This is the accessible text file for GAO report number GAO-09-678 entitled 'Transportation Security: Key Actions Have Been Taken to Enhance Mass Transit and Passenger Rail Security, but Opportunities Exist to Strengthen Federal Strategy and Programs' which was released on July 24, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Homeland Security, House of Representatives: United States Government Accountability Office: GAO: June 2009: Transportation Security: Key Actions Have Been Taken to Enhance Mass Transit and Passenger Rail Security, but Opportunities Exist to Strengthen Federal Strategy and Programs: GAO-09-678: GAO Highlights: Highlights of GAO-09-678, a report to the Chairman, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: Terrorist incidents worldwide have highlighted the need for securing mass transit and passenger rail systems. The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) is the primary federal entity responsible for securing these systems. GAO was asked to assess (1) the extent to which federal and industry stakeholders have assessed risks to these systems since 2004, and how TSA has used this information to inform its security strategy; (2) key actions federal and industry stakeholders have taken since 2004 and the extent to which federal actions are consistent with TSA’s security strategy, and the challenges TSA faces in implementing them; and (3) TSA’s reported status in implementing 9/11 Commission Act provisions for mass transit and passenger rail security. GAO reviewed documents including TSA’s mass transit and passenger rail strategic plan, and interviewed federal officials and industry stakeholders from 30 systems and Amtrak—representing 75 percent of U.S. mass transit and passenger rail ridership. What GAO Found: Since 2004, federal and industry stakeholders have conducted assessments of individual elements of risk—threat, vulnerability and consequence—for mass transit and passenger rail systems and this information has informed TSA’s security strategy; however, TSA has not combined information from these three elements to conduct a risk assessment of these transportation systems. By completing a risk assessment, TSA would have reasonable assurance that it is directing its resources toward the highest priority needs. Further, while TSA’s mass transit and passenger rail security strategy contains some information, such as goals and objectives, that is consistent with GAO’ s prior work on characteristics of a successful national strategy, it could be strengthened by including performance measures to help TSA track progress in securing these systems, among other things. Federal and industry stakeholders have taken several key actions to strengthen the security of mass transit and passenger rail systems since 2004, and while federal actions have been generally consistent with TSA’s security strategy, TSA faces coordination challenges, and opportunities exist to strengthen some programs. TSA has deployed surface inspectors to assess industry security programs and worked with DHS to develop security technologies, among other actions. Mass transit and passenger rail systems, including Amtrak, also reported taking actions to increase security, such as implementing passenger and baggage screening programs. Although TSA has taken steps to enhance its efforts, it can further strengthen security programs by, for example, expanding its efforts to obtain and share security technology information with industry. By improving information sharing with industry, TSA can help to ensure that its and industry’s limited resources are used more productively to secure mass transit and passenger rail systems. As of March 2009, TSA reported implementing some of the 9/11 Commission Act provisions related to securing mass transit and passenger rail such as developing a strategy for securing transportation, but had missed deadlines, for example, for issuing new regulatory requirements for mass-transit and passenger-rail employee security training. In addition, TSA’s progress reports that track its implementation of 9/11 Act provisions lack milestones to guide this effort as called for by project management best practices. Additionally, in some cases, TSA progress reports identify challenges to meeting 9/11 Act provisions, but these reports do not include a plan for addressing these challenges. Until TSA develops a plan with milestones, it will be difficult for TSA to provide reasonable assurance that the act’s provisions are being implemented and that a plan is in place for overcoming challenges that arise. Additionally, officials from almost half of the mass transit and passenger rail systems GAO visited reported concerns with the potential costs and the feasibility of implementing pending employee security training requirements. What GAO Recommends: Among other things, GAO recommends that TSA conduct a risk assessment that includes all elements of risk, enhance its security strategy by incorporating performance measures, improve sharing of security technology information, and develop a plan with milestones for meeting 9/11 Act provisions. DHS concurred with GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-09-678] or key components. For more information, contact Cathy Berrick at (202) 512- 3404 or berrickc@gao.gov. [End of section] Contents: Letter: Background: Federal and Industry Stakeholders Have Assessed Individual Elements of Risk, Which Have Informed TSA's Security Strategy, but TSA Could Strengthen Its Approach by Conducting a Risk Assessment and Updating Its Security Strategy: Federal and Industry Stakeholders Have Taken Key Actions to Strengthen Transit Security and Federal Actions Have Been Generally Consistent with TSA's Strategy, but Opportunities Exist to Strengthen Some Programs: TSA Reported Implementing Some 9/11 Commission Act Provisions for Mass Transit and Passenger Rail Security, but Implementing New Regulations May Pose Challenges for TSA and Industry Stakeholders: Conclusions: Recommendations for Executive Action: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: TSA/FTA Security and Emergency Management Action Items: Appendix III: Identifying Characteristics of Successful National Strategies in the Context of Mass Transit and Passenger Rail Security: Appendix IV: Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security since 2004: Appendix V: Modal Annex Objectives and Examples of Actions Taken to Achieve Them as of February 2009: Appendix VI: DHS Mass Transit and Passenger Rail Related Security Technology Pilots Conducted from 2004 to 2009: Appendix VII: Comments from Amtrak: Appendix VIII: Comments from the Department of Homeland Security: Appendix IX: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Summary of Federal and Industry Stakeholders' Assessment Activities since 2004: Table 2: Summary of Federal and Industry Stakeholders' Assistance to Transit Agencies for Risk Assessments Provided since 2004: Table 3: Summary of Desirable Characteristics of Successful National Strategies and Related Executive Order Factors: Table 4: Sector Goals and Passenger Rail and Mass Transit Subordinate Objectives to Complete Sector Goals: Table 5: Key Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security Since 2004: Table 6: Key Selected Provisions of the 9/11 Commission Act for Mass Transit and Passenger Rail Security and TSA's Reported Implementation Status, as of March 2009: Table 7: Mass Transit and Passenger Rail Systems Interviewed: Table 8: Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security since 2004: Table 9: TSA Mass Transit Modal Annex Objectives and Examples of Actions That Have Been Employed to Achieve the Objectives, as of February 2009: Table 10: DHS Mass Transit and Passenger Rail Related Security Technology Pilots Conducted from 2004 to 2009: Figures: Figure 1: Geographic Distribution of Amtrak and Rail Transit Systems in the United States: Figure 2: NIPP Risk Management Framework: Figure 3: Photo of DHS S&T Pilot Technology for a Fare Card Vending Machine with Explosive Trace Detection Capability: Abbreviations: AAR: after-action report: APTA: American Public Transportation Association: ASFD-S: Assistant Federal Security Director-Surface: BASE: Baseline Assessment for Security Enhancement: CI/KR: critical infrastructure and key resource: CONOPS: Concept of Operations: DHS: Department of Homeland Security: DHS S&T: Department of Homeland Security Science and Technology Directorate: DOT: Department of Transportation: FEMA: Federal Emergency Management Administration: FRA: Federal Railroad Administration: FTA: Federal Transit Administration: GCC: Government Coordinating Council: HITRAC: Homeland Infrastructure Threat Reporting and Analysis Center: HSIN: Homeland Security Information Network: HSPD-7: Homeland Security Presidential Directive 7: IED: improvised explosive device: IPT: Integrated Product Team: MOU: memorandum of understanding: NPPD: National Protection and Programs Directorate: NSTS: National Strategy for Transportation Security: NTI: National Transit Institute: ODP: Office of Domestic Preparedness: PAG: Transit Policing and Security Peer Advisory Group: PART: Program Assessment Rating Tool: SAAP: Security Analysis and Action Program: SCC: Sector Coordinating Council: SEMTAP: Security and Emergency Management Technical Assistance Program: SHIRA: Strategic Homeland Infrastructure Risk Assessment: SSA: sector-specific agency: STSIP: Surface Transportation Security Inspection Program: TRAM: Transit Risk Assessment Methodology: TSA: Transportation Security Administration: TSA-OI: TSA Office of Intelligence: TSGP: Transit Security Grant Program: TSI-S: Transportation Security Inspector-Surface: TSNM: Transportation Sector Network Management: TS-SSP: Transportation Systems-Sector Specific Plan: VIPR: Visible Intermodal Prevention and Response: [End of section] United States Government Accountability Office: Washington, DC 20548: June 24, 2009: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: Dear Mr. Chairman: Mass transit and passenger rail systems are vital components of the nation's transportation infrastructure, encompassing rail transit (heavy rail, commuter rail, and light rail), intercity rail, and transit bus systems.[Footnote 1] In the United States, mass transit and passenger rail systems provide approximately 34 million passenger trips each weekday, and commuters rely on these systems to provide efficient, reliable and safe transportation.[Footnote 2] However, terrorist attacks on mass transit and passenger rail systems around the world-- such as the 2006 passenger train bombing in Mumbai, India that resulted in 209 fatalities--highlight the vulnerability of these systems and the need for an increased focus on securing them from terrorism. While there have been no terrorist attacks against U.S. mass transit and passenger rail systems to date, the systems are vulnerable to attack in part because they rely on an open architecture that is difficult to monitor and secure due to its multiple access points, hubs serving multiple carriers, and, in some cases, no barriers to access. Further, an attack on these systems could potentially lead to significant casualties due to the high number of daily transit passengers, especially during peak commuting hours. While several entities play a role in helping to fund and secure U.S. mass transit and passenger rail systems, the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the primary federal agency responsible for overseeing security for these systems and for developing a national strategy and implementing programs to enhance their security. Additionally, several DHS components--with assistance from the Department of Transportation's (DOT) Federal Transit Administration (FTA) and Federal Railroad Administration (FRA)--are to conduct threat and vulnerability assessments of mass transit and passenger rail systems, research and develop security technologies for these systems, and develop security training programs for mass transit and passenger rail employees. Day- to-day responsibility for securing mass transit and passenger rail systems falls on mass transit and passenger rail agencies themselves, local law enforcement, and often state and local governments that own a significant portion of the infrastructure. The partnership of federal and non-federal mass transit and passenger rail stakeholders was strengthened following the terrorist attacks of September 11TH, in part, by collaborating to implement a variety of security programs. In addition, the passage of the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act) in August 2007 requires DHS to further expand its roles and responsibilities for securing mass transit and passenger rail in several areas, such as by conducting and updating security assessments and issuing new regulations that will establish new security requirements for mass transit and passenger rail agencies to implement.[Footnote 3] You requested that we evaluate TSA's mass transit and passenger rail security strategy and supporting programs and activities, as well as TSA's efforts to assess the impact of these initiatives on U.S. mass transit and passenger rail systems since TSA's issuance of passenger rail security directives in 2004.[Footnote 4] Specifically, this report addresses the following questions: * To what extent have federal and industry stakeholders assessed or supported assessments of the security risks to mass transit and passenger rail since 2004, and how, if at all, has TSA used risk assessment information to inform and update its security strategy? * What key actions, if any, have federal and industry stakeholders implemented or initiated, since 2004, to strengthen the security of mass transit and passenger rail systems; to what extent are federal actions consistent with TSA's security strategy; and what challenges, if any, does TSA face in implementing them? * What is TSA's reported status in implementing provisions of the Implementing Recommendations of the 9/11 Commission Act of 2007 related to mass transit and passenger rail security, and what challenges, if any, does TSA and mass transit and passenger rail industry face in implementing the actions required by the act? To determine the extent to which federal and industry stakeholders assessed security risks to mass transit and passenger rail systems since 2004, we analyzed various assessment reports from DHS component agencies, including TSA, DHS's Office of Infrastructure Protection within the National Protection and Programs Directorate (NPPD), and the Homeland Infrastructure Threat Reporting and Analysis Center (HITRAC), as well as FTA and stakeholders outside of the federal government. [Footnote 5] Because of the scope of our work, we relied on TSA to identify its assessment activities but did not assess the extent to which its assessment activities meet the National Infrastructure Protection Plan (NIPP) criteria for threat, vulnerability, and consequence assessments. In addition, we analyzed TSA's security strategy for the mass transit and passenger rail systems--the Mass Transit Modal Annex--to determine the extent to which it addressed the threats, vulnerabilities, and consequences identified in the assessments we reviewed. We also analyzed requirements pertaining to mass transit and passenger rail security assessments and strategy including Executive Order 13416: Strengthening Surface Transportation Security, to determine the extent to which TSA's security strategy conformed to requirements.[Footnote 6] We analyzed executive guidance including the NIPP and the Transportation Systems-Sector Specific Plan (TS-SSP) to determine the best practices for effectively implementing a risk management framework and associated best practices for conducting risk assessments. We also reviewed guidance on strategic planning that GAO developed in a previous report.[Footnote 7] To determine key actions federal and industry stakeholders have initiated or implemented since 2004 to strengthen mass transit and passenger rail security, we analyzed documentation on DHS and DOT mass transit and passenger rail security programs, including the Mass Transit Modal Annex, after action reports of TSA security operations, and security technology information on DHS's Homeland Security Information Network (HSIN) Public Transit Portal. We also interviewed federal stakeholders, including DHS representatives from TSA, the DHS Science and Technology Directorate (DHS S&T), and HITRAC, and DOT representatives from FTA and FRA.[Footnote 8] Additionally, we analyzed federal actions against the objectives outlined in TSA's security strategy--the Mass Transit Modal Annex--to determine whether these actions were consistent with the strategy. To identify implementation challenges with these actions, we interviewed federal and transit agency stakeholders involved in either developing or participating in these programs. We conducted site visits, or held teleconferences with, security and management officials from 30 mass transit and passenger rail agencies across the nation. Additionally, we met with officials from two regional transit authorities and Amtrak officials responsible for overall systems security as well as individual station security personnel. The entities we interviewed represent 75 percent of the nation's total mass transit and passenger rail ridership based on information we obtained from the Federal Transit Administration's National Transit Database and the American Public Transportation Association. Because we selected a non-probability sample of mass transit and passenger rail agencies, the results from these visits and teleconferences cannot be generalized to all mass transit and passenger rail agencies; however, information we obtained provided us with an broad overview of the types of key actions taken to strengthen security. To determine TSA's reported status in implementing mass transit and passenger rail provisions of the 9/11 Commission Act and challenges TSA and industry stakeholders may face in implementing actions required by the act, we analyzed TSA documentation outlining the agency's status in fulfilling various requirements and documentation on TSA's Surface Transportation Security Inspection Program. We also interviewed officials from TSA's Surface Transportation Security Inspection Program, including headquarters officials, and inspectors from 13 of 54 field office locations, including 11 of 12 Assistant Federal Security Directors for Surface (supervisors for primary field offices) regarding how the 9/11 Commission Act requirements may affect their job responsibilities. We interviewed officials from all inspection program field locations that have oversight responsibility for the mass transit and passenger rail agencies we interviewed. Because we selected a non- probability sample of TSA's Surface Transportation Security Inspection Program field offices, the results from these interviews cannot be generalized to all Surface Transportation Security Inspection Program field offices; however, information we obtained provided us with an overview of the potential impact of the 9/11 Commission Act on field operations. We conducted this performance audit from September 2007 through June 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Overview of U.S. Mass Transit and Passenger Rail Systems: Mass transit and passenger rail systems provided 10.7 billion passenger trips in the United States in fiscal year 2008.[Footnote 9] The nation's mass transit and passenger rail systems include all multiple- occupancy vehicle services designed to transport customers on local and regional routes, such as transit buses, heavy rail, commuter rail, and light rail services, and the interconnected facilities and vehicles feeding into the transit systems. Buses are the most widely used form of transit, providing almost two-thirds of all passenger trips. Heavy rail systems--subway systems like New York City's transit system and Washington, D.C.'s Metro--typically operate on fixed rail lines within a metropolitan area and have the capacity for a heavy volume of traffic. Commuter rail systems typically operate on railroad tracks and provide regional service (e.g., between a central city and adjacent suburbs). Light rail systems are typically characterized by lightweight passenger rail cars that operate on track that is not separated from vehicular traffic for much of the way. Mass transit and passenger rail systems in the United States are typically owned and operated by public sector entities, such as state and regional transportation authorities. Amtrak, which reported that it provided 25.8 million passenger trips in fiscal year 2007, operates the nation's primary intercity passenger rail and serves more than 500 stations in 46 states and the District of Columbia.[Footnote 10] Amtrak operates over a 22,000 mile network, primarily over leased freight railroad tracks. In addition to leased tracks, Amtrak owns about 650 miles of track, primarily on the "Northeast Corridor" between Boston and Washington, D.C., which carries about two-thirds of Amtrak's total ridership. Stations are owned by Amtrak, freight carriers, municipalities, and some private entities. Amtrak also operates commuter rail services in certain jurisdictions on behalf of state and regional transportation authorities. Figure 1 identifies the geographic distribution of rail transit systems and Amtrak within the United States. Though not indicated on the map, all of these cities also have bus transit systems. Figure 1: Geographic Distribution of Amtrak and Rail Transit Systems in the United States: [Refer to PDF for image: U.S. map] The map represents the geographic distribution of Amtrak and Rail Transit systems in the United States, specifically depicting: * Amtrak rail network; * Amtrak rail stations along the network. Additionally, for specific cities, the following information is depicted: City: Albuquerque, New Mexico; Number of light rail systems in city: 1. City: Alexandria, Virginia; Number of light rail systems in city: 1. City: Anchorage, Alaska; Number of light rail systems in city: 1. City: Atlanta, Georgia; Number of heavy rail systems in city: 1. City: Baltimore, Maryland; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 1. City: Boston, Massachusetts; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: Buffalo, New York; Number of light rail systems in city: 1. City: Chesterton, Indiana; Number of light rail systems in city: 1. City: Chicago, Illinois; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 2. City: Cleveland, Ohio; Number of heavy rail systems in city: 1; Number of light rail systems in city: 1. City: Dallas, Texas; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: Denver, Colorado; Number of light rail systems in city: 1. City: Detroit; Michigan; Number of light rail systems in city: 1. City: Galveston, Texas; Number of light rail systems in city: 1. City: Harrisburg, Pennsylvania; Number of light rail systems in city: 1. City: Houston, Texas; Number of light rail systems in city: 1. City: Kenosha, Wisconsin; Number of light rail systems in city: 1. City: Los Angeles, California; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: Memphis, Tennessee; Number of light rail systems in city: 1. City: Miami, Florida; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 1. City: Minneapolis, Minnesota; Number of light rail systems in city: 1. City: Nashville, Tennessee; Number of light rail systems in city: 1. City: New Haven, Connecticut; Number of commuter rail systems in city: 1. City: New Jersey cities; Number of light rail systems in city: 3. City: New Orleans, Louisiana; Number of light rail systems in city: 1. City: New York, New York; Number of heavy rail systems in city: 3; Number of commuter rail systems in city: 3. City: Philadelphia, Pennsylvania; Number of heavy rail systems in city: 2; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: Pittsburgh, Pennsylvania; Number of light rail systems in city: 1. City: Portland, Oregon; Number of light rail systems in city: 1. City: Sacramento, California; Number of light rail systems in city: 1. City: Salt Lake City, Utah; Number of light rail systems in city: 1. City: San Diego, California; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: San Francisco, California; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: San Jose, California; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: Seattle, Washington; Number of commuter rail systems in city: 1; Number of light rail systems in city: 1. City: St. Louis, Missouri; Number of light rail systems in city: 1. City: Syracuse, New York; Number of light rail systems in city: 1. City: Tampa, Florida; Number of light rail systems in city: 1. City: Tacoma, Washington; Number of light rail systems in city: 1. City: Washington, DC; Number of heavy rail systems in city: 1; Number of commuter rail systems in city: 2. Source: Amtrak and National Transit Database; Map Resources (map). [End of figure] Mass Transit and Passenger Rail Systems Are Inherently Vulnerable to Terrorist Attacks: To date, U.S. mass transit and passenger rail systems have not been attacked by terrorists. However, these systems have received heightened attention as several alleged terrorists' plots have been uncovered, including multiple plots involving systems in the New York City area. Worldwide, mass transit and passenger rail systems have been the frequent target of terrorist attacks. According to the Worldwide Incidents Tracking System maintained by the National Counter-Terrorism Center, from January 2004 to July 2008, there were 530 terrorist attacks worldwide against mass transit and passenger rail targets, resulting in over 2,000 deaths and over 9,000 injuries. Terrorist attacks include a 2007 attack on a passenger train in India (68 fatalities and over 13 injuries); the 2005 attack on London's underground rail and bus systems (52 fatalities and over 700 injuries); and the 2004 attack on commuter rail trains in Madrid (191 fatalities and over 1,800 injuries). In January 2008, Spanish authorities arrested 14 suspected terrorists who were allegedly connected to a plot to conduct terrorist attacks in Spain, Portugal, Germany, and the United Kingdom, including an attack on the Barcelona metro subway system. The most common means of attack against mass transit and passenger rail systems has been improvised explosive devices (IED), with many of these attacks delivered by suicide bombers.[Footnote 11] According to transit agency officials, certain characteristics of mass transit and passenger rail systems make them inherently vulnerable to terrorist attacks and therefore difficult to secure. By design, mass transit and passenger rail systems are open (i.e., have multiple access points, hubs serving multiple carriers, and, in some cases, no barriers to access) so that they can move large numbers of people quickly. The openness of these systems can leave them vulnerable because operator personnel cannot completely monitor or control who enters or leaves the systems. In addition, other characteristics of mass transit and passenger rail systems--high ridership, expensive infrastructure (more so for passenger rail than bus), economic importance, and location in large metropolitan areas or tourist destinations--also make them attractive targets for terrorists because of the potential for mass casualties, economic damage and disruption. Moreover, some of these same characteristics make them difficult to secure. For example, the number of riders passing through a subway system--especially during peak hours--may make the sustained use of some security measures, such as airport style passenger screening checkpoints, difficult because the measures could disrupt scheduled service. In addition, multiple access points along extended routes may make securing each location difficult because of the costs associated with such actions. Balancing the potential economic impacts of security enhancements with the benefits of such measures is a difficult challenge. Multiple Stakeholders Share Responsibility for Securing Mass Transit and Passenger Rail Systems: Securing the nation's mass transit and passenger rail systems is a shared responsibility requiring coordinated action on the part of federal, state, and local governments; the private sector; and passengers who ride these systems. Since the September 11, 2001 attacks, the role of federal agencies in securing the nation's transportation systems has continued to evolve. In response to the September 11TH terrorist attacks, Congress passed the Aviation and Transportation Security Act of 2001, which created TSA within DOT and conferred to the agency broad responsibility for overseeing the security of all modes of transportation, including mass transit and passenger rail.[Footnote 12] In 2002, Congress passed the Homeland Security Act, which established DHS, transferred TSA from DOT to DHS, and assigned DHS responsibility for protecting the nation from terrorism, including securing the nation's transportation systems. [Footnote 13] Within TSA, the office of Transportation Sector Network Management (TSNM) leads the unified effort to protect and secure the nation's intermodal transportation systems, with divisions dedicated to each transportation mode, including mass transit and passenger rail. Within TSA's Office of Security Operations, the Office of Multi-modal Oversight manages the Surface Transportation Security Inspection Program which coordinates with TSNM to develop and implement security programs, including strategies for conducting and implementing assessments and other actions in mass transit and passenger rail. In addition, TSA's Office of Intelligence (TSA-OI) is responsible for collecting and analyzing threat information related to the transportation network, which includes all modes of transportation. TSA is supported in these efforts by other DHS entities such as the NPPD and the Federal Emergency Management Agency's (FEMA) Grant Programs Directorate and Planning and Assistance Branch. The NPPD is responsible for coordinating efforts to protect the nation's most critical assets across all 18 industry sectors, including surface transportation.[Footnote 14] FEMA's Grant Programs Directorate is responsible for managing DHS grants for mass transit. FEMA's Planning and Assistance Branch is responsible for assisting transit agencies with how to conduct risk assessments. TSA has issued requirements related to the security of mass transit and passenger rail systems. Specifically, in May 2004, TSA issued security directives that mandated passenger rail agencies and Amtrak to implement certain security measures, such as periodically inspecting passenger rail cars for suspicious or unattended items and reporting potential threats or significant security concerns to appropriate law enforcement authorities and TSA.