This is the accessible text file for GAO report number GAO-05-144 entitled 'General Aviation Security: Increased Federal Oversight Is Needed, but Continued Partnership with the Private Sector Is Critical to Long-Term Success' which was released on December 10, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Homeland Security, Committee on Appropriations, House of Representatives: United States Government Accountability Office: GAO: November 2004: General Aviation Security: Increased Federal Oversight Is Needed, but Continued Partnership with the Private Sector Is Critical to Long-Term Success: GAO-05-144: GAO Highlights: Highlights of GAO-05-144, a report to the Chairman, Subcommittee on Homeland Security, Committee on Appropriations, House of Representatives. Why GAO Did This Study: Federal intelligence agencies have reported that in the past, terrorists have considered using general aviation aircraft (all aviation other than commercial and military) for terrorist acts, and that the September 11th terrorists learned to fly at general aviation flight schools. The questions GAO answered regarding the status of general aviation security included (1) What actions has the federal government taken to identify and assess threats to, and vulnerabilities of, general aviation; and communicate that information to stakeholders? (2) What steps has the federal government taken to strengthen general aviation security, and what, if any, challenges does the government face; and (3) What steps have non-federal stakeholders taken to enhance the security of general aviation? What GAO Found: The federal and state governments and general aviation industry all play a role in securing general aviation operations. While the federal government provides guidance, enforces regulatory requirements, and provides some funding, the bulk of the responsibility for assessing and enhancing security falls on airport operators. Although TSA has issued a limited threat assessment of general aviation, and the FBI identified that terrorists have considered using general aviation to conduct attacks, a systematic assessment of threats has not been conducted. In addition, to assess airport vulnerabilities, TSA plans to issue a self- assessment tool for airport operators’ use, but it does not plan to conduct on-site vulnerability assessments at all general aviation airports due to the cost and vastness of the general aviation network. Instead, TSA intends to use a systematic and analytical risk management process, which is considered a best practice, to assess the threats and vulnerabilities of general aviation. However, TSA has not yet developed an implementation plan for its risk management efforts. TSA and the Federal Aviation Administration (FAA) have taken steps to address security risks to general aviation through regulation and guidance, but still face challenges in their efforts to further enhance security. For example, TSA has promulgated regulations requiring background checks of foreign candidates for U.S. flight training schools and has issued security guidelines for general aviation airports. However, we found limitations in the process used to conduct compliance inspections of flight training programs. In addition, FAA, in coordination with TSA and other federal agencies, has implemented airspace restrictions over certain landmarks and special events. However, FAA has not established written policies or procedures for reviewing and revalidating the need for flight restrictions that limit access to airspace for indefinite periods of time and could negatively affect the general aviation industry. Non-federal general aviation stakeholders have partnered with the federal government and have individually taken steps to enhance general aviation security. For example, industry associations developed best practices and recommendations for securing general aviation, and have partnered with TSA to develop security initiatives such as the Airport Watch Program, similar to a neighborhood watch program. Some state governments have also provided funding for enhancing security at general aviation airports, and many airport operators GAO surveyed took steps to enhance security such as installing fencing and increasing police patrols. Examples of General Aviation Aircraft: [See PDF for image] [End of figure] What GAO Recommends: GAO recommends, among other things, that the Transportation Security Administration (TSA) develop a plan for implementing a risk management approach to strengthen general aviation security, and that the Federal Aviation Administration establish a documented process to review and revalidate flight restrictions. TSA and FAA generally concurred with GAO’s recommendations. www.gao.gov/cgi-bin/getrpt?GAO-05-144. To view the full product, including the scope and methodology, click on the link above. For more information, contact Cathleen Berrick, 202-512-8777, Berrickc@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Intelligence Information and Industry Characteristics Challenge TSA's Ability to Identify and Assess Threats and Vulnerabilities and Communicate with General Aviation Stakeholders: TSA and FAA Have Taken Actions to Reduce Security Risks Associated with General Aviation but Face Regulatory and Funding Challenges: Nonfederal Stakeholders Have Taken Steps to Strengthen General Aviation Security: Conclusions: Recommendations for Executive Action: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: Comments from the Transportation Security Administration: Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Staff Acknowledgments: Tables: Table 1: Some Major Industry Associations Representing General Aviation: Table 2: TSA and FAA Regulatory Actions Governing the Screening and Validation of Pilot and Student Pilot Identities: Table 3: Examples of Security Measures Used by Aviation Departments of 55 Fortune 500 Corporations: Figures: Figure 1: Use Categories of General Aviation: Figure 2: Composition of the General Aviation Fleet, 2002: Figure 3: Categories and Numbers of Airports in the United States: Figure 4: Example of a Rural Turf Runway General Aviation Airport (top) and a More Complex Urban General Aviation Airport (bottom): Figure 5: Example of Security Advisory Issued by TSA: Figure 6: TSA Has Established Regulations that Expand Federal Security Requirements from Commercial Air Carriers to Include Some Private and Public Charter Aircraft: Figure 7: Temporary Flight Restriction over the Crawford Ranch in Texas when the President Is Present: Figure 8: Washington, D.C. Air Defense Identification Zone Surrounding the 15-Nautical-mile Radius Flight Restriction Zone: Figure 9: Remaining and Cancelled Security TFRs Over Military Installations: Figure 10: Violations of Temporary Flight Restrictions Have Increased: Figure 11: Sign at St. Mary's Airport in Brunswick, Georgia, Warning General Aviation Pilots to Avoid Restricted Airspace: Figure 12: Airport Watch Program Signs Distributed to General Aviation Airports Around the Country: Figure 13: Examples of Propeller Locks to Prevent Unauthorized Aircraft Use: Abbreviations: CIA: Central Intelligence Agency: FAA: Federal Aviation Administration: FBI: Federal Bureau of Investigation: TFR: temporary flight restrictions: TSA: Transportation Security Administration: United States Government Accountability Office: Washington, DC 20548: November 11, 2004: The Honorable Harold Rogers: Chairman: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: Dear Mr. Chairman: General aviation accounts for three-quarters of all aircraft that take off and land in the United States. These aircraft encompass a wide range of flight operations at nearly 19,000 general aviation airports nationwide.[Footnote 1] According to the National Air Transportation Association, the general aviation industry contributes about $100 billion to the U.S. economy each year and accounts for about 1.3 million jobs. Federal intelligence agencies have reported in the past that terrorists have considered using general aviation aircraft for terrorist acts and that the September 11 terrorists learned to fly at flight schools in Florida, Arizona, and Minnesota. In addition, the 9/ 11 Commission identified concerns that vulnerabilities continue to exist in general aviation. The Transportation Security Administration (TSA), along with other federal agencies, state governments, and the general aviation industry, plays a role in securing general aviation operations. While the federal government provides guidance on threats and vulnerabilities, enforces regulatory requirements, and provides some funding assistance, because of competing needs of commercial aviation security funding and the vastness and diversity of the general aviation network, the bulk of the responsibility for assessing and enhancing security falls on airport operators. This public/private partnership has been strengthened following the terrorist attacks of September 11, in part, through the teaming of TSA and general aviation industry associations by means of the Aviation Security Advisory Committee, which, among other things, helped develop security guidelines for general aviation airports based on industry best practices.[Footnote 2] To assess the status of general aviation security, we answered the following questions: (1) What actions has the federal government taken to identify and assess threats to, and vulnerabilities of, general aviation, and communicate that information to stakeholders? (2) What additional steps has the federal government taken to strengthen general aviation security, and what, if any, challenges does the government face in further enhancing security? (3) What steps have non-federal stakeholders taken to enhance the security of general aviation? Due to TSA's concerns that the public release of our detailed findings could compromise aviation security, we issued a separate restricted report to you detailing the results of our review. This report is intended to summarize, in a publicly releasable form, our overall findings and confirm TSA and the Federal Aviation Administration's (FAA) agreement to take action to better assess the potential for terrorist misuse of general aviation aircraft, improve the communication of terrorist threat information to the general aviation community, help manage security risks associated with access to general aviation aircraft and airspace, and help ensure that temporary flight restrictions issued for indefinite periods of time are reviewed, revalidated, and consistently applied. Information determined to be sensitive has been removed from this report. To determine the actions taken by the federal government to assess and communicate threats and vulnerabilities associated with general aviation, we reviewed federal agency reports and studies sponsored by industry associations, and interviewed federal officials and general aviation industry representatives, including those who provided input to TSA's Aviation Security Advisory Committee Working Group on General Aviation. To identify what additional steps the federal government has taken to address national security risks from general aviation, we obtained and analyzed data from the FAA, including the number of flight restrictions that affect general aviation and information from TSA on efforts to ensure compliance with general aviation regulations and provide security guidelines for airport operators. We sought to determine the reliability of these data by, among other things, discussing methods of inputting and maintaining data with agency officials. On the basis of these discussions, we determined that the data were sufficiently reliable for the purposes of this review. To identify what steps nonfederal aviation stakeholders have taken to enhance the security of general aviation, we judgmentally selected 31 general aviation airports to observe security measures implemented since September 11, 2001, and discuss security-related issues.[Footnote 3] We selected these airports based on characteristics including size, location, and aviation activity.[Footnote 4] Because of the limited number of airports in our sample, and because the selected airports did not constitute a representative sample, the results of our case study analysis cannot be projected to the universe of general aviation airports. We also discussed security issues with selected state aviation officials. In addition, we surveyed a random sample of publicly accessible general aviation airports that are eligible for federal funding to obtain airport managers' views on changes in the security environment in general aviation since September 11.[Footnote 5] We performed our work between October 2003 and August 2004 in accordance with generally accepted government auditing standards. Appendix I provides more details about our scope and methodology of our work. Results in Brief: TSA and other federal agencies have not conducted an overall systematic assessment of threats to, or vulnerabilities of, general aviation to determine how to better prepare against terrorist threats. Although TSA issued a limited assessment of threats associated with general aviation and the Federal Bureau of Investigation (FBI) stated that terrorists have considered using general aviation to conduct attacks, a systematic assessment of threats has not been conducted. In addition, TSA has conducted vulnerability assessments at selected general aviation airports, but agency officials stated that conducting these assessments is costly and, therefore, impractical to do for the 19,000 general aviation airports nationwide. TSA intends to implement a risk management approach to better assess threats and vulnerabilities of general aviation aircraft and airports and, as part of this approach, is developing an online vulnerability self-assessment tool to be completed by individual airport managers. However, we found limitations in the use of the self-assessment tool. Further, TSA has not yet developed a plan with specific milestones for implementing these tools and assessments. Without such a plan, it will be difficult for TSA to (1) monitor the progress of its efforts, (2) hold responsible officials accountable for achieving desired results, and (3) ensure that alternative approaches are considered should the tool not provide sufficient data to provide a desired security baseline of vulnerabilities. TSA has also partnered with industry associations to develop security guidelines that enable general aviation airport managers to assess their own vulnerabilities to terrorist attack, and works through industry associations to communicate threat information. However, industry and state aviation officials we spoke with stated that security advisories distributed by TSA were general in nature and were not consistently received. In part this is understandable because, among other things, the agency relies on other federal agencies for threat information. However, we have found that applying these principles to the extent possible provides organizations like TSA with the best opportunity to achieve desired results. TSA and FAA have taken steps to address security risks to general aviation through regulation and guidance, but still face challenges in their efforts to further enhance security. For example, TSA has developed regulations governing background checks of foreign candidates for U.S. flight training schools and has issued security guidelines for general aviation airports. However, we found limitations in the process used to conduct compliance inspections of flight training programs. Further, should TSA establish new security requirements for general aviation airports, competing funding needs could challenge the ability of general aviation airport operators to meet these requirements. In addition, FAA, in coordination with TSA and other federal agencies, has implemented airspace restrictions over certain landmarks and special events to guard against potential terrorist threats. However, FAA has not established written policies or procedures for reviewing and revalidating the continuing need for extended flight restrictions that limit access to airspace for indefinite periods of time and could negatively affect the general aviation industry. In addition, we found limitations in the process used to allow pilots to fly through security-related flight restrictions. Nonfederal general aviation stakeholders have partnered with the federal government and one another to enhance general aviation security and have individually taken a number of steps to address the threat of misuse of general aviation aircraft. For example, in addition to developing their own sets of best practices and recommendations for securing general aviation aircraft and operations, industry associations have worked with TSA to develop security initiatives such as the Airport Watch program,[Footnote 6] launched jointly by the Aircraft Owners and Pilots Association and TSA, and the TSA Access Certificate program,[Footnote 7] developed by the National Business Aviation Association and currently being evaluated at selected airports by TSA. Some state governments have also provided funding for enhancing security at general aviation airports and established security regulations. For example, New Jersey requires that all aircraft stored at general aviation airports be secured with at least two locks to prevent unlawful access to the aircraft. In addition, many of the general aviation airports we visited and surveyed had taken steps to enhance security such as installing fencing and lighting, and requesting increased local police patrols. Because of the importance of securing general aviation operations and to help address associated challenges, we are making recommendations to the Department of Homeland Security to take four actions to better assess the possibility of terrorists' misuse of general aviation aircraft, better communicate terrorist threat information, and help mitigate security risks to general aviation operations. We are also making a recommendation to the Department of Transportation to take action to ensure that temporary flight restrictions issued for indefinite periods are reviewed and, if appropriate, revalidated and consistently applied. We provided a draft of this report to the Secretary of the Department of Homeland Security, the Secretary of Transportation, the Assistant Secretary of Homeland Security for the Transportation Security Administration, and the Administrator of the Federal Aviation Administration who generally concurred with our findings and recommendations. TSA's written comments are presented in appendix II. Background: General aviation encompasses a wide variety of activities, aircraft types, and airports. About 85 percent of all general aviation hours flown falls into one of five categories of flying activity, as defined by FAA and described in figure 1. The largest of these categories is recreational flying, which is defined as flying for pleasure or personal transportation and not for business purposes. In 2002, recreational flying accounted for about 41 percent of all general aviation hours flown. The remaining categories include activities such as medical services, aerial advertising, aerial mapping and photography, and aerial application of seeds or chemicals.[Footnote 8] Figure 1: Use Categories of General Aviation: [See PDF for image] [End of figure] Various types of aircraft can be used in general aviation operations, including single-engine and multi-engine piston aircraft, turboprops, turbojets, helicopters, gliders, and experimental aircraft. The general aviation fleet in the United States consists of about 211,000 active aircraft. While this fleet is diverse, certain activities are generally associated with specific types of general aviation aircraft. For example, corporate flying generally involves the use of turboprop and turbojet aircraft, while personal and instructional flying generally involves the use of single-engine propeller-driven aircraft. The largest category of general aviation aircraft is single-engine propeller, which in 2002 made up 68 percent of the general aviation fleet. Types of general aviation aircraft and their uses are described in figure 2.[Footnote 9] Figure 2: Composition of the General Aviation Fleet, 2002: [See PDF for image] [End of figure] There are approximately 14,000 private-use and 4,800 public-use general aviation airports in the United States, and about 550,000 active general aviation pilots and instructors. [Footnote 10] Non-U.S. citizens can also possess active student pilot certificates in the United States, according to FAA. Although general aviation aircraft can take off and land at almost any airport, including most of the nation's commercial service airports,[Footnote 11] there is an extensive system of general aviation airports nationwide. Figure 3 identifies the categories of airports in the United States. Figure 3: Categories and Numbers of Airports in the United States: [See PDF for image] [A] According to FAA, commercial service airports are those airports that handle regularly scheduled commercial airline traffic and have at least 2,500 annual passenger enplanements. TSA considers commercial service airports to be those subject to security requirements under 49.C.F.R. part 1542 and by that definition, there are approximately 450 commercial service airports. [End of figure] Public-use general aviation airports can range in size and complexity from the short, grass landing strip in rural areas to the very busy urban airports with multiple paved runways of differing lengths that can accommodate large jet aircraft. Figure 4 illustrates examples of a rural general aviation airport with a grass landing strip and a more complex urban general aviation airport. Figure 4: Example of a Rural Turf Runway General Aviation Airport (top) and a More Complex Urban General Aviation Airport (bottom): [See PDF for image] [End of figure] General aviation industry interests are represented by a variety of national organizations. One of the functions of these organizations is disseminating information from federal agencies to their members. These associations also provide their members with security best practices and recommendations tailored to their members' specific needs. Table 1 provides an overview of some of the largest industry associations and their role in general aviation. Table 1: Some Major Industry Associations Representing General Aviation: Association: American Association of Airport Executives; Who they represent: Airport executives at public use airports. Association: Aircraft Owners and Pilots Association; Who they represent: Pilots and aircraft owners. Association: Experimental Aircraft Association; Who they represent: Recreational aviation enthusiasts and builders. Association: General Aviation Manufacturers Association; Who they represent: Companies manufacturing general aviation aircraft, engines, and component parts. Association: Helicopter Association International; Who they represent: Helicopter operators and manufacturers. Association: National Business Aviation Association, Inc; Who they represent: Companies that own or operate general aviation aircraft as an aid to the conduct of their business or are involved with some other aspect of business aviation. Association: National Agricultural Aviation Association; Who they represent: Licensed commercial applicator-operators that use aircraft to enhance food and fiber production, protect forestry, and control health-threatening pests. Association: National Air Transportation Association; Who they represent: Companies that provide general aviation service including on-demand air charter, fuel and ground services, aircraft maintenance, and pilot training. Association: National Association of State Aviation Officials; Who they represent: Officials in state government aviation agencies. Source: Industry associations. [End of table] Prior to the passage of the Aviation and Transportation Security Act in November 2001, FAA had primary responsibility for securing all civil aviation, including general aviation. Although the act transferred much of that responsibility from FAA to TSA,[Footnote 12] FAA maintains a security role because of its regulatory authority over the imposition of temporary flight restrictions (TFR)[Footnote 13] and its disbursement of grants to fund safety and security enhancements at commercial and general aviation airports. Most of the civil aviation security regulations TSA assumed from FAA did not apply to general aviation, but rather to commercial passenger air carriers and commercial airports.[Footnote 14] Although the security of general aviation airports remains largely unregulated, the Aviation and Transportation Security Act and subsequent laws required TSA to develop additional regulations that affect specific segments of general aviation--flight training schools and certain charter flight operations.[Footnote 15] Among other things, with regard to all modes of transportation, the Aviation and Transportation Security Act also required TSA to: * receive, assess, and distribute intelligence information related to transportation security; * assess threats to transportation security and develop policies, strategies, and plans for dealing with those threats, including coordinating countermeasures with other federal organizations; * enforce security-related regulations and requirements; and: * oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities.[Footnote 16] Intelligence Information and Industry Characteristics Challenge TSA's Ability to Identify and Assess Threats and Vulnerabilities and Communicate with General Aviation Stakeholders: TSA and other federal agencies have not conducted an overall, systematic assessment of threats to, or vulnerabilities of, general aviation to determine how to better prepare against terrorist threats. However, in July 2003, TSA issued a limited assessment of threats associated with general aviation activities. In addition, the FBI stated that intelligence indicates that terrorists have considered using general aviation aircraft in the past to conduct attacks. To determine vulnerabilities, TSA conducted vulnerability assessments at some general aviation airports based on specific security concerns or requests by airport officials, and have conducted less intensive security surveys at selected general aviation airports. To better focus its efforts and resources, TSA intends to implement a risk management approach to assess the threats and vulnerabilities of general aviation aircraft and airports, and conduct on-site vulnerability assessments only at those airports the agency determines to be nationally critical. However, TSA has not yet developed a plan with specific milestones for implementing these tools and assessments. While TSA has partnered with industry associations to develop security guidelines for general aviation airports and communicate threat information to airport operators, we found limitations in the communication of threat information. Industry and state aviation officials we spoke with stated that security advisories distributed by TSA were general in nature and were not consistently received. Risk communication principles provide that specific information on potential threats include--to the extent possible--the nature of the threat, when and where it is likely to occur, over what time period it is likely to occur, and guidance on actions to be taken. Applying these principles presents problems for TSA because, among other things, the agency receives threat information from other federal agencies and that information is often classified. Theft of General Aviation Aircraft Has Been a Concern, but Intelligence on Threats to General Aviation Is Infrequent and Non-specific: Neither TSA nor FBI has conducted an overall systematic assessment of threats to, or vulnerabilities of, general aviation to determine how to better prepare against terrorist threats. In July 2003, TSA issued a brief summary assessment of the threats associated with general aviation. However, the assessment was not widely distributed or made available to general aviation airports or other stakeholders. In 2004, the Secretary of the Department of Homeland Security acknowledged that the department, along with the Central Intelligence Agency (CIA), FBI, and other agencies, lacked precise knowledge about the time, place, and methods of potential terrorist attacks related to general aviation. Additionally, industry and TSA officials stated that the small size, lack of fuel capacity, and minimal destructive power of most general aviation aircraft make them unattractive to terrorists and, thereby, reduce the possibility of threat associated with their misuse. Historical intelligence indicates that terrorists have expressed interest in using general aviation aircraft to conduct attacks. The following are examples of intelligence information indicating terrorist interest in general aviation: * CIA reported that terrorists associated with the September 11 attacks expressed interest in the use of crop-dusting aircraft (a type of general aviation aircraft) for large area dissemination of biological warfare agents such as anthrax. * CIA reported that one of the masterminds of the September 11 attacks originally proposed using small aircraft filled with explosives to carry out the attacks. * In May 2003, the Department of Homeland Security issued a security advisory indicating that al Qaeda was in the late stages of planning an attack, using general aviation aircraft, on the U.S. Consulate in Karachi, Pakistan, and had also planned to use general aviation aircraft to attack warships in the Persian Gulf. The Extent of General Aviation's Vulnerability to Terrorist Attack Is Difficult to Determine: TSA and industry stakeholders we spoke with stated that general aviation airports are vulnerable to terrorist attack. TSA officials stated also that it would be difficult for the agency to systematically conduct on-site assessments of the vulnerabilities of individual general aviation airports to terrorist activities because of the diversity and large number of airports. Officials cited the nearly 19,000 general aviation airports nationwide, noting that each has distinct characteristics that may make it more or less attractive to potential terrorists. TSA's efforts to assess vulnerabilities at specific general aviation airports have been limited. At the time of our review, TSA had conducted vulnerability assessments at selected general aviation airports based on specific security concerns or requests by airport officials. TSA officials stated that the resources associated with conducting vulnerability assessments, and the diverse nature of general aviation airports, makes it impractical to conduct assessments at the approximately 19,000 general aviation airports nationwide, or even the approximately 4,800 public-use general aviation airports. TSA officials said, however, that they had conducted a less intensive security survey at additional general aviation airports. TSA selected these airports, among other things, in preparation for special security events such as the G-8 summit and national Republican and Democratic political conventions. In response to industry requests for federally endorsed security protocols, TSA issued security guidelines in May 2004 meant to enable individual general aviation airport managers to assess their own facility's vulnerability to terrorist attack and suggest security enhancements.