This is the accessible text file for GAO report number GAO-06-864T 
entitled 'Aviation Security: Management Challenges Remain for the 
Transportation Security Administration's Secure Flight Program' which 
was released on June 14, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony before the Subcommittee on Intelligence, Information Sharing, 
and Terrorism Risk Assessment, Committee on Homeland Security, House of 

United States Government Accountability Office: 


For Release on Delivery Expected at 2:00 p.m. EDT: 

Wednesday, June 14, 2006: 

Aviation Security: 

Management Challenges Remain for the Transportation Security 
Administration's Secure Flight Program: 

Statement of Cathleen A. Berrick, Director, Homeland Security and 
Justice Issues: 


GAO Highlights: 

Highlights of GAO-06-864T, a testimony before the Subcommittee on 
Intelligence, Information Sharing, and Terrorism Risk Assessment, 
Committee on Homeland Security, House of Representatives. 

Why GAO Did This Study: 

After the events of September 11, 2001, the Transportation Security 
Administration (TSA) assumed the function of passenger prescreening —or 
the matching of passenger information against terrorist watch lists to 
identify persons who should undergo additional security scrutiny—for 
domestic flights, which is currently performed by the air carriers. To 
do so, TSA has been developing Secure Flight. This testimony covers 
TSA’s progress and challenges in (1) developing, managing, and 
overseeing Secure Flight; (2) coordinating with key stakeholders 
critical to program operations; (3) addressing key factors that will 
impact system effectiveness; and (4) minimizing impacts on passenger 
privacy and protecting passenger rights. 

What GAO Found: 

For over 3 years, TSA has faced challenges in developing and 
implementing the Secure Flight program, and in early 2006, it suspended 
Secure Flight’s development to reassess, or rebaseline, the program. 
TSA’s rebaselining effort is currently under way, and final decisions 
regarding the future direction of the program have not been made. In 
our most recent report and testimony, we noted that TSA had made some 
progress in developing and testing the Secure Flight program, but had 
not followed a disciplined life cycle approach to manage systems 
development or fully defined system requirements. We also reported that 
TSA was proceeding to develop Secure Flight without a program 
management plan containing program schedule and cost estimates. 
Oversight reviews of the program had also raised questions about 
program management. Secure Flight officials stated that as they move 
forward with the rebaselined program, they will be following a more 
rigorous and disciplined life cycle process for Secure Flight. We 
support TSA’s rebaselining effort, and believe that the agency should 
not move forward with the program until it has demonstrated that a 
disciplined life cycle process is being followed. 

We also reported that TSA had taken steps to collaborate with Secure 
Flight stakeholders whose participation is essential to ensuring that 
passenger and terrorist watch list data are collected and transmitted 
to support Secure Flight. However, key program stakeholders—including 
the U.S. Customs and Border Protection, the Terrorist Screening Center, 
and air carriers—stated that they needed more definitive information 
about system requirements from TSA to plan for their support of the 

In addition, we reported that several activities that will affect 
Secure Flight’s effectiveness were under way or had not yet been 
decided. For example, TSA conducted name-matching tests that compared 
passenger and terrorist screening database information to determine 
what type of passenger data would be needed for Secure Flight’s 
purposes. However, TSA had not yet made key policy decisions that could 
significantly impact program operations, including what passenger data 
it would require air carriers to provide and the name-matching 
technologies it would use. 

Further, Secure Flight’s system development documentation did not fully 
identify how passenger privacy protections were to be met, and TSA had 
not issued the privacy notices that described how it would protect 
passenger data once Secure Flight became operational. As a result, it 
was not possible to assess how TSA is addressing privacy concerns. 
Secure Flight officials stated that they plan to address privacy issues 
and finalize its redress polices in conjunction with rebaselining the 

What GAO Recommends: 

A prior GAO report recommended that the Department of Homeland Security 
(DHS) direct TSA to take several actions to manage risks associated 
with Secure Flight’s development, including finalizing system 
requirements, test plans, privacy and redress requirements, and program 
cost estimates, and establishing plans to obtain data needed to operate 
the system. DHS generally concurred with GAO’s recommendations, but has 
not yet completed the actions it planned to take. TSA’s rebaselining 
effort is reassessing program goals, requirements, and capabilities. 


To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Cathleen Berrick at (202) 
512-3404 or 

[End of Section] 

Mr. Chairman and Members of the Committee: 

Thank you for inviting me to participate in today's hearing on the 
Transportation Security Administration's (TSA) intelligence efforts and 
the integration of its programs that will affect the traveling public, 
such as Secure Flight. The purpose of Secure Flight is to enable our 
government to protect the public and strengthen aviation security by 
identifying and scrutinizing individuals suspected of having ties to 
terrorism, or who may otherwise pose a threat to aviation, in order to 
prevent them from boarding commercial aircraft in the United States, if 
warranted, or by subjecting them to additional security scrutiny prior 
to boarding an aircraft. The program also aims to reduce the number of 
individuals unnecessarily selected for secondary screening while 
protecting passengers' privacy and civil liberties. 

My testimony today summarizes the progress TSA has made to develop and 
implement Secure Flight and the challenges it continues to face as it 
moves forward with (1) developing, managing, and overseeing the Secure 
Flight program; (2) coordinating with federal and private sector 
stakeholders who will play critical roles in Secure Flight operations; 
(3) addressing key factors that will impact system effectiveness; and 
(4) minimizing program impacts on passenger privacy and protecting 
passenger rights. Since I last testified on these issues in February 
2006,[Footnote 1] TSA announced that it was rebaselining the Secure 
Flight program. This rebaselining effort includes reassessing program 
goals to be achieved, expected benefits and capabilities, and estimated 
schedules and costs. 

