Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Transportation security"

    16 publications with a total of 51 open recommendations including 7 priority recommendations
    Director: Jennifer Grover
    Phone: (202) 512-7141

    4 open recommendations
    Recommendation: The Administrator of TSA should address limitations in TSA's data system, such as by adding a data element that identifies individuals as surface inspectors, to facilitate ready access to information on all surface inspector activities. (Recommendation 1)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of TSA should ensure that surface inspector activities align more closely with higher-risk modes by incorporating the results of surface transportation risk assessments, such as the Transportation Sector Security Risk Assessment, when it plans and monitors surface inspector activities, and that TSA documents its rationale for decisions to prioritize activities in lower-risk modes over higher-risk ones, as applicable. (Recommendation 2)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of TSA should identify and prioritize high-risk entities and locations for TSA's Risk Mitigation Activities for Surface Transportation (RMASTs). (Recommendation 3)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of TSA should define clear and measurable objectives for the RMAST program. (Recommendation 4)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: The Assistant Administrator for the Office of Global Strategies should ensure that data regarding the root causes of security deficiencies and corrective actions are consistently captured in accordance with TSA guidance. (Recommendation 1)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Assistant Administrator for the Office of Global Strategies should update TSA's data systems to include more specific categories for TSA's data on the root causes and corrective actions related to security deficiencies. (Recommendation 2)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Carol Harris
    Phone: (202) 512-4456

    14 open recommendations
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes and implements specific time frames for determining key strategic implementation details, including how the program will transition from the current state to the final TIM state. (Recommendation 1)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes a schedule that provides planned completion dates based on realistic estimates of how long it will take to deliver capabilities. (Recommendation 2)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes new time frames for implementing the actions identified in the organizational change management strategy and effectively executes against these time frames. (Recommendation 3)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office defines and documents the roles and responsibilities among product owners, the solution team, and any other relevant stakeholders for prioritizing and approving Agile software development work. (Recommendation 4)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes specific prioritization levels for current and future features and user stories. (Recommendation 5)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office implements automated Agile management testing and deployment tools, as soon as possible. (Recommendation 6)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office updates the Systems Engineering Life Cycle Tailoring Plan to reflect the current governance framework and milestone review processes. (Recommendation 7)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office establishes thresholds or targets for acceptable performance-levels. (Recommendation 8)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office begins collecting and reporting on Agile-related cost metrics. (Recommendation 9)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that program velocity is measured and reported consistently. (Recommendation 10)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The TSA Administrator should ensure that the TIM program management office ensures that unit test coverage for software releases is measured and reported accurately. (Recommendation 11)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that appropriate DHS leadership reaches consensus on needed oversight and governance changes related to the frequency of reviewing Agile programs, and then documents and implements associated changes. (Recommendation 12)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that the Office of the Chief Technology Officer completes guidance for Agile programs to use for collecting and reporting on performance metrics. (Recommendation 13)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management to ensure that DHS-level oversight bodies review key Agile performance and cost metrics for the TIM program and use them to inform management oversight decisions. (Recommendation 14)

    Agency: Department of Homeland Security
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: The Administrator of TSA should explore and pursue methods to assess the deterrent effect of TSA's passenger aviation security countermeasures; such an effort should identify FAMS—a countermeasure with a focus on deterring threats—as a top priority to address. (Recommendation 1)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
    Recommendation: The Administrator of TSA should systematically evaluate the potential cost and effectiveness tradeoffs across countermeasures, as TSA improves the reliability and extent of its information on the effectiveness of aviation security countermeasures. (Recommendation 2)

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: DHS concurred with this recommendation and in its September 2017 response to our report, DHS stated that TSA will continue efforts to improve both its analysis of information related to security effectiveness and its cost information, leading to better informed cost-benefit decisions for individual countermeasures. To address the intent of our recommendation, TSA will need to evaluate the costs and effectiveness of individual aviation security countermeasures and then use this information to systematically evaluate the potential cost and effectiveness tradeoffs across countermeasures. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.
    Director: Shelby S. Oakley
    Phone: (202) 512-3841

    3 open recommendations
    Recommendation: To improve the awareness of how risk-significant radioactive sources are transported within the United States and to better determine whether Nuclear Regulatory Commission (NRC) is meeting its goal of providing reasonable assurance for preventing the theft or diversion of these dangerous materials, the Chairman of NRC should take actions to collect information from licensees on the number of shipments and mode of transport for such sources--for example, by identifying the extent to which an existing NRC database (e.g., the National Source Tracking System) may be used to capture this information.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: In its 60-day response letter from NRC to GAO, NRC repeated its position on this recommendation as stated in its formal agency response that was included as appendix III in the report. In both cases, NRC states that it disagrees with this recommendation. NRC disagrees that the specific number of shipments by mode of transport is always needed. NRC explained that existing information collection requirements already exist for category 1 quantities and that it had previously determined that collection of shipment information for category 2 quantities was not necessary. NRC also stated that NSTS would not be the appropriate database to capture shipment information; it is not designed to capture real-time information. In addition, NRC does not consider the proposed collection activity to be of sufficient benefit to justify the additional cost of capturing the information. Therefore, NRC does not believe that adopting this recommendation would result in significant improvements to safety. Despite its disagreement with this recommendation, we will continue to monitor whether NRC takes any actions that would result in addressing the concern GAO raised.
    Recommendation: To further enhance the security of radioactive sources during ground transport, the Chairman of NRC, in consultation with the Secretary of Transportation and the Secretary of Homeland Security, should identify an approach to verify that motor carriers are meeting NRC's Part 37 security requirements applicable to transportation, for example by having DOT inspectors verify compliance with NRC Part 37 security requirements during their on-site investigations.

    Agency: Nuclear Regulatory Commission
    Status: Open

    Comments: As noted in the NRC comments on the GAO report, the NRC agrees in general with the second recommendation to explore with Federal partners an approach to verify that motor carriers meet 10 CFR Part 37 transportation security requirements. The NRC commits to exploring how the respective agencies can verify that motor carriers are meeting the NRC's applicable Part 37 transportation security requirements. This recommendation will remain open until NRC presents evidence that it has acted on it.
    Recommendation: To further enhance the security of radioactive sources during ground transport, the Secretary of Transportation, in consultation with the Chairman of NRC and the Secretary of Homeland Security, should consider examining the potential costs and security benefits associated with lowering the Highway Route Controlled Quantity (HRCQ) threshold so that more, or all, category 1 shipments are classified as HRCQ shipments.

    Agency: Department of Transportation
    Status: Open

    Comments: In its 60-day response letter, NRC stated that it recognizes that HRCQ thresholds fall under the jurisdiction of DOT. The NRC commits to exploring with DOT the potential costs and security benefits associated with lowering the HRCQ threshold so that more if not all , of the shipments of Category 1 quantities of radioactive material may be classified as HRCQ shipments. In its 60-day response letter, DOT concurred with this recommendation and stated that it planned to consult with NRC and the Department of Homeland Security Domestic Nuclear Detection Office, and its internal stakeholders to evaluate potential costs and security benefits of lowering the HRCQ threshold, which they expect to complete by January 15, 2018. This recommendation will remain open until evidence is presented by NRC and DOT that they have examined the costs and benefits of lowering the HRCQ threshold.
    Director: Susan Fleming
    Phone: (202) 512-2834

    3 open recommendations
    Recommendation: To determine whether CSA interventions influence motor carrier safety performance, the Secretary of Transportation should direct the FMCSA Administrator to identify and implement, as appropriate, methods to evaluate the effectiveness of individual intervention types or common intervention patterns to obtain more complete, appropriate, and accurate information on the effectiveness of interventions in improving motor carrier safety performance. In identifying and implementing appropriate methods, FMCSA should incorporate accepted practices for designing program effectiveness evaluations, including practices that would enable FMCSA to more confidently attribute changes in carriers' safety behavior to CSA interventions.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To understand the efficiency of CSA interventions the Secretary of Transportation should direct the FMCSA Administrator to update FMCSA's cost estimates to determine the resources currently used to conduct individual intervention types and ensure FMCSA has cost information that is representative of all states.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To enable FMCSA management to monitor the agency's progress in achieving its effectiveness and efficiency outcomes for CSA interventions and balance priorities, the Secretary of Transportation should direct the FMCSA Administrator to establish and use performance measures to regularly monitor progress toward both FMCSA's effectiveness outcome and its efficiency outcome.

    Agency: Department of Transportation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Michael J. Courts
    Phone: (202) 512-8980

    5 open recommendations
    including 5 priority recommendations
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct the Bureau of Diplomatic Security (DS) to create consolidated guidance for RSOs that specifies required elements to include in post travel notification and transportation security policies. For example, as part of its current effort to develop standard templates for certain security directives, DS could develop templates for transportation security and travel notification policies that specify the elements required in all security directives as recommended by the February 2005 Iraq ARB as well as the standard transportation-related elements that DS requires in such policies.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify whether or not the FAH's armored vehicle policy for overseas posts is that every post must have sufficient armored vehicles, and if DS determines that the policy does not apply to all posts, articulate the conditions under which it does not apply.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to develop monitoring procedures to ensure that all posts comply with the FAH's armored vehicle policy for overseas posts once the policy is clarified.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to clarify existing guidance on refresher training, such as by delineating how often refresher training should be provided at posts facing different types and levels of threats, which personnel should receive refresher training, and how the completion of refresher training should be documented.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Recommendation: To enhance State's efforts to manage transportation-related security risks overseas, the Secretary of State should direct DS to improve guidance for RSOs, in coordination with other relevant State offices and non-State agencies as appropriate, on how to promote timely communication of threat information to post personnel and timely receipt of such information by post personnel.

    Agency: Department of State
    Status: Open
    Priority recommendation

    Comments: State concurred with this recommendation and provided an update in April 2017 describing its plans to address the recommendation. However, as of October 2017, State had not completed the described actions. We will continue to monitor State's progress in implementing this recommendation.
    Director: Mark Goldstein
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS Joint Program Office (JPO), in coordination with the Federal Transit Administration (FTA), to develop a strategy to raise awareness of JPO's training, technical assistance, and knowledge resources for transit ITS deployment in the transit community.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that its Professional Capacity Building Program has two initiatives under development that will raise awareness of existing Intelligent Transportation System knowledge resources. First, the department will develop an overall course catalog that will describe all existing resources offerings. Second, the department will develop a new strategic plan that will utilize information from the updated course catalog as well as internal analyses to determine which new knowledge resources need to be developed to meet the needs of the transit community. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Recommendation: To improve access to and awareness and applicability of ITS resources for ITS deployment, the Secretary of Transportation should direct the ITS JPO, in coordination with FTA, to include ITS adoption by small urban and rural transit providers in ITS monitoring efforts.

    Agency: Department of Transportation
    Status: Open

    Comments: The Department of Transportation agreed with GAO's recommendation and stated that the Federal Transit Administration is considering the development of a small urban and rural Intelligent Transportation System survey component as part of its 2019 Intelligent Transportation System Deployment Survey. As of June 2017, GAO is awaiting the Department's response regarding the status of its efforts to implement this recommendation.
    Director: Jennifer Grover
    Phone: (202) 512-7141

    2 open recommendations
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2017, TSA officials reported that FAMS was continuing to identify ways to refine the methodology FAMS uses to allocate resources between international and domestic flights. Specifically, TSA officials noted that FAMS was considering ways to incorporate information on the travel patterns of known or suspected terrorists, trends in TSA PreCheck passenger data, airport screening capabilities, and other factors. FAMS officials also reported that, as part of this effort, they were reviewing their International Concept of Operations. It is unclear how these steps will address the recommendation. To fully address this recommendation, FAMS should incorporate risk into its method for initially setting its annual target numbers of average daily international and domestic flights to cover.
    Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, the Director of FAMS should conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.

    Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
    Status: Open

    Comments: In May 2016, we reported that FAMS's choice of domestic geographic focus areas and resource allocation levels were based on professional judgment, not risk assessment. With regard to the geographic focus areas, for example, FAMS officials explained that they did not conduct a risk assessment to inform this decision, but rather selected these areas in consultation with 30 subject matter experts from various offices within TSA based on their intuitive, qualitative perceptions of threats, vulnerabilities, potential impacts, history, and the demographics of the areas. Without fully incorporating risk when determining such priorities, FAMS cannot reasonably ensure it is targeting its resources to the highest-risk flights. As a result, we recommended that FAMS conduct and document a risk assessment--systematically collecting information on and assigning value to current risks--to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas. In March 2017, TSA officials explained that they were continuing to develop their "risk-by-flight" initiative--a long-term effort to develop a method of assigning each domestic flight a relative risk score to assist in identifying high-risk flights. At the time of our report in 2016, FAMS officials estimated that the risk-by-flight tool would probably be ready for use within 7 to 10 years. In March 2017, TSA officials stated that they had developed a prototype Risk-Based Resource Deployment Decision Aid, which they refer to as R2D2. TSA officials further reported that the DHS Science and Technology Directorate had contracted for the development of a risk engine--based on the R2D2 data--to assign risk values to all U.S.-carrier domestic and international flights. TSA officials reported that this contract runs through early 2018. To fully address this recommendation, FAMS should conduct and document a risk assessment to further support FAMS's domestic resource allocation decisions, including the identification of high-priority geographic areas.
    Director: Michele Mackin
    Phone: (202) 512-4841

    1 open recommendations
    Recommendation: To help ensure that actions taken to improve the test and evaluation process address identified challenges, the Administrator of TSA should finalize all aspects of the third party testing strategy before implementing further third party testing requirements for vendors to enter testing.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: In its response to this recommendation, the Department of Homeland Security concurred and identified initial planned actions to implement the finalize third party strategy. Subsequently, in the Spring of 2016, the TSA Office of Security Capabilities finalized its third party tester application and approval process; established quality conformance standards for potential third party testers; and gathered and considered industry feedback on potential third party test strategy consequences among other actions. Collectively, TSA established and published program requirements and procedures for the third party test strategy. In late 2016, TSA formally delayed its planned implementation of the third-party testing program by a calendar year to now be completed by December 31, 2017. TSA cited a need to conduct additional assessments, coordination challenges, and larger TSA security equipment related initiatives as the reasons for the delay. As part of its regular recommendation status reporting to GAO, TSA in the Spring 2017, noted that it is on track to meet the intent of the recommendation by the later revised date. TSA noted it had recently updated its qualification process by which qualified product lists will be populated and has already incorporated various aspects of third party testing for legacy security equipment qualification.
    Director: Grover, Jennifer A
    Phone: (202)512-7141

    1 open recommendations
    Recommendation: To ensure that TSA's planned testing yields reliable results, the TSA Administrator should take steps to ensure that TSA's planned effectiveness testing of the Managed Inclusion process adheres to established evaluation design practices.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: TSA continues to make progress on implementing this recommendation. In March 2017, TSA reported that an evaluation of the security effectiveness of the managed inclusion process is to be completed over the next few weeks. Once documentation for the evaluation is available, TSA will provide it for review and analysis.
    Director: Maurer, Diana C
    Phone: (202) 512-9627

    2 open recommendations
    Recommendation: To ensure effective evaluation of federal training programs and enhance DHS's stewardship of resources for federal training programs, the Secretary of Homeland Security should direct DHS components to ensure that their documented training evaluation processes fully address attributes for effective training evaluation processes as they are drafted, updated, or revised.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2014, we reported on the Department of Homeland Security's (DHS) training efforts, including the extent to which DHS has a documented process to evaluate training and development programs. We found that all five DHS components in GAO's review--U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, the U.S. Coast Guard, the Transportation Security Administration, and the Federal Law Enforcement Training Center--have a documented process to evaluate their training programs. Their documented processes fully included three of six attributes of effective training evaluation processes identifying goals, programs to evaluate, and how results are to be used. However, the documented processes did not consistently include the other three attributes: methodology, timeframes, and roles and responsibilities. We concluded that by updating documentation to address these attributes, DHS components would have more complete information to guide its efforts in conducting effective evaluations. We therefore recommended that DHS direct its components to ensure that their documented training evaluation processes fully address attributes for effective training evaluation processes as they are drafted, updated, or revised. In September 2016, DHS officials reported that a DHS-wide self-audit of training evaluation processes was completed on March 31, 2016 and found that DHS has current documentation addressing effective learning evaluation programs and that there are commonalities in evaluation procedures across the components. As a part of the self-audit, components provided policy and procedures documents related to their training evaluation processes and found that they adhere to sound instructional systems design models. However, the self-audit focused on identifying the specific training evaluation practices for a sample of courses at each component and not whether the component-level guidance included the attributes for effective training evaluation processes we identified in our report. Further, although DHS updated its department-wide guidance on training evaluation in April 2016 to incorporate the attributes for effective training evaluation processes and some components have followed suit, other components have not. For example, we found that some components, such as Customs and Border Protection and the U.S. Coast Guard, had updated their training evaluation guidance to include the attributes we identified in our report. Others, such as U.S. Immigration and Customs Enforcement were in the process of updating their guidance. However, as of April 2017, the guidance from the Transportation Security Administration remained in draft and the guidance from the Federal Law Enforcement Training Center had not been updated since our review. Therefore, this recommendation remains open pending action on the above noted items.
    Recommendation: To ensure effective evaluation of federal training programs and enhance DHS's stewardship of resources for federal training programs, the Secretary of Homeland Security should identify existing challenges that prevent DHS from accurately capturing training costs department-wide and, to the extent that the benefits of addressing those challenges exceed the costs, implement corrective measures to overcome these challenges..

    Agency: Department of Homeland Security
    Status: Open

    Comments: In September 2014, we reported on the Department of Homeland Security's (DHS) training efforts, including the extent to which DHS has a documented process to reliably capture costs. We found that DHS identified efficiencies and cost savings for delivering a number of training programs. However, different methods are used for capturing training costs across the department, which poses challenges for reliably capturing these costs across DHS. Components capture training costs differently, contributing to inconsistencies in training costs captured across DHS. Variation in methods used to collect data can affect the reliability and quality of DHS-wide training program costs. However, DHS has not identified all challenges that contribute to these inconsistencies. We concluded that DHS could improve its awareness about the costs of training programs DHS-wide and thereby enhance its resource stewardship by identifying existing challenges that prevent DHS from accurately capturing training costs and implementing corrective measures. We therefore recommended that DHS identify existing challenges that prevent DHS from accurately capturing training costs department-wide and, to the extent that the benefits of addressing those challenges exceed the costs, implement corrective measures to overcome these challenges. As of September 2016, DHS reported that its Office of the Chief Human Capital Officer and Office of the Chief Financial Officer worked together to research the issue and determine the best course of action to standardize training cost reporting. However, this did not require a formal root cause analysis. In order to identify a way for the components to capture training costs in a standardized manner, DHS formed a Tiger Team that included officials from each component which identified 12 common functional areas for training to capture training costs. Components were directed to prepare implementation plans outlining how they will begin capturing cost data within the identified functional training areas and, according to DHS, began capturing the data on September 29, 2016. In January 2017, the DHS Chief Financial Officer provided guidance to the components as to how they are to report their training costs to DHS on a quarterly basis. Components provided their first quarterly submission to DHS in January 2017. These steps are in line with the intent of our recommendation. This recommendation will remain open as we monitor its continued implementation over the next two quarters.
    Director: Jennifer A. Grover
    Phone: (202) 512-7141

    1 open recommendations
    Recommendation: To assess the progress of the Secure Flight program toward achieving its goals, the Transportation Security Administration's Administrator should develop additional measures to address key performance aspects related to each program goal, and ensure these measures clearly identify the activities necessary to achieve progress toward the goal.

    Agency: Department of Homeland Security: Transportation Security Administration
    Status: Open

    Comments: When we confirm what actions that DHS TSA has taken in response to this recommendation, we will provide updated information. Status last confirmed on 10/26/15.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    5 open recommendations
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal partners to ensure that the maritime risk assessment includes cyber-related threats, vulnerabilities, and potential consequences.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that the National Maritime Strategic Risk Assessment (NMSRA) was still being finalized. The agency stated that they expected this to be completed by July 2017. Once completed, we will analyze the results of the NMSRA in order to validate the extent to which its contents implement our recommendation.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to use the results of the risk assessment to inform how guidance for area maritime security plans, facility security plans, and other securityrelated planning should address cyber-related risk for the maritime sector.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, USCG stated that it had developed a draft Navigation and Vessel Inspection Circular (NVIC) to provide guidance on assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities. USCG stated that the draft NVIC would be published in the Federal Register for 60 days, to enable maritime stakeholders to review and provide comment. Once USCG provides us a final copy of the NVIC, we will analyze it to determine if it provides guidance for addressing cyber-related risk in the maritime sector.
    Recommendation: To enhance the cybersecurity of critical infrastructure in the maritime sector, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to work with federal and nonfederal stakeholders to determine if the Maritime Modal Sector Coordinating Council should be reestablished to better facilitate stakeholder coordination and information sharing across the maritime environment at the national level.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In April 2017, the U.S. Coast Guard (USCG) stated that the tasking for the National Maritime Security Advisory Committee to explore the issue of information sharing mechanisms in regards to cyber information had been completed. However, USCG did not mention any decision related to the reestablishment of the sector coordinating council.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to develop procedures for officials at the field review level (i.e., captains of the port) and national review level (i.e., the National Review Panel and FEMA) to consult cybersecurity subject matter experts from the Coast Guard and other relevant DHS components, if applicable, during the review of cybersecurity grant proposals for funding.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information we receive and update status of implementation efforts.
    Recommendation: To help ensure the effective use of Port Security Grant Program funds to support the program's stated mission of addressing vulnerabilities in the maritime port environment, the Secretary of Homeland Security should direct the FEMA Administrator, in coordination with the Coast Guard, to use any information on cyberrelated threats, vulnerabilities, and consequences identified in the maritime risk assessment to inform future versions of funding guidance for grant applicants and reviews at the field and national levels.

    Agency: Department of Homeland Security
    Status: Open

    Comments: In June 2017, FEMA officials stated they would provide GAO an update on the status of the recommendation by July 2017. Once provided, we will analyze the information received and update status of implementation efforts.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    1 open recommendations
    including 1 priority recommendation
    Recommendation: To help ensure that security-related funding is directed to programs that have demonstrated their effectiveness, the Secretary of Homeland Security should direct the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: The Department of Homeland Security (DHS) did not concur with GAO's November 2013 recommendation to the TSA Administrator to limit future funding support for the agency's behavior detection activities until TSA can provide scientifically validated evidence that demonstrates that behavioral indicators can be used to identify passengers who may pose a threat to aviation security. However, as of July 2017, DHS has reduced funding for its behavior detection activities and taken some steps toward identifying additional evidence to support its use of behavioral indicators. TSA officials stated that GAO's recommendation contributed to DHS's decision to reduce the number of behavior detection officers (BDO) from 3,131 full-time equivalents in fiscal year 2013 to 2,393 full-time equivalents employed in fiscal year 2016. Further, in the summer of 2016 and consistent with the Aviation Security Act of 2016, the agency began assigning BDOs to other positions at passenger screening checkpoints where they are able to observe passengers while performing screening duties. According to TSA officials, all BDOs have now been converted into transportation security officers with behavior detection capabilities, which is expected to reduce the cost of the agency's behavior detection activities. As of August 2017, TSA does not yet have an estimate of any associated cost reductions. Since GAO's 2013 report, TSA has revised its list of behavioral indicators and taken some steps to identify evidence that these indicators can be used to identify passengers who may pose a threat to aviation security. Specifically, TSA hired a contractor to search available literature for sources supporting its revised list of 36 behavioral indicators. However, in 2017, GAO reviewed all 178 sources TSA identified and found that 98 percent (175 of 178) did not provide valid evidence for specific behavioral indicators in its revised list and that the remaining 3 sources could be used as valid evidence to support 8 of the 36 indicators. GAO reported that TSA should continue to limit funding for the agency's behavior detection activities until TSA can provide valid evidence demonstrating that behavioral indicators can be used to identify passengers who may pose a threat to aviation security, consistent with the recommendation in its November 2013 report.
    Director: Grover, Jennifer A
    Phone: (202) 512-7141

    3 open recommendations
    including 1 priority recommendation
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In April 2013, DHS reported that it had taken a number of steps to address our recommendations. For example, it had refreshed and reissued fraudulent document detection training to enrollment personnel; created a mechanism for enrollment personnel to send detailed information of suspected fraud to adjudication personnel; benchmarked TWIC enrollment processes with passport enrollment processes; and defined guidance for adjudicators on the application of discretionary authority. As we reported in May 2013, to determine if the internal control weaknesses identified in our May 2011 report still exist, we conducted limited covert testing in late 2012. Our investigators again acquired an authentic TWIC through fraudulent means and were able to use this card and counterfeit TWIC cards to access areas of ports or port facilities requiring a TWIC for entry at four ports. In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. In January 2017 TSA awarded a contract for an internal control assessment of the TWIC program, including the TWIC program?s internal controls of the enrollment, background checking, and credential issuance processes. The assessment, however, is to exclude an assessment of Coast Guard?s role in TWIC enforcement. The project held a kickoff meeting in March of 2017 and is expected to produce final recommendations by August 2017. We believe that this is a positive step towards addressing our recommendation. However, the assessment does not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. We continue to believe that the internal control assessment inclusive of TWIC use and the interrelationship between acquiring a TWIC and using it in the maritime environment is needed. For the reasons noted above, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.

    Agency: Department of Homeland Security
    Status: Open
    Priority recommendation

    Comments: We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. In March 2012, DHS reported that it agreed that the results and progress of the internal control actions should be used to further evaluate the effectiveness of the TWIC program. They further noted that as the different long term actions progress, DHS will develop specific plans to address this action. In May 2013 (see GAO-13-198), we reported that DHS had not addressed this recommendation. On January 17, 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after enactment (April 17, 2014). In February 2014, TSA reported that it, in coordination with Coast Guard and DHS subject matter experts, had established an Executive Steering Committee to address recommendations from the May 2011 report on the TWIC program's internal controls (GAO-11-657). GAO recommended that the internal control assessment be the basis of the effectiveness assessment. In response, the Executive Steering Committee developed an internal control action plan that lists TWIC program control issues GAO identified, along with actions that TSA and the Coast Guard would or would not take to address them. However, based on our review of the internal control action plan and associated documents, and further discussing with TSA officials the methodology used to arrive at the internal control action plan, we determined that the internal control assessment we recommended has not been implemented. Specifically, there is no evidence of a detailed mapping of each policy and process in the program, their interrelationships, and clear linkage to show how actions in one step may enhance or reduce the effectiveness of the TWIC program achieving its stated mission needs. As of March 2017, the internal control assessment we recommended as the basis for initiating the effectiveness assessment had not been completed. However, on January 15, 2016, Coast Guard reported that it had completed its effectiveness assessment. Specifically, DHS completed an effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers." However, the effectiveness assessment did not substantively address the risk concerns identified in our report. For example, the effectiveness assessment lacked the internal control assessment we deem to be the critical first step for fully understanding the TWIC program's controls, costs, and risks. Further, while the effectiveness assessment presented a comparison of alternative credentialing approaches, the assessment did not fully consider, as discussed in our 2011 and 2013 reports, an approach wherein federal security threat assessments could be leveraged in concert with site-specific credentials. The analysis did consider the benefits of updating the TWIC credential to new federal credentialing standards. However, absent from the analysis is a risk-informed basis for disallowing site-specific credentials. While TWIC credentials are developed based on standards aligned with those used by federal entities, each federal entity continues to use site-specific credentials that have varying appearances, rather than a single credential for granting access to all federal entities. This is important, especially because Coast Guard's risk assessment does not include an evaluation of the security benefits and shortfalls that a single credential used nation-wide provide. Absent effectiveness assessment that meets the intent of our recommendation, this recommendation remains open.
    Recommendation: To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis, which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and needed corrective actions could better inform and enhance the reliability of the new regulatory analysis. Moreover, these actions could help DHS identify and assess the full costs and benefits of implementing the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks, and help ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. We therefore recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In March 2012, DHS reported that upon completion of the internal control and effectiveness assessments, DHS will evaluate the results to determine any subsequent actions, and that any applicable data or risks will be communicated to the Coast Guard for consideration during their regulatory analysis. However, DHS has not implemented the internal control assessment we recommended, which is to be the basis for the effectiveness assessment and addressing this recommendation. Further, the January 15, 2016 effectiveness assessment titled "Security Assessment of the Transportation Worker Identification Credential and Readers" did not substantively address the risk concerns identified in our report. Given shortfalls that remain in addressing our internal control assessment and effectiveness assessment recommendations, this recommendation remains open pending DHS taking corrective actions. As of March 2017, no further action has been taken.