TSA Has Taken Steps to Conduct More Risk-Informed Covert Tests and Address Vulnerabilities
GAO-19-633T: Published: Jun 25, 2019. Publicly Released: Jun 25, 2019.
- Full Report:
To test screening at U.S. airports, TSA regularly tries to sneak guns and simulated bombs through checkpoints. We testified about TSA’s covert testing efforts, primarily based on our April report.
We observed covert tests at 5 airports and reviewed how test results are used. We found that TSA’s ability to run covert tests has improved, but that it could do a better job of choosing what to test. TSA also has a new process to address vulnerabilities found through these tests—but this process hasn’t yet resolved any identified security vulnerabilities.
TSA has addressed or is addressing our April recommendations.
Passengers entering a TSA security checkpoint at an airport
- Full Report:
What GAO Found
TSA revised its covert test processes in 2016 and has recently taken steps to document and use a risk-informed approach for covert testing. The Department of Homeland Security requires that agencies use risk information to make decisions, and TSA issues annual risk assessments of threats that its offices should consult when making risk-based decisions, such as what covert test to conduct. Two offices within the Transportation Security Administration (TSA) conduct covert tests at U.S. airports—Inspection and Security Operations. Of the two offices, GAO reported in April 2019 that Inspection's process appropriately considered risk information when determining what to test. However, Inspection had not fully documented its risk-informed approach. GAO recommended that TSA document its rationale for key decisions related to its risk-informed approach for selecting test scenarios. TSA recently made changes to address this recommendation, which GAO is in the process of reviewing. In addition, GAO reported in April 2019 that Security Operations was not fully considering risk information (such as risk assessments) when determining what tests to run. GAO recommended that TSA incorporate a more risk-informed approach into Security Operations' process for selecting covert test scenarios. TSA has since begun selecting scenarios for Security Operations' tests using an analysis tool that incorporates information from TSA risk assessments.
Inspection's updated process is designed to produce quality information, but Security Operations faces challenges with the quality of its test results. GAO reported in April 2019 that Inspection had established a new process for conducting covert tests that was intended to result in quality information on screening vulnerabilities. GAO found that two reports issued for tests conducted using this new process produced quality information on screening vulnerabilities. In contrast, GAO reported that Security Operations had not been able to ensure the quality of the results of covert tests performed by TSA staff at local airports. GAO identified local airport testing practices that could be compromising the quality of Security Operations' test results, such as having the test coordinator at the checkpoint during tests, whose presence may have provided advance notice to screeners that a test was in progress. GAO recommended that TSA assess the current covert testing process used by TSA officials at airports to identify opportunities to improve the quality of test data. DHS agreed and estimated that this effort would be completed by the end of July 2019.
TSA established the Security Vulnerability Management Process in 2015 to review and address any systemic vulnerability facing TSA, including those identified through Inspection's covert tests. However, GAO reviewed the vulnerabilities that Inspection has submitted to the process, and, as of June 2019, none of the nine vulnerabilities had been closed through mitigation steps taken through the new process. GAO found that TSA had difficulty closing identified vulnerabilities through the Security Vulnerability Management Process, in part, because it did not establish timeframes and milestones to ensure offices responsible for vulnerabilities were making measured progress toward mitigation. GAO recommended that TSA establish time frames and milestones for key steps in the process. DHS agreed and subsequently revised the charter to include timeframes and milestones for key aspects of the process, such as assigning a vulnerability owner to lead mitigation efforts for a specific vulnerability.
Why GAO Did This Study
In 2015, TSA identified deficiencies in its covert testing process. Since then, TSA has taken steps intended to improve its covert testing and to use test results to better address vulnerabilities.
This statement summarizes selected findings from GAO's April 2019 report, entitled, Aviation Security: TSA Improved Covert Testing but Needs to Conduct More Risk-Informed Tests and Address Vulnerabilities (GAO-19-374). Specifically, it addresses the extent to which (1) TSA's covert tests are risk-informed, (2) TSA's covert test processes produced quality information for fiscal years 2016 through March 2018, and (3) TSA has used the results of covert tests to address security vulnerabilities. This statement also contains updates as of June 2019 about actions TSA has taken to address the recommendations made in GAO's April 2019 report.
For this statement, GAO reviewed documentation TSA officials submitted to identify actions taken to address GAO's recommendations.
What GAO Recommends
GAO made 9 recommendations in its April 2019 report. DHS concurred with all of the recommendations.
For more information, contact William Russell at 202-512-8777 or RussellW@gao.gov.