Aviation Security: TSA Strengthened Foreign Airport Assessments and Air Carrier Inspections, but Could Improve Analysis to Better Address Deficiencies
Highlights
What GAO Found
The Transportation Security Administration (TSA) has taken steps to enhance its foreign airport assessments and air carrier inspections since 2011, including aligning resources based on risk, resolving airport access issues, making evaluations more comprehensive, and creating operational efficiencies. For example, TSA has implemented targeted foreign airport assessments in locations where risk is high and developed the Global Risk Analysis and Decision Support System to strengthen data analysis. In addition, TSA has increased the number of joint airport assessments with the European Commission. Specifically, TSA officials GAO met with indicated that TSA's strong relationship with the European Commission has afforded the agency excellent access to foreign airports in Europe and a better understanding of vulnerabilities at these locations, which has resulted in more comprehensive assessments.
In its analysis of TSA foreign airport assessment results, GAO found that during fiscal years 2012 through 2016 there was considerable regional variation among last point of departure airports in the level of compliance with select International Civil Aviation Organization security standards and recommended practices. TSA attributed this regional variation to lack of airport resources or technical knowledge, among other factors. TSA officials also stated that while these challenges are not easy to overcome, agency efforts, such as training host country staff, can help foreign airports reduce their vulnerability scores over time. GAO's analysis of TSA's foreign airport assessment data confirmed that point by demonstrating that most foreign airports categorized with poor vulnerability ratings in fiscal year 2012 improved their vulnerability score in at least one follow-up assessment during fiscal years 2012 through 2016.
Meanwhile, U.S. and foreign-flagged air carriers providing last point of departure service to the United States from foreign airports complied with all TSA security requirements in most inspections, and TSA was able to resolve the majority of security deficiencies it identified with on-the-spot counseling. In some cases, TSA inspectors submitted violations for investigation because the violations were considered serious enough to potentially warrant an enforcement action.
TSA addresses identified deficiencies at foreign airports through capacity development, such as training and on-the-spot counseling. However, GAO found that TSA's database for tracking the resolution status of security deficiencies did not have comprehensive data on security deficiencies' root causes and corrective actions. In addition, the database lacked adequate categorization mechanisms. For example, while it captures three broad categories of root causes (e.g., lack of knowledge) it does not capture subcategories (e.g., supervision) that would better explain the root causes of security deficiencies. Fully collecting these data and improving the specificity of categorization would help TSA strengthen analysis and decision making. For example, TSA would be better positioned to determine the extent to which airports that received particular types of capacity development assistance were able to close security vulnerabilities. This is a public version of a sensitive report issued in October 2017. Information that TSA deemed to be sensitive is omitted from this report.
Why GAO Did This Study
Approximately 300 foreign airports offer last point of departure flights to the United States. TSA is the federal agency with primary responsibility for securing the nation's civil aviation system and assesses foreign airports and inspects air carriers to ensure they have in place effective security measures. While TSA is authorized under U.S. law to conduct foreign airport assessments, it does not have authority to impose or otherwise enforce security requirements at foreign airports. TSA is authorized to impose and enforce requirements on air carriers. The Aviation Security Act of 2016 includes a provision for GAO to review TSA's effort to enhance security at foreign airports.
This report addresses (1) steps TSA has taken to enhance foreign airport assessments and air carrier inspections since 2011, (2) the results of TSA's foreign airport assessments and air carrier inspections, and (3) steps TSA takes to address any deficiencies identified during foreign airport assessments and air carrier inspections. GAO reviewed TSA program data, interviewed TSA officials, and conducted site visits to TSA field locations that manage assessments and inspections.
Recommendations
To help strengthen TSA's analysis and decision making, GAO recommends that TSA fully capture and more specifically categorize data on the root causes of security deficiencies that it identifies and corrective actions. TSA concurred with the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status Sort descending |
|---|---|---|
| Transportation Security Administration | The Assistant Administrator for the Office of Global Strategies should ensure that data regarding the root causes of security deficiencies and corrective actions are consistently captured in accordance with TSA guidance. (Recommendation 1) |
Closed – Implemented
In October 2017, we reported that the Transportation Security Administration (TSA) had taken steps to enhance its foreign airport assessments and air carrier inspections, including aligning resources based on risk, resolving airport access issues, making evaluations more comprehensive, and creating operational efficiencies. However, we found that TSA's database for tracking the resolution status of security deficiencies identified during foreign airport assessments did not have comprehensive data on security deficiencies' root causes and corrective actions. Consequently, we recommended that TSA ensure that data regarding the root causes of security deficiencies and corrective actions are consistently captured in accordance with TSA guidance. In response, TSA developed the Vulnerability Resolution Tool (VRT) within its Global Risk Analysis and Decision Support (GRADS) system (the automated tracking system for oversight of the Foreign Airport Assessment Program). Specifically, VRT allows TSA to capture airport vulnerability data, such as a description of the airport assessment finding including vulnerabilities associated with a specific location, and allows for analysis of the vulnerability. VRT also allows TSA to capture root cause data associated with identified security deficiencies as well as any corrective actions taken. Furthermore, in March 2018, TSA created the Risk Mitigation Activity Tracker (RMAT) which tracks risk mitigation activities and corrective actions from planning, to implementation, to final resolution. In June 2018, TSA also created additional Root Cause Guidance that contains general information and guidance for conducting root cause selection and analysis for a variety of scenarios. In March 2019, TSA provided GAO with information on the steps it has taken to train staff around the globe in the use of VRT and RMAT, including documentation confirming that root cause and corrective action information is being captured and operationalized throughout the organization in VRT and RMAT. Based on these actions, we are closing the recommendation as implemented.
|
| Transportation Security Administration | The Assistant Administrator for the Office of Global Strategies should update TSA's data systems to include more specific categories for TSA's data on the root causes and corrective actions related to security deficiencies. (Recommendation 2) |
Closed – Implemented
In October 2017, we reported that the Transportation Security Administration (TSA) had taken steps to enhance its foreign airport assessments and air carrier inspections, including aligning resources based on risk, resolving airport access issues, making evaluations more comprehensive, and creating operational efficiencies. However, we found that TSA's database lacked adequate categorization mechanisms. For example, while TSA's database captures three broad categories of root causes (e.g., lack of knowledge) it did not capture subcategories (e.g., supervision) that would better explain what the exact root causes of identified security deficiencies were. Consequently, we recommended that TSA update its data systems to include more specific categories for root causes and corrective actions related to identified security deficiencies. In December 2017, TSA initiated a project team to improve its data systems and processes to more effectively capture root cause data, including incorporating more specific root cause categories in order to better analyze, plan, and execute corrective actions. In December and March of 2018, TSA piloted updated categories and underlying root cause selections at the Miami Regional Operation Center (ROC) and Frankfurt ROC, which was accompanied by guidance on making selections and what factors are required for root cause analysis. In addition, TSA developed an iShare tool to better track and retain mitigation activities, which it tested in a live environment as part of its Frankfurt pilot. In October 2018, TSA finalized the expansion of its Root Cause lists and updated its Vulnerability Resolution Tool (VRT) within its Global Risk Analysis and Decision Support (GRADS) system (the automated tracking system for oversight of the Foreign Airport Assessment Program) to reflect the new category lists, and also conducted training sessions for all affected staff. In March 2019, TSA provided GAO with a guidance document that delineates the updated categories for root causes in its data systems, and describes how root cause and corrective action analysis is being operationalized throughout the organization. Based on these actions, we are closing the recommendation as implemented.
|