Transportation Worker Identification Credential:

Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives

GAO-11-657: Published: May 10, 2011. Publicly Released: May 10, 2011.

Contact:

Jennifer A. Grover
(202) 512-7141
groverj@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) and the U.S. Coast Guard manage the Transportation Worker Identification Credential (TWIC) program, which requires maritime workers to complete background checks and obtain a biometric identification card to gain unescorted access to secure areas of regulated maritime facilities. As requested, GAO evaluated the extent to which (1) TWIC processes for enrollment, background checking, and use are designed to provide reasonable assurance that unescorted access to these facilities is limited to qualified individuals; and (2) the effectiveness of TWIC has been assessed. GAO reviewed program documentation, such as the concept of operations, and conducted site visits to four TWIC centers, conducted covert tests at several selected U.S. ports chosen for their size in terms of cargo volume, and interviewed agency officials. The results of these visits and tests are not generalizable but provide insights and perspective about the TWIC program. This is a public version of a sensitive report. Information DHS deemed sensitive has been redacted.

Internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of Maritime Transportation Security Act (MTSA)-regulated facilities is restricted to qualified individuals. To meet the stated program purpose, TSA designed TWIC program processes to facilitate the issuance of TWICs to maritime workers. However, TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals. GAO found that internal controls in the enrollment and background checking processes are not designed to provide reasonable assurance that (1) only qualified individuals can acquire TWICs; (2) adjudicators follow a process with clear criteria for applying discretionary authority when applicants are found to have extensive criminal convictions; or (3) once issued a TWIC, TWIC-holders have maintained their eligibility. Further, internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of MTSA-regulated facilities during covert tests conducted by GAO's investigators. During covert tests of TWIC use at several selected ports, GAO's investigators were successful in accessing ports using counterfeit TWICs, authentic TWICs acquired through fraudulent means, and false business cases (i.e., reasons for requesting access). Conducting a control assessment of the TWIC program's processes to address existing weaknesses could better position DHS to achieve its objectives in controlling unescorted access to the secure areas of MTSA-regulated facilities and vessels. DHS has not assessed the TWIC program's effectiveness at enhancing security or reducing risk for MTSA-regulated facilities and vessels. 
Further, DHS has not demonstrated that TWIC, as currently implemented and planned, is more effective than prior approaches used to limit access to ports and facilities, such as using facility specific identity credentials with business cases. Conducting an effectiveness assessment that further identifies and assesses TWIC program security risks and benefits could better position DHS and policymakers to determine the impact of TWIC on enhancing maritime security. Further, DHS did not conduct a risk-informed cost-benefit analysis that considered existing security risks, and it has not yet completed a regulatory analysis for the upcoming rule on using TWIC with card readers. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program, could help DHS ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. Among other things, GAO recommends that DHS assess TWIC program internal controls to identify needed corrective actions, assess TWIC's effectiveness, and use the information to identify effective and cost-efficient methods for meeting program objectives. DHS concurred with all of the recommendations.

Recommendations for Executive Action

  1. Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In December 2017, a third party contracted by TSA reported on the results of its internal control assessment of the TWIC program, including the TWIC program's internal controls of the enrollment, background checking, and credential issuance processes. We believe that this is a positive step towards addressing our recommendation. However, the assessment did not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. In February 2018, TSA, with assistance from DHS's Science and Technology Directorate, initiated a study with a Homeland Security Operational Analysis Center to conduct an assessment of the TWIC program's security effectiveness in the maritime environment. The study plan sets forth methods for assessing the TWIC program's planned use with card readers. 
However, the study will not assess information systems controls and related risks for reasonably assuring that use of TWIC with readers and associated systems used for access control decisions are reliable and not surreptitiously altered by cyber intrusions or attack. Absent an assessment of controls for ensuring the reliable use of TWIC with readers, the study will fall short in meeting our recommendation and the deficiencies identified in our report. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed. For the reasons noted above, as of January 2019, this recommendation remains open.

    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. DHS, through TSA, has taken steps to address this recommendation by having an internal controls assessment conducted of the TWIC program's enrollment, background checking, credential issuance, and continued eligibility review. In February 2018, TSA, with assistance from DHS's Science and Technology Directorate, initiated a study with a Homeland Security Operational Analysis Center to conduct an assessment of the TWIC program's security effectiveness in the maritime environment. The study plan sets forth methods for assessing the TWIC program's planned use with card readers. However, the study will not assess information systems controls and related risks for reasonably assuring that use of TWIC with readers and associated systems used for access control decisions are reliable and not surreptitiously altered by cyber intrusions or attack. Moreover, the assessment does not include an assessment of the federally managed single credential approach in contrast to federally regulated decentralized options, such as the SIDA airport credentialing model, the Hazardous Materials endorsement for truck drivers (wherein an endorsement is added to a driver's license), the federal government's own agency-specific credentialing model which relies on organizational sponsorship and credentials with agency-specific security features, or any combination thereof. 
Absent an assessment of controls for ensuring the reliable use of TWIC with readers and the above-noted types of credentialing approaches, the study will fall short in meeting our recommendation and the deficiencies identified in our report. With consideration of the above noted shortfalls, DHS should proceed to conduct an assessment of the TWIC program's effectiveness to determine whether the benefits of continuing to implement and operate the program in its present form and planned use with readers surpass the costs. Absent an effectiveness assessment that meets the intent of our recommendation, as of January 2019, this recommendation remains open.

    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. 
However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of January 2019, no further action has been taken.

    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Not Implemented

    Comments: We found that Coast Guard's approach for monitoring and enforcing TWIC compliance could be improved by enhancing its collection and assessment of maritime security information. We reported that the Coast Guard uses its Marine Information for Safety and Law Enforcement (MISLE) database to provide the capability to collect, maintain, and retrieve information necessary for the administration, management, and documentation of Coast Guard Activities. However, because of limitations in the MISLE system design, the processes involved in the collection, cataloging, and querying of information cannot be relied upon to produce the management information needed to assess trends in compliance with the TWIC program or associated vulnerabilities. For instance, when inspectors document a TWIC card verification check, the system is set up to record the number of TWICs reviewed for different types of workers and whether the TWIC holders are compliant or noncompliant. However, other details on TWIC-related deficiencies, such as failure to ensure that all facility personnel with security duties are familiar with all relevant aspects of the TWIC program and how to carry them out, are not recorded in the system in a form that allows inspectors or other Coast Guard officials to easily and systematically identify that a deficiency was related to TWIC. Further, according to Coast Guard officials, local Coast Guard inspectors may not always or consistently record all inspection attempts. Consequently, while Coast Guard officials told us that inspectors verify TWICs as part of all security inspections, the Coast Guard could not reliably provide the number of TWICs checked during each inspection. 
We therefore reported that as a result of limitations in MISLE design and the collection and recording of inspection data, it will be difficult for the Coast Guard to identify trends nationwide in TWIC-related compliance, such as whether particular types of facilities or a particular region of the country have greater levels of noncompliance, on an ongoing basis. We therefore recommended that the Coast Guard design effective methods for collecting, cataloging, and querying TWIC-related compliance issues to provide the Coast Guard with the enforcement information needed to assess trends in compliance with the TWIC program and identify associated vulnerabilities. As of May 2016, Coast Guard reported that it has made updates to its MISLE system to address our recommendation. For example, Coast Guard can now query TWIC compliance reports by district. Coast Guard officials also report that they have requested additional adjustments to the system in order to better query and produce reports from its MISLE system but can provide no timetable for completion. Coast Guard officials, however, report that they will not be implementing certain reporting features highlighted in our report, such as the ability to query TWIC-related compliance issues that occur by the type of facility. Specifically, Coast Guard officials reported that they see no value in building a capability to sort TWIC data by the type of facility. They further reported that data showing that a given type of facility had a given rate of TWIC compliance would have no significance as it would represent many different companies in different locations. Given that impending TWIC regulation on the use of TWIC with readers is to be applied based on facility type, we continue to believe that such information would help inform the Coast Guard's implementation of TWIC requirements and provide for a better understanding of its security-related enhancements.
Given that this recommendation was issued 5 years ago and it remains incomplete with no timetable for completion, we are closing the recommendation as not implemented.

    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to design effective methods for collecting, cataloguing, and querying TWIC-related compliance issues to provide the Coast Guard with the enforcement information needed to assess trends in compliance with the TWIC program and identify associated vulnerabilities.

    Agency Affected: Department of Homeland Security

 
