This is the accessible text file for GAO report number GAO-06-76 entitled 'Aviation Security: Federal Action Needed to Strengthen Domestic Air Cargo Security' which was released on November 16, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: October 2005: Aviation Security: Federal Action Needed to Strengthen Domestic Air Cargo Security: GAO-06-76: GAO Highlights: Highlights of GAO-06-76, a report to congressional requesters. Why GAO Did This Study: In 2004, an estimated 23 billion pounds of air cargo was transported within the United States, about a quarter of which was transported on passenger aircraft. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) is responsible for ensuring the security of commercial aviation, including the transportation of cargo by air. To evaluate the status of TSA’s efforts to secure domestic air cargo, GAO examined (1) the extent to which TSA used a risk management approach to guide decisions on securing air cargo, (2) the actions TSA has taken to ensure the security of air cargo and the factors that may limit their effectiveness, and (3) TSA’s plans for enhancing air cargo security and the challenges TSA and industry stakeholders face in implementing these plans. What GAO Found: TSA has taken initial steps toward applying a risk-based management approach to address air cargo security. A risk-based management approach entails a continuous process of managing risk through a series of actions, including setting strategic goals and objectives and assessing risk through the identification and evaluation of threats, vulnerabilities, and critical assets. In November 2003, TSA completed an air cargo strategic plan that outlined a threat-based, risk management approach to secure the air cargo system by, among other things, targeting elevated risk cargo for inspection. TSA also completed an updated threat assessment in April 2005. However, TSA has not yet established a methodology and schedule for completing assessments of air cargo vulnerabilities and critical assets—two crucial elements of a risk-based management approach without which TSA may not be able to appropriately focus its resources on the most critical security needs. TSA has taken a number of actions intended to strengthen air cargo security, but factors exist that may limit their effectiveness. For example, TSA established a centralized database on people and businesses that routinely ship air cargo to improve information on known shippers. However, we identified problems with the reliability of the information in the database, and how TSA is using the information to identify shippers who may pose a risk. TSA has also established requirements for air carriers to randomly inspect air cargo, but has exempted some cargo from inspection, potentially creating security weaknesses. Further, TSA conducts audits of air carriers and indirect air carriers to ensure that they are complying with existing air cargo security requirements. However, TSA has not developed measures to assess the adequacy of air carrier and indirect air carrier compliance, systematically analyzed these audit results to target future inspections, or assessed the effectiveness of its enforcement actions to ensure compliance with air cargo security requirements. TSA’s plans for enhancing air cargo security focus on implementing a system for targeting and inspecting elevated risk cargo, and requiring air carriers to conduct security threat assessments on thousands of cargo workers, among other efforts. However, these plans may pose financial, operational, and technological challenges to the agency and air cargo industry stakeholders. For example, stakeholders are concerned, and our analysis identified, that TSA may have underestimated the cost of its proposed measures. Figure: Air Cargo Being Loaded and Inspected Using an Explosive Detection System: [See PDF for image] This figure contains two photographs of air cargo being loaded and inspected using an Explosive Detection System. Source: GAO and TSA. What GAO Recommends: GAO recommends that DHS direct TSA to complete assessments of air cargo vulnerabilities and critical assets; reexamine the rationale for existing air cargo inspection exemptions; develop measures to gauge air carrier and indirect air carrier compliance; assess the effectiveness of compliance enforcement actions; and ensure that the data to be used in identifying elevated risk cargo are complete, accurate, and current. DHS reviewed a draft of this report and generally concurred with GAO’s recommendations. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-76]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Cathleen Berrick at (202) 512-8777 or berrickc@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed Assessments of the Risks Posed by Terrorists to the Air Cargo System: TSA Has Implemented Actions Intended to Strengthen Air Cargo Security, but Factors Exist That May Limit Their Effectiveness: TSA Plans to Enhance Air Cargo Security, but Implementing These Plans Poses Challenges to the Agency and Air Cargo Stakeholders: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Federal Agency Roles in Air Cargo Security: Appendix III: Timeline of Significant Events Related to Air Cargo Security: Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group: Appendix V: Testing Explosive Detection System Technologies for Inspecting Air Cargo: Appendix VI: Testing the Use of TSA-Certified Explosives Detection Canine Teams: Appendix VII: New Technologies Selected by TSA for Further Development and Testing: Appendix VIII: Comments from the Department of Homeland Security: Appendix IX: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Elements of a Typical Homeland Security Risk Assessment: Table 2: Potential Challenges Associated with Using Current and New and Emerging Technology to Inspect Air Cargo: Table 3: TSA's Proposed Air Cargo Security Measures: Table 4: Federal Agency Roles in Air Cargo Security: Figures: Figure 1: Flow of Cargo from Shipper to Air Carrier: Figure 2: Risk Management Cycle: Figure 3: TSA Air Cargo Security Compliance Inspection Results for the Period between January 1, 2003, and January 31, 2005: Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo Inspections for the Period January 1, 2003, to January 31, 2005: Figure 5: Timeline of Significant Events Related to Air Cargo Security: Figure 6: EDS Technology Inspecting Break Bulk Cargo: Abbreviations: ASAC: Aviation Security Advisory Committee: ASI: aviation security inspector: ATSA: Aviation and Transportation Security Act: CBP: U.S. Customs and Border Protection: DHS: Department of Homeland Security: EDS: explosive detection system: ETD: explosive trace detection: FBI: Federal Bureau of Investigation: FSD: Federal Security Director: PARIS: Performance and Results Information System: STA: security threat assessment: SIDA: security identification display area: TSA: Transportation Security Administration: TWIC: Transportation Worker Identification Credential: [End of section] United States Government Accountability Office: Washington, DC 20548: October 17, 2005: Congressional Requesters: In the aftermath of the September 11, 2001, terrorist attacks, aviation security, including the security of cargo carried on passenger and all- cargo aircraft, became a growing concern both to the public and to members of Congress. Since the attacks, several instances of human stowaways in the cargo holds of all-cargo aircraft have further heightened the concern over air cargo security by revealing vulnerabilities that could potentially threaten the entire air transportation system. The Aviation and Transportation Security Act (ATSA), enacted in November 2001, required the screening of all passengers and property, including cargo, United States mail, and carry- on and checked baggage that is carried on board commercial passenger aircraft.[Footnote 1] It also required that a system be put in place as soon as practicable to screen, inspect, or otherwise ensure the security of cargo on all-cargo aircraft.[Footnote 2] Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) is responsible for overseeing aviation security to ensure the security of the air traveling public. While TSA has focused much of its attention on meeting requirements to screen 100 percent of passengers and baggage, less attention has been paid to securing air cargo transported on passenger and all-cargo aircraft. In 2004, an estimated 23 billion pounds of air cargo were transported within the United States, with about a quarter of this amount transported on passenger aircraft. Recently, DHS reported that most cargo on passenger aircraft is not physically inspected.[Footnote 3] Specifically, according to industry estimates, only a very small percentage of the total cargo placed on passenger aircraft is physically screened or inspected.[Footnote 4] To enhance air cargo security, Congress recently enacted legislation authorizing $902 million for air cargo security and required that TSA take additional steps to secure air cargo, including increasing the percentage of cargo being inspected on passenger aircraft.[Footnote 5] We have previously reported on the need for TSA to strengthen air cargo security, and the challenges TSA faces in determining how to allocate its resources to manage risks while addressing threats and enhancing security both within aviation and across all modes of transportation.[Footnote 6] This evolving approach, referred to as risk management, entails a continuous process of managing risk through a series of actions, including setting strategic goals and objectives and assessing risk through the identification and evaluation of threats, vulnerabilities, and critical assets, among other efforts. To help Congress evaluate the status of TSA's efforts to secure domestic air cargo, we answered the following questions: (1) To what extent has TSA used a risk management approach to guide decisions on securing air cargo? (2) What actions has TSA taken to ensure the security of air cargo, and what factors may limit their effectiveness? (3) What are TSA's plans for enhancing air cargo security, and what financial, operational, and other challenges do TSA and industry stakeholders face in implementing these plans? To answer these questions, we interviewed TSA headquarters officials responsible for managing the agency's air cargo security program. We reviewed laws and regulations related to air cargo security and TSA air cargo security directives and guidance to determine the requirements placed on air carriers and indirect air carriers for ensuring air cargo security.[Footnote 7] To determine the extent to which TSA has used a risk management approach to guide decisions on securing air cargo, we compared the elements of our risk management approach with TSA's efforts to implement such an approach. A complete risk-based management approach includes setting strategic goals and objectives; assessing risk (threat, vulnerabilities, and criticality); evaluating alternatives; selecting initiatives to undertake; and implementing and monitoring those initiatives. This report examines the two risk management efforts TSA has focused on thus far related to air cargo security--setting strategic goals and objectives and assessing risk. Regarding risk assessment, we interviewed air cargo industry stakeholders to obtain their views on the timeliness, specificity, and clarity of threat information provided by TSA.[Footnote 8] We also analyzed data on TSA's compliance inspections to determine the agency's progress in evaluating industry compliance with existing air cargo security requirements. We discussed the reliability of TSA's compliance inspection data for fiscal years 2002, 2003, and 2004 with TSA officials in charge of this effort, and concluded that they were sufficiently reliable for the purposes of this review. To obtain information on government and industry actions and plans to secure air cargo, we interviewed TSA officials and air cargo industry stakeholders. We also reviewed TSA's Air Cargo Strategic Plan and proposed air cargo security rule, including comments on the regulation and costs associated with implementing the proposal.[Footnote 9] In addition, we conducted site visits to 12 United States commercial airports to observe air cargo security operations and pilot testing of cargo inspection technology, including explosive detection systems (EDS).[Footnote 10] We selected these airports based on several factors, including airport size, geographical dispersion, and the volume of air cargo transported to and from these airports.[Footnote 11] Because we selected a nonprobability sample of airports, the results from these visits cannot be generalized to other United States commercial airports. More detailed information on our scope and methodology is contained in appendix I. We conducted our work between June 2004 and September 2005 in accordance with generally accepted government auditing standards. We issued a restricted version of this report on July 29, 2005.[Footnote 12] This report contains information presented in that report with all sensitive security information removed. Results in Brief: TSA has taken steps toward applying a risk-based management approach to addressing air cargo security, including conducting threat assessments. However, TSA has not conducted assessments of air cargo vulnerabilities and critical assets, such as cargo facilities and aircraft. TSA completed an Air Cargo Strategic Plan in November 2003 that outlined a threat-based risk management approach to securing the nation's air cargo transportation system. TSA's plan identifies strategic objectives and priority actions for enhancing air cargo security based on risk, cost, and deadlines. The plan describes TSA's commitment to inspect 100 percent of elevated risk cargo, and ensure the security of the entire air cargo supply chain[Footnote 13]. The plan focused on two threats to air cargo security--preventing the introduction of an explosive device on a passenger aircraft and the hijacking of an all-cargo aircraft, resulting in its use to inflict mass destruction. To address these threats, the plan highlighted four strategic objectives: (1) enhancing cargo shipper and cargo supply chain security, (2) identifying elevated risk cargo through prescreening, (3) identifying technology for performing inspections of elevated risk cargo, and (4) strengthening the security of all-cargo aircraft and cargo operation areas. In November 2004, TSA issued a proposed air cargo security rule that would implement many of the objectives and associated actions identified in the strategic plan. These include enhancing the Known Shipper program, which allows individuals or businesses with established histories to ship cargo on passenger carriers, and improving the security of air carriers. TSA expected to issue the final rule by mid-August 2005. However, as of September 2005, this rule has not been issued. TSA is also in the process of assessing the risks terrorists pose to air cargo--another key component of risk management. For example, TSA conducted an air cargo threat assessment in June 2004 and updated its assessment in April 2005. However, TSA has not completed a methodology for assessing the vulnerability and criticality of air cargo assets, or established a schedule for conducting such assessments because of competing agency efforts to address other areas of aviation security. Moreover, TSA's existing tools for assessing vulnerability have not been adapted for use in conducting air cargo assessments, nor has TSA established a schedule for when these tools would be ready for use. TSA has also not systematically collected and used information on air cargo security breaches, which could provide useful information to identify the full range of potential air cargo security vulnerabilities. Without fully assessing the risks posed by terrorists to the air cargo system, TSA is limited in its ability to identify potential air cargo security vulnerabilities and focus its resources on those areas representing the most critical security needs. TSA has implemented a number of actions intended to strengthen air cargo security, but factors exist that may limit the effectiveness of these efforts. For example, TSA has established a centralized Known Shipper database to streamline the process by which shippers (individuals and businesses) are made known to carriers with whom they conduct business. However, the information in this database on the universe of shippers is incomplete, because participation in this database is currently voluntary and the information in the database may not be reliable. TSA estimates the agency's centralized database contains information on about 400,000 known shippers, or less than one- third of the total population of known shippers, which is estimated to be about 1.5 million. Moreover, TSA has not taken needed steps to identify shippers who may pose a security threat, in part because TSA has incomplete information on known shippers. Through its proposed air cargo security rule, TSA plans to make the Known Shipper database mandatory by requiring air carriers and indirect air carriers to submit information on their known shippers to TSA's Known Shipper database. According to TSA officials, the agency also plans to take further steps to identify those shippers who may pose a security risk. Although TSA has established requirements for passenger and all-cargo carriers to randomly inspect cargo they transport, the agency has exempted certain cargo from inspection because of its nature and size. Local TSA officials and officials representing airports, air carriers, and indirect air carriers we spoke with recognize that some of these exemptions may create potential vulnerabilities in the air cargo security system. To ensure that existing air cargo security requirements are being implemented, TSA conducts audits, referred to as compliance inspections, of air carriers and indirect air carriers. These compliance inspections range from a comprehensive review of the implementation of all air cargo security requirements by an air carrier or indirect air carrier to a review of just one or several security requirements. TSA reported conducting about 37,000 air cargo compliance inspections from January 2003 through January 2005. However, TSA has not determined what constitutes an acceptable level of performance or compared air carriers and indirect air carriers' performance against this standard, analyzed the results of inspections to systematically target future inspections on those entities that pose a higher security risk to the domestic air cargo system, or assessed the effectiveness of its enforcement actions taken against air carriers and indirect air carriers to ensure that they are complying with air cargo security requirements. TSA's plans for enhancing air cargo security focus on implementing a system for targeting and inspecting elevated risk cargo, developing and testing air cargo inspection technology, and implementing enhancements proposed in its air cargo security rule. However, these planned enhancements may pose operational, financial, and technological challenges to the agency and air cargo industry stakeholders. Specifically, TSA is developing a system to target elevated risk cargo for inspection that would minimize the agency's reliance on random inspections. This system, referred to as Freight Assessment, would compare information on individual cargo shipments and shippers, among other things, against targeting criteria to assign a risk level to cargo. Cargo identified as posing an elevated risk would then be subject to additional inspection through physical searches or nonintrusive technology, such as X-ray systems. TSA plans to develop this system because the agency concluded that inspection of all air cargo would have a negative impact on the flow of commerce and is currently not technologically feasible. Although the agency acknowledges that the successful development of the targeting system is contingent upon having complete, accurate, and current targeting information, the agency has not yet completed efforts to ensure information that will be used by the system is reliable. TSA plans to pilot-test this targeting system in early 2006, with a phased-in deployment during calendar years 2006 and 2007. TSA is also testing new and available technologies to determine their applicability to inspecting air cargo. However, according to TSA officials, the agency will need to analyze the results of its technology tests before it determines which technologies will be certified for inspecting elevated risk cargo and whether it will require carriers to use such technology. Further, through its proposed air cargo security rule, TSA would require air carriers and indirect air carriers to secure air cargo facilities, screen all individual persons boarding all-cargo aircraft, and conduct security checks on air cargo workers. In commenting on the proposed rule, industry stakeholders representing air carriers, indirect air carriers, and airport authorities stated that several of the proposals may be costly and difficult to implement. Specifically, these industry stakeholders stated that TSA may have significantly underestimated the costs associated with implementing these proposed measures, particularly those requiring air carriers to conduct security threat assessments on thousands of air cargo workers and random inspections on a percentage of air cargo. TSA estimated that the proposed air cargo rule will cost $637 million (in discounted 2003 dollars) over a 10-year period to implement. Our analysis of TSA's estimate identified concerns with the agency's methodology and suggests that TSA's cost figures may have been underestimated. According to TSA officials, the agency plans to reassess its cost estimates before issuing its final air cargo security rule. As of September 2005, the final rule has not been issued. We are making several recommendations to assist TSA in strengthening the security of the domestic air cargo transportation system. These include (1) developing a methodology and schedule for completing assessments of air cargo vulnerabilities and critical assets; (2) reexamining the rationale for existing air cargo inspection exemptions; (3) developing measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements; (4) developing a plan for systematically analyzing and using the results of air cargo compliance inspections to target future inspections and identify systemwide corrective actions; (5) assessing the effectiveness of enforcement actions in ensuring air carrier and indirect air carrier compliance with air cargo security requirements; (6) and ensuring that the data to be used in the Freight Assessment System are complete, accurate, and current. We provided a draft of this report to DHS for review. DHS, in its written comments, generally concurred with the findings and recommendations in the report. The full text of DHS's comments is included in appendix VIII. Background: Safeguarding the nation's air cargo transportation system is a shared public and private sector responsibility. While TSA enforces statutory and regulatory requirements, provides guidance on securing air cargo, and provides some funding, air carriers and indirect air carriers have operational responsibility for implementing security requirements issued by TSA.[Footnote 14] The Aviation and Transportation Security Act (ATSA) charged TSA with the responsibility for ensuring the security of the nation's transportation systems, including the transportation of cargo by air.[Footnote 15] Specifically, TSA's responsibilities include (1) establishing security rules and regulations covering domestic and foreign passenger carriers that transport cargo, domestic and foreign all-cargo air carriers, and domestic indirect air carriers;[Footnote 16] (2) overseeing implementation of air cargo security requirements by air carriers and indirect air carriers through compliance inspections; and (3) conducting research and development of air cargo security technologies.[Footnote 17] Section 130 of ATSA also requires TSA to take actions consistent with the Government Performance and Results Act of 1993, which states that agencies must use outcome-oriented goals and measures that assess results, effects, or impacts of a program or activity compared with its intended purpose. TSA officials stated that the agency has developed performance goals for the overall air cargo security program consistent with the Government Performance and Results Act. These goals include the percentage of known shipper cargo inspected on passenger aircraft, the percentage of regulatory compliance inspections completed, and the percentage of assets that remain below acceptable levels of risk for all threat scenarios for air cargo. Air carriers (passenger and all-cargo) and indirect air carriers are responsible for implementing TSA security requirements, including maintaining a TSA-approved security program that describes the security policies, procedures, and systems the air carrier and indirect air carrier must implement in order to comply with TSA security requirements.[Footnote 18] These requirements include measures related to the acceptance, handling, and inspection of cargo; training of employees in security and cargo inspection procedures; testing employee proficiency in cargo inspection; and access to cargo areas and aircraft. Although TSA screens or inspects passengers and their baggage, it does not do so for air cargo. Instead, TSA regulations assign this responsibility to air carriers. TSA also does not directly regulate individuals or businesses that have their cargo shipped by air. Air cargo includes freight and express packages that range in size from small to very large, and in type from car engines, electronic equipment, machine parts, apparel, medical supplies, human remains, to fresh-cut flowers, fresh seafood, fresh produce, tropical fish, and other perishable goods. Cargo can be shipped in various forms, including in unit-loading devices, wooden crates, assembled pallets, or individually wrapped/boxed pieces, known as break bulk cargo.[Footnote 19] Participants in the air cargo shipping process include potentially millions of individuals and businesses that ship their cargo on all- cargo aircraft; about 1.5 million known entities, such as manufacturers, that ship their products on passenger aircraft; about 3,800 indirect air carriers, also known as freight forwarders, who operate about 10,000 facilities nationwide where they consolidate shipments and deliver them to air carriers; and 285 passenger and all- cargo air carriers that use their cargo facilities to store cargo until it is placed onboard an aircraft for transport. There are about 2,800 such facilities or stations at commercial United States airports.[Footnote 20] Figure 1 depicts these participants and the two primary ways in which a shipper can send cargo by air. Figure 1: Flow of Cargo from Shipper to Air Carrier: [See PDF for image] This figure is an illustration of the flow of cargo from shipper to air carrier. The following two scenarios are depicted: Flow of Cargo from Shipper to Air Carrier: From Shipper/manufacturer, goes to: Pickup; goes to: Consolidation; goes to: Airport sorting center; goes to: Air Carrier. Or: Flow of Cargo from Shipper to Air Carrier: From Shipper/manufacturer, goes to: Pickup; goes to: Airport sorting center; goes to: Air Carrier. Source: GAO analysis of TSA information. [End of figure] As illustrated in figure 1, shippers typically send cargo by air in one of two ways. A shipper may take its packages to indirect air carriers, which consolidate air cargo from many shippers and deliver it to air carriers. The indirect air carrier usually has cargo facilities located in or near airports and uses trucks to deliver bulk freight to commercial air carriers--either to a cargo facility or to a small- package receiving area at the ticket counter. According to TSA, about 80 percent of shippers use indirect air carriers. A shipper may also send cargo by directly packaging and delivering it to an air carrier's airport sorting center. Under both scenarios, the shipper may employ a representative or agent to act on its behalf. The shipper may also have cargo picked up and delivered by an all-cargo carrier. In 2004, an estimated 23 billion pounds of cargo was shipped within the United States by air. About three-quarters of this amount, or 17 billion pounds, traveled aboard all-cargo aircraft, while the remaining 6 billion pounds traveled aboard passenger aircraft.[Footnote 21] Typically, about one-half of the hulls of each passenger aircraft transporting cargo are filled with cargo. Air cargo is a significant source of revenue to air carriers, bringing in about $17 billion for passenger airlines in 2004.[Footnote 22] To support TSA's efforts to address air cargo security, Congress provided the agency with varying levels of funding over the last 2 fiscal years. For example, in fiscal year 2004, Congress, through the DHS 2004 Appropriations Act conference report, directed TSA to spend $85 million for air cargo security, including $55 million for conducting research and development of air cargo inspection technologies.