This is the accessible text file for GAO report number GAO-10-401T 
entitled 'Homeland Security: Better Use of Terrorist Watchlist 
Information and Improvements in Deployment of Passenger Screening 
Checkpoint Technologies Could Further Strengthen Security' which was 
released on January 28, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Statement for the Record: 

To the Committee on Homeland Security, House of Representatives: 

United States Government Accountability Office: 

For Release on Delivery: 
Expected on Wednesday, 
January 27, 2010: 

Homeland Security: 

Better Use of Terrorist Watchlist Information and Improvements in 
Deployment of Passenger Screening Checkpoint Technologies Could 
Further Strengthen Security: 

Statement for the Record by Eileen R. Larence: 
Director, Homeland Security and Justice Issues: 


Stephen M. Lord:
Director, Homeland Security and Justice Issues: 


GAO Highlights: 

Highlights of GAO-10-401T, a statement for the record to the Committee 
on Homeland Security, House of Representatives. 

Why GAO Did This Study: 

The December 25, 2009, attempted bombing of flight 253 raised 
questions about the federal government’s ability to protect the 
homeland and secure the commercial aviation system. This statement 
focuses on the government’s efforts to use the terrorist watchlist to 
screen individuals and determine if they pose a threat, and how 
failures in this process contributed to the December 25 attempted 
attack. This statement also addresses the Transportation Security 
Administration’s (TSA) planned deployment of technologies for enhanced 
explosive detection and the challenges associated with this 
deployment. GAO’s comments are based on products issued from September 
2006 through October 2009 and selected updates in January 2010. For 
these updates, GAO reviewed government reports related to the December 
25 attempted attack and obtained information from the Department of 
Homeland Security (DHS) and TSA on use of the watchlist and new 
technologies for screening airline passengers. 

What GAO Found: 

The intelligence community uses standards of reasonableness to 
evaluate individuals for nomination to the consolidated terrorist 
watchlist. In making these determinations, agencies are to consider 
information from all available sources. However, for the December 25 
subject, the intelligence community did not effectively complete these 
steps and link available information to the subject before the 
incident. Therefore, agencies did not nominate the individual to the 
watchlist or any of the subset lists used during agency screening, 
such as the “No Fly” list. Weighing and responding to the potential 
impacts that changes to the nomination criteria would have on the 
traveling public will be an important consideration in determining 
what changes may be needed. Also, screening agencies stated that they 
do not check against all records in the watchlist, partly because 
screening against certain records may not be needed to support a 
respective agency’s mission or may not be possible because of the 
requirements of computer programs used to check individuals against 
watchlist records. In October 2007, GAO reported that not checking 
against all records may pose a security risk and recommended that DHS 
and the FBI assess potential vulnerabilities, but they have not 
completed these assessments. TSA is implementing an advanced airline 
passenger prescreening program—known as Secure Flight—that could 
potentially result in the federal government checking passengers 
against the entire watchlist under certain security conditions. 
Further, the government lacks an up-to-date strategy and 
implementation plan—supported by a clearly defined leadership or 
governance structure—which are needed to enhance the effectiveness of 
terrorist-related screening and ensure accountability. In the 2007 
report, GAO recommended that the Homeland Security Council ensure that 
a governance structure exists that has the requisite authority over 
the watchlist process. The council did not comment on this 

As GAO reported in October 2009, since TSA’s creation, 10 passenger 
screening technologies have been in various phases of research, 
development, procurement, and deployment, including the Advanced 
Imaging Technology (AIT)—formerly known as the Whole Body Imager. TSA 
expects to have installed almost 200 AITs in airports by the end of 
calendar year 2010 and plans to install a total of 878 units by the 
end of fiscal year 2014. In October 2009, GAO reported that TSA had 
not yet conducted an assessment of the technology’s vulnerabilities to 
determine the extent to which a terrorist could employ tactics that 
would evade detection by the AIT. Thus, it is unclear whether the AIT 
or other technologies would have detected the weapon used in the 
December 25 attempted attack. GAO’s report also noted the problems TSA 
experienced in deploying another checkpoint technology that had not 
been tested in the operational environment. Since GAO’s October 
report, TSA stated that it has completed the testing as of the end of 
2009. We are currently verifying that all functional requirements of 
the AIT were tested in an operational environment. Completing these 
steps should better position TSA to ensure that its costly deployment 
of AIT machines will enhance passenger checkpoint security. 

What GAO Recommends: 

GAO is not making new recommendations, but has made recommendations in 
prior reports to DHS, the Federal Bureau of Investigation (FBI), and 
the White House Homeland Security Council to enhance the use of the 
watchlist and to TSA related to checkpoint technologies. The agencies 
generally agreed and are making some progress, but full implementation 
is needed. 

View [hyperlink,] or key 
components. For more information, contact Eileen Larence at (202) 512-
6510 or and Stephen Lord at (202) 512-4379 or 

[End of section] 

Mr. Chairman and Members of the Committee: 

We are pleased to submit this statement on the progress federal 
agencies have made and the challenges they face in key areas of 
terrorism information sharing and the deployment of checkpoint 
technologies. The December 25, 2009, attempted bombing of flight 253 
has led to increased scrutiny of how the government creates and uses 
the consolidated terrorist screening database (the watchlist) to 
screen individuals and determine if they pose a security threat, and 
highlighted the importance of detecting improvised explosive devices 
and other prohibited items on passengers before they board a 
commercial aircraft. The White House's initial review of these events 
exposed gaps in how intelligence agencies collected, shared, and 
analyzed terrorism-related information to determine if the subject--
Umar Farouk Abdulmutallab--posed enough of a threat to warrant placing 
him on the watchlist, which could have altered the course of events 
that day. To enhance its ability to detect explosive devices and other 
prohibited items on passengers, the Transportation Security 
Administration (TSA) is evaluating the use of Advanced Imaging 
Technology (AIT)--formerly called the Whole Body Imager--as an 
improvement over current screening capabilities. 

In October 2007, we released a report on the results of our review-- 
conducted at your request--of how the watchlist is created and 
maintained, and how federal, state, and local security partners use 
the list to screen individuals for potential threats to the 
homeland.[Footnote 1] As a result of that review, we identified 
potential vulnerabilities, including ones created because agencies 
were not screening against all records in the watchlist. We made a 
number of recommendations aimed at addressing these potential 
vulnerabilities and helping to enhance the effectiveness of the 
watchlist process, which the agencies have not yet fully addressed. 
These recommendations--which we discuss later in this statement--are 
still important to address and can inform ongoing reviews of the 
December 25 attempted terrorist attack. 

Also, in January 2005, we designated information sharing for homeland 
security a high-risk area because the government faced formidable 
challenges in analyzing and disseminating this information in a 
timely, accurate, and useful manner.[Footnote 2] Since then, we have 
been monitoring and making recommendations to improve the government's 
efforts to share terrorism-related information, not only among federal 
agencies but also with their state, local, tribal, and private sector 
security partners.[Footnote 3] Addressing this high-risk area is 
important to help remove barriers that lead to agencies maintaining 
information in stove-piped systems, and to hold them accountable to 
the Congress and the public for ensuring terrorism information is 
shared, is used, and makes a difference. We are continuing to review 
federal agencies' efforts to share terrorism-related information and 
expect to report the results of this work later this year.[Footnote 4] 

In addition, in October 2009, we released a report on TSA's efforts to 
deploy checkpoint technologies and the challenges the agency faces in 
these efforts.[Footnote 5] We made eight recommendations related to 
the research, development, and deployment of these technologies. The 
Department of Homeland Security (DHS) agreed with our recommendations 
and identified actions planned or under way to implement them. While 
DHS is taking steps to address our recommendations related to 
conducting risk assessments, the actions DHS reported that TSA had 
taken or plans to take do not fully address the intent of the majority 
of our recommendations. 

This statement for the record discusses (1) the government's efforts 
to use the terrorist watchlist to screen individuals and determine if 
they pose a threat, as well as how aspects of this process contributed 
to the December 25 attempted terrorist attack and (2) TSA's planned 
deployment of the AIT for enhanced explosive detection and the 
challenges associated with this deployment. 

This statement is based on products GAO issued from September 2006 
through October 2009.[Footnote 6] In conducting our prior work, we 
reviewed documentation obtained from and interviewed officials at the 
various departments and agencies with responsibilities for compiling 
and using watchlist records. We also reviewed documentation and 
obtained information on current checkpoint screening technologies 
being researched, developed, and deployed. Our previously published 
reports contain additional details on the scope and methodology for 
those reviews. In addition, this statement contains selected updates 
conducted in December 2009 and January 2010. For the updates, GAO 
reviewed government reports and other information related to the 
December 25 attempted attack, obtained information from DHS and TSA on 
the use of watchlist records and new technologies for screening 
airline passengers, and interviewed a senior TSA official. We 
conducted our updated work in December 2009 and January 2010 in 
accordance with generally accepted government auditing standards. 

In Summary: 

Because the subject of the December 25 attempted terrorist attack was 
not nominated for inclusion on the government's consolidated terrorist 
screening database, federal agencies responsible for screening 
activities missed several opportunities to identify him and possibly 
take action. We have previously reported on a number of issues related 
to the compilation and use of watchlist records, such as the potential 
security risk posed by not checking against all records on the 
watchlist. We also identified the need for an up-to-date strategy and 
implementation plan--one that describes the scope, governance, 
outcomes, milestones, and metrics, among other things--for managing 
the watchlist process across the federal government. Such a strategy 
and plan, supported by a clearly defined leadership or governance 
structure, can be helpful in removing cultural, technological, and 
other barriers--such as those problems that the December 25 attempted 
terrorist attack exposed--that inhibit the effective use of watchlist 

With regard to the deployment of technology to detect explosives on 
passengers, TSA expects to have installed almost 200 AITs in airports 
by the end of calendar year 2010, and plans to procure and install a 
total of 878 units by the end of fiscal year 2014. While recently 
providing GAO with updated information to our October 2009 report, TSA 
stated that operational testing for the AIT was completed as of the 
end of calendar year 2009. We are in the process of verifying that TSA 
tested all of the AIT functional requirements in an operational 
environment. Moreover, we previously reported that TSA had not yet 
conducted an assessment of the technology's vulnerabilities to 
determine the extent to which a terrorist could employ tactics that 
would evade detection by the AIT. While we recognize that the AIT 
could provide an enhanced detection capability, completing these steps 
should better position TSA to have the information necessary to ensure 
that moving ahead with a costly deployment of AIT machines will 
enhance passenger checkpoint security. 


Terrorist Watchlist Process: 

The Terrorist Screening Center (TSC)--administered by the Federal 
Bureau of Investigation (FBI)--is responsible for maintaining the U.S. 
government's consolidated watchlist and providing it to federal 
agencies as well as state, local, and selected foreign partners for 
their use in screening individuals. TSC receives the vast majority of 
its watchlist nominations and information from the National 
Counterterrorism Center (NCTC), which compiles information on known or 
suspected international terrorists from executive branch departments 
and agencies.[Footnote 7] In addition, the FBI provides TSC with 
information on known or suspected domestic terrorists who operate 
primarily within the United States. To support agency screening 
processes, TSC first determines if each nomination contains specific 
minimum derogatory information for inclusion in its terrorist 
screening database. TSC then sends applicable records from the 
terrorist watchlist to screening agency systems for use in efforts to 
deter or detect the movements of known or suspected terrorists. For 
instance, applicable TSC records are provided to TSA for use in 
prescreening airline passengers; to a U.S. Customs and Border 
Protection (CBP) system for use in screening travelers entering the 
United States; to a Department of State system for use in screening 
visa applicants; and to an FBI system for use by state and local law 
enforcement agencies pursuant to arrests, detentions, and other 
criminal justice purposes.[Footnote 8] 

Airline Passenger Screening Using Checkpoint Screening Technology: 

Passenger screening is a process by which screeners inspect 
individuals and their property to deter and prevent an act of violence 
or air piracy, such as the carrying of any unauthorized explosive, 
incendiary, weapon, or other prohibited item on board an aircraft or 
into a sterile area.[Footnote 9] Screeners inspect individuals for 
prohibited items at designated screening locations. TSA developed 
standard operating procedures for screening passengers at airport 
checkpoints. Primary screening is conducted on all airline passengers 
before they enter the sterile area of an airport and involves 
passengers walking through a metal detector and carry-on items being 
subjected to X-ray screening. Passengers who alarm the walk-through 
metal detector or are designated as selectees--that is, passengers 
selected for additional screening--must then undergo secondary 
screening, as well as passengers whose carry-on items have been 
identified by the X-ray machine as potentially containing prohibited 
items.[Footnote 10] Secondary screening involves additional means for 
screening passengers, such as by hand-wand; physical pat-down; or, at 
certain airport locations, an explosives trace portal (ETP), which is 
used to detect traces of explosives on passengers by using puffs of 
air to dislodge particles from their bodies and clothing into an 
analyzer. Selectees' carry-on items are also physically searched or 
screened for explosives, such as by using explosives trace detection 

Assessing Potential Vulnerabilities Related to Not Screening against 
All Watchlist Records and Ensuring Clear Lines of Authority over the 
Watchlist Process Would Provide for Its More Effective Use: 

Agencies Rely upon Standards of Reasonableness in Assessing 
Individuals for Nomination to TSC's Watchlist, but Did Not Connect 
Available Information on Mr. Abdulmutallab to Determine Whether a 
Reasonable Suspicion Existed: 

Federal agencies--particularly NCTC and the FBI--submit to TSC 
nominations of individuals to be included on the consolidated 
watchlist. For example, NCTC receives terrorist-related information 
from executive branch departments and agencies, such as the Department 
of State, the Central Intelligence Agency, and the FBI, and catalogs 
this information in its Terrorist Identities Datamart Environment 
database, commonly known as the TIDE database. This database serves as 
the U.S. government's central classified database with information on 
known or suspected international terrorists. According to NCTC, 
agencies submit watchlist nomination reports to the center, but are 
not required to specify individual screening systems that they believe 
should receive the watchlist record, such as the No Fly list of 
individuals who are to be denied boarding an aircraft.[Footnote 11] 
NCTC is to presume that agency nominations are valid unless it has 
other information in its possession to rebut that position. 

To decide if a person poses enough of a threat to be placed on the 
watchlist, agencies are to follow Homeland Security Presidential 
Directive (HSPD) 6, which states that the watchlist is to contain 
information about individuals "known or appropriately suspected to be 
or have been engaged in conduct constituting, in preparation for, in 
aid of, or related to terrorism."[Footnote 12] HSPD-24 definitively 
established the "reasonable suspicion" standard for watchlisting by 
providing that agencies are to make available to other agencies all 
biometric information associated with "persons for whom there is an 
articulable and reasonable basis for suspicion that they pose a threat 
to national security."[Footnote 13] NCTC is to consider information 
from all available sources and databases to determine if there is a 
reasonable suspicion of links to terrorism that warrants a nomination, 
which can involve some level of subjectivity. The guidance on 
determining reasonable suspicion, which TSC most recently updated in 
February 2009, contains specific examples of the types of terrorism- 
related conduct that may make an individual appropriate for inclusion 
on the watchlist. 

The White House's review of the December 25 attempted terrorist attack 
noted that Mr. Abdulmutallab's father met with U.S. Embassy officers 
in Abuja, Nigeria, to discuss his concerns that his son may have come 
under the influence of unidentified extremists and had planned to 
travel to Yemen.[Footnote 14] However, according to NCTC, the 
information in the State Department's nomination report did not meet 
the criteria for watchlisting in TSC's consolidated terrorist 
screening database per the government's established and approved 
nomination standards. NCTC also noted that the State Department cable 
nominating Mr. Abdulmutallab had no indication that the father was the 
source of the information. According to the White House review of the 
December 25 attempted attack, the U.S. government had sufficient 
information to have uncovered and potentially disrupted the attack--
including by placing Mr. Abdulmutallab on the No Fly list--but 
analysts within the intelligence community failed to connect the dots 
that could have identified and warned of the specific threat. 

After receiving the results of the White House's review of the 
December 25 attempted attack, the President called for members of the 
intelligence community to undertake a number of corrective actions-- 
such as clarifying intelligence agency roles, responsibilities, and 
accountabilities to document, share, and analyze all sources of 
intelligence and threat threads related to terrorism, and accelerating 
information technology enhancements that will help with information 
correlation and analysis. The House Committee on Oversight and 
Government Reform has asked us, among other things, to assess 
government efforts to revise the watchlist process, including actions 
taken related to the December 25 attempted attack. 

As part of our monitoring of high-risk issues, we also have ongoing 
work--at the request of the Senate Committee on Homeland Security and 
Governmental Affairs--that is assessing agency efforts to create the 
Information Sharing Environment, which is intended to break down 
barriers to sharing terrorism-related information, especially across 
federal agencies.[Footnote 15] Our work is designed to help ensure 
that federal agencies have a road map that defines roles, 
responsibilities, actions, and time frames for removing barriers, as 
well as a system to hold agencies accountable to the Congress and the 
public for making progress on these efforts. Among other things, this 
road map can be helpful in removing cultural, technological, and other 
barriers that lead to agencies maintaining information in stove-piped 
systems so that it is not easily accessible, similar to those problems 
that the December 25 attempted attack exposed. We expect to issue the 
results of this work later this year. 

By Not Placing Mr. Abdulmutallab on the Consolidated Watchlist or Its 
Subsets, the Government Missed Opportunities to Use These 
Counterterrorism Tools: 

Following the December 25 attempted terrorist attack, questions were 
raised as to what could have happened if Mr. Abdulmutallab had been on 
TSC's consolidated terrorist screening database. We created several 
scenarios to help explain how the watchlist process is intended to 
work and what opportunities agencies could have had to identify him if 
he was on the watchlist. For example, according to TSC, if a record 
from the terrorist screening database is sent to the State 
Department's system and the individual in that record holds a valid 
visa, TSC would compare the identifying information in the watchlist 
record against identifying information in the visa and forward 
positive matches to the State Department for possible visa revocation. 
If an individual's visa is revoked, under existing procedures, this 
information is to be entered into the database CBP uses to screen 
airline passengers prior to their boarding, which we describe below. 
According to CBP, when the individual checks in for a flight, the on-
site CBP Immigration Advisory Program officers already would have been 
apprised of the visa revocation by CBP and they would have checked the 
person's travel documents to verify that the individual was a match to 
the visa revocation record. Once the positive match was established, 
the officers would have recommended that he not be allowed to board 
the flight. 

Under another scenario, if an individual is on TSC's terrorist 
screening database, existing processes provide CBP with the 
opportunity to identify the subject of a watchlist record as part of 
the checks CBP is to conduct to see if airline passengers are eligible 
to be admitted into the country. Specifically, for international 
flights departing to or from the United States (but not for domestic 
flights), CBP is to receive information on passengers obtained, for 
example, when their travel document is swiped. CBP is to check this 
passenger information against a number of databases to see if there 
are any persons who have immigration violations, criminal histories, 
or any other reason for being denied entry to the country, in 
accordance with the agency's mission. According to CBP, when it 
identifies a U.S. bound passenger who is on the watchlist, it 
coordinates with other federal agencies to evaluate the totality of 
available information to see what action is appropriate. In foreign 
airports where there is a CBP Immigration Advisory Program presence, 
the information on a watchlisted subject is forwarded by CBP to 
program officers onsite. The officers would then intercept the subject 
prior to boarding the aircraft and confirm that the individual is 
watchlisted, and when appropriate based on the derogatory information, 
request that the passenger be denied boarding. 

In a third scenario, if an individual is on the watchlist and is also 
placed on the No Fly or Selectee list, when the person checks in for a 
flight, the individual's identifying information is to be checked 
against these lists. Individuals matched to the No Fly list are to be 
denied boarding. If the individual is matched to the Selectee list, 
the person is to be subject to further screening, which could include 
physical screening, such as a pat-down. The criteria in general that 
are used to place someone on either of these two lists include the 

* Persons who are deemed to be a threat to civil aviation or national 
security and should be precluded from boarding an aircraft are put on 
the No Fly list. 

* Persons who are deemed to be a threat to civil aviation or national 
security but do not meet the criteria of the No Fly list are placed on 
the Selectee list and are to receive additional security screening 
prior to being permitted to board an aircraft.[Footnote 16] 

The White House Homeland Security Council devised these more stringent 
sets of criteria for the No Fly and Selectee lists in part because 
these lists are not intended as investigative or information-gathering 
tools or tracking mechanisms, and TSA is a screening but not an 
intelligence agency.[Footnote 17] Rather, the lists are intended to 
help ensure the safe transport of passengers and facilitate the flow 
of commerce. However, the White House's review of the December 25 
attempted terrorist attack raised questions about the effectiveness of 
the criteria, and the President tasked the FBI and TSC with developing 
recommendations for any needed changes to the nominations guidance and 

Weighing and responding to the potential impacts that changes to the 
nominations guidance and criteria could have on the traveling public 
and the airlines will be important considerations in developing such 
recommendations. In September 2006, we reported that tens of thousands 
of individuals who had similar names to persons on the watchlist were 
being misidentified and subjected to additional screening, and in some 
cases delayed so long as to miss their flights.[Footnote 18] We also 
reported that resolving these misidentifications can take time and, 
therefore, affect air carriers and commerce. If changes in criteria 
result in more individuals being added to the lists, this could also 
increase the number of individuals who are misidentified, exacerbating 
these negative effects. In addition, we explained that individuals who 
believe that they have been inappropriately matched to the watchlist 
can petition the government for action and the relevant agencies must 
conduct research and work to resolve these issues. If more people are 
misidentified, more people may trigger this redress process, 
increasing the need for resources. Finally, any changes to the 
criteria or process would have to ensure that watchlist records are 
used in a manner that safeguards legal rights, including freedoms, 
civil liberties, and information privacy guaranteed by federal law. 

Agencies Do Not Screen Individuals against All Records in the 
Watchlist, Which Creates Potential Security Vulnerabilities; GAO 
Continues to Recommend That Agencies Assess and Address These Gaps: 

In reacting to the December 25 attempted terrorist attack, determining 
whether there were potential vulnerabilities related to the use of 
watchlist records when screening--not only individuals who fly into 
the country but also, for example, those who cross land borders--are 
important considerations. Screening agencies whose missions most 
frequently and directly involve interactions with travelers generally 
do not check against all records in the consolidated terrorist 
watchlist. In our October 2007 report, we noted that this is because 
screening against certain records may not be needed to support a 
respective agency's mission or may not be possible because of computer 
system limitations, among other things.[Footnote 19] 

For example, CBP's mission is to determine if any traveler is eligible 
to enter the country or is to be denied entry because of immigration 
or criminal violations. As such, CBP's computer system accepts all 
records from the consolidated watchlist database that have either a 
first name or a last name and one other identifier, such as a date of 
birth. Therefore, TSC sends CBP the greatest number of records from 
the consolidated watchlist database for its screening. In contrast, 
one of the State Department's missions is to approve requests for 
visas. Since only non-U.S. citizens and nonlawful permanent residents 
apply for visas, TSC does not send the department records on citizens 
or lawful permanent residents for screening visa applicants. 

Also, the FBI database that state and local law enforcement agencies 
use for their missions in checking individuals for criminal histories, 
for example, also receives a smaller portion of the watchlist. 
According to the FBI, its computer system requires a full first name, 
last name, and other identifier, typically a date of birth. The FBI 
noted that this is because having these identifiers helps to reduce 
the number of times an individual is misidentified as being someone on 
the list, and the computer system would not be effective in making 
matches without this information. Finally, the No Fly and Selectee 
lists collectively contain the lowest percentage of watchlist records 
because the remaining ones either do not meet the nominating criteria, 
as described above, or do not meet system requirements--that is, 
include full names and dates of birth, which TSA stated are required 
to minimize misidentifications. 

TSA is implementing a new screening program that the agency states 
will have the capability to screen an individual against the entire 
watchlist.[Footnote 20] Under this program, called Secure Flight, TSA 
will assume from air carriers the responsibility of comparing 
passenger information against the No Fly and Selectee lists.[Footnote 
21] According to the program's final rule, in general, Secure Flight 
is to compare passenger information only to the No Fly and Selectee 
lists.[Footnote 22] The supplementary information accompanying the 
rule notes that this will be satisfactory to counter the security 
threat during normal security circumstances. However, the rule 
provides that TSA may use the larger set of watchlist records when 
warranted by security considerations, such as if TSA learns that 
flights on a particular route may pose increased risks. TSA emphasized 
that use of the full terrorist screening database is not routine. 
Rather, TSA noted that its use is limited to circumstances in which 
there is information concerning an increased risk to transportation 
security, and the decision to use the full watchlist database will be 
based on circumstances at the time. According to TSA, as of January 
2010, the agency was developing administrative procedures for 
utilizing the full watchlist when warranted. 

In late January 2009, TSA began to assume from airlines the watchlist 
matching function for a limited number of domestic flights, and has 
since phased in additional flights and airlines. TSA expects to assume 
the watchlist matching function for all domestic and international 
flights departing to and from the United States by December 2010. It 
is important to note that under the Secure Flight program, TSA 
requires airlines to provide the agency with each passenger's full 
name and date of birth to facilitate the watchlist matching process, 
which should reduce the number of individuals who are misidentified as 
the subject of a watchlist record. We continue to monitor the Secure 
Flight program at the Congress's request. 

In our October 2007 watchlist report, we recommended that the FBI and 
DHS assess the extent to which security risks exist by not screening 
against certain watchlist records and what actions, if any, should be 
taken in response.[Footnote 23] The agencies generally agreed with our 
recommendations but noted that the risks related to not screening 
against all watchlist records needs to be balanced with the impact of 
screening against all records, especially those records without a full 
name and other identifiers. For example, more individuals could be 
misidentified, law enforcement would be put in the position of 
detaining more individuals until their identities could be resolved, 
and administrative costs could increase, without knowing what 
measurable increase in security is achieved. While we acknowledge 
these tradeoffs and potential impacts, we maintain that assessing 
whether vulnerabilities exist by not screening against all watchlist 
records--and if there are ways to limit impacts--is critical and could 
be a relevant component of the government's ongoing review of the 
watchlist process. Therefore, we believe that our recommendation 
continues to have merit. 

Identifying Additional Screening Opportunities and Determining Whether 
There Are Clear Lines of Authority for and Accountability over the 
Watchlist Process Would Help Ensure Its Effective Use: 

As we reported in October 2007, the federal government has made 
progress in using the consolidated terrorist watchlist for screening 
purposes, but has additional opportunities to use the list. For 
example, DHS uses the list to screen employees in some critical 
infrastructure components of the private sector, including certain 
individuals who have access to vital areas of nuclear power plants or 
transport hazardous materials. However, many critical infrastructure 
components are not using watchlist records, and DHS has not finalized 
guidelines to support such private sector screening, as HSPD-6 
mandated and we previously recommended.[Footnote 24] 

In that same report, we noted that HSPD-11 tasked the Secretary of 
Homeland Security with coordinating across other federal departments 
to develop (1) a strategy for a comprehensive and coordinated 
watchlisting and screening approach and (2) a prioritized 
implementation and investment plan that describes the scope, 
governance, principles, outcomes, milestones, training objectives, 
metrics, costs, and schedule of necessary activities.[Footnote 25] We 
reported that without such a strategy, the government could not 
provide accountability and a basis for monitoring to ensure that (1) 
the intended goals for, and expected results of, terrorist screening 
are being achieved and (2) use of the watchlist is consistent with 
privacy and civil liberties. We recommended that DHS develop a current 
interagency strategy and related plans. 

According to DHS's Screening Coordination Office, during the fall of 
2007, the office led an interagency effort to provide the President 
with an updated report, entitled, HSPD-11, An Updated Strategy for 
Comprehensive Terrorist-Related Screening Procedures.[Footnote 26] The 
office noted that the report was formally submitted to the Executive 
Office of the President through the Homeland Security Council and 
reviewed by the President on January 25, 2008. Further, the office 
noted that it also provided a sensitive version of the report to the 
Congress in October 2008. DHS provided us an excerpt of that report to 
review, stating that it did not have the authority to share excerpts 
provided by other agencies, and we were unable to obtain a copy of the 
full report. The information we reviewed only discussed DHS's own 
efforts for coordinating watchlist screening across the department. 
Therefore, we were not able to determine whether the HSPD-11 report 
submitted to the President addressed all of the components called for 
in the directive or what action, if any, was taken as a result. We 
maintain that a comprehensive strategy, as well as related 
implementation and investment plans, as called for by HSPD-11, 
continue to be important to ensure effective governmentwide use of the 
watchlist process. 

In addition, in our October 2007 report, we noted that establishing an 
effective governance structure as part of this strategic approach is 
particularly vital since numerous agencies and components are involved 
in the development, maintenance, and use of the watchlist process, 
both within and outside of the federal government. Also, establishing 
a governance structure with clearly-defined responsibility and 
authority would help to ensure that agency efforts are coordinated, 
and that the federal government has the means to monitor and analyze 
the outcomes of such efforts and to address common problems 
efficiently and effectively. We determined at the time that no such 
structure was in place and that no existing entity clearly had the 
requisite authority for addressing interagency issues. We recommended 
that the Homeland Security Council ensure that a governance structure 
was in place, but the council did not comment on our recommendation. 

At the time of our report, TSC stated that it had a governance board 
in place, comprised of senior-level agency representatives from 
numerous departments and agencies. However, we also noted that the 
board provided guidance concerning issues within TSC's mission and 
authority. We also stated that while this governance board could be 
suited to assume more of a leadership role, its authority at that time 
was limited to TSC-specific issues, and it would need additional 
authority to provide effective coordination of terrorist-related 
screening activities and interagency issues governmentwide. In January 
2010, the FBI stated that TSC has a Policy Board in place, with 
representatives from relevant departments and agencies, that reviews 
and provides input to the government's watchlist policy. The FBI also 
stated that the policies developed are then sent to the National 
Security Council Deputies Committee (formerly the Homeland Security 
Council) for ratification. The FBI noted that this process was used 
for making the most recent additions and changes to watchlist 
standards and criteria. We have not yet been able to determine, 
however, whether the Policy Board has the jurisdiction and authority 
to resolve issues beyond TSC's purview, such as issues within the 
intelligence community and in regard to the nominations process, 
similar to the types of interagency issues the December 25 attempted 
attack identified. We maintain that a governance structure with the 
authority for and accountability over the entire watchlist process, 
from nominations through screening, and across the government is 

On January 7, 2010, the President tasked the National Security Staff 
with initiating an interagency review of the watchlist process-- 
including the business processes, procedures, and criteria--and the 
interoperability and sufficiency of supporting information technology 
systems. This review offers the government an opportunity to develop 
an updated strategy, related plans, and governance structure that 
would provide accountability to the administration, the Congress, and 
the American public that the watchlist process is effective at helping 
to secure the homeland. 

Recent Work Highlights the Importance of Conducting Vulnerability 
Assessments and Operational Testing Prior to Deployment of New 
Checkpoint Technologies: 

While TSA Has Not Yet Deployed Any New Checkpoint Technologies 
Nationwide, It Plans to Have Installed Almost 200 AITs by the End of 

As we reported in October 2009, in an effort to improve the capability 
to detect explosives at aviation passenger checkpoints, TSA has 10 
passenger screening technologies in various phases of research, 
development, procurement, and deployment, including the AIT (formerly 
Whole Body Imager).[Footnote 27] TSA is evaluating the AIT as an 
improvement over current screening capabilities of the metal detector 
and pat-downs specifically to identify nonmetallic threat objects and 
liquids. The AITs produce an image of a passenger's body that a 
screener interprets. The image identifies objects, or anomalies, on 
the outside of the physical body but does not reveal items beneath the 
surface of the skin, such as implants. TSA plans to procure two types 
of AIT units: one type uses millimeter wave and the other type uses 
backscatter X-ray technology. Millimeter wave technology beams 
millimeter wave radio frequency energy over the body's surface at high 
speed from two antennas simultaneously as they rotate around the body. 
[Footnote 28] The energy reflected back from the body or other objects 
on the body is used to construct a three-dimensional image. Millimeter 
wave technology produces an image that resembles a fuzzy photo 
negative. Backscatter X-ray technology uses a low-level X-ray to 
create a two-sided image of the person. Backscatter technology 
produces an image that resembles a chalk etching.[Footnote 29] 

As we reported in October 2009, TSA has not yet deployed any new 
technologies nationwide. However, as of December 31, 2009, according 
to a senior TSA official, the agency has deployed 40 of the millimeter 
wave AITs, and has procured 150 backscatter X-ray units in fiscal year 
2009 and estimates that these units will be installed at airports by 
the end of calendar year 2010. In addition, TSA plans to procure an 
additional 300 AIT units in fiscal year 2010, some of which will be 
purchased with funds from the American Recovery and Reinvestment Act 
of 2009.[Footnote 30] TSA plans to procure and deploy a total of 878 
units at all category X through category IV airports.[Footnote 31] 
Full operating capability is expected in fiscal year 2014. TSA 
officials stated that the cost of the AIT is about $130,000 to 
$170,000 per unit, excluding installation costs. In addition, the 
estimated training costs are $50,000 per unit. 

While TSA stated that the AIT will enhance its explosives detection 
capability, because the AIT presents a full body image of a person 
during the screening process, concerns have been expressed that the 
image is an invasion of privacy. According to TSA, to protect 
passenger privacy and ensure anonymity, strict privacy safeguards are 
built into the procedures for use of the AIT. For example, the officer 
who assists the passenger never sees the image that the technology 
produces, and the officer who views the image is remotely located in a 
secure resolution room and never sees the passenger. Officers 
evaluating images are not permitted to take cameras, cell phones, or 
photo-enabled devices into the resolution room. To further protect 
passengers' privacy, ways have been introduced to blur the passengers' 
images. The millimeter wave technology blurs all facial features, and 
the backscatter X-ray technology has an algorithm applied to the 
entire image to protect privacy. Further, TSA has stated that the 
AIT's capability to store, print, transmit, or save the image will be 
disabled at the factory before the machines are delivered to airports, 
and each image is automatically deleted from the system after it is 
cleared by the remotely located security officer. Once the remotely 
located officer determines that threat items are not present, that 
officer communicates wirelessly to the officer assisting the 
passenger. The passenger may then continue through the security 
process. Potential threat items are resolved through a direct physical 
pat-down before the passenger is cleared to enter the sterile 
area.[Footnote 32] In addition to privacy concerns, the AITs are large 
machines, and adding them to the checkpoint areas will require 
additional space, especially since the operators are segregated from 
the checkpoint to help ensure passenger privacy. 

TSA Reports That It Is Taking Steps to Operationally Test AITs but Has 
Not Conducted Vulnerability Assessments: 

We previously reported on several challenges TSA faces related to the 
research, development, and deployment of passenger checkpoint 
screening technologies and made a number of recommendations to improve 
this process.[Footnote 33] Two of these recommendations are 
particularly relevant today, as TSA moves forward with plans to 
install a total of 878 additional AITs--completing operational testing 
of technologies in airports prior to using them in day-to-day 
operations and assessing whether technologies such as the AIT are 
vulnerable to terrorist countermeasures, such as hiding threat items 
on various parts of the body to evade detection. 

First, in October 2009, we reported that TSA had relied on 
technologies in day-to-day airport operations that had not been proven 
to meet their functional requirements through operational testing and 
evaluation, contrary to TSA's acquisition guidance and a knowledge-
based acquisition approach. We also reported that TSA had not 
operationally tested the AITs at the time of our review, and we 
recommended that TSA operationally test and evaluate technologies 
prior to deploying them.[Footnote 34] In commenting on our report, TSA 
agreed with this recommendation. A senior TSA official stated that 
although TSA does not yet have a written policy requiring operational 
testing prior to deployment, TSA is now including in its contracts 
with vendors that checkpoint screening machines are required to 
successfully complete laboratory tests as well as operational tests. 
The test results are then incorporated in the source selection plan. 
The official also stated that the test results are now required at key 
decision points by DHS's Investment Review Board. While recently 
providing GAO with updated information to our October 2009 report, TSA 
stated that operational testing for the AIT was completed as of the 
end of calendar year 2009. We are in the process of verifying that TSA 
has tested all of the AIT's functional requirements in an operational 

Deploying technologies that have not successfully completed 
operational testing and evaluation can lead to cost overruns and 
underperformance. TSA's procurement guidance provides that testing 
should be conducted in an operational environment to validate that the 
system meets all functional requirements before deployment. In 
addition, our reviews have shown that leading commercial firms follow 
a knowledge-based approach to major acquisitions and do not proceed 
with large investments unless the product's design demonstrates its 
ability to meet functional requirements and be stable.[Footnote 35] 
The developer must show that the product can be manufactured within 
cost, schedule, and quality targets and is reliable before production 
begins and the system is used in day-to-day operations. 

TSA's experience with the ETPs, which the agency uses for secondary 
screening, demonstrates the importance of testing and evaluation in an 
operational environment. The ETP detects traces of explosives on a 
passenger by using puffs of air to dislodge particles from the 
passenger's body and clothing that the machine analyzes for traces of 
explosives. TSA procured 207 ETPs and in 2006 deployed 101 ETPs to 36 
airports, the first deployment of a checkpoint technology initiated by 
the agency.[Footnote 36] TSA deployed the ETPs even though agency 
officials were aware that tests conducted during 2004 and 2005 on 
earlier ETP models suggested that they did not demonstrate reliable 
performance. Furthermore, the ETP models that were subsequently 
deployed were not first tested to prove their effective performance in 
an operational environment, contrary to TSA's acquisition guidance, 
which recommends such testing. As a result, TSA procured and deployed 
ETPs without assurance that they would perform as intended in an 
operational environment. TSA officials stated that they deployed the 
machines without resolving these issues to respond quickly to the 
threat of suicide bombers. In June 2006, TSA halted further deployment 
of the ETP because of performance, maintenance, and installation 
issues. According to a senior TSA official, as of December 31, 2009, 
all but 9 ETPs have been withdrawn from airports and 18 ETPs remain in 
inventory. TSA estimates that the 9 remaining ETPs will be removed 
from airports by the end of calendar year 2010. In the future, using 
validated technologies would enhance TSA's efforts to improve 
checkpoint security. Furthermore, retaining existing screening 
procedures until the effectiveness of future technologies has been 
validated could provide assurances that use of checkpoint technologies 
improves aviation security. 

Second, as we reported in October 2009, TSA does not know whether its 
explosives detection technologies, such as the AITs, are susceptible 
to terrorist tactics. Although TSA has obtained information on 
vulnerabilities at the screening checkpoint, the agency has not 
assessed vulnerabilities--that is, weaknesses in the system that 
terrorists could exploit in order to carry out an attack--related to 
passenger screening technologies, such as AITs, that are currently 
deployed. According to TSA's threat assessment, terrorists have 
various techniques for concealing explosives on their persons, as was 
evident in Mr. Abdulmutallab's attempted attack on December 25, where 
he concealed an explosive in his underwear. However, TSA has not 
assessed whether these and other tactics that terrorists could use to 
evade detection by screening technologies, such as AIT, increase the 
likelihood that the screening equipment would not detect the hidden 
weapons or explosives. Thus, without an assessment of the 
vulnerabilities of checkpoint technologies, it is unclear whether the 
AIT or other technologies would have been able to detect the weapon 
Mr. Abdulmutallab used in his attempted attack. TSA is in the process 
of developing a risk assessment for the airport checkpoints, but the 
agency has not yet completed this effort or clarified the extent to 
which this effort addresses any specific vulnerabilities in checkpoint 

TSA officials stated that to identify vulnerabilities at airport 
checkpoints, the agency analyzes information such as the results from 
its covert testing program. TSA conducts national and local covert 
tests, whereby individuals attempt to enter the secure area of an 
airport through the passenger checkpoint with prohibited items in 
their carry-on bags or hidden on their persons. However, TSA's covert 
testing programs do not systematically test passenger and baggage 
screening technologies nationwide to ensure that they identify the 
threat objects and materials the technologies are designed to detect, 
nor do the covert testing programs identify vulnerabilities related to 
these technologies. We reported in August 2008 that while TSA's local 
covert testing program attempts to identify test failures that may be 
caused by screening equipment not working properly or caused by 
screeners and the screening procedures they follow, the agency's 
national testing program does not attribute a specific cause of a test 
failure.[Footnote 37] We recommended, among other things, that TSA 
require the documentation of specific causes of all national covert 
testing failures, including documenting failures related to equipment, 
in the covert testing database to help TSA better identify areas for 
improvement. TSA concurred with this recommendation and stated that 
the agency will expand the covert testing database to document test 
failures related to screening equipment. 

In our 2009 report, we also recommended that the Assistant Secretary 
for TSA, among other actions, conduct a complete risk assessment-- 
including threat, vulnerability, and consequence assessment--for the 
passenger screening program and incorporate the results into TSA's 
program strategy, as appropriate. TSA and DHS concurred with our 
recommendation, but have not completed these risk assessments or 
provided documentation to show how they have addressed the concerns 
raised in our 2009 report regarding the susceptibility of the 
technology to terrorist tactics. 

Mr. Chairman, this concludes our statement for the record. 

Contacts and Acknowledgments: 

For additional information on this statement, please contact Eileen 
Larence at (202) 512-6510 or or Stephen Lord at (202) 
512-4379 or 

In addition to the contacts named above, Kathryn Bernet, Carissa 
Bryant, Frances Cook, Joe Dewechter, Eric Erdman, Richard Hung, Anne 
Laffoon, Linda Miller, Victoria Miller, and Michelle Woods made key 
contributions to this statement. 

[End of section] 


[1] GAO, Terrorist Watchlist Screening: Opportunities Exist to Enhance 
Management Oversight, Reduce Vulnerabilities in Agency Screening 
Processes, and Expand Use of the List, [hyperlink,] (Washington, D.C.: Oct. 11, 

[2] See GAO, High-Risk Series: An Update, [hyperlink,] (Washington, D.C.: January 
2009), for our most recent update. 

[3] See, for example, GAO, Information Sharing: The Federal Government 
Needs to Establish Policies and Processes for Sharing Terrorism-
Related and Sensitive but Unclassified Information, [hyperlink,] (Washington, D.C.: Mar. 17, 
2006); Information Sharing Environment: Definition of the Results to 
Be Achieved in Improving Terrorism-Related Information Sharing Is 
Needed to Guide Implementation and Assess Progress, [hyperlink,] (Washington, D.C.: June 25, 
2008); and Information Sharing: Federal Agencies Are Sharing Border 
and Terrorism Information with Local and Tribal Law Enforcement 
Agencies, but Additional Efforts Are Needed, [hyperlink,] (Washington, D.C.: Dec. 18, 

[4] We have three ongoing reviews of terrorism-related information 
sharing that are being conducted based on separate requests from your 
committee, the House Committee on Oversight and Government Reform, and 
the Senate Committee on Homeland Security and Governmental Affairs. 

[5] GAO, Aviation Security: DHS and TSA Have Researched, Developed, 
and Begun Deploying Passenger Checkpoint Screening Technologies, but 
Continue to Face Challenges, [hyperlink, (Washington, D.C.: Oct. 7, 

[6] See GAO, Terrorist Watch List Screening: Efforts to Help Reduce 
Adverse Effects on the Public, [hyperlink,] (Washington, D.C.: Sept. 29, 
2006); [hyperlink,]; Aviation 
Security: TSA Has Completed Key Activities Associated with 
Implementing Secure Flight, but Additional Actions Are Needed to 
Mitigate Risks, [hyperlink,] 
(Washington, D.C.: May 13, 2009); and [hyperlink,]. 

[7] By law, NCTC, which is within the Office of the Director of 
National Intelligence, serves as the primary organization in the U.S. 
government for analyzing and integrating all intelligence pertaining 
to terrorism and counterterrorism, except for intelligence pertaining 
exclusively to domestic terrorists and domestic counterterrorism. See 
50 U.S.C. § 404o(d)(1). 

[8] See [hyperlink,] for 
additional details on the compilation and use of terrorist watchlist 

[9] Sterile areas are generally located within the terminal where 
passengers are provided access to boarding aircraft, and access is 
controlled in accordance with TSA requirements. 

[10] A nonselectee passenger who alarms the walk-through metal 
detector on the first pass is offered a second pass. If the passenger 
declines the second pass, the passenger must proceed to additional 
screening. If the nonselectee passenger accepts the second pass and 
the machine does not alarm, the passenger may generally proceed 
without further screening. 

[11] As discussed later in this statement, agencies generally do not 
use the full terrorist watchlist to screen individuals. Rather, they 
generally use subsets of the full list based on each agency’s mission 
and other factors. 

[12] The White House, Homeland Security Presidential Directive/HSPD-6, 
Subject: Integration and Use of Screening Information (Washington, 
D.C., Sept. 16, 2003). 

[13] The White House, Homeland Security Presidential Directive/HSPD-
24, Subject: Biometrics for Identification and Screening to Enhance 
National Security (Washington, D.C., June 5, 2008). 

[14] The White House, Summary of the White House Review of the 
December 25, 2009, Attempted Terrorist Attack (Washington, D.C., Jan. 
7, 2010). 

[15] The Intelligence Reform and Terrorism Prevention Act of 2004, as 
amended, defines the Information Sharing Environment as “an approach 
that facilitates the sharing of terrorism and homeland security 
information, which may include any method determined necessary and 
appropriate for carrying out [section 1016].” See Pub. L. No. 108-458, 
§ 1016(a)(2), 118 Stat. 3638, 3665 (codified as amended at 6 U.S.C. § 
485(a)(3)). See also Homeland Security Act of 2002, 6 U.S.C. § 482 
(requiring the establishment of procedures for the sharing of homeland 
security information, as defined by this section). 

[16] Of all of the screening databases that accept watchlist records, 
only the No Fly and Selectee lists require certain nomination criteria 
or inclusion standards that are narrower than the “known or 
appropriately suspected” standard of HSPD-6. The most recent guidance 
related to the No Fly and Selectee list criteria was issued in 
February 2009. 

[17] The Homeland Security Council originally was established in 2001 
by executive order and subsequently codified into law by the Homeland 
Security Act of 2002 for the purpose of more effectively coordinating 
the policies and functions of the federal government relating to 
homeland security. See Exec. Order No. 13,228; Pub. L. No. 107-296, 
tit. IX, 116 Stat. 2135, 2258-59 (codified at 6 U.S.C. §§ 491-496). On 
May 26, 2009, the President announced the full integration of White 
House staff supporting national security and homeland security into a 
new “National Security Staff” supporting all White House policy-making 
activities relating to international, transnational, and homeland 
security matters. The Homeland Security Council was maintained as the 
principle venue for interagency deliberations on issues that affect 
the security of the homeland, such as terrorism, weapons of mass 
destruction, natural disasters, and pandemic influenza. 

[18] [hyperlink,]. 

[19] [hyperlink,]. 

[20] [hyperlink,]. 

[21] Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-15 (codified 
at 49 U.S.C. § 44903(j)(2)(C)). 

[22] See 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R. 
pt. 1560). 

[23] [hyperlink,]. 

[24] The identification of critical infrastructure components that are 
not using watchlist records for screening is considered Sensitive 
Security Information that cannot be disclosed in a public statement. 

[25] The White House, Homeland Security Presidential Directive/HSPD-
11, Subject: Comprehensive Terrorist-Related Screening Procedures 
(Washington, D.C., Aug. 27, 2004). 

[26] DHS established the Screening Coordination Office in July 2006 to 
enhance security measures by integrating the department’s terrorist-
and immigration-related screening efforts, creating unified screening 
standards and policies, and developing a single redress process for 

[27] [hyperlink,]. 

[28] According to TSA, this description of the millimeter wave 
technology applies only to the machine manufactured by L3 and does not 
apply to other millimeter wave technologies that TSA is evaluating, 
such as the Smiths millimeter wave AIT. 

[29] Research and development of the AIT technology is continuing, 
specifically, to develop passive terahertz (THz) and active gigahertz 
(GHz) technologies to improve detection performance and reduce 
operational costs of commercially available systems. 

[30] According to TSA, some of the 300 AIT units to be procured in 
fiscal year 2010 will begin to be deployed to airports in the latter 
half of fiscal year 2010. 

[31] TSA classifies the commercial airports in the United States into 
one of five security risk categories (X, I, II, III, and IV). In 
general, category X airports have the largest number of passenger 
boardings, and category IV airports have the smallest. Categories X, 
I, II, and III airports account for more than 90 percent of the 
nation’s air traffic. 

[32] TSA stated that it continues to evaluate possible display options 
that include a “stick figure” or “cartoon-like” form to provide 
greater privacy protection to the individual being screened while 
still allowing the unit operator or automated detection algorithms to 
detect possible threats. 

[33] [hyperlink,]. 

[34] Operational testing refers to testing in an operational 
environment in order to verify that new systems are operationally 
effective, supportable, and suitable. 

[35] GAO, Best Practices: Using a Knowledge-Based Approach to Improve 
Weapon Acquisition, [hyperlink,] (Washington, D.C.: January 

[36] TSA deployed the ETPs from January to June 2006. Since June 2006, 
TSA removed all but 9 ETPs from airports because of maintenance issues. 

[37] See GAO, Transportation Security: TSA Has Developed a Risk-Based 
Covert Testing Program, but Could Better Mitigate Aviation Security 
Vulnerabilities Identified Through Covert Tests, [hyperlink,] (Washington, D.C.: Aug. 8, 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink,]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink,] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 

To Report Fraud, Waste, and Abuse in Federal Programs: 


Web site: [hyperlink,]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: