For 
example, we have reviewed CBP's actions to establish a system meant to 
reliably identify potentially risky cargo containers.

Our work has shown that a need exists for additional efforts in several 
homeland security activities, including securing cargo, in order to 
help ensure the effectiveness of the approach.[Footnote 7] As we noted 
in a July 2003 report, the former U.S. Customs Service, part of which 
is now CBP initiated the Container Security Initiative (CSI) in January 
2002 in response to security vulnerabilities created by ocean container 
trade and the concern that terrorists could exploit these 
vulnerabilities to transport or detonate WMDs in the United States. 
[Footnote 8] During the first year, program officials quickly designed 
and rolled out the initiative, modifying operations over time. The 
service achieved strong initial participation among the countries that 
it sought to enroll in the initiative, reaching agreement with 15 
governments to place U.S. personnel at 24 seaports, and placing teams 
in 5 of these seaports. However, CBP had not taken adequate steps to 
incorporate human capital planning, develop performance measures, and 
plan strategically--factors essential to the program's long-term 
success and accountability. We noted, for example, that:

* More than 1 year into the implementation of the initiative, CBP had 
not developed a systematic human capital plan to recruit, train, and 
assign the more than 120 program staff that would be needed for long- 
term assignments in a wide range of foreign seaports, some of which 
could require language capabilities and diplomatic skills.

* CBP lacked performance measures for the initiative that demonstrated 
program achievements and established accountability. For example, the 
service lacked measures that assessed the impact of collocating U.S. 
and foreign customs officials in foreign seaports to determine which 
containers should be targeted for inspection.

* CBP's focus on short-term operational planning in order to quickly 
implement the program impeded its ability to systematically carry out 
strategic planning. We noted that the service did not have a strategic 
plan for the initiative that describes how it intends to achieve 
program goals and objectives. As a result, CBP lacked elements of 
strategic planning that would improve the management of the program and 
allow CBP to establish accountability for planned expenditures.

As also reported in July 2003, another program that did not take 
adequate steps to incorporate the human capital planning and 
performance measures necessary for the program's long-term success and 
accountability is CBP's Customs-Trade Partnership Against Terrorism (C- 
TPAT) program. Initiated in November 2001, C-TPAT is an initiative that 
attempts to improve the security of the international supply chain. It 
is a cooperative program between CBP and members of the international 
trade community in which private companies agree to improve the 
security of their supply chains in return for a reduced likelihood that 
their containers will be inspected.

During the first year, more than 1,700 companies agreed to participate 
in the program, and most received the key benefit--a reduced likelihood 
of inspections for WMDs. However, we noted similar kinds of problems to 
those in the CSI program. For example, we found that:

* Even as it rolled out new program elements, CBP lacked a human 
capital plan for increasing the number of C-TPAT staff from 10 to more 
than 160.

* CBP had not developed performance measures for C-TPAT that would 
establish accountability and measure program achievements. For example, 
CBP had no performance measure to assess the impact of C-TPAT on 
improving supply chain security practices, possibly resulting in 
benefits being granted to undeserving companies.

* CBP lacked strategic planning in rolling out C-TPAT, failing to 
communicate how it planned to implement critical program elements 
designed to verify that companies have security measures in place and 
follow through with recommended changes.

We are currently reviewing both the CSI and CTPAT programs and will 
soon be issuing reports to update our earlier evaluation of these 

Lack of Experienced Personnel for Program Implementation:

One major challenge in program implementation is the lack of 
experienced personnel, which is to be expected given the rapid increase 
in newly hired personnel since September 11, 2001. Agencies such as the 
Coast Guard expect to see large increases in the number of staff over 
the next few years to help meet new and expanded responsibilities. 
Consequently, they also face a challenge in absorbing this increase and 
training them to be fully productive. We pointed out early on that this 
would be a challenge for the Coast Guard,[Footnote 9] and subsequent 
work has shown this to be the case. For example, after a Coast Guard 
internal review found that readiness of its multi-mission stations--the 
shore-based units whose responsibilities include finding and rescuing 
mariners in danger--had been in decline for an extended period, the 
Coast Guard began efforts to improve the readiness of the stations. 
This effort was complicated by the new homeland security 
responsibilities the stations assumed after the terrorist attacks of 
September 11, 2001. In a recent review of staffing and readiness at 
these multi-mission stations,[Footnote 10] we found that the Coast 
Guard was still in the process of defining new standards for security 
activities and had yet to translate the impact of security-related 
mission responsibilities into specific station readiness requirements, 
such as staffing standards. Consequently, even though station staffing 
had increased 25 percent since 2001, the Coast Guard was unable to 
align staffing resources with mission activities, which resulted in a 
significant number of positions not being filled with qualified 
personnel and station personnel working significantly longer hours than 
are allowed under the Coast Guard's work standards.

We also identified personnel or human capital challenges such as lack 
of experienced personnel related to the Coast Guard's program to 
oversee implementation of MTSA-required security plans by owners and 
operators of maritime facilities and vessels. These security plans are 
performance-based, meaning the Coast Guard has specified the outcomes 
it is seeking to achieve and has given seaport stakeholders 
responsibility for identifying and delivering the measures needed to 
achieve these outcomes. While this approach provides flexibility to 
owners and operators in designing and implementing their plans, it also 
places a premium on the skills and experience of inspectors to identify 
deficiencies and recommend corrective action. Because the Coast Guard 
had to review and assess for compliance more than 12,000 security plans 
for facilities and vessels, it had to rely heavily on reservists, which 
varied greatly in the level of their skills and experience in this 
area. For example, some reservists had graduate degrees in security 
management while others had no formal security training or experience. 
In June 2004, we recommended that the Coast Guard carefully evaluate 
its efforts during the initial surge period for inspections.[Footnote 
11] The Coast Guard has adjusted its inspection program to make its 
compliance assessments more relevant and useful, but it has not yet 
determined the overall effectiveness of its compliance actions.

Challenges in Coordinating Actions:

Coordinating massive new homeland security actions has been an 
acknowledged challenge since the events of September 11, 2001, and 
seaport security has been no exception. On the federal side alone, we 
have for several years designated implementing and transforming the new 
DHS as a high-risk area.[Footnote 12] Since the agency's inception in 
March 2003, DHS leadership has provided a foundation to maintain 
critical operations while undergoing transformation, and the agency has 
begun to put systems in place to operate more effectively and 
efficiently as an agency. In managing its transformation, however, DHS 
still faces such issues as forming effective partnerships with other 
governmental and private-sector entities.

We have made numerous recommendations related to information sharing, 
particularly as it relates to fulfilling federal critical 
infrastructure protection responsibilities.[Footnote 13] For example, 
we have reported on the practices of organizations that successfully 
share sensitive or time-critical information, including establishing 
trust relationships, developing information-sharing standards and 
protocols, establishing secure communications mechanisms, and 
disseminating sensitive information appropriately. Federal agencies 
such as DHS and the Coast Guard have concurred with our recommendations 
that they develop appropriate strategies to address the many potential 
barriers to information sharing. However, as of January 2005, many 
federal efforts to do this remain in the planning or early 
implementation stages especially in the area of homeland security 
information sharing, including establishing clear goals, objectives, 
and expectations for the many participants in information-sharing 
efforts; and consolidating, standardizing, and enhancing federal 
structures, policies, and capabilities for the analysis and 
dissemination of information. In this regard, the issue of information- 
sharing across agency and stakeholder lines has emerged as a 
significant enough challenge that we have also designated it as a high- 
risk area. Here are three examples that illustrate the kinds of 
problems and challenges that remain related to seaport security.

Obtaining Security Clearances:

While coordination of information-sharing at the seaport level appears 
to have improved, seaports are experiencing challenges with regards to 
nonfederal officials obtaining security clearances. For some time, 
state and local seaport and law enforcement personnel have reported 
problems in obtaining federally generated intelligence information 
about their jurisdictions because they did not have a federal security 
clearance. However, as of February 2005--over 4 months after the Coast 
Guard had developed a list of over 350 nonfederal area maritime 
security committee participants as having a need for a security 
clearance--only 28 had submitted the necessary paperwork for the 
background check. Local Coast Guard officials told us they did not 
clearly understand their responsibility for communicating with state 
and local officials about the process for obtaining a security 
clearance. After we expressed our concerns to Coast Guard officials in 
headquarters in February 2005, officials took action and drafted 
guidelines clarifying the role that local Coast Guard officials play in 
the program.

Sharing Information about Security Exercises:

In a January 2005 report,[Footnote 14] we reported that improvement in 
the coordination of state, local, and federal entities during seaport 
exercises was needed. While it was still too early to determine how 
well entities will function in coordinating an effective response to a 
seaport-related threat or incident, we identified four operational 
issues that needed to be addressed in order to promote more effective 
coordination. We found that more than half of the seaport exercises and 
after-action reports we examined raised communication issues, including 
problems with information sharing among first responders and across 
agency lines. We also found that over half of the exercises raised 
concerns with communication and the resources available, including 
inadequate facilities or equipment, differing response procedures, and 
the need for additional training in joint agency response. To a lesser 
extent, we found concerns with participants' ability to coordinate 
effectively and know who had the proper authority to raise security 
levels, board vessels, or detain passengers.

Developing a Transportation Worker Identification Credential:

Beyond information-sharing, a host of challenges remain in coordinating 
across agency lines and in resolving issues that cut across a wide 
range of stakeholder perspectives. In this regard, there is perhaps no 
better example in our recent work than the delayed attempts to develop 
a major component of the security framework envisioned under MTSA--an 
identification card for maritime workers. The transportation worker 
identification credential (TWIC) was initially envisioned by TSA before 
it became part of DHS to be a universally recognized identification 
card accepted across all modes of the national transportation system, 
including airports, seaports, and railroad terminals, using biological 
metrics, such as fingerprints, to ensure individuals with such an 
identification card had undergone an assessment verifying that they do 
not pose a terrorism security risk. TSA initially projected that it 
would test a prototype of such a card system in 2003 and issue the 
first of the cards in August 2004. After TSA became part of DHS, 
testing of the prototype was delayed because of the difficulty in 
obtaining a response from DHS policy officials who also subsequently 
directed the agency to reexamine additional options for issuing the 
identification card. In addition to coordinating within DHS, TSA has 
had to coordinate with over 800 national level transportation-related 
stakeholders. Several stakeholders at seaports and seaport facilities 
told us that, while TSA solicited their input on some issues, TSA did 
not respond to their input or involve them in making decisions 
regarding eligibility requirements for the card.[Footnote 15] In 
particular, some stakeholders said they had not been included in 
discussions about which felony convictions should disqualify a worker 
from receiving a card, even though they had expected and requested that 
DHS and TSA involve them in these decisions. Obtaining stakeholder 
involvement is important because achieving program goals hinges on the 
federal government's ability to form effective partnerships among many 
public and private stakeholders. If such partnerships are not in place-
-and equally important, if they do not work effectively--TSA may not be 
able to test and deliver a program that performs as expected. Until TSA 
and DHS officials agree on a comprehensive project plan to guide the 
remainder of the project and work together to set and complete 
deadlines, and TSA can effectively manage its stakeholders' interests, 
it may not be able to successfully develop, test, and implement the 
card program. We issued a report on TWIC in December 2004[Footnote 16] 
and the Senate Committee on Homeland Security and Governmental Affairs 
has asked us to review the program again.

Challenges in Providing Funding for Seaport Security Actions and 

Our reviews indicate that funding is a pressing challenge to putting 
effective seaport security measures in place and sustaining these 
measures over time. This is the view of many transportation security 
experts, industry representatives, and federal, state, and local 
government officials with whom we have spoken. While some security 
improvements are inexpensive, most require substantial and continuous 
funding. For example, a preliminary Coast Guard estimate placed the 
cost of implementing the International Maritime Organization security 
code and the security provisions in MTSA at approximately $1.5 billion 
for the first year and $7.3 billion over the succeeding decade. This 
estimate should be viewed more as a rough indicator than a precise 
measure of costs, but it does show that the cost is likely to be 
substantial.[Footnote 17]

At the federal level, more than $560 million in grants has been made 
available to seaports, localities, and other stakeholders since 2002 
under the Port Security Grant Program and the Urban Area Security 
Initiative. The purpose of these programs was to reduce the 
vulnerability of seaports to potential terrorist attacks by enhancing 
facility and operation security. The programs funded several projects, 
including security assessments; physical enhancements, such as gates 
and fences; surveillance equipment, such as cameras; and the 
acquisition of security equipment, such as patrol vessels or vehicles. 
Awardees have included seaport authorities, local governments, vessel 
operators, and private companies with facilities in seaport areas. 
Interest in receiving port security grants has been strong, and, as 
figure 2 shows, applicant requests have far exceeded available funds. 
We are currently examining the Port Security Grant Program at the 
request of several Members of Congress, and we are focusing this review 
on the risk management practices used in comparing and prioritizing 
applications. Our work is under way, and we expect to issue our report 
later this year.[Footnote 18]

Figure 2: Comparison of Requests and Awards for Funding, Port Security 
Grant Program, Fiscal Years 2002-2004:

[See PDF for image]

Note: Figure 2 does not include $75 million that was awarded to 14 high-
risk seaport areas under the Urban Area Security Initiative (UASI) by 
the Office of Domestic Preparedness. This program is separate from its 
basic UASI program, which provided formula grants to 50 urban areas for 
equipment, training, planning, exercise, operational needs, and 
critical infrastructure.

[End of figure]

Where the money will come from for all of the funding needs is unclear. 
In our 2002 statement on national preparedness,[Footnote 19] we 
highlighted the need to examine the sustainability of increased funding 
not only for seaport security, but for homeland security efforts in 
general. The current economic environment makes this a difficult time 
for private industry and state and local governments to make security 
investments and sustain increased security costs. According to industry 
representatives and experts we contacted, most of the transportation 
industry operates on a very thin profit margin, making it difficult to 
pay for additional security measures. Budgetary and revenue 
constraints, coupled with increasing demands on resources, makes it 
more critical that federal programs be designed carefully to match the 
priorities and needs of all partners--federal, state, local, and 
private--and provide the greatest results for the expenditure.

Setting Performance Goals and Measures and Assessing Risk Are Important 
Next Steps:

The final purpose of my testimony today is to offer observations, based 
on the work we have done to date, about important next steps for 
decision makers in charting a course for future actions. The terrorist 
attacks of September 11, 2001, evoked with stunning clarity the face 
and intent of enemies very different from those the nation has faced 
before--terrorists such as al Qaeda, willing and able to attack us in 
our territory using tactics designed to take advantage of our 
relatively open society and individual freedoms. The amount of activity 
in response has been considerable, and although there have been no 
serious incidents in the United States in the interim, the threat of 
terrorism will likely persist well into the 21st century. Thus, it is 
important to continue to make progress in our efforts. Beyond 
addressing the kinds of challenges discussed above, however, two other 
matters stand out. One involves developing a better understanding of 
how much progress has actually been made to secure our seaports; the 
other involves developing a better strategy to manage risk and 
prioritize what areas need further progress and how resources can be 
best allocated.

Lack of Goals and Measures Makes Determining Progress Difficult:

Although there is widespread agreement that actions taken so far have 
led to a heightened awareness of the need for security and an enhanced 
ability to identify and respond to many security threats, it is 
difficult to translate these actions into a clear sense of how far we 
have progressed in making seaports more secure. One reason is that 
seaport security efforts, like homeland security efforts in general, 
lack measurable goals, as well as performance measures to measure 
progress toward those goals. As others such as the Gilmore Commission 
have stated, a continuing problem for homeland security has been the 
lack of clear strategic guidance about the definition and objectives of 
preparedness.[Footnote 20] For example, the Coast Guard has a set of 
performance indicators for each of its nonsecurity missions. It 
regularly reports on how well it is doing in rescuing mariners at sea, 
interdicting foreign fishing boats attempting to fish the in U.S. 
exclusive economic zone, or maintaining aids to navigation on the 
nation's waterways. However, although it has been more than 3 years 
since the September 11, 2001, attacks, the Coast Guard is still in the 
process of developing a performance indicator for its seaport security 
activities that can be used to indicate what progress has been made to 
secure seaports. Completion of this indicator and careful tracking of 
it over the long term is essential to help ensure that taxpayer dollars 
are being spent wisely to make seaports more secure. Similarly, as 
discussed earlier in describing the actions taken to secure the cargo 
transiting through seaports in containers, performance measures are 
needed to determine the progress such actions are making to reduce 
vulnerabilities of the international supply chain.

A challenge exists in measuring progress in this area, because seaport 
security, like many aspects of homeland security, relies upon the 
coordinated actions of many stakeholders and, in many cases, upon 
"layers" of defenses. In this regard, we have pointed out that systems 
and service standards--which focus on the performance, design, and 
overall management of processes and activities--hold great potential to 
improve coordination across such dimensions and enhance measurement of 
continued preparedness.[Footnote 21] While such standards are already 
being used in many parts of the private sector, creation of performance 
and results measures for national security in general, and seaport 
security in particular, remains a work in progress.

Risk Management Is an Essential Tool for Focusing Efforts Effectively:

Even with clear goals and effective performance measures, it seems 
improbable that all risk can be eliminated, or that any security 
framework can successfully anticipate and thwart every type of 
potential terrorist threat that highly motivated, well skilled, and 
adequately funded terrorist groups could think up. This is not to 
suggest that security efforts do not matter--they clearly do. However, 
it is important to keep in mind that total security cannot be bought no 
matter how much is spent on it. We cannot afford to protect everything 
against all threats--choices must be made about security priorities. 
Thus, great care needs to be taken to assign available resources to 
address the greatest risks, along with selecting those strategies that 
make the most efficient and effective use of resources.

One approach to help ensure that resources are assigned and appropriate 
strategies are selected to address the greatest risks is through risk 
management--that is, defining and reducing risk. A risk management 
approach is a systematic process for analyzing threats and 
vulnerabilities, together with the criticality (that is, the relative 
importance) of the assets involved. This process consists of a series 
of analytical and managerial steps, basically sequential, that can be 
used to assess vulnerabilities, determine the criticality (that is, the 
relative importance) of the assets being considered, determine the 
threats to the assets, and assess alternatives for reducing the risks. 
Once these are assessed and identified, actions to improve security and 
reduce the risks can be chosen from the alternatives for 
implementation. To be effective, however, this process must be repeated 
when threats or conditions change to incorporate any new information to 
adjust and revise the assessments and actions.

Some elements of risk management have been incorporated into seaport 
security activities. For example, to meet the requirements of MTSA, 
security plans for seaports, facilities, and vessels have been 
developed based on assessments that identify their vulnerabilities. In 
addition, the Coast Guard is using the Port Security Risk Assessment 
Tool, which is designed to prioritize risk according to a combination 
of possible threat, consequence, and vulnerability. Under this 
approach, seaport infrastructure that is determined to be both a 
critical asset and a likely and vulnerable target would be a high 
priority for security enhancements or funding. By comparison, 
infrastructure that is vulnerable to attack but not as critical or 
infrastructure that is very critical but already well protected would 
be lower in priority. In a homeland security setting, possible uses of 
data produced from risk management efforts include informing decisions 
on where the federal government might spend billions of dollars within 
and between federal departments, as well as informing decisions on 
grants awarded to state and local governments.

As the nation moves ahead with seaport security efforts, there are 
plans to incorporate risk management as part of the nation's larger 
homeland security strategy. Homeland Security Presidential Directive 7, 
issued in December 2003, charged DHS with integrating the use of risk 
management into homeland security activities. The directive called on 
the Department to develop policies, guidelines, criteria, and metrics 
for this effort. To meet this requirement, the Coast Guard has taken 
steps to use risk management in prioritizing the protection of key 
infrastructure within and between seaports. We are currently in the 
process of assessing the progress the Coast Guard has made in these 
efforts. In addition, we are reviewing the extent to which a risk 
management approach is being used by other DHS agencies, such as the 
Information Analysis and Infrastructure Protection Directorate, to 
evaluate the relative risk faced by key infrastructure within seaports 
and across broad sectors of national activity, such as seaports and 
aviation, to help ensure funding and resources are allocated to where 
they are needed most. Our work is still under way and not far enough 
along to discuss at this time. It is likely, however, that attention to 
risk management will be a key part of the ongoing dialogue about the 
nation's homeland security actions in general, and its seaport security 
actions in particular.

Concluding Observations:

Managing the risks associated with securing our nation's seaports 
involves a careful balance between the benefits of added security and 
the potential economic impacts of security enhancements. While there is 
broad support for greater security, the national economy is heavily 
dependent on keeping goods, trucks, trains, and people flowing quickly 
through seaports, and bringing commerce to a crawl in order to be 
completely safe carries its own serious economic consequences. Striking 
the right balance between increased security and protecting economic 
vitality is an important and difficult task. Considering this, three 
things stand out as important from the work we have conducted:

* Seaports are not retreating as a homeland security issue. They are an 
attractive terrorist target and are likely to remain so, because by 
their nature they represent a vulnerability that is always open to 
potential exploitation.

* Seaport security has lived up to its billing as an area in which 
security measures can be difficult to implement. The range of activity 
in seaport areas can be extremely wide, as can the range of 
stakeholders and the fragmentation of responsibility among them. Many 
of the problems we have identified with individual programs and efforts 
can likely be overcome with time and effort, but success is not 
assured. We are already seeing some efforts, such as the TWIC 
identification card, becoming deeply mired in problems. These 
activities will thus continue to demand close attention.

* The national dialogue on this issue is likely to focus increasingly 
in trying to determine what we are getting for our efforts and where we 
should invest the dollars we have. Therefore, it is critical that 
federal programs be designed carefully to try to match the priorities 
and needs of all partners--federal, state, local, and private--and use 
performance measures to effectively allocate funds and resources. On 
this point, there is work to do, because agencies such as the Coast 
Guard currently lack a systematic approach for explaining the 
relationship between the expenditure of resources and performance 
results in seaport security, limiting its ability to critically examine 
its resource needs and prioritize program efforts. Providing answers 
also requires an ability to carefully assess what the key 
vulnerabilities are and what should be done to protect them. Only by 
doing this will we have reasonable assurance that we are doing the best 
job with the dollars we have.

Mr. Chairman, this concludes my prepared statement. I would be pleased 
to answer any questions that you or other Members of the Committee may 

Contacts and Acknowledgments:

[End of section]

For information about this testimony, please contact Margaret 
Wrightson, Director, Homeland Security and Justice Issues, at (415) 904-
2200, or Other individuals making key contributions 
to this testimony include Steve Calvo, Geoffrey Hamilton, Christopher 
Hatscher, Sara Margraf, and Stan Stenersen.

[End of section]

Appendix I: Related GAO Products:

Coast Guard: Preliminary Observations on the Condition of Deepwater 
Legacy Assets and Acquisition Management Challenges. GAO-05-307T. 
Washington, D.C.: April 20, 2005.

Maritime Security: New Structures Have Improved Information Sharing, 
but Security Clearance Processing Requires Further Attention. GAO-05- 
394. Washington, D.C.: April 15, 2005.

Preventing Nuclear Smuggling: DOE Has Made Limited Progress in 
Installing Radiation Detection Equipment at Highest Priority Foreign 
Seaports. GAO-05-375. Washington, D.C.: March 31, 2005.

Coast Guard: Observations on Agency Priorities in Fiscal Year 2006 
Budget Request. GAO-05-364T. Washington, D.C.: March 17, 2005.

Homeland Security: Process for Reporting Lessons Learned from Seaport 
Exercises Needs Further Attention. GAO-05-170, Washington, D.C.: 
January 14, 2005.

Port Security: Planning Needed to Develop and Operate Maritime Worker 
Identification Card Program. GAO-05-106. Washington, D.C.: December 10, 

Maritime Security: Better Planning Needed to Help Ensure an Effective 
Port Security Assessment Program. GAO-04-1062. Washington, D.C.: 
September 30, 2004.

Maritime Security: Partnering Could Reduce Federal Costs and Facilitate 
Implementation of Automatic Vessel Identification System. GAO-04-868. 
Washington, D.C.: July 23, 2004.

Maritime Security: Substantial Work Remains to Translate New Planning 
Requirements into Effective Port Security. GAO-04-838. Washington, 
D.C.: June 30, 2004.

Coast Guard: Deepwater Program Acquisition Schedule Update Needed. GAO- 
04-695. Washington, D.C.: June 14, 2004.

Coast Guard: Key Management and Budget Challenges for Fiscal Year 2005 
and Beyond. GAO-04-636T. Washington, D.C.: April 7, 2004.

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing 
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 
31, 2004.

Coast Guard Programs: Relationship between Resources Used and Results 
Achieved Needs to Be Clearer. GAO-04-432. Washington, D.C.: March 22, 

Contract Management: Coast Guard's Deepwater Program Needs Increased 
Attention to Management and Contractor Oversight. GAO-04-380. 
Washington, D.C.: March 9, 2004.

Homeland Security: Preliminary Observations on Efforts to Target 
Security Inspections of Cargo Containers. GAO-04-325T. Washington, 
D.C.: December 16, 2003.

Posthearing Questions Related to Aviation and Port Security. GAO-04- 
315R. Washington, D.C.: December 12, 2003.

Maritime Security: Progress Made in Implementing Maritime 
Transportation Security Act, but Concerns Remain. GAO-03-1155T. 
Washington, D.C.: September 9, 2003.

Container Security: Expansion of Key Customs Programs Will Require 
Greater Attention to Critical Success Factors. GAO-03-770. Washington, 
D.C.: July 25, 2003.

Homeland Security: Challenges Facing the Department of Homeland 
Security in Balancing Its Border Security and Trade Facilitation 
Missions. GAO-03-902T. Washington, D.C.: June 16, 2003.

Coast Guard: Challenges during the Transition to the Department of 
Homeland Security. GAO-03-594T. Washington, D.C.: April 1, 2003.

Transportation Security: Post-September 11th Initiatives and Long-Term 
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.

Coast Guard: Comprehensive Blueprint Needed to Balance and Monitor 
Resource Use and Measure Performance for All Missions. GAO-03-544T. 
Washington, D.C.: March 12, 2003.

Homeland Security: Challenges Facing the Coast Guard as It Transitions 
to the New Department. GAO-03-467T. Washington, D.C.: February 12, 2003.

Container Security: Current Efforts to Detect Nuclear Materials, New 
Initiatives, and Challenges. GAO-03-297T. Washington, D.C.: November 
18, 2002.

Coast Guard: Strategy Needed for Setting and Monitoring Levels of 
Effort for All Missions. GAO-03-155. Washington, D.C.: November 12, 

Port Security: Nation Faces Formidable Challenges in Making New 
Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002.

Combating Terrorism: Preliminary Observations on Weaknesses in Force 
Protection for DOD Deployments through Domestic Seaports. GAO-02- 
955TNI. Washington, D.C.: July 23, 2002.

[End of section]

Appendix II: Previous GAO Recommendations:

Agency/program: Automatic Identification System (AIS); 
GAO Recommendations to the U.S. Coast Guard: 
* To seek and take advantage of opportunities to partner with 
organizations willing to develop AIS systems at their own expense in 
order to help reduce federal costs and speed development of AIS 
nationwide. (GAO-04-868).

Agency/program: Deepwater acquisition; 
GAO Recommendations to the U.S. Coast Guard: 
* Take the necessary steps to make integrated product team (IPT) 
members effective, including (1) training IPTS in a timely manner, (2) 
chartering the sub-IPTs, and (3) making improvements to the electronic 
information system that would result in better information sharing 
among IPT members who are geographically dispersed. (GAO-04-380); 
* Follow the procedures outlined in the human capital plan to ensure 
that adequate staffing is in place and turnover among Deepwater 
personnel is proactively addressed. (GAO-04-380); 
* Ensure that field operators and maintenance personnel are provided 
with timely information and training on how the transition will occur 
and how maintenance responsibilities are to be divided between system 
integrator and Coast Guard personnel. (GAO-04-380); 
* Develop and adhere to measurable award fee criteria consistent with 
the Office of Federal Procurement Policy's guidance. (GAO-04-380); 
* Ensure that the input of contracting officer's technical 
representatives (COTR) is considered and set forth in a more rigorous 
manner. (GAO-04-380); 
* Hold the system integrator accountable in future award fee 
determinations for improving the effectiveness of IPTs. (GAO-04-380); 
* Establish a time frame for when the models and metrics will be in 
place with the appropriate degree of fidelity to be able to measure the 
contractor's progress toward improving operational effectiveness. (GAO-
* Establish a total ownership cost (TOC) baseline that can be used to 
measure whether the Deepwater acquisition approach is providing the 
government with increased efficiencies compared to what it would have 
cost without this approach. (GAO-04- 380); 
* Establish criteria to determine when the TOC baseline should be 
adjusted and ensure that the reasons for any changes are documented. 
* Develop a comprehensive plan for holding the system integrator 
accountable for ensuring an adequate degree of competition among second-
tier suppliers in future program years. This plan should include 
metrics to measure outcomes and consideration of how these outcomes 
will be taken into account in future award fee decisions. (GAO-04-380); 
* For subcontracts over $5 million awarded by Integrated Coast Guard 
Systems LLC (ICGS) to Lockheed Martin and Northrop Grumman, require 
Lockheed Martin and Northrop Grumman to notify the Coast Guard of a 
decision to perform the work themselves rather than contracting it out. 
* To update the original 2002 Deepwater acquisition schedule in time to 
support the fiscal year 2006 Deepwater budget submission to DHS and 
Congress and at least once a year thereafter to support each budget 
submission, which should include the current status of asset 
acquisition phases, interim phase milestones, and the critical paths 
linking the delivery of individual components to particular assets. 

Agency/program: MTSA security plans; 
GAO Recommendations to the U.S. Coast Guard: 
* Conduct a formal evaluation of compliance inspection efforts taken 
during the initial 6-month surge period, including the adequacy of 
security inspection staffing, training, and guidance, and use this 
evaluation as a means to strengthen the compliance process for the 
longer term. (GAO- 04-838); 
* Clearly define the minimum qualifications for inspectors and link 
these qualifications to a certification process. (GAO-04-838); 
* Consider including unscheduled and unannounced inspections and covert 
testing as part of its inspection strategy to provide better assurance 
that the security environment at the nation's seaports meets the 
nation's expectations. (GAO-04-838).

Agency/program: Multi-mission station readiness; 
GAO Recommendations to the U.S. Coast Guard: 
* Revise the Boat Forces Strategic Plan to (1) reflect the impact of 
homeland security requirements on station needs and (2) identify 
specific actions, milestones, and funding needs for meeting those 
needs. (GAO-05-161); 
* Develop measurable annual goals for stations. (GAO-05-161); 
* Revise the processes and practices for estimating and allocating 
station personal protection equipment (PPE) funds to reliably identify 
annual funding needs and use this information in making future funding 
decisions. (GAO-05-161).

Agency/program: Obtaining security clearances; 
GAO Recommendations to the U.S. Coast Guard: 
* Develop formal procedures so that local and headquarters officials 
use the Coast Guard's internal databases of state, local, and industry 
security clearances for area maritime committee members as a management 
tool to monitor who has submitted applications for a security clearance 
and to take appropriate action when application trends point to 
possible problems. (GAO-05-394); 
* Raise awareness of state, local, and industry officials about the 
process of applying for security clearances. (GAO-05-394).

Agency/program: Port security assessment program; 
GAO Recommendations to the U.S. Coast Guard: 
* To define and document the geographic information system (GIS) 
functional requirements. (GAO-04-1062); 
* Develop a long-term project plan for the GIS and the Port Security 
Assessment Program as a whole (including cost estimates, schedule, and 
management responsibilities). (GAO-04-1062).

Agency/program: Resource effectiveness; 
GAO Recommendations to the U.S. Coast Guard: 
* To develop a time frame for expeditiously proceeding with plans for 
implementing a system that will accurately account for resources 
expended in each of its program areas. (GAO-04-432); 
* Ensure that the strategic planning process and its associated 
documents include a strategy for (1) identifying intervening factors 
that may affect program performance and (2) systematically assessing 
the relationship between these factors, resources used, and results 
achieved. (GAO-04- 432).

Agency/program: Seaport exercises; 
GAO Recommendations to the U.S. Coast Guard: 
* To help ensure that reports on terrorism-related exercises are 
submitted in a timely manner that complies with all Coast Guard 
requirements, the Commandant of the Coast Guard should review the Coast 
Guard's actions for ensuring timeliness and determine if further 
actions are needed. (GAO-05-170).

Agency/program: Megaports Initiative; 
GAO Recommendations to the Department of Energy: 
* Develop a comprehensive long-term plan to guide the future efforts of 
the Initiative that includes, at a minimum, (1) performance measures 
that are consistent with DOE's desire to install radiation detection 
equipment at the highest priority foreign seaports, (2) strategies to 
determine how many and which lower priority ports DOE will include in 
the Initiative if it continues to have difficulty installing equipment 
at the highest priority ports, (3) projections of the anticipated funds 
required to meet the Initiative's objectives, and (4) specific time 
frames for effectively spending program funds. (GAO-05-375); 
* Evaluate the accuracy of the current per port cost estimate of $15 
million, make any necessary adjustments to the Initiative's long-term 
cost projection, and inform Congress of any changes to the long-term 
cost projection for the Initiative. (GAO-05-375).

Agency/program: Container Security Initiative (CSI); and Customs-Trade 
Partnership Against Terrorism (C-TPAT); 
GAO Recommendations to the U.S. Customs and Border Protection: 
* Develop human capital plans that clearly describe how CSI and C-TPAT 
will recruit, train, and retain staff to meet their growing demands as 
they expand to other countries and implement new program elements. 
These plans should include up-to-date information on CSI and C-TPAT 
staffing and training requirements and should be regularly used by 
managers to identify areas for further human capital planning, 
including opportunities for improving program results. (GAO-03-770); 
* Expand efforts already initiated to develop performance measures for 
CSI and C-TPAT that include outcome-oriented indicators. These measures 
should be tangible, measurable conditions that cover key aspects of 
performance and should enable agencies to assess accomplishments, make 
decisions, realign processes, and assign accountability. Furthermore, 
the measures should be used to determine the future direction of these 
Customs' programs. (GAO-03-770); 
* Develop strategic plans that clearly lay out CSI and C-TPAT goals, 
objectives, and detailed implementation strategies. These plans should 
not only address how the strategies and related resources, both 
financial and human, will enable Customs to secure ocean containers 
bound for the United States, but also reinforce the connections between 
these programs' objectives and both Customs' and the Department of 
Homeland Security's long-term goals. (GAO-03- 770); 
* Use its resources to maximize the effectiveness of its automated 
targeting strategy to reduce the uncertainty associated with 
identifying cargo for additional inspection. (GAO-04-557T); 
* Institute a national inspection reporting system. (GAO-04-557T); 
* Test and certify CBP officials that receive the targeting training. 
(GAO-04- 557T); 
* Resolving the safety concerns of longshoremen unions. (GAO-04- 557T).

Agency/program: Transportation worker identification card (TWIC); 
GAO Recommendations to the U.S. Transportation Security Administration: 
* Develop a comprehensive project plan for managing the remaining life 
of the TWIC project. (GAO-05-106); 
* Develop specific, detailed plans for risk mitigation and cost-benefit 
and alternatives analyses. (GAO-05-106).

Source: GAO.

[End of table]


[1] Pub. L. No. 107-295, 116 Stat. 2064 (2002).

[2] Zeigert, Amy, et. al. "Port Security: Improving Emergency Response 
Capabilities at the Ports of Los Angeles and Long Beach." California 
Policy Options 2005. University of California Los Angeles, School of 
Public Affairs (Los Angeles, Calif. 2005). 

[3] None of the listings in this testimony is meant to be exhaustive of 
all the efforts under way. The Coast Guard has a range of activities 
underway for reducing seaport vulnerabilities that extends beyond the 
actions shown here. Such activities include, among others the use of 
armed boarding officers, formerly known as sea marshals, who board high-
interest vessels arriving or departing U.S. seaports and stand guard in 
critical areas of the vessels; the establishment of Maritime Safety and 
Security Teams (MSST) to provide antiterrorism protection for strategic 
shipping, high-interest vessels, and critical infrastructure; and the 
underwater port security system, which uses trained divers and robotic 
cameras to check ship hulls and piers and an underwater intruder 
detection system. We have not evaluated the effectiveness of these 

[4] Another program to help secure the overseas supply chain process is 
the Coast Guard's International Port Security Program. In response to 
being required under MTSA to assess antiterrorism measures maintained 
at foreign seaports, the Coast Guard established this program in April 
2004 to protect the global shipping industry by helping foreign nations 
evaluate security measures in their seaports. Through bilateral or 
multilateral discussions, the Coast Guard and the host nations review 
the implementation of security measures against established security 
standards, such as the International Maritime Organization's ISPS Code. 
To conduct the program, the Coast Guard has assigned officials to three 
regions (Asia-Pacific, Europe/Africa/Middle East, and Central/South 
America) to facilitate the discussions. In addition, a Coast Guard team 
has been established to conduct country/port visits, discuss security 
measures implemented, and develop best practices between countries. 
Each year the Coast Guard seeks to visit approximately 45 countries 
that conduct maritime trade with the United States.

[5] The nation's three largest container port regions (Los Angeles/Long 
Beach, New York/New Jersey, and Seattle/Tacoma) are involved in the 
Operation Safe Commerce pilot project. 

[6] GAO, Maritime Security: New Structures Have Improved Information 
Sharing, but Security Clearance Processing Requires Further Attention, 
GAO-05-394 (Washington, D.C.: April 15, 2005). 

[7] GAO, Container Security: Expansion of Key Customs Programs Will 
Require Greater Attention to Critical Success Factors, GAO-03-770 
(Washington, D.C.: July 2003); and GAO, Homeland Security: Summary of 
Challenges Faced in Targeting Oceangoing Cargo Containers for 
Inspection, GAO-04-557T (Washington, D.C.: March 2004). In addition, we 
have additional work underway regarding the Container Security 
Initiative program and expect to issue our report in May.

[8] GAO, Container Security: Expansion of Key Customs Programs Will 
Require Greater Attention to Critical Success Factors, GAO-03-770 
(Washington, D.C: July 2003).

[9] GAO, Homeland Security: Challenges Facing the Coast Guard as It 
Transitions to the New Department, GAO-03-467T (Washington, D.C.: 
February 2003). 

[10] GAO, Coast Guard: Station Readiness Improving, but Resource 
Challenges and Management Concerns Remain, GAO-05-161 (Washington, 
D.C.: Jan. 31, 2005).

[11] GAO, Maritime Security: Substantial Work Remains to Translate New 
Planning Requirements into Effective Port Security, GAO-04-838 
(Washington, D.C.: June 30, 2004).

[12] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
Jan. 2005).

[13] GAO, Homeland Security: Information Sharing Responsibilities, 
Challenges, and Key Management Issues, GAO-03-1165T (Washington, D.C.: 
Sept. 17, 2003); and Homeland Security: Information-Sharing 
Responsibilities, Challenges, and Key Management Issues, GAO-03-715T 
(Washington, D.C.: May 8, 2003).

[14] GAO, Homeland Security: Process for Reporting Lessons Learned from 
Seaport Exercises Needs Further Attention, GAO-05-170 (Washington, 
D.C.: January 2005).

[15] Of the facilities testing TSA's prototype, we visited ports and 
facilities in the Delaware River Region, including Wilmington Port 
Authority, the Philadelphia Maritime Exchange, and the South Jersey 
Port. We also visited ports and facilities on the West Coast, including 
those in the Port of Seattle, Port of Los Angeles, and Port of Long 
Beach as well as ports and facilities in Florida, including Port 
Everglades and the Port of Jacksonville.

[16] GAO, Port Security: Better Planning Needed to Develop and Operate 
Maritime Worker Identification Card Program, GAO-05-106 (Washington, 
D.C.: December 2004).

[17] GAO, Maritime Security: Substantial Work Remains to Translate New 
Planning Requirements into Effective Port Security, GAO-04-838 
(Washington, D.C.: June 2004).

[18] DHS has proposed consolidating homeland grant programs into a 
single program. Known as the Targeted Infrastructure Protection Program 
(TIPP), the program would lump together grant funding for transit, port 
security and other critical infrastructure, and eliminate specific 
grant programs for port, rail, truck, intercity bus, and 
nongovernmental organizations security. In its fiscal year 2006 budget 
request, the administration proposed $600 million for TIPP, a $260- 
million increase in overall funding from fiscal year 2005 for the 
specific transportation security grant programs. In fiscal year 2005, 
funding for port, rail, truck, intercity bus, and non-governmental 
organizations security totaled $340 million.

[19] GAO, National Preparedness: Integration of Federal, State, Local, 
and Private Sector Efforts Is Critical to an Effective National 
Strategy for Homeland Security, GAO-02-621T (Washington, D.C.: April 

[20] The Advisory Panel to Assess Domestic Response Capabilities for 
Terrorism Involving Weapons of Mass Destruction, V. Forging America's 
New Normalcy (Arlington, VA: Dec. 15, 2003).

[21] GAO, Homeland Security: Observations on the National Strategies 
Related to Terrorism, GAO-04-1075T (Washington, D.C.: Sept. 22, 2004).