[Footnote 23] In fiscal year 2005, Congress, through the DHS 2005 Appropriations Act conference report, directed TSA to spend $118 million for air cargo security activities, including the hiring of additional air cargo inspectors, continued research and development of technologies to provide more effective and efficient methods of detecting air cargo threats, and expanding the number of TSA-certified explosive detection canine teams deployed to inspect air cargo. [Footnote 24] The conference report further requires that DHS act expeditiously to fully obligate and expend the funding provided for air cargo security, and directs TSA to provide quarterly reports to the House and Senate Appropriations Committees beginning in December 2004 on the use of all funds obligated and plans for the use of unobligated balances related to air cargo security. The Intelligence Reform and Terrorism Prevention Act of 2004, (Intelligence Reform Act) also authorized $902 million for air cargo security activities for fiscal years 2005 through 2007, including $200 million each year to improve aviation security related to the transportation of cargo on both passenger and all-cargo aircraft, $100 million each year for research and development related to enhanced air cargo security technology and the deployment and installation of such enhanced technology, and $2 million to support efforts to explore alternative technologies for minimizing the potential effects of detonating an explosive device on cargo and passenger aircraft.[Footnote 25] The President's fiscal year 2006 budget requested $40 million for TSA to ensure the security of air cargo. According to the request, this amount includes funds for supporting the 200 air cargo inspectors, continuing the development and improvement of the Known Shipper and indirect air carrier databases, supporting the canine explosive detection program, and field-testing the agency's air cargo targeting program, among other things. See appendix III for a timeline of significant events in air cargo security following the terrorist attacks of September 11, including additional TSA requirements and enacted legislation. As we have previously reported, given the vast transportation network and its importance to commerce, quick and easy access for passengers and cargo must be maintained while identifying the best possible strategies for security.[Footnote 26] Consistent with this goal, we have advocated the need to implement--at TSA and throughout the federal government--a risk management approach for prioritizing efforts and focusing resources. A risk management approach entails a continuous process of managing risk through a series of actions, including setting strategic goals and objectives, assessing risk, evaluating alternatives, selecting initiatives to undertake, and implementing and monitoring those initiatives. The President's fiscal year 2006 budget request recognizes the need for TSA to identify, prioritize, and manage risks, and mitigate the impact of potential incidents, to help ensure that the best security strategies are pursued. Figure 2 depicts a risk management cycle that is a synthesis of government requirements and best practices, as previously reported.[Footnote 27] Elements of strategic planning and risk assessments implemented for air cargo security are separately identified. Figure 2: Risk Management Cycle: [See PDF for image] This figure is an illustration of the risk management cycle. The cycle forms a circle to illustrate a continual process. The process is depicted as follows: Strategic Goals, Objectives and Constraints: * Department of Homeland Security Strategic Plan; * Transportation Security Administration Strategic Plan; * Transportation Security Administration Air Cargo Strategic Plan; Flow to: Risk Management: * Threat Assessment; * Vulnerability Assessment; * Criticality/consequence Assessment. Flow to: Alternatives evaluation; flow to: Management selection; flow to: Implementation and monitoring; cycle repeats. Source: GAO. [End of figure] TSA has committed to implementing a risk management approach for securing air cargo and has to date focused its efforts on the first two elements of this approach, setting strategic goals, objectives, and constraints, and developing a risk assessment. Setting strategic goals, objectives, and constraints is a key first step in implementing a risk management approach and helps to ensure that management decisions are focused on achieving a purpose. These decisions should take place in the context of an agency's strategic plan that includes goals and objectives that are clear and concise. These goals and objectives should identify resource issues and external factors to achieving the goals. Further, the goals and objectives of an agency should link to a department's overall strategic plan. The ability to achieve strategic goals depends, in part, on how well an agency manages risk. The agency's strategic plan should address risk- related issues that are central to the agency's overall mission. Assessing risk, a critical component of a risk management approach in a homeland security setting, typically involves three key elements-- threats, vulnerabilities, and criticality--that provide input into the decision-making process for homeland security. A threat assessment identifies and evaluates potential threats on the basis of factors such as capabilities, intentions, and past activities. A vulnerability assessment identifies weaknesses that may be exploited by identified threats and suggests options to address those weaknesses. A criticality assessment evaluates and prioritizes assets and functions in terms of specific criteria, such as their importance to public safety and the economy, as a basis for identifying which structures or processes are relatively more important to protect from attack. Information from these three assessments can lead to a risk characterization, such as high, medium, or low, and provides input for prioritizing security initiatives.[Footnote 28] Table 1 describes the elements of a risk assessment. Table 1: Elements of a Typical Homeland Security Risk Assessment: A threat assessment: Threat is defined as a potential intent to cause harm or damage to an asset (e.g., natural environment, people, manmade infrastructures, and activities and operations). Threat assessments consist of the identification of adverse events that can potentially affect an entity. Threats might be present at the global, national, or local level, and their sources include terrorists and criminal enterprises. Specific threat information may indicate vulnerabilities that are subject to attack or following the completion of a risk management process, may, for instance, indicate that resources should be temporarily deployed to protect cargo in a particular region of the country or a specific airport. Even if updated frequently, a threat assessment might not adequately capture some emerging threats. A vulnerability assessment: Vulnerability is defined as the inherent state (either physical, technical, or operational) of an asset that can be exploited by an adversary to cause harm or damage. Vulnerability assessments identify these inherent states and the extent of their susceptibility to exploitation, relative to the existence of any countermeasures. A vulnerability assessment is generally conducted by a team of experts skilled in such areas as engineering, intelligence, security, information systems, finance, and other disciplines. A criticality assessment: Criticality is defined as an asset's relative importance given that an event occurs. Criticality or similar consequence assessments identify and evaluate an entity's assets based on a variety of factors, including the importance of its mission or function, the extent to which people are at risk, or the significance of a structure or system in terms of, for example, national security, economic activity, or public safety. Criticality or consequence assessments are important because they provide, in combination with threat and vulnerability assessments, information for later stages of the risk management process. [End of table] Source: GAO. TSA Has Developed a Risk-Based Strategic Plan but Has Not Completed Assessments of the Risks Posed by Terrorists to the Air Cargo System: TSA has taken initial steps toward applying a risk-based management approach to address air cargo security but not yet completed risk assessments for air cargo security. Specifically, in November 2003, TSA completed an Air Cargo Strategic Plan that included goals and objectives that tie into broader aviation and homeland security goals. This plan incorporates recommendations provided by industry stakeholders and outlines a threat-based risk management approach for securing the air cargo transportation system. Specifically, this plan is based on two primary threats--preventing the introduction of an explosive device on a passenger aircraft and the hijacking of an all- cargo aircraft resulting in its use as a weapon to inflict mass destruction. In November 2004, TSA issued a proposed rule to implement many of the actions identified in the strategic plan. TSA is also in various stages of assessing the risk posed by terrorists to the air cargo transportation system--a key aspect of risk management. However, while TSA has conducted a threat assessment to identify terrorist threats to the air cargo transportation system, TSA has not yet conducted assessments to identify air cargo security vulnerabilities and critical air cargo assets. TSA has acknowledged the need to conduct these assessments but has not yet completed a methodology or schedule for completing them. As a result, TSA is limited in its ability to fully address the risks posed by terrorists because some potential air cargo security vulnerabilities may have gone undetected. Further, TSA cannot be assured that it is focusing its resources on those air cargo assets that are determined to be critical and therefore represent the most pressing security needs. TSA Has Worked with Industry Stakeholders to Develop an Air Cargo Strategic Plan: Establishing strategic goals and objectives is the key first component of a risk management approach. The Government Performance and Results Act of 1993, among other things, requires agencies to prepare an annual performance plan and directs executive agencies to articulate goals and strategies for achieving those goals.[Footnote 29] More specifically, agencies are required to develop a strategic plan that contains a comprehensive mission statement covering the major functions and operations of the agency and outlines how an agency will achieve its goals and objectives. In December 2002, we reported that TSA lacked a comprehensive plan with long-term goals and performance targets for air cargo security, time frames for completing security improvements, and risk-based criteria for prioritizing actions to achieve those goals.[Footnote 30] We recommended that TSA develop a comprehensive plan for air cargo security that incorporated a risk management approach. Specifically, we stated that this plan should provide a framework for systematically evaluating and prioritizing technological and operational improvements, and for identifying and implementing additional improvements. We also stated that such a plan should provide a framework for developing a system to ensure air cargo security. In January 2003, TSA partnered with the Aviation Security Advisory Committee (ASAC) to establish a working group to address air cargo security issues.[Footnote 31] TSA officials stated that the establishment of the working group was a first step in addressing our recommendation calling for a risk-based approach to enhancing air cargo security. The ASAC working group consisted of three subgroups that focused on shipper acceptance procedures, indirect air carriers, and securing all-cargo aircraft. These groups collectively developed over 40 recommendations for enhancing air cargo security that were issued to TSA in October 2003. Representatives from various sectors of the air cargo industry participated in these working groups, including those from passenger and all-cargo carriers, indirect air carriers, government agencies, unions representing pilots and flight attendants, and the victims from Pan Am flight 103. In November 2003, TSA issued its Air Cargo Strategic Plan, which incorporated many of the ASAC working groups' recommendations to enhance air cargo security. The plan focuses on securing the air cargo supply and transportation system through the implementation of a layered security approach. This includes screening, or reviewing specific information on all cargo shipments, in order to determine their level of relative risk; ensuring that 100 percent of cargo identified as posing an elevated risk is physically inspected; pursuing technological solutions to physically inspect air cargo; and implementing regulations and programs that support enhanced security measures. To achieve these goals, TSA's plan identifies strategic objectives and priority actions for enhancing air cargo security based on risk, cost, and deadlines. TSA's air cargo security objectives tie into broader aviation and homeland security goals and objectives contained in TSA's agencywide strategic plan and the Department of Homeland Security's strategic plan. For example, TSA's air cargo plan addresses broader agency and departmental goals by proposing the establishment of a system to identify elevated risk cargo through prescreening. This goal of the air cargo plan supports one of TSA's agencywide goals of identifying technology for performing inspections of elevated risk cargo. In turn, this agencywide goal of TSA supports DHS's broad goal of safeguarding critical infrastructure, property, and the nation's economy from terrorism acts or other emergencies. The air cargo plan also calls for a coordinated effort in three other strategic areas--enhancing shipper and supply chain security, identifying technology for performing inspection of elevated risk air cargo, and securing all-cargo aircraft and operation areas through appropriate physical security measures. These efforts support TSA's strategic goal to deter foreign and domestic terrorists and others from causing harm or disrupting the transportation system by implementing preventive and protective measures to mitigate risk to this system. DHS's corresponding strategic goal is to detect, deter, and mitigate threats by strengthening the security of the nation's transportation systems. While TSA Has Identified Terrorist Threats, It Has Not Assessed Vulnerabilities and Criticality of Air Cargo Assets: Risk assessment is a systematic process used to analyze threats, vulnerabilities, and the criticality of assets to better support key decisions. We have previously reported that without using a risk management approach, TSA and other federal decision makers cannot know whether resources are being deployed as effectively and efficiently as possible to reduce the risk and mitigate the consequences of a terrorist attack.[Footnote 32] The importance of a risk management approach was also highlighted by the National Commission on Terrorist Attacks upon the United States (also known as the 9/11 Commission).[Footnote 33] The commission noted that the United States government should identify and evaluate the transportation assets that need to be protected, set risk-based priorities for defending them, select the most practical and cost-effective ways of doing so, and develop a plan, budget, and funding to implement the effort.[Footnote 34] The commission further reported that the plan should assign related roles and missions to the relevant federal, state, and local authorities and to private stakeholders. TSA has acknowledged the need to assess the risks associated with air cargo security and is in various phases of conducting these assessments. However, while TSA has completed an assessment of air cargo threats, the agency has not yet developed a methodology or schedule for completing assessments of air cargo vulnerabilities or critical assets. TSA Has Identified Terrorist Threats to Air Cargo: In TSA's 2003 Air Cargo Strategic Plan, the agency outlined an approach for securing the air cargo transportation system based on two threats. These threats include the introduction of an explosive device on a passenger aircraft and the hijacking of an all-cargo aircraft resulting in its use as a weapon to inflict mass destruction.[Footnote 35] In June 2004, a TSA air cargo security threat assessment confirmed the threats identified in the agency's Air Cargo Strategic Plan and provided additional information on other general and specific threats to the air cargo industry.[Footnote 36] In October 2004, TSA conducted additional threat assessments, focusing on United States mail and threats to the United States commercial aviation system. These assessments identified the same threats to the air cargo transportation system documented in TSA's June 2004 assessment. More recently, in April 2005, TSA briefed a congressional committee on threats to the nation's entire transportation sector, including aviation. The briefing included a threat matrix that ranked the risk associated with the different transportation modes and showed threats to the air cargo system that were consistent with previous threat assessments. (The details of TSA threat assessments and the briefing are classified.) TSA officials acknowledged the need to periodically reassess the terrorist threats to air cargo and stated that the agency's air cargo threat assessment would be updated as new or additional information on air cargo security threats is identified.[Footnote 37] In June 2005, TSA officials requested that the agency's Transportation Security Intelligence Service (TSIS) update the air cargo threat assessment. According to TSA officials, they have not been provided a date for when this assessment will be completed. TSA officials stated that because the agency does not independently gather intelligence information, the agency is dependent upon sources, such as DHS's Directorate of Information Analysis and Infrastructure Protection, the Federal Bureau of Investigation (FBI), and the Central Intelligence Agency, for information on air cargo security-related threats. According to agency officials, TSA's TSIS reviews intelligence information upon receipt and analyzes such information to determine whether policy decisions are needed to address the identified threats. Such policy decisions could include immediate actions to safeguard air cargo through the issuance of security directives or long-term strategic planning efforts to enhance the overall security of the nation's air cargo transportation system. Some air cargo industry stakeholders agreed with TSA's decision to focus efforts on strengthening air cargo security based on the two threats described in the agency's strategic plan and proposed air cargo security rule. For example, one passenger air carrier representative said that his company supported TSA's decision to increase supply chain security in a post-September 11 environment. However, other air cargo stakeholders noted that TSA plans to enhance air cargo security do not sufficiently address another potential threat to the air cargo transportation system. Specifically, in comments to TSA's proposed air cargo security rule, associations representing airline pilots, some security technology experts, airline passenger groups, and airport operators stated that the third threat--the introduction of an explosive device containing a weapon of mass destruction on an all- cargo aircraft--warrants greater emphasis in the agency's near-and long- term air cargo security plans. In discussing this issue, TSA officials stated that the agency decided to focus on the two threats cited above because they are the most likely scenarios to occur. TSA officials also stated that they address potential threats as needed. In June 2005, TSA officials stated that DHS is concerned about a new and emerging threat to air cargo on a passenger aircraft.[Footnote 38] According to TSA officials, the agency is reviewing the likelihood that this threat would occur and what actions would need to be taken to mitigate the threat. TSA Disseminates Air Cargo Security Threat Information, but Industry Stakeholders Have Varying Views on the Quality of the Information Received: TSA disseminates threat information related to air cargo security to relevant stakeholders through several methods. TSA officials stated that they typically notify the Federal Security Directors (FSDs), who are responsible for overseeing the implementation of air cargo security requirements at airports nationwide, of the most updated threat information related to aviation security, to include the security of air cargo.[Footnote 39] In turn, the FSDs and responsible field office staff notify stakeholders, including passenger and all-cargo carriers, of threat-related information in person or via electronic mail or telephone. For example, at one airport we visited, TSA and the law enforcement community hold a monthly meeting in which both classified and nonclassified information on threat-related information is exchanged among the participants. In addition, updated threat information can also be relayed to industry stakeholders, such as air carrier security managers, via information circulars, emergency amendments, and security directives issued by TSA, which typically contain new security requirements or other prescribed actions to take to mitigate the identified threats. In recognition that some industry stakeholders with a need to know, such as indirect air carriers, may not be receiving air cargo security threat information, TSA is proposing through its air cargo security rule to implement measures allowing for indirect air carrier personnel to receive such information. Specifically, this proposal would require indirect air carriers to designate a security coordinator at the corporate level who would be responsible for implementing security programs and serve as the point of contact for communications with TSA. Air cargo stakeholders we spoke with, including air carrier officials, expressed various views on the quality of the air cargo threat information they received from TSA. An official from one of the seven air carriers we interviewed stated that the threat information provided by TSA was adequate, while officials from two other carriers stated that the information lacked specificity about the locations, targets, and assets being threatened, and was not communicated directly to all cargo industry stakeholders who may have a need to know such information, such as indirect air carrier personnel and airline pilots. Officials from these two carriers stated that in the absence of quality TSA threat information, they have taken independent steps to compile and analyze potential air cargo threat information and use this information as a basis to make informed decisions on whether additional air cargo security measures are warranted. For example, officials from one of the two carriers stated that the all-cargo carrier had assigned a full-time staff person to perform daily reviews and analyses of government and publicly available information to identify potential threats to its air cargo personnel, aircraft, and operations resulting from reports of civil unrest, political instability, the high presence of extremists and terrorist groups, and anti-United States sentiment in foreign countries. These officials stated that this information is communicated to corporate managers to facilitate operational decisions, which could include increased security measures. Officials from the remaining four air carriers did not comment on the quality of threat information provided by TSA. As we have previously reported, dissemination of timely, specific, and actionable threat information is a key element of effective risk communication. Our prior work on aviation security has also shown that TSA faces challenges in ensuring that threat information is effectively communicated to relevant stakeholders because intelligence information can be general.[Footnote 40] In November 2004, we reported that applying risk communication principles that focus on relaying to the extent possible, only timely, specific, and actionable information could provide organizations like TSA with the best opportunity to achieve the desired result of effectively communicating with stakeholders.[Footnote 41] We discussed the issues raised by industry stakeholders with TSA officials, who stated that that the agency is a consumer of intelligence and a disseminator of related-threat information to stakeholders and thus can only provide stakeholders with information it receives. In addition, intelligence information may be classified or sensitive, thus limiting with whom it can be shared.[Footnote 42] Specifically, TSA's TSIS receives information from the United States intelligence and federal law enforcement communities. For example, the FBI shares intelligence information and maintains daily contact with TSA through its liaison responsible for civil aviation. TSA also participates in the FBI's Joint Terrorism Task Forces in some FBI field office locations. Upon receipt of threat information, TSIS reviews the information for its applicability to the transportation sector. According to TSA officials, on the basis of the credibility of the information, the agency may obtain an unclassified version of threat- related intelligence so that it may be disseminated to TSA field office officials and stakeholders. TSA Has Not Completed a Methodology or Established a Schedule for Conducting Assessments of Air Cargo Vulnerabilities and Critical Assets: TSA has not yet completed a methodology or established a schedule for completing a post-September 11 assessment of air cargo vulnerabilities to identify the range of security weaknesses that could be exploited by terrorists or an assessment of critical assets that need to be protected. TSA is in the early stages of developing a methodology for conducting a post-September 11 assessment of air cargo security vulnerabilities. However, according to officials, limited resources and competing priorities have delayed agency efforts to conduct such an assessment.[Footnote 43] TSA officials stated that after completing its vulnerability assessments and analyzing the results, the agency may propose measures to address identified vulnerabilities. TSA also has not yet developed a methodology for conducting criticality assessments of air cargo assets. TSA officials stated that they anticipate conducting three air cargo vulnerability assessments beginning in June 2005 at locations yet to be determined and will decide whether additional assessments are needed based on the results of these initial assessments. However, TSA has not established a schedule for when it would complete these vulnerability assessments, nor has it established a schedule for completing criticality assessments. TSA officials stated that the agency will use vulnerability assessment tools such as the agency's Transportation Risk Assessment and Vulnerability Evaluation tool and Web-based Vulnerability Identification Self-Assessment Tool for conducting its vulnerability assessments of the air cargo system.[Footnote 44] However, as of September 2005, these tools have not been modified for use in conducting such assessments. Further, TSA officials did not establish a schedule for when these tools would be ready for use, thus raising concerns whether TSA will have the necessary tools available to begin conducting its vulnerability assessments. According to TSA's Air Cargo Strategic Plan, the agency's plans for enhancing air cargo security considered air cargo system vulnerabilities identified by GAO, the Department of Transportation's Inspector General, and the Federal Aviation Administration. For example, in October 2001, the Federal Aviation Administration conducted an assessment of air cargo security that focused on the pathways by which a terrorist may introduce an improvised explosive device into the cargo hold of a passenger aircraft. Some air cargo vulnerability scenarios, however, were not addressed. Other air cargo vulnerabilities identified relate to the adequacy of background investigations for all persons handling cargo, possible tampering with cargo during transport, and the illegal shipment of hazardous materials. We and others have also reported that the amount of cargo theft that occurs in these locations, which is estimated to range into the billions of dollars annually, indicates potential weakness in security, including air cargo security.[Footnote 45] Recent news reports of air cargo workers stealing goods from all-cargo aircraft intended for United States military personnel further illustrates this concern. Various sources have highlighted the importance of TSA's efforts to assess air cargo vulnerabilities. Specifically, TSA officials have acknowledged the need to conduct a post-September 11 vulnerability assessment to both validate existing vulnerabilities in the air cargo security system and identify new ones.[Footnote 46] In addition, air carrier representatives we spoke with said that a TSA-led vulnerability assessment would facilitate their efforts to comprehensively document air cargo security weaknesses and develop measures that would effectively mitigate the identified weaknesses. These air carrier representatives added that TSA's assessment process should also be ongoing and repeated as needed to reflect major changes in the air cargo threat environment. In addition, in December 2003, the President issued a directive calling for assessments of the vulnerability of critical infrastructure to assist in developing the nation's homeland security strategy.[Footnote 47] TSA has also taken the departmental lead in developing a National Strategy for Transportation Security, for which air cargo vulnerability assessments may provide critical information.[Footnote 48] Data on air cargo security breaches could also provide useful information to identify the full range of potential air cargo security vulnerabilities by exposing weaknesses in air cargo security procedures that would otherwise not be detected. However, TSA has not defined what constitutes a breach of air cargo security, even though it has defined breaches of security in other areas of aviation security, such as passenger and airport access controls.[Footnote 49] Specifically, TSA officials stated that the agency has not yet determined the difference between a security breach and a violation of air cargo security requirements identified through its regulatory oversight of air carriers and indirect air carriers. In our discussions with TSA officials, TSA agreed that an air cargo security breach could consist of an event that exposes vulnerabilities in air cargo security procedures that would not necessarily be detected during a TSA compliance inspection. TSA officials acknowledged that such events could include instances of human stowaways in aircraft cargo holds, an event for which TSA issued security directives calling for random inspection of cargo on all-cargo aircraft to deter and detect future occurrences. Although TSA officials agreed that data on air cargo security breaches could provide useful information to identify potential security weaknesses, the agency does not have plans to define what constitutes a breach of air cargo security or compile information on these breaches. In addition to lacking some data on air cargo vulnerabilities, TSA has not developed a methodology or schedule for completing assessments to identify those air cargo assets deemed most critical to protect. Air cargo assets could include workers, facilities, aircraft, and airports in heavily populated areas, among other things. According to TSA officials, the agency is still in the process of determining the methodology it will use to conduct criticality assessments of air cargo assets, as well as the criteria for identifying such assets. The criteria could include factors such as the number of fatalities that could occur during an attack on an airport cargo facility or the economic and political importance of the cargo facility. TSA officials stated that the agency's efforts to identify critical air cargo assets have been delayed because of limited resources and competing aviation security priorities. To facilitate the development of a methodology for identifying critical air cargo assets, such as indirect air carriers and their facilities, TSA officials stated that the agency planned to contract with the National Safe Skies Alliance to compile business and location information on the nation's entire population of indirect air carriers, and to map out in detail the various ways cargo can flow through the supply chain.[Footnote 50] However, TSA officials stated that they decided not to fund this effort because of its cost. According to TSA officials, the agency plans to capture information on the entire population of indirect air carriers and the location of their facilities through its centralized indirect air carrier database, which was deployed in May 2005. TSA officials stated that this database will provide the agency with more detailed information on these critical assets. The need for an assessment of critical transportation infrastructure, which could include the nation's air cargo transportation system, has been identified by various sources. For example, the 9/11 Commission reported that the United States government should identify and evaluate the transportation assets that need to be protected, set risk-based priorities for defending them, select the most practical and cost- effective ways of doing so, and develop a plan, budget, and funding to implement the effort. Moreover, DHS's 2005 Interim National Infrastructure Protection Plan highlights the need for criticality assessments of transportation infrastructure, beginning with the identification of critical or key assets. TSA officials acknowledged that completed criticality assessments could better enable the agency to prioritize its efforts by focusing on high-priority or high-value air cargo assets, and by targeting resources to cost-effectively address the most critical air cargo security risks. Moreover, criticality assessments could provide the basis for taking immediate protective actions depending on the threat environment and the need, as well as future agency decisions related to securing the air cargo supply chain. In the absence of completed vulnerability and criticality assessments, TSA officials stated they are using available threat intelligence, expert judgment, and information about past terrorist incidents to select and prioritize their efforts to address air cargo security needs, including determining where to place TSA's cadre of 200 dedicated air cargo inspectors. For example, TSA officials said that in 2004, the agency allocated the first 100 of its 200 dedicated air cargo inspectors to airports with the highest volume of air cargo. Officials also stated that other factors considered in determining the allocation of inspectors included whether the airport was considered high-risk because of its geographic location, and the number of air carriers and indirect air carriers operating at that airport, as well as other airport-specific issues. TSA officials stated that the agency will continue to use such rationales in determining where to allocate its remaining dedicated air cargo inspectors until criticality assessments are completed. TSA Has Implemented Actions Intended to Strengthen Air Cargo Security, but Factors Exist That May Limit Their Effectiveness: TSA has implemented a variety of actions intended to strengthen the security of air cargo as it works to fully implement a risk management approach for securing air cargo. Specifically, these measures focus on four areas: (1) improving the screening and inspection of air cargo, (2) strengthening the physical security of aircraft and cargo operation areas, (3) conducting security checks on cockpit crew members, and (4) verifying and validating the identity of indirect air carriers. However, factors exist that may limit the effectiveness of these measures. For example, the information in TSA's database on known shippers is incomplete because participation is voluntary, and the information in the database may not be reliable. In addition, exemptions in TSA's random cargo inspection requirements may leave the air cargo system vulnerable to terrorist attack. Further, TSA has not developed performance measures to determine to what extent air carriers and indirect air carriers are complying with air cargo security requirements, analyzed the results of inspections to systematically target future inspections on those entities that pose a higher security risk to the domestic air cargo system, or assessed the effectiveness of its enforcement actions in ensuring air carrier and indirect air carrier compliance with air cargo security requirements. TSA Has Implemented Various Actions Aimed at Strengthening Air Cargo Security: Prior to the events of September 11, the Federal Aviation Administration was responsible for overseeing the security of domestic air cargo. Security regulations and rules in place at that time focused on preventing the introduction and transport of any unauthorized explosive or incendiary via cargo aboard passenger aircraft and included requirements related to the acceptance, handling, and inspection of cargo, and access to cargo areas and aircraft, among other things. Since its establishment in November 2001, TSA has implemented additional actions intended to strengthen domestic air cargo security, several of which built upon preexisting requirements. According to TSA, the new actions were implemented in the aftermath of the terrorist attacks on September 11, to address general threats to the nation's aviation transportation system, specific threats to air cargo, and incidences of exploited vulnerabilities in existing air cargo security programs and requirements. Specifically, these actions focus on four areas: (1) improving the screening of air cargo, including prohibiting shipments from unknown shippers on passenger aircraft, and requiring air carriers to perform random cargo inspections for weapons, explosives, and stowaways; (2) strengthening the physical security of aircraft and cargo operation areas, including controlling access around aircraft; (3) conducting security checks on cockpit crew members, among others, consisting of checks against TSA no- fly and selectee lists, and other terrorist-related law enforcement or intelligence databases; and (4) verifying the identity of indirect air carriers to identify entities potentially posing a security risk. According to TSA officials, while some of these actions, such as random cargo inspections, are designed to serve as interim measures until a more comprehensive risk management approach to air cargo security can be implemented, others, such as the centralized Known Shipper database and system to verify indirect air carriers, will be used to support their planned risk management approach.[Footnote 51] TSA has implemented requirements for conducting security checks on cockpit crew members for both passenger and all-cargo aircraft. This requirement was implemented to ensure that individuals who pose a potential terrorist threat are not permitted to board or access an aircraft. In addition, TSA implemented an automated system to recertify indirect air carriers, and took steps to verify the accuracy of information for each indirect air carrier to identify entities posing a security risk.[Footnote 52] TSA took these steps in recognition that indirect air carriers could pose a potentially serious vulnerability in the air cargo transportation system and because the historic paper- based process for certifying indirect air carriers was time-consuming and cumbersome.[Footnote 53] Specifically, in May 2004, TSA began operating a Web-based system that allowed indirect air carriers the option of electronically submitting information to revalidate their status in lieu of submitting paper renewal forms. The system also informs indirect air carriers via e-mail when their certification is due to expire. According to TSA officials, in May 2005, the agency allowed indirect air carriers to submit initial certification applications on-line. TSA's proposed air cargo security rule would require indirect air carriers to use the agency's automated system to obtain initial indirect air carrier certification and to apply for recertification. Air cargo industry stakeholders have also independently taken measures to enhance air cargo security. However, several officials representing air carriers and indirect air carriers we spoke to stated that they were generally reluctant to invest resources on implementing security measures beyond those required by TSA. Specifically, these representatives stated that they were waiting for TSA to finalize its proposed air cargo security rule, due in mid-August 2005, before spending funds on security measures that may differ from those that would be required by TSA. As of September 2005, this rule has not been issued. We did, however, identify some examples of air carriers and indirect air carriers that have taken actions to address air cargo security that went beyond implementing measures currently required by TSA. Specifically, officials representing 8 of the 11 air carriers and indirect air carriers we spoke with stated that they had implemented security measures beyond those required by TSA. According to some of the 8 air carrier and indirect air carrier officials, while some of these actions focus on safeguarding cargo from theft, they also have applicability to cargo security and mitigating terrorist threats. These actions include inspecting a higher percentage of air cargo than required by TSA and conducting recurring security training for air cargo workers, among other things.[Footnote 54] Known Shipper Program May Not Provide Adequate Assurance That Shippers Are Trustworthy and That Air Cargo Transported on Passenger Aircraft Is Secure: ATSA requires the screening of all passengers and property, including cargo, United States mail, and carry-on and checked baggage that is brought aboard commercial passenger aircraft. TSA has primarily relied on its Known Shipper program to ensure that cargo transported on passenger air carriers is screened in accordance with this requirement. [Footnote 55] The Known Shipper program allows individuals or businesses with established histories to ship cargo on passenger carriers.[Footnote 56] However, the Known Shipper program has weaknesses and may not provide adequate assurance that shippers are trustworthy and that air cargo transported on passenger air carriers is secure.[Footnote 57] As part of the Known Shipper program, in February 2004, TSA deployed a voluntary centralized Known Shipper database designed to streamline the process by which shippers are made known to carriers with whom they conduct business.[Footnote 58] As of May 2005, TSA reported that the database is being used by 89 air carriers and over 500 indirect air carriers and contains information on approximately 400,000 known shippers. Prior to the database being implemented, each air carrier and indirect air carrier was responsible for maintaining its own information on its known shippers. As a result, each carrier had to repeat the process of making new shipping customers known when that shipper was already known to another carrier. The centralized database allows carriers and indirect air carriers to electronically ascertain the status of shippers unknown to carriers and indirect air carriers. Specifically, an electronic message is provided to the air carrier or indirect air carrier indicating whether or not the shipper is a known shipper. If the shipper is known, a unique shipper identification number is electronically provided to the carrier, and the cargo can be accepted from that shipper as known shipper cargo and shipped on a passenger aircraft. TSA officials stated that these known shipper data are automatically compared with the names of restricted entities. If the shipper is a restricted entity, the carrier would receive a warning against receiving shipments from that entity. Local TSA officials at airports we visited and associations representing air carriers, law enforcement, and pilots we spoke with stated that while the Known Shipper program may provide some security benefit, it is by itself an insufficient security safeguard and must be supplemented by other security measures.[Footnote 59] Following the terrorist acts of September 11, TSA issued security directives which require that passenger air carriers only transport cargo from shippers who meet certain eligibility criteria.[Footnote 60] However, these requirements may not by themselves deter or prevent terrorists from meeting the Known Shipper program's basic eligibility criteria and thus becoming known shippers.[Footnote 61] According to TSA officials, the new Known Shipper program requirements are one of several layers of air cargo security--including random cargo inspections conducted by air carriers, comparing information on cargo cockpit members against terrorist watch lists, and securing access to aircraft and cargo operation areas--aimed at deterring and preventing terrorists from doing harm.[Footnote 62] TSA currently estimates that the agency's centralized database contains information on about 400,000 known shippers, or less than one-third of the total population of known shippers, which TSA estimates at about 1.5 million known shippers.[Footnote 63] Moreover, we determined that the information contained in the agency's database may not be reliable.[Footnote 64] TSA is planning to address the problems associated with the Known Shipper database by, among other things, proposing that air carriers and indirect air carriers be required to submit information on their known shippers into the database. According to TSA officials, information in the Known Shipper database could be used in a variety of ways to identify shippers who pose a risk to the air cargo transportation system.[Footnote 65] For example, analyses of known shipper data could include those already being conducted for indirect air carriers.[Footnote 66] TSA Implemented Random Air Cargo Inspection Requirements as an Interim Security Measure, but Inspection Exemptions May Leave the Air Cargo System Vulnerable to Terrorist Attack: In November 2003, TSA required air carriers to conduct random inspections of air cargo transported on passenger and all-cargo aircraft.[Footnote 67] TSA officials stated that the agency views random inspections as an interim security measure until a risk-based approach that targets elevated risk cargo for inspection is implemented. As previously noted, inspection refers to some level of examination of cargo, which can include manual physical searches and the use of nonintrusive technology to ensure that cargo does not contain an improvised explosive device or stowaway. TSA established the requirements for random inspection to address threats to the nation's aviation transportation system and to reflect the agency's position that inspecting 100 percent of air cargo was not technologically feasible and was potentially disruptive to the flow of air commerce. TSA officials stated that through these random inspection requirements, the agency attempted to balance the need for increased security with the need to allow for the flow of air commerce. TSA officials added that the random nature of the inspections adds an additional layer of security to the air cargo transportation system by inserting a level of uncertainty into the inspection process, thus creating a deterrent effect to terrorists. As of May 2005, TSA required that passenger carriers randomly inspect a specific percentage of nonexempt items, and that all-cargo carriers randomly inspect a different percentage of nonexempt items.[Footnote 68] According to TSA officials, the agency issued an amendment to air carriers' security programs on April 25, 2005, to triple the percentage of cargo inspected on passenger aircraft to address a provision in the fiscal year 2005 Department of Homeland Security Appropriations Act.[Footnote 69] According to TSA officials, the increase in the percentage of nonexempt cargo items inspected was to be phased in by the end of July 2005. TSA officials stated that they chose to exempt certain cargo from the requirement for random inspection because it did not view the exempted cargo as posing a significant security risk.[Footnote 70] In an effort to address the threats identified for all-cargo aircraft, TSA focused its inspection requirements for all-cargo air carriers on specific areas that address known threats. Similarly, in an effort to address the threats identified for passenger aircraft, TSA focused its inspection requirements for passenger air carriers on items that could potentially contain an explosive device. Four local TSA officials and airport and air carrier officials we spoke with at airports we visited stated that existing inspection exemptions could pose a potential vulnerability to the air cargo security system. According to industry stakeholders, including two air carriers and four local TSA officials we spoke to, while the rationale for exempting certain types of cargo from inspection is understandable, the exemptions may create potential security risks and vulnerabilities.[Footnote 71] Without examining the rationale of current air cargo inspection exemptions in light of potential vulnerabilities associated with these exemptions, TSA cannot be assured that increasing the percentage of cargo inspected by air carriers, as required by recent legislation, will enhance air cargo security. Airport, air carrier, and indirect air carrier officials we interviewed agreed that the rationale for these exemptions should be reviewed and potentially reconsidered in light of the potential vulnerability associated with the exemptions. According to TSA officials, the agency has no plans to revise its current inspection exemptions for cargo transported on passenger air carriers. Further, because of existing inspection exemptions for cargo transported on passenger air carriers, a significant portion of this cargo is not subject to physical inspection. Specifically, at 4 of the 12 airports we visited, we observed cargo being loaded and unloaded onto both passenger and all-cargo aircraft. During these four visits, a considerable amount of cargo we observed being loaded and unloaded was exempt from inspection.[Footnote 72] While we did not directly observe cargo inspections conducted by air carriers, we discussed the quality of the inspections with air cargo industry stakeholders, including air carriers. Officials from four air carriers we spoke with stated that the quality and thoroughness of cargo inspections on passenger aircraft varied.[Footnote 73] The quality of air cargo inspections is also the subject of an ongoing Department of Homeland Security Inspector General review. TSA's Inspection Program May Not Be Effective in Ensuring Air Carrier and Indirect Air Carrier Compliance with Air Cargo Security Requirements: As discussed previously, air carriers and indirect air carriers have the primary responsibility for implementing domestic air cargo security requirements, in contrast to the screening of passengers and baggage, for which TSA has operational responsibility. For air cargo, TSA's role is to ensure that air carriers and indirect air carriers are complying with TSA security requirements. TSA determines industry compliance with existing air cargo security requirements through regulatory audits or inspections.[Footnote 74] Although the agency has significantly increased the number of inspections it conducts, TSA has not (1) developed performance measures to determine to what extent air carriers and indirect air carriers are complying with air cargo security requirements; (2) analyzed the results of inspections to systematically target future inspections on those entities that pose a higher security risk to the domestic air cargo system; or (3) assessed the effectiveness of its enforcement actions in ensuring air carrier and indirect air carrier compliance with air cargo security requirements. TSA's Air Cargo Security Compliance Inspection Program: TSA inspections can include reviews of documentation, interviews of carrier personnel, direct observations of air cargo operations, and testing by inspectors to determine whether air carriers and indirect air carriers are in compliance with air cargo security requirements. TSA's 950 inspectors are responsible for inspecting 285 passenger and all-cargo air carriers with about 2,800 cargo facilities nationwide, as well as 3,800 indirect air carriers with about 10,000 domestic locations. Of TSA's 950 aviation security inspectors located at airports throughout the United States, 750 are considered generalists who conduct a variety of aviation security inspections, and 200 are dedicated to conducting air cargo inspections. Domestic passenger air carriers have 11 separate areas of cargo security that are subject to inspection, while indirect air carriers have 12 areas that are subject to inspection. All-cargo carriers that have implemented the voluntary all-cargo security program have 24 areas that are subject to inspection. These areas of inspection include access to cargo, cargo acceptance, including cargo from known shippers, and security training and testing. In TSA's Annual Inspection and Assessment Plan for fiscal year 2004, the agency revised its approach for ensuring compliance with air cargo security regulations by increasing the number of inspections yet narrowing the focus. Specifically, prior to fiscal year 2004, TSA's goals were to inspect each air carrier and indirect air carrier once a year and cover all aspects of air cargo security (known as comprehensive inspections). Beginning in fiscal year 2004, TSA's new approach involved visiting air carriers and indirect air carriers but inspecting only some of the air cargo specific inspection areas (known as supplementary inspections). According to TSA officials, the new inspection process uses risk management principles that consider threat factors, local security issues, and input from law enforcement to target key vulnerabilities and critical assets. TSA added that the new process also takes into account how to use the agency's limited inspection resources most effectively. As a result, TSA's approach provides the local FSD at each airport the responsibility for determining the scope and emphasis of the inspections, as well as discretion for how to assign local inspection staff. TSA provides local airport FSDs and inspectors with goals for the number of inspections to be conducted per quarter. TSA's Annual Inspection and Assessment Plan for fiscal year 2005 established air cargo inspection goals. TSA Has Not Developed Performance Measures to Determine an Acceptable Level of Compliance with Air Cargo Security Requirements: According to TSA officials, following the terrorist attacks of September 11, the primary focus of inspectors was to monitor passenger and baggage screening operations rather than to conduct air cargo compliance inspections. Officials added that the agency was not able to conduct a large number of inspections of air carriers and indirect air carriers prior to January 2003 because of limited personnel assigned to perform these tasks and agency decisions to direct these resources to address other areas of aviation security. More recently, TSA has focused on increasing the number of air cargo inspections. Our analysis of TSA data shows that the number of inspections conducted in 2004 rose over 10-fold from the number conducted in 2003. TSA officials stated that several factors account for the increase in the number of inspections, including the hiring, training, and deployment of dedicated cargo inspectors, and a shift in the agency's focus from conducting comprehensive inspections that cover all aspects of air cargo security to supplemental inspections that cover only some of the 24 air cargo specific inspection areas. TSA established an automated Performance and Results Information System (PARIS) to compile the results of cargo inspections and the actions taken when violations are identified.[Footnote 75] Our analysis of PARIS inspection records shows that between January 1, 2003, and January 31, 2005, TSA conducted 36,635 cargo inspections of air carriers and indirect air carriers and found 4,343 violations.[Footnote 76] Figure 3 shows TSA's air cargo security compliance inspection volumes by month, from January 1, 2003, to January 31, 2005.[Footnote 77] Figure 3: TSA Air Cargo Security Compliance Inspection Results for the Period between January 1, 2003, and January 31, 2005: [See PDF for image] This figure is a vertical bar graph depicting TSA Air Cargo Security Compliance Inspection results for the period between January 1, 2003, and January 31, 2005. The vertical axis of the graph represents number of inspections from 0 to 3,500. The horizontal axis of the graph represents months from January 2003 through January 2005. Source: GAO analysis of TSA data. [End of figure] Although TSA has compiled information on the number of air cargo security compliance inspections conducted and the number of violations identified, the agency has not determined what constitutes an acceptable level of performance or compared air carriers' and indirect air carriers' performance against this standard. As previously noted, TSA officials stated that the agency has developed performance goals for the overall air cargo security program consistent with the Government Performance and Results Act. The agency, however, has not established performance measures to determine an acceptable level of compliance by air carriers and indirect air carriers with air cargo security requirements. Performance measures are indicators used to gauge performance and are meant to address key aspects of performance for a program and help decision makers assess program accomplishments and improve program performance. Such measures are also called for by our internal controls standards to enable agencies to compare and analyze actual performance data against expected or planned goals. Without such measures, TSA cannot assess the performance of individual air carriers or indirect air carriers against national performance averages or goals that would allow TSA to target inspections and other actions on those that fall below acceptable levels of compliance. According to TSA officials, the agency is currently working on developing short-term and long-term outcome measures for air cargo security, but they could not provide a timetable for when this effort would be completed. In addition, TSA officials acknowledged that the agency will need to compile sufficient data to determine the agency's progress in meeting such measures. Until these measures are established, TSA cannot readily determine how carriers' compliance compares with a set standard of acceptable performance. TSA Has Not Yet Analyzed the Results of Inspections to Systematically Target Future Inspections Of Those Entities That Pose a Higher Security Risk to the Domestic Air Cargo System: TSA has taken initial steps to compile information on the results of its compliance inspections of air carriers and indirect air carriers and identify the most frequent types of violations found. For example, from January 1, 2003, to January 31, 2005, TSA identified violations committed by air carriers and indirect air carriers involving noncompliance with air cargo security requirements in several areas, including those TSA determined to be high-risk because they would pose the greatest risk to the safety and security of air cargo operations. Specifically, these violations covered areas such as cargo acceptance procedures, access control to cargo facilities, and physical cargo inspections. TSA identified indirect air carriers' failure to comply with their own security programs as the area with the most violations. According to TSA officials, the large number of violations by indirect air carriers is due, in part, to their unfamiliarity with air cargo security requirements. Figure 4 shows the top 10 violations found during inspections of air carriers and indirect air carriers as determined by TSA.[Footnote 78] Figure 4: Top 10 Areas in Which Violations Were Found During Air Cargo Inspections for the Period January 1, 2003, to January 31, 2005: [See PDF for image] This figure is a vertical bar graph depicting the top 10 areas in which violations were found during air cargo inspections for the period January 1, 2003, to January 31, 2005. The vertical axis of the graph represents number of violations, from 0 to 600. The horizontal axis of the graph represents the ten areas. The following data is depicted: Violation Area: Adherence to indirect air carrier security program; Number of Violations: 565. Violation Area: Documentation of air cargo notification process: Number of Violations: 399. Violation Area: Other[A]; Number of Violations: 368. Violation Area: Adherence to air carrier security program; Number of Violations: 329. Violation Area: Cargo accepted in accordance with security requirements; Number of Violations: 288. Violation Area: Cargo inspection training provided to air cargo workers; Number of Violations: 285. Violation Area: Cargo security training provided to workers; Number of Violations: 239. Violation Area: Properly controlling access to cargo; Number of Violations: 212. Violation Area: Adherence to air cargo security directives and emergency amendments; Number of Violations: 168. Violation Area: Cargo inspected in accordance with security requirements: Number of Violations: 159. Source: TSA. [A] According to TSA officials, "other" includes information on violations not specifically identified in the agency's PARIS database. [End of figure] While TSA has identified frequently occurring violations, it has not yet determined the specific area of violation for a large number of inspections completed from January 1, 2003, to January 31, 2005. For example, TSA reported its third most frequent type of air cargo security violations was "other." According to TSA officials, the "other" category includes violations that could not be easily categorized by one of the violation area fields listed in the agency's PARIS database. Moreover, our analysis found 540 additional violations for which no specific violation area was reported. When combined with the "other" violations, these two violation areas account for about 21 percent of the total number of air cargo security violations identified by TSA during this period. In addition, TSA could not identify how many of its 36,635 inspections covered each air cargo security requirement, including those in the top 10 violation areas identified in figure 4. As a result, TSA cannot determine the compliance rate for each specific area inspected. For example, TSA found 288 violations related to cargo acceptance procedures but could not identify how many of its inspections examined these procedures. Without complete information on the specific air cargo security requirements that air carriers and indirect air carriers violated, as well as the number of times each topic area was inspected, TSA is limited in its ability to determine the compliance rates for specific air cargo security requirements and effectively target future inspections for air cargo security requirements that are most frequently violated and the carriers and indirect air carriers that violate them. In June 2005, TSA officials informed us that in the future they intend to compile information on the number of instances in which specific air cargo security requirements are inspected. While TSA has compiled information on the results of its compliance inspections, the agency has not yet systematically analyzed these results to target future inspections on security requirements and entities that pose a higher risk. Analyzing inspection results would be consistent with our internal control standards calling for comparisons of data to identify relationships that could form the basis for corrective actions, if necessary.[Footnote 79] TSA officials and the agency's fiscal year 2005 annual domestic inspection and assessment plan identified the need for such analyses. According to TSA officials, the agency has recently hired one staff person to begin analyzing inspection data. In June 2005, TSA officials also stated that the agency is working to revise its PARIS database to allow for more accurate recording of inspection violations. However, the agency has not systematically analyzed the results of its inspections to target future inspections of those entities that pose an increased security risk. Without an analysis of the results of its inspections, TSA has a limited basis to determine how best to allocate its inspection resources. Analyzing key program performance data and using the results of this analysis to effectively allocate resources are consistent with elements of a risk management approach. Specifically, analyzing the results of compliance inspection data could help focus limited inspection resources on those entities posing a higher security risk. Such targeting is important because TSA may not have adequate resources to inspect all air carriers and indirect air carriers on a regular basis. According to TSA inspection data for the period from January 1, 2003, to January 31, 2005, compliance inspections identified a greater incidence of violations by indirect air carriers than by air carriers. Specifically, violations found in inspections of indirect air carriers accounted for 72 percent of the total violations identified (3,116 out of 4,343). In addition, the percentage of inspections of air carriers that did not identify a violation of air cargo security requirements was significantly higher than that for indirect air carriers. Specifically, TSA found violations in over 40 percent in its domestic indirect air carrier inspections during this period, while it found violations in less than 10 percent of its domestic air carrier cargo inspections. In addition, our analysis of TSA's compliance inspection data from November 1, 2001, through September 30, 2004, determined that the agency had conducted compliance inspections of about 83 percent of the approximately 2,800 domestic air carrier stations, but for less than half (49 percent) of the estimated 10,000 indirect air carrier facilities nationwide during the same period.[Footnote 80] According to TSA officials, the agency is taking steps to enhance its ability to conduct compliance inspections of indirect air carriers.[Footnote 81] Specifically, in May 2005, TSA established a centralized database to capture information on indirect air carriers and required each indirect air carrier to provide information on corporate and satellite locations.[Footnote 82] The agency's ability to inspect indirect air carrier compliance could also be affected by the agency's proposed change in the definition of what constitutes an indirect air carrier. According to TSA's proposed air cargo security rule, the definition of indirect air carriers would be amended to include not only those companies transporting goods on passenger aircraft, but also those transporting goods via all-cargo aircraft. This change in definition will increase the number of regulated indirect air carriers TSA will be responsible for overseeing. As part of its compliance inspection process, TSA recently began implementing a testing program to identify air cargo security weaknesses, referred to as special emphasis assessments.[Footnote 83] On the basis of its review of compliance inspection results for the period of January 2003 and January 2005, TSA identified 25 indirect air carriers and 11 air carriers with a history of violations related to air cargo security requirements. TSA officials stated that the agency began conducting tests on these air carriers and indirect air carriers in April 2005.[Footnote 84] TSA officials stated that the agency plans to conduct additional tests. TSA officials further stated that the agency has not yet determined how it will use the results of its testing program to help interpret the results from its other compliance inspection efforts. TSA has also not analyzed inspection results to identify additional targets for future testing. Such analysis could include focusing compliance testing efforts on air carriers and indirect air carriers with a history of air cargo security violations related to high risk areas. TSA Has Not Yet Assessed the Effectiveness of Its Enforcement Actions in Ensuring Air Carrier and Indirect Air Carrier Compliance with Air Cargo Security Requirements: According to TSA officials, the agency corrects minor violations of air cargo security requirements collaboratively with air carriers and indirect air carriers through on-site counseling and training. TSA reserves the use of civil enforcement actions, which include administration actions and civil monetary penalties, for the most serious security risks identified during TSA inspections. Administrative actions range from a warning notice suggesting corrective steps to a letter of correction that requires the carrier to take immediate action to avoid civil penalties. TSA is authorized to issue civil monetary penalties when air carriers and indirect air carriers fail to correct serious violations of air cargo security requirements.[Footnote 85] TSA officials stated that the majority of air cargo security violations identified from January 1, 2003, to January 31, 2005, were addressed through on-site counseling and training. Specifically, of the 4,343 air cargo security violations identified during this period, TSA resolved almost 60 percent (2,590) through on-site counseling and training. TSA enforcement action data covering this period, however, did not specify the actions the agency took in resolving approximately 1,600 (about 35 percent) of the 4,343 air cargo security violations.[Footnote 86] TSA also recommended civil penalties for 185 violations, of which 11 were issued and 15 were resolved through administrative actions or no action. Enforcement actions on the remaining 159 violations are still pending.[Footnote 87] According to TSA officials, the agency has not assessed the effectiveness of its enforcement actions, including on-site counseling and civil penalties, in ensuring air carrier and indirect air carrier compliance with air cargo security requirements. Our reviews of agency compliance inspection programs have cited the need for evaluations of enforcement activities and have noted the effectiveness of using sanctions such as civil penalties to increase compliance.[Footnote 88] Moreover, ATSA requires TSA to conduct ongoing assessments of the effectiveness of penalties in ensuring airport compliance with security procedures. Without assessing the effectiveness of its enforcement actions, TSA cannot be assured that its current cooperative approach to addressing issues of noncompliance is resulting in increasing carrier compliance with air cargo security requirements. TSA Plans to Enhance Air Cargo Security, but Implementing These Plans Poses Challenges to the Agency and Air Cargo Stakeholders: TSA has developed plans aimed at enhancing air cargo security, but the agency and industry face challenges in effectively implementing these plans. Specifically, TSA is developing a system to target elevated risk air cargo for inspection that would minimize the agency's reliance on random inspections. This system would compare information on individual air cargo shipments as well as information from the Known Shipper, indirect air carrier, and PARIS databases against targeting criteria to assign a risk level to cargo. Cargo identified as posing an elevated risk would then be subject to additional inspection by air carrier personnel through physical searches or other nonintrusive means. Elevated risk cargo could include cargo that has been determined to pose a risk to the safety and security of passengers and air cargo operations. Although the agency acknowledges that the successful development of the targeting system is contingent upon having complete and accurate targeting information in a timely manner, the agency has not yet completed efforts to ensure that these data are complete, accurate, and current. Moreover, the agency has not yet determined the criteria that will be used to identify elevated risk cargo. TSA plans to pilot-test this targeting system beginning in early 2006 and phase in deployment of the system during calendar years 2006 and 2007. [Footnote 89] TSA is also testing and developing technologies to assess their applicability to air cargo--a key component of the agency's Air Cargo Strategic Plan. According to TSA officials, the results of its technology tests will need to be analyzed before the agency determines which technologies will be certified for inspecting cargo, and whether it will require air carriers to use such technology. Further, TSA's proposed air cargo security rule would require air carriers and indirect air carriers to (1) include all known shippers in a centralized database, (2) secure air cargo facilities, and (3) conduct security checks on air cargo workers. A number of industry stakeholders, including passenger and all-cargo carriers that commented on the proposed rule, stated that TSA underestimated the costs associated with implementing the proposed measures and that some of these proposals may be difficult to implement. Our analysis of TSA's proposed air cargo security rule cost estimate, $637 million (in discounted 2003 dollars) over a 10-year period, identified concerns with the agency's methodology for calculating the cost estimate and suggests that TSA's cost figure may have been underestimated. According to TSA officials, the agency plans to reassess its cost estimates before issuing its final air cargo security rule. TSA Is Working to Develop a System to Target Elevated Risk Cargo, but Has Not Yet Ensured That Data to Be Used to Target Cargo Are Complete, Accurate, and Current: According to TSA officials, the agency decided to develop a system to target elevated risk cargo after concluding that physically inspecting 100 percent of the cargo boarded onto passenger aircraft was not feasible using currently available technology without significantly impeding the flow of commerce. Specifically, TSA officials stated that currently available technology does not have the capability to inspect various types and sizes of cargo in a timely manner and that the cost associated with inspecting 100 percent of air cargo could be significant. A Federal Aviation Administration analysis conducted in 2001 determined that only a small portion of the nation's air cargo could be inspected effectively or efficiently with available technology, for similar reasons. In its analysis, the Federal Aviation Administration estimated that 8,000 federal screeners and $500 million (in the first year) would be required to implement a federally managed cargo inspection program for passenger aircraft. Further, in June 2002, TSA estimated that it would cost air carriers and the federal government up to $3.61 billion (in discounted 2001 dollars) over 10 years to physically inspect all cargo placed in the cargo hold of commercial passenger aircraft, primarily because of the expense associated with inspection equipment and personnel costs. Moreover, according to TSA, delays associated with inspecting 100 percent of cargo would significantly affect the air cargo operations on passenger carriers by potentially delaying cargo delivery schedules. Delays associated with cargo inspection could also affect cargo shippers who may be required by air carriers to deliver cargo sooner so it can be properly inspected before being loaded onto aircraft. In addition, air cargo stakeholders contend that additional security costs related to 100 percent cargo inspection could adversely affect the financial status of air carriers. TSA is in the early stages of developing a system to target elevated risk cargo for additional scrutiny, including physical inspection through manual searches and the use of nonintrusive inspection technologies. TSA officials anticipate that the agency's targeting system, referred to as Freight Assessment, will minimize the reliance on the random physical inspections currently conducted by air carriers. TSA officials stated that the development of the Freight Assessment System will also help the agency to address one of its key objectives in the agency's Air Cargo Strategic Plan--identifying elevated risk cargo. TSA's planned Freight Assessment System would use information maintained in the agency's Known Shipper, indirect air carrier, and PARIS databases to target elevated risk cargo for inspection. Cargo that is identified by the Freight Assessment System as posing an elevated risk will then be physically inspected either through the use of inspection technology or other methods.[Footnote 90] According to agency plans, air carriers would receive targeting information from TSA on specific cargo items identified as posing an elevated risk. Upon notification by TSA's Freight Assessment System, carrier personnel would be responsible for conducting the inspection of cargo identified as elevated risk. Thus, cargo inspection would continue to differ from current passenger and baggage inspection in that cargo inspection would be performed by the employees of air carriers, rather than by a federal workforce. Air carrier and indirect air carrier officials we spoke with have raised concerns about their role in cargo inspection and have questioned the skill level and adequacy of inspection training provided to air carrier employees. TSA and CBP officials stated that they had agreed to jointly develop and deploy the Freight Assessment System and the rules that would be used to identify elevated risk cargo for inspection. TSA officials stated that the goal of this interagency coordination is to minimize the cost of the Freight Assessment System's development by leveraging existing DHS capabilities, and reduce the administrative burden on the air cargo industry by not requiring stakeholders to submit the same data to multiple government agencies. CBP is responsible for preventing terrorists and terrorist weapons from entering the United States. To target elevated risk international cargo, CBP systems store data on international cargo shipments, assign a risk score to a specific cargo shipment, and update stored information with the latest risk scoring for specific shipments.[Footnote 91] In addition, all commercial air carriers transporting international cargo must now transmit specific cargo information to CBP through an automated system.[Footnote 92] This cargo information is screened to identify elevated risk cargo based on certain criteria. Upon arrival in the United States, cargo that is deemed as posing an elevated risk is to be inspected either physically or with nonintrusive inspection technology by CBP inspectors. According to TSA and CBP officials, most of the components needed for TSA's Freight Assessment System already exist within CBP. To use these components, however, TSA will need to further develop its air cargo databases to identify and target elevated risk air cargo and develop the criteria and rules necessary to assign a risk score to domestic air cargo shipment. TSA's databases will also need to be linked to the systems housed within CBP. According to TSA officials, the preliminary design phase of the Freight Assessment System, incorporating components already existing within CBP, was completed on April 12, 2005.[Footnote 93] In addition to collaborating with CBP, TSA has worked with the air cargo industry to develop the overall design of the Freight Assessment System. For example, in September 2004, the Aviation Security Advisory Committee created an industry working group to advise TSA on the development of a Freight Assessment System. On April 28, 2005, the working group presented the Aviation Security Advisory Committee with four recommendations to be formally provided to TSA. The working group recommended (1) extending the life of the working group to enable the industry to have adequate input into the Freight Assessment System process as it evolves over time; (2) designing the Freight Assessment System to include processes for sharing threat information; (3) establishing a pilot program to determine whether the proper system elements are in place, and whether the communication between government and industry allows for the inspection of elevated risk cargo without disrupting the air cargo supply chain; and (4) obtaining public comment on the proposed Freight Assessment System through a notice of public rule making, and implementing the system through amendments to each regulated party's security program. During the April 28, 2005, meeting, the Freight Assessment System working group members noted that in addition to the targeting and physical inspection of elevated risk air cargo, random physical inspection should continue as an additional layer of security and stressed that once elevated risk air cargo is identified, inspection of such cargo should be performed by TSA employees. TSA officials stated that they would consider the working group's recommendations and that most of the group's recommendations have been accepted and incorporated into the Freight Assessment System design. In addition, TSA officials agreed to continue the life of the Freight Assessment System working group to extend through the implementation of the pilot. TSA further requested that once the pilot program was complete, the working group draft additional recommendations on the implementation of the system. According to TSA officials, however, the agency does not plan to use TSA employees to inspect air cargo because of the cost associated with using federal screeners and because the number of full-time equivalent screeners is capped at 45,000. TSA officials anticipate pilot-testing the Freight Assessment System in early 2006. According to TSA officials, two airlines and five indirect air carriers have agreed to participate in the pilot test. TSA officials expect to expand the pilot test to include cargo transported on all-cargo carriers but have yet to make a final determination on when the agency will expand the pilot. TSA officials also plan to phase in implementation and deployment of the targeting system for cargo transported on passenger carriers during calendar years 2006 and 2007. Until such time, TSA officials stated that the agency will rely on the Known Shipper program and random inspection requirements as the primary means for screening and inspecting air cargo. Although TSA has identified data elements that could be used in its Freight Assessment System, the agency has not yet ensured that these data are complete, accurate, and current. TSA acknowledges that the successful development of the targeting system is contingent upon having complete and accurate information on shippers and cargo shipments, among other things. However, as we have previously noted, there are problems with the information contained in the TSA Known Shipper database and how TSA uses this information to identify shippers who may pose a risk. TSA plans to make the Known Shipper database mandatory, allowing the agency to compile and verify information on the entire population of known shippers and take other actions to identify high-risk shippers. In December 2004, TSA contracted for a study to review the information contained in the Known Shipper database. However, as of June 2005, the study has not yet been completed. TSA officials stated that they intend to conduct a follow-on study to examine how to use known shipper data as part of the Freight Assessment System once privacy issues are addressed. Further, while TSA plans to use the results of its compliance inspection program to help target elevated risk cargo, the agency has not yet fully analyzed its compliance inspection results data or required air carriers to provide data of their inspection activities. In addition, TSA does not currently require carriers to submit information on individual domestic cargo shipments, as is done by CBP for international shipments in transit to the United States. TSA anticipates requiring domestic air carriers to submit such information under the proposed Freight Assessment System. Complete and accurate shipment and compliance inspection information is essential for the development of an effective system to target elevated risk cargo. Further, as we have recently reported, efforts to target elevated cargo will only be as good as the data used to conduct such targeting.[Footnote 94] Specifically, we reported on limitations associated with the information used by CBP in targeting oceangoing cargo. CBP uses manifest information as one of several data sources to assess the risk level of United States-bound shipments, but our review identified problems with this information.[Footnote 95] We found that without complete and accurate information on shipments, it is difficult for CBP's Automated Targeting System to accurately assess the risk of shipments and to conduct thorough targeting.[Footnote 96] Similarly, TSA plans to develop a system to target elevated risk domestic air cargo based on the use of information from existing agency databases, as well as information contained in air carrier's cargo airway bills. The limitations we identified with CBP's efforts highlight the need for TSA to evaluate the accuracy and reliability of information it plans on using to target elevated risk domestic air cargo. Without quality information, TSA's ability to effectively target cargo for inspection will be limited, regardless of the system being used. According to TSA officials, the agency is working to address issues of quality and availability for both industry-provided data and data from government sources. TSA anticipates using the results of this analysis as well as the results of its Freight Assessment pilot, which is currently scheduled for early 2006, to adjust the information that will be used to identify elevated risk cargo. Finally, TSA is still deliberating on the criteria it will use to define elevated risk cargo during the pilot test of its Freight Assessment System. While TSA is considering various factors for determining an air cargo shipment's risk, the agency has not yet determined whether these or other criteria will be used to define elevated risk cargo. According to TSA officials, the Freight Assessment System has been designed to accommodate changes in targeting criteria to identify elevated risk cargo. Establishing clear criteria for identifying elevated risk cargo will be essential for the development, testing, and implementation of an effective system to target such cargo for further inspection. TSA Is Testing Inspection Technologies to Determine Their Applicability to Air Cargo: TSA is currently developing and testing technologies to assess their applicability to the inspection of air cargo. According to TSA officials, the agency will determine whether it will certify or require the use of air cargo inspection technologies once the agency has completed its assessments of various technologies and the results have been analyzed. Testing and developing technology is also one of TSA's key objectives in the agency's strategic plan for enhancing air cargo security and is also a key component of TSA's plans to inspect elevated risk cargo. Recognizing the importance of researching and developing inspection technology, TSA obligated about $700,000 in fiscal year 2003 and was directed by the conference report for the DHS's fiscal year 2004 appropriations act to spend $55 million for air cargo security research and development activities. The fiscal year 2005 Department of Homeland Security Appropriations Act also directed the Secretary of Homeland Security to research, develop, and procure certified systems to inspect and screen air cargo on passenger aircraft at the earliest date possible.[Footnote 97] To accomplish this, the accompanying conference report directed TSA to spend an additional $75 million to research and develop air cargo security technologies.[Footnote 98] TSA is currently developing performance criteria for technology to inspect air cargo and considering whether to establish a certification standard for such technology. At present, TSA is not required to certify technology for air cargo inspection. Until such technology is certified, TSA officials stated that the agency will continue to allow air carriers to use the technologies and methods described in the air carrier standard security program and TSA security directives. These technologies and methods include manual physical searches, X-ray systems, explosive trace detection (ETD) equipment, explosive detection systems, TSA-certified explosives detection canine teams, and decompression chambers, among other methods.[Footnote 99] TSA security programs contain procedures and training requirements for air carrier personnel when using X-ray systems or performing manual searches of air cargo. TSA also established protocols for air carriers to follow when using ETD equipment to inspect air cargo. These protocols include testing procedures, operating instructions, alarm resolution guidance, and training requirements. TSA has recently completed a pilot program focused on testing the applicability of EDS technology to inspect individual pieces of air cargo, referred to as break bulk cargo.[Footnote 100] According to TSA officials, the agency decided to test EDS's applicability for inspecting air cargo, in part because this technology is already used to inspect checked baggage. EDS pilot-testing criteria included detection rates, false alarm rates, and throughput rates.[Footnote 101] Although EDS is currently an approved method for inspecting air cargo, it had not been tested by TSA to determine its effectiveness in inspecting air cargo. According to TSA officials, EDS was approved by the Federal Aviation Administration for inspecting air cargo, but TSA still needs to review the results of its EDS pilot test before the agency will determine whether to certify EDS for inspecting air cargo. Although TSA has not yet finalized its evaluation of the results of the EDS pilot, agency officials stated that preliminary data suggest that EDS technology is well suited to inspect break bulk cargo under a range of environmental and climactic conditions, but limitations exist with using such technology. TSA has not yet established time frames, however, for when the agency will decide whether or not to certify EDS technology for air cargo or require air carriers to use this technology to inspect air cargo. For a description of TSA's evaluation of EDS technology, see appendix V. TSA also recently completed an operational test and evaluation to determine the applicability of explosives detection canine teams to inspect air cargo. There are currently 370 TSA-certified explosives detection canine teams authorized and 333 assigned for use in inspecting passengers' checked baggage. According to TSA, the agency chose to test the effectiveness of TSA-certified explosives detection canine teams in inspecting air cargo in part because these teams are already used as part of the agency's multifaceted approach to airport security. As with EDS technology, existing TSA security programs allow air carriers to use canines for inspecting air cargo. According to TSA officials, the agency, however, has not yet certified the use of canines for inspecting air cargo. TSA officials stated that the canine operational test and evaluation was designed to determine the effectiveness of canine detection teams in the air cargo environment. Although TSA has not fully evaluated the results of the pilot tests, according to TSA, the data suggest that even without prior training, the canine teams performed effectively in inspecting various types of cargo. They added that the results of these tests will be used to determine whether canines will be certified for inspecting air cargo. TSA has not yet established time frames, however, for when such decisions will be made. For a description of the recently completed TSA canine pilot program, see appendix VI. TSA is also testing other forms of currently available cargo inspection technologies, as well as identifying and developing new and emerging technologies. In February 2004, for example, TSA solicited information from vendors on new and emerging technology concepts for inspecting cargo containers and United States mail. According to TSA officials, the agency is pursuing multiple technologies that will automate the detection of explosives in the types and quantities that will cause catastrophic damage to an aircraft in flight. On the basis of responses to its solicitation, TSA identified nine technologies to finance for further development and testing. According to TSA, the technologies selected will go through four phases of development: (1) a preliminary design phase, consisting of activities in which the concept of operations will be clearly defined and the system components will be clearly identified; (2) a critical design phase, consisting of further definition of system design features and analysis of overall detection and false alarm performance; (3) a system development phase, consisting of the final design and fabrication of the system, including developmental tests and evaluations; and (4) a prototype evaluation phase, consisting of a series of laboratory tests using threats and cargo to evaluate the detection and false alarm performance for a variety of threat scenarios. TSA plans to develop working prototypes of these technologies by September 2006 and complete operational testing by 2008. TSA acknowledges that full development of these technologies may take 5 to 7 years. For a description of the new and emerging technologies selected by TSA for further development and testing, see appendix VII. TSA also has other efforts under way to develop and deploy technology in the air cargo environment. For example, in January 2005, TSA solicited information on technology systems that could be used to inspect break bulk air cargo. According to TSA officials, the agency will identify and evaluate commercial off-the-shelf systems that could be used to inspect break bulk cargo. TSA plans to begin laboratory and field tests of these technologies in the summer of 2005. In April 2005, TSA issued another solicitation for information on air cargo inspection technology. This solicitation specifically requested information on explosives detection systems for inspection of cargo containers or palletized air cargo and will cover the use of unit load devices placed on passenger aircraft. According to TSA, the agency is currently reviewing the responses to this solicitation. In addition to cargo inspection technology, hardened cargo containers are being considered as a means to mitigate the threat of an improvised explosive device. The Federal Aviation Administration previously had a research program on blast-resistant containers to examine their effectiveness in containing the effects of an improvised explosive device. Air carriers have raised concerns regarding the weight of these containers and the potentially significant affect their use would have on airlines by increasing fuel costs, reducing flight range, and decreasing payload capacity for revenue-generating passengers and cargo. Other challenges associated with deploying hardened cargo containers include purchasing costs (which, according to TSA can range from $20,000 to $40,000 per container), durability, and potentially higher maintenance costs for hardened container materials. Although the purchase, deployment, and use of such containers may prove to be challenging, the Intelligence Reform and Terrorism Prevention Act of 2004 required that TSA begin to carry out a pilot program to evaluate the use of blast-resistant containers for cargo and baggage on passenger aircraft to minimize the potential effects of an explosive device's detonation. The act authorized $2 million to conduct such a pilot program. According to TSA officials, the agency is currently conducting a pilot program with two airlines on the use of hardened containers. Finally, according to its Air Cargo Strategic Plan, TSA is also considering whether the agency's Transportation Worker Identification Credential (TWIC) Program would be beneficial to incorporate into the air cargo environment.[Footnote 102] The TWIC Program is intended to establish a uniform identification credential for 6 million workers who require unescorted physical or cyber access to secured areas of transportation facilities. The program is intended to combine standard background checks and new and emerging biometric technology so that a worker can be positively matched to his or her credential. As of June 2005, TSA had not yet determined whether the TWIC Program would be incorporated as part of the agency's overall effort to enhance air cargo security. We currently have an on-going review of the TWIC Program. According to TSA officials and air carrier and airport representatives, the federal government and the air cargo industry face several challenges that must be overcome to effectively implement technology to inspect air cargo for explosives. These challenges include factors such as the nature, type, and size of the cargo; environmental and climatic conditions; inspection throughput rates; screener staffing and training issues; the location of air cargo facilities (centralized versus decentralized); cost and availability; and employee health and safety concerns. For example, cargo weighing several tons may be too large to be inspected by currently available technology. The heat and humidity at certain airport locations may affect the functioning of inspection technology. Furthermore, trained staff must be available to operate the technology, and health and safety concerns such as worker exposure to radiation must be addressed. We have also previously reported on the need for TSA and DHS to better manage their research and development programs to ensure effective use of technology research funds. Specifically, we recommended that DHS and TSA implement a risk management approach for their research and development programs. [Footnote 103] Table 2 describes the potential challenges with using current and new and emerging technology to inspect air cargo that were identified by TSA officials and officials representing airports and air carriers. Table 2: Potential Challenges Associated with Using Current and New and Emerging Technology to Inspect Air Cargo: Potential challenge: Nature, type, and size of air cargo; Challenge description: Air cargo ranges in size from less than 1 pound to several tons, and in type from perishables to engines, including electronic equipment, machine parts, apparel, medical supplies, fresh- cut flowers, fresh seafood, tropical fish, live animals, and human remains. Cargo can be shipped in various forms including unit-loading devices, wooden crates, and assembled pallets, or as break bulk. Potential challenge: Environmental and climatic conditions; Challenge description: Different environmental conditions may have an effect on different types of technology. For example, technology may need to perform under very cold and very hot conditions, which may affect its performance. Potential challenge: Inspection throughput rates; Challenge description: Technology must have the capacity to inspect a large quantity of cargo in a timely manner to meet the delivery schedules of the air cargo industry and the needs of shippers. Potential challenge: Screener staffing and training; Challenge description: Depending on the type of technology, operators may require rigorous training. It may be financially burdensome to hire, train, and retrain staff to operate the inspection technology. Potential challenge: Logistics; Challenge description: Construction of centralized inspection facilities for storing and using inspection equipment may be challenging. Larger airports may be in a better position to handle the financial burden of additional security measures but may not have the space for inspection equipment. Smaller airports would probably have difficulty paying for new inspection equipment and staff but may have the space to add the equipment. Potential challenge: Cost and availability; Challenge description: The overall cost of technology may be a challenge. For example, one EDS machine can cost up to $1.2 million. TSA canine units can cost up to $120,000 per team annually. Newer technologies, such as current models of pulsed fast neutron analysis systems, cost between $10 million and $25 million. In addition, cargo handling is usually performed at separate cargo facilities either on airport property or off-site. Potential challenge: Employee health and safety; Challenge description: Air carriers contend that certain inspection technologies, such as pulsed fast neutron analysis, may pose potential health risks to operators and handlers consolidating and loading cargo. Air carriers also contend that once items are inspected they may not be safe to handle for some period of time, which could affect delivery time. According to TSA, the technologies they are considering for explosives detection for cargo do not present these problems. Other inspection technologies using neutron beams may also pose similar health risks. Source: GAO summary of reported challenges. [End of table] TSA noted that given the challenges of inspecting air cargo using currently available technologies, the agency's goal is to develop an approach to inspect air cargo using a combination of technologies. TSA's strategic plan states that the agency envisions developing a "tool box" of technologies that can be used by air carriers to inspect cargo of various types of sizes under different operating environments. Although the agency recognizes the challenges associated with inspecting air cargo, has completed some technology evaluations, and plans to conduct further technology testing, TSA has not decided whether it will certify or require air carriers to use specific technologies. TSA officials stated that they will make these decisions after evaluating the results of the cargo inspection technology assessments, but the agency has not established time frames for making such decisions. To effectively inspect cargo that TSA deems to be an elevated risk, the agency will need to make decisions regarding the use of air cargo inspection technologies prior to full implementation of its Freight Assessment System, which is currently scheduled for the end of calendar year 2007. TSA Plans to Issue New Air Cargo Security Requirements, but Some Industry Stakeholders Have Expressed Concern Over Their Cost and Feasibility: In addition to developing a system to target and inspect elevated risk cargo, TSA has proposed additional requirements to enhance air cargo security in its proposed rule, issued on November 10, 2004. Many of the measures outlined in the proposed rule are initiatives that are outlined in TSA's Air Cargo Strategic Plan, as discussed earlier in this report. Specifically, the proposed rule making would require the adoption of security measures that focus on inspecting cargo, securing air cargo facilities, and conducting security checks on air cargo workers. TSA received 676 comments to its proposed rule from 134 commentators representing air carriers, indirect air carriers, and airports, among others. The agency has reviewed these comments as it determines how to finalize its proposals aimed at enhancing air cargo security. TSA estimated in its proposed rule that implementing these proposals, including random inspection of air cargo, will cost $637 million (in discounted 2003 dollars) over a 10-year period from 2004 to 2013. Table 3 describes TSA's proposed measures. Table 3: TSA's Proposed Air Cargo Security Measures: TSA-proposed measure: Security threat assessments (STA) for air cargo workers; Description of proposed measure: Persons who have unescorted access to air cargo, but do not have unescorted security identification display area access, to undergo a STA to verify that they do not pose a security threat. Specifically, TSA will conduct checks of air cargo workers against intelligence records and databases, including terrorist watch lists. An estimated $39 fee per applicant would be imposed to conduct the STA. TSA estimates that 28,225 of the estimated 63,000 air cargo workers would be affected by this new requirement. TSA-proposed measure: Inspecting cargo; Description of proposed measure: Codifying existing requirements for aircraft operators to inspect air cargo, including that offered by known shippers. TSA-proposed measure: Applying or extending airport security identification display area (SIDA) requirements to air cargo operations areas[A]; Description of proposed measure: Applying or extending airport SIDA requirements to air cargo operating areas. This proposal does not call for the creation of a SIDA at airports where there currently is not one. In these situations, all-cargo operators will be required to institute other security measures to prevent unauthorized access. TSA-proposed measure: Known Shipper program and database; Description of proposed measure: Codify and strengthen the Known Shipper program. Specifically, participation in the Known Shipper database would be mandatory for all domestic operators, foreign air carriers, and indirect air carriers. Air carriers and indirect air carriers would be required to submit information on a known shipper applicant electronically to TSA for vetting against terrorist and law enforcement data. Aircraft operators, foreign air carriers, and indirect air carriers will be required to submit known shipper information electronically and update it as needed. TSA-proposed measure: Accepting cargo directly from shippers or from entities with security programs; Description of proposed measure: Authorize aircraft operators under full or all-cargo programs to accept cargo only from entities with security programs comparable to the aircraft operators'. TSA-proposed measure: Enhanced indirect air carrier security requirements, including training and personnel requirements; Description of proposed measure: Expand the definition of indirect air carrier to include businesses engaged in the indirect transport of cargo on larger commercial aircraft, whether conducted with a passenger aircraft or an all-cargo aircraft. Vet businesses more thoroughly before they are authorized to do business as indirect air carriers, strengthen a requirement for periodic recertification of indirect air carrier status, and strengthen security requirements for accepting and processing air cargo. TSA is developing a Web-based centralized system for validating and revalidating indirect air carriers. Upon its implementation, TSA proposes to require all business to use the system to obtain initial indirect air carrier approval and to renew their approval. Indirect air carriers would also be required to use the system to notify TSA of any changes to their corporate structure and to renew their status annually. Proposes procedures for withdrawing indirect air carrier security program approval and requiring a comprehensive and recurrent training program for indirect air carriers to ensure that indirect air carrier employees understand and are trained to implement their security responsibilities. Requires indirect air carriers to designate a security coordinator at the corporate level (as currently required by airport and aircraft operators) to serve as the indirect air carrier's primary point of contact for communications with TSA, including receipt of threat information. TSA-proposed measure: Security measures for persons boarding an all- cargo aircraft; Description of proposed measure: Codify requirements for physically screening persons other than passengers boarding all-cargo aircraft with a maximum certified takeoff weight greater than 12,500 pounds. TSA-proposed measure: Establish a required standardized security program for all-cargo carriers; Description of proposed measure: Require additional steps for securing all-cargo aircraft weighing more than 45,500 kilograms (100,309 pounds). The proposal would institute security measures for all-cargo aircraft comparable to passenger aircraft of the same size and be incorporated into a mandatory All-Cargo Aircraft Operator Standard Security Program. Source: GAO analysis of Air Cargo Notice of Proposed Rule Making and Industry Comments. [A] Individuals working in SIDA must have an airport's approved photo ID; the ID must be displayed at all times above the waist on the individual's outermost garments; to obtain a SIDA ID, a person must successfully undergo a fingerprint-based criminal history records check, and successfully complete security training. In addition, procedures must be in place for challenging all persons not displaying appropriate ID. [End of table] Although most industry members who commented on the proposed air cargo rule were pleased that TSA is taking steps to enhance air cargo security, many pointed out various issues related to implementing these measures, particularly cost.[Footnote 104] Specifically, officials representing air carriers, indirect air carriers, and airports have expressed concern that they would incur approximately 97 percent of the projected cost of the air cargo security procedures described in TSA's proposed air cargo security rule. Air carriers also contend that the additional air cargo security costs will ultimately be borne by shippers and passed on to their customers. Officials representing passenger and all-cargo carriers also commented that the overall estimate to implement these proposed procedures was low. For example, cost projections developed by one stakeholder suggest that implementing TSA's proposals could cost more than double what TSA estimated. A major reason for this higher cost estimate was that the stakeholder assumed a tripling in the estimated percentage of air cargo required to be inspected on passenger aircraft, as mandated in the fiscal year 2005 Department of Homeland Security Appropriations Act.[Footnote 105] According to TSA officials, the agency's cost estimate for implementing its proposed security measures did not assume the tripling of the inspection percentage, as required by the Act, because the fiscal year 2005 Department of Homeland Security Appropriations Act was signed shortly before the proposed rule was issued.[Footnote 106] Therefore, TSA based its proposed rule's cost estimates for cargo inspection on existing requirements at the time.[Footnote 107] Our analysis of TSA's costs estimates identified four ways in which the agency had likely underestimated the costs of air cargo inspections. First, TSA's estimate did not take into consideration the tripling in the percentage of inspections for cargo transported on passenger aircraft. Second, TSA is proposing to expand the definition of indirect air carriers to include those transporting goods on all-cargo aircraft in addition to those transporting goods on passenger aircraft, a change that would increase the cost of implementing the proposed rule. Third, earlier TSA analyses assumed a range of costs for inspection technology, yet in TSA's cost analysis for its proposed rule, the agency chose to use a cost estimate for this technology at the lower end of this range. Incorporating the full range of possible inspection technology costs raises the expected cost of the proposed regulation. Fourth, our analysis of the proposed regulation also indicated that there is no allowance for the cost of any delay. For instance, added time spent inspecting cargo could mean missing delivery deadlines for shippers or flight delays. This could affect industries, whose costs of production are tied to inventories being delivered on time. We discussed these issues with TSA officials, who stated that the agency will consider revising its costs estimates as it reviews industry comments to these security proposals. In addition to concerns about the overall cost of TSA's proposed rule, air cargo industry stakeholders expressed concern about the cost and feasibility of implementing specific proposals described in TSA's proposed rule. For example, in commenting on the proposed rule, some air carriers and indirect air carriers acknowledged the need for TSA's proposal for conducting security threat assessments on air cargo workers but expressed concern that TSA may have underestimated the total number of workers affected, as well as the total costs to perform these checks. Specifically, one air cargo stakeholder estimated that the population affected by TSA's proposal is more than twice as large as the agency estimated, thus potentially more than doubling the estimated cost of $3.2 million (in discounted 2003 dollars) over 10 years. Air carrier representatives also questioned why TSA would propose a different type of check than is already required for workers with unescorted access to an airport's SIDA.[Footnote 108] These air carrier representatives stated that requiring a single type of check for workers with access to either an airport SIDA or air cargo would provide for a more uniform level of worker security. According to TSA officials, the agency's preliminary review of the comments on its proposed rule indicates that industry stakeholders may have misunderstood the scope of this proposal, particularly as it relates to the number and type of workers affected. According to TSA officials, the agency will clarify these requirements in the agency's final air cargo security rule. Several stakeholders also commented on TSA's proposal to apply or extend airport SIDA requirements to air cargo operations areas. While three air carrier and indirect air carrier representatives we spoke with were supportive of this proposal and stated that extending the airport SIDA should enhance the physical security of cargo shipments and aircraft, other air carriers and indirect air carriers expressed concern over the implementation of this proposal. For example, officials from two air carrier associations we spoke with stated that this proposal would transfer responsibility for cargo operations areas from the air carrier to the airport authority. One airport official we spoke with stated that he did not want the additional responsibility associated with implementing this proposal, and that air carriers should be responsible for overseeing the implementation of this requirement. According to TSA officials, the agency's preliminary review of comments to its proposed rule indicates that industry stakeholders may have misunderstood the air carriers' and airport operators' role in implementing this proposed requirement, particularly as it relates to their role in overseeing all-cargo operations within the SIDA. According to TSA officials, the agency will clarify these requirements in the agency's final air cargo security rule. Air cargo industry stakeholders, also expressed concern about the cost and feasibility of implementing TSA's proposal to put into regulation existing requirements for air carriers to inspect a portion of air cargo. For example, a representative from one industry association we spoke with stated that TSA's proposal to screen a percentage of air cargo does not ensure that air cargo is secure and suggested that most, if not all, cargo should be screened. Air carrier representatives noted that the inspection of air cargo should be considered a national security issue and therefore funded and conducted by the federal government. In addition, several stakeholders who represent air carriers and indirect air carriers we spoke with stated that TSA has not adequately defined what an inspection will entail and who will be responsible for such an inspection. Further, three of the air cargo stakeholders we spoke with stated that TSA's interchangeable use of the terms "screening" and "inspection" created confusion about the actions they were required to take regarding the examination of air cargo. Specifically, they noted that they were unsure whether inspection meant conducting a physical search, while screening meant using nonintrusive methods such as X-ray machines. These three stakeholders added that clearer definitions of the terms "screening" and "inspection" would help ensure that the appropriate type of examination was conducted. Finally, air carrier and indirect air carrier representatives, in general, concurred with TSA's proposals to strengthen the security of indirect air carriers. Some indirect air carriers noted that more information is needed on who will now be defined as an indirect air carrier, who will receive security training, and what the training will entail. Similarly, air carrier representatives agreed with TSA's proposals regarding security measures for individuals boarding an all- cargo aircraft and establishing a required standardized security program for all-cargo carriers, but they said that they would like clarification on what these measures would entail. TSA officials told us that the agency is evaluating industry stakeholders' comments to its proposed security measures and may revise these proposals prior to issuing its final air cargo security rule. The Intelligence Reform and Terrorism Prevention Act of 2004 provides that TSA must issue a final air cargo rule no later than 240 days from its date of enactment (August 14, 2005).[Footnote 109] As of September 2005, this rule has not been issued. Conclusions: Securing all aspects of the aviation system is a daunting task. The nature, size, and complexity of the nation's air cargo transportation system highlights the need for the federal government and the private sector to work together to secure this system and enhance security. While the cost of enhancing air cargo security can be significant, the potential costs of a terrorist attack, in terms of both the loss of life and property and long-term economic impacts, would also be significant although difficult to predict and quantify. The importance of the nation's air cargo security system and the limited resources available to protect it underscore the need for a risk management approach to prioritize security efforts so that a proper balance between costs and security can be achieved. In December 2002, we recommended, and TSA committed to, implementing a risk management approach for securing air cargo. By developing a strategic plan, TSA established strategic goals and objectives, a key first step in implementing a risk management approach. TSA also took another key step in implementing a risk management approach by assessing threats to air cargo security. While these efforts represent achievements, more work remains to be done to fully address the risks posed to air cargo security. By not yet fully evaluating the risks posed by terrorists to the air cargo transportation system through assessments of systemwide vulnerabilities and critical assets, including analyzing information on air cargo security breaches, TSA is limited in its ability to focus its resources on those air cargo vulnerabilities that represent the most critical security needs and assure Congress that existing funds are being spent in the most efficient and effective manner. Further, without examining the rationale of current air cargo inspection exemptions in light of potential vulnerabilities associated with these exemptions, TSA cannot be assured that tripling the amount of cargo on passenger aircraft that is inspected, as required by recent legislation, will enhance air cargo security. Without performance measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements, TSA cannot effectively focus its inspection resources on those entities posing the great risk. In addition, without systematically analyzing the results of its air cargo compliance inspections, TSA will be limited in its ability to effectively target future inspections and fulfill its oversight responsibilities for this essential area of aviation security. TSA also cannot be assured that its current cooperative approach to addressing issues of noncompliance is resulting in increased air carrier and indirect air carrier compliance with air cargo security requirements without assessing the effectiveness of its enforcement actions. Finally, TSA's goal of developing a system to target elevated risk cargo for inspection without impeding the flow of air commerce will be difficult to achieve without ensuring that the information used to target such cargo is complete, accurate, and current. By addressing these areas, TSA would build a better basis for strengthening air cargo security in the future as it moves forward in implementing risk-based security initiatives. Recommendations for Executive Action: To help ensure that the Transportation Security Administration has a comprehensive risk-based approach for securing the domestic air cargo transportation system, we recommend that the Secretary of Homeland Security direct the Assistant Secretary of Homeland Security for the Transportation Security Administration to take the following six actions: (1) develop a methodology and schedule for completing assessments of air cargo vulnerabilities and critical assets, as well as defining, gathering, and analyzing information on air cargo security breaches, and use the information resulting from these assessments as a basis for prioritizing the steps necessary to enhance the security of the nation's air cargo transportation system; (2) reexamine the rationale for existing air cargo inspection exemptions, determine whether such exemptions leave the air cargo system unacceptably vulnerable to terrorist attack, and make any needed adjustments to the exemptions; (3) develop measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements to assess and address potential security weaknesses and vulnerabilities; (4) develop a plan for systematically analyzing the results of air cargo compliance inspections and use the results to target future inspections and identify systemwide corrective actions; (5) assess the effectiveness of enforcement actions, including the use of civil penalties, in ensuring air carrier and indirect air carrier compliance with air cargo security requirements; and: (6) ensure that the data to be used in the Freight Assessment System to identify elevated risk cargo are complete, accurate, and current. Agency Comments and Our Evaluation: We provided a draft of this report to DHS for review and comment. On September 30, 2005, we received written comments on the draft report, which are reproduced in full in appendix VIII. DHS generally concurred with the findings and recommendations in the report. With regard to our recommendation to develop a methodology and schedule for completing assessments of air cargo vulnerabilities and critical assets, as well as defining, gathering, and analyzing information on air cargo security breaches, DHS stated that it intends to perform a vulnerability assessment to assess the relative significance of vulnerabilities associated with domestic air cargo operations and services. Specifically, DHS stated that this assessment will identify weaknesses with the nation's air cargo operations that may be exploited by terrorists and that this assessment will be tied into the department's work to identify critical assets. Completing a vulnerability assessment is an important step in applying a risk management approach to securing air cargo. While DHS identified that the vulnerability assessment will tie into the department's criticality work, it has not indicated when a vulnerability or criticality assessment of air cargo assets will be conducted or whether it intends to define, gather, and analyze information on air cargo security breaches as part of this assessment. Taking these steps would more fully address our recommendation. Concerning our recommendation to reexamine the rationale for existing air cargo inspection exemptions, DHS stated that it is already in consultation with industry stakeholders regarding reevaluating current cargo inspection exemptions as it designs and develops the Freight Assessment System, and will soon launch a broad-based review of current air cargo policies and processes. While conducting such a review may provide useful information on security processes and policies that need to be improved, it is important that the exemptions specifically be reviewed to determine whether they leave the air cargo system unacceptably vulnerable to terrorist attack. This assessment, as well as any resulting adjustments to the exemptions, should be completed as soon as practical and should not be exclusively tied to the design and development of the Freight Assessment System. Taking this step would more fully address our recommendation. In addressing our recommendation to develop measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements, DHS stated that TSA is committed to focusing compliance inspection resources on regulated parties that have greater security weaknesses and vulnerabilities and will enhance current efforts to gauge air carrier and indirect air carrier compliance with air cargo security requirements. Although these efforts should help TSA in performing its oversight responsibilities, developing specific performance measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements will be important to fulfilling the agency's oversight commitment. Taking such action would more fully address the intent of this recommendation. Regarding our recommendation to develop a plan for systemically analyzing the results of air cargo compliance inspections, DHS stated that TSA has taken steps to compile information results from past compliance inspections and will analyze the results of its inspection activities to target future inspections and develop systematic and localized corrective action as appropriate. In addition, DHS stated that TSA recently formed an advisory group to assist in developing the agency's annual compliance work plan which will identify and direct further inspection efforts. If properly implemented, these actions should address the intent of this recommendation. Concerning our recommendation to assess the effectiveness of enforcement actions to ensure air carrier and indirect air carrier compliance with air cargo security requirements, DHS stated that TSA will use compliance inspection results generated by the PARIS database, in addition to reviewing formal enforcement actions and adjudications rendered through the legal process, to assess enforcement action effectiveness. Developing specific details on how compliance inspection results will be evaluated to determine the effectiveness of the agency's enforcement actions will be necessary for the agency to ensure that these actions result in increased air carrier and indirect air carrier compliance with air cargo security requirements. With regard to our recommendation to ensure that the data to be used in the Freight Assessment System to identify elevated risk cargo are complete, accurate, and current, DHS stated that TSA is developing a plan to ensure the integrity of all data that will be used in the Freight Assessment System. Specifically, TSA plans to implement a continuous monitoring process to alert TSA of significant data changes to ensure that the Freight Assessment System is provided with the most complete, accurate, and current information. Additionally, DHS stated that TSA has enlisted industry's assistance, through the Aviation Security Advisory Committee, in the development of standards for shipment data. If properly implemented, these actions should help ensure that the critical information necessary to target elevated risk cargo for inspection will be complete, accurate, and current. DHS also offered technical comments and clarifications, which we have considered and incorporated where appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its issue date. At that time, we will provide copies of this report to the Secretary of the Department of Homeland Security, the Assistant Secretary of the Transportation Security Administration, and interested congressional committees. If you have any further questions about this report, please contact me at (202) 512-3404 or berrickc@gao.gov. Key contributors to this report are listed in appendix IX. Sincerely, Signed by: Cathleen A. Berrick: Director: Homeland Security and Justice Issues: [End of section] List of Congressional Requesters: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: The Honorable Peter T. King: Chairman: The Honorable Bennie G. Thompson: Ranking Minority Member: Committee on Homeland Security: House of Representatives: The Honorable Christopher Shays: Chairman: Subcommittee on National Security, Emerging Threats, and International Relations: Committee on Government Reform: House of Representatives: The Honorable Daniel E. Lungren: Chairman: The Honorable Loretta Sanchez: Ranking Minority Member: Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity: Committee on Homeland Security: House of Representatives: The Honorable Edward J. Markey: House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to answer the following questions: (1) To what extent has the Transportation Security Administration (TSA) used a risk management approach to guide decisions on securing air cargo? (2) What actions has TSA taken to ensure the security of air cargo, and what factors may limit their effectiveness? (3) What are TSA's plans for enhancing air cargo security, and what financial, operational, and other challenges do TSA and industry stakeholders face in implementing these plans? To answer these questions, we interviewed TSA headquarters officials responsible for managing the agency's air cargo security program. We also interviewed headquarters' officials at the Department of Homeland Security's (DHS) U.S. Customs and Border Protection (CBP), the Federal Bureau of Investigation, and the United States Postal Service to obtain information about their role in air cargo security. In addition, we interviewed 48 air cargo industry stakeholders, including officials representing 7 air carriers, 4 indirect air carriers, 12 airport authorities, 16 associations representing airport operators, air carrier pilots, indirect air carriers, passenger air carriers, all- cargo air carriers, law enforcement agencies, and 9 air cargo security consultants and experts. The majority of these industry stakeholders participated in the Aviation Security Advisory Committee working groups that developed recommendations for enhancing air cargo security. We also conducted site visits at 12 United States commercial airports. [Footnote 110] Because we selected a nonprobability sample of airports, the results from these visits cannot be generalized to other U.S. commercial airports. During our site visits, we met with Federal Security Directors and inspections staff at each airport and observed pilot testing of air cargo inspection technology, including explosive detection systems at select airports.[Footnote 111] We also met with CBP officials at 4 of the airports we visited.[Footnote 112] In addition, we met with airport authorities at each airport we visited and interviewed air carrier and indirect air carrier officials at several airports we visited. Specifically, we interviewed officials from four passenger and three all-cargo air carriers. To gain an understanding of current and planned air cargo security requirements, we reviewed air cargo security-related laws and regulations as well as TSA's air cargo security strategic plan and proposed air cargo security rule. Moreover, we reviewed and analyzed stakeholders' comments to TSA's proposed rule. We also reviewed reports on air cargo security previously issued by GAO, the Congressional Research Service, the Federal Aviation Administration, and the Department of Transportation Inspector General. To determine the amount of air cargo transported and the revenue that major, national, and large regional air carriers received from transporting air cargo for the year 2004, we obtained and reviewed information from TSA and the Department of Transportation's Bureau of Transportation Statistics. To determine the extent to which TSA has used a risk management approach to guide decisions on securing air cargo, we compared a synthesis of government requirements and best practices that represents GAO's risk management approach with TSA's efforts to implement such an approach. Specifically, we focused on the strategic planning and objectives and risk assessment elements of the risk management framework. To identify the extent to which TSA's air cargo strategic goals and objectives support broader departmental and agency strategic goals and objectives, we reviewed and analyzed Department of Homeland Security and TSA strategic planning documents, including TSA's Air Cargo Strategic Plan. Regarding TSA's efforts to assess risk, we reviewed threat assessments prepared by TSA in 2004 and 2005. We did not assess the quality of the threat assessments completed. To obtain information on how threat information is shared and TSA's efforts to address threats, we met with officials from TSA's Transportation Security and Intelligence Service, Federal Bureau of Investigation, and air cargo industry stakeholders. We also obtained these stakeholders' views on the timeliness, specificity, and clarity of threat information TSA disseminates. To determine the actions TSA has taken to ensure the security of domestic air cargo and the factors that may limit their effectiveness, we reviewed and analyzed TSA security requirements including current air cargo-related regulations, security directives, and program policies. In addition, we reviewed the Aviation Security Advisory Working Group's committee's recommendations to TSA, TSA's air cargo security strategic plan, and TSA's proposed air cargo security rule to gain an understanding of the similarities, differences, and weaknesses among these plans. We also analyzed information on TSA's compliance testing program to determine the agency's progress in evaluating existing air cargo security requirements. Further, we reviewed TSA's compliance inspection process and results to determine air carriers' and indirect air carriers' compliance with existing air cargo security measures. Specifically, we reviewed TSA's annual inspection plans for fiscal years 2004 and 2005 and available data on the results of inspections, including civil penalties, conducted from November 1, 2001, through January 31, 2005. To determine the percentage of air cargo transported on passenger and all-cargo air carriers that is exempt from TSA random inspection requirements, we used industry estimates that a very small percentage of all cargo carried on passenger and all-cargo air carriers is inspected. We assumed that passenger and all-cargo air carriers were fully compliant with TSA random inspection requirements in place as of May 2005. To identify TSA's plans for enhancing air cargo security and the financial, operational, and other challenges TSA and industry stakeholders face in implementing air cargo security plans, we interviewed TSA and air cargo industry stakeholders. In our discussions, we obtained their views on the challenges related to developing and implementing air cargo security enhancements, including air cargo inspection technologies. We also reviewed TSA's proposed air cargo security rule and analyzed stakeholders' comments to the rule to identify stakeholder concerns with TSA's proposal. To identify the costs of implementing TSA's existing and additional measures proposed to enhance air cargo, we analyzed TSA and industry studies, models, and documents outlining the economic cost and other challenges associated with implementing the proposed security measures as well as other possible measures. Specifically, we reviewed TSA's methodology, assumptions, and findings related to cost projections and economic impacts associated with its proposed enhancements. To determine how sensitive TSA cost estimates were to various cost assumptions, we conducted Monte Carlo simulations.[Footnote 113] We also interviewed TSA's Director of Regulatory and Economic Analysis, who was responsible for preparing the economic analysis of the proposed air cargo security rule. To obtain an understanding of TSA's efforts to develop a system to target and inspect elevated risk cargo, we met with TSA and CBP officials who are responsible for developing TSA's planned air cargo targeting and inspection systems. We discussed TSA's development of the Freight Assessment System, including its air cargo data systems that are to be used to target elevated risk cargo. In addition we reviewed documentation on CBP's policies and procedures for targeting elevated risk cargo as well as its automated targeting system. In addition we observed CBP's targeting efforts at its National Targeting Center. We did not assess the effectiveness of CBP's targeting efforts. Regarding TSA's research and development to identify inspection technology, we spoke with officials in TSA's Chief Technology Office and reviewed TSA's research and development plans, including the scope, methodology, and implementation time frames and results of their pilot programs. We also reviewed private industry's efforts to develop and test available inspection technologies. While we did not assess the effectiveness of inspection technologies, we spoke with TSA and private sector officials regarding the limitations of the technology. We conducted our work between June 2004 and September 2005 in accordance with generally accepted government auditing standards. We issued a restricted version of this report on July 29, 2005.[Footnote 114] This report contains information presented in that report with all sensitive security information removed. Data Reliability: To assess the reliability of TSA's data on the number, type, and location of their compliance inspections, we (1) obtained data on TSA's compliance inspection activities conducted from November 2001 to January 2005, (2) discussed discrepancies identified through our review of the data with TSA officials, and (3) obtained TSA headquarters' responses to our questionnaire regarding the reliability of the data. Although our initial reliability testing indicated that there were some inconsistencies in the data provided by TSA, we were able to resolve most of the discrepancies. For example, TSA inspection data did not include unique identification numbers for each inspection. As a result, TSA data could have counted duplicate inspections. We developed a methodology to count individual inspections based on entity name, location of the facility, type of inspection being conducted, inspector conducting the inspection, and the date of the inspection. Further, we were unable to replicate the methodology TSA used to group violation topics and to count the number of violations for each topic in its reporting of high-risk violations from January 1, 2003, to January 31, 2005, including violations identified as "other" or violations for which no specific topic area was provided. We interviewed TSA officials to discuss how the agency defines violations identified as "other" and to what extent the agency will address violations for which no specific topic area was identified. After reviewing the compliance data, we determined that the data were reasonable for identifying general trends in TSA's inspection violations. Additionally, we were unable to determine the number of indirect air carrier facilities inspected from November 1, 2001, to September 30, 2004, and we used TSA inspection data to provide a maximum range of indirect air carrier facilities that TSA inspected for this time period. These discrepancies, however, did not affect our overall findings related to the compliance inspection data. Therefore, we determined that the compliance inspection data were sufficiently reliable for use in supporting our findings regarding TSA's efforts to monitor air carrier and indirect air carrier compliance with air cargo security requirements. Further, TSA provided us information on the number of civil penalty enforcement cases recommended and issued from November 1, 2001, to January 31, 2005. We discussed how these data were compiled and maintained with TSA officials and determined that this information was sufficient for counting the number of civil penalties recommended and issued for violations of air cargo security requirements by air carriers and indirect air carriers. [End of section] Appendix II: Federal Agency Roles in Air Cargo Security: As part of the Aviation and Transportation Security Act, Congress gave the Transportation Security Administration responsibility for ensuring the security of cargo carried aboard passenger and all-cargo air carriers. In addition to TSA, other federal agencies have a role in securing air cargo. These roles cover a broad range of issues, including the enforcement of import, export, customs, transportation, and economic and trade regulations. For example, the Departments of Commerce, Homeland Security, and the Treasury are responsible for oversight and enforcement of international customs and trade laws. The United States Postal Service also has responsibility for mail that is placed on an aircraft. Last, the Department of Transportation has responsibility for, among other things, ensuring the security of hazardous materials being transported on air carriers. Table 4 describes federal agency roles in air cargo security. Table 4: Federal Agency Roles in Air Cargo Security: Federal agency: U.S. Customs and Border Protection (CBP); Role in air cargo security: CBP's mission is to prevent terrorists and terrorist weapons from entering the United States. This involves security at and between United States ports of entry, as well as its security zone beyond its physical borders. To stop terrorists and terrorist weapons from entering United States borders, CBP screens air cargo data prior to the air carrier's arrival at a United States airport in order to target the use of domestically based technologies, physical inspection methods, and inspection staff against high-risk shipments. Federal agency: United States Postal Service (USPS); Role in air cargo security: USPS has an Aviation Security Program that incorporates TSA's security regulations to secure mail that is being transported via surface and air. Federal agency: Department of Transportation (DOT); Role in air cargo security: DOT, through the Federal Aviation Administration, regulates the transportation of hazardous materials and other cargo by air and through the Innovative Technology Administration is responsible for developing, managing, and evaluating programs and research activities for the security of passengers and cargo in the transportation system. Federal agency: Department of the Treasury; Role in air cargo security: The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions based on United States foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. United States air carriers and indirect air carriers are not permitted to conduct business with businesses and individuals banned by OFAC. Federal agency: Department of Commerce (DOC); Role in air cargo security: Air cargo is subject to DOC jurisdiction to the extent the cargo or the aircraft are subject to export controls, i.e., the Export Administration Regulations (EAR). The export control provisions of the EAR are intended to serve the national security, foreign policy, nonproliferation, and short supply interests of the United States. Source: GAO prepared based on review of other federal agencies' roles in air cargo security. [End of table] [End of section] Appendix III: Timeline of Significant Events Related to Air Cargo Security: The following timeline reflects significant events in air cargo security following the terrorist attacks in the United States involving four jet airliners on September 11, 2001. These key events include the enactment of the Aviation and Transportation Security Act; the development of the Known Shipper database; additional TSA air cargo security requirements; three reported incidences of stowaways; the release of the Air Cargo Security Strategic Plan; release of the air cargo security proposed rule; and initial development of TSA's air cargo targeting system. The timeline also includes established time frames for issuing the final air cargo security rule and the commencement of the air cargo targeting system pilot. Figure 5: Timeline of Significant Events Related to Air Cargo Security: [See PDF for image] The following events and dates are depicted on the timeline from 2001 through February 2006: 9/11/01: Terrorist attacks; 9/13/01: U.S. national airspace reopened to commercial aviation after two-day shutdown; 11/91/01: Aviation and Transportation Security Act enacted (P.L. 107- 71); 10/02: TSA developed voluntary Known Shipper database; 9/03: Man ships himself in cargo from Newark, NJ to Dallas, TX; 10/1/03: Department of Homeland Security Security Appropriations Act, 2004 (P.L. 108-90); 10/1/03: Aviation Security Advisory Committee recommendations; 11/03: TSA required random inspection of cargo on passenger and all- cargo aircraft; 11/17/03: Air Cargo Strategic Plan; 12/12/03: Vision 100-Century of Aviation Reauthorization Act (P.L. 108- 176); 1/31/04: Three stowaways shipped themselves in shrink-wrapped pallet from Dominican Republic to Miami, Florida; 2/3/04: TSA Expands Federal Flight Deck Officer program to pilots of all-cargo aircraft; 8/04: Woman ships herself in cargo crate from Nassau, Bahamas to Miami, Florida; 10/18/04: Department of Homeland Security Appropriations Act, 2005 (P.L. 108-334); 11/10/04: Air Cargo Security Notice of Proposed Rule Making; 12/17/04: Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458); 1/05: TSA began developing cargo targeting system; 8/14/05: Approximate date for TSA Issuance of Air Cargo Security Final Rule; 2/06: TSA scheduled to start pilot test of cargo targeting system. Source: GAO. [End of figure] [End of section] Appendix IV: ASAC Representatives in the 2003 Air Cargo Working Group: American Association of Airport Executives (AAAE): Air Courier Conference of America (ACCA): Airports Council International--North America (ACI-NA): Air France (AF): Association of Flight Attendants (AFA): Air Forwarders Association (AFA): Airport Law Enforcement Action Network (ALEAN): Air Line Pilots Association (ALPA): Allied Pilots Association (APA): Air Transport Association (ATA): American Trucking Associations (ATruckA): British Airways (BA): Cargo Airline Association (CAA): Coalition of Airline Pilots Association (CAPA): U.S. Customs and Border Protection (CBP): Federal Aviation Administration (FAA): Federal Bureau of Investigation (FBI): International Airline Passenger Association (IAPA): Lufthansa Airlines (LCAG): National Air Carrier Association (NACA): National Air Transportation Association (NATA): National Customs Brokers and Forwarders Association of America (NCBFAA): National Industrial Transportation League (NITL): Regional Airline Association (RAA): Transportation Intermediaries Association (TIA): Untied States Postal Service (USPS): Victims of Pan Am Flight 103: [End of section] Appendix V: Testing Explosive Detection System Technologies for Inspecting Air Cargo: TSA began phase I testing to evaluate the effectiveness of explosive detection system (EDS) (technologies currently certified for use in inspecting passenger baggage) to screen air cargo in January 2004 at 6 airports.[Footnote 115] According to TSA, the objectives of phase I of the pilot were to determine the expected performance of the explosive detection system for inspecting outbound break bulk air cargo onboard commercial air carriers for the threat of improvised explosive devices (IED) within the air cargo operational environment, examine the resource requirements (including manpower and support equipment) that could be expected with deployment of EDS in the cargo environment, and examine the potential affect on air cargo operations. Figure 6 shows explosive detection system technology being used to screen break bulk cargo as part of TSA's pilot test.[Footnote 116] Figure 6: EDS Technology Inspecting Break Bulk Cargo: [See PDF for image] This figure is a photograph of EDS Technology Inspecting Break Bulk Cargo. [End of figure] In August 2004, TSA began phase II of the EDS pilot at 6 additional airports. Phase II operational testing studied the effectiveness of EDS technologies by two vendors in the following cargo environments and cargo configurations--mail screening, all-cargo aircraft, and break bulk. According to TSA, the 12 airports selected for phases I and II of the pilot program were based on variances in the type and volume of cargo being transported as well as differences in climatic and environmental conditions. Although TSA has not yet finalized its evaluation of the results of the EDS pilot, agency officials stated that preliminary data suggest that EDS technology is well suited to inspect break bulk cargo under a range of environmental and climactic conditions, but limitations exist with using such technology. TSA officials noted that such limitations would be discussed in its final evaluation report of the EDS pilot. According to TSA, the report for phase II testing will be finalized in July 2005. Based on the results of the tests, TSA has extended the use of EDS for an additional year. TSA stated that during the extended field tests, the air carriers will screen break bulk air cargo using EDS. [End of section] Appendix VI: Testing the Use of TSA-Certified Explosives Detection Canine Teams: The objective of the first phase of the pilot was to assess the performance and determine the effectiveness of TSA-certified explosives detection canine teams when used to inspect three air cargo configurations (break bulk, palletized, and cookie sheet) under operational conditions. This pilot test was conducted at six airports over the course of 6 weeks and involved 18 TSA-certified explosives detection canine teams. According to TSA's evaluation report of the pilot issued in October 2004, the average detection rates were relatively high for break bulk cargo, palletized configurations, and cookie sheet configurations. According to TSA, the results of this study can be used to draw a number of conclusions regarding the use of TSA-certified explosives detection canine teams to inspect break bulk, palletized, and cookie sheet configurations. Overall, the data suggest that even without prior training, the teams performed well on all three cargo configurations. This illustrates the teams' abilities to adapt to new and different environments and tasks. The second phase of the canine cargo inspection operational test and evaluation was conducted at six additional airports and involved 18 TSA- certified explosives detection canine teams. The objective of this phase of the pilot was to determine and examine the effectiveness of TSA-certified canine teams in inspecting additional air cargo configurations (break bulk, containers, and ground support equipment) and two United States Postal Service mail configurations (break bulk and rolling stock equipment).[Footnote 117] According to the pilot program's evaluation report, issued in November 2004, the observed detection rates were relatively high for break bulk cargo, containers, and ground support equipment. Overall, the data suggest that even without prior training, the canine teams performed reasonably well, illustrating the ability of the teams to adapt to new and different environments and tasks. According to TSA officials, the results of both phases of the pilot program demonstrated that canines offer promising alternatives to inspecting air cargo. [End of section] Appendix VII: New Technologies Selected by TSA for Further Development and Testing: Technology name: XR/PFNA X-ray combined with pulsed fast neutron analysis as a confirmation system; Items to be inspected: Cargo; Technology description: Uses a beam of neutrons to excite common elements (hydrogen, carbon, nitrogen, and oxygen) in cargo and generates a three-dimensional map of the elements from which explosives and drugs can be detected and located. In September 2004, Total cost of the project is $12 million; Estimated length of time needed for completing technology testing: 24 months. Technology name: Miniature explosives and toxic chemical detector; Items to be inspected: Cargo; Technology description: Utilizes sensors based on Micro Electro- Mechanical Systems (MEMS) technology to detect traces of explosives and toxic chemicals; Estimated length of time needed for completing technology testing: 24 months. Technology name: Pressure-activated sampling system; Items to be inspected: Cargo/mail; Technology description: Items are placed inside a steel pressure vessel. The chamber is then pressurized, allowing the air to be forced into the package contents. The air exhaust is then sampled and analyzed using an approved trace detector; Estimated length of time needed for completing technology testing: 24 months. Technology name: Low-cost Quadruple Resonance (QR) explosives detection for containerized air cargo; Items to be inspected: Cargo; Technology description: A container placed on the transport mechanism will be automatically moved into the scanning chamber, positioned, and examined by QR and trace detection technologies; Estimated length of time needed for completing technology testing: 22 months. Technology name: Megavolt computed tomography for air cargo container inspection; Items to be inspected: Cargo; Technology description: Uses high-energy computed tomography to generate high-resolution, three-dimensional images of oversized boxes, palletized cargo, and cargo containers. This system is based on the same principles as those employed for checked luggage, but is large enough to inspect air cargo containers; Estimated length of time needed for completing technology testing: 24 months. Technology name: Neutron resonance radiography for containerized cargo inspection; Items to be inspected: Cargo; Technology description: An imaging system that uses medium energy neutrons to effectively measure the neutron absorption through thick objects and determine the relative concentrations of different materials from which explosives can be detected in air cargo containers with checked baggage or mail as contents; Estimated length of time needed for completing technology testing: 25 months. Technology name: Mail inspection sensor system based on micro cantilevers; Items to be inspected: Mail; Technology description: A detection method based on the highly sensitive micro cantilever sensors that can detect explosives in mail at an estimated rate of 300 pieces of mail per hour; Estimated length of time needed for completing technology testing: 24 months. Technology name: Terahertz spectrometer-based trace detection system for cargo; Items to be inspected: Cargo; Technology description: Combines a particle and vapor sampling system with a Terahertz detector, which will analyze trace residues based on their rotational spectra; Estimated length of time needed for completing technology testing: 24 months. Technology name: Material specific explosives and nuclear material detection system for cargo and United States mail; Items to be inspected: Cargo/mail; Technology description: Accurately measures the elements and their ratios in a container. The elemental densities are used to indicate the presence of explosives and other contraband; Estimated length of time needed for completing technology testing: 22 months. Source: TSA. [End of table] [End of section] Appendix VIII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: [hyperlink, http://www.dhs.gov]: September 30, 2005: Ms. Cathleen A. Berrick: Director, Homeland Security and Justice Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Ms. Berrick: Thank you for the opportunity to comment on GAO's draft report entitled, "Aviation Security: Federal Action Needed to Strengthen Domestic Air Cargo Security" GAO-06-76. We appreciate the analysis GAO has done over the past year to reflect on our program development and for recognizing our progress in strengthening the nation's air cargo security. The Department of Homeland Security (DHS) generally concurs with the report and recommendations. DHS is Aggressively Working to Secure the Nation's Air Cargo: The threat of a terrorist exploiting vulnerability within the air cargo supply chain is real and is a high priority of the Department. In addition, the Department's mission includes direction "to promote the free-flow of commerce." The movement of cargo via air, onboard both passenger and all-cargo airplanes, represents a critical component of global and domestic supply chains. Accordingly, the manner and extent to which DHS secures the air cargo domain continues to evolve, and the balance between security and the flow of commerce is critical in this evolution. The complexity of the air cargo environment requires thoughtful analysis of alternatives and subsequent trade-offs among a wide array of security options. Since 9/11 there has been significant progress in securing the nation's air cargo. Within DHS, the air cargo security approach being aggressively pursued by the Transportation Security Administration (TSA) and U.S. Customs and Border Protection (CBP) is tightly linked to key best practices of the Department, namely: * Active collaboration and partnership with the private sector, leading to strong industry support and active participation in ongoing programs: * Applying a risk-based management model to resource allocation. This includes integrating air cargo risk-based managed resources in the Department's overall national security strategies: * Embracing technology as a critical means of enhancing security in the short and long-term. Threat-Based Risk Managed Approach Requires a Public Private Partnership: DHS is committed to prioritizing its work in response to risk. Both government and industry recognize that vulnerabilities within the air cargo supply chain must be addressed in order to effectively combat current threats. A threat-based risk management approach, one that balances the twin goals of enhancing air cargo security without unduly impeding the flow of commerce, is therefore required. The current domestic air cargo security approach is being executed in close coordination with the industry stakeholders who operate and maintain the supply chain movements of cargo via air. The agency has drawn upon the private sector's expertise through various government- industry working groups, chartered under TSA's Aviation Security Advisory Committee (ASAC). Insights generated through this public- private partnership provided important inputs into TSA's Air Cargo Strategic Plan. The National Air Cargo Strategic Plan Integrates a Layered Security Strategy: By employing a layered security strategy that combines policy, strong regulatory oversight, and technology to combat threats, mitigate vulnerabilities, and control consequences, the DHS air cargo team is managing risk effectively. Since the Department endorsed the TSA Air Cargo Strategic Plan, TSA has been implementing a layered security approach that strengthens our defense against existing threats. The Air Cargo Strategic Plan is closely aligned with The National Homeland Security Strategy, National Strategy for the Physical Protection of Critical Infrastructure and Key Assets and TSA's Strategic Plan. The plan directly supports TSA's goal of preventing terrorists and other individuals from disrupting the transportation system and harming its users. This plan is the core document guiding the agency's efforts to further secure the air cargo supply chain through four key strategic objectives: * Enhance shipper and supply chain security; * Identify elevated risk cargo through prescreening; * Identify technology for performing targeted air cargo inspections; * Secure all-cargo aircraft through appropriate facility security measures. Opportunities to further secure the air cargo supply chain include: * Adding a greater level of standardization across air cargo security programs; * Employing a risk-based approach to targeting the subset of cargo that represents a potential threat to the supply chain. These opportunities are being addressed through strengthening of policy, increasing day-to-day security compliance oversight, and applying technical solutions. 1. Strengthening Policy. A major rulemaking is underway, with final regulations to be published in late 2005. The revised policy direction focuses on strengthening requirements for the existing population of regulated parties in the air cargo supply chain (indirect air carriers, air carriers, and airports). It also expands the regulatory footprint of DHS to reach more participants in standard air cargo shipping processes and transactions. 2. Focusing Day-to-Day Operations. During the past two years, TSA has more than doubled the number of regulatory inspectors performing compliance operations in the field. The impact of the expanded inspection corps has also been enhanced through innovative programs such as focused inspections, cargo strikes, and special emphasis assessments. Further, the operations of current and prospective regulated entities are scrutinized through the use of third party corporate data that identifies criminal history, changes in ownership, and other security-relevant information. 3. Embracing Technology. The Department is actively pursuing technology programs and applications that address both short and long-term challenges. In the short-term, core processes such as shipper and indirect air carrier (IAC) registration and renewal can now be handled through automated, web-based systems (the Known Shipper Database and the IAC Management System) that promote public-private information sharing. Meanwhile, the air cargo program continues to invest in research and development activities that assess the readiness of existing and emerging technologies such as Explosive Detection Systems (EDS) machines and hardened containers to be integrated into normal cargo operations. Finally, the program has embarked on a joint initiative with industry and CBP, through the Automated Commercial Environment (ACE), to identify elevated risk cargo through pre- screening of air cargo shipment data. The output of this program, Freight Assessment System, will be piloted with two major air carriers and their suppliers at two major airports in early 2006. A Layered Security Strategy Supports 100% Screening of Elevated-Risk Cargo: TSA believes that all cargo should be pre-screened for risk, and that 100% of cargo that is identified as elevated-risk should be screened using appropriate technology and methods. Consequently, both the Department and the air cargo industry support a layered security approach that includes using data to pre-screen 100% of shipments. DHS Responses to the GAO Recommendations: GAO Recommendation: (1) develop a methodology and schedule for completing assessments of air cargo vulnerabilities and critical assets, as well as defining, gathering, and analyzing information on air cargo security breaches, and use the information resulting from these assessments as a basis for prioritizing the steps necessary to enhance the security of the nation's air cargo transportation system; TSA intends to perform "Commercial Air Cargo Industrial Vulnerability Assessments" to assess the relative significance of vulnerabilities associated with U. S. commercial air cargo operations and ancillary activities. This vulnerability assessment will comprehensively identify weaknesses in physical structures, personnel protection systems, processes, or other areas associated with U. S. air cargo operations that may be exploited by terrorists. The vulnerability assessment will be tied into the Department's criticality work. GAO Recommendation: (2) re-examine the rationale for existing air cargo inspection exemptions, determine whether such exemptions leave the air cargo system unacceptably vulnerable to terrorist attach and make any needed adjustments to the exemptions; TSA continually reviews the measures it has put into place as part of its threat-based, risk-managed approach to securing the air cargo environment and will soon launch a broad-based review of current air cargo policies and processes. TSA is also in consultation with industry stakeholders regarding reevaluation of current exemptions as it designs and develops the Freight Assessment System (FAS). GAO Recommendation: (3) develop measures to gauge air carrier and indirect air carrier compliance with air cargo security requirements to assess and address potential security weaknesses and vulnerabilities; TSA collects compliance and enforcement data through its Performance and Results Information System (PARIS). In early 2005, TSA created a Compliance Analysis Division that uses compliance data to track trends in security, identify systemic and localized compliance concerns, and gauge compliance on both micro and macro levels. TSA continues to enhance the functionalities of its PARIS database. TSA is committed to focusing our inspection resources on regulated parties that have greater security weaknesses and vulnerabilities. Accordingly, TSA will enhance current efforts to gauge air carrier and IAC compliance with cargo security requirements. Results of the inspection activity will be compiled, analyzed and used to target future inspections. GAO Recommendation: (4) develop a plan for systematically analyzing the results of air cargo compliance inspections and use the results to target future inspections and identify systemwide corrective actions; TSA has taken steps to compile information results from past compliance inspections. Using the data collected in PARIS, TSA will analyze the results of its inspection activities to target future inspections and develop both systemic and localized corrective action as appropriate. Additionally, TSA recently formed its Compliance Advisory Group to assist in developing the Agency's annual compliance work plan which will identify and direct further inspection efforts. GAO Recommendation: (5) assess the effectiveness of enforcement actions, including the use of civil penalties, in ensuring air carrier and indirect air carrier compliance with air cargo security requirements; and; TSA will use results generated by the PARIS database in addition to reviewing formal enforcement actions and adjudications rendered through the legal process to assess enforcement action effectiveness. TSA's analysis of overall metric-based compliance results will be enhanced by our consideration of specific enforcement actions and individualized impact on the regulated entities. TSA's analysis is also informed by follow-up inspections of these entities focusing on corrective action taken, operational remediation, and continued compliance with security requirements. GAO Recommendation: (6) ensure that the data to be used in the Freight Assessment System to identify elevated risk cargo are complete, accurate, and current. TSA is developing a comprehensive plan to ensure the integrity of all data that will "feed" the Freight Assessment System (FAS). TSA is evaluating designs of the FAS to implement a continuous monitoring process to alert TSA of significant changes within the community. This data verification and monitoring process would ensure that FAS is provided with the most complete, accurate and current information. Additionally, TSA has enlisted industry's assistance, through the Aviation Security Advisory Committee, in the development of standards for shipment data. TSA believes that implementing data standardization requirements is essential to ensuring accuracy and reliability of the shipment data. Current Department Initiatives and Plans are Raising the Security Bar Considerably: The current domestic air cargo security approach is consistent with the principles of the Department and is being executed in close coordination with the industry stakeholders who operate and maintain the supply chain movements of cargo via air. By employing a layered approach that combines policy, strong regulatory oversight, and technology to combat threats, mitigate vulnerabilities, and control consequences, the DHS air cargo team is managing risk effectively. The continued execution of major ongoing programs - such as Freight Assessment and emerging technology R&D - will raise the air cargo security bar even higher in the future. Thank you again for the opportunity to contribute comments to the draft report. Please let us know if we can provide any further information or clarity on our response. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/IG Liaison Office: [End of section] Appendix IX: GAO Contacts and Staff Acknowledgments: Contacts: Cathleen A. Berrick, (202) 512-8777: Acknowledgments: In addition to those named above, John C. Hansen, Assistant Director; Leo Barbour; C. Jenna Battcher; Charles W. Bausell; Katherine Davis; Scott Farrow; Stanley J. Kostyla; Tom Lombardi; Jeremy Manion; Steve Morris; Meg Ullengren; and Nicolas Zitelli made key contributions to this report. [End of section] Footnotes: [1] Aviation and Transportation Security Act, Pub. L. No. 107-71, § 110(b), 115 Stat. 597, 614-16 (2001). [2] TSA generally uses the terms "inspecting" and "screening" interchangeably to denote some level of examination of a person or good, which can entail a number of different actions, including manual physical inspections to ensure that cargo does not contain weapons, explosives, or stowaways. When TSA applies a filter to information or characteristics of cargo, such as its Known Shipper program, it refers to such processes as screening. For the purposes of this report, we use the term "inspection" to refer only to an air carrier's effort to physically examine air cargo. [3] DHS Science and Technology Directorate, Systems Engineering Study of Civil Aviation Security-Phase I, April 7, 2005. [4] The exact percentage of cargo physically screened or inspected is sensitive security information. [5] Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), Pub. L. No. 108-458, 118 Stat. 3638; Department of Homeland Security Appropriations Act, 2005, Pub. L. No. 108-334, 118 Stat. 1298 (2004). The fiscal year 2006 DHS appropriations bill, H.R. 2360, as passed by the House of Representatives on May 17, 2005, proposes to, among other things, reduce TSA funding by $100,000 per day until it satisfies the fiscal year 2005 requirement to triple the percentage of cargo inspected on passenger aircraft, require that DHS develop screening standards and protocols to more thoroughly screen all types of cargo on passenger and cargo aircraft, and require that TSA utilize checked baggage explosive detection equipment and screeners to screen cargo carried on passenger aircraft to the greatest extent practicable at each airport. The Senate version of the bill, passed on July 14, 2005, proposes to direct that DHS research, develop, and procure certified systems to screen air cargo on passenger aircraft at the earliest date possible, enhance the known shipper program, and increase the level of cargo inspected beyond the tripling mandated in fiscal year 2005. [6] GAO, Transportation Security: Systematic Planning Needed to Optimize Resources, GAO-05-357T (Washington, D.C.: Feb.15, 2005), and GAO, Aviation Security: Vulnerabilities and Potential Improvements for the Air Cargo System, GAO-03-344 (Washington, D.C.: Dec. 2002). [7] Air carriers refers to both commercial passenger air carriers whose aircraft have been configured to accommodate both passengers and cargo and all-cargo carriers whose aircraft transport only cargo. Indirect air carriers, sometimes referred to as freight forwarders, consolidate cargo from many shippers and deliver it to passenger air carriers. TSA's proposed air cargo security rule would expand the definition of an indirect air carrier to include those companies that consolidate and transport cargo to all cargo carriers. The United States Postal Service, or its representatives while acting on behalf of the Postal Service, is not an indirect air carrier. [8] During our review we spoke with 48 air cargo industry stakeholders, including officials representing 7 air carriers, 4 indirect air carriers, 12 airport authorities, 16 associations representing airport operators, air carrier pilots, indirect air carriers, passenger air carriers, all-cargo air carriers, law enforcement agencies, and 9 air cargo security consultants and experts. [9] Unless otherwise indicated, all cost estimate figures cited in this report are in discounted dollars. [10] An explosive detection system uses probing radiation to examine objects inside baggage and identify the characteristic signatures of threat explosives. [11] There are about 450 commercial airports in the United States. TSA classifies airports into one of five categories (X, I, II, III, and IV) based on various factors, such as the total number of takeoffs and landings annually, the extent to which passengers are screened at the airport, and other special security considerations. [12] GAO, Aviation Security: Federal Action Needed to Strengthen Domestic Air Cargo Security, GAO-05-446SU, (Washington, D.C.: July 29, 2005). [13] Elevated risk cargo could include cargo that has been determined to pose a risk to the safety and security of passengers and air cargo operations. [14] Airport operators may also be responsible for air cargo security to the extent that air cargo operations areas overlap with areas of the airport designated as security identification display areas (SIDA), pursuant to 49 C.F.R. part 1542. Individuals working in a SIDA must have an airport-approved photo identification that is displayed at all times above the waist on the individual's outermost garments. To obtain a SIDA identification badge, a person must successfully undergo a fingerprint-based criminal history records check and successfully complete security training. In addition, SIDA access requirements must include procedures for challenging all persons not displaying appropriate SIDA photo identification. [15] Other federal entities involved in safeguarding air cargo include the Department of Homeland Security-U.S. Customs and Border Protection, the United States Postal Service, the Department of Commerce, the Department of Transportation, and the Department of the Treasury. See appendix II for a description of each entity's role and responsibility in securing air cargo. [16] TSA regulations governing air cargo security are codified at Title 49, chapter XII, subchapter C, of the Code of Federal Regulations. These regulations focus on requiring air carriers and indirect air carriers to develop measures to deter and prevent the carriage of any unauthorized explosive or incendiary aboard passenger aircraft, including refusal to transport any cargo if the shipper does not consent to a search or inspection of that cargo. [17] Federal Security Directors (FSDs) are responsible for overseeing the implementation of air cargo security requirements at airports nationwide. The FSDs work with inspection teams composed of Aviation Security Inspectors (ASIs) to conduct air cargo compliance inspections. [18] TSA-approved security programs include (1) Aircraft Operators Standard Security Program (AOSSP), which applies to domestic passenger air carriers; (2) Indirect Air Carrier Standard Security Program (IACSSP), which applies to domestic indirect air carriers; (3) Domestic Security Integration Program (DSIP), a voluntary program that applies to domestic all cargo carriers; (4) the Twelve-Five Program, which applies to certain operators of aircraft weighing 12,500 pounds of more in scheduled or charter service that carry passengers, cargo, or both. TSA's proposed air cargo security rule making proposes to change the 12- 5 weight requirement to "more than 12,500 pounds"; (5) Model Security Program applies to foreign passenger air carriers; and (6) All-Cargo International Security Procedures, which applies to each foreign air carrier engaged in the transportation of cargo to, from, within, or overflying the United States in all-cargo aircraft with a maximum certified takeoff weight of 12,500 pounds or more. [19] According to the Federal Aviation Administration, up to 60 percent of the cargo transported by passenger air carriers is made up of break bulk items. According to TSA, more recent estimates range from 30 to 40 percent. [20] Given that the data on the estimated numbers of shippers, air carriers, and shipping facilities are used for background purposes, we did not assess the reliability of these data. [21] In fiscal year 2003, almost 16 billion pounds of cargo was shipped by air on international flights to and from the United States. [22] Given that the estimated poundage of cargo shipped on all-cargo and passenger air carriers and the estimated amount of revenue of air cargo for air carriers in 2004 are presented for background purposes, we did not assess the reliability of these data. [23] Department of Homeland Security Appropriations Act, 2004, Pub. L. No. 108-90, 117 Stat. 1137 (2003), H.R. Conf. Rep. No. 108-280, at 37 (2003). [24] Department of Homeland Security Appropriations Act, 2005, Pub. L. No. 108-334, 118 Stat. 1298 (2004), H.R. Conf. Rep. No. 108-774, at 51- 52 (2004). [25] Pub. L. No. 108-458, §§ 4051-52, 118 Stat. at 3728-29. Congress has yet to appropriate funds pursuant to this authorization. [26] GAO-05-357T. [27] GAO-05-357T. [28] GAO-05-357T. [29] The Government Performance and Results Act of 1993 (GPRA), Pub. L. No. 103-62, 107 Stat. 285, focuses the federal government on providing objective, results-oriented information to improve the efficiency and effectiveness of federal programs, among other things. Under GPRA, strategic plans are the starting point and basic underpinning for results-oriented management. [30] GAO-03-344. [31] ASAC was established in 1989 in the wake of the crash of Pan Am flight 103 to provide the federal government with expert consultation on aviation security issues. ASAC is composed of 27 organizations with a stake in securing the aviation sector. The ASAC working groups include groups representing victims and survivors of terrorist acts, indirect air carriers, aircraft owners, airports, aircraft manufacturers, representatives of passenger and all-cargo airline management and labor, and representatives of federal government agencies. A complete list of ASAC representatives participating in the air cargo working groups can be found in appendix IV. [32] GAO-05-357T. [33] National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks upon the United States (Washington, D.C.: 2004). The 9/11 Commission was an independent, bipartisan commission created in late 2002. [34] Transportation assets include rail and maritime assets, in addition to aviation assets. [35] Specific information on these threats is considered sensitive security information and is discussed in more detail in the restricted version of this report, GAO-05-446SU. [36] Specific information on these threats is considered sensitive security information and is discussed in more detail in the restricted version of this report, GAO-05-446SU. [37] As we have previously reported, while threat assessments are a key decision support tool, it should be recognized that even if updated frequently, threat assessments might not adequately capture emerging threats posed by some terrorist groups. No matter how much we know about potential threats, we will never know whether we have identified every threat or whether we have complete information even about the threats of which we are aware. Consequently, a risk management approach to help prepare for terrorism that supplements threat assessments with vulnerability and criticality assessments can provide better assurance of preparedness for a terrorist attack. [38] Specific information on this threat is considered sensitive security information and is discussed in more detail in the restricted version of this report, GAO-05-446SU. [39] FSDs are responsible for the day-to-day operational direction for federal security at airports. Additionally, FSDs are the ranking TSA authorities responsible for the leadership and coordination of TSA security activities at airports. [40] GAO, General Aviation Security: Increased Federal Oversight Is Needed, but Continued Partnership with the Private Sector Is Critical to Long-Term Success, GAO-05-144 (Washington, D.C. November 2004). [41] GAO-05-357T. [42] For example, Executive Order 13292--Further Amendment to Executive Order 12958, as Amended, Classified National Security Information, March 25, 2003--limits the distribution of classified information, while 49 C.F.R. part 1520 limits TSA's ability to distribute sensitive security information to persons with a need to know. [43] In May 2005, TSA staff identified a number of potential vulnerabilities across the air cargo supply chain, including those related to entities involved in the air cargo shipping process. [44] According to TSA, its Transportation Risk Assessment and Vulnerability Evaluation Tool could be used to assess and analyze the vulnerability of those air cargo system assets TSA determines to be nationally critical. Specifically, the tool assesses an asset's baseline security system and that system's effectiveness in detecting, deterring, and preventing various threats scenarios. Established threat scenarios contained in the tool outline a potential threat situation, including the target, threatening act, aggressor type, and tactic/ dedication, among other things. In addition, the tool includes a cost performance component that compares the costs of implementing a given countermeasure with the reduction in relative risk to that countermeasure. TSA's Vulnerability Identification Self-Assessment Tool could be used to assess and analyze vulnerabilities for assets that TSA determines to be less critical. This Web-based self-assessment tool is intended to guide the user through a series of security-related questions to develop a security baseline of the asset and provide mitigation strategies for use when the national threat level is increased. [45] We previously reported that the National Cargo Security Council, now referred to as the International Cargo Security Council, a coalition of public and private transportation organizations, estimates that cargo theft among all modes of transportation accounts for more than $10 billion in merchandise losses each year. The FBI estimates that the majority of cargo theft in the United States occurs in cargo terminals, transfer facilities, and cargo consolidation areas. GAO, Vulnerabilities and Potential Improvements for the Air Cargo System, GAO-03-344 (Washington, D.C.: December 2002). [46] TSA officials stated that air cargo security vulnerabilities were considered but not fully addressed during joint FBI assessments of airport security conducted in 2003. As a result, TSA considered these assessment results of limited value in identifying the vulnerabilities associated with the air cargo transportation system. [47] On December 17, 2003, President Bush issued a Homeland Security Presidential Directive (HSPD-7) addressing critical infrastructure identification, prioritization, and protection. The directive calls for federal departments and agencies to identify, prioritize, and coordinate the protection of critical infrastructure and key resources in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them. The directive also requires federal departments and agencies to work with state and local governments and the private sector to accomplish this objective. DHS's Interim National Infrastructure Protection Plan was issued in February 2005. Transportation systems are 1 of 17 sectors identified in the national infrastructure protection plan. [48] The Intelligence Reform Act required the Department of Homeland Security to develop a National Strategy for Transportation Security and transportation sector specific security plans by April 1, 2005. On April 5, 2005, the Department of Homeland Security issued a letter notifying Congress that TSA has taken the departmental lead for developing the national strategy but that its issuance would be delayed by 2 to 3 months to allow for integration of various other strategic transportation security documents. [49] A breach of security does not necessarily mean that a threat was imminent or successful. According to TSA officials, the significance of a breach must be considered in light of several factors, including the intent of the perpetrator, and whether existing security measures and procedures successfully responded to and mitigated the breach so that no harm to persons, facilities, or other assets resulted. A breach of passenger security, for example, may occur when a passenger bypasses a security checkpoint. Regarding airport access controls, a breach may involve an unauthorized individual gaining access to a runway. [50] The National Safe Skies Alliance is a nonprofit organization that tests technology and often contracts with the federal government. [51] Specific actions TSA has taken or required air carriers and indirect air carriers to take to enhance the security of the nation's air cargo transportation system are considered sensitive security information and have therefore been removed from this report. A description of these actions is provided in the restricted version of this report, GAO-05-446SU. [52] To become a certified TSA indirect air carrier, an entity must provide TSA with a written application and meet certain eligibility criteria. [53] Specific TSA actions taken to identify indirect air carriers who may pose a security risk are sensitive security information and described in the restricted version of this report, GAO-05-446SU. [54] Details on security actions and measures reported by air carriers and indirect air carriers that exceed TSA requirements are discussed in the restricted version of this report, GAO-05-446SU. [55] According to TSA's Chief Counsel, screening is not limited to inspection but may include a variety of methods for evaluating persons and property. On the basis of the Chief Counsel's definition, TSA has taken the position that identifying cargo as coming from a known shipper constitutes screening. [56] The Known Shipper program was created prior to the events of September 11 to establish procedures for differentiating between shippers that are known and unknown to an indirect air carrier or air carrier. ATSA acknowledged that the Known Shipper program is a mechanism for screening cargo placed on passenger aircraft. TSA security requirements do not allow for unknown shipments to be placed on passenger aircraft. [57] Specific Known Shipper program requirements are considered sensitive security information and are described in more detail in the restricted version of this report, GAO-05-446SU. [58] Prior to September 11, indirect air carriers were allowed to accept cargo from unknown shippers for transport on passenger aircraft. At that time, cargo from unknown shippers was required to be screened by the indirect air carrier or identified to the passenger aircraft operator so that the aircraft operator could screen the cargo. After September 11, security directives and emergency amendments were issued to both indirect air carriers and aircraft operators; these precluded the transport of unknown shipper cargo on passenger aircraft. The prohibition regarding unknown shipper cargo on passenger aircraft is still in place today. [59] Specific Known Shipper program weaknesses identified by local TSA officials and air cargo industry associations are considered sensitive security information and described in more detail in the restricted version of this report, GAO-05-446SU. [60] TSA security directives also require that passenger air carriers only transport cargo from shippers that could either be verified through the agency's automated Known Shipper database or from shippers that meet other known shipper criteria. [61] Specific problems identified with the Known Shipper program are considered sensitive security information and described in more detail in the restricted version of this report, GAO-05-446SU. [62] Terrorist watch lists provide decision makers with information about individuals who are known or suspected of being a terrorist, among other things. These lists are developed, maintained, or used by federal, state, and local government entities, as well as by private sector entities, and contain various types of data. [63] According to some industry estimates, the total population of known shippers may range up to 3 million. [64] Specific problems with TSA's Known Shipper database are considered sensitive security information and described in the restricted version of this report, GAO-05-446SU. [65] The conference report accompanying the fiscal year 2005 Department of Homeland Security Appropriations Act directs TSA to work more aggressively to strengthen air cargo security by strengthening the Known Shipper program to include regular security checks on all known shippers to ensure that they are not compromising security standards. [66] Information on other types of analyses that could be performed to identify known shippers posing an elevated security risk is considered sensitive security information and is discussed in more detail in the restricted version of this report, GAO-05-446SU. [67] TSA requirements described in aircraft operator standard security programs and security directives allow air carriers to use several methods and technologies to inspect air cargo, including manual physical searches, X-ray systems, explosive trace detection systems, decompression chambers, and explosive detection systems and TSA- certified explosives detection canines for use in inspecting checked baggage, among other methods. [68] Details on the percentage of cargo required to be randomly inspected are considered sensitive security information and described in the restricted version of this report, GAO-05-446SU. [69] Pub. L. No. 108-334, § 513, 118 Stat. at 1317. [70] Details on the types of cargo transported on passenger and all- cargo carriers exempt from TSA random inspection requirements are considered sensitive security information. A description of these exemptions is provided in the restricted version of this report, GAO- 05-446SU. [71] Details on the specific items to be inspected by air carriers and on how existing inspection exemptions may create potential risks security risks and vulnerabilities are considered to be sensitive security information and discussed in the restricted version of this report, GAO-05-446SU. [72] Estimates of the percentage of cargo inspected by air carriers are considered sensitive security information and discussed in the restricted version of this report, GAO-05-446SU. [73] Details on the quality of air cargo inspections are considered sensitive security information and discussed in the restricted version of this report, GAO-05-446SU. [74] TSA compliance inspections are fundamentally different from air carriers' inspections of cargo. TSA inspections are designed to ensure air carrier compliance with air cargo security requirements, while air carrier inspections focus on ensuring that cargo does not contain weapons, explosives, or stowaways. [75] The PARIS database, established in July 2003, provides TSA a Web- based method for entering, storing, and retrieving performance activities and information on TSA-regulated entities, including air carriers and indirect air carriers. PARIS includes profiles for each entity, inspections conducted by TSA, incidents that occur throughout the nation, such as instances of bomb threats, and investigations that are prompted by incidents or inspection findings. [76] We requested all of TSA's compliance inspection data, starting in November 2001. According to TSA, agency efforts to conduct air cargo compliance inspections during calendar years 2001 and 2002 were minimal. Moreover, documentation of inspection results for that period was problematic in part because of the way the Federal Aviation Administration reported compliance inspection data, which made it difficult to migrate the Federal Aviation Administration's data into TSA's PARIS system. [77] TSA reported conducting 40,372 inspections during the same period, but we removed duplicate information found in the data. TSA did not provide unique identification numbers for each inspection; therefore, we developed a methodology for counting individual inspections based on factors including type of inspection, entity inspected, and location and date of inspection. [78] The restricted version of this report, GAO-05-446SU, provides information on the most frequently occurring violations by risk level, as determined by TSA. [79] GAO Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). [80] The percentages of air carrier and indirect air carrier facilities inspected by TSA are estimates. In calculating these estimates, we assumed that none of the indirect air carrier facilities inspected in fiscal year 2004 were inspected before and that there were no discrepancies or missing information in the data for fiscal years 2002 and 2003. As a result, the percentage of air carrier's stations and indirect air carrier's facilities inspected during this period may be lower. TSA did not provide us data to calculate the number of stations and facilities visited for the period beginning in fiscal year 2005. [81] Factors accounting for the limited number of TSA compliance inspections of indirect air carrier facilities are sensitive security information and discussed in the restricted version of this report, GAO- 05-446SU. [82] Since September 1999, each indirect air carrier was required to annually submit and maintain information on all its corporate and satellite offices. [83] According to TSA, special emphasis assessments are distinct from agency efforts to conduct covert testing by TSA's office of Internal Affairs and Program Review. Covert testing is typically done by undercover TSA agents and includes testing the security procedures at passenger check points and airport access controls. [84] Results of TSA's tests are considered sensitive security information and described in the sensitive security version of this report, GAO-05-446SU. [85] The statutory authority for TSA to issue fines and penalties to individual air carriers and indirect air carriers for not complying with established security procedures is 49 U.S.C. § 46301. The penalty for an aviation security violation is found at 49 U.S.C. § 46301(a)(4) and states that the maximum civil penalty for violating chapter 449 (49 U.S.C. §§ 44901 et seq.) or another requirement under this title administered by the TSA's administrator shall be $10,000 except that the maximum civil penalty shall be $25,000 in the case of a person operating an aircraft for the transportation of passengers or property for compensation. [86] This percentage is based on TSA enforcement action data, which include data for the period October 1, 2002, to December 31, 2002. TSA's data on civil enforcement actions were provided by fiscal year and not by month. Not including the data for October 1, 2002, to December 31, 2002, could potentially increase the percentage of cases for which TSA could not specify the action it took to resolve identified security violations. [87] These figures include data for the period October 1, 2002, to December 31, 2002, as TSA's data on civil enforcement actions were provided by fiscal year and not by month. [88] GAO, Aviation Security: Better Management Controls are Needed to Improve FAA's Safety Enforcement and Compliance Efforts, GAO-04-646 (Washington D.C.: July 2004), and GAO, Pipeline Safety: Management of the Office of Pipeline Safety Enforcement Program Needs Further Strengthening, GAO-04-801 (Washington D.C.: July 2004). [89] On September 22 2005, TSA announced that the agency's planned targeting system would undergo a "proof of concept" phase" before being piloted. This phase would entail evaluating the system's potential effectiveness in identifying elevated risk cargo, assessing data quality related to cargo shipments, and recommending any necessary modifications to the system. [90] Details on TSA's planned Freight Assessment System are sensitive security information. A description of the system is provided in the restricted version of this report, GAO-05-446SU. [91] CBP currently uses the Automated Targeting System to target elevated risk international cargo for additional review or inspection. [92] Commercial air carriers must submit specific cargo information to CBP by "wheels up" in the case of aircraft departing for the United States from any foreign place in America, north of the equator only. Aircraft departing for the United States from any other foreign area must provide information electronically no later than 4 hours prior to arrival in the United States. [93] TSA officials could not provide us with details on the Freight Assessment System because such details have not yet been finalized within DHS. [94] GAO, Homeland Security: Challenges Remain in the Targeting of Oceangoing Cargo Containers for Inspection, GAO-04-325NI (Washington, D.C.: Feb. 20, 2004), and GAO, Container Security: A Flexible Staffing Model and Minimum Equipment Requirements Would Improve Overseas Targeting and Inspection Efforts, GAO-05-187SU (Washington, D.C.: April 2005). [95] According to CBP officials, they continue to work on improving the completeness and accuracy of oceangoing cargo manifest data. The mandatory transmission of manifest data for U.S.-bound air cargo shipments was not finalized until December 2004. [96] CBP's Automated Targeting System uses targeting criteria to assign a risk score to cargo shipments. [97] Pub. L. No. 108-334, § 513, 118 Stat. at 1317. [98] In the past TSA received research and development (R&D) funding. For fiscal year 2006, TSA's R&D programs are permanently transferred to the DHS Office of Science and Technology (S&T). A small amount of resources will remain within TSA to assist with EDS testing, and liaison with S&T for operational integration. [99] ETD technology requires human operators to collect samples of items to be inspected with swabs, which are chemically analyzed to identify any traces of explosive material. Decompression chambers simulate the pressures acting on aircraft which cause explosives that are attached to barometric fuses to detonate. [100] In addition to TSA's efforts to test current EDS technology, one airport we visited was undertaking an independent air cargo inspection pilot testing the effectiveness of different versions of X-ray technology. According to airport officials, the inspection process was time-consuming. Airport authority officials stated that they planned to conduct additional inspection technology testing sometime in 2005. [101] Throughput means the amount of cargo screened during a given period of time, for example, per hour. [102] We previously reported on the challenges associated with developing and operating a maritime worker identification card program. GAO, Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program, GAO-05-106 (Washington, D.C.: December 2004). [103] GAO, Transportation Security R&D: TSA and DHS Are Researching and Developing Technologies, but Need to Improve R&D Management, GAO-04-890 (Washington, D.C.: September 2004). [104] TSA's proposed air cargo rule also includes measures for enhancing the security of cargo transported by foreign air carriers entering the United States. According to CBP, air carriers arriving from foreign counties that are already members of the Customs-Trade Partnership Against Terrorism program are required to have security plans. [105] Pub. L. No. 108-334, § 513, 118 Stat. at 1317. [106] The conference report accompanying the fiscal 2005 Department of Homeland Security Appropriations Act, which also contained the requirement for tripling the inspection percentage, was available approximately 1 month prior to the publication of TSA's proposed rule. [107] TSA determined that the proposed regulatory action is not a major rule within the definition of Executive Order 12866, as annual costs to all affected parties do not pass the order's $100 million threshold in any year. If the proposed cost estimates had exceeded the $100 million threshold, TSA would have had to comply with Executive Order 12866's requirement that TSA's analysis of its proposed air cargo security rule consider the costs and benefits of reasonable alternative courses of action and adequately explain the reasons for the proposed action. [108] An airport's SIDA is not to be accessed by passengers and typically encompasses areas near terminal buildings, baggage loading areas, and other areas that are close to parked aircraft and airport facilities, including air traffic control towers and runways used for landing, taking off, or surface maneuvering. [109] Pub. L. No. 108-458, § 4053, 118 Stat. at 3729. [110] We selected 12 airports based on airport size, geographical dispersion, and volume of cargo operations, based on cargo statistics prepared by an industry stakeholder and the Federal Aviation Administration. Information on the specific airports we visited is sensitive security information and is listed in the restricted version of this report, GAO-05-446SU. [111] We observed testing of inspection technology pilot programs at Boston Logan International Airport and Miami International Airport. [112] We met with CBP officials based on the volume of cargo operations at the airports we visited in which CBP has a service port. A service port is a CBP location that has a full range of cargo-processing functions, including inspections, entry, collections, and verification. Information on specific service ports we visited is sensitive security information and is listed in the restricted version of this report, GAO- 05-446SU. [113] Our analysis was conducted using what is called Monte Carlo simulation, which uses random numbers to measure the effects of uncertainty. [114] GAO-05-446SU. [115] Phase I testing of the EDS pilot program took place at Ted Stevens Anchorage International Airport, Atlanta Hartsfield-Jackson International Airport, Chicago O'Hare International Airport, Dallas Fort Worth International Airport. Los Angeles International Airport, and Miami International Airport. [116] The fiscal year 2006 Department of Homeland Security appropriations bill, H.R. 2360, as passed by the House of Representatives on May 17, 2005, proposes to require that TSA utilize existing checked baggage explosive detection equipment and screeners to screen cargo carried on passenger aircraft to the greatest extent practical, and would require that TSA report monthly on the amount of cargo screened by TSA. The Senate version of the bill, passed on July 14, 2005, proposes to direct that DHS research, develop, and procure certified systems to screen air cargo on passenger aircraft at the earliest date possible. [117] Ground support equipment is a wheeled cart, maneuvered by airline tugs, used to move air cargo between airline cargo facilities and aircraft. Rolling stock equipment is a bulk mail container used to transport mail sacks and outside packages from a mail facility to the airline mail screening location and then to the aircraft. [End of section] GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site [hyperlink, http://www.gao.gov] contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to [hyperlink, http://www.gao.gov] and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Paul Anderson, Managing Director, AndersonP1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: