Recommendation: The TSA Administrator should establish quantifiable targets for the Surface Transportation Security Inspectors Program's activity-level performance measures. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should direct T&D and Security Operations to monitor for instances of TSO non-compliance by individual commercial airports across fiscal years that could potentially warrant corrective action at the headquarters level. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In January 2020, TSA's formal comment letter in response to our draft report stated that T&D will begin recording instances of noncompliance and work with Security Operations to monitor trends at individual airports and with specific courses. TSA also reported that T&D had developed a repository in its iShare database for this information at the end of 2019 and the agency is currently testing various options for reporting and pulling data. Once options are chosen and incorporated into its standard operating procedures, TSA reports that T&D will begin sharing the reports with Security Operations on a monthly basis. In July 2020, TSA officials told us that T&D had begun sharing training compliance reports from their database with Security Operations and discussing the results with them on a monthly basis. This database allows T&D to recognize trends at individual airports and specific courses throughout the fiscal year. Going forward, this process will enable T&D to identify noncompliance trends across fiscal years. We will continue to montior these efforts to verify that the T&D is montioring trends across fiscal years and work with TSA towards closure of this recommendation.

Recommendation: The Executive Assistant Administrator / Director of FAMS should identify and utilize a suitable system that provides information about air marshals' medical qualification status. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS is evaluating case management software to track this information and plans to pursue funding for this effort in fiscal year 2021.This action, if fully implemented, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should develop and implement a plan to assess the health and fitness of the FAMS workforce as a whole, including trends over time. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS had established a team to develop a plan for assessing workforce health and wellness issues. Adopting and implementing a plan that assesses the health and fitness of the FAMS workforce as a whole, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should identify and implement a means to monitor the extent to which air marshals' actual shifts and rest hours are consistent with scheduling guidelines. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS will begin tracking air marshals' actual hours and examine the extent to which air marshals' actual and scheduled hours vary. This information could be helpful, for example, in assessing air marshals' schedule predictability. However, to address the intent of this recommendation, FAMS would need to monitor the extent that air marshals' actual work and rest hours are consistent with FAMS's scheduling guidelines. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Executive Assistant Administrator / Director of FAMS should take steps to reaffirm and strengthen efforts to prevent discrimination by, for example, updating and following through on its 2012 action plan and renewing leadership commitment to the plan's goals. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: DHS concurred with this recommendation and in January 2020, DHS officials stated that FAMS plans to review the goals of its 2012 action plan and develop steps to strengthen efforts to prevent discrimination. These actions, if fully implemented, should address the intent of the recommendation. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should develop performance goals for its Insider Threat Program that assess progress achieving the strategic objectives in the insider threat strategic plan. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In May 2020, TSA published its strategic framework, the TSA Insider Threat Roadmap, for mitigating insider threats in the transportation sector. The Roadmap contains three overarching strategic priorities and specific objectives for each of these priorities to refine and continue to improve its efforts to detect, deter, and mitigate insider threats. TSA described that its next steps will be to develop implementation plans for each of these priorities and objectives, including detailed plans of actions with timelines and performance measures to assess its progress achieving the Roadmap's priorities and objectives. We will continue to monitor TSA's efforts to implement our recommendation.

Recommendation: The TSA Administrator should update TSA guidance for developing and approving screening technology explosives detection standards to reflect designated procedures, the roles and responsibilities of stakeholders, and changes in the agency's organizational structure. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should require and ensure that TSA officials document key decisions, including testing and analysis decisions, used to support the development and consideration of new screening technology explosives detection standards. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should require and ensure that TSA officials document their assessments of risk and the rationale—including the assumptions, methodology, and uncertainty considered—behind decisions to deploy screening technologies. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should develop a process to ensure that screening technologies continue to meet detection requirements after deployment to commercial airports. (Recommendation 4)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should implement the process it develops to ensure that screening technologies continue to meet detection requirements after deployment to commercial airports. (Recommendation 5)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The TSA Administrator should clarify roles and responsibilities for all offices involved in the coordination of surface transportation exercises, including when these offices are to coordinate, as part of the planned revision of the Surface Division's Internal Operating Procedure for I-STEP. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with the recommendation and will develop a standard operating procedure to clarify the roles and responsibilities for all offices involved in the coordination of surface transportation exercises, including when these offices are to coordinate, in conjunction with the planned revision of I-STEP's Surface Division Internal Operating Procedure. As part of this, TSA initiated a Surface Exercise Steering Group in January 2020 to clarify surface roles and responsibilities and to discuss a new approach for coordination of surface exercises. TSA estimates completing these actions by September 30, 2020.

Recommendation: The Administrator of TSA should document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change; (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and agreed to document which rule review process TSA I&A uses (exigent or standard) for each new rule or rule change. In March 2020, TSA updated its SOP to require that the selected rule review process be documented for each new rule and rule change. TSA's policy change is a positive first step, but to fully address this recommendation, TSA will need to demonstrate that the selected rule review process is now being documented.

Recommendation: The Administrator of TSA should explore additional data sources measuring the effectiveness of Silent Partner and Quiet Skies rules. (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and, in May 2020, DHS officials stated that they are reviewing data sources and assessing potential ways to assess the effectiveness of Quiet Skies and Silent Partner screening rules. DHS officials stated that they plan to fully address this recommendation by December 2020.

Recommendation: The Administrator of TSA should develop a mechanism to more routinely and comprehensively share appropriate information on the performance of mass transit security technologies (such as the annual sensor catalog and security technology assessments) with mass transit operators and stakeholders until DHS completes work on a more permanent information sharing resource. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2019, GAO reported on key mechanisms that TSA uses to collaborate and share information on identifying capability gaps and security technologies with stakeholders, including mass transit operators. We found that TSA regularly assesses commercially available technologies, but does not routinely or comprehensively share its results with mass transit operators. Therefore, we recommended that TSA develop a mechanism to routinely and comprehensively share security technology information with mass transit operators. TSA concurred with our recommendation, and in February 2020, reported implementing two of three planned efforts to better share security technology information, including steps to increase distribution of its annual publication on security technologies and to provide regular updates on assessed technologies at routine stakeholder meetings. We will continue to monitor TSA efforts with a third effort in order to close this recommendation.

Recommendation: The TSA Administrator should periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. (Recommendation 5)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and stated that TSA will periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. In October 2019, TSA officials reported that they were in the process of reviewing the 2010 Pipeline Security and Incident Recovery Protocol Plan and anticipated completing the review by December 2019. However, this review was delayed and we will continue to monitor TSA's efforts to implement this recommendation.

Recommendation: The Administrator of TSA should assess Security Operations guidance for applying root causes for test failures, and identify opportunities to clarify how they should be applied. (Recommendation 4)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it. In March 2020, TSA officials reported that they are developing new guidance to help testers identify and record root causes for covert test failures. Once TSA completes this guidance and GAO has been provided a copy for review, we will close this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to clarify TSA's Pipeline Security Guidelines by defining key terms within its criteria for determining critical facilities. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA reported that it completed a review of the Pipeline Security Guideline criteria for determining critical facilities. TSA sought and received pipeline stakeholder comments following their review of the criteria. According to TSA officials, TSA is sharing draft criteria with federal stakeholders and anticipates completion of the review by December 31, 2020. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should develop a strategic workforce plan for its Security Policy and Industry Engagement's Surface Division, which could include determining the number of personnel necessary to meet the goals set for its Pipeline Security Branch, as well as the knowledge, skills, and abilities, including cybersecurity, that are needed to effectively conduct Corporate Security Reviews (CSR) and Critical Facility Security Reviews (CFSR). (Recommendation 3)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open
Priority recommendation

Comments: As of June 2020, TSA reported that officials, including TSA's Office of Human Capital Strategic Planning, began collaborating to draft a strategic workforce plan for the pipeline security section of TSA. According to the officials, while this effort was delayed as TSA's Office of Human Capital needed focus on protecting TSA's workforce in response to the COVID-19 public health emergency, progress has been made. Phase one of a four-phase process began the week of 6/8/2020, with a Manpower Study to be completed by October 2020. The second phase will be a job skills/competency analysis and the third and fourth phases are position management and classification, and plan development and approval, respectively. TSA estimated completion of the workforce plan by June 30, 2021. We will continue to monitor the status of these efforts to develop a strategic workforce plan in response to this recommendation.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to identify or develop other data sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities and incorporate that data into the Pipeline Relative Risk Ranking Tool to assess relative risk of critical pipeline systems, which could include data on prior attacks, natural hazards, feedback data on pipeline system performance, physical pipeline condition, and cross-sector interdependencies. (Recommendation 6)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, TSA officials reported meeting with representatives from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) in February and March 2019 for their input on the identification of sources relevant to threat, vulnerability, and consequence consistent with the National Infrastructure Protection Plan and DHS critical infrastructure risk mitigation priorities. TSA officials also reported meeting with RAND personnel in March 2020 to discuss possible contract options for addressing this recommendation. Further action on this recommendation has been limited due to work on the COVID-19 response. We will continue to monitor the status of TSA's activities to determine whether our recommendation is fully implemented.

Recommendation: The TSA Administrator should direct the Security Policy and Industry Engagement's Surface Division to take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool, after the Pipeline Security Branch completes enhancements to its risk assessment approach. (Recommendation 7)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: As of June 2020, DHS officials reported that TSA will take steps to coordinate an independent, external peer review of its Pipeline Relative Risk Ranking Tool after addressing recommendations 4,5, and 6 of this report. DHS estimated that this effort would be completed by April 30, 2021.

Recommendation: The Administrator of TSA should monitor the duration of all cases beginning-to-end by stage and case type (Recommendation 16).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2020, TSA provided documentation of internal reports that measure duration. However, the reports do not provide management information on the duration of all case types from beginning-to-end and, by stage. TSA needs to provide evidence that it monitors the duration of all cases, including a description of which process stages are measured and which data fields are used to measure the total duration from beginning-to-end and by stage. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Administrator of TSA should monitor the timeliness of misconduct cases according to established targets for management inquiries (fact finding) and administrative inquiries, and the proposal and decision stages, using case information system data (Recommendation 17).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In September 2020, TSA provided evidence of reports it uses to measure duration. However, these reports do not show how TSA performs with regards to established targets. TSA needs to provide evidence of how it monitors the timeliness of all established targets , including which specific data fields are used to measure these targets. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Administrator of TSA should define and document the case management system data fields and methodology to be used for monitoring all established performance targets and provide related guidance to staff (Recommendation 18).

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: In May 2019, TSA provided guidance to its staff related to monitoring performance targets. However, these documents do not specify which system data should be used as part of the methodology for monitoring all established performance targets. TSA needs to provide documentation of guidance to staff that defines and documents all the specific case management system data field names (in the various databases, as applicable) and methodology staff should use to monitor all established timeliness targets. We are continuing to follow up on the actions taken by TSA to implement this recommendation.

Recommendation: The Administrator of TSA should explore and pursue methods to assess the deterrent effect of TSA's passenger aviation security countermeasures; such an effort should identify FAMS—a countermeasure with a focus on deterring threats—as a top priority to address. (Recommendation 1)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: DHS concurred with this recommendation and has begun taking steps intended to address it. In May 2018, officials with DHS's Requirements and Capabilities Analysis (RCA) reported conducting a literature review to identify ways DHS might be able to measure deterrence. ORCA officials reported looking to published studies and other agencies to identify data sources and methods, and were in the process of developing a model to assess the deterrent value of various aviation security countermeasures. In July 2019, TSA officials reported that they were continuing to develop this model which could better inform deployment of deterrence-related countermeasures. As of October 2020, DHS has provided no further updates on steps taken to implement this recommendation. To fully address this recommendation, TSA will need to fully develop this or another method to assess the deterrent effect of TSA's aviation security countermeasures.

Recommendation: To better ensure that FAMS uses its resources to cover the highest-risk flights, in addition to considering risk when determining how to divide FAMS's international flight coverage resources among international destinations, the Director of FAMS should incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover.

Agency: Department of Homeland Security: Transportation Security Administration: Office of Law Enforcement - Federal Air Marshal Service
Status: Open

Comments: In May 2016, we found that FAMS officials considered risk when selecting specific domestic and international flights to cover, but they did not consider risk when deciding how to initially divide their annual resources between domestic and international flights. Rather, each year FAMS considered two variables--travel budget and number of air marshals--to identify the most efficient way to divide the agency's resources between domestic and international flights. As a result, we recommended that FAMS incorporate risk into FAMS's method for initially setting its annual target numbers of average daily international and domestic flights to cover. In March 2018, FAMS revised its deployment methodology to no longer set an annual target number of average daily international and domestic flights to cover. Rather, FAMS now prioritizes deploying air marshals on as many flights as possible with passengers who have been identified as potentially higher risk because they match TSA's intelligence-based screening rules, among other risk-based priorities. In August 2020, FAMS officials explained that they were evaluating their concept of operations and planned to more fully develop a risk basis for dividing its resources between international and domestic flights. By doing so, FAMS could better ensure it is targeting its limited resources to the highest risk flights and better aligning with FAMS's stated goal of using risk-based decisions to guide mission operations. As a result, this recommendation remains open.