[Footnote 17] Although these guidelines were issued after we conducted our survey of general aviation airport managers, we found that the majority of airport managers surveyed stated that they would use a security review/vulnerability assessment tool if it were provided. To produce these security guidelines, TSA partnered with industry associations participating in the Aviation Security Advisory Committee's Working Group on General Aviation Airports Security. The guidelines include an airport characteristic measurement tool that allows airport operators to assess the level of risk associated with their airport to determine which security enhancements are most appropriate for their facility. The guidelines also contain security guidance based on industry best practices. TSA officials emphasized that, because security at general aviation airports is not currently regulated by TSA, the security enhancements suggested by the guidelines are voluntary and are to be implemented at the discretion of the airport manager. While TSA's and general aviation airport managers' assessments at specific general aviation airports have been limited, TSA has identified a number of factors that could make general aviation aircraft and airports vulnerable to exploitation by terrorists. Implementing a Risk Management Approach Could Improve the Assessment of Threats and Vulnerabilities, but TSA Lacks an Implementation Plan: In order to address challenges in assessing threats and vulnerabilities to all modes of transportation--including general aviation--and focusing scarce resources, TSA plans to implement a risk management approach based on assessments of criticality, threat, and vulnerability.[Footnote 18] TSA's risk management approach, as it relates to general aviation security, is summarized below. * TSA plans to use a criticality tool to provide the basis for prioritizing which transportation assets and facilities require additional or special protection. On the basis of a criticality assessment, TSA intends to provide greater security scrutiny to general aviation airports that require special protection. * TSA plans to apply threat scenarios of how terrorists might conduct attacks in specific situations in airport environments to assess threats faced by individual general aviation airports. * TSA is developing an online self-assessment toolintended to help general aviation airport managers develop a comprehensive security baseline for their facility. * TSA is developing a Transportation Risk Assessment and Vulnerability Evaluation tool for conducting on-site assessments of general aviation airports that are deemed to be nationally critical. TSA intends to compile baseline data on security vulnerabilities from these tools and use the data to conduct a systematic analysis of security vulnerabilities at general aviation airports nationwide. TSA officials stated that such an analysis will allow the agency to establish the need, if any, for minimum security standards; determine the adequacy of current security regulations; and help the agency and airports better direct limited resources. They noted that because airports will not be required to use the tool, the usefulness of the data gathered will be dependent on the number of airports voluntarily submitting assessment results to TSA. Despite these plans, however, TSA has not developed an implementation plan with specific milestones for conducting its risk management efforts. These efforts have been under development for over a year and were originally scheduled to have been completed between June and August of 2004. Without a plan that establishes specific time frames for implementation of the tools and assessments, it will be difficult for TSA to monitor the progress of its efforts and hold responsible officials accountable for achieving desired results. Similarly, without a plan that includes estimates of the resources needed to effectively implement the agency's risk management approach, TSA's ability to allocate its resources to areas of greatest need could be impaired. A plan could also address alternative approaches that could be implemented if the extent of voluntary participation of general aviation airport managers does not provide sufficient data needed to establish the desired security baseline of vulnerabilities. TSA Faces Challenges in Applying Risk Communication Principles to Improve the Quality of Threat Information Disseminated to General Aviation Stakeholders: TSA faces challenges in ensuring that threat information is effectively communicated to the general aviation community due to the generality of intelligence information given, and the lack of a current, reliable, and complete list of airport contacts. In addition, intelligence information may be classified or sensitive, thus limiting with whom it can be shared.[Footnote 19] TSA partners with industry associations that are part of a General Aviation Coalition as a primary means for communicating threat information and developing security guidelines for general aviation airport managers.[Footnote 20] Specifically, rather than notifying general aviation airport operators directly, TSA communicates threat advisories to these industry associations, which in turn are to provide it to their members. A majority of general aviation airport managers we surveyed reported that they had at least some contact with nonfederal entities such as state aviation officials or industry associations such as the American Association of Airport Executives or the National Business Aviation Association.[Footnote 21] Additionally, a majority indicated that they had established procedures for disseminating security-related information to airport employees and tenants. TSA issued threat advisories for dissemination by general aviation associations to general aviation airports. However, industry association representatives and state aviation officials we spoke with stated that these security advisories were general in nature and were not consistently received. An example of one of TSA's threat advisories is shown in figure 5 below. Figure 5: Example of Security Advisory Issued by TSA: [See PDF for image] [End of figure] Timely, specific, and actionable information are three key principles of effective risk communication. However, TSA faces inherent challenges in applying risk communication principles because of: (1) the generality of intelligence information received from the intelligence community, (2) a limited capability to identify appropriate officials and airports to receive threat information, and (3) potential restrictions placed on communicating classified or sensitive security information to general aviation stakeholders. Providing threat information to the public or those with a need to know in accordance with these principles is challenging and extends beyond threat communications related to general aviation. The first challenge TSA, along with other federal agencies, faces in applying risk communication principles is the generality of intelligence information and the difficulties the government faces in developing such information. According to TSA, gathering specific threat information is difficult because the threat posed by a particular person or group varies over time with changes in the terrorist organization's structure, objectives, methodologies, and capabilities. Targets also change depending on the security of the target in question; likelihood of success; mission complexity; and potential psychological, emotional, and financial impact of the attack. These variations in groups and targets make predicting how and when a terrorist event could occur difficult. Nonetheless, we have reported that public warning systems should, to the extent possible, include specific, consistent, accurate, and clear information on the threat at hand, including the nature of the threat, location, and threat time frames along with guidance on actions to be taken in response to the threat.[Footnote 22] According to risk communication principles, without adequate threat information, the public may ignore the threat or engage in inappropriate actions, some of which may compromise rather than promote the public's safety. A second challenge faced by TSA in communicating threat information to general aviation airports is the lack of current, reliable, and complete information about who to contact to facilitate communication. General aviation airport operators are widely spread among a diverse range of airports that have historically been subject to little or no federal regulation or contact. As a result, contact information about who the owners or operators of individual airports are may not be complete, current, or readily available. Neither FAA nor TSA maintains a current database with contact information for all general aviation airports. Thus, identifying who should receive threat information at the nearly 19,000 airports poses a significant challenge. While general aviation industry associations typically maintain contact information on their members, association officials stated that when they need contact information on general aviation airports they generally use data from the FAA. A third challenge TSA faces in providing classified threat information to general aviation airport operators is determining which airport officials have a need and clearance to receive classified or sensitive intelligence information. In general, the more detailed and specific the threat information, the more likely the information is classified and, therefore, not available to those without appropriate security clearances. TSA officials said they had sanitized threat information in order to issue the five security advisories to general aviation industry associations in an unclassified format. TSA officials said they had also granted security clearances to individuals at certain industry associations who were willing to undergo the required background check process. However, although TSA has developed the ability to communicate classified threat information to some general aviation industry representatives, the agency still faces limitations on its ability to ensure that airport operators with a need to know have access to classified threat information, and have the appropriate clearances. According to TSA officials, the agency's approach to risk management should improve its ability to communicate threat information to the general aviation community by addressing the three challenges mentioned above. Specifically, once TSA completes threat and criticality assessments and--in coordination with general aviation airport managers--vulnerability assessments, the agency will have a greater sense of the threats that individual general aviation airport managers should be aware of and therefore be able to communicate more useful and specific threat information. Conducting vulnerability and criticality assessments should also help TSA identify airports for which current and reliable contact information is needed, and identify airport officials with a need to know classified threat information. TSA and FAA Have Taken Actions to Reduce Security Risks Associated with General Aviation but Face Regulatory and Funding Challenges: TSA and FAA have taken steps to address security risks associated with general aviation through regulation, guidance, and funding. However, in response to the September 11 attacks, TSA has primarily focused on strengthening the security of commercial aviation and meeting associated congressional mandates. As a result, TSA has dedicated fewer resources to strengthening general aviation security, and both TSA and FAA continue to face challenges in their efforts to further enhance security. For example, TSA has developed a regulation governing background checks of foreign candidates for flight training at U.S. flight schools and issued security guidelines for general aviation airports.[Footnote 23] However, TSA has not yet developed a schedule for conducting inspections or determined the resources needed for monitoring compliance with new regulations. In addition, should TSA establish security requirements for general aviation airports, it may be difficult for airport operators to finance security enhancements independently and federal funding will also be a challenge since general aviation airports' needs must compete with the needs of commercial airports for security funding. FAA, in coordination with TSA and other federal agencies, has implemented airspace restrictions over certain landmarks and events, among other things, to guard against potential terrorist threats. FAA officials said that they intermittently reviewed the continuing need for flight restrictions limiting access to airspace for indefinite periods of time--those established at the request of the Department of Defense and for the defense of the national capital region. However, they had not established written procedures or criteria for revalidating the need for restrictions to ensure such reviews were consistently conducted. In addition, we found limitations in the process used by TSA to review and make recommendations regarding waivers to allow general aviation pilots to fly through security related flight restrictions. DOJ, FAA, and TSA Have Issued Requirements for Student Pilots, but Limitations Exist: Recognizing the threat posed by larger aircraft, whether carrying passengers or cargo, the Department of Justice, in February 2003, issued a requirement that all non-U.S. citizens seeking flight training in aircraft weighing 12,500 pounds or more must undergo a comprehensive background check.[Footnote 24] Both TSA and FAA subsequently issued regulations intended to limit access to aircraft for certain segments of the general aviation community by increasing requirements for background checks of pilots. As table 2 shows, TSA and FAA promulgated new regulations governing the screening and validation of pilot and student pilot identities. Table 2: TSA and FAA Regulatory Actions Governing the Screening and Validation of Pilot and Student Pilot Identities: Date: Feb. 2002; Agency: TSA[A]; New requirement: Individuals must successfully complete a fingerprint- based criminal history records check before serving as a flight crew member. Date: Feb. 2002; Agency: FAA[B]; New requirement: Flight crew operating aircraft to or from College Park Airport, Potomac Airfield, or Washington Executive/Hyde Field must successfully complete a background check by a law enforcement agency and that may include a fingerprint- based criminal history records check. (All three airports are within 15 nautical miles of key landmarks such as the Washington Monument.) Date: Oct. 2002; Agency: FAA[C]; New requirement: All pilots must carry and present picture identification along with their pilot certificates. Date: Jan. 2003; Agency: FAA and TSA[D]; New requirement: FAA may suspend, revoke, or refuse to issue an airman certificate to anyone (any citizen or noncitizen) when notified by TSA after TSA's determination that such a person is a threat to transportation security. Date: July 2003; Agency: FAA; New requirement: FAA began issuing the new certificates made of plastic and incorporating security features such as a hologram of the FAA seal to replace the old paper certificates. Date: Dec. 2003; Agency: TSA[E]; New requirement: All non-U.S. citizens or nationals seeking flight training at a U.S. flight school must undergo a comprehensive background check by TSA, regardless of aircraft weight. Source: GAO's analysis of regulations. [A] 49 C.F.R. §§ 1544.229 & 1544.230. [B] 14 C.F.R. Part 91, SFAR 94. [C] 14 C.F.R. § 61.3. [D] 14 C.F.R. § 61.18 and 49 C.F.R. §§ 1540.115 & 1540.117. [E] Pub. L. No. 108-176, § 612, 117 Stat. @ 2572-74 (TSA has yet to finalize its implementing regulation). [End of table] Prior to September 11, FAA did not require background checks of anyone seeking a pilot license, also referred to as a pilot certificate. In November 2001, the Aviation and Transportation Security Act required that foreign student pilots seeking training in aircraft weighing 12,500 pounds or more undergo a background check by the Department of Justice. Under regulations issued by the Department of Justice, flight training providers are responsible for ensuring that aliens applying for flight training in aircraft weighing 12,500 pounds or more fill out and submit a Department of Justice Flight Training Candidate Checks Program form and are fingerprinted.[Footnote 25] The Foreign Terrorist Tracking Task Force is to perform a criminal history background check of the foreign candidate and notify the flight training provider whether or not the foreign candidate is cleared to receive flight training.[Footnote 26] According to officials from the Foreign Terrorist Tracking Task Force, a number of foreign student pilot candidates have been denied from enrolling in a flight training program between March 17, 2003 and August 18, 2004.[Footnote 27] FAA officials said that in February 2002 they took additional steps to make sure that foreign student pilots who already had student pilot certificates when the new requirements went into effect were checked. In December 2003, the Vision 100--The Century of Aviation Reauthorization Act (Vision 100)[Footnote 28] transferred responsibility for conducting background checks from the Department of Justice to TSA and expanded the background check requirement to include all foreign student pilots regardless of the aircraft's size in which they train.[Footnote 29] TSA has developed a regulation implementing the mandates of Vision 100 and, at the time of our review, planned to publish the final regulation and assume the background check responsibilities from the Department of Justice by September 30, 2004. According to TSA officials, TSA's Alien Flight Student program will be similar to the Department of Justice's Flight Training Candidate Checks Program.[Footnote 30] A key challenge for TSA is fulfilling its responsibility to enforce security related regulations will be monitoring the compliance of flight training programs in the United Sates and Puerto Rico with this new requirement. We found limitations in the monitoring of these flight-training programs. In addition to the Department of Justice regulations governing foreign student pilots, FAA, in July 2002, implemented changes to the process of issuing a U.S. pilot certificate to foreign nationals already holding a pilot certificate from a foreign country.[Footnote 31] Historically, FAA issued pilot certificates to pilots who held licenses issued by nations that are members of the International Civil Aviation Organization based on their foreign license. Members of the organization, including the United States and 187 other nations, (including nations known to sponsor terrorism) agreed to issue private pilot certificates to those holding pilot licenses from other organization member nations without requiring them to undergo skills testing. Because of the destructive potential of larger aircraft, the Aviation and Transportation Security Act directed TSA to promulgate new rules governing security requirements for certain public and private charter operations. Generally, the "twelve-five rule" requires nonscheduled or on-demand charter services (for passengers or cargo) using aircraft weighing 12,500 pounds or more to implement a specific program of security procedures similar to those required of scheduled commercial airlines and public charters.[Footnote 32] Similarly, the "private charter rule" requires private charter services using aircraft weighing 100,309.3 pounds (45,500 kilograms) or more, or that have 61 or more passenger seats, to implement many of the same security procedures required of the major airlines. However, we found that TSA faces challenges in monitoring compliance with these new security regulations. Figure 6 shows that selected existing security requirements have been expanded from commercial air carriers to public and private charter aircraft. Figure 6: TSA Has Established Regulations that Expand Federal Security Requirements from Commercial Air Carriers to Include Some Private and Public Charter Aircraft: [See PDF for image] [A] The sterile area is the portion of an airport defined in the airport security program that provides passengers access to boarding aircraft through the screening of persons and property. [End of figure] Procedures for Determining Continued Need for Temporary Flight Restrictions Have Not Been Developed: Since September 11, 2001, FAA has issued temporary flight restrictions (TFR) for some Department of Defense facilities and for the protection of the national capital region for indefinite periods without a documented process to justify their continuance. FAA imposes TFRs to temporarily restrict aircraft operations within designated areas. Prior to September 11, FAA issued TFRs primarily to safely manage airspace operations during events of limited duration. Since then, however, FAA, in coordination with TSA, the Department of Defense, and the Secret Service, among others, has increasingly used TFRs for the purposes of national security over specific events and critical infrastructure.[Footnote 33] FAA has authority over the U.S. National Airspace System and is the agency responsible for implementing TFRs via the Notice to Airmen system.[Footnote 34] For security-related TFRs, FAA generally requests that TSA's Office of Operations Policy evaluate requests received from federal and nonfederal entities--such as the FBI, the Department of the Interior, and state or local government entities--associated with National Special Security Events and selected sporting events.[Footnote 35] TSA evaluates such requests using security related criteria. Based on their evaluation of requests for selected security-related TFRs, TSA officials will make recommendations to FAA regarding whether the TFR should be issued. On the basis of this information, FAA will make a determination whether to issue the TFR through the Notice to Airmen system. The Number, Size, and in Some Cases Duration of TFRs Has Increased since September 11, 2001: According to FAA officials, prior to September 11, 2001, TFRs were rarely issued for security purposes. Since then, however, FAA has issued numerous TFRs for the purpose of national security as a result of increased focus on aviation security. FAA officials stated that Notices to Airmen and other records of TFRs were historically not kept after the restrictions were removed, thus they were unable to provide accurate information on the number of TFRs issued for national security purposes prior to September 11, 2001. Since that time, however, FAA officials said the agency had issued approximately 220 Notices to Airmen and associated TFRs. The size--that is, the amount of airspace restricted both vertically and laterally--of some TFRs has increased. For example, prior to September 11, TFRs for presidential visits had a radius of 3 nautical miles with a ceiling of 3,000 feet.[Footnote 36] Since then, presidential TFRs have had a radius of 30 nautical miles, with a ceiling of 18,000 feet.[Footnote 37] The rationale for increasing the size of presidential TFRs, according to FAA, was based on the difficulty the military might have in preventing an airborne attack on the President once an aircraft was within the 3-nautical mile zone. Figure 7 illustrates the area now covered by a presidential TFR over the Crawford Ranch in Texas when the President is in residence. Figure 7: Temporary Flight Restriction over the Crawford Ranch in Texas when the President Is Present: [See PDF for image] [End of figure] In the case of the national capital region and selected military installations, the duration of TFRs implemented for national security reasons has been put in place and subsequently extended for indefinite periods of time. For example, temporary flight restrictions in and around the national capital region were established shortly after September 11 and according to FAA officials, no set date has been established for their removal. These restrictions in and around Washington, D.C., are the flight-restricted zone and the Washington, D.C. Metropolitan Air Defense Identification Zone, as shown in figure 8.[Footnote 38] Figure 8: Washington, D.C. Air Defense Identification Zone Surrounding the 15-Nautical-mile Radius Flight Restriction Zone: [See PDF for image] Note: The Air Defense Identification Zone consists of three overlapping zones centered on the regions three major airports--Baltimore- Washington International, Dulles International, and Reagan National Airport--and extends approximately 30-nautical miles in all directions. [End of figure] In addition, FAA issued 21 TFRs around various military facilities throughout the country because of security concerns at these facilities after the terrorist attacks of September 11. While 8 of these TFRs have since been canceled, 13 were still in effect as of July 27, 2004, with no scheduled date for removal or documented analysis to justify their continued need. According to FAA officials, the agency plans to convert 11 of these areas to national security areas.[Footnote 39] Once FAA publishes revised aeronautical charts reflecting the new, permanent advisories recommending that pilots avoid the airspace, FAA officials said they plan to cancel the TFRs. In January 2004, FAA issued proposals for converting the remaining two TFRs to permanently prohibited airspace (where no flights are permitted). At the time of our review, FAA was still reviewing comments on the proposal to permanently restrict the surrounding airspaces. Figure 9 shows the status of security-related TFRs FAA established over military installations since September 11. Figure 9: Remaining and Cancelled Security TFRs Over Military Installations: [See PDF for image] [End of figure] TFRs May Negatively Affect the General Aviation Industry: TSA, FAA, and general aviation industry stakeholders we spoke with stated that TFRs negatively affect primarily general aviation operators and airports. According to aviation industry representatives we contacted and FAA, the increase in the number, size, and duration of TFRs and, at times, limited notice given prior to their establishment since September 11 has resulted in numerous inadvertent violations of restricted airspace. For example, the Washington, D.C. Air Defense Identification Zone has been violated over 1,000 times, constituting over 40 percent of all TFR violations since September 11, 2001. As figure 10 shows, since September 2001, the number of violations of all TFRs has increased dramatically. General aviation has accounted for most TFR violations committed within U.S. airspace. Further, about 95 percent of all TFR violations occurred in airspace secured for either presidential security or other national security purposes. Figure 10: Violations of Temporary Flight Restrictions Have Increased: [See PDF for image] [End of figure] Although no TFR violations have been shown to be terrorist related, violators are subject to disciplinary action. According to FAA officials, violations of a TFR typically result in a suspension of the pilot's certificate ranging anywhere from 15 days to 90 days. They said that the most common reason for TFR violations is pilots not reading the Notices to Airmen for the flight area, a required preflight procedure. Other reasons for violations included weather problems, mechanical failures, and pilot in-flight disorientation (i.e., getting lost). FAA officials stated that the number and severity of disciplinary actions imposed on pilots violating TFRs have increased since September 11. However, FAA officials were unable to provide statistical information on the number and severity of disciplinary actions for pilots violating TFRs before or since September 11. The imposition of TFRs can also have an economic impact on general aviation operations.[Footnote 40] TSA, FAA, and industry associations we spoke with stated that the costs associated with restricting airspace can be significant. The National Business Aviation Association commissioned a study to estimate the economic impact TFRs have had on general aviation since September 11.[Footnote 41] While we did not independently assess the validity of the association's assumptions or calculations, the study estimated that general aviation passengers and firms lost over $1 billion because of increased costs to passengers and lost revenues and additional operating costs for general aviation firms.[Footnote 42] We visited St. Mary's Airport in Brunswick, Georgia, to discuss the economic impact of TFRs with an affected general aviation airport operator.[Footnote 43] St. Mary's is located approximately 3 miles south of the Kings Bay Naval Base, where FAA issued a security-related TFR shortly after September 11. The airport operator stated that the loss of much of the general aviation traffic through his airport resulting from the TFR had significantly reduced his ability to generate revenue to sustain operations. According to the operator, the airport's proximity to the TFR around the base significantly deters pilots from using the airport. Other airport operators we visited that were affected by TFRs also cited their negative economic impacts. A sign warning pilots to avoid restricted airspace near the St. Mary's Airport is pictured in figure 11. Figure 11: Sign at St. Mary's Airport in Brunswick, Georgia, Warning General Aviation Pilots to Avoid Restricted Airspace: [See PDF for image] [End of figure] Although TFRs may have economic and other negative impacts on the general aviation industry, FAA did not establish a systematic process for periodically reviewing the continuing need for TFRs over the national capital region and the 13 TFRs over military installation, or determine the long-term economic or other impacts on general aviation operations of these restrictions. While FAA officials said they frequently reviewed TFRs on an informal basis, they did not conduct routine assessments of the continuing need for indefinite TFRs based on a consistent, documented set of criteria or determine the impact of these restrictions on general aviation. In June 2004, FAA officials, in reporting to Congress on the Air Defense Identification Zone, did not cite specific criteria or the process used to determine the continuing need for the restrictions. Instead, FAA based its report primarily on unspecified security reasons submitted by TSA. TSA officials cited the continuing threat posed to the national capital region by organizations such as al Qaeda. While the air defense identification zone around the national capital region is unique, it is possible that future circumstances may warrant the issuance of other temporary flight restrictions of indefinite duration. Without documented procedures and criteria, FAA cannot ensure that future reviews of flight restrictions issued for indefinite periods are properly conducted, or consistently ensure that restrictions on airspace are still needed. We also found that TSA and FAA were limited in their ability to mitigate the threat of airborne attack. This is a result of limitations in airspace restrictions, and the practice of granting pilots waivers to enter temporarily restricted airspace. Enhancing Security at General Aviation Airports Is Difficult because of Funding Challenges: Enhancing general aviation security is difficult because of funding challenges faced by the federal government and general aviation airport operators. General aviation airports have received some federal funding for implementing security upgrades since September 11, but have funded most security enhancements on their own. General aviation stakeholders we contacted expressed concern that they may not be able to pay for any future security requirements that TSA may establish. In addition, TSA and FAA are unlikely to be able to allocate significant levels of funding for general aviation security enhancements, given competing priorities of commercial aviation and other modes of transportation. About 3,000 general aviation airports are eligible to receive FAA Airport Improvement Program grants.[Footnote 44] General aviation airports can use Airport Improvement Program grant funds for projects that provide safety and security benefits. For example, 6 of the 31 airport managers we interviewed, including one of the largest general aviation airports in the country, said they used Airport Improvement Program grants to pay for some of their security enhancements after September 11, 2001. In fiscal year 2002, general aviation airports received $561 million in Airport Improvement Program grants, of which $3.2 million (or about 0.6 percent) was awarded for security projects, and in fiscal year 2003, $680 million, of which $1.3 million (or about 0.2 percent) was awarded for security projects.[Footnote 45] Because general aviation airports are generally not subject to any federal regulations for security,[Footnote 46] in order to meet eligibility requirements for their grants, general aviation airport projects are generally limited to those related to safety but have security benefits, such as lighting and fencing, as well as the acquisition and use of cameras, additional lighting, and motion sensors.[Footnote 47] FAA officials stated that if new security requirements were established for general aviation airports, security-related enhancement projects related to these requirements would be eligible and receive priority for Airport Improvement Program funding. However, given the competing demands of commercial airports, the large number of general aviation airports eligible for such funding, and the limitations of the Airport Improvement Program,[Footnote 48] funding could be uncertain for general aviation airport operators to meet any new security-related requirements. The Office for Domestic Preparedness within the Department of Homeland Security administers two grant programs that could benefit general aviation airports--the State Homeland Security Grant Program and the Urban Areas Security Initiative.[Footnote 49] Under these programs, states may purchase equipment to protect critical infrastructure, including equipment for general aviation airports, if the state declares general aviation airports critical infrastructures. During the course of our review, we learned of one state that plans to spend a small amount of Department of Homeland Security grants to improve the security of general aviation airports. According to officials in Wisconsin, the state plans to use at least $1.5 million of its $41 million Homeland Security Grant in 2004 to enhance security at general aviation airports located along the Great Lakes. Vision 100 also authorized the Department of Homeland Security to establish a $250 million Aviation Security Capital Fund administered by TSA to alleviate some of the demand on the Airport Improvement Program for security enhancement grants. Of this amount, $125 million is discretionary, with priority given to the installation of baggage- screening equipment at commercial airports while the balance is allocated by formula based on airport size and other security considerations. TSA officials noted that Congress did not provide an appropriation for fiscal year 2004 for the fund. If Congress decides to make appropriations in the future for these purposes, general aviation airports will still have to compete with commercial airports for this discretionary funding. Given the extent of unmet security funding needs at commercial airports, it seems unlikely that a significant proportion of funding would be available for general aviation. For example, estimates to install explosive detection system machinery with commercial airport baggage systems range from $3 billion to $5 billion. At the time of our review, $1.2 billion had been appropriated for this effort, and according to the House Committee on Appropriations, airports will be funded, at best, for about half of their installation needs. Even if funds were available, TSA would face a challenge in establishing and prioritizing security projects eligible for Aviation Security Capital Fund grants across a wide spectrum of general aviation airports with diverse characteristics. Although funding is limited for airport improvement, someairport managers we spoke with said they had expended thousands or hundreds of thousands of dollars for security in order to attract more tenants to their facility or to retain their existing tenants. Nonfederal Stakeholders Have Taken Steps to Strengthen General Aviation Security: Nonfederal stakeholders with an interest in general aviation security- -including industry associations, state governments, general aviation airport operators (owners and managers), and users of general aviation airports and aircraft--have taken steps to strengthen the security of general aviation airports and operations. Industry associations have developed and provided recommendations on best practices for enhancing security around general aviation airports, have partnered with the federal government to develop federally endorsed security guidelines, and have sponsored and provided training for their own voluntary security programs. Some states also have suggested best practices, established regulations, and provided funding to general aviation airports to reduce security vulnerabilities. General aviation airport operators and tenants, such as air charter services, have also implemented policy and procedural measures to restrict access to airport property and aircraft. Many airports we visited and surveyed had installed physical security enhancements, such as fencing, lighting, surveillance cameras, and electronic access control gates, and had hired additional security guards. General aviation aircraft owners have also taken steps to protect their aircraft from misuse. Industry Associations Have Provided General Aviation Airport Operators Guidance on Security Practices and Made Recommendations to TSA: Many of the general aviation industry associations we contacted had developed guidance to help enhance the security of general aviation operations and airports. For example, the following are some of the recommendations or best practices designed to strengthen security at general aviation airports made by some of the members of the Aviation Security Advisory Committee's Working Group on General Aviation Airports Security:[Footnote 50] * Posting signs at general aviation airports warning against unauthorized use of aircraft. * Securing aircraft when unattended using existing mechanisms such as door locks, keyed ignitions, and locked hangars to protect aircraft from unauthorized use or tampering. * Controlling vehicle access to areas where aircraft operate by using signs, fences, or gates. * Installing effective outdoor lighting to help improve the security of aircraft parking, hangar, and fuel storage areas, as well as airport access points. * Allowing local law enforcement operational space at the airport to provide a security presence that serves as a natural deterrent to terrorism. Several general aviation industry associations, in partnership with TSA, have also initiated their own voluntary security programs to address the security of general aviation operations and airports. For example: * The Aircraft Owners and Pilots Association, working with TSA, established and operates the Airport Watch program. The program was formed in March 2002--similar in concept to a neighborhood watch program--to improve general aviation airport community awareness. Through the program, the association provides warning signs for airports, informational literature, and training videotapes to educate pilots and airport employees on how the security of their airports and aircraft can be enhanced. TSA operates a toll-free hotline (866-GA- SECURE) where airport operators, managers, and pilots can report suspicious activity to TSA. In May 2004 the hotline began receiving calls regarding a variety of airport users' concerns of suspicious activities or individuals in and around general aviation airports. Figure 12 shows an example of the posters identifying the hotline TSA provides to general aviation airports. Figure 12: Airport Watch Program Signs Distributed to General Aviation Airports Around the Country: [See PDF for image] [End of figure] * The National Business Aviation Association developed a set of security procedures that corporate aircraft operators can put into place to increase the security of their operations. In January 2003, the association, in partnership with TSA, initiated a pilot project, called the TSA Access Certificate program, at Teterboro Airport in New Jersey for operators who had established these procedures in a security program and had their security program reviewed and approved by TSA. TSA approval allows operators to operate internationally without the need of a waiver each time they enter the country.[Footnote 51] (In August 2003, TSA expanded the program to include corporate aircraft operators based at Morristown, New Jersey, and White Plains, New York.) According to association officials, the concept of a TSA-approved security program could be applied to other types of general aviation operations. Officials also stated that one operator of a single general aviation aircraft applied for and received a TSA access certificate to operate internationally.[Footnote 52] * The National Agricultural Aircraft Association created a program to educate aerial application pilots on safety and security issues (the Professional Aerial Applicators Support System).[Footnote 53] According to association officials, the training program qualifies operators in most states to meet continuing education requirements needed to maintain state agricultural aviation licenses. In addition to providing security guidance and developing security programs, 10 general aviation industry associations worked together to make security recommendations to TSA to help prevent the unauthorized use of general aviation aircraft in a terrorist attack. The group met throughout the summer of 2003 to review and discuss numerous general aviation airport security recommendations and evaluated each recommendation for its appropriateness and effect on enhancing security at general aviation airports. On the basis of this review, the group issued a report to TSA on suggested security guidelines.[Footnote 54] States We Visited Varied in Their Efforts to Address General Aviation Vulnerabilities: We visited 10 states and found that their efforts to enhance general aviation security reflected a range of activities. Some states had implemented new requirements for security, funded security enhancements, or provided guidance on best practices. Specifically, 2 of the 10 states we visited had imposed requirements for general aviation airports and aircraft owners and operators since September 11, 2001.[Footnote 55] * In July 2002, the Massachusetts Aeronautics Commission issued a requirement that all airport employees--including general aviation airport employees--wear special photo identification badges. According to state officials, the badges enable airport personnel to distinguish between those who are, and are not, authorized to be on airport property. * In March 2003, the Governor of New Jersey issued an executive order that directed aircraft owners and operators who use the state's 486 licensed general aviation facilities to take steps to limit access to aircraft. Called the "two-lock rule," the executive order requires that all aircraft parked or stored at a general aviation facility in New Jersey for more than 24 hours be protected by a minimum of two locks that secure or disable the aircraft to prevent illegal or unlawful operations. Four of the 10 states we contacted provided funding for security enhancements at general aviation airports. This funding, however, was generally limited to matching funds for federal grants used to install measures that had both a safety and a security benefit, such as airport perimeter fencing and lighting projects. Some states had grant programs that could be used strictly for security enhancements: * For fiscal years 2002 through 2004, Georgia's Department of Transportation Aviation Programs provided a total of $1,174,000 in grants to general aviation airports for fencing, lighting, and electronic card-reader gates. * In February 2002, Tennessee's Aeronautics Commission issued a policy that the state would provide 90 percent of the cost (not to exceed a total of $50 million annually) on security-related projects at general aviation airports. Eligible projects include security fencing and gates, signage, security lighting and motion sensors, and surveillance cameras and monitors. * In 2003, the State of Washington established a $2 million annual matching grant program for general aviation airport security enhancements funded by proceeds from the state's aviation fuel tax. * In 2004, Virginia appropriated $1.5 million to the state's Department of Aviation specifically for security upgrades at general aviation airports. * California's Aviation Division established a grant program for research and development projects that could fund security enhancements at general aviation airports. However, the Aviation Division's budget has not been sufficient to provide any grants from the program over the past 3 years. One of the 10 states we contacted provided guidance on security best practices, while 2 others provided guidance on preparing airport- specific security plans and self-assessments of vulnerabilities. In 3 of the 10 states, the incentive for airports to develop security plans is tied to funding eligibility. * In March 2003, Virginia's Aviation Department Director issued a set of best practices and later established a voluntary security certification program, encouraging airports to assess their vulnerabilities and develop airport-specific security plans. * In May 2002, Tennessee's Aeronautics Division issued guidance on developing an airport emergency and security plan. * In April 2003, Washington's Aviation Division issued security guidelines for general aviation airports based on recommendations from a task force of pilots, general aviation associations, airports, law enforcement, and government agencies. General Aviation Airport Managers and Aircraft Owners Are Primarily Responsible for Security Enhancements: Unlike commercial service airports, general aviation airports are not subject to current federal security regulations,[Footnote 56] and, therefore, general aviation managers and aircraft owners determine what security measures they will use to protect their assets. To determine security measures undertaken since September 11, we judgmentally selected and visited 31 general aviation airports in 10 states open to the public and part of FAA's National Plan of Integrated Airports.[Footnote 57] Airport managers we contacted reported spending as little as $10 for providing forgery-proof identification badges for airport employees to as much as $3 million on, among other voluntary measures at one airport, fencing and around-the-clock security guards. In our survey, about a third (36 percent) of managers reported that funds to pay for security improvements had come from airport revenues, while about a fifth reported receiving federal grants (21 percent) and a fifth reported receiving state grants (22 percent) to finance security improvements.[Footnote 58] According to 18 of the 31 airport managers and 3 of 5 tenants (e.g., fixed base operators)[Footnote 59] we visited, the security measures and practices they implemented following the September 11 attacks were self-initiated, common sense kinds of measures that were expected by the public and their clients to help protect property from vandalism or theft. Many of these measures were no-cost or low-cost security enhancements based primarily on procedural changes. For example, for those airports that did not have formal written security plans, airport managers said they generally discussed security issues with their tenants on a regular basis through meetings and e-mails. Other airports that had formal written security plans or procedures updated those security plans and procedures based on recommendations from industry associations. Some of the 31 airport managers we visited said they had arranged for more frequent patrols by local law enforcement officers since September 11, some for no cost to the airports. Many of the airports we visited had implemented an "airport watch" program--similar to neighborhood watch programs--and displayed signs designed and provided by the Airline Owners and Pilots Association, as discussed above. Other airports absorbed the cost of installing new signs warning against trespassing. Our survey of airport managers identified an increase in the use of security awareness training since September 11. For those aircraft owners who do not store their aircraft in a hangar, forms of securing their aircraft from unauthorized use include attaching devices to propellers, known as "prop locks," to prevent them from rotating; and devices to cover throttle levers, known as "throttle locks," to prevent someone from being able to start the aircraft. Figure 13 shows two kinds of prop locks aircraft owners use. According to airport and state aviation officials, prop locks range in cost from about $150 to about $300. Figure 13: Examples of Propeller Locks to Prevent Unauthorized Aircraft Use: [See PDF for image] [End of figure] Several of the airport managers we visited had invested in high-cost security measures to minimize access by potential criminals and terrorists to airport property and, thus, tenants' aircraft. Specifically, airport officials we visited had obtained federal or state grant assistance for purchasing additional fencing and lighting or purchasing high-tech surveillance cameras. However, several airport managers and tenants considered additional security a cost of conducting business in the post-September 11 environment. Airports officials generally said that they spent between $25,000 and $500,000 on security enhancements such as fencing, lighting, and electronic access gates. While airport officials said they would like to add more security enhancements, they were reluctant to spend much more on enhancing security until TSA issued guidance on what security measures, or combination of security measures, TSA considers appropriate. (As noted previously, TSA issued security guidelines with recommended enhancements in May 2004, after the majority of our site visits.) Officials from the National Business Aviation Association said that corporate aviation departments are more likely to take high-cost measures to protect their aircraft. For example, some of the large member corporations had provided information on the types of security measures they used before September 11, to protect their aircraft from tampering, theft, or hijacking. According to the association, these included the types of security initiatives shown in table 3. Table 3: Examples of Security Measures Used by Aviation Departments of 55 Fortune 500 Corporations: All aircraft are stored in hangars: All hangars are closed and monitored with security systems when the area is unattended. All aircraft are stored in hangars: Mechanics are all company employees or vetted contractors. All aircraft are stored in hangars: Visitors are personally escorted. All aircraft are stored in hangars: Aviation facilities are restricted by an access control system. All aircraft are stored in hangars: Aircraft doors are kept closed and locked when the aircraft is in a secure hangar. All aircraft are stored in hangars: Comprehensive background investigations are conducted for flight crew personnel. Source: National Business Aviation Association. [End of table] Conclusions: From its inception, TSA has primarily focused its efforts on enhancing commercial aviation security to prevent aircraft from again being used as weapons. The amount of TSA's resources and the vastness and diversity of the general aviation airport system mean the bulk of the responsibility for determining vulnerabilities and instituting security enhancements has fallen and will likely continue to fall on airport operators. As the 9/11 Commission concluded, homeland security and national preparedness often begins with the private sector. While the federal government can provide guidance and some amount of funding for security enhancements, long-term success in securing general aviation depends on a partnership among the federal government, state governments, and the general aviation industry. Even with such a partnership, enhancing security at general aviation airports presents TSA and the general aviation community with challenges that will not be easily or quickly resolved. For example, TSA's planned risk management approach for general aviation could assist the agency in providing guidance and prioritizing funding for security enhancements by assessing vulnerabilities and threats to better target its efforts. However, without a documented implementation plan for assessing threats and vulnerabilities that sets forth time frames and goals and the resources needed to achieve these goals, there is limited assurance that TSA will focus its resources and efforts on areas of greatest need, monitor the progress of its efforts, and hold responsible officials accountable for achieving desired results. In addition, completing vulnerability and threat assessments in partnership with general aviation airports should help TSA better communicate threat information. However, because TSA must rely on other federal agencies to provide threat information and follow federal requirements governing disclosure of classified information, it is difficult for TSA to adhere to risk communication principles, particularly in providing specific and actionable information. Nevertheless, effective communication of threat information is important because misallocation of limited resources and disruption of operations are possible effects of communicating nonspecific or incorrect threat information. While TSA and FAA have promulgated regulations to help reduce security risks associated with access to aircraft and airspace, the intended security benefit of these regulations may be limited for a variety of reasons. For example, we found limitations in TSA's process for monitoring flight training providers and operators of private charter aircraft, and in granting waivers to pilots to fly through security related flight restrictions. In addition, FAA has not documented its process for reviewing and revalidating the need for continuing security-related flight restrictions on airspace that are established for indefinite periods. Without plans for monitoring compliance or procedures to document agency processes, TSA and FAA cannot ensure that these regulations achieve their intended effect or minimize the negative impacts of the regulations on affected general aviation industry stakeholders. Recommendations for Executive Action: To better assess the threat of terrorists' misuse of general aviation aircraft and to improve the quality of communicating terrorist threat information to the general aviation community, we recommend that the Secretary of the Department of Homeland Security direct the Assistant Secretary of Homeland Security for the Transportation Security Administration to take the following two actions: * Develop an implementation plan for executing a risk management approach that will help identify threats and vulnerabilities. Such a plan should include milestones, specific time frames, and estimates of funding and staffing needed to focus its resources and efforts on identified airports. * After identifying the most critical threats and vulnerabilities, apply risk communication principles, including to the extent possible the nature of the threat, when and where it is likely to occur, over what time period, and guidance on actions to be taken--in developing and transmitting security advisories and threat notifications. To help ensure that temporary flight restrictions issued for indefinite periods are reviewed and, if appropriate, revalidated and consistently applied, we recommend that the Secretary of the Transportation direct the Administrator of the Federal Aviation Administration to establish a documented process to justify the initiation and continuance of flight restrictions for extended periods. In our restricted report, we also made two recommendations to the Secretary of the Department of Homeland Security regarding monitoring compliance with regulations governing the identification of student pilots, their training, and the operation of certain general aviation aircraft; and the process for granting pilots waivers to enter restricted airspace. Agency Comments: We provided draft copies of this report to the Department of Homeland Security, the Department of Transportation, the Transportation Security Administration, and the Federal Aviation Administration for their review and comment. TSA generally concurred with the findings and recommendations in the report and provided formal written comments that are presented in appendix II. TSA provided technical comments that we incorporated as appropriate. FAA also generally concurred with the findings and recommendations in the report and provided technical comments that we incorporated as appropriate. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the date of this report. At that time, we will send copies of this report to the Secretary of the Department of Homeland Security, the Secretary of the Department of Transportation, the Assistant Secretary of Homeland Security for the Transportation Security Administration, and the Administrator of the Federal Aviation Administration and interested congressional committees. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov. If you or your staff have any questions about this report or wish to discuss it further, please contact me at (202) 512-8777 or at berrickc@gao.gov, or Chris Keisling, Assistant Director, at (404) 679- 1917 or at keislingc@gao.gov. Key contributors to this report are listed in appendix III. Sincerely yours, Signed by: Cathleen A. Berrick: Director, Homeland Security and Justice Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: To determine what steps the federal government has taken to identify and assess threats to and vulnerabilities of general aviation, and communicate that information to stakeholders, we interviewed individuals in the Transportation Security Administration's (TSA) Office of Transportation Security Policy, Office of Operations Policy, and General Aviation Operations and Inspections Office on TSA's role in enhancing general aviation security. Individuals from these offices provided documentation on TSA's threat assessment efforts as well as its past vulnerability assessment activities and future vulnerability assessment plans. We examined documentation on TSA's means of obtaining intelligence information and disseminating that information to general aviation stakeholders. We also interviewed individuals from FAA's Special Operations Division and Airspace and Rules Division on their roles in securing general aviation. We examined documentation from the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) on intelligence regarding potential terrorist misuse of general aviation. In addition, we examined documentation from TSA and FBI on the reasons general aviation may be vulnerable to terrorist misuse. We also spoke to staff in and examined documentation from TSA's Office of Threat Assessment and Risk Management to obtain information on plans to implement a risk management approach to further assess threats and vulnerabilities and to enable the agency to implement risk communication principles to communicate threat information. To determine what steps the federal government has taken to strengthen general aviation security, and what, if any, challenges the government faces in further enhancing security, we obtained and analyzed information from Federal Aviation Administration (FAA), including data on the number of flight restrictions that affect general aviation and the amount of federal funding that has been spent on enhancing general aviation security. We sought to determine the reliability of these data by, among other things, discussing methods of inputting and maintaining data with FAA officials. We spoke to TSA officials about, and examined related documentation on, security guidelines published by TSA, including documentation on TSA's activities with the Aviation Security Advisory Committee's Working Group on General Aviation Airports Security. We interviewed general aviation industry representatives, including those who provided input to the TSA-sponsored Aviation Security Advisory Committee's Working Group on General Aviation Airports Security, to obtain their views on federal efforts to enhance general aviation security. We also interviewed individuals from TSA's Office of Compliance on the promulgation of regulations as a result of the passage of the Aviation and Transportation Security Act, as well as TSA's plans for ensuring operator compliance with these regulations. We interviewed personnel from FAA's Special Operations Division regarding FAA's issuance of temporary flight restrictions, including the criteria and internal controls FAA uses to examine requests for these restrictions from federal and nonfederal entities. As part of this analysis, we took steps to verify the reliability of data from FAA on the number of violations of temporary flight restrictions. We interviewed FAA and TSA officials on potential limitations of the effectiveness of these flight restrictions. We also contacted the Director of the Foreign Terrorist Tracking Task Force on efforts to screen foreign students applying for flight training in the United States. We examined potential sources of funding for additional security measures at general aviation airports, including challenges associated with limited funding. To determine the actions individual general aviation airport managers have taken to enhance security at their airports, we visited 31 general aviation airports in 10 states. We judgmentally selected these 31 airports to observe a cross section of general aviation airports. However, we limited our selection of general aviation airports to the 2,829 listed in FAA's National Plan of Integrated Airport Systems, because these airports are eligible for FAA funding and are open to use by the general public. The remaining 16,000 general aviation airports are generally privately owned and not open to use by the public, and/or are small landing strips with fewer than 10 based aircraft, and are not eligible for federal funding. To ensure we selected a cross section of general aviation airports listed in the National Plan, we based our selection on: 1. Size, using the number of based aircraft as an indicator--100 or more aircraft we considered large, 25 to 99 medium, and 24 or fewer small. 2. Regional location--northeast, northwest, southeast, and southwest areas of the country. 3. Proximity to potential terrorist targets such as large population centers versus sparse population areas, as well as near to and far from other critical infrastructures and symbolic landmarks. 4. Airport characteristics, including number, length, and type (turf or paved) of runways, and primary types of general aviation operations such as recreational aviation, business and corporate aviation, charter services, and flight training. Because we judgmentally selected these general aviation airports, we cannot draw generalized conclusions based on airport managers' interview responses. However, the anecdotal information provided is intended to complement the findings of our random survey of 500 general aviation airports. To obtain examples of what some states have done to enhance general aviation security, we judgmentally selected 10 states with efforts to enhance general aviation security ranging from issuing new security requirements to those in the early stages of determining how they would address general aviation security. To select this range of states, we conducted a literature search to determine which states had proposed or enacted new security laws, regulations, or requirements. We also requested recommendations from the National Association of State Aviation Officials and other industry associations such as the Aircraft Owners and Pilots Association, and noted which state aviation directors had participated in the National Association of State Aviation Officials' Task Group on General Aviation Security. We also considered whether a state participated in FAA's block grant program in which FAA provides airport improvement program grant money to a state in a lump sum and the state determines which airport projects to fund, rather than each airport applying directly to FAA for grant funds on a project-by-project basis. Finally, on the basis of our resources, we considered those states in which we also planned to visit general aviation airports. Because we did not randomly select the states in which we obtained information, we cannot draw generalized conclusions about all states. However, the information obtained from these 10 states serves to provide examples of what some states have done to enhance general aviation security. [End of section] Appendix II: Comments from the Transportation Security Administration: Office of the Assistant Secretary: U.S. Department of Homeland Security: 601 South 12th Street: Arlington, VA 22202-4220: Transportation Security Administration: OCT 26 2004: Ms. Cathleen Berrick: Director, Homeland Security & Justice Issues: U.S. Government Accountability Office: 441 G Street, N.W.: Washington, D.C. 20548: Dear Ms. Berrick: The Transportation Security Administration (TSA) would like to thank the Government Accountability Office (GAO) for the report entitled, " GENERAL AVIATION SECURITY. Increased Federal Oversight Is Needed, But Continued Partnership with Private Sector is Critical to Long-Term Success," GAO-05-144 (Job Code 440352). The report offers a welcome review of the General Aviation community and contributes to the broad understanding of the security environment for the 19,000 General Aviation airports, 211,000 active aircraft, and 550,000 active pilots and instructors. TSA generally concurs with the GAO findings. TSA would like to emphasize the vastness of the General Aviation community when contemplating proposed security initiatives. For example, there are approximately 300 sea and river ports and 453 commercial airports in contrast to the 19,000 General Aviation airports. The size and diversity of this community warrants careful consideration in any proposed Federal oversight, initiatives, and/or guidelines. TSA and General Aviation community partnerships are vital to developing appropriate security initiatives. TSA carefully considers security initiatives using a threat based, risk management approach. TSA agrees with GAO that a continued partnership with the General Aviation community is critical for mutual long-term success. Here are some highlights of our results in partnering with private stakeholders: * General Aviation Security Guidelines: The Aviation Security Advisory Committee (ASAC) partnered with TSA to develop General Aviation security recommendations. These recommendations were included in TSA's Information Publication A-001: "Security Guidelines for General Aviation Airports." * AOPA Airport Watch and GA Hotline: Development of the Airport Watch program, which includes a general aviation "hotline" in coordination with the Aircraft Owners and Pilots Association (AOPA). This program seeks to improve local awareness through public communications and promotes the hotline for reporting suspicious behavior in the General Aviation community. * NBAA Security Protocol: Partnering with National Business Aviation Association (NBAA), TSA developed guidelines based on industry best practices to standardize security procedures for corporate flight departments. These guidelines, endorsed by the International Business Aviation Council (IBAC), have applicability to corporate general aviation aircraft operating internationally. In addition to the above, TSA also works cooperatively with the Federal Aviation Administration (FAA) on requests for Temporary Flight Restrictions (TFRs) and looks forward to collaborating in the future. TSA has and will continue to coordinate and answer requests for the implementation and removal of TFRs with the FAA. These examples of voluntary, public-private partnership programs demonstrate how TSA, in a short amount of time, has enhanced the security of General Aviation by leveraging community networks and the existing communication infrastructure. Comments on the Public GAO Recommendations: GAO recommendation to TSA (1): Develop an implementation plan for executing a risk management approach that will help identify threats and vulnerabilities. Such a plan should include milestones, specific time frames, and estimates of funding and staffing needed to focus its resources and efforts on identified airports. TSA concurs. The agency is committed to a threat based, risk management approach and will continue to apply that approach to General Aviation. TSA has conducted a General Aviation threat assessment and, through TSA's Transportation Security Intelligence Service (TSIS), continuously monitors all-source intelligence and law enforcement reporting for information relative to General Aviation. TSA intelligence reporting practices and protocols are consistent throughout all modes of transportation. TSA also maintains the General Aviation hotline at the TSA Transportation Security Operations Center (TSOC) where General Aviation related suspicious activity and threats may be reported. In addition, TSA has piloted a General Aviation Self Assessment Risk Module (TSARM). TSARM is a free web-based tool designed to assist transportation asset owners/operators in developing security plans and identifying potential vulnerabilities along with security system upgrades. In addition to providing direct feedback to local operators, it concurrently provides TSA timely infrastructure data to consider in criticality assessments. GAO recommendation to TSA (2): After identifying the most critical threats and vulnerabilities, apply risk communication principles, including to the extent possible the nature of the threat, when and where it is likely to occur, over what time period, and guidance on action to be taken-in developing and transmitting security advisories and threat notifications. TSA concurs. TSA supports the communication protocol as directed by the Department of Homeland Security based on the methodology of risk communication principles (see DHS statement GAO-04-682). Currently, TSA sends out advisories to the General Aviation community that are disseminated by both national and local General Aviation stakeholders. In the few instances when there has been a specific threat, TSA has provided the General Aviation community with information that is timely, specific, and actionable. In addition, TSA has the ability to provide SSI and classified information to General Aviation industry stakeholders as appropriate. TSA does maintain extensive contact lists of key General Aviation stakeholders, including home contact information, and with its stakeholder network, TSA is able to respond to specific threats in a timely manner. In conclusion, thank you again for the GAO review to assist Congress to better understand the dynamics of providing security in conjunction with the General Aviation community. We appreciate your efforts to help define the efforts and challenges ahead. Sincerely yours, Signed by: David M. Stone: Assistant Secretary: [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Cathleen A. Berrick (202) 512-3404 Chris Keisling (404) 679-1917: Staff Acknowledgments: In addition to those named above, Leo Barbour, Grace Coleman, Chris Ferencik, Kara Finnegan-Irving, Dave Hooper, Stan Kostyla, Thomas Lombardi, Mark Ramage, Robert Rivas, Jerry Seigler, and Richard Swayze were key contributors to this report. FOOTNOTES [1] The range of general aviation flight operations encompasses personal/family transportation, power line inspection and repair, pipeline patrol, training, transporting medical supplies, emergency services, rescue operations, wildlife and land surveys, traffic reporting, agricultural aviation, firefighting, and law enforcement. [2] The Aviation Security Advisory Committee was formed following the 1988 Pan American World Airways Flight 103 tragedy (Lockerbie, Scotland) to allow all segments of the population to have input into future aviation security considerations. The committee was originally sponsored by the Federal Aviation Administration. However, when the Aviation and Transportation Security Act was signed into law, primary responsibility for civil aviation security were transferred from the Federal Aviation Administration to TSA, and accordingly, sponsorship of the Aviation Security Advisory Committee also was transferred to TSA. [3] We visited general aviation airports in Alabama, California, Georgia, Maryland, Massachusetts, New Jersey, New York, South Carolina, Tennessee, Texas, and Washington. [4] General aviation activities also take place at some commercial airports, but we did not include commercial airports in the scope of this review. [5] Because this is a probability sample, population estimates based on this sample data are subject to sampling error. All percentage estimates based on this sample have 95 percent confidence intervals that are within +/-6 percentage points of the estimate itself, unless otherwise noted. [6] Airport Watch is a program initiated by the Aircraft Owners and Pilots Association working with TSA. The program is supported by a TSA- sponsored toll free hotline (866-GA-SECURE) and warning signs for airports, informational literature, and training videotapes provided by the association. [7] The TSA Access Certificate program is based on a set of security protocols developed by the National Business Aviation Association. TSA is testing this program at three airports in the Northeast for possible use as a national security standard for corporate and business operators. [8] TSA considers general aviation aircraft to include all U.S. registered civil aircraft not (1) operated under 14 C.F.R. Part 121 (scheduled commercial airlines), (2) military operations, and (3) on- demand air carriers that operate nonscheduled commercial service under 14 C.F.R. Part 135 [9] For a more detailed discussion on the general aviation industry, see GAO, General Aviation: Status of the Industry, Related Infrastructure, and Safety Issues, GAO-01-916, (Washington, D.C.: Aug. 31, 2001). [10] According to FAA's Airmen's Registry as of July 3, 2004. [11] Airports that handle regularly scheduled commercial airline traffic and have at least 2,500 annual passenger enplanements. [12] Aviation and Transportation Security Act (ATSA), Pub. L. No. 107- 71, § 101(a), (g), 115 Stat. 597, 603 (2001). [13] FAA has sole authority to issue TFRs and other rules to restrict aircraft from operating within defined areas, on a temporary or permanent basis, in order to protect persons or property in the air or on the ground. When time permits, FAA issues security-based TFRs after consultation with TSA and other federal agencies, as appropriate. [14] 49 C.F.R. parts 1540, 1542 & 1544 (formerly codified, in part, at 14 C.F.R. parts 107 & 108). [15] Pub. L. No. 107-71, §§ 113(a) & 132, 115 Stat. at 622 & 635. [16] Pub. L. No. 107-71, § 101(a), 115 Stat. at 598. [17] Transportation Security Administration, Security Guidelines for General Aviation Airports, Information Publication A-001, (May 2004). [18] See GAO, Homeland Security: Key Elements of a Risk Management Approach,. GAO-02-150T (Washington, D.C.: Oct. 12, 2001). [19] For example, 49 C.F.R. Part 1520 limits TSA's ability to distribute sensitive security information to persons with a need to know, and Executive Order 13292--Further Amendment to Executive Order 12958, as Amended, Classified National Security Information, March 25, 2003, limits the distribution of classified information. [20] The General Aviation Coalition consists of the major general aviation organizations and focuses on addressing aviation issues of common interest and concern. The coalition meets every 6 months with the FAA Administrator and senior FAA managers to present and update issues. The industry associations that make up the coalition consists of the Aircraft Electronics Association, the Aircraft Owners and Pilots Association, the Experimental Aircraft Association, the General Aviation Manufacturers Association, the Helicopter Association International, the International Council of Air Shows, the National Aeronautics Association, the National Agricultural Aviation Association, the National Air Transportation Association, the National Aircraft Resale Association, the National Association of State Aviation Officials, the National Business Aviation Association, the Professional Aviation Maintenance Association, the Small Aircraft Manufacturers Association, the Soaring Society of America, the U.S. Parachute Association, and the University Aviation Association. [21] TSA officials said they also conducted outreach programs before national events requiring special aviation security to educate the general aviation community on flight restrictions and other planned security measures and that TSA planned to assign a lead federal security director in each state as a point of contact for states' general aviation communities. [22] GAO, Homeland Security: Risk Communication Principles May Assist in Refinement of the Homeland Security Advisory System, GAO-04-538T (Washington, D.C.: Mar. 16, 2004). [23] TSA has proposed a regulation pursuant to section 612 of the Vision 100ćCentury of Aviation Reauthorization Act, Pub. L. No. 108- 176, 117 Stat. 2490, 2572-74 (2003), to codify TSA's authority in light of the transfer of responsibilities from the Department of Justice. The Department of Justice issued and enforced regulations that require background checks of foreign candidates for flight training pursuant to section 113 of ATSA, Pub. L. No. 107-71, 115 Stat. at 622-23. [24] 28 C.F.R. Part 105. Vision 100 subsequently amended this requirement, transferring responsibility for conducting the background checks to TSA and applying this requirement to all non-U.S. citizens seeking flight training in aircraft weighing more than 12,500 pounds. TSA has developed, but not yet implemented, regulations to this effect. [25] 28 C.F.R.Part 105. [26] The Foreign Terrorist Tracking Task Force was created in response to Homeland Security Presidential Directive 2, Oct. 29, 2001. The purpose of the task force is to (1) deny entry into the United States of aliens associated with, suspected of being engaged in, or supporting terrorist activity; and (2) locate, detain, prosecute, or deport any such aliens already present in the United States. The directive required that the task force be staffed by personnel from the Department of State, the Immigration and Naturalization Service, the Federal Bureau of Investigation, the Secret Service, the Customs Service, the intelligence community, military support components, and other federal agencies as appropriate. The Department of Justice delegated authority for establishing and administering the Flight Training Candidate Checks Program to the Foreign Terrorist Tracking Task Force. [27] The regulations establishing the Flight Training Candidate Checks Program became effective on March 17, 2003. 68 Fed. Reg. 7,313 (Feb. 13, 2003) (codified at 28 C.F.R. Part 105). [28] Pub. L. No. 108-176, § 612, 117 Stat. at 2572-74. [29] As of July 2004, FAA reported that 3,742 foreign student pilots had active student certificates and TSA officials estimated that over 200,000 pilots currently licensed by FAA are non-U.S. citizens. [30] According to TSA officials, most foreign candidates must receive a U.S. student or work visa to receive flight training in the United.States. Under the Department of Justice's Flight Training Candidate Checks Program, the Department of State would not issue such visas to foreign candidates unless they had received preliminary approval from the Department of Justice. TSA officials said that TSA intends to work with the Department of State to continue this process when the TSA regulation is finalized. [31] According to TSA officials, responsibility for conducting these checks will transfer from Department of Justice to TSA in October 2004. [32] Prior to the Aviation and Transportation Security Act, certain aviation charter services were already subject to security requirements. For example, charter services using aircraft with 31 seats or more were required to meet security requirements similar to those in place for scheduled commercial air carriers. [33] FAA may issue TFRs related to security including TFRs issued for sporting events and significant national landmarks (14 C.F.R. § 99.7.) In addition, FAA may issue security-related TFRs by working directly with the Secret Service for the security of the President and other dignitaries (14 C.F.R. § 91.141) and the Department of Defense for protection of certain military facilities (14 C.F.R. § 99.7). [34] Notices to Airmen are a method by which FAA communicates to pilots information that is time-critical and is either of a temporary nature or is not known far enough in advance to permit publication on aeronautical charts or other operation publications. This can include the establishment, condition, or change in any facility, service, procedure, or hazard in the national airspace system. They may be regulatory (restrictive) or advisory in nature, or both. [35] The Secretary of Homeland Security, after consultation with the Homeland Security Council, is responsible for designating events as National Special Security Events. A recent example was the 2004 G-8 Summit in Sea Island, Georgia. [36] Presidential TFRs are issued to address security with respect to airspace over presidential and other parties. No person may operate an aircraft in the vicinity of an area to be visited or traveled by the President, Vice President, or other public figures for which this type of restriction is issued. According to TSA officials, the size of TFRs issued for dignitaries other than the President did not increase after September 11, 2001. [37] The first 10 nautical miles from the center of the TFR constitute a no-fly zone. The area from 10 to 30 nautical miles of the TFR constitute an air defense identification zone (ADIZ) where operators must obtain a unique beacon code to identify themselves and maintain constant radio contact with air traffic controllers. [38] 14 C.F.R. § 99.3 defines an air defense identification zone as an area of airspace over land or water in which the ready identification, location, and control of civil aircraft is required in the interest of national security. General aviation aircraft must meet certain operational requirements; that is, pilots must have an approved flight plan by FAA, maintain two-way radio communications with air traffic control, and have a transponder that transmits a unique code. According to TSA officials, smaller general aviation aircraft are limited in their ability to access the flight restricted zone because of limited operational capabilities needed to operate in the air defense identification zone. FAA officials noted that additional airspace, extending in places as much as 45 nautical miles from the Washington Monument, is also included in the zone. [39] In commenting on the draft report, FAA officials noted that one of the 11 remaining military TFRs--Anniston, Alabama--was canceled and established as a national security area after completed we completed our review. National security areas are established at locations where there is a requirement for increased security and safety of ground facilities. For example, FAA designated a national security area over Rocky Flats Environmental Technology Site, located in Colorado. Pilots are advised to avoid flying over these designated areas. During times of heightened alert levels, FAA may increase the national security area advisories to TFRs. [40] These costs may be expected to increase with the number of TFRs, and with their size and duration. A TFR that encompasses a large area and is in effect for a long period of time is more likely to cause flights to be cancelled, delayed, or diverted than is a TFR that covers a smaller area or is in effect for only a short while. [41] Key assumptions underlying the study's estimates were that the typical TFR lasts about 4 hours and affects approximately 15 flights per hour. Of the affected flights, about 40 percent were assumed to be delayed, with about 50 percent assumed to be diverted, imposing costs on passengers and aircraft operators. [42] HLB Decision Economics INC (HLB Reference 6795) March 2004, "The Economic Costs of Restricting General Aviation Access to Ronald Reagan Washington National Airport and TFRs (Temporary Flight Restrictions) Since September 11, 2001." The study estimated that, from September 11, 2001, through March 2004, 2,898 TFRs affected general aviation in the following ways: approximately 11,101 general aviation flight cancelations, 74,334 general aviation flight postponements, and 103,162 general aviation flight diversions to more circuitous routes. [43] St. Mary's would be directly affected by FAA proposals to permanently prohibit flight operations within airspace under temporary flight restrictions at the time of our review. [44] These airports are eligible to receive Airport Improvement grants because they have submitted applications to be included in and have been accepted in FAA's National Plan of Integrated Airport Systems. These grant funds are usually limited to planning, designing, and constructing projects such as runways, taxiways, aprons, and land purchases. However, they may also be used for security and safety purposes. Eligible safety and security projects include improvements or equipment that is required by federal regulation or, according to FAA officials, if TSA makes an airport-specific determination that security enhancements are needed. [45] The amounts of 2002 and 2003 Airport Improvement Program funds do not include grants provided to general aviation airports in states that receive FAA block grants since detailed information about the total amounts given to general aviation airports or the amounts of those funds that went for general aviation security are not readily available, according to FAA officials. Airport Improvement Program block grant states are Illinois, Michigan, New Jersey, North Carolina, Pennsylvania, Tennessee Texas, and Wisconsin. [46] The Potomac, Washington Executive/Hyde Park, and Montgomery County general aviation airports in Maryland are subject to federal security regulations. [47] The Aviation and Transportation Security Act had extended eligibility for Airport Improvement Program funding to any additional security-related facilities and equipment required by law or the Secretary of Transportation after September 11, 2001, and before October 1, 2002. [48] GAO, Airport Finance: Past Funding Levels May Not Be Sufficient to Meet Airports' Planned Developments, GAO-03-497T (Washington, D.C.: Feb. 25, 2003). [49] The Office of Domestic Preparedness allocated nearly $1.7 billion in State Homeland Security grants among the 50 states, the District of Columbia, and five territories for fiscal year 2004, and an additional $671 million in Urban Area Security Initiative grants among 50 metropolitan areas. [50] The members of the Aviation Security Advisory Committee Working Group on General Aviation Airports Security are the Aircraft Owners and Pilots Association, the Airports Consultants Council, the American Association of Airport Executives, the Experimental Aircraft Association, the General Aviation Manufacturers Association, the Helicopter Association International, the National Air Transportation Association, the National Association of State Aviation Officials, the National Business Aviation Association, and the U.S. Parachute Association. [51] According to general aviation industry association officials, general aviation aircraft operators wishing to fly to the United States from other countries must stop in one of seven portal countries before entering the country. [52] TSA officials noted that all certificate holders are corporations. [53] According to the association, the majority of its members are licensed as commercial applicator-operators who use aircraft to enhance food and fiber production, protect forestry, and control health- threatening pests. [54] Report of the Aviation Security Advisory Committee Working Group on General Aviation Airports Security, October 1, 2003, Transportation Security Administration, Washington, D.C. [55] In addition, TSA officials said that New York had mandated that all general aviation airports in the state apply TSA's security guidelines. [56] 49 C.F.R. Part 1542. [57] A primary purpose of the National Plan of Integrated Airports (NPIAS) is to identify the airports that are important to national transportation and, therefore, eligible to receive grants under the Airport Improvement Program. The NPIAS is composed of all commercial service airports, all reliever airports, and selected general aviation airports. The word "airport" includes landing areas developed specifically for helicopters and seaplanes as well as conventional fixed wing aircraft landing areas. [58] We conducted a probability sample consisting of 499 or the 2,829 general aviation airports that are open to the public and part of FAA's National Plan of Integrated Airports (NPIAS). We conducted this survey between March and May 2004, and obtained 344 eligible responses. From this sample, estimates are produced for a target population defined as managers of service level general aviation airports that were included in the FAA National Plan of Integrated Airports database as of January 2004. Because we used a probability sample, the estimates could be different for a different random sample. For estimated percentages in this report, we are 95 percent confident that the actual value is within +/-6 percentage points of the survey estimate. [59] Fixed-base operators provide a variety of services to pilots, such as flight training, aircraft rental, fueling, maintenance, parking, and the sale of pilot supplies. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: