This is the accessible text file for GAO report number GAO-11-207 entitled 'Maritime Security: Ferry Security Measures Have Been Implemented, but Evaluating Existing Studies Could Further Enhance Security' which was released on December 6, 2010.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to the Chairman, Committee on Homeland Security, House of Representatives:

December 2010:

Maritime Security:

Ferry Security Measures Have Been Implemented, but Evaluating Existing Studies Could Further Enhance Security:

GAO-11-207:

GAO Highlights:

Highlights of GAO-11-207, a report to the Chairman, Committee on Homeland Security, House of Representatives.

Why GAO Did This Study:

Ferries are a vital component of the U.S. transportation system and 2008 data show that U.S.
ferries carried more than 82 million passengers and over 25 million vehicles. Ferries are also potential targets for terrorism in the United States and have been terrorist targets overseas. GAO was asked to review ferry security, and this report addresses the extent to which (1) the Coast Guard, the lead federal agency for maritime security, assessed risk in accordance with the Department of Homeland Security’s (DHS) guidance and what risks it identified; and (2) federal agencies, ferry and facility operators, and law enforcement entities have taken actions to protect ferries and their facilities. GAO reviewed relevant requirements, analyzed 2006 through 2009 security operations data, interviewed federal and industry officials, and made observations at five domestic and one international locations with varying passenger volumes and relative risk profiles. Site visits provided information on security, but were not projectable to all ports. This is the public version of a sensitive report that GAO issued in October 2010. Information that DHS deemed sensitive has been redacted.

What GAO Found:

The Coast Guard assessed the risk—including threats, vulnerabilities, and consequences—to ferries in accordance with DHS guidance on risk assessment and, along with other maritime stakeholders, identified risks associated with explosive devices, among other things. Although in April 2010, Coast Guard intelligence officials stated that there have been no credible terrorist threats identified against ferries and their facilities in at least the last 12 months, maritime intelligence officials have identified the presence of terrorist groups with the capability of attacking a ferry. Many of the Coast Guard, ferry system and law enforcement officials GAO spoke with generally believe ferries are vulnerable to passenger- or vehicle-borne improvised explosive devices, although not all ferry systems transport vehicles.
The Coast Guard has also identified the potential consequences of an attack, which could include possible loss of life and negative economic effects. In April 2010, Coast Guard officials stated that the relative risk to ferries is increasing, as evidenced by attacks against land-based mass transit and other targets overseas.

Federal agencies—including the Coast Guard, the Transportation Security Administration (TSA), and Customs and Border Protection (CBP)—ferry operators, and law enforcement entities report that they have taken various actions to enhance the security of ferries and facilities and have implemented related laws, regulations, and guidance, but the Coast Guard may be missing opportunities to enhance ferry security. Security measures taken by the Coast Guard have included providing a security presence on ferries during transit. Coast Guard officials also reported that they are revising regulations to improve ferry operator training and developing guidance on screening. Ferry operators’ security actions have included developing and implementing security plans and screening vehicles and passengers, among other things. However, the Coast Guard had not evaluated and, if determined warranted, acted on all findings and recommendations resulting from five agency-contracted studies on ferry security completed in 2005 and 2006. Reports from these studies included several recommendations for standardizing and enhancing screening across ferry operators. Standards for internal control in the federal government state that agencies should ensure that findings of audits and other reviews are promptly resolved, and that managers take action to evaluate and resolve matters identified in these audits and reviews. As a result of our work on ferry security, in August 2010, Coast Guard officials stated they planned to review the reports.
Taking action to address the recommendations in these reports, if determined warranted by the Coast Guard’s evaluation, could enhance ferry security. Furthermore, Coast Guard documents from 2004 state that the agency should reassess vehicle screening requirements pending the completion of the ferry security reports or if the threat changes. However, no specific plans were in place to reassess these requirements. By taking action to reassess its screening requirements, the agency would be better positioned to determine if changes are warranted.

What GAO Recommends:

GAO recommends that the Commandant of the Coast Guard, after evaluating the completed studies on ferry security, reassess vehicle screening requirements and take further actions to enhance security, if determined warranted. DHS concurred with our recommendations.

View [hyperlink, http://www.gao.gov/products/GAO-11-207] or key components. For more information, contact Stephen L. Caldwell at (202) 512-9610 or caldwells@gao.gov.

[End of section]

Contents:

Letter:

Background:

The Coast Guard Assessed Risk to Ferries and Their Facilities in Accordance with DHS's Risk Assessment Guidance and Security Concerns Exist:

Stakeholders Have Implemented Ferry Security Measures, but the Coast Guard Has Not Acted on Other Identified Opportunities That May Enhance Security:

Conclusions:

Recommendations for Executive Action:

Agency Comments:

Appendix I: GAO Contact and Staff Acknowledgments:

Related GAO Products:

Tables:

Table 1: Selected Stakeholders with Security Responsibilities Applicable to Ferries:

Table 2: Key Security Requirements Applicable to Ferries and Ferry Facilities:

Figures:

Figure 1: 2008 National Census Data on States with Ferry Systems Operating High Capacity Passenger Ferries and the Number of Passengers and Vehicles Carried:

Figure 2: Coast Guard Escorts of Ferries:

Figure 3: TSA Testing of a Vehicle Screening Technology:

Figure 4: Security Signage Posted at a Ferry Facility:

Figure 5: Security Deficiencies by Vessel Type, 2006 through 2009:

Figure 6: Security Deficiencies by Facility Type, 2006 through 2009:

Abbreviations:

CBP: Customs and Border Protection:
DHS: Department of Homeland Security:
ISPS: International Ship and Port Facility Security:
MTSA: Maritime Transportation Security Act of 2002:
SAFE Port Act: Security and Accountability for Every Port Act of 2006:
TSA: Transportation Security Administration:
VIPR: Visible Intermodal Prevention and Response:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

December 3, 2010:

The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:

Dear Mr. Chairman:

Ferries are an important component of the U.S. transportation system, and according to respondents to the 2008 National Census of Ferry Operators, carried more than 82 million passengers and over 25 million vehicles.[Footnote 1] Ferries are also potential targets for terrorism in the United States and have been terrorist targets overseas. A 2005 Coast Guard study stated that as part of the U.S. maritime transportation system, ferry operations are potential terrorist targets, and according to a 2006 RAND Corporation study, certain traits inherent to ferries make them especially attractive to terrorist aggression.[Footnote 2] For example, the RAND study reported that attacks on ferries are easy to execute, have the potential to kill many people, are likely to capture significant media attention, and can be exploited to visibly demonstrate a terrorist group's salience and vibrancy. While these fears have not been realized in the United States, ferries and their facilities in the Philippines have repeatedly been targeted by terrorists. For example, successful bombings on Philippine ferries killed or wounded at least 130 people in 2004 and 2005. Attacks on ferries and their facilities have continued, and in 2009 there were three more attempted bombings in the Philippines.
These attacks led the Transportation Security Administration (TSA)--the lead U.S. federal agency for transportation security--to report in 2009 that violent extremists around the Philippines have the intent and capability to attack ferries or use them as a means of conveyance to transport materials. Coast Guard and Navy intelligence officials also stated that the overall risk to ferries may be increasing given the attempts in the Philippines and the attacks against land-based mass transit and other soft targets overseas. Although not caused by a terrorist attack, one of the greatest maritime disasters ever occurred in the Philippines in 1987 when an overloaded ferry collided with a tanker and an estimated 4,300 people died. Although the circumstances of this ferry sinking may be different than those faced by ferries in the United States, they illustrate that an attack on a crowded ferry could have dire consequences.

The U.S. Coast Guard, a component of the Department of Homeland Security (DHS), is the lead federal agency responsible for a wide array of maritime safety and security activities, including those involving ferries and their facilities under the Maritime Transportation Security Act of 2002 (MTSA).[Footnote 3] This report is the second of two reviewing the security of high capacity passenger vessels--vessels capable of carrying 500 or more passengers. The first report focused on cruise ship and cruise ship facility security and was issued in April 2010.[Footnote 4] The report found that while governmental agencies, cruise ship operators, and other maritime security stakeholders have taken significant steps to protect against a possible terrorist attack, the U.S. Customs and Border Protection (CBP)--the federal agency primarily responsible for border security--should consider obtaining additional information about cruise ship passengers to enhance its screening process.
This report focuses on the security issues of high capacity passenger ferries and their facilities.[Footnote 5] While we limited our review to ferry systems that operate larger, high capacity passenger ferries, these systems often also operate smaller ferries, and according to Coast Guard officials, smaller ferries face similar security concerns.

You requested that we identify risks associated with ferries and their facilities and the measures being taken to protect them.[Footnote 6] Specifically, this report responds to the following questions:

* To what extent has the U.S. Coast Guard assessed risk related to high capacity passenger ferries and their facilities in accordance with DHS's guidance, and what are the identified risks?

* To what extent have maritime security stakeholders taken actions to mitigate the potential risks to high capacity passenger ferries and their facilities, and to implement applicable federal laws, regulations, and guidance; and what additional actions, if any, could enhance ferry security?

This is the public version of the report we issued in October 2010 that contained information related to risks to high capacity passenger ferries and efforts made to secure these ferries from terrorist attacks. DHS deemed specific details of ferries, the risks to ferries, and methods used by the Coast Guard and others to secure ferries to be sensitive security information, which must be protected from public disclosure. Therefore, this report omits those details. Although information provided in this report is more limited in scope, it addresses the same questions as the previously issued report. Also, the overall methodology used for both reports is the same. The conclusions and recommendations contained in our October 2010 version of this report remain generally unchanged.
To determine the extent to which the Coast Guard assessed the risks to ferries and their facilities in accordance with DHS's guidance, and to identify the risks associated with ferries and their facilities, we reviewed relevant federal guidance on the use of risk management, including DHS's National Infrastructure Protection Plan.[Footnote 7] We also reviewed documents describing the methodology and use of the Coast Guard's primary risk assessment tool--the Maritime Security Risk Analysis Model. We analyzed the elements of the Coast Guard's risk analysis model process and compared it to criteria from two components--risk assessment and prioritization--of the National Infrastructure Protection Plan, the document that articulates the risk management framework for DHS. We also analyzed the nationwide results for 2009 of the risk analysis model to determine the relative risks facing ferries and their facilities. In addition, we interviewed Coast Guard headquarters personnel responsible for the risk analysis model and Coast Guard Sector personnel responsible at the local level to discuss the relative risks in their areas of responsibility.[Footnote 8] In addition, we interviewed Coast Guard and U.S. Navy intelligence personnel actively engaged in determining possible threats to ferries and their facilities. We also interviewed Coast Guard, CBP, and U.S. Park Police officials, as well as personnel from seven nonfederal law enforcement agencies. The Coast Guard and CBP officials were those responsible for ferry and ferry facility security at both the national level and at the locations where we made site visits. Similarly, the law enforcement personnel we met with represented jurisdictions covered in our site visits where they provided security for ferries and their facilities. We made these visits to a nonprobability sample of five domestic locations. 
Ferry operations at these locations are overseen by five Coast Guard Sectors.[Footnote 9] We selected these locations based on the number of passengers carried by the ferry systems operating in these locations and the relative risk associated with the ferry systems. We also selected locations that had domestic and international ferries. While the information we obtained from personnel at these locations cannot be generalized across all U.S. ferry systems, it provided us with a perspective on the risks to ferries and their facilities at the selected locations. While their views may not represent the views of all high capacity passenger ferry operators, these ferry systems represented about 70 percent of passengers and about 80 percent of vehicles carried by U.S. ferry operators that in 2008 reported that they had vessels in service capable of carrying 500 or more passengers.

To determine the extent to which maritime security stakeholders--including federal agencies, ferry and ferry facility operators, and law enforcement agencies--have taken actions to mitigate the potential risks to ferries and their facilities and to implement applicable federal laws, regulations, and guidance, we reviewed relevant federal legislation, regulations, and guidance. These included pertinent provisions of MTSA, as amended, including the Security and Accountability For Every Port Act of 2006 (SAFE Port Act) amendments to MTSA; implementing regulations--such as 33 CFR Parts 101, 102, 103, 104, and 105; the Coast Guard's Operation Neptune Shield operations order; Navigation and Vessel Inspection Circulars; and Maritime Security Directives, respectively. We analyzed data on the Coast Guard's security performance in meeting internal standards established for Operation Neptune Shield during 2009, and on ferry and ferry facility operators' security performance in meeting requirements identified in Coast Guard regulations from 2006 to 2009.
We found these data to be sufficiently reliable for the purpose of providing contextual or background information. To make this determination we conducted interviews with knowledgeable agency officials and performed data testing for missing data, outliers, and obvious errors. We also interviewed federal officials from various agencies, including the Coast Guard, CBP, and U.S. Park Police to discuss their actions to reduce risks to ferries and their facilities. We observed security activities and interviewed law enforcement personnel from seven nonfederal police departments responsible for protecting ferries and their facilities from terrorist attacks at the domestic locations we visited. As part of our observations of security measures, we traveled aboard international and domestic ferries at these locations. While our observations at these locations cannot be generalized across all U.S. ports, they provided us with a general overview and perspective on ferry and ferry facility security at the selected locations. We also made a site visit to one foreign location where a major high capacity ferry system operated to observe possible security actions other than those used in the United States. Although this location does not represent all international locations with high capacity passenger ferry operators, we selected this location because Coast Guard officials stated that this ferry system was similar to one of the larger systems in the United States and would serve as a good comparison to U.S. ferry systems.

We also reviewed three Coast Guard-funded reports issued in 2005 and 2006 on ferry security to determine what actions the reports recommended that the Coast Guard take to help ensure ferry security. We interviewed Coast Guard officials to determine what actions had been taken in response to these reports. We also reviewed the scope and methodology for these reports and determined they were sufficient for us to rely on for the purposes of this report.
We conducted this performance audit from January 2009 to December 2010 in accordance with generally accepted government auditing standards.[Footnote 10] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Ferries Transport Passengers and Vehicles:

According to the 190 ferry operators responding to the 2008 National Census of Ferry Operators, more than 82 million passengers and over 25 million vehicles were carried on their vessels in the United States.[Footnote 11] As reported in 2008, the ferry systems that carried the most passengers and vehicles in 2008 were the New York City Department of Transportation Ferry Division (Staten Island Ferry) which carried 19 million passengers, but no vehicles, and the Washington State Ferries that carried over 13 million passengers and almost 11 million vehicles. In addition, California, Louisiana, Massachusetts, New Jersey, North Carolina, Ohio, Texas, and Virginia all had ferry systems that carried over 1 million passengers. See figure 1 for a map identifying the states where ferry systems operate vessels that can carry 500 or more passengers, as well as the number of passengers and vehicles carried by these systems. In addition to the ferries that operate solely inside the United States, CBP identified 28 ferries that sailed in 2009 to the United States from a port in Canada, Mexico, the British Virgin Islands, or the Dominican Republic.

Figure 1: 2008 National Census Data on States with Ferry Systems Operating High Capacity Passenger Ferries and the Number of Passengers and Vehicles Carried:

[Refer to PDF for image: illustrated U.S. map]

Depicted on the map are the states with ferry systems along with symbols indicating the number of passengers and vehicles carried in 2008:

Symbol scale: 100,000; 1,000,000; 5,000,000; 15,000,000; 20,000,000.

States:
California: approximately 5,000,000 passengers;
Connecticut: approximately 1,000,000 passengers and 100,000 vehicles;
Delaware: approximately 1,000,000 passengers and 100,000 vehicles;
Florida: approximately 100,000 passengers;
Massachusetts: approximately 5,000,000 passengers and 1,000,000 vehicles;
Michigan: approximately 1,000,000 passengers and 100,000 vehicles;
New Jersey: approximately 1,000,000 passengers;
New York: approximately 20,000,000 passengers and 100,000 vehicles;
Ohio: approximately 1,000,000 passengers and 100,000 vehicles;
Texas: approximately 10,000,000 passengers and 5,000,000 vehicles;
Washington: approximately 15,000,000 passengers and 15,000,000 vehicles.

Sources: National Census of Ferry Operators; Map Resources (map).

Note: This graphic is based on data reported by the Bureau of Transportation Statistics in the 2008 National Census of Ferry Operators. These data included self-reported data to the census by the responding ferry systems, along with information obtained from agencies such as the Coast Guard and the Army Corps of Engineers. As reported by the Bureau of Transportation Statistics, data was not available for all questions for all systems. For example, the reported data for one system in Louisiana included that it operated high capacity passenger ferries, but did not include the total number of passengers it carried. That system is not included in figure 1. Of the systems included in the census, data show that 29 operated ferries capable of carrying 500 or more passengers. Twenty-eight of these 29 ferry systems operate in the 11 states highlighted in figure 1 above. No systems reported operating ferries capable of carrying 500 or more passengers in Alaska or Hawaii.
[End of figure]

Many Stakeholders Involved in Securing Ferry Operations:

Numerous organizations play a role in the security of ferries operating in U.S. waters. Table 1 lists selected federal agencies and other stakeholders together with examples of the ferry-related maritime security activities that they conduct.

Table 1: Selected Stakeholders with Security Responsibilities Applicable to Ferries:

International organization:

Stakeholder:
* International Maritime Organization[A];
Selected maritime security-related responsibilities:
* Develop international standards for port and vessel security.

Federal government: Department of Homeland Security:

Stakeholder:
* U.S. Coast Guard;
Selected maritime security-related responsibilities:
* Conduct vessel escorts, boardings of selected vessels, and security patrols of key port areas;
* Ensure vessels in U.S. waters comply with domestic and international maritime security standards;
* Review U.S. vessel and facility security plans and oversee compliance with these plans.

Stakeholder:
* Transportation Security Administration (TSA);
Selected maritime security-related responsibilities:
* Test technologies, practices, and techniques for passenger screening systems in the maritime environment;
* Coordinate with the Coast Guard on security training and surge operations.

Stakeholder:
* U.S. Customs and Border Protection (CBP);
Selected maritime security-related responsibilities:
* Review documentation of persons, baggage, and cargo arriving from foreign ports on international ferries;
* Take action to deny entrance to the United States if concerns about persons, baggage, or cargo exist.

State and local governments:

Stakeholder:
* Law enforcement agencies;
Selected maritime security-related responsibilities:
* Often act as land-based security for ferry operators;
* Support Coast Guard role through water patrols and possibly escort vessels if the agency operates a marine unit.

Stakeholder:
* State and city Departments of Transportation and Port Authorities;
Selected maritime security-related responsibilities:
* Own many ferry systems and thus assume responsibility for ensuring their security by conducting vulnerability assessments and developing and implementing security plans to mitigate vulnerabilities and comply with applicable international and domestic standards;
* Conduct risk-mitigating actions including maintaining secure areas and screening passengers and vehicles.

Private sector:

Stakeholder:
* Private owners or operators;
Selected maritime security-related responsibilities:
* Own or operate many ferry systems and thus assume responsibility for ensuring their security by conducting vulnerability assessments and developing and implementing security plans to mitigate the vulnerabilities and comply with applicable international and domestic standards;
* Conduct risk-mitigating actions including maintaining secure areas and screening passengers and vehicles.

Stakeholder:
* Security contractors;
Selected maritime security-related responsibilities:
* Provide security services at ferry facilities.

Source: GAO.

[A] The International Maritime Organization is a specialized agency of the United Nations with 169 member states that is responsible for developing an international regulatory framework addressing, among other things, maritime safety and security.

[End of table]

Maritime Security Actions Are Guided by a Legal and Regulatory Framework:

International standards and national laws, regulations, and guidance direct federal agencies and vessel and facility operators nationwide in their security efforts (see table 2).
Table 2: Key Security Requirements Applicable to Ferries and Ferry Facilities:

Promulgator: International Maritime Organization;
Law or guidance: International Ship and Port Facility Security (ISPS) Code,[A] as implemented through Chapter XI-2 of the International Convention for the Safety of Life at Sea[B];
Key provisions: Sets out many of the international standards for vessel and port facility security. For example, all covered vessels shall have a designated security officer.

Promulgator: U.S. Federal Government;
Law or guidance: Maritime Transportation Security Act of 2002 (MTSA)[C];
Key provisions: Establishes a maritime security framework including many of the U.S. vessel and port facility security requirements and standards and for Coast Guard enforcement of many of such provisions. One such provision, for example, requires regulated facilities and vessels to have vulnerability assessments.

Promulgator: U.S. Federal Government;
Law or guidance: SAFE Port Act amendments to MTSA (2006)[D];
Key provisions: Sets additional requirements for Coast Guard regulation of port facility security. For example, at least one security inspection to verify the effectiveness of a regulated facility security plan shall be unannounced.

Promulgator: Coast Guard;
Law or guidance: Implementing Regulations (such as 33 C.F.R. Parts 101, 104, and 105);
Key provisions: Based on legislative authority, set specific security requirements for U.S. flagged vessels and port facilities. For example, owners or operators of ferries must ensure that security sweeps of the vessel are performed before getting underway.

Promulgator: Coast Guard;
Law or guidance: Operation Neptune Shield Operations Order;
Key provisions: Sets internal Coast Guard standards for vessel (including ferries) security activities, which include escorts and security boardings--boardings performed to verify that the ship and crew are operating as expected and to act on intelligence that may have prompted security concerns. For example, Coast Guard units are required to escort a certain percentage of high capacity passenger vessels under different Maritime Security threat levels.[E] (Specific percentages are classified.) Operation Neptune Shield activities are based on an understanding of maritime risk and mitigation.

Promulgator: Coast Guard;
Law or guidance: Navigation and Vessel Inspection Circulars;
Key provisions: Provide Coast Guard guidance about the enforcement of, or compliance with, certain federal maritime regulations and Coast Guard maritime safety and security programs. For example, these state how Coast Guard inspectors are to ensure operators' compliance with higher standards for passenger screening and security sweeps on ferries.

Promulgator: Coast Guard;
Law or guidance: Maritime Security Directives;
Key provisions: Set security performance standards for stakeholders responsible for taking security actions commensurate with various Maritime Security threat levels. For example, one standard includes the varying percentages of vehicles to be screened before boarding ferries under different Maritime Security threat levels.

Source: GAO.

[A] IMO Doc. SOLAS/CONF. 5/34 (Dec. 12, 2002).

[B] 32 U.S.T. 47, T.I.A.S. No. 9700.

[C] Pub. L. No. 107-295, 116 Stat. 2064 (2002).

[D] Pub. L. No. 109-347, 120 Stat. 1884 (2006).

[E] Maritime Security threat levels are a three-tiered (Maritime Security Level 1, Maritime Security Level 2, and Maritime Security Level 3) threat warning system to provide a means to easily communicate preplanned scalable responses to increased threat levels. They are set by the Coast Guard, in consultation with DHS, to reflect the prevailing threat environment to the marine elements of the national transportation system, including ports, vessels, facilities, and critical assets and infrastructure located on or adjacent to waters subject to the jurisdiction of the United States.
For the purpose of these requirements, the Coast Guard defines high capacity passenger vessels as those carrying 500 or more passengers.

[End of table]

Risk Management Is Important for Maritime Security:

DHS is required by statute to utilize risk management principles with respect to various DHS functions.[Footnote 12] In 2006, DHS issued the National Infrastructure Protection Plan, which is DHS's base plan that guides how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities in an integrated and coordinated fashion. Updated in 2009, the National Infrastructure Protection Plan requires that federal agencies use relative risk to inform the selection of priorities and the continuous improvement of security strategies and programs to protect people and critical infrastructure by reducing the risk of acts of terrorism. The framework for the plan includes six components: (1) set goals and objectives; (2) identify assets, systems, and networks; (3) assess risk; (4) prioritize; (5) implement programs; and (6) measure effectiveness.

In the assess risk component, the National Infrastructure Protection Plan establishes baseline criteria for conducting risk assessments. According to the National Infrastructure Protection Plan, risk assessments are a qualitative or quantitative determination of the likelihood of an adverse event occurring and are a critical element of the National Infrastructure Protection Plan's risk management framework. Risk assessments can also help decision makers identify and evaluate potential risks so that countermeasures can be designed and implemented to prevent or mitigate the potential effects of the risks. The National Infrastructure Protection Plan also characterizes risk assessment as a function of three elements:

* Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident. In the context of risk associated with a terrorist attack, the estimate of threat is based on the analysis of the intent and the capability of an adversary; in the context of a natural disaster or accident, the likelihood is based on the probability of occurrence.

* Vulnerability: The likelihood that a characteristic of, or flaw in, an asset's, system's, or network's design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation by terrorist or other intentional acts, mechanical failures, and natural hazards.

* Consequence: The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack, natural disaster, or other incident.

Information from the three elements that assess risk--threat, vulnerability, and consequence--can lead to a risk characterization and provide input for prioritizing security goals--the fourth component within the framework. For example, MTSA requires the Coast Guard to prepare Area Maritime Transportation Security Plans for ports around the United States. These plans convey operational and physical security measures, communications procedures, time frames for responding to security threats, and other actions to direct the prevention of and response to a security incident. In its regulations implementing MTSA, the Coast Guard gave primary responsibility for creating the Area Maritime Security Plans to the Captain of the Port, based on the Area Maritime Security Assessment.[Footnote 13] Area Maritime Security Assessments examine the threats and vulnerabilities to activities, operations, and infrastructure critical to a port and the consequences of a successful terrorist attack on the critical activities, operations, and infrastructure at the port.
Under the regulations, such assessments are to be risk-based, and should assess each potential threat and the consequences and vulnerabilities for each combination of targets and attack modes in the area. With the information supplied in the assessment, the Area Maritime Security Plan is to identify, among other things, the operational and physical security measures to be implemented at Maritime Security Level 1 and those that, as risks increase, will enable the area to progress to levels 2 and 3. According to the Coast Guard, procedures and measures conveyed in Area Maritime Security Plans are coordinated, communicated, and implemented by the Captain of the Port with stakeholder communication assistance from Area Maritime Security Committees, using existing agency command and control systems, and when activated, unified incident management structures. The Coast Guard Assessed Risk to Ferries and Their Facilities in Accordance with DHS's Risk Assessment Guidance and Security Concerns Exist: The Coast Guard Adheres to Risk Assessment Guidance from DHS's National Infrastructure Protection Plan: The Coast Guard uses a tool known as the Maritime Security Risk Analysis Model to assess risk to vessels and port infrastructure, including ferries and ferry facilities, in accordance with the guidance from DHS's National Infrastructure Protection Plan. As we reported in April 2010, the Coast Guard uses this analysis tool to help implement its strategy and concentrate maritime security activities when and where relative risk is believed to be the greatest.[Footnote 14] The model assesses the risk--threats, vulnerabilities, and consequences--of a terrorist attack based on different scenarios; that is, it combines potential targets with different means of attack. Examples of a Maritime Security Risk Analysis Model scenario related to ferries include those involving a suicide bomber or a boat attack. 
Taking threats, vulnerabilities, and consequences into consideration is the approach to assessing risk recommended by the National Infrastructure Protection Plan. According to the Coast Guard, the model's underlying methodology is designed to capture the security risk facing different types of targets, allowing comparison between different targets and geographic areas at the local, regional, and national levels. Also in accordance with guidance from the National Infrastructure Protection Plan, the model is designed to support decision making for the Coast Guard. At the national level, the model's results are used for (1) long-term strategic resource planning, (2) identifying capabilities needed to combat future terrorist threats, and (3) identifying the highest-risk scenarios and targets in the maritime domain. At the local level, the Captain of the Port can use the model as a tactical planning tool, and it can help to identify the highest-risk scenarios, allowing the Captain of the Port to prioritize needs and better deploy security assets. As we reported in March 2009, Intelligence Coordination Center officials stated that the Coast Guard uses the model to inform allocation decisions, such as the deployment of local resources and grants.[Footnote 15] Although No Recent Threats Have Been Identified, Stakeholders Reported Security Concerns: Although there have been no recent, credible terrorist threats against ferries and their facilities in the United States, stakeholders expressed concerns about various types of attacks that, if successful, could have significant consequences. Since the characteristics and operations of the ferry systems vary widely, different operations and ferry system components face different levels of threats with different probabilities of occurrence. 
In April 2010, Coast Guard intelligence officials stated that there have been no credible terrorist threats against ferries and their facilities identified in at least the last 12 months, but noted the presence of terrorist groups that have the capability to attack a ferry. Further, the lack of a recent threat does not preclude the possibility of such an incident occurring in the future. As reported both by the Coast Guard and RAND, ferries have been terrorist targets in the past and are considered attractive targets for terrorists. In 2006, the Transportation Research Board reported that the same characteristics that make ferry systems desirable to passengers--the wide extent of service and the popularity of use--also make them potential targets and potential instruments of a terrorist act.[Footnote 16] As we previously reported in 2007, security officials in the U.S. government are concerned about the possibility of a future terrorist attack in a U.S. port.[Footnote 17] For example, captured terrorist training manuals cite ports as targets and instruct trainees to use covert means to obtain surveillance information for use in attack planning. Terrorist leaders have also stated their intent to attack infrastructure targets within the United States, including ports, in an effort to cause physical and economic damage and inflict mass casualties. In April 2010, Coast Guard intelligence officials also stated that they have seen a gradual shift in terrorist tactics and procedures overseas that had been seen in attacks against mass transit and other soft targets--characteristics typically shared with ferry systems as well. Stakeholders Reported Various Security Concerns: Maritime security stakeholders reported various ferry-related security concerns with the greatest concerns being improvised explosive device attacks delivered via vehicles, passengers or small boats. 
Vehicle-borne improvised explosive device concerns, for ferry operations that carry vehicles, included concerns about devices carried in cars and trucks. Our work from February 2009 supports the likely validity of this concern as vehicle-borne improvised explosive devices were the most common tactic used in truck and bus terrorist incidents abroad.[Footnote 18] However, not all ferry systems allow vehicles on board. Coast Guard officials we interviewed expressed concern about passenger-borne improvised explosive devices on ferries as well--such as a passenger carrying a bomb in a backpack. Determining passengers' identities, through admissibility inspections, is one type of action that CBP has taken to help mitigate concerns posed by passengers boarding ferries that originate from Canada.[Footnote 19] Nonetheless, according to CBP officials, CBP personnel do not know a person's identity until he or she arrives at the facility to board. However, Coast Guard officials stated that ferry operators may see the same people over and over again and can become familiar with the regular passengers. Maritime security stakeholders also consider waterborne improvised explosive devices to be a concern for ferries and their facilities. According to the Coast Guard's Strategy for Maritime Safety, Security, and Stewardship, one of the greatest risks associated with maritime scenarios is a direct attack using a waterborne improvised explosive device, and a recurring attack mode has been the use of small boats to carry out an attack. Port security stakeholders we interviewed also reported other ferry-related security concerns--some of which were more port specific. For example, international ferries pose an additional concern by providing a possible transit for terrorists to enter the United States as exemplified by the 1999 millennium bomber, who traveled to the United States on a ferry from Canada and had planned to bomb the Los Angeles International Airport. 
Port security stakeholders reported other security concerns including criminal activity, such as drug or human smuggling, particular to where their ferries transit. A Successful Attack Could Have Significant Consequences: A successful attack on a ferry could affect the ship, its passengers, and the U.S. economy. A successful attack could damage a ferry and the extent of the loss of life would depend on the severity of the attack, according to various studies. A 2006 RAND report stated that scenarios involving significant damage could easily result in several hundred fatalities and the greater the damage, the more likely it would be that the vessel would sink resulting in a higher death toll. A successful terrorist attack on a ferry system may also have an economic impact. Coast Guard officials stated that an attack on a ferry could target a lot of people at one time and shut down port operations, which could ultimately have an economic ripple effect. Coast Guard officials differed in their opinions, however, on whether a ferry attack would likely have a national economic impact or if the economic impact would be more localized, but agreed that it would depend on the scenario. Furthermore, the reaction to an attack on a ferry could also affect the degree of the economic impact. According to the Coast Guard and RAND, ferry transit is largely a substitutable form of transportation for which passengers may opt to use another form of transportation, such as a bridge, following an attack, and, therefore, the economic impact of such an action may not necessarily be significant. However, an attack on a ferry could also result in additional funding spent on enhanced security measures. 
For example, the 2004 attack against the SuperFerry 14 in the Philippines affected perceived terrorist threat contingencies and was a central factor in subsequent decisions to deploy sea marshals on all ships traveling in Philippine waters as well as promulgate heightened surveillance, investigation, arrest, and detention powers for the police and intelligence services. Stakeholders Have Implemented Ferry Security Measures, but the Coast Guard Has Not Acted on Other Identified Opportunities That May Enhance Security: To secure ferries and their facilities, responsible maritime security stakeholders--including the Coast Guard, CBP, and TSA, as well as owners and operators of ferries and their facilities--reported having taken various actions to implement applicable federal maritime laws, regulations, and guidance designed to help ensure the security of ferries and their facilities. The Coast Guard Reports That It Conducts Multiple Types of Security Activities: The Coast Guard seeks to mitigate risks to ferries and their facilities through regulatory and operational activities. The Coast Guard's regulatory activity involves ferry and ferry facility inspections, conducted by inspections teams who monitor compliance with operators' security plans.[Footnote 20] According to Coast Guard officials, the Coast Guard conducts inspections of ferries four times per year: the annual security inspection, which may be combined with a safety inspection and typically occurs when the ferry is out of service, and the quarterly inspections, which are shorter in duration, and generally take place while the ferry remains in service. During calendar years 2006 through 2009, the Coast Guard reported conducting over 1,500 ferry inspections--about 670 of which were for high capacity passenger ferries. 
Coast Guard officials stated that although ferry operators are responsible for scheduling inspections as a condition of their certification, the Coast Guard has a system in place to notify the agency if a ferry's certification has expired so that the Coast Guard may act accordingly. In addition to ferry vessel inspections, the Coast Guard reports that it inspects MTSA-regulated maritime facilities, including ferry facilities, at least two times a year in accordance with SAFE Port Act requirements.[Footnote 21] One of these inspections must be unannounced. The Coast Guard reported conducting between approximately 700 and 850 ferry facility inspections each calendar year for the period 2006 through 2009.[Footnote 22] To track its performance in completing inspections, Coast Guard officials stated they have the ability to create a daily report to inform the Captain of the Port when each facility in his or her area of responsibility is due for an inspection. The report lists all MTSA-regulated facilities, shows the dates on which the Coast Guard performed its last two required inspections, and highlights any facilities that are coming due or are overdue for an inspection. In addition, a quarterly reporting tool was developed for Coast Guard district and headquarters officials to determine if facility inspection requirements were being met. The Coast Guard also reported that it conducts operational activities to secure ferries, including conducting boat escorts of ferries, implementing positive control measures--that is, stationing armed Coast Guard personnel in key locations aboard a vessel to ensure that the operator maintains control--and providing a security presence through various actions. Operation Neptune Shield requires Coast Guard units to escort a certain percentage of high capacity passenger vessels at each maritime security threat level to protect against an external threat, such as a waterborne improvised explosive device. 
[Footnote 23] The requirement is applicable to all types of high capacity passenger vessels--cruise ships, ferries, and excursion vessels--in a Sector's area of responsibility, and is not specific to ferries. According to Coast Guard data, although 16 of 28 Sectors with high capacity passenger vessels operating in their area of responsibility met or exceeded the number of required escorts in calendar year 2009, 12 did not meet their escort requirement.[Footnote 24] However, Coast Guard officials reported that some of the Sectors that did not meet escort requirements may not have had high capacity passenger ferries operating in their area of responsibility, but instead may have had other high capacity passenger vessels, such as cruise ships.[Footnote 25] Moreover, Operation Neptune Shield allows the Captain of the Port the latitude to manage risk and shift resources to other priorities when deemed necessary, for example, when resources are not available to fulfill all missions simultaneously. Officials from one Sector reported that its local law enforcement agency has a large presence in the port, providing a presence on the ferries and protecting security zones. See figure 2 for a depiction of Coast Guard units escorting ferries. Figure 2: Coast Guard Escorts of Ferries: [Refer to PDF for image: 3 photographs] Source: U.S. Coast Guard. [End of figure] In addition to conducting escorts and positive control measures, the Coast Guard provides a security presence through other activities, including patrolling areas in which ferries operate using airborne, waterborne, and shoreside assets. In addition, Coast Guard personnel may board docked ferries for the purpose of providing a security presence once they are in transit. For example, at one location we visited, we accompanied a Coast Guard Vessel Boarding Security Team, which boarded the ferry and rode for two consecutive trips to provide a security presence as part of its regular patrol duties. 
TSA Also Has a Role in Ferry and Ferry Facility Security: TSA supports ferry security by demonstrating a security presence, providing training, and implementing pilot programs involving security technologies. Providing a security presence, TSA's Visible Intermodal Prevention and Response (VIPR) teams are comprised of federal air marshals, surface transportation security inspectors, transportation security officers, behavior detection officers, and explosives detection canine teams. In July 2010, TSA officials reported that they had deployed VIPR teams to ferry systems 319 times since calendar year 2006. Law enforcement officials in one location stated they had participated in one VIPR operation each year from 2007 to 2009. In another location, the Coast Guard Sector cited VIPR operations among other best practices for ensuring the security of high capacity passenger ferries. In addition to its security presence, TSA developed training courses to educate passenger vessel employees on maritime security issues such as crowd control, improvised explosive detection recognition, and hijacking procedures. TSA also provides training through its Intermodal Security Training Exercise Program, which allows maritime security stakeholders to practice security exercises on ferries and provides training on explosive devices. TSA also accepts maritime security stakeholders into its explosive trace detection canine training program.[Footnote 26] Law enforcement officers affiliated with a ferry system we visited reported they were among the first ferry operators to be accepted into the TSA program, which has helped them to integrate four canines into their security operation. TSA also reported that it conducts pilot programs at transportation systems, including ferry systems, through its Security Enhancement and Capabilities Augmentation Program. 
TSA documents state that the program gives TSA the opportunity to network with different ferry operators across the United States, test emerging technologies, and develop strategies that the agency can use to respond to specific threats that arise from new intelligence or major events. TSA officials stated that these pilots help to determine how technologies work in different environments and in large-scale applications, and allow local agencies to try the technologies. According to one ferry operator, as part of their participation in TSA pilot programs, they provided feedback to TSA in response to pilots that have been tested in their respective systems. TSA officials also stated that the agency has visited approximately 12 passenger vessel venues since 2003 to test technologies used in the screening of passengers, baggage, and stores to be loaded on passenger vessels. Although TSA does not track implementation of piloted screening technologies, officials reported that five passenger facility operators, some of which were ferry facility operators, have adopted new technologies as a result of participating in a TSA pilot. See figure 3 for a photographic depiction of a technology used to screen vehicles for explosives that TSA piloted at a ferry system. Figure 3: TSA Testing of a Vehicle Screening Technology: [Refer to PDF for image: photograph] Source: Transportation Security Administration. [End of figure] For International Ferries That Enter U.S. Ports, CBP Carries Out Several Activities: CBP reports that it conducts inspections on international ferries that arrive in, or are bound for a U.S. port, and deploys radiation detection technologies at international ferry crossings. In the United States, CBP inspects passengers, bags, vehicles, and crew that disembark from international ferries. Additionally, CBP officers based in Canada conduct admissibility inspections of U.S.-bound ferry passengers. 
Furthermore, the SAFE Port Act of 2006 required CBP to determine if it could expand its international presence. Specifically, the act required CBP to seek to develop a plan by February 2007 for the inspection of passengers and vehicles before they board a vehicle-carrying ferry bound for the United States.[Footnote 27] In 2009, CBP concluded that such actions would not be feasible, and in a 2009 letter to Congress, listed conditions which would prevent the agency from examining all persons seeking to enter the United States. Finally, CBP uses radiation detectors called portal monitors to screen vehicles inbound from Canada as they disembark in the United States. CBP officials stated that beginning in March 2008, radiation portal monitors were deployed to U.S. facilities that receive ferries inbound from Canada. By October 2009, CBP officials reported that 11 radiation portal monitors had been deployed, and in July 2010, officials reported that 4 additional devices were estimated to be deployed by 2013. Ferry Operators Have Taken Action to Enhance Security and Their Ability to Meet Security Standards Has Been Measured through Inspections: Ferry and ferry facility operators develop and implement security plans. Pursuant to the ISPS Code and its guidance, and Coast Guard's implementing MTSA regulations and guidance, like other regulated vessels and facilities, ferry and ferry facility operators must develop and implement security plans that address, among other things, concerns identified in their security assessments. Security plans must be reviewed and approved by the Coast Guard. Coast Guard officials stated that as part of this process, the Captain of the Port determines whether a plan's security measures address the concerns identified in a ferry or ferry facility's security assessment. 
To address requirements in their security plans, ferry operators we interviewed reported using measures such as establishing a security presence that may be provided by either their own law enforcement branches or state and local law enforcement agencies; conducting security sweeps of the ferries; implementing access controls such as cameras, posting signage advising of security procedures, and installing proximity card door systems; and screening vehicles.[Footnote 28] See figure 4 for a photograph depicting security signage posted at a ferry facility. Figure 4: Security Signage Posted at a Ferry Facility: [Refer to PDF for image: photograph] Sign data: Security Notice: Maritime Security Level: 1: Security measures may include ID checks and screening of persons/belongings/vehicles. Entering this facility is deemed valid consent to ID check/screening/inspection. Failure to consent or submit to ID check/screening/inspection will result in denial or revocation of authorization to enter this facility. Source: GAO. [End of figure] Security methods varied across ferry operations. Ferry systems had a range of methods for providing onboard security, though the frequency and means they used varied across ferry systems. For example, at one ferry system we visited, local law enforcement officers rode on all ferry transits, while another ferry system had state law enforcement officers ride on selected trips. Similarly, all of the ferry systems we visited conducted screening operations to help protect against a passenger- or vehicle-borne improvised explosive device, but their frequency and screening methods also varied across systems. While the Coast Guard sets the minimum screening requirements at each maritime security threat level,[Footnote 29] Coast Guard guidance states that each ferry operator is permitted to enact measures that protect passengers without unduly compromising service to the community. 
Accordingly, operators may select the screening method most appropriate for their respective operation and within their resources, provided the Coast Guard deems the method sufficient to mitigate security risks. On our site visits, we observed variation in screening operations with respect to (a) the frequency of screening, (b) the personnel involved in screening, and (c) the screening methods used. With respect to screening frequency, port security stakeholders with screening responsibilities at five of the six ferry systems we interviewed generally reported that they met the minimum screening requirement set forth by the Coast Guard, and one ferry system reported that it screened all passengers, bags, and crew.[Footnote 30] This operator noted that its screening frequency was determined by the U.S. Park Police because the ferry transits to a national park. According to the U.S. Park Police, this national park is listed as the national icon that receives the greatest number of threats. During our site visits, we also observed one system that did not appear to be screening according to its standards, but we did not determine any failure to meet minimum screening requirements. Ferry and ferry facility operators utilize various personnel in their screening operations. Federal regulations require personnel with specific security responsibilities--such as screening--to have knowledge through training or equivalent job experience in certain areas and require operators to maintain personnel training records. [Footnote 31] Based on our site visits, screening was performed by a variety of personnel in these locations, including ferry crew members, contracted security screeners, and state or local law enforcement. [Footnote 32] Among the ferry systems we visited, canine and manual screening methods were utilized. Additionally, one passenger-only ferry system we visited screened passengers and baggage using walk-through metal detectors and baggage belts. 
According to a Coast Guard report on ferry security, canine screening provides a reliable and proven method for detecting concealed explosives.[Footnote 33] The report also states that canines provide advantages of superior mobility and the ability to follow a scent directly to its source--citing that canines have a higher probability of detection compared to manual, x-ray, and trace detection methods. Finally, the report states that while manual screening is considered a nontechnological screening option, it allows for higher passenger throughput than other screening devices. Screening operations differ by ferry system due to various factors, including system characteristics, state laws, and resource availability. System characteristics like passenger throughput influence the screening method an operator may feasibly implement, as passenger processing rates vary across technologies. For example, two ferry operators we interviewed reported that certain screening technologies would not be able to accommodate their high passenger throughput. Additionally, state provisions, under certain circumstances, may limit the ability of security personnel to perform certain screening methods. For example, state police officers who perform canine screening at one ferry system we visited reported that state case law generally prohibits them from opening a vehicle trunk without the driver's consent or a search warrant. However, when a canine detects a potential threat associated with a vehicle and the driver does not consent to trunk screening, officers notify the ferry captain. Under the ferry system's security procedures, anyone denying such a screening will be prohibited from boarding, preventing a potential risk from boarding the ferry. Furthermore, funding may also pose a limiting factor in designing security operations. 
A 2005 Coast Guard report on ferry screening indicates that costs vary across screening methods, stating that canine screening is over three times more expensive than manual screening. The report also notes that startup programs for two canines and their handlers are estimated to cost $250,000.[Footnote 34] In July 2010, one port security stakeholder we interviewed stated that in addition to training costs, their four canine units cost $160,000 per year. Coast Guard data show that while ferry security deficiency rates varied compared to other vessel types, ferry facility deficiency rates were generally lower compared to other facility types. Of the nearly 700 inspections conducted on high capacity passenger ferries during calendar years 2006 through 2009, the Coast Guard identified 48 deficiencies.[Footnote 35] Officials stated that overall, ferry security deficiencies were generally no more severe than deficiencies cited for cargo vessels and other passenger vessels. As shown in figure 5, among nine vessel types, the relative ranking of security deficiency rates for ferries--including both high capacity and smaller capacity passenger ferries--varied from 2006 to 2009. Figure 5: Security Deficiencies by Vessel Type, 2006 through 2009: [Refer to PDF for image: vertical bar graph] Vessel type: Ferry; Deficiency rate[A]: 2006: 0.29; 2007: 0.29; 2008: 0.13; 2009: 0.32. Vessel type: Cruise ship; Deficiency rate[A]: 2006: 0.11; 2007: 0.33; 2008: 0.08; 2009: 0.09. Vessel type: Excursion tour vessel; Deficiency rate[A]: 2006: 0.7; 2007: 0.28; 2008: 0.39; 2009: 0.89. Vessel type: General dry cargo ship; Deficiency rate[A]: 2006: 0.23; 2007: 0.3; 2008: 0.14; 2009: 0.25. Vessel type: Bulk carrier; Deficiency rate[A]: 2006: 0.08; 2007: 0.21; 2008: 0.05; 2009: 0.02. Vessel type: Tank ship; Deficiency rate[A]: 2006: 0.23; 2007: 0.11; 2008: 0.11; 2009: 0.21. Vessel type: Ro-Ro cargo ship; Deficiency rate[A]: 2006: 0.22; 2007: 0.29; 2008: 0.17; 2009: 0.11. 
Vessel type: Barge; Deficiency rate[A]: 2006: 0.01; 2007: 0.01; 2008: 0.01; 2009: 0.01. Vessel type: Towing vessel; Deficiency rate[A]: 2006: 0.18; 2007: 0.02; 2008: 0.01; 2009: 0.01. Source: U.S. Coast Guard. [A] Within each vessel type, the deficiency rate is the number of deficiencies divided by the number of regulated vessels each year. [End of figure] Coast Guard officials stated that ferry security deficiencies were commonly found in the following areas: security plan audits and amendments; drills and exercises; records and documentation; and access control procedures, including monitoring of secure and restricted areas. Coast Guard officials at agency headquarters reported that operators were particularly responsive to correcting deficiencies, because they understood that deficiencies could lead the Coast Guard to remove a vessel from service and interrupt operations. With regard to ferry facilities, the Coast Guard identified nearly 1,300 deficiencies in conducting a total of nearly 3,200 ferry facility inspections during calendar years 2006 through 2009. According to Coast Guard officials, the majority of the deficiencies were related to (1) operations or management issues, such as the failure of the security officers to properly perform their duties related to required drills or personnel training and (2) documentation issues such as the security officer failing to post security signage, document security responsibilities, drills or training, or submit security plan amendments. Coast Guard officials stated that compared to other types of facilities, ferry facilities tended to have more security requirements yet they generally outperformed other types of facilities in meeting requirements. As shown in figure 6, ferry facilities generally had the lowest deficiency rate compared to eight other facilities during the period 2006 through 2009. 
Figure 6: Security Deficiencies by Facility Type, 2006 through 2009:

[Refer to PDF for image: vertical bar graph]

Facility type: Ferry; Deficiency rate[A]: 2006: 0.61; 2007: 0.86; 2008: 0.65; 2009: 0.84.
Facility type: Cruise Ship; Deficiency rate[A]: 2006: 1.18; 2007: 1.29; 2008: 0.66; 2009: 0.93.
Facility type: Bulk Dry/Solid; Deficiency rate[A]: 2006: 1.28; 2007: 1.47; 2008: 1.08; 2009: 1.07.
Facility type: Break Bulk; Deficiency rate[A]: 2006: 1.48; 2007: 1.75; 2008: 1.52; 2009: 1.44.
Facility type: Bulk Liquid; Deficiency rate[A]: 2006: 0.77; 2007: 1.16; 2008: 0.95; 2009: 1.14.
Facility type: Bulk Oil; Deficiency rate[A]: 2006: 0.92; 2007: 1.24; 2008: 0.96; 2009: 0.89.
Facility type: Barge Fleeting; Deficiency rate[A]: 2006: 2.48; 2007: 0.45; 2008: 3.03; 2009: 3.72.
Facility type: Assist/Escort Tug; Deficiency rate[A]: 2006: 1.64; 2007: 1.29; 2008: 0.79; 2009: 1.07.
Facility type: Boat Ramp; Deficiency rate[A]: 2006: 0.67; 2007: 0.76; 2008: 0.67; 2009: 0.19.

Source: U.S. Coast Guard.

[A] Within each facility type, the deficiency rate is the number of deficiencies recorded each year divided by the number of regulated facilities recorded in 2008. Ferry facilities may service both high capacity ferries and smaller ferries.

[End of figure]

The Coast Guard May Be Missing Opportunities to Enhance Ferry Security:

The Coast Guard has reported taking various actions to help secure ferries, but may be missing opportunities to further enhance ferry security, particularly with respect to enhancing screening measures because it has not evaluated and, if determined warranted, acted on all of the findings and recommendations from several ferry security reports completed in 2005 and 2006. In addition, the Coast Guard has not reassessed its vehicle screening requirements since 2004.
The Coast Guard Has Not Evaluated and, if Determined Warranted, Acted on Report Findings and Recommendations:

The Coast Guard spent $1.5 million on contracted studies related to ferry security, but has not evaluated and, if determined warranted, taken action to address all of the findings and recommendations from these studies even though their results were issued in 2005 and 2006. Recognizing the security risk posed by vehicle-borne improvised explosive devices, the Coast Guard, in consultation with various other entities, initiated five studies to conduct more comprehensive research and development to enhance security on ferries.[Footnote 36] According to Coast Guard documentation from 2004, these studies were aimed at establishing a new benchmark for ferry screening and enhancing the agency's ability to focus on improving security practices, screening technology, and identification of explosive hazards. In addition, the document states that the Coast Guard should convene an interagency working group with private sector representation from the ferry industry to identify areas for improvement in the screening process by discussing (a) previously implemented screening practices and (b) information from the studies once they were completed. The five studies resulted in three reports with key findings related to the screening of vehicles boarding a ferry, and two of them made recommendations to the Coast Guard.

The ferry security reports included several findings and recommendations. Two of the reports included classified recommendations which cannot be discussed in our report. The third report, issued by ABSG Consulting in April 2005, reported on the completed consequence studies that were conducted and included classified findings on the potential consequences of a vehicle-borne improvised explosive device, but no recommendations resulted from this report.
The objectives of the consequences studies were to predict structural damage to the selected ferries from different charge sizes, locations, and methods of attack. The Coast Guard has not evaluated and, if determined warranted, taken actions on the ferry security reports. Standards for Internal Control in the Federal Government state that agencies should have policies and procedures for ensuring that findings of audits and other reviews are promptly resolved. The guidance further states that managers are to (1) promptly evaluate findings from audits and other reviews, including those showing deficiencies and recommendations reported by auditors and others who evaluate agencies' operations; (2) determine proper actions in response to findings and recommendations from audits and reviews; and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention.[Footnote 37] Although Coast Guard program officials stated that the agency does not have a process for addressing, responding to, or documenting recommendations stemming from research and development studies, they stated that once they receive a report they generally review its recommendations and seek feedback from Coast Guard program specialists and field units as well as industry stakeholders. After this, Coast Guard officials stated that they work with port captains and industry stakeholders to implement feasible security measures. Coast Guard Research and Development officials we met with told us that after the 2005 National Ferry Security Study was issued, they communicated the report findings to various entities, including the Coast Guard Commandant, Area Maritime Security Committees, and stakeholders at the ports included in the ferry study. 
In addition, a 2005 informational memorandum to the Secretary of Homeland Security from the Commandant indicated that the Coast Guard, in consultation with TSA and the Office for Domestic Preparedness, planned to implement new security measures to mitigate the risk of an improvised explosive device as a result of the ferry security studies. However, in May 2010, Coast Guard program officials stated that there were no current actions being taken to address the findings and recommendations from the National Ferry Security Study. Coast Guard officials explained that the ferry security reports were released when the agency was undergoing an internal reorganization and as a result the reports were not sent to the appropriate unit after the reorganization--which they also believe is the likely reason for why no further actions were taken to evaluate or address the reports' findings and recommendations. In June 2010, Coast Guard program officials reported that they were taking actions to improve ferry security through ongoing rulemaking and guidance development efforts. Coast Guard officials stated that they were in the process of revising the MTSA regulations, through which they would amend security training for vessel and facility personnel--including ferry screening personnel. Coast Guard officials stated that they began these revisions in late 2006, but had to divert their attention to the implementation of the Transportation Worker Identification Credential program in 2007, and thus, were delayed in developing the MTSA regulation revisions. The Coast Guard plans to finalize the MTSA regulatory revisions through the proposed rulemaking process. In addition, Coast Guard officials stated that they have been developing a Navigation and Vessel Inspection Circular for about 2 years to provide updated guidance for ferry screening. 
The guidance is intended to update existing screening policies and assist owners or operators of ferries and ferry facilities in the prevention of security incidents by developing and implementing more effective passenger screening programs appropriate for each maritime security threat level. Although the officials reported these efforts initially began in about 2005 or 2006, they did not expect the Navigation and Vessel Inspection Circular to be published until fall 2010. Coast Guard officials further reported that they plan to review the 2005 and 2006 reports to determine if additional changes should be incorporated into their ongoing development of the Navigation and Vessel Inspection Circular. However, officials stated that they could not delay the publication of the MTSA regulatory revisions currently under development, and thus, it was unlikely they would make any major ferry-related changes in this rulemaking as a result of reviewing the 2005 and 2006 reports. Furthermore, Coast Guard officials also informed us that DHS is currently evaluating the feasibility of developing standards for nonfederal canine programs. The Captain of the Port determines whether the qualifications of the canine program used by screening personnel are sufficient, as standards for private or nonfederal canine programs do not exist as they do for federal canine programs.[Footnote 38] Although these ongoing efforts may address some of the findings and recommendations from the 2005 and 2006 reports, it is not evident that the Coast Guard utilized the reports or their recommendations to inform the agency's decision making, as officials could not confirm whether the 2005 and 2006 reports were the catalyst for the agency's actions. In addition, Coast Guard officials confirmed that the ongoing actions will not address all of the findings and recommendations from the reports.
As a result of our work on ferry security, in August 2010, Coast Guard officials stated that they believe the ferry security reports can still provide valuable information and they plan to begin evaluating the reports in fall 2010. After conducting this evaluation of the reports and considering their recommendations, the Coast Guard could be in a better position to determine if additional actions could be taken to improve the security of ferries and their facilities. Moreover, fully evaluating the study results could assist the Coast Guard in determining if its current proposed actions will address previously identified deficiencies.

The Coast Guard Has Not Reassessed Vehicle Screening Requirements in Accordance with Agency Guidance:

Although agency documents have suggested that the Coast Guard reassess its vehicle screening requirements for ferry operators, the Coast Guard has not taken action to update these requirements since 2004.[Footnote 39] Along with MTSA regulations pertaining to vehicle screening, the Coast Guard established minimum screening requirements for vehicles boarding ferries in a November 2003 Coast Guard maritime security directive.[Footnote 40] In September 2004, the Coast Guard issued another maritime security directive which increased minimum vehicle screening requirements for high capacity passenger ferries, citing the use of a vehicle-borne improvised explosive device by a terrorist as a primary concern for ferries.[Footnote 41] The directive cited three factors that contributed to the decision to increase vehicle screening requirements: (1) an increase in suspicious activity in the preceding 2 years, (2) possible surveillance of ferry operations during that same period, and (3) an anticipated increase in risk associated with the January 2005 presidential inauguration.
The directive further stated that following the period of increased risk related to the inauguration and the completion of the aforementioned studies on ferry security, screening requirements would be reassessed. The directive also called for the establishment of a workgroup to address the new screening levels and develop a strategy to monitor vehicle screening effectiveness. Lastly, a 2004 Coast Guard document on ferry screening stated that the agency should monitor threats to ferries and continually reassess screening requirements relative to specific threats. Despite Coast Guard documents from 2004 stating that a reassessment of the screening requirements should be conducted when the ferry security studies were completed or if the threat were to change--both of which have occurred--as of May 2010, Coast Guard officials stated that they had not taken action to reassess and update the requirements since the 2004 security directive. Reviewing the screening requirements could provide the Coast Guard with reasonable assurance that it is setting standards for ferry operators that mitigate current threats to ferries and take into account the needs of ferry operators in maintaining their operations. Again, as a result of our work on ferry security, in August 2010, Coast Guard officials stated that they intended to begin reviewing the ferry security reports in fall 2010. According to one of these officials, although the agency's review of the ferry security reports could result in a change to the vehicle screening requirements, the agency did not have a specific plan to reassess the vehicle screening requirements.

Conclusions:

Given the attractiveness of ferries as targets for terrorists and the importance of ferry systems as a transportation mode, it is important that maritime security stakeholders regularly assess risks and take action to best ensure their security.
Certainly, federal agencies and maritime security stakeholders have implemented security measures to enhance ferry system security, and in 2005, the Coast Guard recognized the need to further enhance ferry system security. However, the Coast Guard's attention was then diverted to other agency priorities and thus the agency did not proactively evaluate and take action, if determined appropriate, on the findings and recommendations from the 2005 and 2006 ferry security reports. The reports provide information for potentially improving the detection of vehicle-borne improvised explosive devices and enhancing security across the nation's ferry systems, and in August 2010, Coast Guard officials acknowledged the value of this information. Fully assessing and considering these report findings and recommendations could provide the Coast Guard with valuable information that could augment ferry security. After evaluating the report findings and recommendations, the Coast Guard could be in a better position to determine what additional actions, if any, should be taken to enhance ferry security. In addition, although Coast Guard documentation from 2004 states that the agency should reassess its vehicle screening requirements after the results of the ferry security reports are issued or if the threat changes, it has not yet taken action to do so. Taking action to reassess screening requirements could provide the Coast Guard with key information to help improve its vehicle screening requirements. Thus, the Coast Guard could be in a better position to set standards for ferry operators that take into consideration the needs of the ferry systems to maintain operations while also protecting against current threats. 
Recommendations for Executive Action:

To ensure that the Coast Guard considers all known options for securing the ferry transportation system and is not missing opportunities to enhance ferry security, we recommend that the Commandant of the Coast Guard take the following two actions:

(1) after fully evaluating the findings and recommendations from the Coast Guard's 2005 and 2006 ferry security reports, take appropriate actions to address the findings and recommendations identified in these reports; and

(2) upon review of the reports, ensure that vehicle screening requirements are set at an appropriate level that considers both the risks to and operating requirements of ferry systems, and when warranted, reassess screening requirements for ferries and make changes as appropriate.

Agency Comments:

We provided a draft of the sensitive version of this report to the Departments of Homeland Security, State, and Interior for their review and comment. DHS did not provide official written comments to include in our report. However, in an e-mail received on September 23, 2010, the DHS liaison stated that DHS concurred with our recommendations. DHS provided written technical comments, which we incorporated into the report, as appropriate. The Departments of State and Interior responded that they did not have any comments on the report.

We are sending copies of this report to the Secretaries of Homeland Security, the Interior, and State; and interested congressional committees as appropriate. The report is also available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-9610 or caldwells@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix I.

Sincerely yours, Signed by: Stephen L.
Caldwell: Director, Homeland Security and Justice Issues: [End of section] Appendix I: GAO Contact and Staff Acknowledgments: GAO Contact: Stephen L. Caldwell, (202) 512-9610 or caldwells@gao.gov: Staff Acknowledgments: In addition to the contact named above, Dawn Hoff, Assistant Director, and Jonathan Bachman, analyst-in-charge, managed this assignment. Tracey Cross and Christine Hanson made significant contributions to the work. Stanley Kostyla assisted with design and methodology. Geoffrey Hamilton provided legal support. Jessica Orr provided assistance in report preparation. Josh Ormond and Lydia Araya developed the report's graphics. [End of section]
Footnotes: [1] Ferry data are based on results from the 2008 National Census of Ferry Operators. These data were self-reported by respondents to the census, include other sources of ferry data, and are the latest data available.
The Bureau of Transportation Statistics has ferry data available for censuses taken in 2000, 2006, and 2008. [2] U.S. Coast Guard Research and Development Center, National Ferry Security Study (Groton, Conn.: May 2005); Michael D. Greenberg, Peter Chalk, Henry H. Willis, Ivan Khilko, and David S. Ortiz, Maritime Terrorism: Risk and Liability (Santa Monica, Calif.: RAND Corporation, 2006). [3] Pub. L. No. 107-295, 116 Stat. 2064 (2002). [4] GAO, Maritime Security: Varied Actions Taken to Enhance Cruise Ship Security, but Some Concerns Remain, [hyperlink, http://www.gao.gov/products/GAO-10-400] (Washington, D.C.: Apr. 9, 2010). [5] Some passenger ferries may also carry cargo and/or vehicles in addition to passengers. [6] Risk is a function of three elements: (1) threat--the probability that a specific type of attack will be initiated against a particular target/class of targets, (2) vulnerability--the probability that a particular attempted attack will succeed against a particular target or class of targets, and (3) consequence--the expected worst case or worst reasonable adverse impact of a successful attack. [7] The National Infrastructure Protection Plan provides the unifying structure and overall framework for the integration of critical infrastructure and key resource protection into a single national program. [8] Coast Guard Sectors run all Coast Guard missions at the local and port level, such as search and rescue, port security, environmental protection, and law enforcement in ports and surrounding waters, and oversee a number of smaller Coast Guard units, including small cutters, small boat stations, and Aids to Navigation teams. The Coast Guard is divided into 35 Sectors. [9] At these five locations, we made observations of six ferry systems. Two of the locations also received international ferries. 
In addition to the Coast Guard, we interviewed a total of eight federal, state, or local law enforcement agencies; seven ferry operators or port authorities; and one Area Maritime Security Committee chair at these locations; and one CBP unit at a foreign port. [10] During this time, we were concurrently working on another passenger vessel security report, issued in April 2010; see GAO-10-400. In addition, we were also developing the sensitive version of this ferry security report, issued in October 2010. [11] U.S. Department of Transportation, Research and Innovative Technology Administration, Bureau of Transportation Statistics, National Census of Ferry Operators 2008, [hyperlink, http://www.transtats.bts.gov/tables.asp?DB_ID=616&DB_Name=&DB_Short_Name] (Accessed May 21, 2010). [12] For example, the Homeland Security Act of 2002 (Pub. L. No. 107-296, §201, 116 Stat. 2135, 2146 (2002)) requires DHS to perform risk assessments of key resources and critical infrastructure, and the Intelligence Reform and Terrorism Prevention Act of 2004 (Pub. L. No. 108-458, §4001, 118 Stat. 3638, 3710 (2004)) requires that DHS's National Strategy for Transportation Security include the development of risk-based priorities across all transportation modes. [13] The Captain of the Port is the Coast Guard officer designated by the Commandant to enforce within his or her respective areas port safety and security and marine environmental protection regulations, including, without limitation, regulations for the protection and security of vessels, harbors, and waterfront facilities. [14] [hyperlink, http://www.gao.gov/products/GAO-10-400]. [15] For more information on risk assessment models used in the aviation transportation mode, see GAO, Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C.: Mar. 27, 2009).
[16] Transportation Research Board's Transit Cooperative Research Program, Security Measures for Ferry Systems (Washington, D.C.: 2006). [17] GAO, Maritime Security: Federal Efforts Needed to Address Challenges in Preventing and Responding to Terrorist Attacks on Energy Commodity Tankers, [hyperlink, http://www.gao.gov/products/GAO-08-141] (Washington, D.C.: Dec. 10, 2007). [18] GAO, Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sectors, [hyperlink, http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: Feb. 27, 2009). [19] Admissibility inspections are conducted to determine the nationality and identity of each person wishing to enter the United States and to prevent the entry of inadmissible aliens, including those thought to be criminals, terrorists, or drug traffickers. In this example, the inspection would be conducted while the ferry is still in a Canadian port. [20] MTSA and its implementing regulations require that ferry and ferry facility operators develop security plans and that the Coast Guard review and approve these plans to ensure they are sufficient to mitigate identified vulnerabilities and that stakeholders are complying with them. [21] Some ferries operate out of public access facilities for which the Coast Guard does not conduct security inspections. For those facilities the Coast Guard does inspect, agency guidance requires that inspections: (a) ensure the facility complies with the Facility Security Plan; (b) ensure the approved Facility Security Plan/Alternative Security Program adequately addresses the performance-based criteria as outlined in 33 CFR 105; (c) ensure the adequacy of the Facility Security Assessment and the Facility Vulnerability and Security Measures Summary (Coast Guard-6025); and (d) ensure that the measures in place adequately address the vulnerabilities.
[22] The total number of MTSA-regulated ferry facilities can vary from year to year due to some facilities receiving waivers from MTSA regulations or discontinuing their operations.

[23] Operation Neptune Shield escort percentages are classified. To meet escort requirements, the Coast Guard may receive assistance from local law enforcement, provided the escorting vessel is equipped comparably to Coast Guard vessels. According to Coast Guard officials, the Captain of the Port uses historical data for the purpose of determining which ferries to escort.

[24] Seven of the Coast Guard's 35 Sectors did not have any type of high capacity passenger vessel operating within their respective area of responsibility.

[25] Coast Guard data on escorts do not differentiate between types of high capacity passenger vessels, such as ferries, cruise ships, or excursion vessels. Accordingly, it is not possible to determine the number of escorts that were performed on ferries or the number of ferry transits that did not receive escorts.

[26] TSA's canine training program consists of a 10-week course which pairs law enforcement officers from across the country with canines specifically bred for the program. Officers and canines learn to work together while being trained to locate and identify a wide variety of dangerous materials.

[27] Pub. L. No. 109-347, § 122, 120 Stat. 1884, 1899 (2006).

[28] In addition to security actions taken on behalf of the ferry operators, state and local law enforcement agencies may engage in ferry security efforts as part of their broader law enforcement or antiterrorism activities.

[29] The maritime security threat level is a three tiered rating of the terrorist threat in the maritime environment.

[30] In one location the Coast Guard approved a slight decrease in the minimum vehicle screening requirements so the ferry operator could more randomly screen and more effectively mitigate risk.

[31] Required knowledge includes areas such as current security threats and patterns; testing, calibration, operation, and maintenance of security equipment and systems; methods of physical screening of persons; inspection, control, and monitoring techniques; recognition of characteristics and behavioral patterns of persons who are likely to threaten security; and recognition and detection of dangerous substances and devices.

[32] At one ferry system where both law enforcement and contractors participated in security operations, officials stated that personnel conducting screening may have varying authorities. For example, sworn law enforcement officers would typically have the authority to take additional actions beyond those that ferry employees or contractors may have been able to take, such as detaining a passenger suspected of committing or attempting to commit an illegal act.

[33] U.S. Coast Guard Research and Development Center, National Ferry Security Study (Groton, Conn.: May 2005).

[34] U.S. Coast Guard Research and Development Center, National Ferry Security Study (Groton, Conn.: May 2005).

[35] The reported number of deficiencies does not include deficiencies that may still be open. Coast Guard officials reported that deficiencies could be considered open for a number of reasons, such as an appeal of the deficiency. Officials stated that prior year deficiencies should all be closed, though it is possible that some may still be open. According to the Coast Guard's standardized inspection checklist, inspectors can check operators' compliance with approximately 150 items, many of which could result in more than one deficiency. In addition to the items addressed during the inspection, other items such as failure to resolve or acquire waivers for previously cited deficiencies could generate further deficiencies. Conversely, some inspection items may not apply to certain facilities. For example, one item applies only to facilities which serve vessels that carry vehicles.

[36] The five studies included a general study, a consequence assessment, an explosion screening effectiveness and technology study, a study to collect data on screening technology in the ferry-operating environment, and a system analysis and deterrence effectiveness study. These studies were conducted by members of an integrated product team that included members from the Coast Guard's Research and Development Center, DHS's Science and Technology Directorate, Department of Transportation's Maritime Administration, the Department of Defense's Technical Support Working Group, TSA, Homeland Security Institute, and ABSG Consulting.

[37] Federal guidance on internal control also states that the resolution process begins when audit or other review results are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates the findings and recommendations do not warrant management action. In addition, the consideration of findings of reviews and audits is a means for an agency to identify risk. See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999).

[38] Participants in TSA's Transit Security Grant Program and DHS's Homeland Security Grant Program are required to maintain data to document compliance with guidelines for their explosives detection canine teams. These guidelines were developed by a scientific working group that included officials from DHS. See GAO, TSA's Explosives Detection Canine Program: Status of Increasing Number of Explosives Detection Canine Teams, [hyperlink, http://www.gao.gov/products/GAO-08-933R] (Washington, D.C.: July 2008).
[39] The requirements employed a random strategy designed to provide an effective level of deterrence while also balancing the need to maintain an efficient flow of commerce.

[40] While the Coast Guard required ferry operators to incorporate screening into their security plans--plans the Coast Guard must approve--operators were permitted to select the method of screening. The Captain of the Port may change screening requirements based on changes in the risk to or threat level at the port.

[41] Through the security directive the Coast Guard increased minimum screening requirements for vehicles and large enclosed vehicles at two of the three maritime security threat levels.

[End of section]