My testimony is based on our March 2005 report,[Footnote 2] other past 
reviews of the Secure Flight program (see app. I for a list of GAO 
products issued on Secure Flight), and preliminary results from our 
ongoing review of 10 issues related to the development and 
implementation of Secure Flight, as mandated by Public Law 109-90, and 
as requested by eight congressional committees.[Footnote 3] (See app. 
II for a description of the 10 issues and app. III for additional 
information on the scope and methodology for this review.) In March 
2005, we reported that TSA had made progress in developing and testing 
Secure Flight, but had not completed key system testing, had not 
finalized system requirements or determined how certain aspects of the 
program would operate (such as the basis on which passengers would be 
selected for preflight scrutiny), and had not clearly defined the 
privacy impacts of the program. At the time, we recommended that TSA 
take several actions to manage the risks associated with developing and 
implementing Secure Flight, including finalizing system requirements 
and test plans, privacy and redress requirements, and program cost 
estimates. In February 2006, we testified that TSA had committed to 
take action based on our recommendations that the agency manage the 
risks associated with developing and implementing Secure Flight. 
Although we noted that TSA had made some progress in these areas, we 
reported that it had not completed any of the actions that were 
scheduled to be accomplished and long-standing issues related to 
systems development and testing, program management, and privacy and 
redress protections remained. Following our February 2006 testimony, 
TSA announced a temporary suspension of Secure Flight's development to 
rebaseline the program. 


For over 3 years, TSA has faced significant challenges in developing 
and implementing the Secure Flight program, a federal passenger 
prescreening initiative. As we testified in February 2006: 

* TSA had not conducted critical development activities, such as 
following a disciplined life cycle approach for all phases of 
development, in accordance with best practices for large-scale 
information technology programs, potentially putting the program at 
risk of failure. In addition, TSA had not maintained up-to-date program 
schedules or developed cost estimates for the program. 

* TSA had made progress in coordinating with stakeholders--U.S. Customs 
and Border Protection (CBP), Terrorist Screening Center (TSC), and air 
carriers--but additional information and testing were needed before 
stakeholders could be in a position to provide the support required for 
Secure Flight to function as intended. 

* TSA made some progress in evaluating factors that could influence 
Secure Flight's effectiveness. However, key policy decisions--such as 
what data TSA will require air carriers to collect to support Secure 
Flight operations--and related efforts, to include operational testing, 
had not been completed. 

* Secure Flight's system documentation had not fully addressed how 
passenger privacy protections were to be met, and therefore potential 
impacts on privacy could not be assessed. Such an assessment will not 
be possible until TSA determines, among other things, what passenger 
data it will require for Secure Flight operations. We further reported 
that TSA had not yet determined how it would include a process of 
appeals for travelers erroneously singled out as part of the 
prescreening process. 

TSA has acknowledged these challenges and, based in part on our prior 
recommendations, has been taking corrective actions. In early 2006, TSA 
suspended development of Secure Flight and initiated a reassessment, or 
rebaselining, of the program, to be completed before moving forward. 
This rebaselining effort is currently under way, and decisions 
regarding the future direction of the program have not been made. We 
support TSA's rebaselining effort, and believe that the agency should 
not move forward with the program until it demonstrates that it is 
following a disciplined life cycle process. 


TSA is responsible for securing all modes of transportation while 
facilitating commerce and the freedom of movement for the traveling 
public. Passenger prescreening is one program among many that TSA uses 
to secure the domestic aviation sector. The process of prescreening 
passengers--that is, determining whether airline passengers might pose 
a security risk before they reach the passenger-screening checkpoint-- 
is used to focus security efforts on those passengers that represent 
the greatest potential threat. Currently, U.S. air carriers conduct 
passenger prescreening by comparing passenger names against government- 
supplied terrorist watch lists and applying the Computer-Assisted 
Passenger Prescreening System rules, known as CAPPS rules.[Footnote 4] 

Development of Legacy Passenger Prescreening Systems: 

Following the events of September 11, and in accordance with the 
requirement set forth in the Aviation and Transportation Security Act 
that a computer-assisted passenger prescreening system be used to 
evaluate all passengers before they board an aircraft,[Footnote 5] TSA 
established the Office of National Risk Assessment to develop and 
maintain a capability to prescreen passengers in an effort to protect 
U.S. transportation systems and the public against potential 
terrorists. In March 2003, this office began developing the second- 
generation computer-assisted passenger prescreening system, known as 
CAPPS II, to provide improvements[Footnote 6] over the current 
prescreening process, and to screen all passengers flying into, out of, 
and within the United States. 

Based in part on concerns about privacy and other issues expressed by 
us and others, the Department of Homeland Security (DHS) canceled the 
development of CAPPS II in August 2004. Shortly thereafter, it 
announced that it planned to develop a new passenger prescreening 
program called Secure Flight. In contrast to CAPPS II, Secure Flight, 
among other changes, will only prescreen passengers flying domestically 
within the United States, rather than passengers flying into and out of 
the United States. Also, the CAPPS rules will not be implemented as 
part of Secure Flight, but rather the rules will continue to be applied 
by commercial air carriers. As of February 2006, TSA planned to operate 
Secure Flight on the Transportation Vetting Platform (TVP)[Footnote 7]-
-the underlying infrastructure (hardware and software) developed to 
support the Secure Flight application, including security, 
communications, and data management and, the Secure Flight application 
was to perform the functions associated with receiving, vetting, and 
returning requests related to the determination of whether passengers 
are on government watch lists. This application was also to be 
configurable--meaning that it could be quickly adjusted to reflect 
changes to workflow parameters. In May 2006, TSA officials stated that 
the agency was considering other approaches for integrating the Secure 
Flight TVP and application functions in a different configuration as 
part of rebaselining the program. In its rebaselining effort, this and 
other aspects of Secure Flight are currently being reviewed, and policy 
decisions regarding the operations of the program have not been 
finalized.[Footnote 8] 

Overview of TSA's Plans to Operate Secure Flight as of February 2006: 

As envisioned under Secure Flight, when a passenger made flight 
arrangements, the organization accepting the reservation, such as the 
air carrier's reservation office or a travel agent, would enter 
passenger name record (PNR) information obtained from the passenger, 
which would then be stored in the air carrier's reservation 
system.[Footnote 9] While the government would be asking for only 
portions of the PNR, the PNR data could include the passenger's name, 
phone number, number of bags, seat number, and form of payment, among 
other information. Approximately 72 hours prior to the flight, portions 
of the passenger data contained in the PNR would be sent to Secure 
Flight through a secure network connection provided by DHS's CBP. 
Reservations or changes to reservations that were made less than 72 
hours prior to flight time would be sent immediately to TSA through 

Upon receipt of passenger data, TSA planned to process the passenger 
data through the Secure Flight application running on the TVP. During 
this process, Secure Flight would determine if the passenger data 
matched the data extracted daily from TSC's Terrorist Screening 
Database (TSDB)--the information consolidated by TSC from terrorist 
watch lists to provide government screeners with a unified set of 
terrorist-related information. In addition, TSA would screen against 
its own watch list composed of individuals who do not have a nexus to 
terrorism but who may pose a threat to aviation security.[Footnote 10] 

In order to match passenger data to information contained in the TSDB, 
TSC planned to provide TSA with an extract of the TSDB for use in 
Secure Flight and provide updates as they occur. This TSDB subset would 
include all individuals classified as either selectees (individuals who 
are selected for additional security measures prior to boarding an 
aircraft) or no-flys (individuals who would be denied boarding unless 
they are cleared by law enforcement personnel).[Footnote 11] To perform 
the match, Secure Flight was to compare the passenger data, TSDB, and 
other watch list data using automated name-matching technologies. When 
a possible match was generated, TSA and potentially TSC analysts would 
conduct a manual review comparing additional law enforcement and other 
government information with passenger data to determine if the person 
could be ruled out as a possible match. TSA was to return the matching 
results to the air carriers through CBP. Figure 1 illustrates how 
Secure Flight was intended to operate as of February 2006. 

Figure 1: Planned Operation of Secure Flight as of February 2006: 

[See PDF for image] 

[A] Information about confirmed no-flys and certain selectees are 
shared with appropriate federal agencies which coordinate the 
appropriate law enforcement response. 

[End of figure] 

As shown in figure 1, when the passenger checked in for the flight at 
the airport, the passenger was to receive a level of screening based on 
his or her designated category. A cleared passenger was to be provided 
a boarding pass and allowed to proceed to the screening checkpoint in 
the normal manner. A selectee passenger was to receive additional 
security scrutiny at the screening checkpoint.[Footnote 12] A no-fly 
passenger would not be issued a boarding pass. Instead, appropriate law 
enforcement agencies would be notified. Law enforcement officials would 
determine whether the individual would be allowed to proceed through 
the screening checkpoint or if other actions are warranted, such as 
additional questioning of the passenger or taking the passenger into 
custody. Based on its rebaselining effort, TSA may modify this concept 
of operations for Secure Flight. 

TSA Had Not Followed a Disciplined Life Cycle Approach or Fully Defined 
System Requirements, Schedule, and Costs: 

As we testified in February 2006, TSA had not conducted critical 
activities in accordance with best practices for large-scale 
information technology programs. Further, TSA had not followed a 
disciplined life cycle approach in developing Secure Flight, in which 
all phases of the project are defined by a series of orderly phases and 
the development of related documentation. Program officials stated that 
they had instead used a rapid development method that was intended to 
enable them to develop the program more quickly. However, as a result 
of this approach, the development process had been ad hoc, with project 
activities conducted out of sequence. For example, program officials 
declared the design phase complete before requirements for designing 
Secure Flight had been detailed. 

Our evaluations of major federal information technology programs, and 
research by others, have shown that following a disciplined life cycle 
management process decreases the risks associated with acquiring 
systems. As part of the life cycle process, TSA must define and 
document Secure Flight's requirements--including how Secure Flight is 
to function and perform, the data needed for the system to function, 
how various systems interconnect, and how system security is achieved. 
We found that Secure Flight's requirements documentation contained 
contradictory and missing information. TSA officials acknowledged that 
they had not followed a disciplined life cycle approach in developing 
Secure Flight, but stated that in moving forward, they would follow 
TSA's standard development process. We also found that while TSA had 
taken steps to implement an information security management program for 
protecting Secure Flight information and assets, its efforts were 
incomplete, based on federal standards and industry best practices. We 
reported that without a completed system security program, Secure 
Flight may not be adequately protected against unauthorized access and 
use or disruption, once the program becomes operational. 

Further, TSA had proceeded with Secure Flight development without an 
effective program management plan that contained up-to-date program 
schedules and cost estimates. TSA officials stated they had not 
maintained an updated schedule in part because the agency had not 
promulgated a necessary regulation requiring commercial air carriers to 
submit certain passenger data needed to operate Secure Flight, and air 
carrier responses to this regulation would impact when Secure Flight 
would be operational and at what cost. While we recognized that program 
unknowns introduce uncertainty into the program-planning process, 
uncertainty is a practical reality in planning all programs and is not 
a reason for not developing plans, including cost and schedule 
estimates that reflect known and unknown aspects of the program. 

Prior to TSA's rebaselining effort of Secure Flight, several oversight 
reviews of the program had been conducted that raised questions about 
program management, including the lack of fully defined requirements. 
DHS and TSA had executive and advisory oversight mechanisms in place to 
oversee Secure Flight, including the DHS Investment Review Board-- 
designed to review certain programs at key phases of development to 
help ensure they met mission needs at expected levels of costs and 
risks. However, the DHS Investment Review Board and other oversight 
groups had identified problems with Secure Flight's development. 
Specifically, in January 2005, the Investment Review Board withheld 
approval of the TVP, which supported Secure Flight operations, to 
proceed from development and testing into production and deployment 
until a formal acquisition plan, a plan for integrating and 
coordinating Secure Flight with other DHS people-screening programs, 
and a revised acquisition program baseline had been completed. In 
addition, an independent working group within the Aviation Security 
Advisory Committee, composed of government, privacy, and security 
experts, reported in September 2005 that TSA had not produced a 
comprehensive policy document for Secure Flight that could define 
oversight or governance responsibilities, nor had it provided an 
accountability structure for the program. 

TSA has taken actions that recognize the need to instill more rigor and 
discipline into the development and management of Secure Flight, and 
suspended its development efforts while it rebaselines the program. 
This rebaselining effort includes reassessing program goals and 
capabilities and developing a new schedule and cost estimates. Although 
TSA officials stated that they will use a disciplined life cycle 
approach when moving forward with the rebaselined program, officials 
have not identified when their rebaselining effort will be completed. 

TSA Had Made Progress in Coordinating with Critical Stakeholders, but 
More Work Remains: 

As we testified in February 2006, TSA had taken steps to collaborate 
with Secure Flight stakeholders--CBP, TSC, and domestic air carriers-- 
whose participation is essential to ensuring that passenger and 
terrorist watch list data are collected and transmitted for Secure 
Flight operations, but additional information and testing are needed to 
enable stakeholders to provide the necessary support for the program. 
TSA had, for example, drafted policy and technical guidance to help 
inform air carriers of their Secure Flight responsibilities, and had 
begun receiving feedback from the air carriers on this information. TSA 
was also in the early stages of coordinating with CBP and TSC on 
broader issues of integration and interoperability related to other 
people-screening programs used by the government to combat terrorism. 

Prior to its rebaselining effort, TSA had conducted preliminary network 
connectivity testing between TSA and federal stakeholders to determine, 
for example, how information would be transmitted from CBP to TSA and 
back. However, these tests used only dummy data and were conducted in a 
controlled environment, rather than in a real-world operational 
environment. According to CBP, without real data, it was not possible 
to conduct stress testing to determine if the system could handle the 
volume of data traffic that would be required by Secure Flight. TSA 
acknowledged it had not determined what the real data volume 
requirements would be, and could not do so until the regulation for air 
carriers was issued and their data management role had been finalized. 

All key program stakeholders we interviewed stated that additional 
information was needed before they could finalize their plans to 
support Secure Flight operations. Although CBP, TSC, and air carrier 
officials we interviewed through January 2006 acknowledged TSA's 
outreach efforts, they cited several areas where additional information 
was needed from TSA before they could fully support Secure Flight. 
Several CBP officials stated, for example, that they could not proceed 
with establishing connectivity with all air carriers until DHS 
published the rule--the regulation that would specify what type of 
information was to be provided for Secure Flight--and the air carriers 
submitted their plans for providing this information. In addition, a 
TSC official stated that until TSA provided estimates of the volume of 
potential name matches that TSC would be required to screen, TSC could 
not make decisions about required resources. 

TSA's ongoing coordination of prescreening and name-matching 
initiatives with CBP and TSC could impact how Secure Flight is 
implemented and require stakeholders to alter their plans made to 
support the program. In January 2006, TSA officials stated that they 
are coordinating more closely with CBP's international prescreening 
initiatives for passengers on flights bound for the United States. The 
Air Transport Association and the Association of European Airlines-- 
organizations representing air carriers--had requested, among other 
things, that both domestic and international passenger prescreening 
function through coordinated information connections and avoid 
unnecessary duplication of communications, programming, and information 
requirements.[Footnote 13] In addition, TSC has an initiative under way 
to, among other things, better safeguard watch list data. At present, 
TSC exports watch list data to other federal agencies for use in their 
screening efforts or processes for examining documents and records 
related to terrorism. However, TSC is currently developing a new 
system, Query, whereby watch list data would not be exported, but 
rather would be maintained by TSC. Query would serve as a common shared 
service that would allow agencies to directly search the TSDB using 
TSC's name-matching technology for their own purposes. If TSC chooses 
to implement Query, TSA may be required to modify the system 
architecture for Secure Flight in order to accommodate the new system. 

Due to delays in Secure Flight's development and uncertainty about its 
future, officials from two air carriers told us after our February 2006 
testimony that they were enhancing their respective name-matching 
systems because they were unsure when and whether TSA would be taking 
over the name-matching function through Secure Flight.[Footnote 14] 
While these efforts may improve the accuracy in each air carrier's 
individual name-matching system, the improvements will only apply to 
their respective systems and could further exacerbate differences that 
currently exist among the various air carriers' systems. These 
differences may result in varying levels of effectiveness in the 
matching of passenger names against terrorist watch lists, which was a 
primary factor that led to the government's effort to take over the 
name-matching function through Secure Flight. 

Key Factors That Could Influence the Effectiveness of Secure Flight 
Remain to Be Finalized or Resolved: 

As of February 2006, several activities were under way, or were about 
to be decided, that would affect Secure Flight's effectiveness. For 
example, TSA had tested name-matching technologies to determine what 
type of passenger data would be needed to match against terrorist watch 
list data. These tests had been conducted using historical data in a 
controlled, rather than real-world environment, but additional testing 
was needed to learn more about how these technologies would perform in 
an operational environment. TSA also had not yet conducted stress 
testing to determine how the system would handle peak data volumes. 
Further, due to program delays and the program rebaselining, TSA had 
not conducted a comprehensive end-to-end testing to verify that the 
entire system would function as intended, although it had planned to do 
so by the middle of 2005. 

Prior to its rebaselining effort, we further reported that TSA had not 
made key policy decisions for determining the passenger information 
that air carriers would be required to collect, the name-matching 
technologies that would be used to vet passenger names against 
terrorist watch list data, and thresholds that would be set to 
determine the relative volume of passengers who are to be identified as 
potential matches against the database. For example, TSA will need to 
decide which data attributes air carriers will be required to provide 
in passenger data to be used to match against data contained in the 
TSDB, such as full first, middle, and last name plus other discrete 
identifiers, such as date of birth. Using too many data attributes can 
increase the difficulty of conducting matching, while using too few 
attributes can create an unnecessarily high number of incorrect matches 
due to, among other things, the difficulty in differentiating among 
similar common names without further information. In addition, TSA must 
determine what type or combination of name-matching technologies to 
acquire and implement for Secure Flight, as different technologies have 
different capabilities. For example, earlier TSA PNR testing showed 
that some name-matching technologies are more capable than others at 
detecting significant name modifications allowing for the matching of 
two names that contain some variation. Detecting variation is important 
because passengers may intentionally make alternations to their names 
in an attempt to conceal their identities. In addition, unintentional 
variations can result from different translations of non-native names 
or data entry errors. TSA had planned to finalize decisions on these 
factors as system development progressed. However, until TSA completes 
its program rebaselining, data requirements for the program will remain 

As we reported in February 2006, two additional factors will play an 
important role in the effectiveness of Secure Flight. These factors 
include (1) the accuracy and completeness of data contained in TSC's 
TSDB and in passenger data submitted by air carriers, and (2) the 
ability of TSA and TSC to identify false positives and resolve possible 
mistakes during the data-matching process to minimize inconveniencing 
passengers. Regarding data quality and accuracy, in a review of the 
TSC's role in Secure Flight, the Department of Justice Office of 
Inspector General found that TSC could not ensure that the information 
contained in its TSDB was complete or accurate. To address accuracy, 
TSA and TSC had planned to work together to identify false positives-- 
passengers inappropriately matched against data contained in the 
terrorist-screening database--by using intelligence analysts to monitor 
the accuracy of data matches. Related to the accuracy of PNR data, we 
reported that TSA had planned to describe the required data attributes 
that must be contained in passenger data provided to TSA in a 
forthcoming rule. However, the accuracy and completeness of the 
information contained in the passenger data record will still be 
dependent on the air carriers' reservations systems, the passengers 
themselves, and the air carriers' modifications of their systems for 
transmitting the data in the proper format. Prior TSA testing found 
that many passenger data records submitted by air carriers were found 
to be inaccurate or incomplete, creating problems during the automated 
name-matching process. 

Prior to its rebaselining effort, TSA had also reported that it planned 
to work with TSC to identify false positives as passenger data are 
matched against data in the TSDB, and to resolve mistakes to the extent 
possible before inconveniencing passengers. The agencies were to use 
intelligence analysts during the actual matching of passenger data to 
data contained in the TSDB to increase the accuracy of data matches. 
When TSA's name-matching technologies indicated a possible match, TSA 
analysts were to manually review all of the passenger data and other 
information to determine if the passenger could be ruled out as a match 
to the TSDB. If a TSA analyst could not rule out a possible match, the 
record would be forwarded to a TSC analyst to conduct a further review 
using additional information. Until TSA completes its rebaselining 
effort, it is uncertain whether this or another process will be used to 
help mitigate the misidentification of passengers. An additional factor 
that could impact the effectiveness of Secure Flight in identifying 
known or suspected terrorists is the system's inability to identify 
passengers who assume the identity of another individual by committing 
identity theft, or who use false identifying information. Secure Flight 
was neither intended nor designed to address these vulnerabilities. 

Secure Flight Privacy Notices and Passenger Redress Process Cannot Be 
Finalized Until Program Requirements Are More Fully Defined: 

TSA is aware of, and plans to address, the potential for Secure Flight 
to adversely affect travelers' privacy and their rights. However, as we 
testified in February 2006, TSA, as part of its requirements 
development process, had not clearly identified the privacy impacts of 
the envisioned system or the full actions it planned to take to 
mitigate them. Because Secure Flight's system development documentation 
did not fully address how passenger privacy protections were to be met, 
it was not possible to assess potential system impacts on individual 
privacy protections, as of February 2006. Further, such an assessment 
will not be possible until TSA determines what passenger data will be 
required and how privacy protections will be addressed in the 
rebaselined program. 

The Privacy Act and the Fair Information Practices--a set of 
internationally recognized privacy principles that underlie the Privacy 
Act--limit the collection, use, and disclosure of personal information 
by federal agencies.[Footnote 15] TSA officials have stated that they 
are committed to meeting the requirements of the Privacy Act and the 
Fair Information Practices. However, it is not evident how this will be 
accomplished because TSA has not decided what passenger data elements 
it plans to collect, how such data will be provided by stakeholders, or 
how a restructuring that may result from its program rebaselining will 
impact its requirements for passenger data. Prior to the rebaselining 
effort, TSA was in the process of developing but had not issued the 
systems-of-records notice required by the Privacy Act, or the privacy 
impact assessment required by the E-Government Act, that would describe 
how TSA will protect passenger data once Secure Flight becomes 
operational.[Footnote 16] Moreover, privacy requirements had not been 
incorporated into the Secure Flight system development process to 
explain whether personal information would be collected and maintained 
in the system in a manner that complies with privacy and security 
requirements. In our review of Secure Flight's system requirements 
prior to TSA announcing its rebaselining, we found that privacy 
concerns were broadly defined in functional requirements documentation, 
which states that the Privacy Act must be considered in developing the 
system. However, these broad functional requirements had not been 
translated into specific system requirements. Until TSA determines the 
relevancy of these requirements and notices, privacy protections and 
impacts cannot be assessed. 

Further, Congress mandated that Secure Flight include a process whereby 
aviation passengers determined to pose a threat to aviation security 
may appeal that determination and correct erroneous information 
contained within the prescreening system.[Footnote 17] While TSA has 
not yet determined how it will meet this congressional mandate, it 
currently has a process in place that allows passengers who experience 
delays under the current prescreening conducted by air carriers to 
submit a passenger identity verification form to TSA and request that 
the agency place their names on a cleared list. If, upon review, TSA 
determines that the passenger's identity is distinct from the person on 
a watch list, TSA will add the passenger's name to its cleared list, 
and will forward the updated list to the air carriers. TSA will also 
notify the passenger of his or her cleared status and explain: 

that in the future the passenger may still experience delays.[Footnote 
18] Recently, TSA has automated the cleared list process, enabling the 
agency to further mitigate inconvenience to travelers on the cleared 
list. GAO has an ongoing review examining TSA's redress process for 
assisting passengers misidentified under the screening program. 

According to TSA officials, no final decisions have been made regarding 
how TSA will address redress requirements, but information on the 
process will be contained within the privacy notices released in 
conjunction with the forthcoming regulation. In May 2006, Secure Flight 
officials stated that concerns for privacy and redress were being 
addressed as part of their rebaselining effort. 

Concluding Observations: 

TSA has recognized the challenges it faces in developing Secure Flight 
and has undertaken efforts to rebaseline the program. We believe this 
rebaselining effort is a positive step in addressing the issues facing 
the program. To make and demonstrate progress on any large-scale 
information technology program, such as Secure Flight, an agency must 
first adequately define program capabilities that are to be provided, 
such as requirements related to performance, security, privacy, and 
data content and accuracy. These requirements can then in turn be used 
to produce reliable estimates of what these capabilities will cost, 
when they will be delivered, and what mission value or benefits will 
accrue as a result. For Secure Flight, well-defined requirements would 
provide a guide for developing the system and a baseline to test the 
developed system to ensure that it delivers necessary capabilities, and 
would help to ensure that key program areas--such as security, system 
connectivity, and privacy and redress protections--are appropriately 

When we reported on Secure Flight in March 2005, TSA had committed to 
take action on our recommendations to manage the risks associated with 
developing and implementing Secure Flight, including finalizing the 
concept of operations, system requirements, and test plans; completing 
formal agreements with CBP and air carriers to obtain passenger data; 
developing life cycle cost estimates and a comprehensive set of 
critical performance measures; issuing new privacy notices; and putting 
a redress process in place. When we testified in February 2006, TSA had 
made some progress in all of these areas, including conducting further 
testing of factors that could influence system effectiveness and 
corroborating with key stakeholders. However, TSA had not completed any 
of the actions it had scheduled to accomplish. In particular, TSA had 
not developed complete system requirements or conducted important 
system testing, made key decisions that would impact system 
effectiveness, or developed a program management plan and a schedule 
for accomplishing program goals. 

In conjunction with its rebaselining effort, TSA has taken actions that 
recognize the need to instill more rigor and discipline into the 
development and management of Secure Flight, including hiring a program 
director to administer Secure Flight and a program manager with 
information systems program management credentials. We support these 
efforts and believe that proceeding with operational testing and 
completing other key program activities should not be pursued until TSA 
demonstrates that it has put in place a more disciplined life cycle 
process as part of its rebaselining effort. 

Mr. Chairman, this concludes my prepared statement. I will be pleased 
to respond to any questions that you or other members of the committee 
have at the appropriate time. 

GAO Contacts and Staff Acknowledgments: 

For further information about this testimony, please contact Cathleen 
Berrick, at 202-512-3404 or at, or Randolph C. Hite at 
202-512-6256 or at 

Other key contributors to this statement were J. Michael Bollinger, Amy 
Bernstein, Mona Nichols Blake, Christine Fossett, and Allison G. Sands. 

[End of section] 

Appendix I: Related GAO Products: 

Aviation Security: Significant Management Challenges May Adversely 
Affect Implementation of the Transportation Security Administration's 
Secure Flight Program. GAO-06-374T. Washington, D.C.: February 9, 2006. 

Aviation Security: Transportation Security Administration Did Not Fully 
Disclose Uses of Personal Information during Secure Flight Program 
Testing in Initial Privacy Notices, but Has Recently Taken Steps to 
More Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22, 

Secure Flight Development and Testing Under Way, but Risks Should Be 
Managed as System Is Further Developed. GAO-05-356 Washington, D.C.: 
March 28, 2005. 

TSA's Modifications to Rules for Prescreening Passengers. GAO-05-445SU 
Washington D.C.: March 28, 2005. 

Measures for Testing the Impact of Using Commercial Data for the Secure 
Flight Program. GAO-05-324 Washington, D.C.: February 23, 2005. 

Aviation Security: Improvement Still Needed in Federal Aviation 
Security Efforts. GAO-04-592T Washington D.C.: March 30, 2004. 

Aviation Security: Challenges Delay Implementation of Computer- 
Assisted Passenger Prescreening System. GAO-04-504T Washington, D.C.: 
March 17, 2004. 

Computer-Assisted Passenger Prescreening System Faces Significant 
Implementation Challenges. GAO-04-385 Washington, D.C.: February 12, 

[End of section] 

Appendix II: Legislatively Mandated Secure Flight Issues to be 
Certified by DHS and Reviewed by GAO: 

Legislative mandated issue (short title): Redress process; 
Description of mandated issue: A system of due process exists whereby 
aviation passengers determined to pose a threat are either delayed or 
prohibited from boarding their scheduled flights by TSA may appeal such 
decisions and correct erroneous information contained in CAPPS II or 
Secure Flight or other follow-on/successor programs. 

Legislative mandated issue (short title): Accuracy of databases and 
effectiveness of Secure Flight; 
Description of mandated issue: The underlying error rate of the 
government and private databases that will be used to both establish 
identity and assign a risk level to a passenger will not produce a 
large number of false positives that will result in a significant 
number of passengers being treated mistakenly or security resources 
being diverted. 

Legislative mandated issue (short title): Stress testing; 
Description of mandated issue: TSA has stress-tested and demonstrated 
the efficacy and accuracy of all search technologies in CAPPS II or 
Secure Flight or other follow-on/successor programs and has 
demonstrated that CAPPS II or Secure Flight or other follow-
on/successor programs can make an accurate predictive assessment of 
those passengers who may constitute a threat to aviation. 

Legislative mandated issue (short title): Internal oversight; 
Description of mandated issue: The Secretary of Homeland Security has 
established an internal oversight board to monitor the manner in which 
CAPPS II or Secure Flight or other follow-on/successor programs are 
being developed and prepared. 

Legislative mandated issue (short title): Operational safeguards; 
Description of mandated issue: TSA has built in sufficient operational 
safeguards to reduce the opportunities for abuse. 

Legislative mandated issue (short title): Security measures; 
Description of mandated issue: Substantial security measures are in 
place to protect CAPPS II or Secure Flight or other follow-on/successor 
programs from unauthorized access by hackers or other intruders. 

Legislative mandated issue (short title): Oversight of system use and 
Description of mandated issue: TSA has adopted policies establishing 
effective oversight of the use and operation of the system. 

Legislative mandated issue (short title): Privacy concerns; 
Description of mandated issue: There are no specific privacy concerns 
with the technological architecture of the system. 

Legislative mandated issue (short title): Modifications with respect to 
intrastate travel to accommodate states with unique air transportation 
Description of mandated issue: TSA has, in accordance with the 
requirements of section 44903 (j)(2)(B) of title 49, United States 
Code, modified CAPPS II or Secure Flight or other follow-on/successor 
programs with respect to intrastate transportation to accommodate 
states with unique air transportation needs and passengers who might 
otherwise regularly trigger primary selectee status. 

Legislative mandated issue (short title): Life cycle cost estimates and 
expenditure plans; 
Description of mandated issue: Appropriate life cycle cost estimates 
and expenditure and program plans exist. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix III: Scope and Methodology: 

The results discussed in this testimony are based on our review of 
available documentation on Secure Flight's systems development and 
oversight, policies governing program operations, our past reports on 
the program, and interviews with Department of Homeland Security 
officials, TSA program officials and their contractors, and other 
federal officials who are key stakeholders in the Secure Flight 
program. Throughout our ongoing reviews of Secure Flight, we have 
reviewed TSA's System Development Life Cycle Guidance for developing 
information technology systems and other federal reports describing 
best practices in developing and acquiring these systems. We also 
reviewed draft TSA documents containing information on the development 
and testing of Secure Flight, including concept of operations, 
requirements, test plans, and test results. We also reviewed reports 
from the U.S. Department of Justice Office of the Inspector General 
that reviewed the Secure Flight program and reports from two oversight 
groups that provided advisory recommendations for Secure Flight: DHS's 
Privacy and Data Integrity Advisory Committee and TSA's Aviation 
Security Advisory Committee Secure Flight Working Group. We interviewed 
senior-level TSA officials, including representatives from the Office 
of Transportation Threat Assessment and Credentialing, which is 
responsible for Secure Flight, and the Office of Transportation 
Security Redress, to obtain information on Secure Flight's planning, 
development, testing, and policy decisions. We also interviewed 
representatives from the U.S. Customs and Border Protection and 
Terrorist Screening Center[Footnote 19] to obtain information about 
stakeholder coordination. We also interviewed officials from several 
air carriers and representatives from aviation trade organizations 
regarding issues related to Secure Flight's development and 
implementation. In addition, we attended conferences on name-matching 
technologies sponsored by MITRE (a federally funded research and 
development corporation) and the Office of the Director of National 

This testimony includes work accomplished for our March 2005 
report[Footnote 20] and our February 2006 testimony,[Footnote 21] and 
work conducted from February 2006 to June 2006 in accordance with 
generally accepted government auditing standards. 


[1] GAO, Aviation Security: Significant Management Challenges May 
Adversely Affect Implementation of the Transportation Security 
Administration's Secure Flight Program, GAO-06-374T (Washington, D.C.: 
Feb. 9, 2006). 

[2] GAO, Aviation Security: Secure Flight Development and Testing Under 
Way, but Risks Should Be Managed as System Is Further Developed, GAO-05-
356 (Washington, D.C.: March 2005). 

[3] Section 518 of the Department of Homeland Security Appropriations 
Act, 2006 (Pub. L. No. 109-90) requires GAO to report to the Committees 
on Appropriations of the Senate and House of Representatives on the 10 
issues listed in § 522(a) the Department of Homeland Security 
Appropriations Act, 2005 (Pub. L. No. 108-334), not later than 90 days 
after the Secretary of the Department of Homeland Security certifies to 
the above-named committees that Secure Flight has satisfied the 10 
issues. These 10 issues relate to system development and 
implementation, effectiveness, program management and oversight, and 
privacy and redress. We are also conducting our ongoing review in 
response to requests from the United States Senate: the Committee on 
Commerce, Science, and Transportation, and its Subcommittee on 
Aviation; Committee on Appropriations, Subcommittee on Homeland 
Security; Committee on Homeland Security and Governmental Affairs; 
Committee on Judiciary; also the House of Representatives: Committee on 
Transportation and Infrastructure, Committee on Homeland Security; and 
the Chairman of the Committee on Government Reform. 

[4] CAPPS rules are characteristics that are used to select passengers 
who require additional security scrutiny. CAPPS rules are Sensitive 
Security Information. 

[5] Aviation and Transportation Security Act, Pub. L. No. 107-71, § 
136, 115 Stat. 597, 637 (2001). 

[6] The second generation passenger screening system anticipated 
improvements in security by moving the watch list screening process 
within the federal government so that comparisons could be made using a 
single system, rather than the multiple matching programs now utilized 
by individual air carriers. Further, security would be enhanced by 
vetting passengers against the expanded watch lists produced by TSC, 
instead of the more limited lists currently transmitted to air 

[7] TSA planned to use this centralized vetting capability to identify 
terrorist threats in support of various DHS and TSA programs. In 
addition to Secure Flight, TSA planned to use the platform to ensure 
that persons working at sensitive locations; serving in trusted 
positions with respect to the transportation infrastructure; or 
traveling as cockpit and cabin crew into, within, and out of the United 
States are properly screened depending on their activity within the 
transportation system. In addition to supporting the Secure Flight and 
Crew Vetting programs, TSA expected to leverage the platform with other 
applications such as TSA screeners and screener applicants, commercial 
truck drivers with hazardous materials endorsements, aviation workers 
with access to secure areas of the airports, alien flight school 
candidates, and applicants for TSA's domestic Registered Traveler 

[8] The Intelligence Reform and Terrorism Prevention Act of 2004 
requires that TSA begin to assume responsibility for the passenger 
prescreening function within 180 days after the completion of testing. 
Pub. L. No. 108-458 § 4012, 118 Stat. 3638, 3714-19 (codified as 
amended at 49 U.S.C. § 44903(j)(2)). 

[9] This description of the Secure Flight system, as well as the 
graphic illustrating the system in figure1, is based on TSA's draft 
June 9, 2005, concept of operations, a document that gives a high-level 
overview of the Secure Flight system. 

[10] TSA also planned to utilize a cleared list as part of the watch 
list matching process; the cleared list was to be composed of 
individuals who are frequently misidentified as being on the TSDB and 
who have applied, and been approved, to be on the list. 

[11] These measures may include additional screening or other law 
enforcement actions. 

[12] Some selectees were to receive a boarding pass from air carriers, 
but be required to undergo secondary screening prior to boarding the 
aircraft, while other selectees were to first be met by law enforcement 
personnel, who would determine if the individual should receive a 
boarding pass. In addition, air carriers, through their application of 
the CAPPS rules, could also designate a passenger as a selectee. 

[13] Correspondence to the Honorable Michael Chertoff, Secretary, 
Department of Homeland Security, October 27, 2005. 

[14] The interviews with officials from the two air carriers is part of 
on-going work that includes collecting information about name-matching 
systems currently used by air carriers to match passenger names with 
those on the no-fly and selectee lists in the TSDB. Information 
provided by the officials from the two air carriers cannot be 
generalized to other air carriers. 

[15] Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 (codified 
as amended at 5 U.S.C. § 552a). 

[16] The E-Government Act of 2002 requires agencies to conduct a 
privacy impact assessment before developing systems that collect, 
maintain, or disseminate information in an identifiable form. Pub. L. 
No. 107-347, 116 Stat. 2899. 

[17] See Pub. L. Nos. 108-334, § 522(a)(1); and 109-90, § 518(a). 

[18] In our February 2006 testimony, we stated that TSA's Office of 
Transportation Security Redress (OTSR) managed redress for the current 
watch list matching process conducted by the air carriers. At that time 
OTSR was developing an agency-wide policy for redress and had 
interviewed TSA officials as part of that effort, but found that Secure 
Flight requirements were not sufficiently defined for use in drafting 
the new policy. TSA officials stated that they would continue to 
discuss the Secure Flight redress process with OSTR. 

[19] TSC was established in accordance with Homeland Security 
Presidential Directive-6 to consolidate the government's approach to 
terrorism screening, including the use of terrorist information for 
screening purposes. TSC is an interagency effort involving DHS, 
Department of Justice, Department of State, and intelligence community 
representatives and is administered by the Federal Bureau of 

[20] GAO, Aviation Security: Significant Management Challenges May 
Adversely Affect Implementation of the Transportation Security 
Administration's Secure Flight Program, GAO-06-374T (Washington, D.C.: 
February 9, 2006). 

[21] GAO, Aviation Security: Secure Flight Development and Testing 
Under Way, but Risks Should Be Managed as System Is Further Developed, 
GAO-05-356 (Washington, D.C.: March 2005). 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 


Web site: 


Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149