[Footnote 15] In addition to these requirements, in August 2007, the 9/11 Commission Act was signed into law, which included provisions that task TSA with security actions related to mass transit and passenger rail security. Among other things, these provisions include mandates for developing and issuing reports on TSA's strategy for securing public transportation, conducting and updating security assessments of mass transit systems, and establishing a program for conducting security exercises for transit and rail agencies. While TSA is the lead federal agency for overseeing the security of all transportation modes, DOT continues to play a key supporting role in securing mass transit and passenger rail systems. In a 2004 memorandum of understanding (MOU) and a 2005 annex to the MOU, TSA and FTA agreed that the two agencies would coordinate their programs and services, with FTA playing a supporting role by providing technical assistance and assisting DHS with implementation of its security policies, including collaborating in developing regulations affecting transportation security. In particular, FTA has played a role in coordinating and funding security training programs for mass transit and passenger rail employees, and provided dedicated funding to three federal training providers to implement mass transit and passenger rail employee training programs. Additionally, FTA administers the State Safety Oversight program and may withhold federal funding for states' noncompliance with regulations governing state safety oversight agencies.[Footnote 16] As part of this program, state safety oversight agencies are responsible for reviewing and approving rail transit agencies' safety and security plans, among other activities. FTA also promotes mass transit and passenger rail safety and security by providing funding for research, technical assistance, and technology demonstration projects. In addition to FTA, DOT's FRA also has regulatory authority over commuter rail operators and Amtrak and employs over 400 inspectors who periodically monitor the implementation of safety and security plans at these systems. FRA regulations require railroads that operate intercity or commuter passenger train service or that host the operation of that service to adopt and comply with a written emergency preparedness plan approved by FRA.[Footnote 17] State and local governments, mass transit and passenger rail operators, and private industry are also important stakeholders in the nation's mass transit and passenger rail security efforts. State and local governments, in some cases, own or operate a significant portion of mass transit and passenger rail systems. Consequently, the responsibility for responding to emergencies involving systems that run through their jurisdictions often falls to state and local governments. Although all levels of government are involved in mass transit and passenger rail security, the primary responsibility for securing the systems rests with the mass transit and passenger rail operators. These operators, which can be public or private entities, are responsible for administering and managing transit activities and services, including security. They can also directly operate the security service provided or contract for all or part of the total service. We discuss security actions taken by federal agencies and mass transit and passenger rail system operators later in this report. A Risk-Based Approach to Mass Transit and Passenger Rail Security: In recent years, we, along with the Congress, the executive branch, and the 9/11 Commission have recommended that federal agencies with homeland security responsibilities utilize a risk management approach to help ensure that finite national resources are dedicated to assets or activities considered to have the highest security priority.[Footnote 18] We have concluded that without a risk management approach, there is limited assurance that programs designed to combat terrorism would be properly prioritized and focused.[Footnote 19] Thus, risk management, as applied in the homeland security context, can help to more effectively and efficiently prepare defenses against acts of terrorism and other threats. Homeland Security Presidential Directive 7 (HSPD-7) directed the Secretary of Homeland Security to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities. Recognizing that each sector possesses its own unique characteristics and risk landscape, HSPD-7 designates federal government sector specific agencies (SSA) for each of the critical infrastructure sectors that are to work with DHS to improve critical infrastructure security.[Footnote 20] On June 30, 2006, DHS released the National Infrastructure Protection Plan (NIPP), which created--in accordance with HSPD-7--a risk-based framework for the development of SSA strategic plans. [Footnote 21] As the SSA for transportation, TSA developed the Transportation Systems--Sector Specific Plan (TS-SSP) in 2007 to document the process to be used in carrying out the national strategic priorities outlined in the NIPP and the National Strategy for Transportation Security (NSTS).[Footnote 22] The TS-SSP contains supporting modal implementation plans for each transportation mode, including mass transit and passenger rail, which provides information on current efforts to secure mass transit and passenger rail, as well as TSA's overall goals and objectives related to mass transit and passenger rail security.[Footnote 23] The NIPP defines roles and responsibilities for security partners in carrying out critical infrastructure and key resource (CI/KR) protection activities through the application of risk management principles.[Footnote 24] Figure 2 illustrates the several interrelated activities of the risk management framework as defined by the NIPP. The NIPP requires that federal agencies use this information to inform the selection of risk-based priorities and the continuous improvement of security strategies and programs to protect people and critical infrastructure by reducing the risk of acts of terrorism. Figure 2: NIPP Risk Management Framework: [Refer to PDF for image: illustration] Utilizing physical, human, and cyber interaction, the following interrelated activities comprise the risk management framework through a feedback loop of continuous improvement to enhance protection of critical infrastructure and key resources: * Set security goals; * Identify assets, systems, networks, and functions; * Assess risks (consequences, vulnerabilities, and threats); * Prioritize; * Implement protective programs; * Measure effectiveness. Source: DHS. [End of figure] Within the risk management framework, the NIPP also establishes baseline criteria for conducting risk assessments. According to the NIPP, risk assessments are a qualitative and/or quantitative determination of the likelihood of an adverse event occurring and are a critical element of the NIPP risk management framework. Risk assessments can also help decision makers identify and evaluate potential risks so that countermeasures can be designed and implemented to prevent or mitigate the potential effects of the risks. The NIPP characterizes risk assessment as a function of three elements: * Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident. In the context of risk associated with a terrorist attack, the estimate of threat is based on the analysis of the intent and the capability of an adversary; in the context of a natural disaster or accident, the likelihood is based on the probability of occurrence. * Vulnerability: The likelihood that a characteristic of, or flaw in, an asset, system, or network's design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation by terrorist or other intentional acts, mechanical failures, and natural hazards. * Consequence: The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack, natural disaster, or other incident. Information from the three elements that assess risk--threat, vulnerability and consequence--can lead to a risk characterization and provide input for prioritizing security goals. Federal and Industry Stakeholders Have Assessed Individual Elements of Risk, Which Have Informed TSA's Security Strategy, but TSA Could Strengthen Its Approach by Conducting a Risk Assessment and Updating Its Security Strategy: Since 2004, federal and industry stakeholders have conducted assessments of individual elements of risk--threat, vulnerability and consequence--and this information has informed TSA's mass transit and passenger rail security strategy. However, TSA could strengthen its approach by using and combining this information to conduct a risk assessment of the mass transit and passenger rail system and by updating its strategy to include characteristics that we identified as desirable practices for successful national strategies and to more fully address elements that are outlined in Executive Order 13416: Strengthening Surface Transportation Security.[Footnote 25] Federal and Industry Stakeholders Have Conducted Assessments of Individual Elements of Risk, but TSA Could Strengthen Its Approach by Conducting a Risk Assessment: While federal and industry stakeholders have conducted assessments of individual elements of risk--threat, vulnerability, and consequence-- TSA could strengthen its security approach by using and combining this information to conduct a risk assessment of the mass transit and passenger rail system. A risk assessment, as required by the NIPP, involves assessing each of the three elements of risk and then combining them together into a single analysis. Since 2004, federal agencies have conducted a range of assessment activities related to the individual elements of risk to help determine their strategy for securing mass transit and passenger rail systems, and provided guidance to mass transit and passenger rail agencies on how to conduct assessments of individual elements of risk. For example, DHS's threat assessments considered potential threats to the mass transit and passenger rail system, while vulnerability assessments focused on mass transit and passenger rail systems' security conditions or specific infrastructure such as tunnels. In addition to DHS assessments, DOT provided assistance to mass transit and passenger rail agencies on how to conduct threat and vulnerability assessments, and transit agencies have reported conducting risk assessments for their own systems or assets. See table 1 for a summary of federal and industry stakeholders' assessment activities related to individual elements of risk. Table 1: Summary of Federal and Industry Stakeholders' Assessment Activities since 2004: DHS Transportation Security Administration (TSA): Entity: Office of Intelligence; Time frame: 2008; Description: Annual Threat Assessments: TSA's Office of Intelligence provides an overview of threats--including key actors and possible attack tactics and targets--to mass transit and passenger rail systems. The assessment includes incidents of interest and suspicious activities targeting mass transit and passenger rail in the United States and overseas; Risk Elements: Threat. Entity: Transportation Sector Network Management (TSNM)/Surface Transportation Security Inspection Program (STSIP); Time frame: 2006-present; Description: Baseline Assessment for Security Enhancement (BASE): Surface inspectors, in coordination with transit agency officials, assess a transit agency's overall security posture, focusing on the implementation and effectiveness of security plans, programs and measures, security gaps, and best practices. Since 2006, TSA reported it has conducted BASE reviews at 91 of the top 100 largest mass transit and passenger rail agencies in the nation and has initiated follow-on BASE reviews to determine if previously identified security shortfalls have been corrected; Risk Elements: Vulnerability. DHS National Protection and Programs Directorate (NPPD): Entity: Homeland Security Threat and Risk Analysis Center (HITRAC); Time frame: 2008; Description: Strategic Homeland Infrastructure Risk Assessment (SHIRA): Annual document assessing risk across each of the 18 CI/KR sectors including mass transit and passenger rail. Includes threat scenarios identified by HITRAC and vulnerability and consequence information provided by each CI/KR sector; Risk Elements: Threat; Vulnerability[A]; Consequence[A]. Entity: Science and Technology Directorate (DHS S&T); Time frame: 2007; Description: DHS Transportation Security Administration (TSA): Transit Tunnel Vulnerability Assessments: DHS S&T, in coordination with TSNM- Mass Transit and National Laboratories, assessed the vulnerabilities of transit tunnels and potential consequences to tunnel structures resulting from various types of explosive threats. S&T also assists transit agencies with planning and implementing protective measures to deter and prevent terrorist attacks; Risk Elements: Vulnerability; Consequence. Industry Stakeholders: Entity: National Railroad Passenger Corporation (Amtrak); Time frame: 2007-present; Description: Risk Assessment: Amtrak has reported conducting risk assessments that incorporate and combine all three elements of risk (threat, vulnerability, and consequence) for all of its systems; Risk Elements: Threat; Vulnerability; Consequence. Entity: Transit Systems; Time frame: 2008-present; Description: DHS Transportation Security Administration (TSA): Risk Assessment: Transit system officials reported conducting risk assessments that incorporate and combine all three elements of risk (threat, vulnerability, and consequence) to their systems and assets; Risk Elements: Threat; Vulnerability; Consequence. Source: GAO analysis of DHS and industry data. [A] Bullets in parentheses represent assessment information provided by TSA-TSNM-Mass Transit to DHS HITRAC for its risk analysis. [End of table] As table 1 shows, DHS developed the Strategic Homeland Infrastructure Risk Assessment (SHIRA) that assessed risk across 18 CI/KR sectors. To develop SHIRA, DHS collaborated with members of the intelligence community to determine threats against various systems and assets in the 18 CI/KR sectors. TSA then assessed the vulnerabilities and consequences that resulted from these threat scenarios and provided this information to HITRAC. Although TSA contributed to DHS's risk assessment effort, it has not conducted its own risk assessment of mass transit and passenger rail systems. TSA officials explained that the threat scenarios that SHIRA provided were general and not specific to mass transit and passenger rail. TSA could, however, use the information it provided for SHIRA to support a risk assessment. Table 1 also shows that mass transit and passenger rail agencies, including Amtrak, have reported conducting risk assessments of their own systems. Officials from 26 of 30 of the transit systems we visited stated that they had conducted their own assessments of their systems, including risk assessments. For example, one transit agency official stated that the agency had conducted risk assessments of its stations since 2003 and had updated them every 2 years. The official explained that his agency uses the risk assessment results to conduct cost benefit analyses that the agency uses before instituting new programs or purchasing equipment for its system. He also said that the assessments help the agency track risk reduction as a result of its security investments. Additionally, Amtrak officials stated that they conducted a risk assessment of all of their systems. As part of the assessment, Amtrak contracted with a private consulting firm to provide a scientific basis for identifying critical points at stations that might be vulnerable to IED attacks or that are structurally weak. Amtrak officials also stated that they gather and analyze threat information obtained from various classified and unclassified sources such as DHS, TSA, and the Federal Bureau of Investigation's Joint Terrorism Task Force. Transit agencies have also received assistance in the form of either guidance or actual risk assessments from several federal and industry stakeholders. Table 2 identifies the various assistance programs available to transit agencies for risk assessment efforts. Table 2: Summary of Federal and Industry Stakeholders' Assistance to Transit Agencies for Risk Assessments Provided since 2004: DHS Transportation Security Administration (TSA). Entity: Office of Security Operations/Surface Transportation Security Inspection Program (STSIP); Timeframe: 2008-present; Description: Risk Assessment Tool: Mass transit and passenger rail risk assessment product to be used by TSA's surface inspectors. This tool is still being developed by the Office of Security Operations (OSO) in coordination with TSNM, TSA Office of Intelligence (TSA-OI), and STSIP. Initial field testing is estimated to commence in July 2009. Entity: Transportation Sector Network Management (TSNM)/Surface Transportation Security Inspection Program (STSIP); Timeframe: 2005-present; Description: Security Analysis and Action Program (SAAP): Upon a transit agency's request, surface inspectors conduct analyses of a transit agency's critical infrastructure and physical systems and, among other things, identify deficiencies, determine the underlying causes, and develop recommendations to the agency to correct the deficiencies. As of November 2008, TSA had completed SAAPs for seven mass transit and passenger rail systems; however, no SAAP has been conducted since November 2008[A]. Vulnerability Identification Self-Assessment Tool (VISAT): Self- assessment risk tool used by surface inspectors to conduct SAAP on transit agencies. The tool is to be used in developing a security baseline evaluation of a transit agency. The tool focuses on the prevention and mitigation of an array of threat scenarios and enables users to assess their security system's effectiveness in direct response to these specific threat scenarios. DHS Federal Emergency Management Agency: Entity: Planning and Assistance Branch; Timeframe: 2004-present; Description: Mass Transit Technical Assistance Program; FEMA officials, through a private consulting firm, assist passenger rail operators in enhancing their capacity and preparedness to respond to terrorist incidents and prioritize countermeasures. As of April 2009, FEMA has provided technical assistance to 36 passenger rail operators. This program was initially administered by DHS's Office of Domestic Preparedness (ODP) but has been managed by DHS-FEMA since March 2007[B]. Transit Risk Assessment Methodology Tool Kit (TRAM): Risk guidance for transit agencies that was part of the Mass Transit Technical Assistance Program. Department of Transportation (DOT): Entity: Federal Transit Administration (FTA); Timeframe: 2004-present; Description: Security and Emergency Management Technical Assistance Program (SEMTAP): Through this program, FTA officials provided guidance to the largest transit agencies on how to conduct threat and vulnerability assessments. Entity: Federal Transit Administration (FTA); Timeframe: 2007; Description: FTA-TSA Security and Emergency Management Action Items for Transit Agencies: Risk guidance for transit agencies including a resource link to a sample methodology. Industry stakeholder: Entity: American Public Transportation Association (APTA); Timeframe: 2008-present; Description: Recommended Practices for the Development and Implementation of a Security and Emergency Preparedness Plan (SEPP): Provides procedures for developing and implementing a security and emergency preparedness plan by transit agencies. Includes threat, vulnerability, and consequence identification and resolution approaches for transit agencies. Source: GAO analysis of DHS, DOT and industry data. Note:Although a few assistance programs started before 2004 (e.g., FEMA's Mass Transit Assistance Program and FTA's SEMTAP), for the purpose of this report, we are limiting our analysis to assistance that has been provided since 2004. [A] The seven SAAP assessments TSA reported conducting were those on the Virginia Railway Express, Portland Tri-Met Light Rail, Alaska Railroad, Amtrak Northeast Corridor power infrastructure, CSX Railroad (Indianapolis), Avon Yards (Indianapolis), and New Mexico Rail Runner Express. [B] In March 2004, the Secretary of Homeland Security consolidated ODP with the Office of State and Local Government Coordination to form the Office of State and Local Government Coordination and Preparedness (SLGCP). In 2007, SLGCP was incorporated under the DHS Preparedness Directorate as OGT and, in March 2007, OGT was incorporated into DHS- FEMA. [End of table] As table 2 shows, federal and industry stakeholders also provided assistance to transit agencies on how to assess risk. For example, FTA provided on-site technical assistance to the nation's 50 largest transit agencies (i.e., those transit agencies with the highest ridership) on how to conduct threat and vulnerability assessments, among other technical assistance needs, through its Security and Emergency Management Technical Assistance Program (SEMTAP). According to FTA officials, although FTA continues providing technical assistance to transit agencies, the on-site SEMTAP program concluded in July 2006. Furthermore, FTA officials stated that on-site technical assistance was transferred to TSA when TSA became the lead agency on security matters for mass transit and passenger rail. Also, from 2004 though 2007, the former DHS Office of Domestic Preparedness (ODP), through a private consulting firm, provided assistance to transit agencies on how to conduct risk assessments through the Mass Transit Technical Assistance Program. Within this program, ODP developed a Transit Risk Assessment Methodology (TRAM) tool kit that provided transit agencies with an instrument to compare relative risks of terrorism against critical assets to better identify and prioritize security enhancements to reduce those risks. We reported in 2005 that officials from transit agencies participating in the Mass Transit Technical Assistance Program valued it and stated that the program was successful in helping them to devise risk-reduction strategies to guide security-related investments.[Footnote 26] Subsequently, since the restructuring of ODP in 2007, this program has been transferred to FEMA's Planning and Assistance Branch where it has continued assisting transit agencies with risk assessments. However, according to FEMA's Chief of the Planning and Assistance Branch, because of the high cost of the program--$300,000 to $600,000 per transit agency--the rate of assistance to transit agencies has decreased annually. Also, FEMA is trying to convert the focus of the program from technical assistance to training. As such, FEMA plans to educate transit agencies on how to conduct risk assessments. Additionally, the same FEMA official reported that FEMA is also in the process of conducting a pilot project with one transit agency to evolve the program and the tool kit to an all hazards focus. Furthermore, recognizing the value of this program, officials from four of the 30 transit agencies we interviewed have since contracted with the same private consulting firm that ODP and FEMA used to update security plans or conduct a cost-benefit analysis of new programs or equipment. Multiple Potential Threats to Mass Transit and Passenger Rail Have Been Identified: TSA has reported conducting annual threat assessments of the mass transit and passenger rail systems, and these assessments have provided TSA with an array of information about potential threats to the systems. TSA is responsible for conducting and issuing an annual threat assessment report for the mass transit and passenger rail systems. While it has been widely reported that no specific threats to the mass transit and passenger rail systems currently exist, it has been noted that terrorists tend to target these systems, as overseas attacks on mass transit and passenger rail systems have demonstrated. TSA's Mass Transit Modal Annex identified numerous potential threats to mass transit, including placing a vehicle bomb near a station or track or introducing an IED or lower-yield explosive in a station, train, or bus, or laying explosives on a track. Deploying conventional or improvised explosives would likely result in scores of casualties. Since IEDs were used in the majority of the recent overseas attacks against mass transit and passenger rail systems, TSA and other experts are concerned that extremists may be motivated to employ similar tactics to target mass transit and passenger rail systems. In its Modal Annex, TSA also noted that the threat to heavy and commuter rail (i.e., underground, subway, elevated, rapid rail, or metro) is higher than the threat to buses and light rail (i.e., street cars, trolley) because of the accessibility of the large numbers of people typically found in the confined spaces of a rail system. DHS Components, Including TSA, Conducted Several Vulnerability and Consequence Assessments That Identified Areas for Security Improvements: Several DHS components, including TSA, conducted assessments related to vulnerability and consequence since 2004, which have highlighted areas for security improvement. For example, DHS S&T conducted vulnerability assessments of transit tunnels as well as assessments of the potential consequences that various types of explosives threats would have on tunnel structures (which showed that improving evacuation plans and emergency response efforts, among other things, would improve public safety). Additionally, TSA has gathered vulnerability data through such programs as the Baseline Assessment for Security Enhancement (BASE). TSA officials reported that the BASE assesses the security posture of a mass transit or passenger rail system against the Security and Emergency Management Action Items and is TSA's primary source of vulnerability information.[Footnote 27] For example, through initial assessments of the BASE program, TSA officials identified the need for increased security training at mass transit and passenger rail systems. Furthermore, FEMA has calculated consequence information for mass transit and passenger rail by using proxy data, such as population and national infrastructure indices. This information has been incorporated into the Transit Security Grant Program (TSGP).[Footnote 28] TSA officials also reported using population density and ridership data as information for consequence assessments for mass transit and passenger rail systems and stated that they consider the number of potential casualties when determining consequence, and as a result, have chosen to focus their security efforts on the mass transit and passenger rail systems carrying the most passengers. Officials also mentioned that other factors such as the nature of the infrastructure (underground, underwater tunnels), time of day, and number of mass transit and passenger rail lines are also considered when assessing consequence. TSA Reported Using Existing Assessments to Inform Its Security Strategy, but Its Approach Could Be Strengthened by Conducting a Risk Assessment: TSA has used these various threat, vulnerability, and consequence assessments to inform its security strategy for mass transit and passenger rail--the Mass Transit Modal Annex. TSA reported that its efforts to inform its strategy included using information from TSA-OI's annual mass transit threat assessment report to, for example, highlight the greater threats to underground and underwater passenger rail segments within a transit system. TSA also reported incorporating into its strategy information identified through its BASE reviews, such as the need for increased security training at mass transit and passenger rail systems. While TSA reported using these various assessments to inform its mass transit and passenger rail security strategy, it could further strengthen its approach for securing these systems by combining the results from these assessments to conduct a risk assessment of the mass transit and passenger rail systems. Both the NIPP and TS-SSP establish a risk management framework that includes a process for considering threat, vulnerability, and consequence assessments together to determine the likelihood of a terrorist attack and the severity of its impact. The NIPP states that after the three elements of risk have been assessed, they are factored numerically and combined mathematically to provide an estimate of the expected loss considering the likelihood of an attack or other incident. It also states that when numerical values are not practical, scales could be used to estimate threat, vulnerability, and consequence. Thus, risk can be measured either quantitatively (i.e., numerically) or qualitatively (i.e., descriptively). However, rather than using the methodology established in the NIPP for assessing risk, TSA officials stated that the agency uses an intelligence-driven approach to make strategic investment decisions across the transportation system. Within this intelligence- driven approach for the sector, TSA also developed a tactical, threat- based process known as Objectively Measured Risk Reduction (OMRR) at the program level to help each of its individual divisions manage their day-to-day security operations. These approaches differ from the NIPP in part because they rely primarily on intelligence information to identify threats, prioritize tactics, and guide long-term investments, rather than systematically assessing the vulnerabilities and consequences of a range of threat scenarios. In March 2009, we recommended that TSA work with DHS to validate its risk management approach by establishing a plan and time frame for assessing the appropriateness of TSA's intelligence-driven risk management approach for managing risk and document the results of this review once completed. TSA concurred with this recommendation.[Footnote 29] TSA officials stated that they plan to revise and reissue the TS- SSP, as required by DHS, to reflect the adoption of their intelligence- driven methodology. As on June 2009, TSA reported that the update of the TS-SSP is ongoing, with the goal of completing the effort in 2009. Until TSA works with DHS to validate its risk management approach, TSA lacks assurance that its approach provides the agency and DHS with the information needed to guide investment decisions to ensure resources are allocated to the highest risks. Moreover, as we reported in March 2009, although intelligence is necessary to inform threat assessments, it does not provide all of the information needed to assess risk, in particular information related to vulnerability and consequence assessments.[Footnote 30] In addition, the intelligence-driven approach that TSA uses may be limited because, in contrast with practices adopted by the intelligence community, TSA officials do not plan to assign uncertainty or confidence levels to the intelligence information it uses to identify threats and guide long- range planning and strategic investment. Both Congress and the administration have recognized the uncertainty inherent in intelligence analysis and have required analytic products within the intelligence community to properly caveat and express uncertainties or confidence in analytic judgments. Furthermore, while intelligence can and does help the U.S. security community on an operational or tactical level, uncertainty in intelligence analysis limits its utility for long-range planning and strategic investment. Without expressing confidence levels in its analytic judgments, it will be difficult for TSA to correctly prioritize its tactics and long-term investments based on uncertain intelligence. In March 2009, we recommended that the Assistant Secretary of TSA work with the Director of National Intelligence to determine the best approach for assigning uncertainty or confidence levels to analytic intelligence products and apply this approach to intelligence products. TSA officials agreed that they do not have a risk assessment and expressed the desire to conduct one; however, they reported that a lack of resources and other factors made completing a risk assessment challenging. For example, TSA officials stated that comprehensive vulnerability and consequence assessments are cost-prohibitive and time- intensive to conduct. Specifically, according to TSA officials, the Security Analysis and Action Program conducted by surface inspectors, a program that identifies, among other things, transit agencies' vulnerabilities can take days to complete resulting in a large resource investment. However, the 9/11 Commission Act requires TSA to use existing relevant assessments developed by federal and industry stakeholders, as appropriate, to develop a risk assessment for rail, including passenger rail. Furthermore, as suggested by the NIPP, agencies should consider existing risk measures when assessing risk. In addition to using the information for SHIRA, TSA could use other risk assessments, such as industry stakeholders' risk assessments and federal and industry stakeholders' guidance on how to conduct risk assessments, to potentially support a risk assessment of the mass transit and passenger rail systems. Despite the challenges that TSA officials reported, it is important to note that risk assessment is an accepted and required practice with a long history of use in a wide variety of public and private sector organizations. Completing a risk assessment would provide TSA greater assurance that it is directing its resources toward mitigating the highest priority risks. Moreover, other agencies conduct risk assessments based on threat, vulnerability, and consequences and have overcome the challenges TSA cited. For instance, within DHS, the U.S. Coast Guard, and FEMA use risk assessment methodologies to inform resource allocation.[Footnote 31] * The U.S. Coast Guard, which is responsible for securing the maritime transportation mode, conducts risk assessments using its Maritime Security Risk Analysis Model (MSRAM). Coast Guard units use the Maritime Security Risk Analysis Model to assess the risk of terrorist attack based on scenarios--a combination of target and attack mode--in terms of threats, vulnerabilities, and consequences to more than 18,000 targets. The model combines these assessments and provides analysis to identify security priorities and support risk management decisions at the strategic, operational, and tactical levels. The tool's underlying methodology is designed to capture the security risks facing different types of targets spanning every DHS CI/KR industry sector, allowing comparison between different targets and geographic areas at the local, regional, and national levels. In conducting assessments, the Coast Guard Intelligence Coordination Center quantifies threat as a function of intent (the likelihood of terrorists seeking to attack), capability (the likelihood of terrorists having the resources to attack), and presence (the likelihood of terrorists having the personnel to attack).[Footnote 32] Intelligence Coordination Center officials stated that the Coast Guard uses MSRAM to inform allocation decisions, such as the local deployment of resources and grants. * In June 2008, we reported that FEMA used a reasonable risk assessment methodology--based on a definition of risk as a function of threat, vulnerability, and consequence--to determine grant funding allocations under the Homeland Security Grant Program.[Footnote 33] We found that this program utilized a reasonable methodology to assess risk and allocate grants to states and urban areas even though its assessment of vulnerability was limited. The risk assessment methodology used by FEMA is based on assessments of the threat, vulnerability, and consequence of a terrorist attack to each state and the largest urban areas. FEMA's methodology estimates the threat to geographic areas based on terrorists' capabilities and intentions, as determined by intelligence community judgment and data on credible plots, and planning and threats from international terrorist networks. Because this threat information is recognized as uncertain, threat accounts for 20 percent of the total risk to a geographic area, while vulnerability and consequence account for 80 percent.[Footnote 34] Moreover, the NIPP states that implementing protective programs based on risk assessment and prioritization enables DHS, sector-specific agencies, and other security partners to enhance current CI/KR protection programs and develop new programs where they will offer the greatest benefit. By conducting a risk assessment, TSA would be able to better prioritize risks as well as more confidently assure that its programs are directed toward the highest priority risks. TSA's Security Strategy Could Be Strengthened by Including Key Characteristics of a Successful National Strategy and More Fully Addressing Elements Outlined in Executive Order 13416: TSA's Mass Transit Modal Annex contains some information that is consistent with our prior work on characteristics of a successful national strategy and that is called for by Executive Order 13416: Strengthening Surface Transportation Security. However, the Modal Annex could be strengthened by including additional information that could help TSA and other implementing parties better leverage their resources to achieve the strategy's vision of protecting mass transit and passenger rail systems from terrorist attacks. In February 2004, we identified six characteristics of successful national strategies.[Footnote 35] Additionally, the Executive Order calls for the Secretary of Homeland Security to develop modal annexes for each transportation sector that includes certain elements, many of which are similar to the national strategy characteristics. Table 3 provides a brief description of five of the national strategy characteristics and relevant Executive Order elements that are discussed further below. [Footnote 36] Table 3: Summary of Desirable Characteristics of Successful National Strategies and Related Executive Order Factors: Characteristic: Purpose, scope, and methodology; Description: Addresses why the strategy was produced, the scope of its coverage, and the process by which it was developed. In addition to describing what it is meant to do and the major functions, mission areas, or activities it covers, a national strategy would ideally also outline its methodology, such as discussing the principles or theories that guided its development, what organizations or offices drafted the document, whether it was the result of a working group, or which parties were consulted in its development. Characteristic: Goals, subordinate objectives, activities, and performance measures; Description: Addresses what the strategy is trying to achieve, steps to achieve those results, as well as the priorities, milestones, and performance measures to gauge results. At the highest level, a strategy could provide a description of an ideal "end state," followed by a logical hierarchy of major goals, subordinate objectives, specific activities, and performance measures to achieve results.[A] Executive Order 13416 calls for the annex of each transportation mode, or Modal Annex, to identify processes for assessing compliance with security guidelines and requirements, and for assessing the need for revision of such guidelines and requirements to ensure their continuing effectiveness--something that could be accomplished with defined performance measures. The Order also directs TSA to evaluate the effectiveness and efficiency of current surface transportation security initiatives and calls for the annex to identify processes for assessing compliance with security guidelines and requirements. Characteristic: Resources, investments, and risk management; Description: Addresses what the strategy will cost, the sources and types of resources and investments needed, and where resources and investments should be targeted based on balancing risk reductions with costs. Ideally, a strategy would also identify criteria and appropriate mechanisms to allocate resources, such as grants, in-kind services, loans, and user fees, based on identified needs. Alternatively, the strategy might identify appropriate "tools of government," such as regulations, tax incentives, and standards; or stimulate nonfederal organizations to use their unique resources. Characteristic: Organizational roles, responsibilities, and coordination; Description: Addresses which organizations are to implement the strategy, their roles and responsibilities, and mechanisms for collaboration. This information considers who is in charge, not only during times of crisis but also during all phases of combating terrorism, including prevention, vulnerability reduction, and response and recovery. This entails identifying the specific federal entities involved and, where appropriate, the different levels of government or stakeholders, such as state and local governments and private entities. Executive Order 13416 also calls for the Secretary of Homeland Security to develop modal annexes that include a description of the respective roles, responsibilities, and authorities of federal, state, local, and tribal governments. A strategy could also describe the organizations that will provide the overall framework for accountability and oversight, and identify specific processes for collaboration and address how any conflicts would be resolved. Characteristic: Integration and implementation; Description: Addresses how a national strategy relates to other strategies' goals, objectives, and activities and to subordinate levels of government and their plans to implement the strategy. For example, a national strategy could discuss how its scope complements, expands upon, or overlaps with other national strategies. Also, related strategies could highlight their common or shared goals, subordinate objectives, and activities. Executive Order 13416 requires that the modal annex identify existing security guidelines and requirements. A strategy could address its relationship to other agency strategies using relevant documents from implementing organizations, such as strategic plans, annual performance plans, or annual performance reports that the Government Performance and Results Act of 1993 requires of federal agencies. A strategy might also discuss, as appropriate, various strategies and plans produced by the state, local, or private sectors and could provide guidance, for example, on the development of national standards, to more effectively link the roles, responsibilities, and capabilities of the implementing parties. Source: GAO. [A] A goal (also known as a strategic goal or objective) constitutes a specific set of policy, programmatic, and management objectives for the programs and operations covered in the strategic plan, and serves as a framework from which the annual objectives and activities are derived. A goal is expressed in a manner that allows a future assessment to be made regarding whether the goal was or is being achieved. Subordinate objectives assist in focusing the mode's programs and activities to meet the goals. Activities are specific programs and actions to achieve the subordinate objectives. Performance measures are particular values or characteristics used to measure output or outcome of activities, objectives, and goals. An outcome measure describes the intended result or effect from carrying out a program or activity. It defines an event or condition that is external to the program or activity and that is of direct importance to the intended beneficiaries and/or the public. An output measure describes the level of activity that will be provided over a period of time, including a description of the characteristics (e.g., timeliness) established as standards for the activity. [End of table] The Modal Annex contains information related to three of the characteristics we identified as desirable characteristics for a successful national strategy: (1) purpose, scope and methodology; (2) organizational roles, responsibilities, and coordination; and (3) integration and implementation. For example, the organizational roles, responsibilities, and coordination characteristic, which is also an element in Executive Order 13416, calls for agencies to identify which organizations are to implement the strategy, their roles and responsibilities, and the mechanisms for collaborating.[Footnote 37] The Modal Annex generally addresses this characteristic as it identifies relevant stakeholder roles and responsibilities. Specifically, the Modal Annex states that TSA has primary responsibility for ensuring security for mass transit and passenger rail while other federal and industry stakeholders, such as the FTA, FRA, FBI, private sector, and transit labor representatives have partnership roles. The Modal Annex also describes stakeholders' collaboration efforts. For example, it describes FTA, FRA, APTA, and transit operators' involvement in the development and implementation of security standards and directives. See appendix III for more information on the characteristics the Modal Annex includes. The Modal Annex, however, could be strengthened by addressing the other two desirable characteristics of an effective national strategy: (1) goals, subordinate objectives, activities, and performance measures and (2) resources and investments. Both of these could be useful in achieving the vision articulated in the Modal Annex of securing the mass transit and passenger rail systems. Goals, Subordinate Objectives, Activities, and Performance Measures: In conformance with this characteristic, the Modal Annex identifies sector-wide goals that apply to all modes of transportation as well as subordinate objectives specific to mass transit and passenger rail systems. For instance, one of TSA's transportation sector goals is to enhance resiliency of the U.S. transportation system and presents three subordinate objectives to demonstrate how the agency intends to meet this goal. Further, for each subordinate objective, TSA presents information to explain what TSA, other federal components, or industry stakeholders are doing to meet the subordinate objective. For example, the agency identifies its Explosives Detection Canine Teams as an activity to accomplish assessing, managing, and reducing risk associated with key modes, links, and flows within critical transportation systems. Table 4 provides a complete list of the TSA's goals and their subordinate objectives for the mass transit and passenger rail systems. Table 4: Sector Goals and Passenger Rail and Mass Transit Subordinate Objectives to Complete Sector Goals: Sector Goal: 1) Prevent and deter acts of terrorism using or against the transportation system; Subordinate Objectives: * Implement risk-based, flexible, layered and unpredictable security programs; * Increase vigilance of travelers and transportation workers; * Enhance information and intelligence sharing among transportation sector security partners. Sector Goal: 2) Enhance resiliency of the U.S. transportation system; Subordinate Objectives; * Assess, manage, and reduce risk associated with key nodes, links, and flows within critical transportation systems; * Ensure the capacity for rapid response and recovery to all-hazards events; * Develop, disseminate, and promote the adoption of a standard risk reduction methodology. Sector Goal: 3) Improve the cost-effective use of resources for transportation security. Subordinate Objectives; * Align sector resources with the highest priority transportation security risks using both risk and economic consequences as decision criteria; * Maximize passenger rail and mass transit sector participation as a partner in the developing and implementing of public sector programs for critical infrastructure/key resource protection; * Improve transportation sector security research, development, test, and evaluation resource allocation; * Ensure that public sector funds expended have achieved the expected risk reduction. Source: GAO Analysis of TSA information. [End of table] While the Modal Annex identifies goals, objectives, and activities, it does not contain measures or targets on the effectiveness of the operations of the security programs identified in the Modal Annex. For example, one of TSA's security programs listed in the Modal Annex-- Security Technology Deployment--aligns under one of the sector goals: prevent and deter acts of terrorism using or against the transportation system. However, the Modal Annex contains no measures or targets to assess the effectiveness of this program in achieving this goal. In August 2006, we reported that performance measures are an important tool to communicate what a program has accomplished and provide information for budget decisions. Further, we noted that it is desirable for these measures to be as effective as possible in helping to explain the relationship between resources expended and results achieved because agencies that understand this linkage are better positioned to allocate and manage their resources effectively.[Footnote 38] Although the Modal Annex does not contain specific measures or targets, it does call for developing measures of effectiveness to evaluate mass transit and passenger rail efforts to mitigate risk and increase the resilience of systems and assets. TSA has developed performance measures to track the progress that the surface transportation security program has made in conducting activities to enhance the security of the mass transit and passenger rail systems. Specifically, TSA's Surface Transportation Security Inspection Program fiscal year 2009 Annual Inspection Plan identifies annual and quarterly performance metrics for conducting mass transit and passenger rail-related assessments that TSA plans nationwide: * number of inspections conducted per 1,000 inspector work hours on mass transit, passenger rail, and freight rail systems and[Footnote 39] * number of BASE reviews conducted at the top 100 largest transit agencies. While these measures are useful in tracking activities or actions taken, they are output measures that do not fully inform TSA about how various actions have impacted the security of mass transit and passenger rail systems' goals and objectives. For example, TSA has so far reported the progress in its Visible Intermodal Prevention and Response (VIPR) program in terms of the number of VIPR operations TSA conducted, but has not yet developed measures or targets to report on the effectiveness of the operations themselves.[Footnote 40] However, in June 2009, TSA program officials reported that they are planning the introduction of additional performance measures for no later than the first quarter of fiscal year 2010. These measures would gather information on (1) interagency collaboration by collecting performance feedback from federal, state and local security, law enforcement, and transportation officials prior to and during VIPR deployments; and (2) stakeholder views on the effectiveness and value of the VIPR deployment. In February 2009, TSA reported plans to introduce its first outcome measures for its mass transit and passenger rail security programs. For example, TSA plans to introduce a performance measure for its BASE review program. TSA officials reported that they plan to calculate this measure by comparing the results from the first and second round BASE reviews for the nation's top 100 largest transit mass transit and passenger rail systems. TSA also reported plans to introduce additional outcome performance measures in the future, including an overall risk reduction measure tied to the BASE program. Implementing these new performance measures and including them in future updates of the Mass Transit Modal Annex should better inform decision makers at TSA on the effect of its programs in securing mass transit and passenger rail. Resources and Investments: While the Modal Annex identifies how TSA has allocated funds available to different transit agencies, the Modal Annex provides relatively few details on how grant resources should be targeted. Also, the Modal Annex contains little information on resources and costs associated with mass transit and passenger rail security programs. For example, the Modal Annex identifies as its third sector-goal, as shown on table 4, improve the cost-effective use of resources for transportation security; however, it provides few details on the costs, types, or levels of resources associated with implementation of the security programs that are aligned with this goal. Furthermore, the Modal Annex describes risks to the mass transit and passenger rail systems by discussing overseas attacks and the potential consequences of such attacks in the United States. However, the Modal Annex does not provide information on the cost of the consequences of such attacks and is silent on risk assessment efforts. TSA officials acknowledged the lack of this information and the need to include it in future updates of the Modal Annex. While providing cost estimates may be difficult to do, including resources and costs, to the extent possible, would help implementing parties allocate budgets according to priorities and constraints, and would help stakeholders shift such investments and resources as appropriate. Federal and Industry Stakeholders Have Taken Key Actions to Strengthen Transit Security and Federal Actions Have Been Generally Consistent with TSA's Strategy, but Opportunities Exist to Strengthen Some Programs: Since 2004, federal and industry stakeholders have implemented several key actions to strengthen the security of the nation's mass transit and passenger rail systems and federal actions have generally been consistent with TSA's security strategy. However, federal efforts are largely in the early stages and opportunities exist for TSA to strengthen some programs. Federal Actions to Secure Mass Transit and Passenger Rail Have Been Varied and Generally Consistent with TSA's Security Strategy: Since 2004, federal stakeholders have taken a number of key actions to secure mass transit and passenger rail systems and TSA has been the primary federal agency involved in implementing these actions. In general, these actions can be categorized into three areas: (1) deploying surface inspectors and other personnel to conduct voluntary security assessments and security operations at the nation's largest mass transit and passenger rail systems; (2) establishing and implementing coordination mechanisms between federal entities and mass transit and passenger rail industry stakeholders; and (3) coordinating with the DHS Science and Technology Directorate (DHS S&T) to develop and test new security technology appropriate for deployment in mass transit and passenger rail systems.[Footnote 41] Since 2004, TSA's primary security activity for mass transit and passenger rail has been conducting voluntary security assessments of the nation's top 100 largest mass transit and passenger rail systems through its BASE program.[Footnote 42] TSA has used the BASE results to inform the development of security enhancement programs and to determine priorities for allocating mass transit and passenger rail security grants. In addition, through its VIPR program and its National Explosive Detection Canine Team Program (NEDCTP), TSA has deployed personnel and explosive detection canine teams to augment mass transit and passenger rail systems' security forces to conduct hundreds of random and event-based security operations as a show of force to deter potential terrorist attacks at key mass transit and passenger rail stations. Federal agencies have taken other actions as well to strengthen security by enhancing coordination with transit industry stakeholders. For example, TSA established the monthly Transit Policing and Security Peer Advisory Group (PAG) and FTA initiated the semi-annual Transit Safety and Security Roundtables, both of which provide forums for TSA and mass transit and passenger rail systems, including Amtrak, to share security information and ideas. Additionally, FTA has enhanced mass transit and passenger rail security by funding the development and delivery of security training curriculum and programs for mass transit and passenger rail system employees, and by developing a list of recommended security and emergency action items for mass transit security programs, which it later updated in collaboration with TSA. TSA also collaborates with DHS S&T to pursue research, development, and testing of new security technology appropriate for deployment in mass transit and passenger rail systems. In 2006, DHS reorganized its security technology research and development structure, and under the new structure, TSA is to identify technology priorities to address security gaps and communicate these priorities to DHS S&T, which in turn is to conduct technology research, development, and testing. Table 5 provides descriptions of key federal programs and activities, initiated since 2004, mostly by TSA and FTA, to enhance mass transit and passenger rail system security. For a more extensive list of federal programs and activities, see appendix IV. Table 5: Key Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security Since 2004: Category/Program: Deploying manpower; Surface Transportation Security Inspection Program (STSIP); Lead agency: TSA; Description: Established in 2005, TSA's surface inspectors serve as the agency's field force for conducting non-regulatory security assessments, outreach, and technical assistance with the nation's top 100 largest mass transit and passenger rail agencies, as well as participating in VIPR security operations at key transit and passenger rail locations. TSA reported that, as of February 2009, its surface inspectors had conducted non-regulatory security posture assessments-- or BASE reviews--of 91 mass transit and passenger rail agencies, including 82 of the largest agencies, and had conducted over 1,350 site visits to mass transit rail stations to complete Station Profiles, which gather detailed information on a station's physical security elements, geography, and emergency points of contact. Category/Program: Deploying manpower; Visible Intermodal Prevention and Response (VIPR) Program; Lead agency: TSA; Description: Since late 2005, TSA has reported deploying over 800 teams of TSA personnel to augment the security of mass transit and passenger rail systems and promote the visibility of TSA. Working alongside local security and law enforcement officials, VIPR teams conduct a variety of security tactics to introduce unpredictability and deter potential terrorist actions, including random high visibility patrols at mass transit stations, and passenger and baggage screening operations using specially trained behavior detection officers and explosive detection canine teams and explosive detection technologies. Category/Program: Deploying manpower; National Explosive Detection Canine Team Program (NEDCTP); Lead agency: TSA; Description: TSA implemented the NEDCTP in 2000 for aviation, and in 2005 expanded the program into mass transit and passenger rail. TSA has worked in partnership with transit systems to procure, train, certify, and deploy 88 explosives detection canine teams to 15 participating mass transit and passenger rail systems nationwide to provide mobile and flexible deterrence and explosives detection capabilities. TSA provides the canine training for the handler and the dogs and also allocates funds to cover the costs associated with continued training and maintenance of the capabilities of the team, while the transit system commits a handler to attend the TSA training and receive program certification. Category/Program: Coordinating with federal and industry stakeholders and issuing guidance: DHS/DOT memorandum of understanding (MOU) for coordination of roles/responsibilities; Lead agency: TSA; FTA; Description: Through a 2004 MOU and 2005 annex DOT (FTA) and DHS (TSA) agreed to closely coordinate their mass transit and passenger rail programs and services in developing transit security guidance and regulations. The agreements confirm that TSA has the lead role for transportation security and DOT has a supporting role in providing technical assistance and with assisting DHS in implementation of its security policies. Category/Program: Coordinating with federal and industry stakeholders and issuing guidance: Transit, Commuter and Long Distance Rail Government Coordinating Council (GCC) and Mass Transit Sector Coordinating Council (SCC) Joint Working Groups; Lead agency: TSA; FTA; Description: In 2007, under the Transit, Commuter and Long Distance Rail Government Coordinating Council (GCC) and Mass Transit Sector Coordinating Council (SCC) framework, TSA and FTA collaborated with the American Public Transportation Association to establish working groups composed of federal and industry mass transit and passenger rail security stakeholders to serve as a modal coordinating council for mass transit and passenger rail systems. Working groups were established in three substantive areas: security training, security technology, and grants. Category/Program: Coordinating with federal and industry stakeholders and issuing guidance: Transit Policing and Security Peer Advisory Group (PAG); Lead agency: TSA; Description: In late 2006, TSA established the monthly Transit Policing and Security Peer Advisory Group (PAG) to bring together 16 transit police chiefs and security directors from Amtrak and major transit systems across the nation to act as a consultative forum for advancing the security concerns of transit systems. Category/Program: Coordinating with federal and industry stakeholders and issuing guidance: Transit Safety and Security Roundtables; Lead agency: TSA; FTA; Description: Administered in 2003 and 2004 by FTA and jointly administered since 2005, TSA and FTA have convened semi-annual Transit Safety and Security Roundtables to serve as a means for representatives of the 50 largest mass transit agencies to share security-related ideas and information. Category/Program: Coordinating with federal and industry stakeholders and issuing guidance: Security Standards; Lead agency: TSA; FTA; Description: In accordance with the DOT/DHS MOU annex, FTA is leading an initiative with TSA to develop security standards for mass transit and passenger rail systems, with a focus on recommended procedures and practices. FTA has funded APTA to administer this initiative, and as of March 2009, APTA had issued six security standards related to security emergency management, security infrastructure, and security risk management. Category/Program: Developing security technology and providing technology information: Security technology research and development (R&D); Lead agency: DHS S&T/; TSA; Description: DHS S&T and TSA collaborate to research, develop, and test various security technologies for applicability in mass transit and passenger rail systems, including explosive trace detection technologies, infrastructure protection measures, and behavior based and advanced imaging technologies. Category/Program: Developing security technology and providing technology information: Transportation Research Board; Lead agency: FTA; Description: FTA sponsors academic research from the Transportation Research Board (TRB) which is one of six divisions within the National Research Council. The National Research Council serves as an independent adviser to the federal government and others on scientific and technical questions of national importance. TRB has produced several reports on public transportation security, such as a report on mass transit passenger security inspections procedures and technology. Source: GAO analysis of TSA and FTA programs. [End of table] Federal Mass Transit and Passenger Rail Security Actions Are Generally Consistent with TSA's Security Strategy: Federal actions to secure mass transit and passenger rail systems generally have been consistent with those that TSA outlined in its security strategy for mass transit, the Mass Transit Modal Annex. The Modal Annex describes TSA's strategic objectives and associated federal programs and activities to meet these objectives. For example, one objective calls for conducting security readiness assessments, which TSA has been doing since August 2006 through its BASE review program. Another objective calls for a public awareness program, which TSA reported implementing through its Employee Awareness Poster Program. [Footnote 43] See appendix V for a list of all of the Modal Annex mass transit objectives and TSA's reported actions to achieve these objectives. Mass Transit and Passenger Rail Systems Have Taken Key Actions to Enhance Security: Mass transit and passenger rail systems, including Amtrak, reported taking key actions since 2004 to improve their security. Most systems reported making operational enhancements to their security programs, such as adding security personnel or transit police. Moreover, some of the largest systems have implemented varying types of random passenger or baggage inspection screening programs. These programs include deploying security personnel at checkpoints to conduct visual observation of passengers for suspicious behaviors as well as non- invasive baggage checks. Since 2004, Amtrak reported taking additional actions to secure its system, focusing particularly on securing stations on its Northeast Corridor. Among other things, Amtrak introduced new passenger and baggage screening operations, increased its own explosive detection canine capacity, and deployed an armed mobile tactical team to respond to threats and conduct deterrent operations. Further, Amtrak provided security training to all of its frontline employees and conducted additional security risk assessments on its system as the baseline for developing its corporate security strategy. Officials from 24 of 25 passenger rail systems we interviewed and Amtrak also reported taking actions to strengthen the security of their systems in response to TSA's 2004 passenger rail security directives. These actions included removing trash receptacles from high-risk platform areas and deploying explosive detection canine units to patrol their systems. Amtrak also initiated identification checks for adult passengers. However, TSA's security directives contained limited requirements for passenger rail, and TSA has not enforced their implementation.[Footnote 44] Additionally, TSA released a report summarizing results of the BASE reviews it had conducted of mass transit and passenger rail systems during fiscal year 2007.[Footnote 45] This report showed that almost all transit agencies reported providing some type of security training to their frontline employees; however, the extent of the training provided varied greatly--with a majority providing an introductory level of safety and security training for new hires, but not refresher training.[Footnote 46] Many mass transit and passenger rail agencies also reported making capital improvements to secure their systems. For example, since 2004, 19 of the 30 transit agencies we interviewed had embarked on programs to upgrade their existing security technology, including upgrading closed-circuit television at key station locations with video surveillance systems that alert personnel to suspicious activities and abandoned packages and installing chemical, biological, radiological, nuclear, and explosives detection equipment and laser intrusion detection systems in critical areas. For bus transit agencies, capital improvements have included installing automatic vehicle location tracking, silent alarms, and engine disabling systems to counter potential hijacking threats. While mass transit and passenger rail systems as a whole have taken actions to enhance their security, TSA's BASE reviews indicated that rail transit agencies were implementing a wider range of security programs than bus only transit agencies.[Footnote 47] For example, according to TSA's initial findings from its BASE reviews of the 50 largest transit agencies, conducted during fiscal year 2007, rail transit agencies implemented more of the TSA/FTA security and emergency management action items than bus-only systems. TSA officials attributed the differences to three factors. First, passenger rail agencies have been required to comply with FTA's triennial State Safety Oversight audits that require passenger rail agencies to have both a safety and security plan in place and TSA's 2004 security directives. In contrast, bus-only transit agencies have not been required to implement such FTA security requirements, and no federal agency has issued bus-specific security requirements or directives. Second, bus-only transit agencies tend to be smaller than rail only or rail and bus transit agencies and have fewer financial resources available to invest in security activities. Finally, because passenger rail has been the target of recent high profile terrorist attacks overseas and rail is considered a higher security risk to terrorist attack than bus-only systems, passenger rail transit security has received greater focus--both by the transit industry and the federal government. Opportunities Exist for TSA to Strengthen Management and Coordination of Three Mass Transit and Passenger Rail Security Programs: DHS is Exploring New Security Technologies, but Expanding Outreach and Improving Information Sharing Could Strengthen Future Research and Development Endeavors: As part of its research and development (R&D) strategy, DHS has been exploring new explosive detection technologies, particularly those that deter, detect, defeat, and protect against the use of IEDs in or around transit infrastructure. Accordingly, DHS technology pilot projects for mass transit and passenger rail have sought to identify and develop technologies that can effectively detect explosive weapons or compounds while causing minimal delays to passengers, such as fare card vending machines capable of detecting explosive residue on passengers' bodies or bags (see figure 3). Although DHS has worked to develop some security technologies specific to mass transit and passenger rail systems, most technologies that it has pursued could work across different transportation modes, including aviation, maritime, mass transit, and passenger rail. DHS has also pursued several infrastructure protection projects that address the threat of IEDs, with a particular focus on addressing the vulnerabilities of underground and underwater transit tunnels. Unlike its role in commercial aviation, TSA does not procure or deploy security technologies for mass transit and passenger rail systems. Instead, TSA partners with mass transit and passenger rail systems to conduct pilot projects and demonstrations of commercially available technologies and technologies from DHS laboratories. The mass transit and passenger rail systems themselves determine which security technologies to procure and deploy.[Footnote 48] See appendix VI for a list of ongoing and completed TSA and DHS mass transit and passenger rail security-related technology pilot programs. Figure 3: Photo of DHS S&T Pilot Technology for a Fare Card Vending Machine with Explosive Trace Detection Capability: [Refer to PDF for image: photograph] Source: DHS Science and Technology Directorate. [End of figure] A 2006 pilot test by DHS S&T involved a fare card vending machine capable of detecting trace amounts of explosives residue on the fingertips of passengers. Though successfully demonstrating the technology, the machines were estimated to cost 75 to 100 percent more than standard fare-card vending machines. Since 2007, TSA, like other DHS components, has been responsible for articulating the technology needs of all transportation sector end- users--including mass transit and passenger rail agency operators--to DHS S&T for development.[Footnote 49] TSA has taken some initial actions to reach out to mass transit and passenger rail systems regarding their security R&D needs; however, these efforts could be expanded and improved by more fully leveraging existing forums to solicit a wider range of input. This effort is important because, as we reported in September 2004, stakeholders are more likely to use research results if they are involved in the R&D process from the beginning.[Footnote 50] The Mass Transit Modal Annex states that DHS S&T and TSA will identify security technology needs in full partnership with the mass transit community. To achieve this, TSA officials told us that TSA leverages existing forums for communication, such as the semi- annual Transit Security Roundtables, to identify technology capability gaps and to solicit input and feedback on its technology priorities. Additionally, in 2008, TSA headquarters officials reported that they sought input from transit industry representatives through the Transit Policing and Security Peer Advisory Group and the Mass Transit Sector Coordinating Council Security Technology Working Group. Nonetheless, in a September 2008 draft report, the Mass Transit Sector Coordinating Council Security Technology Working Group reported that other than occasional telephone discussions, there was no ongoing structure that brought the federal government and transit industry together to discuss transit security technology priorities, needs, and areas of potential interest for technology advancement and research.[Footnote 51] In September 2004, we recommended that DHS and TSA improve their outreach to the transportation industry (including mass transit and passenger rail systems) to ensure that the industry's R&D security needs have been identified and considered. DHS agreed that this recommendation was key to a successful R&D program and since that time, DHS and TSA have made some preliminary efforts to outreach on R&D security issues. [Footnote 52] However, by continuing to expand these efforts and getting input early on in the project selection process, TSA should be able to ensure that DHS has adequately considered and addressed the full scope of the industry's R&D needs. TSA has taken initial actions to share information on available security technologies, but could strengthen its approach by providing more information to support transit agencies that are considering deploying new security technologies. Consistent with a recommendation we made in September 2005, TSA established the Public Transit Portal of DHS's Homeland Security Information Network (HSIN), a secure Web site that serves as a clearinghouse of information on available security technologies that have been tested and evaluated by DHS, in addition to providing security alerts, advisories, and information bulletins. [Footnote 53] In February 2009, TSA reported that it had established HSIN accounts for 75 of the 100 largest mass transit and passenger rail systems. However, officials from 11 of 17 mass transit and passenger rail systems who discussed HSIN told us that they did not use it for guidance on available security technologies when considering security technology investments. These officials said that they did not use HSIN when considering such investments because HSIN did not contain product details that would support these decisions, including details on product capabilities, maintenance, ease of use, and the suitability of the products in a bus or rail venue. We reviewed HSIN and found that for a given security product, TSA's listing provides a categorical definition (such as video motion analysis), a sub-category (such as day/night camera), and the names of products within those categories. However, HSIN neither provides nor indicates how transit agencies can obtain information beyond the product's name and function. A senior program official with TSA's TSNM mass transit division told us that mass transit and passenger rail system officials would already know whom to contact at TSA for more information on a product. However, the official acknowledged that the product listing could be enhanced by including the contact information of the TSA officials capable of providing that information. In the absence of more detailed information on security-related technologies, officials from 19 of 30 mass transit and passenger rail systems we interviewed told us that they either (1) asked other operators about their experiences with a particular technology; (2) performed their own research via the Internet or trade publications; or (3) performed their own testing. Making the results of research testing available to industry stakeholders could be a valuable use of federal resources by reducing the need for multiple industry stakeholders to perform the same research and testing. The senior TSA program official with the TSNM mass transit division also acknowledged that HSIN contained limited technology information but noted that the site's content was largely in the early stages of development. The official attributed some of the limitations to TSA's reluctance to provide substantive details regarding any particular product, since TSA officials did not want to be perceived as endorsing any particular vendor. Nonetheless, TSA stated that its goal for HSIN was to provide a way for transit agencies to share, receive, and find information on security technology as well as to provide a technology database with performance standards and product capabilities so that mass transit and passenger rail agencies would be well prepared to interact with vendors. Although TSA has set this goal for HSIN, there was no set deadline for the content-related improvements. By taking action to address mass transit and passenger rail agencies' need for more information, TSA could help provide transit agencies with a consolidated source of information on security technologies and help ensure that limited resources are not used to duplicate research and testing efforts. TSA Reported Taking Steps to Respond to Transit Industry Concerns and Improve the Effectiveness of its VIPR Program: In response to mass transit and passenger rail industry concerns about its VIPR program, TSA reported taking steps to work with the industry to improve the effectiveness of the program. TSA conducts VIPR operations as a way to introduce security measures (such as random bag searches) at mass transit and passenger rail systems to deter potential terrorist threats, augment local security forces, and promote the visibility of TSA resources.[Footnote 54] TSA, to date, has conducted over 800 VIPR operations at mass transit and passenger rail systems. TSA also reported that almost all operations were deployed on a random basis or to enhance security at special events or on holidays, rather than in response to specific threat information.[Footnote 55] Mass transit and passenger rail system officials we interviewed had varying opinions on the effectiveness of the VIPR operations that TSA had conducted on their systems. For example, security and management officials from 5 of the 30 mass transit and passenger rail systems we visited told us that they generally welcomed the additional security resources that the VIPRs provided. In contrast, officials from four other mass transit and passenger rail systems reported that because they were already deploying their own transit police and security personnel on their systems on a daily basis, the addition of a largely unarmed VIPR team on a single day did not add significant security value especially with the additional planning and costs incurred by these operations. In response to VIPR planning and implementation concerns raised by large mass transit and passenger rail systems, in October 2007 TSA issued a Concept of Operations (CONOPS) for its VIPR program that established general guidelines for the planning and execution of a VIPR deployment. TSA developed the guidance in coordination with members of the Transit Policing and Security Peer Advisory Group and issued the guidance to both its field personnel and the mass transit industry. The CONOPS includes general guidelines for 10 core components of collaboration, such as coordination, planning, and communications. [Footnote 56] In June 2008, the DHS Inspector General (DHS-IG) reported on VIPR planning and implementation concerns and noted that transit system officials reported that TSA's issuance of the VIPR guidance had led to improvements that addressed many of the VIPR implementation concerns.[Footnote 57] Nevertheless, our review of TSA after-action reports for 104 VIPR operations TSA conducted from November 2007 through July 2008 on mass transit and passenger rail systems--a nine month period after TSA issued the CONOPS guidance--identified insufficient interoperable radio communications as a key challenge faced during many VIPR operations. According to the after-action reports, TSA's key challenge has been ensuring that its VIPR teams have reliable interoperable radio communications--both among TSA personnel and with local law enforcement. According to the CONOPS, ensuring interoperable radio communications between VIPR team members and local law enforcement is essential to the safe and effective execution of VIPR programs, including ensuring their ability to communicate information on potential threats encountered during operations. However, in almost half of the after-action reports we reviewed (49 of 104), VIPR participants reported that a lack of reliable communications equipment had hindered their ability to conduct real-time communications with local law enforcement. This challenge has existed since TSA expanded the VIPR program into mass transit and passenger rail systems, where cell phone or other communications systems that previously worked in airports did not effectively operate in a transit environment. In many cases, TSA field personnel reported requests for new interoperable radio systems, but had not had those requests fulfilled by TSA headquarters. These reports indicated the need for a more comprehensive solution in which TSA procures communications systems capable of real time interoperability with security partners in mass transit and passenger rail systems. TSA managers of the VIPR program acknowledged the challenges that the VIPR program had experienced since it expanded into mass transit and passenger rail systems and stated that the agency was taking actions to address them. Examples include: * Communications Improvements: TSA reported deploying additional communications equipment to field locations and working with DHS S&T to test new technologies for enhancing communications capability and interoperability in a mass transit or passenger rail environment. * Coordination and Awareness: TSA reported that it developed and made available to mass transit and passenger rail systems a brochure with information on scheduling and deploying VIPR operations, including a description of the different options available for systems in utilizing VIPR teams and the planning and operational roles and responsibilities of participating TSA personnel.[Footnote 58] Further, to improve nationwide coordination of VIPR operations, TSA established a coordination center dedicated solely to VIPR operations and has established dedicated mobile VIPR teams in 10 cities. TSA has reported that it plans to expand the number of these teams nationwide by 2010. * Training TSA Personnel: TSA reported in February 2009 that the agency had begun requiring VIPR team personnel to participate in system orientation and safety training from mass transit and passenger rail systems where they deploy in order to familiarize VIPR team members with both the transit agency's physical structure and operating procedures. TSA also reported offering additional training on surface- based law enforcement tactics and legal authorities. Because TSA plans to further expand the VIPR program in 2009, effectively implementing these actions should better ensure that TSA uses its limited security resources to maximize the security benefit of VIPR operations in mass transit and passenger rail. TSA Established a Program to Expand Security Training for Mass Transit and Passenger Rail Employees, but Opportunities Exist to Strengthen It: In February 2007, TSA established a training program to assist mass transit and passenger rail agencies in expanding security training for their frontline transit employees. However, opportunities exist for TSA to strengthen its process for ensuring consistency in the performance of non-federal training vendors that mass transit and passenger rail agencies use to obtain training through the program. After TSA's initial BASE reviews revealed wide variations in the extent of training that transit agencies were providing to their employees, including limited recurrent training, TSA established a Mass Transit Security Training program to provide curriculum guidelines for basic and follow- on security training areas--training programs and courses largely developed and funded by FTA. It also specified areas in which particular categories of employees should receive recurrent training as well as a matrix tool to enable transit agencies to determine the costs and timelines for implementing the training. To support delivery of the training courses, TSA aligned the program with the DHS Transit Security Grant Program. The Transit Security Grant Program has made transit agency grant funding for security training a top priority and offers mass transit and passenger rail agencies the option of using grant funding to cover costs for training to employees that is supplied by either (1) training providers that are federally funded or sponsored or (2) other training providers.[Footnote 59] While TSA has reported that the Mass Transit Security Training Program is providing opportunities for mass transit and passenger rail systems to expand security training to their employees, senior officials from FTA's Safety and Security Office expressed concern that TSA had not established the necessary criteria to effectively manage the program. According to TSA's Mass Transit Security Training Program guidance, TSA allows transit systems to obtain DHS grant funding to contract with private security training vendors if TSA has determined that the performance of the vendors' training curriculum and delivery services is equal to those of the federally sponsored providers.[Footnote 60] As a result, TSA assumed new responsibility for evaluating whether these security training vendors met the performance standards of federally sponsored training providers and whether they could be used by transit agencies for training under the Transit Security Grant Program. [Footnote 61] However, opportunities exist for TSA to strengthen its process for making this evaluation. According to TSA, transit agency requests to use non-federally funded or sponsored training vendors under the Transit Security Grant Program are reviewed by TSA's mass transit training specialist and by FEMA's Grants Program Directorate for approval. This review includes an analysis of course documentation, such as a description of the course syllabus, cost estimate, and justification for why the course was the preferred solution. However, both FTA and TSA officials acknowledged that additional criteria are needed for TSA to properly evaluate the selection of the training vendors. As the lead federal agency for developing and implementing mass transit employee safety training programs since 1971, FTA is in the process of issuing guidance that could be relevant to TSA's evaluation of training vendors. According to FTA's 2009 Training Curriculum Development Guidelines, scheduled for release in 2009, criteria for evaluating the quality of training services should include, among other things, a review of the credentials of the instructors who would deliver the training course, the training vendor's experience in providing the security course, and any performance evaluations or feedback obtained from organizations and students who previously received training from the vendor. [Footnote 62] Additionally, as we reported in March 2004, agencies should try to develop clear criteria when determining whether to contract with vendors for training.[Footnote 63] We identified factors that agencies should consider include the prior experience, capability, and stability of the vendors offering the training. Since implementing the Mass Transit Security Training Program in 2007, TSA reported that about 50 mass transit and passenger rail systems had applied for Transit Security Grant Program funding for employee security training, including one agency that applied to use training vendors that are not federally funded or sponsored. However, more applications for this option are expected as additional grant funding for training becomes available. TSA and FTA officials both noted their preference for transit agencies to use federally-sponsored training providers and expressed concerns that increased demands on the providers may make scheduling training with federally funded or sponsored providers more difficult. Enhancing criteria for evaluating the quality of training services could strengthen DHS's ability to ensure that the grant money DHS is awarding to mass transit and passenger rail agencies is consistently funding sound and valid security training programs for these employees. In October 2005, we reported that collaborating agencies can identify opportunities to leverage each other's resources, thus obtaining additional benefits that would not be available by working separately.[Footnote 64] By coordinating the enhancement of these criteria with other agencies conducting similar efforts, such as FTA, TSA could also leverage the expertise of other agencies to better ensure its efforts result in sound criteria. TSA Reported Implementing Some 9/11 Commission Act Provisions for Mass Transit and Passenger Rail Security, but Implementing New Regulations May Pose Challenges for TSA and Industry Stakeholders: In March 2009, TSA reported that it had implemented some of the 9/11 Commission Act's provisions related to mass transit and passenger rail security. While most mass transit and passenger rail industry security actions have been voluntary to date, the 9/11 Commission Act sets forth mandatory requirements for federal and industry stakeholders, and implementing those requirements may pose challenges for TSA and industry stakeholders, particularly for TSA's Surface Transportation Security Inspection Program. TSA has more than doubled the size of its Surface Transportation Security Inspection Program over the past year, but has not completed a workforce plan to address current and future program needs, and surface inspectors have reported concerns with organizational changes that TSA has made to the program that may affect implementation of new responsibilities. Additionally, officials from the mass transit and passenger rail industry have reported concerns with the cost and feasibility of implementing pending 9/11 Commission Act regulations. TSA Reported Implementing Some Provisions of the 9/11 Commission Act for Mass Transit and Passenger Rail Security: The 9/11 Commission Act, enacted in August 2007, contains many provisions that task TSA with implementing various actions related to surface transportation, including mass transit and passenger rail security. Among other things, these provisions identify mandates for developing and issuing reports on TSA's strategy for securing public transportation, conducting and updating security assessments of mass transit systems, and establishing a program for conducting security exercises for transit and rail agencies. In March 2009, TSA reported that it had satisfied some provisions of the 9/11 Commission Act pertaining to mass transit and passenger rail, including some through actions that had been taken prior to the enactment of the 9/11 Commission Act. For example, TSA reported that it had issued a report on the transportation security enforcement process and that its Mass Transit Modal Annex satisfied the requirement to develop a strategy for securing public transportation. However, TSA also reported that it had not yet implemented a number of other 9/11 Commission Act provisions, including several requiring TSA to issue regulations that would place new requirements on the mass transit and passenger rail industry. The 9/11 Commission Act requires TSA to develop and issue several different regulations for mass transit and passenger rail, including regulations for employee security training programs and requiring high- risk rail carriers to develop and implement security plans. TSA reported that it was in the process of developing these regulations and that for some required regulations it had sought feedback from the transit industry as it developed new regulations. However, as of March 2009, TSA had missed several legislative deadlines for issuing the required mass transit and passenger rail regulations, and in some cases had not established time frames for when it would ultimately do so. For example, TSA was required to issue interim regulations outlining requirements for a mass transit employee security training program by November 2007, with final regulations due by August 2008. TSA was also required to issue regulations by August 2008 requiring high-risk rail carriers to develop and implement security plans. However, TSA did not meet these deadlines. TSA reported that deadlines in the act for developing and issuing new regulations have been difficult to meet because of different factors, including the comprehensive scope of the requirements, the need to coordinate them with various entities, and a lack of resources for completing certain tasks. See table 6 below for a list of key selected 9/11 Commission Act mass transit and passenger rail provisions mandating actions by TSA, along with TSA's reported status in doing so, as of March 2009. Table 6: Key Selected Provisions of the 9/11 Commission Act for Mass Transit and Passenger Rail Security and TSA's Reported Implementation Status, as of March 2009: Strategies: Section: § 1404; Requirement: Develop and implement the National Strategy for Public Transportation Security; TSA reported status: TSA reported that the Mass Transit Modal Annex to the Transportation System - Sector Specific Plan meets this requirement. Section: § 1511; Requirement: Establish a task force to complete (by Feb. 2008) a risk assessment of a terrorist attack on railroad carriers, and based on the assessment, develop and implement the National Strategy for Railroad Transportation Security; TSA reported status: TSA reported that the task force has been established and that the National Strategy for Railroad Transportation Security is under development. For passenger rail, TSA reported that the Mass Transit Modal Annex to the Transportation System - Sector Specific Plan meets the requirement to develop and implement a security strategy. Vulnerability assessments and security plans: Section: § 1405; Requirement: Review and update FTA security assessments of high-risk public transportation agencies, require high-risk public transportation agencies to develop security plans and review, amend as necessary, and approve the security plans; TSA reported status: TSA reported that FTA security assessments were provided to TSA and that TSA used the BASE program to update the assessments. TSA stated that it will use the BASE results in developing regulations implementing this requirement. TSA reported that a regulatory project has been initiated. Section: § 1405(b); Requirement: Conduct security assessments to determine the specific needs of local bus-only transportation systems; TSA reported status: TSA reported that the assessments have been completed and that information is being prepared for use by the transportation system operators. Section: § 1512; Requirement: Issue regulations (by Aug. 2008) that require each railroad carrier, including passenger rail carriers, determined to be high-risk to conduct a vulnerability assessment and to prepare, submit for approval, and implement a security plan; TSA reported status: TSA reported that a regulatory project has been initiated. Exercise programs: Section: § 1407, § 1516; Requirement: Establish a program for conducting security exercises for public transportation agencies and for railroad carriers. Establish a program for conducting security exercises for railroad carriers, including passenger rail carriers; TSA reported status: TSA reported that its Intermodal Security Training and Exercise Program meets this requirement. The agency further reported a multi-phased, multi-jurisdictional pilot of this exercise program was held in the National Capitol Region from January through June 2008, northern New Jersey in September 2008, and Los Angeles from February to June 2009. Training programs: Section: § 1408, § 1517; Requirement: Issue interim (by Nov. 2007) and final regulations (by Aug. 2008) for a public transportation security training program and issue regulations (by Feb. 2008) for a security training program for frontline railroad, including passenger railroad, employees; TSA reported status: TSA reported that a consolidated regulatory project including public transportation, railroad, and over-the-road bus has been initiated. TSA reported that it anticipates issuing a Notice of Proposed Rulemaking in late calendar year 2009 or early calendar year 2010. Background checks: Section: § 1411, § 1520; Requirement: Complete a name-based security background check for all public transportation frontline employees and frontline railroad employees; TSA reported status: TSA reported that it has begun to develop a project plan for a rulemaking needed to satisfy this requirement, but that significant funding and time will be required to meet this requirement. Source: GAO analysis of TSA data. [End of table] TSA reported that it tracks the implementation status of mass transit and passenger rail security provisions of the 9/11 Commission Act on a monthly basis as part of a DHS-managed working group and was identifying processes needed to implement the provisions. TSA provided us with progress reports for completing these provisions which, in certain cases, identified challenges it faced in doing so, including a lack of resources. But the reports did not include a plan for addressing these challenges or milestones for implementing several 9/11 Act Commission provisions, as called for by project management best practices.[Footnote 65] TSA officials reported that before they could move forward on the 9/11 Commission Act requirements, they needed to allow the new administration time to review TSA's efforts to date. However, until TSA develops a plan with milestones, it will be difficult to provide reasonable assurance that the provisions of the act are being developed and that a strategy is in place for overcoming identified challenges. While Industry Security Actions Have Largely Been Voluntary, New 9/11 Commission Act Requirements Outline a Mandatory Approach and Pose Challenges for TSA's Inspectors: While the majority of industry actions to secure mass transit and passenger rail have been taken on a voluntary basis, the pending 9/11 Commission Act regulations outline a new approach that sets forth mandatory requirements, the implementation of which may create challenges for TSA and industry stakeholders. With the exception of the 2004 passenger rail security directives, TSA had not, until recently, imposed security requirements on the mass transit and passenger rail industry. Instead TSA took a collaborative approach in encouraging passenger rail systems to voluntarily participate and address security gaps through its BASE review program.[Footnote 66] With TSA's pending issuance of regulations required by the 9/11 Commission Act, TSA will fundamentally shift this approach, and establish a new regulatory regime for mass transit and passenger rail security. Once TSA issues the pending regulations for mass transit and passenger rail security, TSA's Surface Transportation Security Inspection Program would have responsibility for enforcing industry compliance--further expanding and evolving the roles and responsibilities these inspectors have for mass transit and passenger rail, in addition to their responsibilities for other surface modes, such as freight rail, highway, and motor carrier security. TSA officials have raised concerns about their ability to meet the growing inspection requirements for mass transit and passenger rail and other surface modes that will be incurred by the new regulations required by the 9/11 Commission Act, particularly because TSA's Surface Transportation Security Inspection Program is already challenged to meet its existing workload. For example, 10 of 11 Surface Transportation Security Inspection Program field office supervisors--Assistant Federal Security Directors for Surface Transportation (AFSD-S)--whom we interviewed reported that while they were meeting their primary inspection responsibilities for mass transit and other surface modes, resource constraints were routinely leading them to delay secondary activities, such as conducting stakeholder outreach with mass transit and passenger rail agencies.[Footnote 67] These field office supervisors attributed their resource constraints to a significantly expanded Surface Transportation Security Inspection Program workload from fiscal year 2006 through 2008 without a corresponding increase in its workforce. During this time, TSA expanded the responsibilities of the surface transportation security inspectors to include additional surface transportation modes, including conducting various voluntary security inspections for mass transit bus and freight rail, and participating in VIPR operations.[Footnote 68] TSA's Surface Transportation Security Inspection Program is at risk of being unable to meet its expanding responsibilities if it does not plan for how to meet them. TSA reported that the agency had been appropriated funding to hire an additional 125 surface inspectors that would more than double its surface inspector workforce--including 75 in fiscal year 2008 and 50 more in fiscal year 2009--and planned to complete their hiring, training, and deployment by the end of fiscal year 2009.[Footnote 69] TSA reported plans to largely dedicate its newly hired surface inspectors to conducting VIPR activities, assessing security activities on surface modes, and monitoring newly issued freight rail security rules, such as ensuring a secure chain of custody for certain hazardous materials.[Footnote 70] However, as reported by the DHS Inspector General, beyond supporting current activities, the additional manpower TSA plans to put into its Surface Transportation Security Inspection Program may provide only limited relief.[Footnote 71] As a result, even with these additional resources, TSA's surface inspectors may face challenges in fulfilling their responsibilities. GAO guidance on strategic human capital management reinforces that high performing organizations conduct workforce planning and analysis to identify and prepare for current and future workforce needs.[Footnote 72] Accordingly, a workforce plan that includes an analysis of a program's workforce needs can help to ensure that the program has the right amount of resources to achieve program goals, allowing program managers to spotlight areas for attention before problems develop. In February 2009, we reported that TSA did not have a human capital or other workforce plan for its Transportation Security Inspection Program, but the agency had plans to conduct a staffing study to identify the optimal workforce size to address its current and future program needs.[Footnote 73] TSA reported that it had hired a contractor to conduct a full workforce analysis of its security inspectors, including both its aviation and surface inspectors, to determine the number needed to fulfill expanded roles and responsibilities and ensure effective deployment. TSA reported that it had initiated the study in January 2009 to be completed in late fiscal year 2009.[Footnote 74] This study, if completed, should provide TSA with a more reasonable basis for determining the surface inspector workforce needed to achieve its current and future workload needs in light of the new requirements of the 9/11 Commission Act.[Footnote 75] Stakeholders Have Raised Concerns Regarding Changes to TSA's Surface Transportation Security Inspection Program Field Office Command Structure: Surface inspectors have raised concerns about recent organizational changes that TSA has made to the Surface Transportation Security Inspection Program that may affect the implementation of its expanded roles and responsibilities. These concerns were reported by Surface Transportation Security Inspection Program field officials we interviewed, two recent DHS-IG reports, and an internal TSA report prepared by several Surface Transportation Security Inspection Program field officials.[Footnote 76] Specifically, in April 2008, TSA announced plans to expand the number of Surface Transportation Security Inspection field offices nationwide, from 22 to 54. Under a re- organized reporting structure, TSA placed 31 of the 32 new field offices under the command of Federal Security Directors and Assistant Federal Security Directors for Inspections--aviation-focused positions that historically have not had an active role in conducting mass transit, passenger rail, or other surface transportation inspection duties. TSA's Surface Transportation Security Inspection Program headquarters officials continue to set strategy and annual goals, while in most field offices the surface inspectors report to the Federal Security Directors and Assistant Federal Security Directors for Inspections, who have day-to-day management lead and hiring responsibilities for surface inspectors. Reported field official concerns include: * Balancing aviation and surface transportation priorities: A January 2008 report that 6 of 12 of TSA's Assistant Federal Security Directors for Surface submitted to TSA headquarters cited concerns that placing the Surface Transportation Security Inspection program under the Federal Security Directors had resulted in the surface transportation mission being diluted by TSA's aviation mission. The report also stated that the current reporting line of surface inspectors is less efficient and may create confusion among surface inspectors, because Federal Security Directors' priorities and needs differ from those of the surface program. * Establishing and maintaining credibility with industry stakeholders: Eight of the 11 Assistant Federal Security Directors for Surface we interviewed reported concerns that Federal Security Directors were not sufficiently focused on mass transit and passenger rail and the different challenges that surface inspectors face in overseeing the industry's voluntary participation in non-regulatory security assessment activities. For example, one Assistant Federal Security Director for Surface commented that Federal Security Directors had tasked aviation security officers to participate in surface assessments and that doing so had caused some frustration among transit agency officials because of their lack of knowledge about the transit environment. A June 2008 DHS-IG report also noted surface inspectors' concerns that Federal Security Directors were hiring surface inspectors who had no prior surface transportation experience, and that in some cases, Assistant Federal Security Directors reported that they were not included in hiring decisions. TSA disagreed with the DHS-IG and Assistant Federal Security Directors reports' findings that the present Surface Transportation Security Inspection Program field office command structure had inhibited the program's effectiveness. For example, TSA did not concur with the DHS- IG's recommendation that TSA place the Surface Transportation Security Inspection Program under the direct authority of a TSA headquarters official responsible for surface transportation, rather than under the Federal Security Directors. TSA reported that they had selected their current command structure because Federal Security Directors were best equipped to make full use of the security network in their geographical location because they frequently interacted with state and local law enforcement and mass transit operators, and were aware of vulnerabilities in these systems. Transit Industry Stakeholders Expressed Concern about the Cost and Feasibility of Implementing Pending Regulatory Requirements: While TSA has not yet issued the new 9/11 Commission Act regulations for mass transit and passenger rail, 12 of 30 mass transit and passenger rail agencies we interviewed raised potential implementation concerns associated with one expected regulatory requirement regarding training for mass transit and passenger rail employees. Among other comments, mass transit and passenger rail agency officials reported that unless these new regulations were accompanied by funding to address implementation costs, they would be challenged to comply since mass transit agencies face tight budgetary constraints. For example, one transit agency official reported in feedback to TSA that an agency with 5,000 employees would incur labor costs of $1.5 million to have its employees participate in an 8-hour training program. Another transit agency official reported that it would be an achievement to get 30 to 40 percent of frontline employees through training in a year due, in part, to the costly overtime for backfilling those employees' positions while they are in training. Additionally, these 12 agencies also reported concerns about the logistical feasibility of implementing the training requirement. For instance, under the act, mass transit and passenger rail agencies would be required to complete security training for all of their frontline employees within one year of DHS's approving the transit agency's training program. However, several mass transit and passenger rail agencies reported having thousands of employees and said it would be difficult to schedule training for all employees within one year without disrupting operations because they did not have the staff needed to backfill the positions of the employees undergoing training. Conclusions: As terrorist attacks on mass transit and passenger rail systems overseas have made clear, even with a variety of security precautions in place, mass transit and passenger rail systems that move high volumes of passengers on a daily basis remain vulnerable to attack. Since 2004, TSA has introduced a variety of initiatives aimed at enhancing the security of the nation's mass transit and passenger rail systems, including conducting security assessments, implementing new security programs, and implementing some provisions of the 9/11 Commission Act. However, given the importance of the mass transit and passenger rail systems, the inherent vulnerabilities that could be exploited by terrorist threats, and the broadening requirements that will result in a shift to a regulatory approach, addressing management and coordination challenges should help ensure that current and future actions effectively improve the security of these systems. TSA has taken key steps to help secure the nation's mass transit and passenger rail systems; however, additional actions to more effectively target resources would strengthen TSA's security approach. To ensure that TSA's efforts best prioritize and address risks, TSA should conduct a risk assessment for the mass transit and passenger rail systems that combines the results of threat, vulnerability, and consequence assessments. Until the overall risk to the entire system is identified through such an assessment, TSA cannot best determine how and where to target its limited resources to achieve the greatest security gains. TSA's 2007 Mass Transit Modal Annex represents a positive step toward documenting TSA's strategy for securing the mass transit and passenger rail systems, but further refinements to the strategy documented in future updates to the Modal Annex would help ensure that it provides all stakeholders with a clear and measurable path forward. For example, including relevant performance metrics will allow stakeholders to better evaluate their progress in achieving the strategy's vision. In addition, incorporating information on what the strategy will cost, to the extent possible, would help implementing parties allocate budgets according to priorities and constraints, and would help stakeholders shift such investments and resources as appropriate. Federal and industry efforts to work together in securing mass transit and passenger rail in the absence of any significant federal security regulations have been commendable. In particular, TSA's BASE reviews have been a positive step as they enhanced the awareness of security vulnerabilities at mass transit and passenger rail agencies throughout the country, while strengthening relationships among transit stakeholders. Notwithstanding TSA's progress, TSA's efforts remain largely in the early stages and opportunities exist for TSA to strengthen the implementation of some of its security programs. Expanding its outreach with mass transit and passenger rail officials will be particularly important for TSA in gathering security technology information and disseminating it to the systems and enabling officials to identify and deploy new security technologies to better secure their systems. In addition, with HSIN, TSA already has a venue in place for expanding the dissemination process and should explore the feasibility of populating this site with better and more relevant technology information to help meet the needs of mass transit and passenger rail agencies regarding information on available security technology. Such action should help ensure that limited resources are not used to duplicate research and testing efforts. Finally, by providing guidance and funding to cover mass transit and passenger rail agency costs for providing employee security training, TSA has taken steps to reduce a key vulnerability it identified during its BASE reviews. However, with the anticipated increase in demand for employee security training, it is important that TSA have an effective evaluation process in place to ensure it is consistently funding sound and valid training programs for mass transit and passenger rail agencies seeking funding to pay for non- federal training providers. Finally, a significant transition lies ahead. While TSA reports making progress in implementing the provisions of the 9/11 Commission Act, the agency has fallen behind in issuing required mass-transit and passenger- rail security regulations. The implementation of these regulations will be a fundamental shift in approach for TSA as it assumes more of a regulatory role in securing mass transit and passenger rail. This shift--combined with an expanding Surface Transportation Security Inspector workforce that has more than doubled in size in the past year and shifting deployment and field reporting structures--will challenge TSA to manage its new responsibilities. However, this transition will be important for both TSA and industry stakeholders to manage successfully to ensure that new requirements are met and that TSA and stakeholders continue to work together to secure mass transit and passenger rail. One approach that could help DHS manage these many changes is to develop a schedule with milestones for implementing the remaining 9/11 Commission Act requirements pertaining to mass transit and passenger rail. Without such a plan, it will be difficult for TSA to provide reasonable assurance that the provisions of the act are being implemented and that a strategy is in place for overcoming identified challenges. We recognize the inherent challenges to securing these systems given the continuing terrorist threat, openness of the system, and difficulties posed by attempting to secure and patrol numerous points of entry. However, given the criticality of mass transit and passenger rail systems to our way of life and the economy, and the inherent risks to them, TSA should continue to strive to strengthen its security efforts for the systems. Recommendations for Executive Action: To help ensure that the Transportation Security Administration is successfully prioritizing resources and collaborating with federal and industry stakeholders in implementing actions to secure the mass transit and passenger rail systems from acts of terrorism, and that its strategy is consistent with the characteristics of a successful national strategy, we are making six recommendations to the Assistant Secretary for the Transportation Security Administration: * To help ensure that the federal strategy to secure the mass transit and passenger rail systems considers assessment information within the context of risk, TSA, as the sector-specific agency for mass transit and passenger rail, should conduct a risk assessment that integrates all three elements of risk--threat, vulnerability, and consequence. As part of this assessment, TSA should, to the extent feasible, fully leverage existing assessment information from its own sources as well as those provided by other federal and industry stakeholders, as appropriate, and use this information to inform its security strategy. * To better achieve the security strategy laid out in its Mass Transit Modal Annex--TSA's security strategy for the mass transit and passenger rail systems--TSA should, to the extent feasible, incorporate into future updates of the Modal Annex the characteristics of a successful national strategy and the elements outlined in Executive Order 13416, including: - measuring the agency's and industry's performance in achieving the goals of preventing and deterring acts of terrorism and enhancing the resiliency of mass transit and passenger rail systems and: - incorporating information on what the strategy will cost along with the specifying the sources and types of resources and investments needed, and identifying where those resources and investments should be targeted. * To help ensure that DHS security technology research and development efforts reflect the security technology needs of the nation's mass transit and passenger rail systems, TSA should expand its outreach to the mass transit and passenger rail industry in the planning and selection of related security technology research and development projects. * To meet the needs of mass transit and passenger rail agencies regarding information on available security technologies, TSA should explore the feasibility of expanding the security technology product information on the Public Transit Portal of the Homeland Security Information Network, and consider including information such as product performance in a rail or bus venue, cost, maintenance needs, and other information to support mass transit and passenger rail agencies purchasing and deploying new security technologies. * To better ensure that DHS consistently funds sound and valid security training delivery programs for mass transit and passenger rail employees, TSA should consider enhancing its criteria for evaluating whether security training vendors meet the performance standards of federally sponsored training providers and whether the criteria could be used by transit agencies for training under the transit security grant program. As part of this effort, TSA should consider coordinating with other federal agencies that have developed criteria for similar programs, such as the Federal Transit Administration. * To better ensure DHS's ability to satisfy the provisions of the 9/11 Commission Act related to mass transit and passenger rail, DHS should develop a plan with milestones for implementing provisions of the 9/11 Commission Act related to mass transit and passenger rail security. Agency Comments: We provided a draft of this report to DOT, Amtrak, and DHS for review and comment. DOT did not provide comments. Amtrak provided written comments on June 16, 2009. In its letter, Amtrak provided additional information on security actions they were taking, noted collaboration with federal agencies, and expressed some concern about the cumbersome nature and cost share requirements of the Transit Security Grant Program. Amtrak's comments are presented in appendix VII. DHS provided written comments on June 17, 2009, which are presented in appendix VIII. In commenting on the report, DHS stated that it concurred with all six recommendations and identified actions planned or under way to implement them. In comments related to our first recommendation, that DHS conduct a risk assessment that integrates all three elements of risk, DHS stated that it recognized the importance of conducting risk assessments to inform agency priorities, security enhancement programs, and resource allocations. It also reported that in addition to the various assessments already completed and the BASE reviews conducted on a continuous cycle, an assessment pilot program is planned for later in 2009. Under this pilot, TSA will evaluate the effectiveness of and provide lessons learned from its new risk assessment tool for mass transit and passenger rail to enhance the tool's capability prior to its implementation. In comments related to our second recommendation that DHS incorporate in future updates of the Modal Annex the characteristics of a successful national strategy and the elements outlined in Executive Order 13416, DHS reported that it planned to revise its Mass Transit Modal Annex and incorporate these characteristics and elements to improve its ability to measure agency and industry progress toward achieving mass transit and passenger rail security performance goals. In response to our third recommendation that TSA expand its outreach to the mass transit and passenger rail industry in the planning and selection of related security technology research and development projects, DHS reported on several planned coordination efforts including its intent to coordinate the Modal Annex update with mass transit and passenger rail stakeholders, and work to ensure that stakeholders have ample opportunities to provide input on security technology development and testing priorities. With regard to our fourth recommendation that TSA explore the feasibility of expanding the security technology product information on the Public Transit Portal of the Homeland Security Information Network, DHS reported that it expects to expand both the scope and quality of security technology information provided to stakeholders through the Public Transportation Information Sharing and Analysis Center--which has a principal objective of aligning and integrating analytical and information sharing activities with relevant federal processes to enhance the information-sharing environment for the mass transit and passenger rail community. In comments related to our fifth recommendation that TSA consider enhancing its criteria for evaluating security training vendors under the Transit Security Grant Program and consider coordinating with other federal agencies that have developed such criteria, DHS stated that TSA will work with FTA through an existing joint working group to develop criteria for reviewing new vendor- provided training courses. Lastly, with regard to our sixth recommendation that DHS develop a plan with milestones for implementing provisions of the 9/11 Commission Act related to mass transit and passenger rail security, DHS reported that TSA will produce a plan that identifies necessary actions and sets milestones to evaluate its effectiveness in meeting statutory requirements associated with the 9/ 11 Commission Act. DHS and Amtrak also provided us with technical comments, which we considered and incorporated into the report where appropriate. As agreed with your office, unless you publicly announce the contents of this report, we plan no further distribution for 30 days from the report date. At that time, we will send copies of this report to the Secretary of Homeland Security, the Secretary of Transportation, Amtrak, interested congressional committees, and other interested parties. The report will also be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, or wish to discuss these matters further, please contact me at (202) 512-3404 or berrickc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IX. Sincerely yours, Signed by: Cathleen A. Berrick: Managing Director, Homeland Security and Justice Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of this report were to: (1) determine the extent that federal and industry stakeholders assessed or supported assessments of the security risks to mass transit and passenger rail since 2004, and how, if at all, TSA used risk assessment information to inform and update its security strategy; (2) describe key actions, if any, that federal and industry stakeholders implemented or initiated, since 2004, to strengthen the security of mass transit and passenger rail systems, the extent to which federal actions were consistent with TSA's security strategy, and what challenges, if any, TSA faces in implementing these actions; and (3) describe TSA's reported status in implementing provisions of the Implementing Recommendations of the 9/11 Commission Act of 2007 related to mass transit and passenger rail security, and discuss challenges, if any, TSA and the mass transit and passenger rail industry face in implementing the actions required by the act. To determine the extent that federal and industry stakeholders have assessed or supported assessments of the security risks to mass transit and passenger rail since 2004, and how, if at all, TSA has used risk assessment information to inform and update its security strategy, we obtained and analyzed various reports that address some or all elements of security risk (threat, vulnerability, and consequence) from DHS component agencies, including TSA, the DHS Office of Infrastructure Protection within the National Protection and Programs Directorate (NPPD), and the Homeland Infrastructure Threat Reporting and Analysis Center (HITRAC). We also reviewed information on risk-related assessments conducted by federal agencies, including mass transit and passenger rail security vulnerability assessments conducted by DOT's Federal Transit Administration (FTA), and a variety of federally developed security risk assessment tools for the mass transit and passenger rail industry. Additionally, we reviewed TSA's Baseline Assessment for Security Enhancement (BASE) review checklist and fiscal year 2007 BASE report of the results of BASE reviews that TSA conducted at 44 of the top 50 largest mass transit and passenger rail agencies--by ridership--as a measure of TSA's efforts to gather vulnerability information. We gathered information on TSA's consequence assessments through interviews with Transportation Sector Network Management (TSNM) officials. We also interviewed TSNM officials in order to assess how risk assessments were informing TSA's security strategy for mass transit and passenger rail and then compared TSA's actions to GAO and DHS reports on risk assessment.[Footnote 77] Because of the scope of our work, we relied on TSA to identify its assessment activities but did not assess the extent to which its assessment activities meet the National Infrastructure Protection Plan criteria for threat, vulnerability, and consequence assessments. To further assess risk assessment efforts, we interviewed federal officials from DHS's HITRAC, TSA's Office of Intelligence, TSA's Surface Transportation Security Inspection Program, and, at DOT, FTA's Office of Safety and Security to understand what additional assessment information or assistance on risk assessments was available to either TSA or the transit agencies. Further, we interviewed security officials from Amtrak and 30 mass transit and passenger rail agencies across the nation. This sample allowed us to meet with agencies of varying sizes and types to determine their perspectives on federal and mass transit and passenger rail industry risk assessment efforts to date (see objective 2 for how these agencies and cities were selected). Additionally, we reviewed TSA's strategic planning document--the Mass Transit Modal Annex to the Transportation System - Sector Specific Plan (TS-SSP) issued in May 2007--and identified federal guidelines for developing a risk-based security strategy. Specifically, to determine the extent to which TSA's strategy conformed to requirements and best practices, we reviewed relevant statutory requirements of the Government Performance and Results Act of 1993 (GPRA) that included general requirements that are applicable in the establishment of government strategies and programs, and the Implementing Recommendations of the 9/11 Commission Act of 2007, which included requirements for establishing a security strategy. For example, we reviewed existing Executive Directives, including Homeland Security Presidential Directives 1, 7, and 8, and Executive Order 13416: Strengthening Surface Transportation Security to determine the extent to which TSA's Mass Transit Modal Annex conformed to these requirements. We also analyzed executive guidance documents outlining best practices for effectively implementing a risk management framework, and in particular, risk assessment best practices, including both the DHS National Infrastructure Protection Plan (NIPP) and the TS- SSP. We also reviewed GAO best practice criteria for developing a successful national strategy and compared the Mass Transit Modal Annex against it. Finally, to identify the extent to which TSA is measuring its performance in implementing its mass transit and passenger rail security programs, we reviewed DHS and TSA documents, including the Modal Annex, DHS Critical Infrastructure and Key Resources Annual Reports, and Surface Transportation Regulatory Activities Plan, as well as the Office of Management and Budget's Program Assessment Rating Tool (PART), which assessed the adequacy and effectiveness of these program measures. To identify and describe the key actions federal and industry stakeholders have implemented or initiated since 2004 to strengthen the security of mass transit and passenger rail systems, the extent to which federal actions are consistent with TSA's security strategy, and the challenges, if any, that TSA has faced in making these actions effective, we interviewed officials from DHS and DOT. From DHS, we interviewed officials from TSA's Surface Transportation Security Inspection Program within the Office of Security Operations, TSA's Office of Security Technology, and, within TSA's Office of Law Enforcement, the Federal Air Marshal Service (which plays a lead role in implementing VIPR Operations). We also interviewed officials from DHS's Science and Technology Directorate and Federal Emergency Management Agency's Grants Programs Directorate. Within DOT, we interviewed officials from FTA's Office of Safety and Security and also the Federal Railroad Administration. We also interviewed officials from the three federally sponsored mass transit employee training providers-- the National Transit Institute, Transportation Safety Institute, and Johns Hopkins University--to obtain information on training they offered to mass transit and passenger rail employees and their perspectives on TSA's Mass Transit Security Training Program. To obtain information on industry security actions and perspectives on federal mass transit and passenger rail security actions, we conducted site visits at, or held teleconferences with, officials representing 30 mass transit and passenger rail systems across the nation--representing 75 percent of the nation's total mass transit and passenger rail ridership--based on information we obtained from the Federal Transit Administration's National Transit Database and the American Public Transportation Association (APTA). We selected this non-probability sample of mass transit and passenger rail systems and cities because of their high levels of ridership, geographic dispersion, experience with TSA security assessments, eligibility for grant funding, and expert recommendation. Because we selected a non-probability sample of mass transit and passenger rail agencies, the information obtained from these site visits cannot be generalized to all transit agencies nationwide. However, we determined that the selection of these sites was appropriate for our design and objectives and that the selection would provide valid and reliable evidence. The information we obtained provided us with a broad overview of the types of actions taken to strengthen security. Table 1 lists the mass transit and passenger rail systems we interviewed. Table 7: Mass Transit and Passenger Rail Systems Interviewed: Mass transit and/or passenger rail system: Bay Area Rapid Transit (BART); Urban area served: San Francisco-Oakland, California. Mass transit and/or passenger rail system: Broward County Office of Transportation (BCT); Urban area served: Broward County, Florida. Mass transit and/or passenger rail system: CALTRAIN; Urban area served: San Francisco and San Jose, California. Mass transit and/or passenger rail system: Chicago Transit Authority (CTA); Urban area served: Chicago, Illinois. Mass transit and/or passenger rail system: Dallas Area Rapid Transit (DART); Urban area served: Dallas, Texas. Mass transit and/or passenger rail system: Delaware River Port Authority (PATCO); Urban area served: New Jersey and Philadelphia, Pennsylvania. Mass transit and/or passenger rail system: Fort Worth Transportation Authority (The T); Urban area served: Fort Worth, Texas. Mass transit and/or passenger rail system: King County Department of Transportation - Metro Transit Division (King County Metro); Urban area served: Seattle, Washington. Mass transit and/or passenger rail system: Los Angeles County Metropolitan Transportation Authority (LACMTA); Urban area served: Los Angeles, California. Mass transit and/or passenger rail system: Maryland Transit Administration (MTA); Urban area served: Greater Washington, D.C., and Maryland. Mass transit and/or passenger rail system: Massachusetts Bay Transportation Authority (MBTA); Urban area served: Boston, Massachusetts. Mass transit and/or passenger rail system: METRA Commuter Rail; Urban area served: Chicago, Illinois. Mass transit and/or passenger rail system: Metropolitan Atlanta Rapid Transit Authority (MARTA); Urban area served: Atlanta, Georgia. Mass transit and/or passenger rail system: Metro Transit; Urban area served: Minneapolis, Minnesota. Mass transit and/or passenger rail system: Metropolitan Transit Authority of Harris County (Houston Metro); Urban area served: Houston, Texas. Mass transit and/or passenger rail system: Miami Dade Transit; Urban area served: Miami, Florida. Mass transit and/or passenger rail system: New Jersey Transit; Urban area served: Newark, New Jersey - New York, New York. Mass transit and/or passenger rail system: New York Metropolitan Transit Authority (MTA); Urban area served: New York, New York. Mass transit and/or passenger rail system: Orange County Transportation Authority (OCTA); Urban area served: Orange County, California. Mass transit and/or passenger rail system: Pierce County Public Transportation Benefit Area (Pierce Transit); Urban area served: Tacoma - Seattle, Washington. Mass transit and/or passenger rail system: Port Authority Trans Hudson (PATH); Urban area served: New York, New York--New Jersey. Mass transit and/or passenger rail system: Santa Clara Valley Transportation Authority (VTA); Urban area served: San Jose, California. Mass transit and/or passenger rail system: South Florida Regional Transportation Authority (SFRTA); Urban area served: Miami, Florida. Mass transit and/or passenger rail system: Southern California Regional Rail Authority (Metrolink); Urban area served: Greater Los Angeles, California. Mass transit and/or passenger rail system: San Francisco Municipal Railway (MUNI); Urban area served: San Francisco, California. Mass transit and/or passenger rail system: Sound Transit (Sounder); Urban area served: Seattle, Washington. Mass transit and/or passenger rail system: Southeastern Pennsylvania Transportation Authority (SEPTA); Urban area served: Philadelphia, Pennsylvania. Mass transit and/or passenger rail system: TRIMET; Urban area served: Portland, Oregon. Mass transit and/or passenger rail system: Virginia Railway Express (VRE); Urban area served: Northern Virginia, Greater Washington, D.C. Mass transit and/or passenger rail system: Washington Metropolitan Area Transit Authority (WMATA); Urban area served: Washington, D.C. Source: GAO and TSA data. [End of table] We also interviewed Amtrak headquarters officials and visited three Amtrak station locations in the Northeast Corridor. During site visits to mass transit and passenger rail agencies, we interviewed security officials, toured stations and other facilities such as control centers, and observed security practices. Further, we interviewed TSA surface transportation security inspectors from the 13 field offices responsible for overseeing the passenger rail and mass transit systems we visited, and in one case, observed the inspectors conduct a BASE review of a mass transit system. We also interviewed state officials with homeland security responsibilities, representatives of the American Public Transportation Association, and where applicable, regional transportation authority officials. To determine the extent to which federal and industry actions were consistent with TSA's security strategy, we reviewed TSA and FTA documentation describing ongoing programs and compared them with the strategic objectives, programs, and actions TSA described in its Mass Transit Modal Annex. To further assess federal and industry actions, and identify potential challenges, we reviewed DHS and DOT documents relevant to federal and industry stakeholder actions to secure passenger rail and mass transit systems. For example, we reviewed program documentation for TSA's Mass Transit Security Training Program, as well as FTA's 2009 Final Draft of Training Curriculum Development Guidelines and federal transit employee training curricula. We also reviewed TSA's Surface Transportation Security Inspection Program Standard Operating Procedures, strategic and annual plans, and documentation of completed mass transit and passenger rail security assessments. We also reviewed TSA's Concept of Operations (CONOPS) for its Visible Intermodal Prevention and Response (VIPR) program--TSA's program for deploying security personnel to augment security on mass transit and passenger rail systems--to identify guidelines TSA has established for implementing the program. We then obtained a list of VIPR operations, by location and date, that TSA reported conducting in mass transit and passenger rail systems immediately following its issuance of the CONOPS in October 2007. We obtained and matched this list with information found in electronic copies of all TSA VIPR operation plan after-action reports (AAR)-- describing the results and challenges encountered during VIPR operations that TSA conducted at mass transit and passenger rail systems from November 2007 through July 2008. We chose to review after- action reports for this period to determine the impact of guidance TSA issued in October 2007, to improve its implementation of the VIPR program. Both the initial list and after-action reports identified 108 VIPR operations; however, we reviewed 104 of these.[Footnote 78] Two analysts independently coded the challenges noted on each of the reports. They discussed differences until agreement could be reached on the most appropriate challenge category. We also conducted a site visit to the Transportation Security Operations Center to interview officials with TSA's Federal Air Marshal Service within the Office of Law Enforcement--which manages the VIPR program--to discuss the challenges identified in the after-action reports. We also obtained access to, and reviewed, the DHS Homeland Security Information Network -Public Transit Portal secure Web communication system to identify the type and extent of security technology information that TSA had made available to industry users of the system, and identified and reviewed best practices applicable to R&D programs identified by leading research organizations, such as the National Research Council of the National Academy of Sciences, in order to establish criteria for evaluating federal and industry coordination in research and development efforts. We also reviewed two DHS-IG reports and found the quality of the methods used to develop these reports sufficient for use as a source in this report. For the final objective, to determine the status of TSA's implementation of 9/11 Commission Act requirements for mass transit and passenger rail, and challenges, if any, that TSA and the mass transit and passenger rail industry face in meeting these requirements, we reviewed the 9/11 Commission Act to identify DHS and industry requirements related to mass transit and passenger rail security. We also reviewed TSA status reports outlining the agency's reported status in satisfying various 9/11 Commission Act provisions related to mass transit and passenger rail security. However, we did not verify the accuracy of TSA's reported status in implementing these 9/11 Commission Act requirements. To identify potential challenges TSA and the mass transit and passenger rail industry may face in implementing various 9/ 11 Commission Act requirements, we interviewed TSA headquarters officials from the Transportation Security Network Management--Mass Transit division, including the Deputy General Manager, and officials from TSA's Surface Transportation Security Inspection Program, including the headquarters based Program Chief, and Surface Transportation Security Inspectors from 13 of 54 field offices, including 11 of 12 Assistant Federal Security Directors for Surface. [Footnote 79] We also reviewed TSA program documents relating to its inspection program including strategic and annual inspection plans, standard operating procedures, and memorandums and directives documenting organizational and staffing plans. Moreover, to obtain information on industry perspectives of potential challenges, we interviewed officials from 30 mass transit and passenger rail systems and Amtrak as well as APTA. In addition, we obtained and reviewed various reports which discuss the federal or industry role in implementing the 9/11 Commission Act, including recent reports issued by the DHS-IG, Congressional Research Service, and a January 2008 report prepared by six Assistant Federal Security Directors for Surface. We conducted this performance audit from September 2007 through June 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: TSA/FTA Security and Emergency Management Action Items: The following list of voluntary Security and Emergency Management Action Items is an update to the Federal Transit Administration's Top 20 Security Program Action Items originally released in January 2003. The update has been developed by FTA and the Department of Homeland Security's Transportation Security Administration and Office of Grants & Training in consultation with the public transportation industry through the Mass Transit Sector Coordinating Council, for which the American Public Transportation Association serves as Executive Secretary. The updated action items address current security threats and risks that confront transit agencies, with particular emphasis on priority areas where gaps need to be closed in security and emergency preparedness programs. Though this update consolidates the previous 20 items into 17, the purpose, scope, and objectives remain consistent. Management and Accountability: 1. Establish written security plans and emergency management plans. 2. Define roles and responsibilities for security and emergency management. 3. Ensure that operations and maintenance supervisors, forepersons, and managers are held responsible for security issues under their control. 4. Coordinate security and emergency management plan(s) with local and regional agencies. Security and Emergency Response Training: 5. Establish and maintain a security and emergency training program. Homeland Security Advisory System: 6. Establish plans and protocols to respond to the DHS Homeland Security Advisory System threat levels. Public Awareness: 7. Implement and reinforce a Public Security and Emergency Awareness Program. Drills and Exercises: 8. Conduct tabletop and functional drills. Risk Management and Information Sharing: 9. Establish and use a risk management process to assess and manage threats, vulnerabilities and consequences. 10. Participate in an information sharing process for threat and intelligence information. 11. Establish and use a reporting process for suspicious activity (internal and external). Facility Security and Access Controls: 12. Control access to security critical facilities with ID badges for all visitors, employees, and contractors. 13. Conduct physical security inspections. Background Investigations: 14. Conduct background investigations of employees and contractors. Document Control: 15. Control access to documents of security critical systems and facilities. 16. Ensure existence of a process for handling and access to Sensitive Security Information (SSI). Security Audits: 17. Conduct security program audits. [End of section] Appendix III: Identifying Characteristics of Successful National Strategies in the Context of Mass Transit and Passenger Rail Security: To help the federal government develop sound national strategies, we have previously identified six desirable characteristics of successful national strategies, including (1) purpose, scope, and methodology of the strategy; (2) risk assessment; (3) goals, subordinate objectives, activities, and performance measures; (4) resources and investments; (5) organizational roles, responsibilities, and coordination; (6) integration and implementation.[Footnote 80] We discussed four of these characteristics in the body of the report, and below we discuss the other two characteristics.[Footnote 81] Where applicable, we link relevant sections of Executive Order 13416 to highlight the importance of these measures to strengthen the passenger rail and mass transit security national strategy. Purpose, Scope, and Methodology: This characteristic addresses why the strategy was produced, the scope of its coverage, and the process by which it was developed. For example, a strategy might discuss the specific impetus that led to its creation, such as statutory requirements, executive mandates, or other events--such as terrorist attacks. In addition to describing what the strategy is meant to do and the major functions, mission areas, or activities it covers, a national strategy would ideally also outline its methodology. For example, a strategy might discuss the principles or theories that guided its development, what organizations or offices drafted the document, whether it was the result of a working group, or which parties were consulted in its development. TSA's Mass Transit Modal Annex identifies the purpose and scope of the Modal Annex and references several principle documents used to develop the Modal Annex--including the Presidential Executive Order 13416: Strengthening Surface Transportation Security, the Transportation System-Sector Specific Plan (TS-SSP), and the National Infrastructure Protection Plan. It also describes the process or methodology that was used and who developed the Annex. For example, the Modal Annex states that TSA's vision is to provide a secure, resilient transit system that leverages public awareness, technology, and layered security programs while maintaining the efficient flow of passengers and encouraging the expanded use of the nation's transit services. The Modal Annex also discusses the scope and type of various federal and industry mass transit and passenger rail security efforts and aligns them with three broad DHS security goals for the transportation sector, as outlined in the TS-SSP.[Footnote 82] In addition, the Modal Annex references the National Infrastructure Protection Plan as a source for developing security programs for mass transit and passenger rail systems, and it also discusses several domestic and international terrorist attacks that have occurred as evidence of the various security risks to the mass transit and passenger rail systems.[Footnote 83] Furthermore, the Modal Annex explains the methodology used in its development, as called for in our prior work on characteristics of a national strategy. In addition to referencing the National Infrastructure Protection Plan and the TS-SSP as literatures providing the principles or theories that guided the development of the Modal Annex, the Modal Annex also describes the process and information that were used to develop the strategy and identified entities that contributed to its development. For example, the strategy describes how mass transit and passenger rail security programs and initiatives are developed and implemented and how they are aligned with the overall transportation sector goals and objectives and mass transit and passenger rail modal strategies and objectives. Also, the Modal Annex identifies the Transit, Commuter and Long Distance Rail Government Coordinating Council (TCLDR-GCC), the Mass Transit Sector Coordinating Council (SCC), the Critical Infrastructure Partnership Advisory Council, and TSA's Mass Transit Division as entities involved in developing the transportation security strategic policy. Integration and implementation: This characteristic addresses both how a national strategy relates to other strategies' goals, objectives, and activities and to subordinate levels of government and their plans to implement the strategy. For example, a national strategy could discuss how its scope complements, expands upon, or overlaps with other national strategies, such as DHS efforts to mitigate transportation risks. Also, related strategies could highlight their common or shared goals, subordinate objectives, and activities. Similarly, the Executive Order requires that the Modal Annex identify existing security guidelines and requirements. To meet these requirements and because protecting the mass transit and passenger rail systems is a shared responsibility among many stakeholders, the Modal Annex could identify regulations and programs that affect the security of the mass transit and passenger rail systems. In addition, a strategy could address its relationship to other agency strategies using relevant documents from implementing organizations, such as strategic plans, annual performance plans, or annual performance reports that GPRA requires of federal agencies. A strategy might also discuss, as appropriate, various strategies and plans produced by the state, local, or private sectors and could provide guidance such as the development of national standards to more effectively link together the roles, responsibilities, and capabilities of the implementing parties. TSA's Modal Annex delineates mechanisms to facilitate stakeholders coordination, specifically the TCLDR-GCC and the Mass Transit SCC, discusses other relevant industry security plans, and identifies regulations and programs such as the regulation on designating a rail security coordinator and security programs related to public awareness and training that affect the security of the mass transit and passenger rail systems. The Modal Annex also addresses its relationship with strategic documents or activities of other federal agencies that have a role in mass transit and passenger rail security, such as those that guide FTA, which has a supporting role along with TSA for protecting mass transit and passenger rail systems. For example, the Modal Annex mentions how FTA's activities, such as the State Safety Oversight Agencies audit program and FTA's Section 5307 grant program fit into TSA's overall strategy for securing mass transit and passenger rail systems. The Modal Annex also mentions DHS-DOT collaborative efforts through their memorandum of understanding such as the development of public transportation annex delineating areas of coordination to assist transit agencies in prioritizing and addressing security related needs. In addition, the Modal Annex points out how it relates to the National Strategy for Transportation Security required by the Intelligence Reform and Terrorism Prevention Act of 2004.[Footnote 84] For example, it explains how TSA's effort in building security force multipliers through security training for front-line employees of mass transit and passenger rail systems directly supports the National Priorities, the National Preparedness Goal, and the National Strategy for Transportation Security. By providing such information, the agency is identifying linkages with other developed strategies and other organizational roles and responsibilities. [End of section] Appendix IV: Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security since 2004: This appendix expands on the list of key actions identified in the body of the report in table 5. This table presents a more comprehensive list of federal actions taken to enhance mass transit and passenger rail security since 2004. Table 8: Federal Actions Taken to Enhance Mass Transit and Passenger Rail Security since 2004: Category: Deploying Manpower: Program: Surface Transportation Security Inspection Program (STSIP); Lead agency: TSA; Description: Established in 2005, TSA's Surface Transportation Security Inspectors (TSI-S) serve as the agency's field force for conducting non- regulatory security assessments, outreach, and technical assistance with the nation's largest mass transit agencies, as well as participating in VIPR security operations at key transit and passenger rail locations. TSA reported that, as of February 2009, TSI-S had conducted non-regulatory security posture assessments--BASE reviews--of 91 mass transit and passenger rail agencies, including 82 of the largest agencies, and over 1,350 site visits to mass transit rail stations--Station Profiles--to gather detailed information pertaining to their physical security elements, geography, and emergency points of contact. Program: Visible Intermodal Prevention and Response (VIPR) Program; Lead agency: TSA; Description: TSA, to date, has reported deploying over 800 teams of various TSA personnel to augment the security of mass transit and passenger rail systems and promote the visibility of TSA. Working alongside local security and law enforcement officials, VIPR teams conduct a variety of security tactics to introduce unpredictability and deter potential terrorist actions, including random high visibility patrols at mass transit stations and conducting passenger and baggage screening operations using specially trained behavior detection officers and a varying combination of explosive detection canine teams and explosives detection technology. Program: National Explosive Detection Canine Team Program (NEDCTP); Lead agency: TSA; Description: In 2005, TSA expanded the NEDCTP from aviation into mass transit. TSA has worked in partnership with mass transit systems to procure, train, certify, and deploy 88 explosives detection canine teams to 15 participating mass transit systems nationwide to provide mobile and flexible deterrence and explosives detection capabilities. TSA provides the canine training for the handler and the dogs and also allocates funds to cover costs associated with continued training and maintenance of the team, while the transit system commits a handler to attend the TSA training and receive program certification. Category: Coordinating with federal and industry stakeholders and issuing guidance: Program: Mass Transit Modal Annex; Lead agency: TSA; Description: In 2007, TSA, in coordination with FTA, issued the Mass Transit Modal Annex to serve as the federal strategy for achieving the objectives and priorities laid out in the Transportation Systems-Sector Specific Plan. The Modal Annex outlines security programs and activities--initiated largely by TSA, but including FTA and other federal stakeholders--to enhance the security of the nation's mass transit and passenger rail systems. Program: DHS/DOT memorandum of understanding (MOU) for coordination of roles/responsibilities; Lead agency: TSA, FTA; Description: Through a 2004 MOU and 2005 annex DOT (FTA) and DHS (TSA) agreed to closely coordinate their mass transit and passenger rail programs and services in developing mass transit and passenger rail security guidance and regulations, with TSA as the lead agency. The agreements confirm TSA as having the lead role for transportation security and DOT as having a supporting role for providing technical assistance and assisting DHS in the implementation of its security policies. Program: Transit, Commuter and Long Distance Rail Government Coordinating Council and Mass Transit Sector Coordinating Council (GCC/SCC) Joint Working Groups; Lead agency: TSA, FTA; Description: In 2007, under the Transit, Commuter and Long Distance Rail Government Coordinating Council (GCC) and Mass Transit Sector Coordinating Council (SCC) framework, TSA and FTA collaborated with the American Public Transportation Association to establish working groups composed of federal and industry mass transit and passenger rail security stakeholders to serve as a modal coordinating council for the mass transit and passenger rail modes. Working groups were established in three substantive areas: security training, security technology, and grants. Program: Transit Policing and Security Peer Advisory Group (PAG); Lead agency: TSA; Description: In late 2006, TSA established the monthly Transit Policing and Security Peer Advisory Group (PAG) to bring together 16 transit police chiefs and security directors from Amtrak and major transit systems across the nation to act as a consultative forum for advancing the security concerns of transit systems. Program: Transit Safety and Security Roundtables; Lead agency: TSA, FTA; Description: Administered in 2003 and 2004 by FTA, and jointly administered since 2005, TSA and FTA have convened semi-annual Transit Safety and Security Roundtables to serve as a means for representatives of the 50 largest mass transit agencies to share security-related ideas and information. Program: Coordinated Security Surges; Lead agency: TSA; Description: Coordinated effort integrating TSA with mass transit and passenger rail agencies and law enforcement partners in the systems' operating areas. TSA reported initiating the program with planning, coordination, and execution of "Northeast Corridor Rail Security Day" in September 2008, a surge operation that brought officers from nearly 120 law enforcement agencies to some 150 Amtrak, commuter rail, and rail transit stations from Fredericksburg, Virginia to Portland, Maine. Program: Security Standards; Lead agency: TSA, FTA; Description: In accordance with the DOT-DHS MOU annex, FTA is leading an initiative with TSA to develop security standards for mass transit and passenger rail systems, with a focus on recommended procedures and practices. FTA has funded APTA to administer this initiative, and as of March 2009, APTA had issued six security standards related to security emergency management, security infrastructure, and security risk management. Program: Smart Security Practices List; Lead agency: TSA; Description: In June 2008, TSA disseminated to the mass transit industry a list of 55 smart security practices listing the most effective security activities, measures, practices, and procedures inspectors had identified in TSA mass transit security assessments. TSA plans to periodically expand this list as it continues to identify additional smart practices through its security assessments. Program: Mass Transit Security Training Program; Lead agency: TSA, FEMA, FTA; Description: In early 2007, to improve the quality and scope of transit agency employee security training, TSA established the Mass Transit Security Training Program to provide transit agencies with curriculum guidance and expedited grant funding to cover training costs. FEMA administers the funding through the Transit Security Grant Program. The program is largely based on courses developed and financially supported by FTA. For example, among other things, FTA funds and supports delivery of a variety of security training, including 17 security training programs for mass transit and passenger rail agency employees. Program: Connecting Communities Public Transportation Emergency Preparedness Workshops; Lead agency: FTA, TSA; Description: Established by FTA in 2002 and funded by both FTA and TSA, these 2-day workshops are designed to facilitate coordination between federal stakeholders and the local agencies that respond to transit emergencies. TSA and FTA share transit policies, procedures, resources, and effective practices with local first responders and discuss emergency management and response, including the roles of federal, state, and local emergency management offices. FTA and TSA convene these workshops several times per year in cities nationwide. Program: Transit Watch; Lead agency: TSA/FTA; Description: To boost public vigilance and awareness of potential terrorist threats, Transit Watch was introduced in 2003 as a nationwide safety and security awareness program designed to encourage the active participation of transit passengers and employees. Via the program, TSA/FTA jointly created templates for use by transit agencies to produce security-awareness materials, such as posters and flyers. Program: Bomb Squad Response to Transportation Systems; Lead agency: TSA; Description: TSA reported that through training and scenario-based exercises, this program expands regional capabilities to respond to a threat or incident involving a suspected explosive device in mass transit and passenger rail systems. Bomb technicians from law enforcement forces in the system's operating area are placed in the mass transit or passenger rail environment to confront exercise situations necessitating coordinated planning and execution of operations to identify, resolve, and, if appropriate, render harmless improvised explosive devices. TSA reported that as of May 2009, this program has been conducted at three mass transit locations. Program: Employee Awareness Program; Lead agency: TSA; Description: TSA reported that this program produces posters and tip cards for frontline employees emphasizing the critical importance of observing and reporting in terrorism prevention. The products are adapted to the partnering agency, applying its logo, system images, and employees' quotes. Category: Developing security technology and providing technology information: Program: Security Technology Research and Development; Lead agency: DHS S&T/TSA; Description: DHS Science and Technology Directorate and TSA collaborate to research, develop, and test various security technologies for applicability in the mass transit and passenger rail modes, including explosive trace detection technologies, infrastructure protection measures, and behavior based and advanced imaging technologies. Program: Homeland Security Information Network Public Transit Portal; Lead agency: TSA; Description: In 2006, TSA established the Public Transit Portal of the Homeland Security Information Network, a secure, web-based communications system to provide the mass transit industry with information on threats, best practices, and security technologies. Program: Transportation Research Board; Lead agency: FTA; Description: FTA sponsors academic research from the Transportation Research Board (TRB), which is one of six divisions within the National Research Council. The National Research Council serves as an independent advisor to the federal government and others on scientific and technical questions of national importance. TRB has produced several reports on public transportation security, such as a report on mass transit passenger security inspections procedures and technology. Source: GAO analysis of DHS and DOT information. [End of table] [End of section] Appendix V: Modal Annex Objectives and Examples of Actions Taken to Achieve Them as of February 2009: Table 9: TSA Mass Transit Modal Annex Objectives and Examples of Actions That Have Been Employed to Achieve the Objectives, as of February 2009: Modal Annex mass transit objective: * Employ technology for screening passengers and bags in random applications throughout the mass transit and passenger rail systems as appropriate; Action to achieve objective: Explosive detection technology screening employed during VIPR operations. Modal Annex mass transit objective: * Bolster screening technology efforts with a program for random searches of passengers' bags entering system; Action to achieve objective: Screening programs introduced by select major transit agencies. Modal Annex mass transit objective: * Affect regional approach through coordinated planning among federal, local, and mass transit security stakeholders to maximize application of available security resources through multiple teams for random, unpredictable activities; Action to achieve objective: TSA VIPR operations and coordinated security surges. Modal Annex mass transit objective: * Conduct Security Readiness assessments; Action to achieve objective: TSA BASE reviews. Modal Annex mass transit objective: * Coordinate with system security officials to examine capabilities of transit agencies and front-line employees in identifying and reporting suspicious items and activities; Action to achieve objective: TSA Security Analysis and Action Program Assessments. Modal Annex mass transit objective: * Use covert testing to test awareness and reporting by employees and passengers; Action to achieve objective: N/A[A]. Modal Annex mass transit objective: * Improve flow of threat and other security information through outreach and regional intelligence and information-sharing centers; Action to achieve objective: Joint Terrorism Task Force mass transit threat briefings[B] and TSA mass transit security awareness messages[C]. Modal Annex mass transit objective: * Coordinate focused transit system employee training to be aligned with needs and requirements of mass transit agencies; Action to achieve objective: TSA Mass Transit Security Training Program. Modal Annex mass transit objective: * Employ all available media-public address system announcements in public awareness programs; Action to achieve objective: TSA Employee Awareness Poster Program[D]. Source: GAO Analysis of TSA information and Mass Transit Modal Annex. [A] As of February 2009, due to potential safety risks and potential disruptions to transit operations, TSA has elected not to conduct covert testing of passenger rail and mass transit systems. [B] DHS, TSA, and the Federal Bureau of Investigation (FBI) conduct Joint Terrorism Task Force (JTTF) Mass Transit Threat Briefings on a quarterly basis, or as threats or security incidents warrant, bringing together mass transit and passenger rail security directors and law enforcement chiefs with their federal security partners in 15 metropolitan areas simultaneously through the secure video teleconferencing system maintained in the JTTF network. [C] Through its Mass Transit Security Awareness Messages, TSA periodically disseminates unclassified threat information to mass transit and passenger rail security and management officials to increase vigilance and preparedness and practical guidance on how to enhance security. [D] Through the Employee Awareness Poster Program, TSA partners with mass transit and passenger rail agencies to produce tailored posters specifically focused on transit employee security awareness. TSA develops a common theme, transit agencies provide graphics, logos, and quotations, and TSA tailors the posters for use by the transit agencies. [End of table] [End of section] Appendix VI: DHS Mass Transit and Passenger Rail Related Security Technology Pilots Conducted from 2004 to 2009: Table 10: DHS Mass Transit and Passenger Rail Related Security Technology Pilots Conducted from 2004 to 2009: Pilot program: Program for Response Options and Technology Enhancement for Chemical/Biological Terrorism (PROTECT); Description: Technology is an automated network of chemical sniffers, TV cameras, and computers that provides early warning of chemical attack, as well as intelligent emergency response management; Status: Evaluation is completed. In March 2003, it became the nation's first permanently installed detection system for chemical attacks in a public place. PROTECT can be found in three major cities. Pilot program: Transit and Rail Inspection Pilot (TRIP); Description: Three phase pilot program launched in 2004 that evaluated the feasibility of using checkpoint style passenger screening, explosive trace detection systems for passenger checked baggage, and evaluated the feasibility of modifying a passenger rail car by installing screening technologies within it and conducting passenger screening operations while the train was moving at normal speed; Status: Evaluation is completed. TSA found that the screening technologies and processes tested would be difficult to implement on more heavily used passenger rail systems. TSA concluded that the screening technologies could be used randomly or during certain high- risk events. For example, similar technologies were used by TSA to screen certain passengers and belongings in Boston and New York during the Democratic and Republican national conventions, respectively, in 2004. Pilot program: Conventional screening technology adaptation pilot program (Countermeasures Test Beds Rail Security Pilot); Description: Congressionally mandated project which included testing the feasibility of adapting airport security checkpoint screening technologies and procedures to screen rail passengers and baggage for explosives and testing technologies that would be integrated into fare card purchasing machines to detect trace levels of explosive residue on the hands of passengers; Status: Evaluation is completed. Though DHS found that several of the technologies could be adapted to function on mass transit in the near term, it identified several obstacles that needed to be overcome, including high technology costs, high personnel requirements, high false-alarm rates, and reduced passenger throughput. Pilot program: Mobile security checkpoints; Description: Tested the rapid deployment of the "screener in a box" - a full airport-style x-ray checkpoint passenger and baggage screening system that fits into two standard-sized shipping containers; Status: Evaluation is completed. The pilot determined that the checkpoint could be used for screening passengers at a moderately busy transit platform, but coordination and logistical support, storage, screeners, and set-up challenges make these checkpoints suitable only for short term, high threat use in mass transit and passenger rail. The unit is now maintained for deployment in situations of heightened alert. Pilot program: Advanced Screening Equipment - SPO-20 deployment; Description: As part of TSA's increased security presence at the nation's major transportation centers on July 4 2007, TSA tested the rapid deployment of the SPO-20, a passive millimeter wave screening device that can scan large crowds for body-borne improvised explosive devices; Status: Evaluation is completed. TSA reported the pilot successfully screened almost all passengers at a busy transit station with few false alarms. The most significant challenge came from the fact that TSA gave the transit agency less than 24 hours to coordinate the SPO-20's deployment, which caused some logistical and training issues. TSA concluded that pre-deployment site visits and coordinating meetings are crucial to successful deployment. Pilot program: Resilient tunnel; Description: In 2003-2004, DHS S&T conducted an assessment of the nation's 29 underground and underwater tunnels for mass transit and passenger rail to identify ways to mitigate vulnerabilities that terrorists using improvised explosive devices could exploit to cause catastrophic failure of an underground transit tunnel; Status: Ongoing. In fiscal year 2007, the project surveyed concepts for tunnel protection and identified existing European inflatable tunnel protection systems that could be used to limit the spread of fire caused by an explosion. DHS S&T plans to complete and demonstrate a prototype inflatable tunnel protection system by fiscal year 2010. Pilot program: Bus communications and control; Description: In 2006, TSA and DHS S&T developed the ability to remotely disable a bus using engine control technologies and therefore prevent its use as a delivery device for a weapon of mass destruction; Status: Ongoing. In fiscal year 2007, the project began with full field operational testing, which will continue through fiscal year 2009. Pilot program: Standoff technology demonstration program; Description: A field testing program intended to accelerate the development of promising standoff detection technologies and adapted checkpoint screening systems. The program's objectives include testing and evaluating technologies, developing concept of operation plans, and to developing agile test beds to evaluate technologies; Status: Ongoing. In fiscal year 2010, the program will demonstrate an integrated system of technologies to detect a left-behind IED or a suicide bomber in commuter rail. Pilot program: Future Attribute Screening Technologies Mobile Module (FASTM2); Description: This module is developing real-time, mobile screening technologies to automatically detect behavior indicative of mal-intent at security checkpoints such as border crossings, transportation portals, and other critical infrastructures; Status: Ongoing. In fiscal year 2009, the project plans to conduct a prototype demonstration of real-time intent detection capability. Pilot program: Infrastructure Blast Mitigation Project; Description: Project is developing proof-of-concept technologies to mitigate the explosive and damaging force from an IED. This project will include basic research studies on advanced mitigation technologies, including new glass materials and deflecting structures that reduce damage to infrastructure or personnel; Status: Ongoing. In fiscal year 2009, the project plans to begin developing models to further determine the vulnerability of infrastructure, bridges, and tunnels to various explosive threats. Pilot program: Automated Carry-on Detection Project; Description: Project develops advanced capabilities to detect explosives and concealed weapons, including home-made explosives. This project will introduce new standalone technologies or adjunct technologies to Computed Tomography technology to continue improving detection performance and the detection of novel explosives; Status: Ongoing. In fiscal year 2009, the project plans to award a development contract for the detection of novel explosives in what are called "next generation" checkpoint systems. Pilot program: Concrete Mats for Tunnel Protection; Description: Project is testing articulated concrete mats, which are composed of individual concrete blocks held together by a series of cables, for their potential effectiveness in protecting underwater transportation tunnels; Status: Ongoing. In fiscal year 2006, a series of scaled experiments in geotechnical centrifuge was initiated to evaluate the effectiveness of the mats for tunnel protection. In February 2009, the third phase of the experimental testing was nearing completion, after which a report will be generated. All work has been coordinated with a specific mass transit agency to inform the operational deployment of the mats once the project is finished. Source: GAO analysis of TSA and DHS documents. [End of table] [End of section] Appendix VII: Comments from Amtrak: Amtrak: June 15, 2009: Ms. Cathy Berrick: Managing Director: Homeland Security and Justice: U.S. Government Accountability Office: 441 G Street. NW: Washington, DC 20548: Dear Ms. Berrick: Thank you for your correspondence of May 13, 2009, regarding a draft report from your office for "Transportation Security: Key Actions Have Been Taken to Enhance Mass Transit and Passenger Rail Security, but Opportunities Exist to Strengthen Federal Strategy and Programs, GAO-09- 678SU" provided for agency comment. With regard to industry stakeholders conducting risk assessments related to security, the Department of Homeland Security (DHS) funded a risk-based assessment of all Amtrak facilities, practices and assets in 2004-2005. DHS hired Science Applications International Corporation (SAIC) directly to conduct the assessment, which occurred from 2005 through 2008. The methodology employed conforms to DHS risk assessment standards. Amtrak has embraced this assessment as the baseline from which all subsequent security remediation priorities have been determined and acted upon. In addition arid since 2006, Amtrak has utilized corroborating sub- assessments, executed by institutions such as the Lawrence Livermore National Laboratories (LLNL), and the Department of Defense's (DOD) Full Spectrum Vulnerability Analysis Assessment (FSIVA) process. to confirm, augment, clarity, and otherwise round out the SAIC results. TSA was largely uninvolved in this process, though the TSGP grant program administered by at agency did fund some of the sub-assessments. In response to key remediation actions taken by industry stakeholders to address issues identified in risk-based assessments, Amtrak has taken and continues to aggressively implement remediation actions, in risk order priority, identified in the DHS-sponsored risk assessment, and in corroborating independent assessments. Broadly, these activities fall into the following categories: a) Physical infrastructure hardening (barriers, fences, CCTV systems, IIVAC sensors, etc.,) funded through successive Transportation Security Grant Programs (TSGP), and more recently through $196 million from the ARRA. b) Employee and passenger security training and awareness programs funded in the same way. c) Increase in counter-terrorism security and police headcount, training, and capability, to include expansion of Amtrak's canine bomb detection program. through both grant and corporate operating budget funding. d) Prototype development of focused information sharing and intelligence systems, funded through grants. e) Development of station action teams and contingency plans for key facilities and stations (as identified by risk analysis), paid for through grants and corporate operating budget. Detailed information on any or all of these programs can be made available upon written request. TSA involvement in these activities is primarily that of a funding agency--in that it administers TSGP, first authorized by the Congress in 2005. Additionally, TSA has been significantly and profoundly helpful in the conduct of Amtrak security contingency operations and exercises since 2005. DHS (through its Science and Technology Division) has been directly involved in assisting Amtrak with ideas and assessments of promising security technologies. TSA has sponsored exploratory tests with millimeter wave detection technologies. Relating to impediments to implementing security remediation, the grants regime facilitates Amtrak's pursuit of security remediation (see above), especially with regard to physical infrastructure hardening. The grant approval process managed by TSA and FEMA is at times cumbersome and overly bureaucratic. As well, the grant guidance administered by TSA sometimes diverged from clear legislative intent. This was particularly the case in the 2008 TSGP grant rules. which imposed a 25% cost share on grant funds selectively applied to five programs where Amtrak was implementing risk mitigation measures. While subsequently removed by Congressional action, this requirement caused hardship to transit agencies with already constrained resources, and considerable frustration to those charged with planning and scheduling complex projects distributed over multiple fiscal years. We appreciate this opportunity to provide more detailed information on our security- and counterterrorism activities, and believe that the report contributes significantly to understanding the challenges involved in securing the transit environment. Sincerely, Signed by: Joseph H. Boardman: President and Chief Executive Officer: [End of section] Appendix VIII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: June 17, 2009: Ms. Cathleen A. Berrick: Managing Director, Homeland Security and Justice Issues: U.S. Government Accountability Office (GAO): 441 G Street, NW: Washington, DC 20548: Dear Ms. Berrick: Thank you for the opportunity to comment on GAO-09-678SU, the draft report entitled, "Key Actions Have Been Taken to Enhance Mass Transit and Passenger Rail Security, but Opportunities Exist to Strengthen Federal Strategy and Programs." We commend the professionalism and thoroughness of the GAO team consistently displayed throughout the audit. The findings and recommendations in the report will prove helpful as we continue the persistent effort to strengthen the security strategy and enhance security programs for mass transit and passenger rail. In particular, we appreciate the description of the extensive progress that has been made in security strategy, program development, and program execution since the publication of the last comprehensive GAO audit of mass transit and passenger rail in September 2005. As the report shows, TSA has developed a foundation for strong mass transit and passenger rail security. Constant commitment to improvement of this foundation is essential to meeting the challenges of the security mission. The current draft GAO report, which provides a broad investigation and pointed analysis, will foster this process. Specific responses to the recommendations for executive action follow. Recommendation 1: To help ensure that the federal strategy to secure the mass transit and passenger rail systems considers assessment information within the context of risk, TSA, as the Sector-Specific Agency for mass transit and passenger rail, should conduct a risk assessment that integrates all three elements of risk: threat, vulnerability, and consequence. As part of this assessment, TSA should, to the extent feasible, fully leverage existing assessment information from its own sources as well as those provided by other federal and industry stakeholders, as appropriate, and use this information to inform its security strategy. DHS Concurs: We appreciate the constructive review and discussion of the subject of a comprehensive risk assessment in mass transit and passenger rail. In this context, it is important to note that mass transit and passenger rail agencies operating in the Nation's sizeable metropolitan areas are among the most thoroughly assessed of all transportation modes. Since 9/11, they have undergone security assessments by the Federal Transit Administration (FTA), the former Office of Grants and Training of the U.S. Department of Homeland Security (DHS) (for grant funding eligibility), the American Public Transportation Association (APTA), private sector security consultants (often funded by DHS grants), and now the Baseline Assessment for Security Enhancement (BASE) program. Additionally, through DHS's Office of Infrastructure Protection, Protective Security Advisors (PSAs) have conducted risk assessments on specific critical assets in mass transit and passenger rail systems (including Amtrak) in higher risk areas. As the draft report notes, through the BASE program, TSA assesses the security posture of mass transit and passenger rail agencies in the Security and Emergency Management Action Items. Developed in a joint effort of TSA, DHS, Department of Transportation/FTA, and mass transit and passenger rail operating and security officials engaged through the Mass Transit Sector Coordinating Council (SCC), the Action Items cover a range of areas that are foundational to an effective security program. Components include security program management and accountability, security and emergency response training, drills and exercises, public awareness, protective measures for Homeland Security Advisory System (HSAS) threat levels, physical security, personnel security, and information sharing and security. Particular emphasis is placed on posture in the six Transit Security Fundamentals (protection of underground/underwater infrastructure; protection of other high consequence systems and assets; random, unpredictable deterrence; training; exercises; and public awareness). TSA's approach with the BASE program is distinct from the multiple risk assessments conducted previously in mass transit and passenger rail. The specific purpose is to evaluate, with a thorough checklist and narrative responses, the effectiveness of the security programs, procedures, and measures developed and implemented by mass transit and passenger rail agencies in response to the results of the prior risk assessments. TSA's Surface Transportation Security Inspectors (STSIs) conduct the BASE assessments in partnership with mass transit and passenger rail agencies' security chiefs and directors to ensure full understanding of their efforts and thorough assessment of their effectiveness. The results of these assessments inform development of risk mitigation priorities, security enhancement programs, and resource allocations, including transit security grants. The results have also enabled production and dissemination of a compilation of Smart Security Practices, listed by implementing agency with name and contact information for a key official, with the specific purpose of inspiring networking among transit security professionals to expand adoption of these effective security practices. TSA disseminated the initial compilation to the mass transit and passenger rail community in July 2008. Annual updates are projected. The assessed agencies receive a complete report of the results. This information helps focus the development and implementation of plans, programs, and measures to redress identified weaknesses and informs the preparation of project applications under the Transit Security Grant Program. TSA acknowledges the importance of GAO's recommendation to leverage the results of these assessments and advance the capability to produce a comprehensive risk assessment of the mass transit and passenger rail mode. The ongoing development of the Risk Assessment Tool, cited in Table 2 of the draft report, aims to provide a comprehensive risk assessment product for TSA in mass transit and passenger rail. A pilot program planned for later this year will apply this tool, evaluate its effectiveness, and produce lessons learned to enhance the capability prior to programmatic implementation. This effort, integrating the findings of the earlier assessments, is specifically intended to address this GAO recommendation. Recommendation 2: To better achieve the security strategy laid out in its Mass Transit Modal Annex - TSA's security strategy for the mass transit and passenger rail systems - TSA should, to the extent feasible, incorporate in future updates of the Modal Annex the characteristics of a successful national strategy and the elements outlined in Executive Order 13416, including: * Measuring the agency's and industry's performance in achieving the goals of preventing and deterring acts of terrorism and enhancing the resiliency of mass transit and passenger rail systems; and; * Incorporating information on what the strategy will cost along with the sources and types of resources and investments needed, and identifying where those resources and investments should be targeted. DHS Concurs: We welcome the constructive review and insights on improving the effectiveness of the Mass Transit Modal Annex to the Transportation Systems Sector-Specific Plan (TS-SSP) as TSA's security strategy for mass transit and passenger rail. TSA will apply this context in the ongoing effort to update the Annex and enhance its utility as a national strategy. Additionally, TSA will coordinate this update with the mass transit and passenger rail community through multiple forums, such as the Mass Transit SCC, the Transit Policing & Security Peer Advisory Group, and participants in the semi-annual Transit Safety and Security Roundtables that bring together the law enforcement. chiefs and security directors of Amtrak and the largest 50 mass transit and passenger rail agencies with federal security partners to advance collaborative solutions to security challenges. Recommendation 3: To help ensure that DHS security technology research and development efforts reflect the security technology needs of the nation's mass transit and passenger rail systems, TSA should expand its outreach to the mass transit and passenger rail industry in the planning and selection of related security technology research and development projects. DHS Concurs: While we believe significant progress has been made in this area, as discussed in the draft report, the reference to concerns reported by the security technology working group of the Mass Transit SCC warrants our attention. As part of the continuous improvement process, we will strive to ensure security partners in mass transit and passenger rail are afforded ample and clear opportunities to provide input on priorities for security technology development and testing. Recommendation 4: To meet the needs of mass transit and passenger rail agencies regarding information on available security technologies, TSA should explore the feasibility of expanding the security technology product information on the Public Transit Portal of the Homeland Security Information Network, and consider including information such as product performance in a rail or bus venue, cost, maintenance needs, and other information to support mass transit and passenger rail agencies purchasing and deploying new security technologies. DHS Concurs: As noted in the discussion on this subject above, we recognize the need for a more comprehensive and user-friendly approach in providing appropriate information on security technologies that may be deployed in mass transit and passenger rail. To progress in this area, and consistent with the provisions of section 1410(b) of the 9/11 Commission Act, TSA has arranged funding in the amount of $600,000 for operations of the Public Transportation Information Sharing and Analysis Center (PT-ISAC) in fiscal year 2009. Beyond meeting the statutory requirement, a principal objective of this initiative is to align and integrate the PT-ISAC's analytical and information sharing activities with relevant Federal processes to establish and maintain a comprehensive information sharing environment for the mass transit and passenger rail community. Expanding the scope and enhancing the quality of the security technology information resource, in coordination with the Mass Transit SCC, will be a key component of this effort. Recommendation 5: To better ensure the DHS consistently funds sound and valid security training delivery programs for mass transit and passenger rail employees, TSA should consider enhancing its criteria for evaluating whether security training vendors meet the performance standards of federally sponsored training providers and whether they could be used by transit agencies for training under the transit security grant program. As part of this effort, TSA should consider coordinating with other federal agencies that have developed criteria for similar programs, such as the Federal Transit Administration. DHS Concurs: In recent years, DHS has substantially increased the investment in security training in mass transit and passenger rail through awards under the Transit Security Grant Program (TSGP). Though to date, new proposals for approval of courses for use of TSGP funds have been limited, we must anticipate growth in these types of requests from security training vendors as security training of frontline employees in mass transit and passenger rail remains a strategic security priority. An existing joint working group staffed by the appropriate officials from TSA and FTA is evaluating the security training program for mass transit and passenger rail to assess the effectiveness of current courses and to identify any gaps and needed improvements. Consistent with this GAO recommendation, we will add the establishment of criteria to review new training courses proposed by security training vendors to the joint working group's focus areas. Recommendation 6: To better ensure DHS's ability to satisfy the provisions of the 9/11 Commission Act related to mass transit and passenger rail, DHS should develop a plan with milestones for implementing provisions of the 9/11 Commission Act related to mass transit and passenger rail security. DHS Concurs: TSA reports its progress in implementing the requirements of the 9/11 Commission Act to DHS on a monthly basis. For items not yet completed, this monthly report includes projected actions to advance implementation with general timelines. However, a progress report is not the equivalent of an overall plan that identifies necessary actions and sets milestones to evaluate the effectiveness of efforts to meet the statutory requirements. Pursuant to this recommendation, TSA will produce such a plan. Again, DHS appreciates the work GAO has done in the review of mass transit and passenger rail security. We look forward to maintaining communication with GAO as we work to continue progress in these areas. Sincerely yours, Signed by: Jerald E. Levine: Director, DHS GAO/OIG Liaison Office: [End of section] Appendix IX: GAO Contacts and Staff Acknowledgments: GAO Contacts: Cathleen Berrick, (202) 512-3404 or berrickc@gao.gov: Staff Acknowledgments: In addition to the contact named above, Dawn Hoff, Assistant Director, and Daniel Klabunde, Analyst-in-Charge, managed this assignment. Jay Berman, Martene Bryan, Charlotte Gamble, and Su Jin Yon made significant contributions to the work. Chuck Bausell and Rudy Chatlos, assisted with design, methodology, and data analysis. Lara Kaskie and Linda Miller provided assistance in report preparation; and Tracey King provided legal support. [End of section] Footnotes: [1] Mass transit and passenger rail systems consist of various bus and passenger rail transit systems. Transit bus includes inter-city bus or trolleybus systems. Transit rail is comprised of heavy, commuter, light and intercity rail systems. Heavy rail is an electric railway that can carry a heavy volume of traffic. Heavy rail is characterized by high speed and rapid acceleration, passenger rail cars operating singly or in multi-car trains on fixed rails, separate rights of way from which all other vehicular and foot traffic is excluded, sophisticated signaling, and high-platform loading. Most subway systems are considered heavy rail. Commuter rail is characterized by passenger trains operating on railroad tracks and providing regional service, such as between a central city and its adjacent suburbs. Light rail systems typically operate passenger rail cars singly (or in short, usually two-car, trains) and are driven electrically with power being drawn from an overhead electric line. Amtrak operates the nation's primary intercity rail system. [2] The American Public Transportation Association compiled this ridership data from the Federal Transit Administration's National Transit Database. Ridership on rail transit systems in the District of Columbia and Puerto Rico are included in these statistics. A passenger trip is defined as the number of passengers who board public transportation vehicles. Passengers are counted each time they board vehicles no matter how many vehicles they use to travel from their origin to their destination. [3] Pub. L. No. 110-53, 121 Stat. 266 (2007). [4] According to TSA's fiscal year 2009 Surface Transportation Security Inspection Program Annual Domestic Inspection and Assessment Plan, a security directive is a mandatory measure or measures issued by TSA in response to a threat assessment or to a specific threat against transportation, requiring affected transportation organizations to implement specified security measures. TSA issued two security directives in May 2004 after terrorists attacked the commuter rail system in Madrid, Spain. The directives mandated passenger rail systems and Amtrak to implement a number of security measures. [5] For the purpose of this report, industry stakeholders include mass transit and passenger rail systems, Amtrak and an industry association. [6] Exec. Order No. 13416, 71 Fed. Reg. 71033 (Dec. 5, 2006). [7] GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3, 2004). [8] DHS S&T was established by the Homeland Security Act of 2002 to, among other things, coordinate the federal government's civilian efforts to identify and develop countermeasures to emerging terrorist threats to the United States. As DHS's primary research and development arm, DHS S&T is tasked with providing federal, state, local, and tribal officials with state of the art technology and other resources. [9] Ridership data reported by the American Public Transportation Association for 2008. [10] The Alaska Railroad Corporation also operates intercity passenger rail service. Amtrak's ridership data comes from the 2007 Amtrak Environmental Health and Safety Report, which is the most recently available data. [11] An IED, or "homemade bomb," is typically constructed of commonly available materials, and can be carried by an individual or deposited in an unnoticed location for detonation by a timer or remote control. [12] Pub. L. No. 107-71, 115 Stat. 597 (2001). A mode of transportation refers to the different means that are used to transport people or cargo. [13] Pub. L. No. 107-296, 116 Stat. 2135 (2002). [14] The 18 industry sectors include agriculture and food, banking and finance, chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, government facilities, information technology, national monuments and icons, nuclear, postal and shipping, public health and healthcare, transportation, and water. [15] On November 26, 2008, TSA published a final rule that included some of the provisions in the security directives, including requirements for passenger rail systems to appoint a security coordinator and report potential threats and significant security concerns to TSA. 73 Fed. Reg. 72130 (Nov. 26, 2008). [16] Through 49 C.F.R. pt. 659, FTA requires states to designate an agency to conduct tri-annual safety and security audits of the nation's light or heavy rail systems. These agencies are called state safety oversight agencies. [17] According to FRA, the regulation makes clear that an "emergency" includes a security-related situation. Each plan must address employee training and qualification, and provide for training and coordination with emergency responders. Also, each covered railroad must conduct full-scale passenger train emergency simulations in order to determine its capability to execute the emergency preparedness plan. [18] The 9/11 Commission was one of the congressionally chartered commissions established by Congress on November 27, 2002 to (1) investigate the relevant facts and circumstances relating to the terrorist attacks of September 11, 2001; (2) identify, review, and evaluate lessons learned from these attacks; and (3) report to the President and the Congress on findings, conclusions, and recommendations that generated from the investigation and review. [19] GAO, Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts, [hyperlink, http://www.gao.gov/products/GAO-05-851] (Washington, D.C.: September 2005). [20] Sector-specific agencies (SSA) refer to the federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category. [21] DHS serves as the sector-specific agency for 11 of the18 sectors: information technology; communications; transportation systems; chemical; emergency services; nuclear reactors, material, and waste; postal and shipping; dams; government facilities; and commercial facilities; and critical manufacturing. Other sector-specific agencies such as the departments of Agriculture, Defense, Energy, Health and Human Services, the Interior, the Treasury, and the Environmental Protection Agency are responsible for the other 7 sectors: agriculture and food; defense industrial base; energy; healthcare and public health; national monuments and icons; banking and finance; and water. See GAO, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Improve, [hyperlink, http://www.gao.gov/products/GAO-07-706R] (Washington D.C.: July 10, 2007). [22] The NSTS, mandated in the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), outlines the federal government approach--in partnership with state, local, and tribal governments and private industry--to secure the U.S. transportation system from terrorist threats and attacks. [23] DHS updated its NIPP in 2009. [24] Critical infrastructure are systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters. Key resources are publicly or privately controlled resources essential to minimal operations of the economy or government, including individual targets whose destruction would not endanger vital systems but could create a local disaster or profoundly damage the nation's morale or confidence. [25] [hyperlink, http://www.gao.gov/products/GAO-04-408T] and Exec. Order No. 13416, 71 Fed. Reg. 71033 (Dec. 5, 2006). [26] See [hyperlink, http://www.gao.gov/products/GAO-05-851]. [27] Security and Emergency Management Action Items consist of 17 action items developed by TSA and FTA which address current security threats and risks that confront transit agencies, with particular emphasis on priority areas where gaps need to be closed in security and emergency preparedness programs. Also, see appendix II for a list of these 17 action items. [28] The TSGP provides grant funding to the nation's key high-threat urban areas to enhance security measures for their critical transit infrastructure including bus, ferry and rail systems. For more information on the TSGP, please see GAO, Transit Security Grant Program: DHS Allocates Grants Based on Risk, but its Risk Methodology, Management Controls, and Grant Oversight Can Be Strengthened, GAO-09- 491 (Washington, D.C., June 8, 2009). [29] GAO, Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocations, [hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C., Mar. 27, 2009). [30] [hyperlink, http://www.gao.gov/products/GAO-09-492]. [31] In addition to the U.S. Coast Guard and FEMA, DHS's Office of Science and Technology has conducted the following risk assessments using traditional methodologies: a Biological Threat Risk Assessment and an Integrated Chemical, Biological, Radiological, and Nuclear Terrorism Risk Assessment. [32] According to officials from the Intelligence Coordination Center, they use intelligence to quantify each sub-element within capability, intent, and presence. For example, presence is composed of two sub- elements--the number of known or suspected extremists and the number of areas of potential support or permissive environments--which are quantified and weighted within the overall threat model. This threat assessment is combined with assessments of vulnerability and consequence to produce MSRAM's risk assessment. [33] See GAO, Homeland Security: DHS Risk-Based Grant Methodology Is Reasonable, But Current Version's Measure of Vulnerability is Limited, [hyperlink, http://www.gao.gov/products/GAO-08-852] (Washington, D.C.: June 27, 2008). [34] See [hyperlink, http://www.gao.gov/products/GAO-08-852]. According to DHS officials, the agency's Office of Intelligence and Analysis (I&A) calculated the Threat Index by (1) collecting qualitative threat information with a nexus to international terrorism, (2) analyzing the threat information to create threat assessments for states and urban areas, (3) empaneling intelligence experts to review the threat assessments and reach consensus as to the number of threat tiers, and (4) assigning threat scores. This process, according to DHS officials, relied upon analytical judgment and interaction with the Intelligence Community, as opposed to the use of total counts of threats and suspicious incidents to calculate the Threat Index for the 2006 grant cycle. The final threat assessments are approved by the intelligence community--the Federal Bureau of Investigation, Central Intelligence Agency, National Counterterrorism Center, and the Defense Intelligence Agency--along with the DHS Under Secretary for Intelligence and Analysis and the Secretary of DHS, according to DHS officials. [35] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [36] The sixth characteristic is "Problem Definition and Risk Assessment," which addresses the particular national problems and threats the strategy is directed toward. However, because we provided details earlier in our report in the section on risk assessment, we do not address this characteristic in this section of our report. [37] This information helps answer the fundamental question about who is in charge, not only during times of crisis, but also during all phases of homeland security and combating terrorism including prevention, vulnerability reduction, and response and recovery. This entails identifying the specific federal entities involved and, where appropriate, the different levels of government or stakeholders, such as state and local governments and private entities. In our past work, we found that a successful strategy clarifies implementing organizations' relationships in terms of leading, supporting, and partnering. In addition, a strategy could describe the organizations that will provide the overall framework for accountability and oversight. Furthermore, a strategy might identify specific processes for collaboration between sectors and organizations--and address how any conflicts would be resolved. [38] GAO, Coast Guard: Non-Homeland Security Performance Measures Are Generally Sound, but Opportunities for Improvement Exist, [hyperlink, http://www.gao.gov/products/GAO-06-816] (Washington, D.C.: Aug. 16, 2006). [39] According to TSA's fiscal year 2009 Regulatory Inspection Plan, this measure demonstrates the efficiency of inspection activities by quantifying the number of completed mass transit and freight rail inspections. For mass transit and passenger rail, this includes BASE reviews and station profiles, and for freight rail, this includes Security Action Item Reviews. [40] Since late 2005, TSA has reported deploying Visible Intermodal Prevention and Response (VIPR) teams consisting of various TSA personnel to augment the security of mass transit and passenger rail systems and promote the visibility of TSA. Working alongside local security and law enforcement officials, VIPR teams conduct a variety of security tactics to introduce unpredictability and deter potential terrorist actions, including random high visibility patrols at mass transit and passenger rail stations and conducting passenger and baggage screening operations using specially trained behavior detection officers and a varying combination of explosive detection canine teams and explosives detection technology. [41] Another key action TSA has taken to strengthen mass transit and passenger rail security since 2004 has been providing grant funding through the Transit Security Grant Program (TSGP). We reported on DHS's administration of the grant program in [hyperlink, http://www.gao.gov/products/GAO-09-491]. [42] From August 2006 to February 2009, TSA reported conducting BASE reviews of 82 of the top 100 largest mass transit and passenger rail systems. As of February 2009, five transit agencies had declined TSA's request to participate in the reviews. [43] Through the Employee Awareness Poster Program, TSA partners with mass transit and passenger rail agencies to produce tailored posters specifically focused on transit employee security awareness. TSA develops a common theme, transit agencies provide graphics, logos, and quotations, and TSA tailors the posters for use by the transit agencies. [44] On May 20, 2004, TSA issued Transportation Security Directives RAILPAX 04-01: Threat to Passenger Rail Systems and RAILPAX 04-02: Threat to Passenger Rail Systems--National Railroad Corporation (Amtrak) and Alaska Rail Road Corporation. As of March 2009, these directives remained in place. However, senior TSA Headquarters officials told us that since 2006, as a matter of policy, TSA had chosen not to enforce industry compliance with the directives, and instead used the security directives as a tool to communicate general security priorities. TSA officials attributed their decision not to enforce the directives to passenger rail industry concerns regarding the impracticality of implementing some of the measures, the ambiguity of the directives, and the lack of industry input in developing and issuing the directives. Of the 30 systems which we included in our study, 25 systems operated passenger rail services and were subject to implementing the security directives. [45] In fiscal year 2007, TSA reported conducting BASE reviews of 53 mass transit and passenger rail systems, including 44 that were ranked in the top 50 in the nation based on ridership. TSA's BASE review report assessed the status of these 53 systems in implementing the 17 TSA/FTA Security and Emergency Management Action Items. [46] According to the 9/11 Commission Act, frontline transit employees include an employee of a public transportation agency who is a transit vehicle driver or operator; dispatcher; maintenance and maintenance support employee; station attendant,; customer service employee; security employee; or transit police or any other employee who has direct contact with riders on a regular basis, and any other employee of a public transportation agency that the Secretary determines should receive training. Pub. L. No. 110-53, § 1402(4), 121 Stat. 266, 401 (2007). [47] Rail transit agencies include either (1) those which operate passenger rail systems only or (2) a combination of both passenger rail and bus transit systems. [48] TSA conducts this work through the Surface Transportation Technology Program, established in fiscal year 2007. It conducts this work to assess potential technologies for addition to the Transit Security Grant Program guidance, to gain a better understanding of emerging technologies, to evaluate technologies in the mass transit environment, and to provide test results and lessons learned to mass transit and passenger rail authorities. [49] To carry out this process, DHS S&T brings together agency representatives into Integrated Product Teams (IPTs) to collaboratively set research and spending priorities to the individual project level. The IPTs do not include technology end-users--such as transit bus and rail system security operators--because DHS has assumed that its component agencies would represent end-user interests. [50] GAO, Transportation Security R&D: TSA and DHS Are Researching and Developing Technologies, but Need to Improve R&D Management, [hyperlink, http://www.gao.gov/products/GAO-04-890] (Washington D.C.: Sept. 30, 2004). [51] There are two working groups comprised of federal, industry, and other stakeholders for transportation security research and development. The Mass Transit Sector Coordinating Council (SCC) Security Technology Working Group is led by the American Public Transportation Association (APTA). This group provides recommendations to federal stakeholders in the area of security technology R&D. The Transportation Systems - Sector Specific Plan Research and Development Working Group meets on a monthly basis and is working on ways to harmonize the R&D efforts for critical infrastructure in all transportation sectors by identifying currently available technology and facilitating common definitions and standards, among other activities. [52] [hyperlink, http://www.gao.gov/products/GAO-04-890]. [53] In September 2005, we recommended that DHS and TSA consider establishing an online clearinghouse of information on security-related products, such as closed circuit television cameras or intrusion detection systems.In December 2002, we also reported that the federal government should play a greater role in testing transportation security technology and making this information available to industry stakeholders. See [hyperlink, http://www.gao.gov/products/GAO-05-851] and GAO, Mass Transit: Federal Action Could Help Transit Agencies Address Security Challenges, [hyperlink, http://www.gao.gov/products/GAO-03-263], (Washington D.C.: Dec. 13, 2002). [54] VIPR teams consist of varying sizes and composition of TSA personnel and other federal, state, or local assets. TSA has designated Federal Air Marshals (FAMs)--the primary law enforcement entity within TSA, whose primary mission is protecting air passengers and crew--as the lead for coordinating VIPR operations. Other VIPR personnel may include Surface and Aviation Transportation Security Inspectors, explosive detection canine teams, and behavioral detection officers-- personnel trained to screen for high-risk individuals based on involuntary physical or psychological behavior. [55] TSA program officials reported that historically TSA has not tracked statistics regarding whether VIPR deployments were driven by specific intelligence, versus being random, broadly risk-based, or special event driven. However, program officials stated that there have been few instances when TSA deployed VIPR teams to mass transit and passenger rail on the basis of specific threat information. In February 2009, TSA officials reported that they had amended the VIPR database to track the reasons for future VIPR deployments. [56] TSA's Concept of Operations for the Effective Employment of VIPR teams in Mass Transit and Passenger Rail lays out guidelines for ten core components that are the foundation for effectively collaborating on VIPR programs, including: (1) coordination; (2) mission focus; (3) active deterrence; (4) planning; (5) force composition; (6) consistency; (7) training; (8) communications; (9) authority; and (10) continuous improvement. [57] Department of Homeland Security Inspector General, TSA's Administration and Coordination of Mass Transit Security Programs (June 12, 2008). [58] In addition, TSA reported it was developing a VIPR tool kit concept to be distributed to mass transit systems and TSA field staff, which will contain an educational DVD explaining the potential security value of VIPR operations. The tool kit is projected for completion by June 2009, with initial distribution at the mid-year Transit Safety and Security Roundtable. [59] According to TSA's program guidance for the Mass Transit Security Training Program, only underground or underwater tunnel infrastructure rank as high as security training among its security priorities. [60] According to the TSA guidance, federally sponsored training providers are FTA-funded training providers including the National Transit Institute (NTI), the Transportation Safety Institute (TSI), and Johns Hopkins University (JHU). [61] According to the guidance, DHS must review transit agency applications for non-federally sponsored or funded training venders and discern the extent to which each vendor it reviews will provide training programs whose curriculum and delivery services generally equal or exceed the performance of those provided by federally sponsored training providers. [62] U.S. Department of Transportation, Federal Transit Administration, Curriculum Development Guidelines: Final Draft (2009). [63] GAO, A Guide For Assessing Strategic Training and Development Efforts, [hyperlink, http://www.gao.gov/products/GAO-04-546G] (Washington D.C: March 2004). [64] GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington D.C: Oct. 21, 2005). [65] Project Management Institute, The Standard for Program Management (Newton Square, PA, 2006). [66] TSA reported that the pending regulations required by the 9/11 Commission Act requiring transit agencies to issue security plans would supersede the existing security directives. [67] We interviewed 11 of 12 AFSD-S that, as of February 2009, TSA has deployed nationwide to lead area inspection offices. At the time, two AFSD-S shared duties in the New York field office and were interviewed together. [68] TSA's fiscal year 2009 Regulatory Activities Plan for Transportation Surface Inspectors requires surface inspectors to split their assessment workload between mass transit and passenger rail and freight, with a minimum of about 60 percent of their time dedicated to freight and 40 percent to mass transit and passenger rail. [69] From fiscal year 2005 though fiscal year 2007, the Surface Transportation Security Inspection Program was authorized at 100 full- time employees and in June 2008 reported a staffing level of 93 positions. The 9/11 Commission Act authorized DHS to increase its number of surface transportation security inspectors for fiscal years 2008 through 2011 to a maximum of 200 positions. In February 2009, TSA reported that it had completed hiring for 58 of the 75 surface inspector positions that had been appropriated in fiscal year 2008, but had not filled the remaining positions because of contractor hiring challenges. [70] On November 26, 2008, TSA issued a final rule for freight rail and passenger rail that establishes security requirements on freight and passenger rail carriers, including designating a rail security coordinator and reporting significant security concerns, and codifies TSA's authority to conduct security inspections of passenger rail agency property. [71] The DHS Inspector General has issued two recent reports on TSA's mass transit security programs. These include Department of Homeland Security Office of the Inspector General, TSA's Administration and Coordination of Mass Transit Security Programs, OIG-08-66 (June 12, 2008) and Department of Homeland Security Office of the Inspector General, Effectiveness of TSA's Surface Transportation Security Inspector, OIG-09-24, (Feb. 5, 2009). [72] GAO, Key Principles for Effective Strategic Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] (Washington D.C.: Dec. 11, 2003). [73] GAO, Aviation Security: Aviation Security: Status of Transportation Security Inspector Workforce. [hyperlink, http://www.gao.gov/products/GAO-09-123R] (Washington, D.C.: Feb. 6, 2009). [74] In fiscal year 2008, TSA reported that it had deployed a total of 1224 inspectors into the aviation and surface modes, 1131 of whom were aviation inspectors. [75] TSA's Surface Transportation Security Inspection Program strategic plan for fiscal year 2008 notes that the program expects to expand its roles and responsibilities to enforce compliance with future mass transit and passenger rail regulations and notes challenges in meeting its current responsibilities because of resource limitations. [76] OIG-09-24 and OIG-08-66. [77] GAO and DHS reports on risk assessment include, but are not limited to, GAO, Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts [hyperlink, http://www.gao.gov/products/GAO-05-851] (Washington, D.C.: September 2005) and the DHS National Infrastructure Protection Plan (NIPP). [78] We did not did not review four after actions report files because they could not be opened or TSA did not provide a report that was associated with the operation on TSA's original list. [79] We visited or conducted phone interviews with Surface Transportation Security Inspectors in each location where we visited a mass transit or passenger rail system and TSA had maintained a field office for the inspectors. [80] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [81] In this report we discuss resources and investments; risk assessment; developing goals, subordinate objectives, activities, and performance measures; and identifying organizational roles, responsibilities, and coordination. [82] These sector goals are: 1) prevent and deter acts of terrorism using or against the transportation system; 2) enhance the resiliency of the U.S. transportation system; and 3) improve the cost-effective use of resources for transportation security. [83] These incidents include, but are not limited to the September 11, 2001, attacks on the World Trade Center and the Pentagon, coordinated attacks on four commuter trains in Madrid in 2004, and attacks on transportation targets in the 2005 London bombings and the 2006 train bombings in Mumbai. [84] The National Strategy for Transportation Security, required by section 4001 of the Intelligence Reform and Terrorism Prevention Act of 2004 outlines the federal government approach--in partnership with state, local and tribal governments and private industry--to secure the U.S. transportation system from terrorist threats and attacks. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: