Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should Be Managed as System Is Further Developed

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not finalized key program documents, such as the systems requirements document and the concept of operations, or completed key system testing, including stress testing, that were needed before the program became operational. Further, at the time of our review, TSA had not yet designed the procedures it would use to conduct stress testing. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Statutory Condition 3, which required performance of stress testing) and conditionally achieved 1 condition. Specifically, related to our March 2005 recommendation, TSA has finalized key program documentation, including the systems requirements document and concept of operations (finalized in August and December 2008, respectively); developed a Performance, Stress, and Load Test Plan with specific stress test requirements (finalized December 2008); and completed key system testing, including significant stress testing of the vetting (name matching) portion of Secure Flight (completed January 2009).

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not resolved how passenger data would be transmitted from air carriers to TSA to support Secure Flight operations. Further, we reported that officials from TSA and U.S. Customs and Border Protection (CBP) stated that it was uncertain whether CBP's existing systems--which Secure Flight would use to support the transfer of data--would be able to handle the larger amount of data that would need to be regularly transferred for the Secure Flight program. In February 2008, we reported that TSA and CBP had since worked with the Department of Homeland Security (DHS) to develop a strategy called the One DHS Solution--which is to align the two agencies' domestic and international watch-list matching processes, information technology systems, and regulatory procedures--to provide a seamless interface between DHS and the airline industry. In line with this strategy, the agencies agreed that TSA will take over international watch-list matching from CBP, with CBP continuing to perform, among other things, its border-related functions. Further, TSA and CBP coordinated their efforts to facilitate consistency across their programs. Specifically, related to our recommendation, in November 2008, TSA and CBP jointly issued a consolidated user guide to key stakeholders, including air carriers, that defines Secure Flight system data requirements. Also, in August 2008, TSA and CBP signed a formal interconnection security agreement establishing individual and organizational responsibilities for the protection and handling of unclassified information between the DHS router operated by CBP and TSA's Secure Flight program.

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not developed life-cycle cost estimates and only recently had completed an expenditure plan. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and conditionally achieved 1 condition (requiring the development of appropriate life-cycle cost estimates and expenditure and program plans). Specifically, related to our March 2005 recommendation, TSA provided us a plan of action, dated April 2009, that details the steps the Secure Flight program management office intends to carry out to address weaknesses we identified in the program's cost estimate in accordance with best practices. With regard to the program's cost estimate, TSA's plan has established a timeline of activities, that if effectively implemented, should result in (1) a more detailed work breakdown structure that would define the work necessary to accomplish the program's objectives; (2) the program cost estimate and schedule work breakdown structures being aligned properly; (3) an independent cost estimate performed by a contractor; (4) an assessment of the life-cycle cost estimate by the Department of Homeland Security's Cost Analysis Division; and (5) cost uncertainty and sensitivity analysis. In addition, TSA's plan has estimated government costs that were originally missing from its cost estimate. According to TSA, these costs will be addressed in its life-cycle cost estimate documentation.

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not yet established performance goals or measures to gauge the success of the Secure Flight program once it was operational. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program (including Statutory Condition 7, which required the adoption of policies establishing the effective oversight of the use and operation of the Secure Flight system and the development of performance measures to monitor and assess the effectiveness of the Secure Flight program) and conditionally achieved 1 condition. Specifically related to our prior recommendation, in September 2007, TSA developed a set of Secure Flight implementation performance metrics. The metrics are aligned with the goals and objectives of the Department of Homeland Security, TSA, and Secure Flight and cover five performance areas: Office of Management and Budget Key Performance Measures and four internal or operational performance measure areas--Service Center, General Operations, System, and Organizational Development.

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not yet clearly defined the privacy impacts of the operational system or all of the actions TSA planned to take to mitigate potential impacts. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of 10 statutory conditions related to the development of the Secure Flight program (including Statutory Condition 8, which required TSA to take action to ensure that no specific privacy concerns remain with the Secure Flight system) and conditionally achieved 1 condition. Specifically related to our prior recommendation, TSA issued required privacy notices--including a Privacy Impact Assessment in October 2008 and Systems of Records Notice in August 2007--that meet legal requirements and address key privacy principles. These notices describe, among other things, information that will be collected from passengers and airlines, the purpose of collection, and the planned uses of the data. In addition, in May 2009, we reported that TSA had established a variety of programmatic and technical controls for Secure Flight, such as involving privacy experts in major aspects of Secure Flight development; developing privacy training for all Secure Flight staff and related incident response procedures; tracking privacy issues and performing analysis when significant privacy issues are identified; instituting access controls to ensure that data are not accidentally or maliciously altered or destroyed; filtering unauthorized data from incoming data to ensure collection is limited to predefined types of information; establishing standard formats for the transmission of personally identifiable information in order to reduce variance in data and improve data quality; and maintaining audit logs to track access to personally identifiable information and document privacy incidents.

In March 2005, we reported, among other things, that the Transportation Security Administration (TSA) had not yet clearly defined how it plans to implement the redress process for Secure Flight, such as how errors in personal data, if identified, would be corrected. We recommended that TSA, prior to achieving initial operating capability, finalize policies and procedures detailing the Secure Flight passenger redress process, including defining the appeal rights of passengers and their ability to correct personal data. Since the time of our review, we found that TSA has made significant progress in developing the Secure Flight program and has completed key activities associated with implementing the program. In May 2009, GAO reported that TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program--including Statutory Condition 1, which required that a system of due process (redress)exist whereby aviation passengers determined to pose a threat who are either delayed or prohibited from boarding their scheduled flights by TSA may appeal such decisions and correct erroneous information contained in the Secure Flight program--and conditionally achieved 1 condition. Specifically related to our March 2005 recommendation, we reported that for the Secure Flight program, TSA plans to use the existing redress process that is managed by the Department of Homeland Security (DHS) Traveler Redress Inquiry Program (TRIP). TRIP, which was established in February 2007, serves as the central processing point within DHS for travel-related redress inquiries. TRIP refers redress inquiries submitted by airline passengers to TSA's Office of Transportation Security Redress (OTSR) for review. This process provides passengers who believe their travels have been adversely affected by a TSA screening process with an opportunity to be cleared if they are determined to be an incorrect match to watch-list records, or to appeal if they believe that they have been wrongly identified as the subject of a watch-list record. TSA has also coordinated with key stakeholders to identify and document shared redress processes and to clarify roles and responsibilities, consistent with relevant GAO guidance for coordination and documentation of internal controls. In addition, Secure Flight, TSA OTSR, and TSA's Office of Intelligence have jointly produced guidance that clarifies how the entities will coordinate their respective roles in the redress process, consistent with GAO's best practices on coordinating efforts across government stakeholders.