Aviation Security: TSA Could Strengthen Its Insider Threat Program by Developing a Strategic Plan and Performance Goals
TSA estimates there are about 1.8 million aviation workers at U.S. airports. In some cases, workers have used access privileges to commit crimes, including stealing an aircraft and smuggling guns.
TSA efforts to reduce potential insider threats from aviation workers include requiring employee background checks and randomized worker screenings. Responsibility for these efforts is spread across multiple offices within TSA, airport operators, and air carriers.
The agency does not have a strategic plan to guide its Insider Threat Program. We recommended that it develop one that spells out strategic goals and identify ways to measure its progress.
Access Control Technologies at an Access Point to a Secured Area of an Airport
A door with a sign on it that says Secured Area
What GAO Found
The Transportation Security Administration (TSA), airport operators, and air carriers mitigate insider threats through a variety of efforts. TSA's Insider Threat Program comprises multiple TSA offices with ongoing insider threat mitigation activities, including long-standing requirements addressing access controls and background checks, and compliance inspections. TSA also initiated activities more recently, such as implementing TSA-led, randomized worker screenings in 2018. Airport and air carrier officials implement security measures in accordance with TSA-approved programs and may implement additional measures to further mitigate threats. For example, many airport operators reported using sophisticated access control technologies (e.g. fingerprint readers). Additionally, some air carriers reported conducting more rigorous background checks prior to issuing identification credentials to employees.
Examples of Methods to Mitigate Insider Threats at U.S. Airports
TSA‘s Insider Threat Program is not guided by a strategic plan with strategic goals and objectives nor does it have performance goals.
- TSA does not have an updated strategic plan that reflects the Program's current status. TSA officials said that the plan was not updated due to turnover of key senior leadership. As of January 2020, TSA officials said they were developing a roadmap that could serve as a new strategic plan for the Program. However, officials had not finalized the contents and were uncertain when it would be completed and implemented. Developing and implementing a strategic plan will help guide TSA's ongoing efforts and coordinate TSA's agency-wide approach.
- TSA has not defined performance goals with targets and timeframes to assess progress achieving the Program's mission. Without a strategic plan and performance goals, it is difficult for TSA to determine if its approach is working and progress is being made toward deterring, detecting, and mitigating insider threats to the aviation sector.
Why GAO Did This Study
Aviation workers using their access privileges to exploit vulnerabilities and potentially cause harm at the nation's airports is known as an “insider threat.” TSA, airport operators, and air carriers share the responsibility to mitigate all insider threats at airports. In October 2019, TSA estimated there are about 1.8 million aviation workers at the nation's airports.
GAO was asked to review TSA's and aviation stakeholders' efforts to mitigate insider threats at airports. This report (1) discusses the efforts that TSA, airport operators, and air carriers have taken to help mitigate insider threats at airports and (2) evaluates the extent to which TSA's Insider Threat Program is guided by a strategic plan and has performance goals.
GAO reviewed TSA guidance; analyzed TSA data from a questionnaire sent to a representative sample of airport operators; and obtained information from TSA officials, officials from selected larger U.S.-based air carriers, and a nongeneralizable sample of seven airport operators, selected, in part, based on the number of aircraft take-offs and landings.
GAO recommends that TSA develop and implement a strategic plan that has strategic goals and objectives, and develop performance goals to assess progress achieving objectives in the strategic plan. TSA agreed with GAO's recommendations.
Recommendations for Executive Action
|Transportation Security Administration||The TSA Administrator should develop and implement a strategic planfor its Insider Threat Program that includes strategic goals andobjectives. (Recommendation 1)||
In February 2020, we reported on the extent to which the Transportation Security Administration (TSA) had a strategic plan in place to guide its Insider Threat Program. During the course of our review, we found that TSA never fully implemented the 2014-2016 strategic plan for its Insider Threat Program, and further, TSA did not renew or revise the plan after 2016 due to the departure of the key sponsoring senior leader. We recommended that TSA develop a strategic plan for its Insider Threat Program. On May 14, 2020, TSA published the TSA Insider Threat Roadmap 2020 that establishes its strategic vision to deter, detect, and mitigate insider threats in the transportation sector. The roadmap describes strategic priorities and goals to help refine and improve its efforts to mitigate insider risks. The roadmap also describes specific objectives to help achieve these priorities. The roadmap should provide TSA with an integrated vision to guide its Insider Threat Program, and the specific goals and objectives in the roadmap should help TSA further develop and mature its insider threat program and mitigate insider risks.
|Transportation Security Administration||The TSA Administrator should develop performance goals for its Insider Threat Program that assess progress achieving the strategic objectives in the insider threat strategic plan. (Recommendation 2)||
In October 2020, TSA developed an implementation plan for its strategic framework, the TSA Insider Threat Roadmap, for mitigating insider threats in the transportation sector. The plan includes initial implementation approaches and milestones for each of the Roadmap's strategic objectives as well as some initial performance goals. In September 2021, TSA noted that it incorporated all aspects of the implementation plan into a single database, to include the performance goals for each strategic objective. In December 2021, TSA demonstrated that it had consolidated all of its implementation plan's strategic goals and associated objectives into a single database. For each objective, the database includes information about a series of milestones related to reaching that objective, the status of each milestone, and the expected completion date. TSA officials update the database at the beginning of each month. TSA then generates two monthly reports that contain up-to-date information on the agency's progress toward its strategic objectives and shares these with TSA leadership and the Insider Threat Executive Steering Committee. The database platform and monthly reports will allow TSA and Congress to better monitor and assess the progress of TSA's insider threat efforts, target areas most in need of improvement, and select appropriate levels of investment to meet the mission of deterring, detecting, and mitigating insider threats to the aviation sector.