This is the accessible text file for GAO report number GAO-09-85 entitled 'Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector' which was released on March 27, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Homeland Security, House of Representatives: United States Government Accountability Office: GAO: February 2009: Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector: Commercial Vehicle Security: GAO-09-85: GAO Highlights: Highlights of GAO-09-85, a report to the Chairman, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives. What GAO Found: TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA’s threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials’ associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments. What GAO Recommends: GAO is recommending that TSA develop a plan and time frame for completing risk assessments, develop performance measures that assess the effectiveness of federal commercial vehicle security programs, fully define stakeholder roles and responsibilities, and assess its coordination efforts. DHS concurred with our recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-85]. For more information, contact Cathleen Berrick at (202) 512-3404 or berrickc@gao.gov. [End of section] Contents: [End of section] United States Government Accountability Office: Washington, DC 20548: February 27, 2009: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: Dear Mr. Chairman: Numerous incidents around the world have highlighted the vulnerability and accessibility of commercial trucks and buses to terrorists and other persons intending to do harm, including domestic attacks using commercial trucks at the Oklahoma City Murrah Federal Building in 1995 (fig. 1) and the World Trade Center in 1993, as well as bombings using trucks of U.S. embassies in Kenya and Tanzania in 1998. Between 1997 and 2008, there have been 510 terrorist truck and bus bombing attacks worldwide resulting in over 6,000 deaths and, due in large part to the current conflict in Iraq, there was a large surge of truck bombings during 2007. Commercial vehicles play an essential role in moving goods and people throughout the country. For purposes of this report, commercial vehicles refers to those vehicles used in the commercial trucking industry (e.g., for-hire and private trucks moving freight, rental trucks, and trucks carrying hazardous materials) and the commercial motor coach industry (i.e., intercity, tour, and charter buses).[Footnote 1] Figure 1: Murrah Federal Building, Oklahoma City: Image: Murrah Federal Building, Oklahoma City. [Refer to PDF for image] Source: Disaster Assistance and Rescue Team, Ames Research Center, National Aeronautics and Space Administration. [End of figure] More than a million commercial trucking companies transport 65 percent of the nation's daily freight, including almost 800,000 shipments of hazardous materials daily. Commercial buses carry 775 million passengers annually, more than commercial aviation carries. The openness of the nation's highway transportation system allows these vehicles and their operators to move freely and, with the exception of commercial trucks carrying hazardous materials, under almost no restrictions. The open operational environment, sizeable volume, and accessibility of commercial vehicles also presents challenges in addressing potential threats to the system. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has primary responsibility for securing the commercial vehicle sector.[Footnote 2] Within TSA, the Highway and Motor Carrier (HMC) Division is responsible for ensuring highway and motor carrier security. The Department of Transportation's (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) and Federal Motor Carrier Safety Administration (FMCSA), state and local law enforcement agencies, and private companies that own and operate commercial vehicles also have responsibilities related to the security of commercial vehicles. PHMSA is responsible for developing hazardous materials security regulations, and FMCSA is responsible for enforcing those regulations through safety and security inspections. State and local governments coordinate with FMCSA as they conduct their own safety and security inspections, while private commercial vehicle firms are ultimately responsible for personnel, vehicle, and terminal security within the commercial vehicle sector. Given competing homeland security priorities and limited resources, Congress and the executive branch must make difficult policy decisions in order to prioritize security efforts and direct resources to the areas of greatest risk among all transportation modes and across other nationally critical sectors, such as the chemical and energy sectors. Within the commercial vehicle sector, federal, state, and local agencies and private commercial vehicle firms must also identify and invest in appropriate security measures to safeguard the industry while supporting other capital and operational improvements. The National Commission on Terrorist Attacks upon the United States (the 9/11 Commission) recommended that the federal government use risk management principles to determine how best to allocate limited resources. Further, the Intelligence Reform and Terrorism Prevention Act of 2004 requires DHS to develop risk-based priorities across all transportation modes in its National Strategy for Transportation Security.[Footnote 3] A risk management approach entails a continuous process of managing risks through a series of actions, including setting strategic goals and objectives, assessing and quantifying risks, evaluating alternative security measures, selecting which measures to undertake, and implementing and monitoring those measures. The Secretary of DHS and the Assistant Secretary, TSA, have identified that risk-based decision making is a cornerstone of departmental and agency policy. Homeland Security Presidential Directive 7 (HSPD-7), issued in December 2003, directed DHS to establish policies and approaches for integrating critical infrastructure protection and risk management activities. Specifically, federal departments and agencies, working with state and local governments and the private sector, are to identify, prioritize, and coordinate the protection of critical infrastructure and key resources to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them.[Footnote 4] As required by HSPD-7, in June 2006, DHS issued the National Infrastructure Protection Plan (NIPP), which outlines national goals, objectives, milestones, and key initiatives with respect to the protection of critical infrastructure and provides a framework for the development of sector-specific security plans. In accordance with the NIPP and Executive Order 13416, DHS developed the Transportation Systems Sector-specific Plan (TSSP) to govern its strategy for securing the transportation sector, as well as annexes for each mode of transportation, including highway infrastructure and motor carrier transportation. The NIPP and TSSP require a strategy based on a risk assessment process of considering threat, vulnerability, and consequence assessments together to determine the likelihood of terrorist attacks and the severity of their impact. You expressed interest in the progress TSA has made in setting priorities and implementing measures to enhance the security of commercial vehicles, as well as the security practices that commercial trucking and motor coach industries have implemented. This report addresses the following questions: (1) To what extent has TSA assessed the security risks associated with commercial vehicles and used this information to develop and implement a security strategy? (2) What security actions have key government and private sector stakeholders taken to mitigate identified risks to commercial vehicle security, and to what extent has TSA measured the effectiveness of its actions? (3) To what extent has TSA coordinated its strategy and efforts for securing commercial vehicles with other federal entities, states, and private sector stakeholders? To determine the extent to which TSA has assessed the security risks associated with commercial vehicles and used this information to develop and implement a security strategy, we analyzed strategic security planning documents and risk assessment documentation-- including assessments of threat, vulnerability, and consequences--and interviewed agency officials. Specifically, we reviewed DHS and TSA's threat assessments and interviewed officials from TSA's Office of Intelligence and HMC. To evaluate TSA's efforts to assess vulnerability, we examined the results of its vulnerability assessments, known as Corporate Security Reviews (CSRs), attended two Missouri Pilot CSRs, and met with TSA HMC officials, FMCSA field inspectors, and Missouri state officials to discuss the CSRs. We also met with DOT FMCSA officials regarding their security inspection programs. To assess TSA's efforts to conduct consequence assessments, we interviewed officials from TSA's HMC and DHS's National Protection and Programs Directorate. We also reviewed risk assessment and strategy documents and interviewed HMC officials to determine the extent to which their risk assessments were informing TSA's security strategy, and we compared their actions to DHS risk management guidance. To identify the security actions key federal government stakeholders have taken to mitigate risks to commercial vehicle security, and the extent to which TSA has measured the effectiveness of its actions, we reviewed agency annual reports, field risk assessment summaries, and performance reports, and interviewed officials from TSA, PHMSA, and FMCSA. To identify state actions, we interviewed officials of two associations representing state transportation and law enforcement organizations. We also interviewed officials from eight states and conducted site visits at five. We selected these states in a nonprobability sample based on certain characteristics, including their proximity to critical infrastructure and potential terrorist targets such as large population centers, and the amount of hazardous materials originating in the state. To identify private industry actions, we examined inspections data from TSA, and reviewed documents from industry trade associations on the guidance they provided to their members. The quality of TSA's CSR inspection data was previously assessed by the Missouri Pilot Evaluation. We reviewed the pilot evaluation and concurred with its conclusion that the Missouri sample was not representative of the commercial vehicle industry in Missouri or the industry nationwide. We chose industry associations based on a review of the industry and discussions with TSA. We chose 12 industry associations that represent trucking firms, owner operators and truck drivers, truck manufacturers, truck rental and leasing companies, hazardous materials shippers, and intercity and tour bus companies. We also interviewed leadership of the Highway and Motor Carrier Sector Coordinating Council (SCC), and conducted site visit interviews with 26 commercial truck and bus companies selected on the basis of characteristics including size, location, and other factors. Because we selected a nonprobability sample of commercial vehicle firms and states, the information we obtained from these interviews and visits cannot be generalized to all commercial vehicle companies. However, we believe that observations obtained from these visits provided us with a greater understanding of the industry's and state's operations and perspectives. To assess the extent to which TSA has measured the effectiveness of its security actions, we used guidance from the Government Performance Results Act (GPRA) and DHS guidelines as criteria; assessed TSA planning, budgeting, and performance measurement documents; and interviewed agency officials. To review TSA's efforts to coordinate its strategy and efforts for securing commercial vehicles with other federal entities, we reviewed DHS's memorandum of understanding with DOT and subsequent annexes that identify the roles and responsibilities of DHS and DOT components related to the security of commercial vehicles, and interviewed officials from TSA, PHMSA, and FMCSA. In addition, we reviewed statutes relating to DHS and DOT roles and responsibilities, as well as related regulations and associated comments provided during the rulemaking process. To assess TSA's coordination with states, we interviewed state officials in the eight states we selected. We also reviewed documentation of state law enforcement and transportation associations' communication with TSA and interviewed their officials. To assess TSA's coordination with private industry, we reviewed documentation of coordination and communication and interviewed members of the SCC and the 26 private firms we visited. We then discussed a synopsis of these agency, state, and industry comments with TSA officials to obtain their perspectives. Finally, we compared TSA's efforts to collaborate and coordinate with stakeholders to leading practices of collaborating agencies.[Footnote 5] We conducted this performance audit from October 2006 through February 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. For a more detailed discussion of our objectives, scope, and methodology, see appendix I. Results in Brief: TSA has taken actions to assess the security risks associated with the commercial vehicle sector, including assessing threats, initiating vulnerability assessments, and developing security best practices, but more work remains to fully assess the security risks of commercial trucks and buses, and to ensure that this information is used to inform TSA's security strategy. Risk assessment is the process of considering threat, vulnerability, and consequence assessments to determine the likelihood of terrorist attacks and the severity of their impact. TSA has and continues to conduct threat assessments of the commercial vehicle sector, and has reported that Vehicle Borne Improvised Explosive Devices, or truck bombs, are the most likely tactic. TSA has also cosponsored a large number of vulnerability assessments of the commercial vehicle sector through a pilot initiative in the state of Missouri, known as Corporate Security Reviews (CSRs), and is in the process of expanding its CSR program to Michigan and Colorado. In addition, TSA has begun gathering evacuation data that could inform consequence assessments, and is also in the process of conducting threat scenarios of commercial vehicle security risks. Although TSA has taken actions to assess risks to the commercial vehicle sector, it can further strengthen and complete these efforts. Specifically, TSA's threat assessments generally did not identify the likelihood of specific threats as required by the NIPP, and the agency has not yet developed a plan to regularly provide specific threat likelihood estimates. Regarding vulnerability, TSA's contracted evaluation of the Missouri CSR pilot program was completed 2 years ago and made a number of recommendations to expand and improve the CSR program, which TSA has not fully addressed. For example, TSA has not addressed the evaluation's recommendation that it draw a more statistically representative sample for its CSR interviews. As a result, the agency cannot be sure that its CSR efforts will fully identify the vulnerabilities of the sector. Standards for internal controls for the federal government state that findings and deficiencies reported in audits and other reviews should be promptly reviewed, resolved, and corrected within established time frames. TSA also has not determined the scope, method, or time frame it will use to complete vulnerability assessments of the commercial vehicle sector and its diverse firms. Without completing industry vulnerability assessments as required by HSPD-7 and the NIPP, TSA cannot complete an overall assessment of the industry security risks. In addition, TSA has not conducted assessments of consequences of a terrorist attack on the commercial vehicle sector, or developed a plan to conduct sector wide consequence assessments. The agency also has not determined the scope and method required for risk assessments for the commercial vehicle sector, specifically the mix of expert and field-level risk assessments it intends to use and how it plans to integrate the two. Nor has the agency leveraged the risk assessments of other sectors to gauge the consequences of truck bomb attacks on the nation's critical infrastructure. TSA has identified that one of its strategic goals is to inventory the security status of the nation's highway and motor carrier systems. Standard practices in program and project management include developing a road map, or a program plan, to achieve programmatic results within a specified time frame or milestones. However, at present, TSA does not have a plan specifying the degree to which further risk assessments of the commercial vehicle industry are needed and the level of resources required to complete these assessments, nor has TSA established a time frame for completing its risk assessment efforts. Without a plan and a time frame to complete threat, vulnerability, and consequence assessments for the commercial vehicle sector, or an existing strategy that is based on available intelligence information, TSA cannot be assured that its approach for securing the commercial vehicle sector is aligned with the highest priority security needs. In lieu of a completed risk assessment, TSA leadership has decided to implement a current strategy which focuses on examining security risks posed by the shipment of hazardous materials. However, available information from ongoing risk assessments does not appear to support this emphasis, and the basis for TSA's decision for this strategy is unclear. TSA also has not completed a report as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act) on commercial trucking security. Key government and industry stakeholders have taken actions to strengthen the security of the commercial vehicles sector, but TSA has not completely assessed the effectiveness of federal actions. At the federal level, DHS and DOT have implemented a number of programs designed to strengthen the security of the commercial vehicle sector, including conducting security assessments and implementing hazardous materials security programs. States have also worked individually and collaboratively through their state transportation and law enforcement associations to strengthen the security of commercial vehicles and highway infrastructure, establishing various committees and implementing joint initiatives with TSA and DOT. In addition, commercial truck and motor coach industry associations we contacted reported that they were generally assisting their members to improve security by providing them with a variety of best practices guidance. Regarding the preparedness of individual firms, the Missouri CSR pilot evaluation showed that the more highly regulated firms carrying hazardous materials were implementing more security measures to mitigate their risks, while truck companies not transporting hazardous materials were implementing few of TSA's best security practices. Our site visits to 26 commercial truck and bus companies found that most of these companies had implemented basic security measures, but the prevalence and sophistication of these practices varied. TSA has begun developing and using performance measures to assess the progress of commercial vehicle security programs, but does not have outcome data to monitor how effectively its programs are achieving their intended purpose, as suggested by GPRA and the Transportation Sector Security Plan. TSA officials agreed that opportunities exist to develop outcome- based performance measures for its commercial vehicle security programs, and stated that they would like to do so in the future. Without outcome measures and data, TSA will not be able to measure its success in achieving the ultimate goal of enhancing the security of the commercial vehicle sector. Moreover, as we have previously reported, GPRA provides a means for agencies to ensure that program strategies are mutually reinforcing, and, as appropriate, common or complementary performance measures are used. Although TSA officials stated that performance data for these programs are important to monitor the effectiveness of federal efforts to secure the sector, they lacked an agreement to receive performance measurement data for commercial vehicle security programs from FMCSA. However, after the 9/11 Commission Act required TSA and FMCSA to complete an annex to a memorandum of understanding (MOU), an agreement was concluded in October 2008 which included procedures to implement data sharing. While TSA has taken actions to strengthen coordination with federal, state, and industry stakeholders related to commercial vehicle security, more can be done to ensure that these coordination efforts enhance security for the sector. Our previous work has shown that leading practices for collaborating agencies include defining a common outcome and complementary strategy, agreeing on roles and responsibilities, leveraging stakeholder resources, and developing mechanisms to monitor, evaluate, and report on the results of the collaborative effort.[Footnote 6] DHS and DOT have signed an MOU, which established broad areas of responsibility, and TSA signed an additional annex with PHMSA to enhance coordination. Moreover, TSA has established an intergovernmental council to coordinate with federal and state officials and supported the creation of an industry council to gather feedback and input regarding the commercial vehicle sector. DOT officials expressed general satisfaction with their overall level of coordination with TSA. However, without an agreement with FMCSA, TSA had made limited progress in leveraging FMCSA resources and resolving potentially duplicative security inspections. After the 9/11 Commission Act required TSA and FMCSA to complete an annex to the MOU to reduce potential duplication of effort, an agreement was concluded in October 2008. Some state and industry officials we interviewed raised concerns about TSA's coordination and communication with the sector on developing a security strategy and defining roles and responsibilities for the industry. For example, one group of state transportation officials stated that they tried to discuss with TSA and DHS what role the states play in transportation security, but according to these officials, neither agency responded by providing fully defined roles or communicating TSA's strategy to secure commercial vehicles. Other state officials said they had to delay implementing their own initiatives pending TSA clarification of state roles and responsibilities. Although TSA has leveraged the resources of the State of Missouri to conduct CSR vulnerability assessments, and recently reached agreements to expand them to Michigan and Colorado, the agency has made limited progress in coordinating the expansion of CSRs to other states. Without enhanced coordination, it will be difficult for TSA to expand the CSR approach to other states. Finally, TSA stated that it has taken steps to interact with industry regarding the security of the sector and has also leveraged its expertise to strengthen security. However, the agency has not developed a process to monitor the effectiveness of its coordination efforts with this very large and diverse sector, consistent with leading practices for collaborating agencies. Without such a process, TSA will have difficulty enhancing and sustaining collaborative efforts and identifying areas for improvement. To help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, we are recommending that the Assistant Secretary of the Transportation Security Administration establish a plan and a time frame for completing risk assessments of the commercial vehicle sector and use this information to support future updates of the Transportation Sector Strategic Plan; clarify the basis for the current risk reduction strategy; develop outcome-based performance measures, to the extent possible, to assess the effectiveness of its programs to enhance the security of the commercial vehicle sector; and establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that roles and responsibilities of industry and government are fully defined and clearly communicated, new approaches to enhance communication are considered, and the effectiveness of its coordination efforts are monitored and assessed. We provided a draft copy of this report to DHS and DOT for review. DHS, in its written comments, generally concurred with our findings and recommendations and discussed efforts underway to address them. DOT provided additional technical comments, which were incorporated as appropriate. Background: Certain characteristics of commercial trucks and buses make them inherently vulnerable to terrorist attacks and therefore difficult to secure. The commercial trucking and bus industries are open by design, with multiple access points and terminals so that vehicles can move large numbers of people and volumes of goods quickly. The openness of this sector and the large numbers of riders and quantities of goods on vehicles with access to metropolitan areas or tourist destinations also make them both difficult to secure and attractive targets for terrorists because of the potential for mass casualties and economic damage and disruption. In addition, the multitude of private commercial truck and bus companies and their diversity in size and cargo complicate efforts to develop security measures and mitigation strategies that are appropriate for the entire industry. Between 1997 and 2008 there were 510 terrorist-related commercial truck and bus bombing attacks worldwide, killing over 6,000 people, with 106 bombings occurring during 2007 alone, killing over 2,500 people. Of the 510 bombings since 1997, 364 have been bus bombings and 146 have been truck bombings; 156 have been in Iraq and 354 have been in countries other than Iraq. In 2007, the use of truck bombs as a terrorist tactic more than tripled and resulted in 2072 deaths.[Footnote 7] While trucks were involved in just 29 percent of the bombings since 1997, they accounted for 56 percent of the deaths. Vehicle Borne Improvised Explosive Devices (VBIEDs) are vehicles loaded with a range of explosive materials that are detonated when they reach their target. VBIEDs can also be used to explode flammable fuel trucks, and disperse toxic substances. Terrorists have used a variety of trucks--rental, refrigerator, cement, dump, sewerage, gasoline tanker, trucks with chlorine and propane tanks, and fire engines--to attack a broad range of critical infrastructure, including police and military facilities, playgrounds, childcare centers, hotels, and bridges. Worldwide, commercial buses have also been attacked numerous times, including in Israel, England, Iraq, the Philippines, Lebanon, Sri Lanka, India, Russia, and Pakistan.[Footnote 8] In the United States, terrorists used a commercial truck containing fertilizer-based explosives to attack the World Trade Center in 1993, killing 6 and injuring 1,000 people. Two years later, a similar attack occurred at the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma, killing 168 people and injuring more than 800. Terrorists have also targeted overseas U.S. military personnel with commercial VBIEDs at the Marine barracks in Lebanon (1983), Khobar Towers in Saudi Arabia (1996), and at U.S. embassies in Kuwait (1983), Lebanon (1984), Kenya (1998), and Tanzania (1998). Figure 2 charts the number of worldwide bombings involving commercial truck or buses since the 1997. See appendix II for more information on truck and bus bombing incidents. Figure 2: Worldwide Terrorist Truck and Bus Bombings from January 1997 through December 2008A: Combination line and bar graph: Year: 1997; Bus and truck bombings: 32; Deaths from bus and truck bombings: 151. Year: 1998; Bus and truck bombings: 30; Deaths from bus and truck bombings: 402. Year: 1999; Bus and truck bombings: 21; Deaths from bus and truck bombings: 32. Year: 2000; Bus and truck bombings: 32; Deaths from bus and truck bombings: 153. Year: 2001; Bus and truck bombings: 18; Deaths from bus and truck bombings: 48. Year: 2002; Bus and truck bombings: 41; Deaths from bus and truck bombings: 363. Year: 2003; Bus and truck bombings: 44; Deaths from bus and truck bombings: 292. Year: 2004; Bus and truck bombings: 27; Deaths from bus and truck bombings: 273. Year: 2005; Bus and truck bombings: 43; Deaths from bus and truck bombings: 504. Year: 2006; Bus and truck bombings: 52; Deaths from bus and truck bombings: 622. Year: 2007; Bus and truck bombings: 106; Deaths from bus and truck bombings: 2578. Year: 2008; Bus and truck bombings: 64; Deaths from bus and truck bombings: 666. [Refer to PDF for image] Source: GAO analysis of global terrorism data. [A] Data on the incidents of truck and bus bombings were based on a systematic search of the Global Terrorism Database, Nexis, and Dialog databases. GAO determined which databases and search terms were to be used through a pilot study which also explored the various potential threats to validity and how to mitigate them. To use only the most reliable data, we limited the search to 1997 through 2008. Incidents directed at troops in combat were not counted; however, incidents directed at civilians or other targets in active war zones such as Iraq and Afghanistan are included. Bus attacks include attacks on bus stations and bus stands. For further information on the methodology and results of our database searches, see app. II. [End of figure] Stakeholder Roles and Responsibilities: DHS and DOT share responsibility for securing the commercial vehicle sector. Prior to the terrorist attacks of September 11, 2001, DOT was the primary federal entity involved in regulating commercial vehicles. In response to September 11, 2001, Congress passed the Aviation and Transportation Security Act (ATSA) of 2001, which created and conferred upon TSA broad responsibility for securing all transportation sectors.[Footnote 9] In 2002, Congress passed the Homeland Security Act, which established DHS, transferred TSA into DHS, and gave DHS responsibility for protecting the nation from terrorism, including securing the nation's transportation systems.[Footnote 10] Although TSA is the lead agency responsible for the security of commercial vehicles, including those carrying hazardous materials,[Footnote 11] DOT maintains a regulatory role with respect to hazardous materials.[Footnote 12] Specifically, DOT continues to issue and enforce regulations governing the safe transportation of hazardous materials. In addition, the Homeland Security Act expanded DOT's responsibility to include ensuring the security, as well as the safety, of the transportation of hazardous materials.[Footnote 13] Accordingly, within DOT, PHMSA is responsible for developing, implementing, and revising security plan requirements for carriers of hazardous materials, while FMCSA inspectors enforce these regulations through reviews of the content and implementation of these security plans. In 2004, based on a recommendation we made, DHS and DOT entered into a memorandum of understanding (MOU) to delineate the agencies' roles and responsibilities with respect to transportation security. In 2006, TSA and PHMSA completed an annex to the MOU related to the transportation of hazardous materials. This annex identifies TSA as the lead federal entity for the security of the transportation of hazardous materials, and PHMSA as responsible for promulgating and enforcing regulations and administering a national program of safety and security related to the transportation of hazardous materials. In addition, the 9/11 Commission Act requires that, by August 2008, DHS and DOT complete an annex to the MOU that would govern the roles of the two agencies regarding the security of commercial motor vehicles.[Footnote 14] State and local governments also play a key role in securing commercial vehicles. States own, operate, and have law enforcement jurisdiction over significant portions of the infrastructure--including highways, tunnels, and bridges--that commercial vehicles use. Further, state and local governments respond to emergencies involving commercial vehicles which travel within and through their jurisdictions daily. Many states also have departments of homeland security with firsthand knowledge of hazardous materials shippers and routing, local smuggling operations, and individuals and groups to be monitored for security reasons. Some states also have fusion centers that collect relevant law enforcement and intelligence information to coordinate the dissemination of alerts and assist in emergency response. State transportation and law enforcement officials also conduct vehicle safety inspections and compliance reviews, sometimes in coordination with FMCSA.[Footnote 15] Although all levels of government are involved in the security of commercial vehicles, primary responsibility for securing commercial vehicles rests with the individual commercial vehicle companies themselves. Truck and bus companies have responsibility for the security of day-to-day operations. As part of these operations, they ensure that company personnel, vehicles, and terminals---as well as all of the material and passengers they transport----are secured. Faced with tight competition, low margins, and, in some sectors, high driver turnover, some industry officials that we interviewed stated that devoting resources to security has remained a challenge. A variety of national organizations represent commercial trucking and motor coach industry interests. Many of these organizations disseminate pertinent security bulletin information from DHS and DOT to their members. Some have also developed and provided their members with security information and tools--such as security check lists and handbooks--to meet members' security needs. See appendix III for a list of the major industry associations representing the truck and motor coach industries interviewed by GAO. Legislation and Regulations Governing the Security of Commercial Vehicles: Although ATSA, passed in November 2001, includes numerous requirements for TSA regarding securing commercial aviation, it does not include any specific requirements related to the security of land transportation sectors. [Footnote 16] However, with regard to all sectors of transportation, ATSA generally requires TSA to: * receive, assess, and distribute intelligence information related to transportation security; * assess threats to transportation security and develop policies, strategies, and plans for dealing with those threats, including coordinating countermeasures with other federal organizations; and, * enforce security-related regulations and requirements. Other legislation, specifically the USA PATRIOT Act and the 9/11 Commission Act, requires TSA to take specific actions to ensure the security of commercial vehicles. The USA PATRIOT Act provides that a state may not issue to any individual a license to transport hazardous materials unless that individual is determined not to pose a security risk.[Footnote 17] TSA regulations require that drivers who transport hazardous materials undergo a security threat assessment that consists of an evaluation of a driver's criminal history, immigration status, mental capacity, and connections to terrorism to determine if the driver poses a security risk.[Footnote 18] The 9/11 Commission Act also requires that the Secretary of Homeland Security, by August 2008, submit a report to Congress that includes, among other things, a security risk assessment on the trucking industry, an assessment of industry best practices to enhance security, and an assessment of actions already taken by both public and private entities to address identified security risks.[Footnote 19] The act also mandates that the Secretary develop a tracking program for motor carrier shipments of hazardous materials by February 2008.[Footnote 20] With regard to intercity buses, the act requires that the Secretary issue regulations by February 2009 requiring high-risk, over-the-road bus operators to conduct vulnerability assessments and develop and implement security plans.[Footnote 21] The act further mandates that the Secretary of Homeland Security issue regulations by February 2008 requiring all over- the-road bus operators to develop and implement security training programs for frontline employees, and that the Secretary establish a security exercise program for over-the-road bus transportation.[Footnote 22] The act also requires DOT to take specific actions related to the security of commercial vehicles. For example, the Act requires that the Secretary of Transportation, by August 2008, analyze the highway routing of hazardous materials, and develop guidance to identify and reduce safety and security risks.[Footnote 23] DOT's PHMSA has issued regulations intended to strengthen the security of the transportation of hazardous materials.[Footnote 24] The regulations require persons who transport or offer for transportation certain hazardous materials to develop and implement security plans.[Footnote 25] Security plans must assess the security risks associated with transporting these hazardous materials and include measures to address those risks. At a minimum, the plan must include measures to (1) confirm information provided by job applicants hired for positions that involve access to and handling of hazardous materials covered by the security plan, (2) respond to the assessed risk that unauthorized persons may gain access to hazardous materials, and (3) address the assessed risk associated with the shipment of hazardous materials from origin to destination. The regulations also require that all employees who directly affect hazardous materials transportation safety receive training that provides awareness of security risks associated with hazardous materials transportation and of methods designed to enhance transportation security. Such training is also to instruct employees on how to recognize and respond to possible security threats. Additionally, each employee of a firm required to have a security plan must be trained concerning the plan and its implementation. DHS funding for commercial vehicle security consists of a general appropriation to TSA for its entire surface transportation security program, which includes commercial vehicles and highway infrastructure, rail and mass transit, and pipeline, as well as and appropriations to the Federal Emergency Management Administration (FEMA) for truck and bus security grant programs.[Footnote 26] Annual appropriations to TSA for surface transportation security for fiscal years 2006 through 2009 are presented in table 1. Table 1: Annual Appropriations to TSA for Surface Transportation Security: Fiscal year: 2006; Annual appropriations: $36 million. Fiscal year: 2007; Annual appropriations: $37.2 million. Fiscal year: 2008; Annual appropriations: $46.6 million. Fiscal year: 2009; Annual appropriations: $49.6 million. Source: TSA. [End of table] The number of TSA full-time employees (FTEs) dedicated to highway and motor carrier security--which includes both commercial vehicles and highway infrastructure--has remained at about 19 FTEs annually since fiscal year 2002.[Footnote 27] Commercial Trucking Industry: TSA estimates that there are approximately 1.2 million commercial trucking companies in the United States. Trucks transport the majority of freight shipped in the United States: by tonnage, 65 percent of total domestic freight; by revenue, 75 percent. According to TSA, 75 percent of U.S. communities depend solely on trucking to transport commodities. Trucks and buses have access to nearly 4 million miles of roadway in the United States. Trucking companies range in size from a single truck to several thousand trucks. According to DOT 2004 data, which are the most current available, 87 percent of trucking companies operated 6 or fewer trucks, while 96 percent operated 20 or fewer. DOT estimates that about 40,000 new commercial trucking companies enter the industry annually. As of August 2008, nearly 11.9 million commercial trucks were registered with DOT. Trucks come in a large variety of configurations and cargo body types to perform a wide range of tasks. Some trucks are used for local tasks such as construction, landscaping, or local package delivery, while others are used for transporting cargo over-the-road or for long hauls. For a more complete summary of DOT data on commercial trucking and bus firms, trucks and buses, and drivers, see appendix V. The trucking industry is diverse, involving several different sectors and including for-hire and private fleets, truckload and less-than- truckload carriers, bulk transport, hazardous materials, rental and leasing, and others. For-hire firms are those for which trucking is their primary business, while private fleets are generally used to support another business activity, such as grocery chains and construction. According to a 2002 DOT survey, for-hire trucks represented 47 percent of the industry, while private fleets represented 53 percent[Footnote 28]. While truckload carriers move loads from point to point, less-than-truckload carriers pick up smaller shipments and consolidate them at freight terminals. Bulk transport firms move bulk commodities such as gasoline, cement and corn syrup in large trailers specifically designed for each type of commodity. Truck rental and leasing companies also are part of the commercial trucking industry. Consumer rental companies rent trucks to walk-in customers for short periods of time and represent 15 percent of the rental and leasing industry. Commercial rental and leasing companies generally lease trucks for a year or longer and account for the remaining 85 percent of the rental and leasing industry. With respect to the transportation of hazardous materials, of an estimated 1.2 million commercial vehicle firms, 60,682 are registered as hazardous materials carriers, or about 5 percent of the commercial vehicle industry, and 1,778,833 drivers are licensed to transport hazardous materials.[Footnote 29] Hazardous materials[Footnote 30] are transported by truck almost 800,000 times a day, and 94 percent of hazardous material shipments are by trucks, which transport approximately 54 percent of hazardous materials volume (tons). DOT PHMSA classifies hazardous materials under 9 different classes of hazards.[Footnote 31] Most hazardous materials shipments by truck involve flammable liquids such as gasoline (81.8 percent), followed by gases (8.4 percent) and corrosive materials (4.4 percent). Class 6 toxic poisons include Toxic Inhalation Hazards (TIH) but comprise only 0.2 percent of hazardous materials transported by truck. The shipment of security sensitive hazardous materials such as Toxic Inhalation Hazards is of particular concern to TSA, although the agency estimates that they represent just .000058 percent of the commercial vehicle industry.[Footnote 32] Eighty-one percent of the Toxic Inhalation Hazards transported by truck is anhydrous ammonia and 10 percent is chlorine. Commercial Bus Industry: Commercial bus companies represent less than 1 percent of the commercial vehicle industry, but according to TSA estimates, carry 775 million passengers annually. Intercity buses, or motor coaches, include buses with regularly scheduled routes, as well as tour and charter bus companies. In August 2008, DOT reported that there were 3,948 motor coach carriers, with 75,285 buses. Of these carriers, fewer than 100 are intercity bus companies, which transport passengers from city to city on scheduled routes, while the remaining carriers operate tour and charter buses. Most bus companies (95 percent) are small operators with fewer than 25 buses. Intercity buses, or motor coaches, serve all large metropolitan areas and travel in close proximity to some of the nation's most visible and populated sites, such as sporting events and arenas, major tourist attractions, and national landmarks. A few intercity bus carriers also travel internationally to Canada and Mexico. According to a study commissioned by DOT, the accessibility and open nature of the motor coach industry make it difficult to protect these assets, and the level of security afforded to the infrastructure of the motor coach industry is relatively low compared to the commercial aviation sector, despite the fact that the motor coach industry handles more passengers a year.[Footnote 33] Risk Management Approach to Guide Homeland Security Investments: HSPD-7 directed the Secretary of DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities. Recognizing that each sector possesses its own unique characteristics and risk landscape, HSPD-7 designates Federal Government Sector-Specific Agencies (SSAs) for each of the critical infrastructure sectors to work with DHS to improve critical infrastructure security.[Footnote 34] On June 30, 2006, DHS released the National Infrastructure Protection Plan (NIPP), which developed--in accordance with HSPD-7--a risk-based framework for the development of Sector-Specific (SSA) strategic plans. The NIPP defines roles and responsibilities for security partners in carrying out critical infrastructure and key resources protection activities through the application of risk management principles. Figure 3 illustrates the several interrelated activities of the risk management framework as defined by the NIPP, including setting security goals and performance targets, identifying key assets and sector information, and assessing risk information including both general and specific threat information, potential vulnerabilities, and the potential consequences of a successful terrorist attack. The NIPP requires that federal agencies use this information to inform the selection of risk-based priorities and continuous improvement of security strategies and programs to protect people and critical infrastructure through the reduction of risks from acts of terrorism. Figure 3: NIPP Risk Management Framework: Flowchart. [Refer to PDF for image] Source: DHS. [End of figure] The NIPP risk management framework consists of the following interrelated activities: * Set security goals: Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective protective posture. * Identify assets, systems, networks, and functions: Develop an inventory of the assets, systems, and networks that comprise the nation's critical infrastructure, key resources, and critical functions. Collect information pertinent to risk management that takes into account the fundamental characteristics of each sector. * Assess risks: Determine risk by combining potential direct and indirect consequences of a terrorist attack or other hazards (including seasonal changes in consequences, and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack vectors, and general or specific threat information. * Prioritize: Aggregate and analyze risk assessment results to develop a comprehensive picture of asset, system, and network risk; establish priorities based on risk; and determine protection and business continuity initiatives that provide the greatest mitigation of risk. * Implement protective programs: Select sector-appropriate protective actions or programs to reduce or manage the risk identified, and secure the resources needed to address priorities. * Measure effectiveness: Use metrics and other evaluation procedures at the national and sector levels to measure progress and assess the effectiveness of the national Critical Infrastructure and Key Resources protection program in improving protection, managing risk, and increasing resiliency. TSA Has Begun Conducting Risk Assessments of the Commercial Vehicle Sector, but Has Not Completed These Efforts or Fully Used the Results to Support Its Security Strategy: TSA has taken actions to assess the security risks associated with the commercial vehicle sector, including assessing threats, initiating vulnerability assessments, and developing best security practices, but more work remains to fully assess the security risks of commercial trucks and buses, and to ensure that this information is used to inform TSA's security strategy. Although TSA has completed a variety of threat assessments and is in the process of developing several threat scenarios with likelihood estimates, its key annual threat assessments do not include information about the likelihood of a terrorist attack method on a particular asset, system or network, as required by the NIPP. However, in September 2008, TSA reported that in response to the 9/11 Commission Act mandate that it submit a risk assessment report on commercial trucking security TSA was planning to use threat scenarios with likelihood assessments for highway and motor carriers. TSA has also cosponsored a large number of vulnerability assessments through a pilot initiative in the state of Missouri. However, TSA has made limited progress and has not established a plan or time frame for conducting a vulnerability assessment of the commercial vehicle sector nationwide. Moreover, TSA has not determined how it will address the June 2006 recommendations of the Missouri Pilot Program evaluation report regarding the ways in which future vulnerability assessments can be strengthened. As a result, the agency cannot ensure that its CSR efforts will fully identify the vulnerabilities of the sector. Standards for internal controls in the federal government require that findings and deficiencies reported in audits and other reviews be promptly reviewed, resolved, and corrected within established time frames. [Footnote 35] In addition, TSA has not conducted assessments of consequences of a terrorist attack on the commercial vehicle sector, or developed a plan to conduct sectorwide consequence assessments. The TSSP calls for a sectorwide approach and strategies to managing security risks, and TSA has identified one of its strategic goals as conducting an inventory of the security status of the nation's highway and motor carrier systems. In addition, standard practices in program and project management call for developing a road map, or a program plan, to achieve programmatic results within a specified time frame or milestones. TSA has not completed a sectorwide risk assessment of the commercial vehicle sector or determined the extent to which additional risk assessment efforts are needed, nor has it developed a plan or a time frame for doing so, including an assessment of the resources required to support these efforts. In addition, TSA has not fully used available information from its ongoing risk assessments to develop and implement its security strategy. As a result, TSA cannot be assured that its approach for securing the commercial vehicle sector is aligned with the highest priority security needs. Moreover, TSA has not completed a report as required by the 9/11 Commission Act on various aspects of commercial vehicle security. TSA Developed Threat Assessments of the Commercial Vehicle Sector, but Generally Did Not Identify the Likelihood of Specific Threats as Required by the NIPP: TSA has and continues to conduct threat assessments of the commercial vehicle sector by reviewing known terrorist goals and capabilities, and is in the process of strengthening its efforts by developing more specific threat likelihood information to inform agency risk assessment efforts. TSA's Office of Intelligence (OI) develops a variety of products identifying the threats from terrorism, from annual threat assessments on each transportation sector to weekly field intelligence summaries and daily briefings. OI also disseminates additional threat and suspicious incident information to key federal and nonfederal stakeholders as needed related to the commercial vehicle sector. To date, these threat assessments have found an increase in truck and bus terrorist incidents abroad and that VBIEDs were the most likely tactic. TSA OI officials stated that they continue to regard common VBIEDs as a greater threat than attacks using hazardous materials such as chlorine. OI further reported that the July 2005 bus bombing in London demonstrated the capability and intent of terrorists to bomb passenger buses in Western nations. While TSA's threat assessments provide detailed summaries of recent attacks and incidents of interest, and are useful to TSA in informing its strategy for securing commercial vehicles, they do not include information on the likelihood of various types of threats. The NIPP requires that in the context of terrorist risk assessments, the threat component of the analysis be calculated based on the estimated likelihood of a terrorist attack method on a particular asset, system, or network.[Footnote 36] The estimate of this likelihood is to be based on an analysis of intent and capability of a defined adversary, such as a terrorist group. However, TSA has not included likelihood estimates in its annual threat assessments for the highway and motor carrier sector.[Footnote 37] In 2006, TSA developed rankings of the likelihood of various tactics--such as attacks using VBIEDs, VBIED-assisted hazardous materials, and other threats--for highway and commercial vehicles. However, TSA subsequently excluded these likelihood assessments in its 2008 annual threat assessment for the highway sector and did not provide us with the rationale for this decision. OI told us that it developed likelihood estimates for specific threat scenarios used in the draft National Transportation Sector Risk Assessment (NTSRA). NTSRA is being conducted by TSA to assess risks across the entire U.S. transportation system and contains nine high-level scenarios and threat likelihood estimates related to commercial vehicles. Of these high-level scenarios, eight involve VBIEDs, and one involves hazardous materials. OI rated the intent and capability of terrorists to perform each threat scenario to provide their estimate of the relative likelihood of each scenario. However, TSA officials could not identify when the NTSRA will be finalized.[Footnote 38] In addition, in June 2008, OI reported that it would provide likelihood assessments for threat scenarios that were to be conducted in response to a mandate in the 9/11 Commission Act that DHS submit a risk assessment report on the commercial trucking sector. While more extensive threat scenarios are being developed for the commercial vehicle sector, including likelihood estimates, TSA's annual threat assessments do not include information on the likelihood of threat. HMC officials stated that this lack of specific threat information continues to challenge agency risk managers. Without more information on the likelihood of the various threats, there is limited assurance that TSA is focusing its efforts on the activities that pose the greatest threat. Officials stated that they may incorporate likelihood estimates in the annual highway and motor carrier threat assessments in the future, but did not have specific plans to do so. TSA Has Begun to Conduct Industry Vulnerability Assessments of the Commercial Vehicle Sector, but Its Efforts Are in the Early Stages: TSA has begun conducting vulnerability assessments of the commercial vehicle sector, but its efforts are in the early stages. In addition, the agency has not determined the extent to which additional vulnerability assessments are needed, and does not have a strategy or time frame for assessing sectorwide vulnerabilities. HSPD-7 requires each Sector-Specific Agency to conduct or facilitate vulnerability assessments of its sector. In addition, the NIPP states that DHS is responsible for ensuring that comprehensive vulnerability assessments are performed for critical infrastructure and key resources that are deemed nationally critical, and the TSSP further emphasizes a sectorwide system-based approach to risk management. To determine the vulnerability of commercial vehicles as targets or as weapons to attack critical infrastructure in the United States, TSA has begun conducting vulnerability assessments known as Corporate Security Reviews (CSRs). TSA initiated the CSR program in November 2005 to: (1) develop best practices for securing the commercial vehicle industry through discussions with carrier representatives and site visits to carrier facilities; (2) collect and maintain data that will allow TSA HMC to assess various aspects of security across the trucking and motor coach industries through statistical analysis of survey data; (3) identify security gaps and opportunities for improvement; (4) promote security awareness and collaboration with the commercial vehicle industry; (5) provide guidance to motor carriers on their relative level of risk exposure; and (6) determine the costs and benefits of risk mitigation activities. As of September 2008, TSA had conducted 100 CSRs of motor carriers, including 15 motor coach companies, 20 school bus companies/districts, and 65 trucking companies.[Footnote 39] These CSRs were of large firms that were identified by industry stakeholders as having the best security practices in the industry and that agreed to participate in the CSRs on a voluntary basis. TSA conducts these reviews by sending teams of two to four people from TSA headquarters to a trucking or bus company, for one or two days, to analyze the company security plan and mitigation procedures, and make informal recommendations to strengthen security based on a draft of best security practices TSA developed. At the conclusion of the CSRs, TSA prepares summary reports of its findings and informal recommendations. TSA also developed a draft best security practices in February 2006 for trucking firms based on the results of early CSRs, as well as on TSA staff expertise, industry stakeholder input, and best security practices from other transportation sectors such as rail and pipeline, according to officials. [Footnote 40] These draft best practices include measures companies can take to conduct threat, vulnerability, and consequence assessments. They also provide guidance on developing a security plan and strengthening personnel security, training, hazardous materials storage, physical security countermeasures, cyber security, and emergency response exercises. However, according to TSA officials, the agency has delayed issuing these draft best practices in final form until it can complete and incorporate public and industry comments on draft security guidance specifically for carriers of hazardous materials.[Footnote 41] The 9/11 Commission Act requires that DHS, by August 2008, submit a report to Congress that includes, among other things, an assessment of trucking industry best practices to enhance security. TSA reported that as of September 2008, it had not finalized these best practices, but they hoped to complete a template within 4 months. Officials stated that they plan to develop a flexible list of best practices that firms can adapt based on their line of work, size, and circumstances. TSA began a second CSR effort in April 2006 through a pilot project with the state of Missouri which greatly expanded the number of firms reviewed, and extended the reviews to smaller, more diverse firms. Objectives of the pilot were to promote security awareness, collect information on the security status of participating firms, and promote public and private collaboration among federal, state, and private sector stakeholders. TSA partnered with the State of Missouri, FMCSA's Motor Carrier Safety Assistance Program, and the Commercial Vehicle Safety Alliance (CVSA) to train Missouri state safety inspectors to conduct these CSRs.[Footnote 42] DOT funded the CSRs and assisted Missouri in the selection of firms to be reviewed and interviewed. The CSRs performed by TSA headquarters staff were of large companies known to have more robust security measures in place, while the Missouri CSRs were generally conducted on small firms that are most common in the industry. Reviewing the security practices of these small firms can require inspectors to travel to remote locations all over the state. For example, one Missouri CSR we attended assessed a small landscaping company with 12 trucks, while another CSR assessed an owner-operator with a single truck in front of his house (fig. 4). Although these reviews remained voluntary, they were conducted in conjunction with mandatory safety reviews that Missouri inspectors routinely conduct on commercial vehicle trucking and motor coach firms. Motor carriers were selected for Missouri CSRs based on either their safety records as evaluated by FMCSA, or because they were newly registered firms.[Footnote 43] TSA officials stated that partnering with the state's safety inspections enabled TSA to review a more diverse group of firms than it did during the original CSRs. Typically, the Missouri pilot CSRs involved site visits with structured interviews using a questionnaire based on TSA's draft best security practices, and generally lasted less than an hour compared to one or two days as was the case with the original CSRs. The Missouri CSR pilot concluded in February 2007; however, TSA has continued to partner with Missouri and FMCSA to implement a permanent CSR program in the state. TSA told us that as of September 2008, 3,420 CSRs had been completed in Missouri. Figure 4: Missouri CSR of a One Truck Owner-Operator: Photograph. [Refer to PDF for image] Source: GAO. [End of figure] In September 2006, TSA awarded a contract to evaluate the extent to which the Missouri CSR pilot program met its objectives, and whether the firms reviewed had implemented effective security measures. The report reviewed the 1,251 CSRs conducted by Missouri inspectors from April 2006 through February 2007, including 1,231 trucking companies (98.4 percent), 18 motor coach companies (1.4 percent), and 2 school bus operators (0.2 percent). The evaluation reviewed each firm's responses to the CSR questionnaire and assigned it an overall security score based on the security measures the firm reported having in place that were consistent with TSA's draft best security practices. The contractor reported on the results of the study in June 2007 and concluded among other things, that: * the interviewed carriers did not have extensive security procedures in place; * small carriers and owner operators had implemented fewer security measures than larger carriers; and: * hazardous materials carriers identified by the contractor had implemented most of the security measures on the TSA CSR questionnaire. The evaluation report also found that while both motor coaches and nonpassenger motor carriers had low scores, motor coaches scored somewhat higher than nonpassenger motor carriers. The report concluded that the program had achieved its objectives of promoting security awareness, collecting information on the security status of participating commercial vehicle firms, and promoting public and private sector collaboration among federal, state, and private sector stakeholders. However, the report also concluded that the Missouri sample was not representative of the commercial vehicle industry in Missouri or of the industry nationwide. The report further concluded that since the CSRs were based on best practices developed for much larger firms, the CSR data did not completely reflect overall security practices and capabilities for small carriers. Missouri officials we interviewed concurred that the CSR sample was not representative of Missouri firms since the majority of carriers that do not encounter safety problems would not be included in their CSR reviews. The evaluation report of the Missouri CSR pilot made a number of recommendations to TSA to expand and improve the CSR program. These recommendations included that TSA: * review and address CSR pilot program deficiencies; * develop a set of best practices and baseline security standards that is risk-based and appropriate for different sizes and types of firms; * improve the CSR questionnaire to make it more effective in capturing security practices and vulnerabilities of both small and large carriers; * develop a deployment strategy to expand the Missouri pilot program to other carriers and other states; * develop a statistically sound methodology for selecting companies for CSRs as it evaluates the commercial vehicle industry nationwide by conducting a random sample of motor carriers;[Footnote 44] * work with FMCSA to leverage each other's resources and possibly merge security inspection programs; and: * develop a CSR Web portal to provide a more tailored CSR questionnaire to address different industry sector security needs. Two years after these recommendations were made, TSA has taken limited steps to implement them, although officials stated that they were continuing to review the recommendations. As a result, the agency cannot ensure that its CSR efforts will fully identify sector vulnerabilities. Standards for internal controls in the federal government require that findings and deficiencies reported in audits and other reviews be promptly reviewed, resolved, and corrected within established time frames.[Footnote 45] The Missouri evaluation report's recommendation that TSA develop a statistically sound methodology for selecting companies to review was consistent with TSA's original goal that CSRs collect data that enable statistical analysis. In September 2008, TSA officials stated that they had worked out agreements with Michigan and Colorado to begin conducting CSRs in these states, beginning with training officers in October 2008. However, TSA did not have a plan in place or time frame for assessing industry-wide vulnerabilities. The lead official for risk assessment with TSA HMC stated that the agency would like to conduct a vulnerability assessment of a valid nationwide sample of the commercial vehicle industry, but that it lacked the resources to do so. TSA officials further stated that to further expand its CSR efforts, it has initiated a program to train Federal Security Director [Footnote 46] personnel (FSDs) at 3 airports to conduct CSRs on commercial vehicles in the airports' surrounding areas. Officials told us that FSDs had completed 5 CSRs during fiscal year 2008. Without completing industry vulnerability assessments as required by HSPD-7 and the NIPP, TSA cannot complete an overall assessment of the industry security risks. For example, instead of assessing the vulnerabilities of the entire commercial vehicle sector, at the direction of TSA management, TSA HMC is currently focusing all of their CSR efforts on the hazardous materials transportation sector.[Footnote 47] However, TSA's pilot study on Missouri firms found that hazardous materials transportation companies reviewed by the contractor performed much better than other companies in terms of implementing security measures to mitigate potential vulnerabilities. TSA Has Not Begun to Conduct Consequence Assessments of the Commercial Vehicle Sector: TSA has collected some relevant information necessary for estimating the impact of potential attacks involving the commercial vehicle sector, but has not conducted consequence assessments of potential terrorist attacks or leveraged the consequence assessment efforts of others. The DHS NIPP defines consequence assessment as the worst reasonable adverse impact of a successful terrorist attack. According to the NIPP, risk assessments should include consequence assessments to measure the negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack. The TSA's TSSP also requires that risk analysis include a consideration of consequences. Terrorism involving commercial vehicles can affect a broad range of targets, including not only trucks and buses, but also freight and passengers, terminals, truck stops, and rest areas. In addition to the commercial vehicle system being attacked, commercial vehicles can be used to attack other assets. When used as VBIEDs with explosives or fuel, for example, commercial vehicles can be used to target highway, buildings, and other critical infrastructure. A powerful truck bomb can destroy from a considerable distance. For example, Khobar Towers was attacked from 80 feet away (fig. 5). Figure 5: Khobar Towers, Saudi Arabia, June 1996: Photograph. [Refer to PDF for image] Source: Air Force News. [End of figure] Truck VBIED attacks can also target large numbers of people, as was the case with the coordinated attack of several truck bombs in Northern Iraq on August 14, 2007, that killed approximately 500 people, or to assassinate individuals such the former Lebanese Prime Minister Rafik Hariri. Worldwide, buses have been the target of bombings---some involving suicide bombers---on numerous occasions, such as the attack on former Prime Minister Benazir Bhutto at a mass rally in Pakistan. TSA officials stated that they cannot conduct consequence assessments of the commercial vehicle sector because truck bombs can be used to attack most of the nation's critical infrastructure. Accordingly, officials stated that the number of potential consequences of terrorist attacks is too great to practically assess. Although TSA has not conducted consequence assessments of the commercial vehicle sector, the agency has acquired data from the Bureau of Alcohol, Tobacco and Firearms (ATF) and the U.S. Army on evacuation distances for various- sized shipments of explosives and flammable substances, and PHMSA's Emergency Response Guidebook for first responders to hazardous materials incidents that could be applied to future consequence assessments.[Footnote 48] TSA officials acknowledged that obtaining data on evacuation distances is only a first step in conducting consequence assessments. Evacuation distance provides one measure of the potential consequences of a terrorist attack by defining the danger zone surrounding an attack by a particular type and size of explosive or flammable materials. For example, according to U.S. Army data, the building evacuation distance for such a worst case scenario truck bomb would be a minimum of 1,570 feet, and the minimum outdoor evacuation of people would be 7000 feet. Using another example, a fireball from a fuel truck can threaten both structures and people; accordingly, ATF guidance suggests a minimum evacuation distance of 6,500 feet. In comparison, a tank truck of anhydrous ammonia, which represents 81 percent of Toxic Inhalation Hazard (TIH) shipments, has a smaller recommended standoff distance of 2,112 feet, and the recommended standoff distance for chlorine, which is the next most common form of Toxic Inhalation Hazard, is 3,168 feet. However, other guidance, such as the PHMSA's Emergency Response Guidebook, provides different data based on initial isolation distances and much larger maximum nighttime protective action distances. TSA reported that it is working with various federal partners and industry stakeholders to establish a uniform and scientific assessment of potential consequences of VBIEDs and the discharge of TIH materials. Although TSA has not conducted consequence assessments of the commercial vehicle sector, OI officials stated that, in their judgment, the likely consequences of common VBIED attacks were greater than VBIED attacks using TIH materials because attempts to date to use VBIEDs to vaporize chlorine into a gaseous inhalation hazard have been largely unsuccessful, have caused little damage, and resulted in few casualties. On the other hand, according to officials, VBIEDs using a number of different explosives and incendiary materials have repeatedly been successfully used to kill people. TSA officials stated that the agency also has not leveraged DHS's ongoing nationwide risk assessment efforts to obtain consequence information. For example, recognizing that each sector of our country's critical infrastructure possesses its own unique characteristics, operating models, and risk landscape, pursuant to HSPD-7, the NIPP designates 18 critical infrastructure sectors and the agencies responsible for each of the sectors to work with DHS to implement a risk management framework for the sector and develop protective programs. Each of the 18 sectors has issued Sector Annual Reports (SARs) of their risk management activities, including consequence assessments, which HMC could draw upon to support the assessment of VBIED and hazardous materials consequences for other critical infrastructure sectors. For example, the 2007 sector annual reports identified the following for select sectors: Commercial Nuclear Power Sector: The Department of Energy employs a Comprehensive Review Program to analyze facilities that it considers potential terrorist targets. The Nuclear Sector Annual Report indicated that as of May 2007, reviews had been completed of the vulnerabilities and potential consequences of an attack on 52 of 65 commercial nuclear reactors. Dams Sector: The 2007 Dams Sector Annual Report identified that all security measures were in place at 152 of 254 Army Corps of Engineers dams, and the Federal Energy Regulatory Commission reported having completed risk assessments on its 1,200 most security-sensitive dams. The report also called for improved blast-damage estimates for VBIEDs on certain dams and levees that are potential targets for terrorist attacks. The Chemical Sector: The 2007 Chemical Sector Annual Report, which was based in part on industry risk assessments, identified that VBIEDs are a particular concern because of their portability, size, and potential to cause grave damage. In addition, DHS's 2007 Strategic Homeland Infrastructure Risk Assessment (SHIRA) assessed the highest risk scenarios targeting the nation's 18 critical infrastructure/key resources sectors, and highlighted attack methods with cross-sector implications. The SHIRA used threat assessments from the intelligence community and vulnerability and consequence assessments from the SSAs to identify the attack methods that pose the highest risk to the respective sectors. TSA HMC could use the SHIRA data to identify which sectors are most at risk from VBIEDs and hazardous materials and then coordinate with those SSAs on their vulnerability and consequence assessment efforts. TSA HMC could also use a variety of other relevant assessments to obtain consequence information. These include the agency's Aviation Domain Risk Assessment which also considers consequences for a wide range of attack scenarios including VBIEDs, the Department of Energy's risk assessments of nuclear weapons facilities, and the Nuclear Regulatory Commission's assessments of commercial nuclear power plants. Similar information is also available from the Federal Risk Assessment Working Group, a federal risk assessment information clearinghouse that shares information about completed and ongoing risk assessments through regular meetings and a Web portal. TSA did not comment on why it has not developed a plan for completing consequence assessments, or why it was not leveraging the analysis of potential consequences included in these risk assessments. An Incomplete Risk Assessment Impedes TSA's Ability to Identify Effective Risk Reduction Efforts: As discussed earlier in this report, TSA has identified one of its strategic goals as taking an inventory of the security status of the nation's highway and motor carrier systems, but it has not developed a plan or a time frame for completing a risk assessment of the commercial vehicle sector. Based on general guidance in the NIPP, the TSSP states that TSA's plan for risk assessment should use a combination of both expert and field-level risk assessment techniques to guide its risk management efforts. Expert risk assessments are based on national risk priorities and strategic risk objectives, scenario analyses and the expert judgment of agency officials, national assessments, and annual threat assessments. Field-level risk assessments include state and local assessments, and field inspections such as TSA's CSRs and DOT Security Contact Reviews (SCRs).[Footnote 49] Expert assessments and field assessments have the same goal of identifying where the greatest risk mitigation measures are needed. As previously discussed, TSA is conducting nine high-level scenarios related to commercial vehicles, and has contracted to have more threat scenarios conducted to assess commercial trucking security risks in response to a mandate in the 9/11 Commission Act.[Footnote 50] While these expert assessments, if implemented effectively, should give TSA insights into the security risks of the industry, they will likely provide limited information on what sectors or companies are most at risk and what mitigation practices are currently in place, unless they are further supported by field-level risk assessments consistent with the TSSP.[Footnote 51] As stated previously, TSA is in the early stages of conducting CSRs and the majority of CSRs have to date been conducted in a single state, Missouri. Although TSA is working to expand both its threat scenarios and CSRs, progress to date has been limited. TSA also has not reported on the scope and method of risk assessments required for the commercial vehicle sector. Specifically, it has not reported what mix of expert and field-level risk assessments it intends to use and how it plans to integrate the two. Standard practices in program and project management include developing a road map, or a program plan, to achieve programmatic results within a specified time frame or milestones.[Footnote 52] TSA officials recognize that the agency needs more complete and accurate risk assessment information to inform its security strategy. However, TSA has not developed a plan or a time frame for completing a risk assessment of the commercial vehicle sector, including the level of resources required to complete the assessment and the appropriate scope of the assessment including determining the combination of threat scenarios and field-level vulnerability assessments it intends to use. The NIPP requires that it and the TSSP be reviewed and undergo periodic interim updates as required, and reviewed and reissued every 3 years or more frequently as needed and directed by the Secretary of Homeland Security. Accordingly, the TSSP states that it will undergo periodic updates and eventually align with the NIPP triennial update cycle. The Highway Infrastructure and Motor Carrier Modal Annex also states that the Government Coordination Council (GCC) and SCC are to submit revisions to the annex on an annual basis, and the GCC and SCC are to conduct a complete revision of the annex every 3 years. HMC began its revision process by updating the TSSP Highway Infrastructure and Motorcarrier Annex in 2008 to allow time for the revised strategy to be reviewed by the GCC, SCC, and various working groups and will submit it for review by the third quarter of 2009. The quality of this and future revisions of the annex will depend in large measure on the progress of risk assessments of the commercial vehicle sector and their utilization by TSA managers to inform their risk mitigation efforts. HMC officials stated that without complete risk assessments, they were directed by TSA and DHS leadership to base their strategy for securing the commercial vehicle sector on an examination of the security risks posed by the shipment of hazardous materials. However, agency officials could not identify why TSA and DHS leadership made this distinction, and the rationale for this directive is unclear. HMC officials also cited several additional reasons for focusing their security efforts on commercial vehicles transporting hazardous materials, including the professional judgment of its staff in the motor carrier industry; risk assessments TSA conducted for other transportation sectors, particularly rail; and legislative requirements, in particular the USA PATRIOT Act. However, the applicability of rail risk assessments to highways is unclear because VBIEDs trucks can directly access and attack most buildings in the United States, whereas rail cannot. Rail shipments also typically ship freight, including Toxic Inhalation Hazards, in far larger quantities than can be carried on a truck. Regarding congressional direction, the USA PATRIOT Act required TSA to perform a background check for all applicants for an endorsement of their commercial driver's licenses to allow them to carry hazardous materials, but did not direct TSA to focus its commercial vehicle security efforts on hazardous materials. Moreover, available risk assessment information suggests alternatives or additions to the agency's current focus on commercial vehicle transport of hazardous materials. TSA OI officials have consistently reported that VBIEDs are a greater threat to the United States than hazardous materials, including Toxic Inhalation Hazards. In addition, the evaluation of the Missouri CSR found that truck companies that transport hazardous materials stood out from other truck companies as having implemented most of TSA's security procedures, and concluded that hazardous materials transporting companies were leaders related to the commercial vehicle sector. In addition, in October 2007 DHS Secretary Chertoff stated that IEDs remained a terrorist weapon of choice since they were easy to make, difficult to defend against, and could cause untold destruction. TSA OI officials stated that they continue to regard common VBIEDs as a greater threat than attacks using hazardous materials such as chlorine. Evacuation data also suggest that VBIEDs can have potentially broader impact than trucks carrying many forms of Toxic Inhalation Hazards. Without an existing strategy that is based on available risk assessment information, TSA cannot be assured that its current approach, which is focused on hazardous materials, is aligned with the highest priority security needs of the commercial vehicle sector. Government and Industry Have Taken Actions to Strengthen the Security of Commercial Vehicles, but TSA Has Not Completely Assessed the Effectiveness of Its Actions: Key government and industry stakeholders have taken actions to strengthen the security of the commercial vehicles sector, but TSA has not assessed the effectiveness of its actions. At the federal level, DHS and DOT have implemented a number of programs designed to strengthen commercial vehicle security, particularly programs for the protection of hazardous materials. States, individually and collectively, through their state transportation and law enforcement associations, have also worked to strengthen the security of commercial vehicles. In addition, most of the private truck and motor coach industry associations we contacted stated that they were assisting their members in strengthening security by providing those members with guidance on best practices. TSA also contracted for an evaluation of the Missouri pilot CSRs that found the industry security practices were not extensive, but noted that the sample of firms in the pilot was not representative of the entire industry. Our site visits to 26 commercial truck and bus companies found that most had implemented basic security measures, including some form of personnel security and background checks, terminal security, locks and access controls, trailer seals, and communications and tracking equipment. TSA has begun developing output-based performance measures to gauge progress on achieving milestones and other program activities for its security programs, but the agency has not developed measures and data to monitor outcomes, that is, the extent to which these programs have mitigated security risks and strengthened commercial vehicle security. The TSSP identifies that performance measures of strategic goals and objectives should be outcome-based, but notes that interim output measures may be used during the early years of the program when baseline data on the program's performance are being acquired. Without more complete performance measures, TSA will be limited in assessing the effectiveness of federal commercial vehicle security programs. TSA officials agreed that opportunities exist to develop outcome-based performance measures for its commercial vehicle security programs, and stated that they would like to do so in the future. The Federal Government, States, and Private Industry Have Taken Action to Enhance the Security of Commercial Vehicles: A variety of federal programs have been implemented to enhance the security of the commercial vehicle sector. Several of these programs have been implemented by TSA and other DHS components, others by DOT, and several jointly by DHS and DOT. Overall, these programs are designed to assess commercial vehicle industry security risks, develop guidance on how to prevent and deter attacks, improve security planning for an effective response to a potential terrorist attack, enhance cost- effective risk mitigation efforts, and support research on commercial vehicle security technology. States, both individually and as members of transportation alliances with other states, have expanded their activities to secure the commercial vehicle sector as a part of broader homeland security activities. In addition, many commercial vehicle companies receive guidance on security awareness and best practices from industry associations. According to TSA's pilot study of CSRs in Missouri, except for firms transporting hazardous materials, most commercial vehicle companies have implemented a limited number of security measures. DHS and DOT Security Programs: In addition to CSRs, TSA and other DHS components have a number of programs underway designed to strengthen the security of commercial vehicles: the Truck Security Grant Program (TSP), the Intercity Bus Security Grant Program, Security Action Items (SAIs), and Hazardous Materials Driver Background Check Program. The TSP provides grants that fund programs to train and support drivers, commercial vehicle firms, and other members of the commercial vehicle industry in how to detect and report security threats, and how to avoid becoming a target of terrorist activity. TSP is administered by DHS's Federal Emergency Management Agency's Grant Programs Directorate. From fiscal years 2004 through 2008, the principal activity funded by the TSP was the American Trucking Associations' Highway Watch Program, which provided drivers with security awareness training and support. In May 2008, however, a new grantee was selected.[Footnote 53] DHS also established an Intercity Bus Security Grant Program to distribute grant money to eligible stakeholders for protecting intercity bus systems and the traveling public from terrorism. Current priorities focus on enhanced planning, passenger and baggage screening programs, facility security enhancements, vehicle and driver protection, and training and exercises. In addition, TSA is consulting with industry stakeholders and PHMSA to develop SAIs, or voluntary security practices and standards, intended to improve security for trucks carrying security- sensitive hazardous materials. The SAIs are intended to allow TSA to communicate the key elements of effective transportation security to the industry as voluntary practices, and TSA will use CSRs to gauge whether voluntary practices are sufficient or if regulation is needed. TSA released its voluntary SAIs for hazardous materials carriers in June 2008. For example, it recommended using team drivers for shipments of the most security sensitive explosives, toxic inhalation hazards, poisons, and radioactive materials. [Footnote 54] The USA PATRIOT Act passed in October 2001 prohibited states from issuing Hazardous Materials Endorsements (HME) for a commercial driver's license to anyone not successfully completing a background check. In response, DHS developed rules regarding how the background checks will be conducted and implemented a hazardous materials driver background check assessment program to determine whether a driver poses a security risk.[Footnote 55] We have previously reported on the problem of drivers who have job-hopped to circumvent the drug testing results associated with background checks, including hazardous materials drivers.[Footnote 56] As of October 2008, TSA had completed background checks for 990,961 out of approximately 2.7 million hazardous materials drivers, and 8,699 applicants have been denied HMEs since the beginning of the program. In addition to DHS, at the federal level, DOT has several commercial vehicle security programs underway: Security Contact Reviews (SCR), Security Sensitivity Visits (SSV), and the Hazardous Materials Safety Permit Program. FMCSA conducts SCRs, or compliance reviews, of commercial vehicle firms carrying hazardous materials.[Footnote 57] PHMSA regulations require shippers and carriers of certain hazardous materials to develop and implement security plans. [Footnote 58] At a minimum, these plans must address personnel, access, and enroute security. FMCSA SCRs review company security plans as part of ongoing safety inspections. FMCSA also conducts SSVs, or educational security discussions, with carriers of small amounts of hazardous materials that do not require posting hazardous materials placards on their trucks. As of September 2008, FMCSA had conducted 7,802 SCRs and 13,411 SSVs since the inception of the programs. Federal law also directed DOT to implement the Hazardous Materials Safety Permit Program to produce a safe and secure environment to transport certain types of hazardous materials.[Footnote 59] The Hazardous Materials Safety Permit Program requires certain motor carriers to maintain a security program and establish a system of enroute communication. In addition to CSRs, TSA and DOT also work collaboratively on several projects involving the security of commercial vehicles, including FMCSA and TSA research and development efforts for commercial vehicle security technologies. Both FMCSA and TSA have also completed pilot studies of tracking systems for commercial trucks carrying hazardous materials. For example, FMCSA completed a study of existing technologies in December 2004 evaluating wireless communications systems, including global positioning satellite tracking and other technologies that allow companies to monitor the location of their trucks and buses. TSA is testing tracking and identification systems, theft detection and alert systems, motor vehicle disabling systems, and systems to prevent unauthorized operation of trucks and unauthorized access to their cargos. The 9/11 Commission Act requires that DHS provide a report to Congress by August 2008, that includes, among other things, assessments of (1) the economic impact that security upgrades of trucks, truck equipment, or truck facilities may have on the trucking industry, including independent owner-operators; (2) ongoing research by public and private entities and the need for additional research on truck security; and (3) the current status of secure truck parking.[Footnote 60] TSA officials stated that they are working on developing this report but have not completed it. The 9/11 Commission Act also required that DHS develop a tracking program for motor carrier shipments of hazardous materials by February 2008.[Footnote 61] TSA officials reported that they worked with DOT and implemented a program to facilitate truck tracking in January 2008. However, TSA stated that while the 9/11 Commission Act mandated the tracking program and authorized $21 million over 3 years for its activities, it was never implemented because no funds were appropriated for the program. The 9/11 Commission Act also had a number of mandates regarding the security of over-the-road buses, including that DHS issue regulations by February 2008 requiring all over-the-road bus operators to develop and implement security training programs for frontline employees, and that DHS establish a security exercise program for over-the-road bus transportation.[Footnote 62] The 9/11 Commission Act further requires that DHS issue regulations by February 2009 requiring high-risk over- the-road bus operators to conduct vulnerability assessments and develop and implement security plans.[Footnote 63] TSA officials stated that they were preparing a Notice of Proposed Rulemaking that, if finalized, would require high-risk, over-the-road bus operators to conduct vulnerability assessments, and develop security plans and training plans.[Footnote 64] State Actions: States are responsible for securing highway infrastructure, including highways, bridges, and tunnels, and for ensuring the security and safety of these roadways. State officials work on security issues within their individual states and with other states through several national associations. State transportation officials--through the American Association of State Highway and Transportation Officials (AASHTO)--and state law enforcement officials--through the Commercial Vehicle Safety Alliance (CVSA)--have worked collectively to strengthen the security of commercial vehicles and highway infrastructure through various expert committees and the implementation of joint initiatives with TSA and DOT. AASHTO formed a Special Committee on Transportation Security that has sponsored highway and commercial vehicle security research at the National Academies of Science. AASHTO also conducts surveys of state DOT security efforts, priorities, and identified needs. AASHTO's August 2007 survey found that many state departments of transportation still needed basic training on integrating homeland security considerations in the planning process; detecting, deterring, and mitigating homeland security threats; and assessing transportation network homeland security vulnerabilities and risks. CVSA's state law enforcement members have also organized committees on Transportation Security, Information Systems, Intelligent Transportation Systems, Hazardous Materials, Passenger Carrier, and Training to pool and provide expertise to promote best practices, new programs, and the consistent application of regulations. For example, the purpose of the CVSA's Transportation Security Committee is to enhance homeland security by providing a forum to identify, develop, implement, and evaluate education, enforcement, and information-sharing strategies for enhancing commercial motor vehicle security. CVSA's Program Initiatives committee originated the idea of conducting a CSR pilot in Missouri.[Footnote 65] We interviewed transportation, law enforcement, and homeland security officials responsible for commercial vehicle security from eight states to determine the nature and extent of their security efforts. These officials stated that they generally focused on law enforcement, protection of highway infrastructure, conducting inspections of commercial vehicles, and monitoring threats of all kinds.[Footnote 66] Officials in each state stated that they understood the major transportation security risks in their state. For example, officials from one state that has numerous chemical plants expressed particular concern about the shipment of these chemicals, while officials from another state with extensive military bases expressed concern about shipments of nuclear weapons and waste. Officials from yet another state with numerous explosives plants were more concerned about the transportation of explosives. State and local authorities have also created 58 fusion centers around the country to blend relevant law enforcement and intelligence information analysis and coordinate federal, state, and local security measures in order to reduce threats in local communities. DHS analysts work with state and local authorities at fusion centers to facilitate the two-way flow of information on all types of hazards. DHS has provided staff and more than $254 million to state and local governments to support these centers and facilitate the two-way flow of information between DHS and the states.[Footnote 67] Although states have a number of security efforts involving the commercial vehicle sector, none of the state officials whom we interviewed (with the exception of those from Missouri) reported conducting formal vulnerability assessments of the commercial vehicle sector in their states. Private Sector Security Actions: Industry associations we interviewed were actively assisting their members in strengthening the security of the commercial vehicle sector. We met with 12 of the industry associations representing the commercial vehicle industry, including trucking, motor coaches, shipping, and unions, 9 of which were members of TSA's SCC. TSA relies on the SCC and its industry association members to facilitate communications between the agency and the commercial vehicle industry, and to assist in the development of sector strategies, plans, and policies. Eight of these industry associations reported that they regularly provided federal officials with their industry's perspective on proposed regulations and legislation. Additionally, 8 of the 12 associations reported that they were proactively providing security guidance to their members, which included guidance on security best practices, security awareness, and security self-assessments. In addition, about a third of the associations we reviewed reported providing training, security bulletins, and 24-hour hotlines for their members. TSA supports several of these industry initiatives, including working with trade associations to develop and distribute security brochures for their members. As discussed earlier in this report, the Missouri CSR Pilot evaluation showed that firms carrying hazardous materials were complying with regulations and implementing more security measures to mitigate their risks than other commercial vehicle firms.[Footnote 68] In contrast, the study further found that truck companies not transporting hazardous materials were implementing few of TSA's best security practices. During our site visits to 20 truck and 6 bus companies, ranging in size from the nation's largest commercial vehicle company with 27,453 trucks to an owner-operator with a single truck, we found that most had some form of personnel security procedures and background checks in place, as well as terminal security, communications systems, and truck tracking systems. Overall, the types of security practices among the commercial trucking companies we visited were similar, but the prevalence and sophistication of these practices varied. The range of security practices that companies were using included requiring drivers to lock doors and inspect cargo; cargo seals; driver background checks; vehicle tracking technology; terminal fencing, cameras, and gates; access controls, such as employee identification badges, sign-in and sign-out sheets, or electronic key cards; en route security measures; and driver training. Large corporations and small one-truck owner- operators generally used differently scaled security approaches to the same problem. For example, while a cell phone can suffice for the communications needs of a small operator, a large company may invest in integrated communications and tracking technologies. Conversely, where a large company may have a well-lit, gated terminal monitored by security cameras and guards, a small operator may lock the door of the vehicle and have a watch dog on the premises. In another example, small, independent owner-operator firms may rely solely on emergency responders such as 911 and state patrol hotlines, while larger firms may have dispatchers and in-house security specialists on duty 24 hours a day. TSA Uses Performance Measures to Monitor Its Efforts in Securing Commercial Vehicles, but Lacks Effectiveness Measures for Key Security Programs: TSA has begun developing measures that gauge the completion of its program activities, but could improve its efforts by collecting data that would measure the effectiveness of its programs in strengthening commercial vehicle security. Performance measures are indicators, statistics, or metrics used to gauge program performance.[Footnote 69] Output measures summarize the direct products and services delivered by a program, while outcome measures try to gauge the results of products and services delivered by a program.[Footnote 70] TSA has begun developing and using performance measures to assess the progress of commercial vehicle security programs, but does not have outcome data to monitor how effectively its programs are achieving their intended purpose, as suggested by GPRA. The TSSP also states that performance measures of strategic goals and objectives should be outcome-based, but notes that interim output measures may be used during the early years of the program while baseline data on the program's performance are being acquired. The TSSP also requires that TSA form a Performance Measurement Joint Working Group to recommend the appropriate mix of output and outcome measures for agency programs, outcome monitoring techniques, and standardize measures across transportation sectors. As of August 2008, TSA had formed the transportation sectorwide working group, and according to officials the group was instrumental in developing and reporting on the transportation sector's core, programmatic, and partnership metrics required by the NIPP. However, the joint measurement group for the highway and motor carrier sector had not been formed to develop outcome measures for commercial vehicle security programs. Currently, TSA HMC collects performance data on its own programs, while other commercial vehicle security programs are monitored by other DHS or DOT components. At our suggestion, TSA officials stated they plan to work out an agreement with DOT to receive performance measurement data for DOT security programs, stating that performance data for these programs are important and necessary for an overall view of the impact of federal security programs. TSA officials stated they would request that TSA and DOT share performance measurement data for commercial security programs as the DHS and DOT MOU is updated. The annex to improve coordination and data sharing between TSA and PHMSA was signed in October 2008. Table 2 summarizes the various federal commercial vehicle security programs and the agency responsible for administering the program and measuring its progress. Table 2: Federal Agencies Responsible for Gathering Commercial Vehicle Security Program Performance Measurement Data: Federal program: 1. TSA Corporate Security Reviews (CSRs); Agency performance measurement Data: TSA: X; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: [Empty]. Federal program: 2. DHS Trucking Security Grant Program (TSP); Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: X; Agency performance measurement Data: DOT: [Empty]. Federal program: 3. TSA Security Action Items (SAIs); Agency performance measurement Data: TSA: X; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: [Empty]. Federal program: 4. TSA Hazardous Materials Driver Background Program; Agency performance measurement Data: TSA: X; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: [Empty]. Federal program: 5. DHS Intercity Bus Security Grant Program; Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: X; Agency performance measurement Data: DOT: [Empty]. Federal program: 6. FMCSA Sensitive Security Visits (SSVs); Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: X. Federal program: 7. FMCSA Security Contact Reviews (SCRs); Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: X. Federal program: 8. PHMSA Security Plan Requirements; Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: X. Federal program: 9. FMCSA Hazardous Materials Safety Permit Program; Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: X. Federal program: 10. TSA Missouri CSR Pilot (FMCSA funded); Agency performance measurement Data: TSA: X; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: [Empty]. Federal program: 11. TSA Truck Tracking Security Pilots; Agency performance measurement Data: TSA: X; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: [Empty]. Federal program: 12. DOT and DHS Hazardous Materials Research; Agency performance measurement Data: TSA: [Empty]; Agency performance measurement Data: DHS: [Empty]; Agency performance measurement Data: DOT: X. Source: GAO analysis of DHS and TSA data. [End of table] TSA's HMC established output measures for all five of its commercial vehicle security programs to assist the agency in gauging the performance of these programs. As of September 30, 2008, TSA reported that it had completed: * 100 percent of the target goal of 24 CSRs per year, * 100 percent of the SAI goal of developing voluntary guidelines to reduce risk and enhance the security of high-risk hazardous materials, * 52 percent of hazardous materials driver's license endorsement security threat assessment background checks, and: * 100 percent of the work in developing a pilot Truck Tracking Center. Output-based measures can be useful to TSA for program management purposes, as they can identify whether programs are producing a desired level of output and meeting established milestones. However, they do not measure TSA's success in achieving the ultimate goal of enhancing the security of the commercial vehicle sector. For example, while TSA tracks the number of CSRs completed by its staff or as part of the Missouri CSR program, it has not attempted to measure the effect these programs are having. Missouri officials have suggested that a sample of firms that participated in the CSR program should be revisited to determine the extent to which their security-related practices improved after completing a CSR. Such information could provide TSA with a measure of the effectiveness of its key commercial vehicle security program. In January 2009, TSA stated that it was planning to conduct baseline and follow-on CSRs on hazardous material transporters to measure changes in preparedness. We recognize that TSA faces challenges in developing outcome measures to monitor and evaluate the effectiveness of its security programs that rely on the participation of many public and private entities. In addition, it can be difficult to develop performance measures to gauge the impact of a program in deterring terrorism. Nonetheless, outcome measures of programs designed to mitigate vulnerabilities and consequences are possible. For example, the domain awareness of drivers could be measured both before and after participating in the Trucking Security Grant program. Furthermore, as we have previously reported, a focus on results as envisioned by GPRA means that federal agencies are to look beyond their organizational boundaries and coordinate with other agencies to ensure that their efforts are aligned. The planning processes under GPRA provide a means for agencies to ensure that their goals for crosscutting programs complement those of other agencies; program strategies are mutually reinforcing; and, as appropriate, common or complementary performance measures are used. High-performing organizations use their performance management systems to strengthen accountability for results, specifically by placing greater emphasis on fostering the necessary collaboration both within and across organizational boundaries to achieve results.[Footnote 71] TSA officials agreed that opportunities exist to develop outcome performance measures for the agency's commercial vehicle security programs, and stated that they would like to do so in the future. We previously reported that DHS often lacked the performance information to determine where to target program resources to improve performance, but was taking steps to strengthen their performance measures.[Footnote 72] GAO is currently working with DHS, including TSA, to provide input on the department's performance measurement efforts based on our work at the department. TSA Has Strengthened Efforts to Coordinate with Federal, State, and Industry Stakeholders Regarding the Security of the Commercial Vehicle Sector, but Further Actions Can Enhance Coordination: While TSA has taken actions to improve coordination with federal, state, and industry stakeholders to strengthen commercial vehicle security, more can be done to ensure that these coordination efforts enhance security for the sector. Leading practices for collaborating agencies that we have previously identified offer suggestions for strengthening coordination with other public and private sector stakeholders. These key practices include, for example, defining common outcomes and complementary strategies; agreeing on roles and responsibilities; leveraging stakeholder resources; and developing mechanisms to monitor, evaluate, and report on the results of the collaborative effort.[Footnote 73] DHS and DOT signed an agreement that established broad areas of responsibility regarding the security of the transportation network, as we previously recommended.[Footnote 74] TSA supported the creation of an intergovernmental and industry council to gather feedback and input about security planning, among other efforts. TSA has made limited progress in leveraging FMCSA resources and resolving potentially duplicative security inspections, but in October 2008 signed an agreement to enhance coordination with FMCSA. Although TSA has successfully leveraged resources in the State of Missouri to conduct CSR vulnerability assessments, it has made limited progress in coordinating the expansion of CSRs to other states. Some state and industry officials we interviewed expressed concerns about TSA's coordination and communication with the sector on developing a security strategy, and fully defining roles and responsibilities for the industry. Since many owner operators are hard to contact, some suggested that TSA enhance its Web site to better communicate directly with the industry's many small operators. Moreover, the Missouri CSR pilot evaluation similarly suggested that TSA consider developing a two- way Web portal to allow firms to fill out CSR questionnaires. TSA officials stated that they have taken steps to interact with industry regarding the security of the sector, and have also leveraged industry expertise to strengthen security. However, TSA has not developed a means to monitor the effectiveness of its coordination actions with this very large and diverse sector. Without enhanced coordination, TSA will have difficulty expanding its vulnerability assessments to other states. DHS and DOT Have Entered into Formal Agreements and Taken Other Actions to Enhance Coordination: DHS and DOT have taken actions toward coordinating their efforts to strengthen commercial vehicle security. In September 2004, DHS and DOT signed a MOU that established broad areas of responsibility for each department related to the security of the transportation sector, and specified roles and responsibilities to strengthen their cooperation and coordination. For instance, under the MOU, DOT recognized that DHS has primary responsibility for transportation security while it plays a supporting role, providing technical assistance and supporting DHS in the implementation of its security policies as allowed by DOT statutory authorities. Furthermore, the MOU states that DHS is to establish national transportation security performance goals and, to the extent practicable, appropriate security measures for each transportation sector to achieve an integrated national transportation security system. The MOU responds to our previous work which emphasized the need for greater coordination between DOT and DHS on transportation security efforts and recommended that the two departments establish an MOU to, among other things, delineate the roles, responsibilities, and funding authorities of the each department.[Footnote 75] In August 2006, TSA and PHMSA signed an annex to the DHS and DOT MOU, identifying their respective roles and responsibilities related to research and development, training, outreach, risk assessments, and technical assistance involving hazardous materials transportation security. According to this agreement, the parties commit themselves to seeking consensus on measures to reduce risk and minimize consequences of emergencies, sharing information that may concern the interests of the other party, and coordinating the development of transportation security-related guidelines. The annex further specified that TSA and PHMSA will, among other things: * base security planning on risk, seek consensus concerning measures to reduce risk, and coordinate in the development of standards, regulations, guidelines, and directives; * coordinate on observations and recommended security measures; * explore opportunities for collaboration in inspection and enforcement activities; and: * share information during an emergency. Consistent with this agreement, PHMSA and TSA worked together to develop recommended security measures for hazardous materials carriers. As we have previously identified, an effectively implemented leveraging of stakeholder resources is a key practice for enhancing collaboration.[Footnote 76] According to leading practices for collaborating agencies, such parties bring different levels of resources and capacities to the collective effort; therefore, the parties should identify the types of resources necessary to initiate or sustain their collective effort, as well as assess each party's relative strengths and limitations. In 2003, working with TSA, PHMSA established a set of security plan requirements for hazardous materials carriers that addressed the elements of en route security, unauthorized access, and personnel security. TSA later expanded upon PHMSA's requirements and, in consultation with PHMSA, drafted a set of voluntary security standards, called Security Action Items (SAIs), specifying the level of security suggested for each type of security- sensitive hazardous materials, or hazardous materials transported by motor vehicles whose potential consequences from an act of terrorism may result in detrimental effects to the economy, communities, critical infrastructure, or individuals of the United States. TSA reported that these SAIs were finalized in June 2008 and distributed to stakeholders. TSA further worked with PHMSA to develop guidance on security-sensitive hazardous materials. TSA also established a GCC in April 2006 to monitor and evaluate the results of federal highway and motor carrier security programs, as required by the NIPP. We previously identified the need for collaborating agencies to create a mechanism to monitor and evaluate their efforts and to assist them in identifying areas for improvement. If implemented effectively, reporting on these collaborative activities can help key decision makers obtain feedback for improving both policy and operational effectiveness. The GCC consists of federal agencies and associations representing state and local transportation and law enforcement officials, and motor vehicle administrators with responsibilities directly related to commercial vehicle security. (For a complete list of GCC members, see app. VI). The GCC is intended to coordinate strategies, activities, and communications among its member entities, and establish policies, guidelines, metrics, and performance criteria.[Footnote 77] The highway sector GCC meets approximately once monthly, and both FMCSA and PHMSA officials expressed general satisfaction with the GCC.[Footnote 78] DHS and DOT Can Strengthen Efforts to Leverage Resources and Avoid Duplication of Effort: Although DHS and DOT have established agreements and developed complementary strategies to strengthen security of the commercial vehicles sector, gaps remain that hamper their ability to more effectively coordinate their efforts. Specifically, the two departments have not fully agreed on a strategy to leverage resources and eliminate potential duplication of effort and to share inspection information for monitoring security programs. TSA and FMCSA have shared roles and responsibilities regarding the enhancement of commercial vehicle security, but have different capabilities and resources. TSA HMC has a staff allocation of 19 FTEs. These staff are responsible for all aspects of commercial vehicle and highway infrastructure security including developing best practices, conducting risk assessments, and establishing policy. HMC is also responsible for school bus security. FMCSA has 650 to 700 staff deployed in the field nationwide to conduct inspections, enforce Federal Motor Carrier safety regulations and hazardous materials transportation safety and security regulations, and coordinate with state safety inspectors. Moreover, TSA and FMCSA have similar inspection programs, both of which are currently focused on hazardous materials transportation. As discussed earlier in this report, TSA operates the CSR program designed to review the security efforts and vulnerabilities of all types of commercial vehicle firms, and FMCSA conducts security compliance inspections (SCRs) of hazardous materials carriers.[Footnote 79] The 9/11 Commission Act requires that DOT consult with DHS to limit, to the extent practicable, duplicative reviews of the hazardous materials security plans. [Footnote 80] TSA and FMCSA officials stated that they have discussed how best to leverage FMCSA's ongoing inspections programs and the feasibility of merging the two inspection programs. Officials reported that their interactions to date have focused on how best to take advantage of the similarities between these programs to more efficiently and effectively use agency resources, reduce potentially duplicative efforts, and minimize the burden on the industry. TSA officials stated that one obstacle to merging the two programs is that hazardous materials transportation companies are required to participate in FMCSA's SCRs because they are subject to DOT's hazardous materials regulations, while TSA's CSRs are a voluntary effort. However, both agencies' programs share voluntary and mandatory aspects. For example, along with SCRs, FMCSA also conducts Security Sensitivity Visits, which as discussed earlier in this report are voluntary, educational security reviews of firms carrying small amounts of hazardous materials. Moreover, TSA's Missouri pilot successfully demonstrated that voluntary security reviews could be appended to mandatory safety reviews, and that state safety inspectors could be trained to conduct CSR security reviews. TSA officials further stated that the agency's CSR reviews include a detailed assessment of the adequacy of security plans, whereas FMCSA reviews are intended to ensure a firm's compliance with its written security plan, but are not an assessment of its adequacy. Another obstacle, according to TSA officials, is associated with how the two agencies view their missions and resource sharing. TSA believes utilizing FMCSA resources, infrastructure, and databases may be cost effective. However, DOT officials told us that the primary role of FMCSA's inspectors is safety rather than security. One industry association we interviewed stated that they were working with FMCSA and TSA to merge their commercial vehicle security programs because association officials believed it would reduce duplication and be more efficient for both government and industry. By leveraging resources with FMCSA, TSA may be able to address other priorities, such as conducting additional vulnerability assessments, improving security mitigation programs beyond the hazardous materials sector, and addressing highway infrastructure protection. TSA and FMCSA also do not have a process in place to share information important to monitoring the results of security programs, consistent with leading practices for collaborating agencies. For example, the agencies are not comparing and contrasting their findings from commercial vehicle security inspections. Both TSA and FMCSA concurred that they could benefit from better sharing of information and have discussed developing a unified database for storing and sharing information on CSR and SCRs. Without a process in place to share information on the results of their security programs, TSA will not have a complete picture of the effectiveness of federal programs to secure the sector. FMCSA also maintains other data and information that could potentially be useful to TSA in its effort to understand and analyze the commercial trucking and motor coach industries. For example, the Missouri CSR program selected carriers with particularly bad safety records for review, but TSA does not have general, direct access to these data.[Footnote 81] FMCSA also maintains the Motor Carrier Management Information System (MCMIS) database of all interstate, and some intrastate companies, and all carriers of hazardous materials. Access to MCMIS data could assist TSA in addressing the NIPP requirement that the agency develop an inventory of assets as a basis for conducting vulnerability and consequence assessments. In addition, as TSA expands its CSRs of hazardous materials transporters, DOT may benefit from knowing which firms TSA has reviewed to avoid duplication of effort. Although TSA and PHMSA have signed an annex detailing how they will collaborate, TSA and FMCSA officials stated that they did not establish a similar agreement because the agencies coordinated with each other well, and an annex was not necessary. However, with enactment of the 9/ 11 Commission Act, TSA and FMCSA were required to complete an annex by August 2008 that defined the processes that will be used to promote communications and efficiency, and avoid duplication of effort.[Footnote 82] An annex to the MOU between TSA and FMCSA might help reduce possible duplication of effort in inspection programs, as well as facilitate the development of a process for sharing data to monitor program results. TSA and FMCSA officials signed an annex to the MOU in October 2008. The TSSP also requires that the GCC and the SCC create several joint working groups for research and development, performance measurement, intelligence, and risk.[Footnote 83] These groups are to improve coordination and prioritization of TSA's research and development efforts, address the inherent difficulties in measuring and assessing the performance of security mitigation programs, develop sector- specific metrics, and coordinate and integrate intelligence efforts. However, the creation of these committees has been delayed, according to TSA officials. Without promptly developing joint working groups, TSA increases the risk that collaborative work and progress in these areas will be delayed. TSA officials stated that as of September 2008, the Joint Working Groups for Highway and Motor Carrier had not been officially approved. TSA Has Increased Vulnerability Assessments by Collaborating with the State of Missouri, but Has Not Developed a Plan to Expand the Approach to the Other States: TSA has leveraged resources to enhance its capabilities to perform CSR vulnerability assessments through collaboration with the state of Missouri, and recently reached agreements with Michigan and Colorado to conduct CSRs, but has faced challenges in expanding this collaborative effort to other states. These state coordination challenges have the potential to significantly delay progress in expanding vulnerability assessments to other states. TSA officials stated that it was continuing to explore opportunities to expand the CSR program from Missouri to other states, and to leverage state field inspector and law enforcement resources. TSA also does not have a direct mechanism for coordinating its strategy with the states related to commercial vehicle security planning, and some state officials we spoke to expressed dissatisfaction with TSA's coordination efforts. The agency relies on several GCC-member associations that represent state and local transportation and law enforcement officials to coordinate with states. However, all of these state GCC stakeholders identified concerns about the adequacy of TSA coordination efforts. For example, CVSA, which represents state law enforcement officials at the GCC, stated that the GCC is not an effective means of communication and coordination, and that direct communication with the states was minimal. As a result, CVSA transportation security officials stated that they were not fully informed about TSA's risk management strategy. CVSA officials further stated, in September 2008, that while coordination with TSA had improved after TSA's staffing stabilized, they continued to be concerned that the federal government was more engaged in helping states ensure safety rather than security. They also questioned whether TSA had dedicated sufficient resources to commercial vehicle security, or had the expertise to lead federal efforts to expand vulnerability assessments nationwide. CVSA officials stated that since DOT had the resources but not the authority to oversee commercial vehicle security, it is difficult for either agency to assist the states. Another key association, AASHTO, which represents state transportation officials at the GCC, stated that state security planners are given insufficient attention and information by TSA and other DHS components relating to security. Specifically, AASHTO officials stated that TSA had not communicated its strategy or initiatives to secure commercial vehicles, and that while AASHTO has tried to discuss what role the states play in transportation security with DHS and TSA, neither has been responsive in providing fully defined roles.[Footnote 84] Several officials we spoke with during our interviews with state DOTs also expressed concerns regarding whether the GCC is a sufficient mechanism for TSA to coordinate with the 50 states and were also critical of TSA's leadership and communication related to commercial vehicle security. For example, one state noted that TSA's slow pace in providing guidance was causing it to delay the implementation of its programs for fear such programs would conflict with TSA initiatives. TSA officials stated that the agency had coordinated with states to the extent possible with available resources--having one staff member responsible for federal, state, and industry coordination. TSA Has Worked to Strengthen Partnerships with the Commercial Vehicle Industry, but Stakeholders Identified Coordination Challenges, and the Effects of Existing Coordination Efforts Are Unknown: TSA has made progress in involving industry in their strategy for strengthening commercial vehicle security by supporting the formation of an industry stakeholder council and through ongoing outreach efforts and meetings with industry officials. However, as discussed earlier in this report, industry officials we interviewed stated that they generally desired greater communication with TSA. More specifically, the officials noted that they did not fully understand TSA's strategy for securing the commercial vehicle sector, or what roles and responsibilities the agency expected from industry. Additionally, TSA does not have any measures of the effectiveness of its efforts to coordinate with its many stakeholders, which limits its ability to determine whether its ongoing efforts to collaborate are appropriate and adequate for this very large and diverse transportation sector. Without strengthening communication and coordination with industry, TSA will not be able to fully leverage the resources of its stakeholders. Four of the leading practices for collaborating agencies we previously identified to help improve coordination among federal agencies could also be applied to improve federal collaboration with industry stakeholders--defining a common outcome and complementary strategies, agreeing on roles and responsibilities, leveraging stakeholder resources, and monitoring results. TSA coordinates with the commercial vehicles sector through an industry council and industry associations. To (1) overcome the challenge of working in partnership with such a large and diverse group of stakeholders, (2) understand the current security practices of these industries, and (3) gather industry input and feedback, TSA supported the creation of the Highway and Motor Carrier Sector Coordinating Council (SCC) in June 2006. The SCC represents three private industry groups: highway passenger and school bus carriers, highway freight carriers, and highway infrastructure owners and builders, and facilitates communications within the industry and between the industry and TSA. According to members, its purpose is to represent a broad cross-section of the industry, and there is no limit on the number of organizations that can participate. As of September 2008, the SCC had convened eight times since its first meeting in August 2006, and holds separate meetings to address issues requiring a quick response. Apart from the SCC, TSA has also collaborated with several industry trade associations to develop and distribute security brochures and guides for their membership. For example, TSA assisted the Truck Rental and Leasing Association in developing its Security Awareness and Self- Assessment Guide. Although TSA has made progress in coordinating with industry stakeholders, challenges remain. Specifically, SCC officials stated that the council was dissatisfied with TSA's level of coordination with the SCC on the development of a strategy for enhancing commercial vehicle security. For example, the SCC leadership stated that the SCC was excluded from key stages of drafting revisions to the initial TSSP annex. The TSSP states that its initial goals and objectives would be developed by TSA, and be informed by comments and suggestions from the SCC, and going forward the TSSP annex states that the GCC and SCC are to prepare future revisions of the TSA strategy in the TSSP annex. SCC officials said that TSA did not consult with them regarding the development of key strategic objectives, known as Strategic Risk Objectives, or the Highway and Motor Carrier Annual Report regarding progress made and goals for the next year. These officials stated that overall coordination was better on trucking issues than for motor coach. Furthermore, industry and company officials we interviewed also expressed concerns about TSA's coordination efforts regarding its strategy Specifically, officials from 9 of the 12 industry associations and 20 of the 26 truck and bus companies we interviewed, some of whom were also members of the SCC, stated that they were not familiar with TSA's strategy and/or ongoing efforts to secure the commercial vehicle sector, and that TSA could strengthen its coordination with industry. Officials stated that in some cases, a lack of information led industry associations to hesitate in implementing security actions and dedicating resources to additional security measures that TSA may determine are not necessary or identify other required measures that must be implemented instead. Finally, SCC officials stated that TSA had not explicitly defined roles and responsibilities for the committee, its members, or the industry. Several industry association representatives also expressed similar confusion over their responsibilities and roles in securing the commercial vehicle sector. TSA officials stated that the SCC was not consulted in the development of the Highway and Motorcarrier Annex because TSA did not have enough time to include them. However, the SCC disagreed stating that TSA had received an extension on when the annex was due. TSA officials also said that they were not surprised by the uncertainty about their strategy for securing the sector because TSA's focus has been largely on developing security programs rather than communicating its security strategy to industry. TSA officials stated that going forward, they will work with the SCC as it revises the Highway and Motor Carrier Annex to the TSSP. The SCC leadership stated that during the revision to the latest HMC annual report, TSA was much more open to SCC's input. Our previous work on effective interagency collaboration has demonstrated that to achieve a common outcome, collaborating agencies need to establish strategies that work in concert with those of their partners or are joint in nature.[Footnote 85] Our prior work has further shown that collaboration can be enhanced when parties work together to define and agree on their respective roles and responsibilities, including how the collaborative effort will be led. Responsibility for securing the commercial vehicle sector involves collaboration between governmental and nongovernmental entities that typically have not worked together before on these issues. A fully defined outcome and strategy facilitates overcoming significant differences in organizational missions, cultures, and established ways of doing business. Without defining a common outcome and strategy, individual organizations increase the risk of developing strategies for securing the commercial vehicles industry that differ and conflict rather than help organizations better align their activities and resources to accomplish a common outcome. Fully defining and clarifying respective roles and responsibilities will be important to ensure that TSA and industry understand who will do what regarding securing the commercial vehicle sector, and help to reconcile differing perceptions of leadership that exist among stakeholders. SCC representatives stated that TSA has not maintained active communication with the committee, resulting in missed opportunities to take advantage of their potential contributions, including leveraging of their expertise and resources. TSA officials stated that given the SCC's recent establishment, it may be too soon to fairly assess the effectiveness of their interactions with the council. Most companies we spoke with stated that they rarely heard from TSA if at all, although they were generally much more familiar with FMCSA with whom they have worked for years. Some company officials suggested that TSA develop a direct means of communicating with the industry, such as through e-mail or a robust Web page. The Missouri Pilot Program Evaluation Report also recommended that TSA develop a Web portal to improve coordination and communication with the industry. The lack of communications and coordination could limit the effectiveness of standards and measures meant to enhance the security of commercial vehicles. TSA officials stated that the agency has conducted outreach with private industry to, among other things, coordinate its overall strategy and roles and responsibilities. According to officials, TSA has made numerous resources available to private industry stakeholders through the Homeland Security Information Network and more recently through TSA's Highway and Motor Carrier Web site link.[Footnote 86] Additionally, TSA reported that officials from the HMC are continually attending association conferences and workshops to educate and share TSA's strategy, goals, and policies. To further improve communications, TSA reported that it has conducted 14 monthly conference calls since 2007 with attendees varying from 10 to 20 stakeholder participants. TSA officials stated that, while minor issues regarding specific lines of communication may have existed, in their opinion, the general level of coordination with the industry has been successful and that they were unaware of any significant private sector stakeholder misunderstandings of the agency's security strategy, efforts, or their own roles and responsibilities. While TSA's actions should help strengthen coordination with the commercial vehicle industry, the extent of any effect of these efforts is unknown because, according to TSA officials, the agency has not developed an approach to evaluate the effectiveness of its coordination efforts. Specifically, TSA does not have measures of how coordination efforts such as its current Web site, its participation in conferences, its efforts to coordinate with states, the GCC, and SCC result in a better understanding of TSA strategy and definitions of roles and responsibilities within the commercial vehicle sector. We have previously reported that collaborative efforts can be enhanced and sustained when they include mechanisms for monitoring and evaluation to assist stakeholders in identifying areas for improvement.[Footnote 87] Without such an evaluation, TSA will be hindered in determining whether its ongoing efforts to collaborate with the commercial vehicle industry are appropriate and effective for enhancing the security of this very large and diverse transportation sector. Conclusions: The nature, size, and complexity of the nation's commercial vehicle sector highlights the need for federal and state governments and the private sector to work together to secure this transportation sector. The importance of the nation's commercial trucking and motor coach industries and concerns about their security, coupled with finite homeland security resources, underscores the need for TSA to employ a risk management approach to prioritize its security efforts so that an appropriate balance between costs and security is obtained. TSA has taken steps in implementing a risk management approach by assessing threats to and from the commercial vehicle sector, conducting some vulnerability assessments, and initiating the development of best practices to secure the sector. Despite these achievements, much work remains to fully address the security risks of commercial trucks and motor coaches, and to ensure that this information is used to inform TSA's security strategy. TSA has not yet completed annual threat assessments with estimations of the likelihood of various threats or tactics, nor established a plan and a time frame for completing vulnerability assessments of the commercial vehicle industry and its diverse sectors and firms, to include considering the recommendations of the Missouri Pilot Program Evaluation. TSA also has not developed a plan to conduct consequence assessments, or leveraged the consequence assessments of other sectors. Further, TSA has not determined the extent to which additional risk assessments are needed, or the resources needed to support these efforts. Although TSA is having threat scenarios conducted to inform a preliminary risk assessment of the industry, these assessments will likely provide limited information on what sectors or companies are most at risk, and what mitigation practices are currently in place, unless they are further supported by field-level risk assessments, such as CSRs, consistent with the TSSP. As a result of not having specific threat assessments or complete vulnerability and consequence assessments, the agency is limited in its ability to determine the most pressing security needs, and to use this information to guide its security strategy. While working to develop complete risk assessments, it is important that TSA assess and use available information as the basis for its interim decisions. For example, information currently available from existing threat, vulnerability, and consequence assessments suggest alternatives or additions to the agency's current focus on commercial vehicle transport of hazardous materials. TSA has recently begun the process of revising its strategy for 2009 and beyond; however, without completed risk assessments, its revised strategy may not be appropriately targeted. Until TSA completes assessments of this very large and highly diverse transportation sector, and uses this information to inform its security strategy, it will be limited in its ability to assure Congress that existing funds are being spent in the most efficient and effective manner. TSA has developed a range of programs to strengthen truck and bus security, but has not developed outcome measures to assess how effectively the programs have improved security. Without such performance measures, TSA cannot monitor and evaluate whether or not these programs are achieving results in enhancing commercial vehicle security, nor communicate this progress to industry stakeholders, Congress, policymakers, and taxpayers. With 50 states and over a million diverse industry stakeholders, securing commercial vehicles can pose considerable communication challenges and lead to confusion about roles and responsibilities. Ultimately, the security of the industry is maintained by the companies themselves, and if TSA is to secure the sector it must do so by working with the industry. Coordination and communications techniques that might work well in other transportation sectors may be insufficient for the larger, more complex commercial vehicle industry. TSA has taken steps to coordinate with government and industry stakeholders, and has had some noteworthy successes such as the Missouri CSR program. However, both industry and state officials we interviewed stated that more needed to be done to enhance federal leadership and better ensure that federal, state, and industry actions and investments designed to enhance security are properly focused and prioritized. TSA communicates with states primarily through associations of state law enforcement and transportation officials who participate in the GCC. However, opportunities exist for more effective coordination with states to expand the Missouri CSR to other states, and for TSA to leverage FMCSA's resources in conducting field inspections. TSA could address industry concerns about communication of its strategy, roles, and responsibilities, as well as better leverage industry expertise, by working more collaboratively with industry representatives and improving communication with the nation's many small owner-operators and midsized firms. In addition, because TSA does not monitor and measure the effectiveness of its coordination and communications efforts, it cannot be sure that it is addressing stakeholder concerns. By improving coordination with DOT, the states, and the industry, TSA could build a solid foundation for strengthening the security of the commercial vehicle sector. Recommendations for Executive Action: To assist the Transportation Security Administration in more fully evaluating, selecting, and implementing commercial vehicle security risk mitigation activities, and to help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, we recommend that the Assistant Secretary for the Transportation Security Administration take the following four actions: 1. Establish a plan and a time frame for completing risk assessments of the commercial vehicle sector, and use this information to support future updates to the Transportation Sector Strategic Plan, to include conducting: * to the extent feasible, assessments that include information about the likelihood of a terrorist attack method on a particular asset, system, or network as required by the National Infrastructure Protection Plan; * a vulnerability assessment of the commercial vehicle sector, including: - assessing the scope and method of assessments required to gauge the sector's vulnerabilities; - considering the findings and recommendations of the Missouri pilot evaluation report to strengthen future Corporate Security Reviews; and: - enhancing direct coordination with state governments to expand the Transportation Security Administration's field inspection Corporate Security Review capacities; * consequence assessments of the commercial vehicle sector, or developing alternative strategies to assess potential consequences of attacks, such as coordinating with other Sector-Specific Agencies to leverage their consequence assessment efforts. 2. In future updates to the Highway Infrastructure and Motor Carrier Annex to the Transportation Sector Security Plan, clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials, the relative risk of vehicle-borne improvised explosive devices to the sector, and, based on the relative risk of these threats, any risk mitigation activities to be implemented to address them. 3. Develop outcome-based performance measures, to the extent possible, to assess the effectiveness of federal programs to enhance the security of the commercial vehicle sector. 4. Establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that the roles and responsibilities of industry and government are fully defined and clearly communicated; new approaches to enhance communication are considered; and monitoring and assessing the effectiveness of its coordination efforts. Agency Comments and Our Evaluation: We provided a draft of this report to DHS and DOT for review and comment. On January 15, 2009, DOT provided technical oral comments which we incorporated as appropriate. On February 6, 2009, we received written comments on the draft report from DHS, which are reproduced in full in appendix II. DHS concurred with our findings and recommendations and discussed efforts underway to address them. Regarding our recommendation that TSA establish a plan and a time frame for completing risk assessments of the commercial vehicle sector, and use this information to support future updates to the Transportation Sector Strategic Plan, DHS concurred and stated that TSA is actively conducting risk assessments of the major components of the commercial vehicle sector as required by the Implementing Recommendations of the 9/11 Commission Act of 2007, and provided a timetable for completing these scenario-based risk assessments. According to TSA, these assessments will examine specific scenarios involving the commercial vehicle sector and will include information on the likelihood of a terrorist attack. We are pleased that TSA is beginning to conduct risk scenario assessments on various parts of the industry. However, we continue to believe that TSA needs to expand its use of threat likelihood estimates to the extent feasible. For example, we believe that TSA should address the feasibility of annual sector threat assessments including likelihood estimates. TSA also stated that it is planning to conduct annual field-level vulnerability assessment CSRs on a statistically valid sample of hazardous materials carriers. While we support these efforts, as we noted in the report carriers transporting hazardous materials represent only a small fraction of the industry. Therefore, we believe that TSA should also assess the scope and method of its vulnerability assessments for the entire sector, beginning with establishing the mix of expert scenarios and field assessments it deems most appropriate. In response to our recommendation that TSA conduct consequence assessments of the commercial vehicle sector or develop alternative strategies to assess potential consequences of attacks such as coordinating with other sector-specific agencies to leverage their consequence assessment efforts, TSA concurred and stated that it will examine consequence information based on the scenarios that have been developed, consult with public and private sector subject matter experts, and, when appropriate, consult with sector-specific agencies. DHS concurred with our recommendation that in future updates to the Highway Infrastructure and Motor Carrier Annex to the Transportation Sector Security Plan, they should clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials, the relative risk of vehicle-borne improvised explosive devices in the sector, and, based on the relative risk of these threats, any risk mitigation activities that should be implemented to address them. TSA stated that it intends to include risk-based clarification of the security strategies in future updates to the plan. According to TSA, for the past 2 years it has focused primarily on the transportation of hazardous materials. However, ongoing industry risk assessments and regulatory efforts may shift the current strategies, and communicating these strategies in the annex to all stakeholders will be critical to successful implementation of the plan. We believe that these efforts will help strengthen TSA's strategy for securing the sector. We further believe that it will be important for TSA to clarify the basis for its strategy and any shift in that strategy based on assessments of the relative risks. DHS concurred with our recommendation that TSA develop, to the extent possible, outcome-based performance measures to assess the effectiveness of federal programs to enhance the security of the commercial vehicle sector. DHS stated that TSA recognizes the importance of establishing outcome-based performance measures and described ongoing efforts. TSA stated that it intends to conduct annual CSRs on hazardous materials motor carriers to measure changes in industry security. While these activities will help TSA strengthen its ability to assess the effectiveness of ongoing security measures, we believe that the impact of TSA's programs on the progress of the rest of the commercial vehicle sector should be measured as well. DHS also concurred with our recommendation that TSA establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that the roles and responsibilities of industry and government are fully defined and clearly communicated; new approaches to enhance communication are considered; and the effectiveness of its coordination efforts are monitored and assessed. DHS noted that TSA recognizes the importance of strong working relationships with both industry and other government agencies, and that through its work with coordination councils TSA has established a coordination process that continues to mature and develop. Finally, DHS noted that these coordination efforts are only 17 months old, hence performance measurement processes continue to be refined. We believe that given the size and complexity of the commercial vehicle sector, and the concerns expressed by various stakeholders, new approaches to enhance communication are important. As such, TSA should develop a process to monitor and assess the effectiveness of its coordination efforts. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the date of this report. At that time, we will send copies of this report to the Secretary of Homeland Security, the Secretary of the Department of Transportation, and other interested parties. This report will also be available at no charge on our Web site at [hyperlink, http://www.gao.gov]. Should you or your staff have any questions concerning this report, please contact me at (202) 512-3404 or berrickc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix VIII. Sincerely yours, Signed by: Cathleen A. Berrick: Managing Director, Homeland Security and Justice Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of our review were to answer the following questions: (1) To what extent has TSA assessed the security risks associated with commercial vehicles and used this information to develop and implement a security strategy? (2) What security actions have key government and private sector stakeholders taken to mitigate identified risks to commercial vehicle security, and to what extent has TSA measured the effectiveness of its actions? (3) To what extent has TSA coordinated its strategy and efforts for securing commercial vehicles with other federal entities, states and private sector stakeholders? Federal Risk Assessment Activities: To review the extent to which the federal government has assessed security risks associated with commercial vehicles and used this information to develop and implement its security strategy, we analyzed DHS and DOT strategic and security planning documents such as the NIPP, the TSSP and its Highway and Motor Carrier Annex; performance documents including annual reports such as DHS's 2008 Performance Budget Overview and TSA HMC's Annual Reports and quarterly risk reduction reports; and risk assessment documentation--including assessments of threat, vulnerability, and standoff and evacuation distances. We interviewed officials from DHS National Protection and Programs Directorate; TSA's Office of Highway and Motor Carriers, Office of Risk Management and Strategic Planning, Office of Intelligence, and Office of Cargo Policy; DOT's Office of Intelligence and Security; PHMSA's Office of Hazardous Materials Safety; FMCSA's Office of Emergency Preparedness and Security; and DOT's Bureau of Transportation Statistics. To assess TSA's threat assessments, we analyzed its annual threat assessments and other intelligence products, and met with officials of TSA's Office of Intelligence. We also assessed documentation and interviewed TSA's HMC officials regarding the agency's use of the threat assessments for planning its vulnerability and consequence assessments. We also met with TSA's Risk Management Division and reviewed its use of estimates regarding the likelihood of certain types of specific threats for high-level NTSRA scenarios, and more systematic use of threat scenarios and likelihood estimates for the Aviation Domain Risk Assessment. To evaluate TSA's vulnerability assessments, we reviewed TSA's draft best practices, its vulnerability assessments known as Corporate Security Reviews (CSRs), and CSR questionnaires and reports. We also met with TSA HMC officials and interviewed officials from truck and bus companies that had undergone CSRs. To assess TSA's CSR pilot program, we attended two Missouri Pilot CSRs and analyzed the TSA-sponsored evaluation report of the CSR pilot. At the conclusion of the two CSRs we observed, we interviewed company officials about what they learned from the CSR, how germane it was to their security needs, and how appropriate TSA's suggested security measures were for their operating and business environment. We also met with Missouri state department of transportation and law enforcement officials and FMCSA field officers in Missouri to discuss their experiences with implementing the pilot and conducting CSRs. We also discussed the usefulness of the CSRs with officials from 12 leading industry trade associations representing the different sectors of the industry including, trucking companies, owner-operators, private truck companies, the bus industry, tank truck operators, hazardous materials shippers, rental and leasing firms, and unions. To review DOT's SCR inspections of hazardous material security plan implementation, we reviewed the SCR questionnaire, gathered data from agency Performance and Accountability Reports regarding their annual progress, and met with DOT FMCSA's Office of Emergency Preparedness and Security. We also analyzed FMCSA-sponsored vulnerability assessment of the U.S. motor coach Industry. We also reviewed the completeness of DOT MCMIS and BTS data on the population, or national inventory, of commercial vehicle firms, trucks, and drivers, because to determine industry vulnerabilities requires the development of a well-defined inventory or population of industry firms and assets. For more information, see appendix V. To evaluate TSA's consequence assessments, we analyzed DHS, DOD, and ATF data about standoff distances for VBIED explosions, tanker fuel truck fireballs, and TIH evacuation distances. We also interviewed officials from TSA's HMC and DHS's National Protection and Programs Directorate about their consequence assessment efforts. To explore the feasibility of TSA leveraging the consequence efforts of other sectors, we also reviewed the 17 Critical Infrastructure Sector Annual Reports for 2006 and 2007, and the Strategic Homeland Infrastructure Risk Assessment report which identifies the sectors most at risk from VBIEDs. To determine how, if at all, TSA used its risk assessments to inform its strategy for securing commercial vehicles, we reviewed its strategic plan, the TSSP annex, annual reports, and other related documents. We also interviewed HMC officials, and compared their actions to DHS risk management guidance in the NIPP and TSSP. The quality of TSA's CSR inspection data was previously assessed by the Missouri Pilot Evaluation. We reviewed the pilot evaluation and concurred with its conclusion that the Missouri sample was not representative of the commercial vehicle industry in Missouri or of the industry nationwide. To evaluate the extent to which TSA had a plan or a time frame to complete a comprehensive risk assessment of the commercial vehicle sector, we used standard practices in program and project management, which include developing a road map or a program plan to achieve programmatic results within a specified time frame or milestones.[Footnote 88] To evaluate TSA's progress in addressing the Missouri CSR Pilot evaluation, we used GAO's standards for internal controls in the federal government, which require that findings and deficiencies reported in audits and other reviews be promptly reviewed, resolved, and corrected within established time frames.[Footnote 89] Government and Private Sector Security Actions: To determine the actions the federal government and state and local governments have taken to mitigate commercial vehicle security risks, and the extent to which these actions are consistent with TSA's security strategy, we reviewed documentation and interviewed officials from TSA's Office of Highway and Motor Carrier and the Office of Cargo Policy; DOT PHMSA's Office of Hazardous Materials Safety; FMCSA's Office of Emergency Preparedness and Security; FHWA Transportation Security Office; and the FTA Office of Safety and Security. We also interviewed officials from eight states and conducted site visits to five.[Footnote 90] We selected the states in a nonprobability sample based on their characteristics, proximity to critical infrastructure and potential terrorist targets, such as large population centers, and the amount of hazardous materials (in tons) originating in the state. As a result, we cannot generalize the results to all states. However, we believe that observations obtained from these visits provided us with a greater understanding of the states' operations and perspectives. We gathered information from each regarding their actions to mitigate security risks, and any challenges they face in strengthening security. To identify industry actions taken to secure the commercial vehicle sector, we analyzed TSA's draft best practices and Security Action Items, and reviewed TSA CSR and FMCSA SCR and SSV inspection data. We also interviewed officials from 12 industry associations that represent trucking firms and truck drivers, truck manufacturers, truck rental and leasing companies, hazardous materials shippers, and intercity and tour bus companies to see what actions, if any, the association and its members were taking. We also reviewed security guidance industry trade associations had developed and provided to their members. To supplement what federal and industry associations told us and to observe industry operations firsthand, we also conducted site visits to 26 commercial truck and bus owner-operators. These companies were selected by a nonprobability sample based on: * size, using the number of vehicles (tractors, or power units for trucking companies, and buses for motor coach companies) as an indicator; * geographic location, noting the region's characteristics, proximity to critical infrastructure and potential terrorist targets such as large population centers, and the amount of hazardous materials (in tons) originating in the state; and: * type of operations, using the quantity of hazardous materials transported as an indicator for trucking companies. Because we used a nonprobability sample of owner-operators and states, the information we obtained from these interviews and visits cannot be generalized to all commercial vehicle companies. However, we believe that observations obtained from these visits provided us with a greater understanding of the industry's operations and perspectives. The 20 trucking companies we visited included hazardous materials carriers, nonhazardous materials carriers, and carriers that transported both hazardous materials and nonhazardous materials. The 6 motor coach companies we visited included companies that offer intercity services, and tour and charter services, as well as companies that do both. During our site visits to bus and trucking companies, we interviewed officials and inspected a range of security measures. To assess how the effectiveness of federal programs to reduce risk was being monitored, we analyzed DHS and DOT strategic planning and budgeting documents and performance data and interviewed officials from TSA's HMC, the Transportation Sector Network Management Business Management Office, and the DHS Federal Emergency Management Agency's (FEMA) Grants Program Directorate. To determine what performance measurement data DOT had developed that TSA could potentially use to monitor the progress of these commercial vehicle security programs, we interviewed officials from FMCSA's Analysis Division and Strategic Planning and Program Evaluation Division. We also compared TSA's efforts to evaluate its programs with guidance on performance measurement contained in the GPRA and the TSSP. Coordination and Collaboration Efforts: To review the extent to which the federal government has coordinated its strategy for securing commercial vehicles internally and with private sector stakeholders, we analyzed DHS's memorandum of understanding with DOT and subsequent annex with PHMSA that identifies the roles and responsibilities of DHS and DOT related to commercial vehicle and hazardous materials transportation security. In addition, we reviewed statutes related to DHS and DOT roles and responsibilities, as well as regulations and associated comments provided during rulemaking procedures for commercial vehicle security programs and requirements. We also interviewed officials from TSA's Office of Intelligence, Risk Management Division, the Office of Highway and Motor Carrier, and the Office of Cargo Policy; and DOT's PHMSA and FMCSA to obtain information on their current and planned efforts to secure commercial vehicles, as well as their collaborative efforts across agencies and with the private sector. We also interviewed members of the SCC and the private firms we visited to obtain their views regarding the effectiveness of TSA's coordination efforts, and discussed their views with TSA officials. Finally, we compared TSA's efforts to collaborate and coordinate with stakeholders to key practices that we had previously developed as leading practices of collaborating agencies.[Footnote 91] We conducted this performance audit from September 2006 through February 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (The methodology used to gather our data on the incidents of truck and bus bombing is summarized in app. II). [End of section] Appendix II: Incidents of Truck and Bus Bombings from 1997 to 2008: This appendix provides information on the analysis we conducted to determine the incidents of truck and bus bombings presented in this report. It provides information on the methodology used to identify incidents worldwide and the detailed results of our analysis. Methodology Used to Identify Bombing Incidents: We used open sources, such as press and wire service reports, to determine the extent of bus and truck bombings. We first reviewed the general strengths and weakness of different open-source databases and consulted open source search experts. We reviewed eight databases and chose to use four based on the breadth and completeness of their media sources, years, and geographic coverage; whether they contained sufficient detail to verify that the event was a truck or bus bombing; and whether they allowed for independent verification of source information. We also wanted databases that had, or enabled, control methods to ensure minimization of false positives and duplicates, and standardized criteria for incident inclusion. We narrowed our selection of databases to the Open Source Center (OSC), Nexis, Global Terrorism Database (GTD), and Dialog databases. OSC is the official open-source clearinghouse for the U.S. government that monitors, translates, and disseminates within the U.S. government openly available news and information from non-U.S. media sources. It has state of the art language translation capabilities, so articles are usually translated into English by native-speaker linguists. Nexis, Major World Newspapers provides access to 5 billion searchable documents from more than 40,000 legal, news, and business sources. GTD is an open-source database gathering information on terrorist incidents around the world since 1970. We made limited use of the earlier, first version called GTD 1 and only for 1997 when we could corroborate the incidents it identified with additional sources found in Nexis. Our primary database was the more rigorous GTD2, which currently covers terrorism events from 1998 to 2004. GTD2 is based on the OSC and Nexis databases, which it evaluated as the best general databases. GTD2 entries have to be based on multiple independent open-source reports or a single "highly credible" source. GTD2 has a configurable definition of terrorism that includes more than one definition of the phenomenon; control methods in place to ensure minimization of false positives; a standardized criteria for incident inclusion that is documented in a formal and publicly available codebook; and a ranking system for media sources. Dialog is an online database that allows for an extensive search of a variety of databases and collections using powerful search language. Dialog's ability to identify very specific information made it an ideal second source to search for additional documentation on known but not fully documented events. We then explored the capabilities of these databases over time with a small pilot, conducting searches on truck and bus bombings in one individual year in each of three decades, specifically the years 1987, 1996, and 2002, and explored which search terms and strategies produced the best results for each database. We assessed the possible threats to validity and confirmed that these were the pertinent issues with an open-source terrorism data expert. Our analysis plan addressed a variety of threats to validity and their mitigation: * False positives - Unclassified data on terrorist events are largely gathered through open-source data, typically press reports.[Footnote 92] Since press reports may not be the most reliable, we used several databases that use reputable sources and decision rules for the inclusion of their entries. Entries we accepted had to be based on a highly reliable source, or multiple sources. Supporting articles had to directly confirm whether the incident was a truck or bus bombing as well as the incident date, location, and the number killed. * History - Electronic search engines and archives have improved over time. Therefore, data across 25 years, since the 1983 Marine barracks bombing, may not be comparable. Based on our pilot data, we only included incidents from 1997, by which time both Nexis and GTD were well developed and reliable. * Language - All languages may not be equally covered. GTD uses the Open Source Center which is based entirely on foreign sources and has strong translation capabilities among its staff. * Synonyms - Multiple English terms may be used for bus, truck and bomb (e.g., bus vs. lorry). GTD uses extensive Boolean search terms with search strings using hundreds of terms and synonyms. Nexis and Dialog enable similar searches with wildcard strings. We applied GTD search strings to Nexis and Dialog to cover more current events not yet included in GTD. * Geography - Some areas (e.g. Africa) may not be covered as well. However, we looked for a very particular type of incident that was highly likely to be the lead story where it occurred and picked up by the wires. * Dates -Reporting date vs. actual dates. Reporting dates on global time can lead to confusion. GTD and OSC have date protocols to minimize date error. Since our unit of analysis is years, this error was of little risk. * Breaking reports vs. "final" reports - Initial reports usually have less confirmation of the number killed. When conflicting reports cannot be reconciled, we used the lower number of reported killed. GTD also uses the lowest number. * Incidents in a military area may not be terrorism - The GTD makes a distinction between combatants and noncombatants. We screened out events involving active combatants. However, we included incidents directed at civilians or other targets in active war zones such as Iraq and Afghanistan. * Incident duplication - Using multiple sources could inadvertently lead to incident duplication. GTD has a protocol to eliminate duplicates and Nexis also enables electronic duplication vetting. In addition, duplications were screened manually and the entire dataset was verified by independent staff. Search strategy: We originally hoped to list the incidents since the Beirut bombings of 1983, but given the less rigorous methodology of GTD1, the limited archival coverage of Nexis prior to 1996, and the limitations of other databases we decided to drop 1983 through 1996. Due to the evolving coverage of these databases, we had to employ three different search strategies to cover the years from 1997 to 2007. Time period: 1997 Primary search database: Global Terrorism Database "GTD1" Secondary search database: Nexis' Major World Newspapers: By 1997, Nexis sources were sufficiently developed and available online to augment GTD1, which did not list supporting sources. Time period: 1998-2004 Primary search database: Global Terrorism Database "GTD2" GTD2 incorporates OSC and Nexis in a systematic manner and additional searches of these sources were not necessary. Time period: 2005-present Primary search database: Nexis' Major World Newspapers Secondary search database: Individual newswires database in Dialog Third search database: Open Source Center: For our study we searched the GTD2 for attacks utilizing or against a commercial vehicle, either truck, bus, or bus station or bus stand, specifically with explosives (VBIEDs, IED's, suicide bomber(s), bombs, grenades, roadside bombs, landmines, and rockets). When searching Nexis we used the same search factors but with a Boolean search string. For years in our study outside the GTD year range, we duplicated their search and inclusion methodology. As a final check, we compared our results with Department of State and Department of Defense terrorism lists and timelines. We believe that these various steps successfully mitigated the various threats to validity and enabled us to compile information on the incidents of truck and bus bombings since 1997 with confidence. The results of our search are summarized in figure 2 and detailed in table 3 below. Some additional trends are summarized in the figures below. Truck and bus bombings are compared in figure 6, which shows that while bus bombings have historically been more common, the incidence of truck bombings has sharply increased since 2004 and peaked in 2007. Figure 6: Comparison of Annual Truck and Bus Bombing Incidents: [Refer to PDF for image] Line Graph: Year: 1997; Bus bombings: 3; Truck bombings: 29. Year: 1998; Bus bombings: 5; Truck bombings: 25. Year: 1999; Bus bombings: 3; Truck bombings: 18. Year: 2000; Bus bombings: 6; Truck bombings: 26. Year: 2001; Bus bombings: 2; Truck bombings: 16. Year: 2002; Bus bombings: 4; Truck bombings: 37. Year: 2003; Bus bombings: 7; Truck bombings: 37. Year: 2004; Bus bombings: 6; Truck bombings: 21. Year: 2005; Bus bombings: 13; Truck bombings: 30. Year: 2006; Bus bombings: 16; Truck bombings: 36. Year: 2007; Bus bombings: 58; Truck bombings: 48. Year: 2008; Bus bombings: 23; Truck bombings: 41. Source: GAO analysis of global terrorism data. [End of figure] Figure 7 summarizes how the sharp increase in bombing deaths in 2007 was due to the increase in truck bombings. Figure 7: Comparison of Annual Death Totals from Truck and Bus Bombing Incidents: [Refer to PDF for image] Line Graph: Year: 1997; Deaths by bus: 120; Deaths by truck: 31. Year: 1998; Deaths by bus: 124; Deaths by truck: 278. Year: 1999; Deaths by bus: 31; Deaths by truck: 1. Year: 2000; Deaths by bus: 83; Deaths by truck: 70. Year: 2001; Deaths by bus: 47; Deaths by truck: 1. Year: 2002; Deaths by bus: 269; Deaths by truck: 94. Year: 2003; Deaths by bus: 195; Deaths by truck: 97. Year: 2004; Deaths by bus: 161; Deaths by truck: 112. Year: 2005; Deaths by bus: 345; Deaths by truck: 159. Year: 2006; Deaths by bus: 378; Deaths by truck: 244. Year: 2007; Deaths by bus: 506; Deaths by truck: 2072. Year: 2008; Deaths by bus: 446; Deaths by truck: 220. Source: GAO analysis of global terrorism data. [End of figure] We only counted incidents involving noncombatants, but most of the sharp rise in deaths in truck and bus bombings that occurred in 2007 was due to bombings in Iraq. Figure 8: Comparison of Annual Death Totals from Truck and Bus Bombings in Iraq and All Other Countries: [Refer to PDF for image] Line Graph: Year: 1997; Deaths in Iraq: 0; Deaths in other countries: 151. Year: 1998; Deaths in Iraq: 0; Deaths in other countries: 402. Year: 1999; Deaths in Iraq: 7; Deaths in other countries: 25. Year: 2000; Deaths in Iraq: 0; Deaths in other countries: 153. Year: 2001; Deaths in Iraq: 0; Deaths in other countries: 48. Year: 2002; Deaths in Iraq: 7; Deaths in other countries: 256. Year: 2003; Deaths in Iraq: 45; Deaths in other countries: 247. Year: 2004; Deaths in Iraq: 151; Deaths in other countries: 122. Year: 2005; Deaths in Iraq: 378; Deaths in other countries: 126. Year: 2006; Deaths in Iraq: 384; Deaths in other countries: 238. Year: 2007; Deaths in Iraq: 2119; Deaths in other countries: 459. Year: 2008; Deaths in Iraq: 264; Deaths in other countries: 402. Source: GAO analysis of global terrorism data. [End of figure] Table 3: Worldwide Terrorist Truck and Bus Bombings from January 1997 through December 2008: Date: 1/7/1997; Location: Zugdidi, Georgia; Description: Bus bombing; Deaths: 1. Date: 1/7/1997; Location: Lagos, Nigeria; Description: Bus bombing; Deaths: 2. Date: 1/7/1997; Location: Algiers, Algeria; Description: Car bomb hits bus; Deaths: 13. Date: 1/9/1997; Location: Tel Aviv, Israel; Description: Two bombs at bus station; Deaths: 0. Date: 1/21/1997; Location: Algiers, Algeria; Description: Car bomb hits bus; Deaths: 6. Date: 2/12/1997; Location: Lagos, Nigeria; Description: Bus bombing; Deaths: 0. Date: 2/25/1997; Location: Urumqi, China; Description: Bus bombing; Deaths: 3. Date: 3/7/1997; Location: Beijing, China; Description: Bus bombing; Deaths: 2. Date: 3/17/1997; Location: Algiers, Algeria; Description: Bus stop bombing; Deaths: 4. Date: 3/29/1997; Location: Jammu & Kashmir, India; Description: Bus station bombing; Deaths: 17. Date: 4/6/1997; Location: Pathankot, India; Description: Bus bombing; Deaths: 2. Date: 4/10/1997; Location: Nablus, West Bank; Description: Bus bombing; Deaths: 0. Date: 5/6/1997; Location: Lagos, Nigeria; Description: Army bus bombing; Deaths: 0. Date: 5/8/1997; Location: Tirana, Albania [vicinity]; Description: Bus bombing; Deaths: 3. Date: 5/12/1997; Location: Shunde, China; Description: Suicide bus bombing; Deaths: 5. Date: 6/1/1997; Location: Algiers, Algeria; Description: First of two bus bombings; Deaths: 14. Date: 6/6/1997; Location: Pathankot, India; Description: Bus bombing; Deaths: 7. Date: 6/17/1997; Location: Bogota, Colombia; Description: Truck bombing; Deaths: 8. Date: 6/30/1997; Location: Sialkot, Pakistan; Description: Bus bombing; Deaths: 8. Date: 7/9/1997; Location: Jerusalem, Israel; Description: Bus bombing; Deaths: 0. Date: 7/9/1997; Location: Dagestan, Russian Federation; Description: Bus bombing; Deaths: 9. Date: 7/14/1997; Location: New Delhi, India; Description: First of two bus bombings; Deaths: 0. Date: 7/14/1997; Location: New Delhi, India; Description: Second of two bus bombings; Deaths: 0. Date: 9/5/1997; Location: Blida, Algeria; Description: Bus bombing; Deaths: 4. Date: 9/18/1997; Location: Cairo, Egypt; Description: Bus incendiary bombing; Deaths: 10. Date: 10/15/1997; Location: Colombo, Sri Lanka; Description: Truck bombing; Deaths: 20. Date: 10/24/1997; Location: Srinagar, India; Description: Bus bombing; Deaths: 2. Date: 10/28/1997; Location: Beirut, Lebanon; Description: Bus station bombing; Deaths: 0. Date: 12/3/1997; Location: Udumalpet, India; Description: Bus stand bombing; Deaths: 3. Date: 12/28/1997; Location: Galle, Sri Lanka; Description: Truck bombing; Deaths: 3. Date: 12/30/1997; Location: New Delhi, India; Description: Bus bombing; Deaths: 4. Date: 1/20/1998; Location: Algiers, Algeria; Description: Bus bombing; Deaths: 1. Date: 1/24/1998; Location: Algiers, Algeria; Description: Bomb thrown from a bus; Deaths: 1. Date: 1/26/1998; Location: Kandy, Sri Lanka; Description: Suicide truck bombing of a temple; Deaths: 13. Date: 2/3/1998; Location: Kosice, Slovakia; Description: Bus station bombing; Deaths: 0. Date: 2/14/1998; Location: Wuhan, China; Description: Bus bombing; Deaths: 50. Date: 2/26/1998; Location: Medea, Algeria; Description: Bus hits a mine; Deaths: 10. Date: 2/27/1998; Location: Gujranwala, Pakistan; Description: Bus bombing; Deaths: 5. Date: 3/5/1998; Location: Colombo, Sri Lanka; Description: Suicide bus bombing; Deaths: 37. Date: 3/9/1998; Location: Eravur, Sri Lanka; Description: Truck bombing; Deaths: 6. Date: 4/6/1998; Location: Sakrand, Pakistan; Description: Bus bombing; Deaths: 6. Date: 4/22/1998; Location: Sialkot, Pakistan; Description: Bus bombing; Deaths: 0. Date: 7/29/1998; Location: Sarajevo, Bosnia and Herzegovina; Description: Bus bombing; Deaths: 0. Date: 7/30/1998; Location: Algiers, Algeria; Description: Bus bombing; Deaths: 2. Date: 8/7/1998; Location: Dar es Salaam, Tanzania; Description: Truck bombing of U.S. Embassy; Deaths: 12. Date: 8/7/1998; Location: Nairobi, Kenya; Description: Truck bombing of U.S. Embassy; Deaths: 246. Date: 9/11/1998; Location: Kigali, Rwanda; Description: Bus bombing; Deaths: 1. Date: 9/22/1998; Location: Milan, Italy; Description: Bus bombing; Deaths: 0. Date: 9/24/1998; Location: Jerusalem, Israel; Description: Bus stop bombing; Deaths: 0. Date: 10/7/1998; Location: Ain Tagourait, Algeria; Description: Bus bombing; Deaths: 1. Date: 10/7/1998; Location: Barrancabermeja, Colombia; Description: Truck bombing; Deaths: 0. Date: 10/11/1998; Location: Halis, Iraq; Description: Car bomb exploded near a bus; Deaths: 0. Date: 10/17/1998; Location: Beersheva, Israel; Description: Two grenades explode in a bus terminal; Deaths: 0. Date: 10/29/1998; Location: Kfar Darom, Palestine; Description: Car bombing of a bus; Deaths: 2. Date: 11/2/1998; Location: Bacolod, Philippines; Description: Bus terminal bombing; Deaths: 1. Date: 11/2/1998; Location: Cagayan de Oro, Philippines; Description: Bus terminal bombing; Deaths: 0. Date: 11/19/1998; Location: Plaridel, Philippines; Description: Bus terminal bombing; Deaths: 0. Date: 11/19/1998; Location: Dipolog City, Philippines; Description: Bus bombing; Deaths: 1. Date: 11/22/1998; Location: Oued Atteli, Algeria; Description: Bus bombing; Deaths: 0. Date: 11/25/1998; Location: Kirikkale, Turkey; Description: Bus bombing; Deaths: 4. Date: 12/24/1998; Location: Van, Turkey; Description: Suicide bus bombing; Deaths: 2. Date: 1/8/1999; Location: Impasugong Philippines; Description: Bus bombing; Deaths: 1. Date: 1/12/1999; Location: Davao, Philippines; Description: First of two bus bombings; Deaths: 0. Date: 1/12/1999; Location: Davao, Philippines; Description: Second of two bus bombings; Deaths: 0. Date: 3/7/1999; Location: Bursa, Turkey; Description: Incendiary bombing of a bus; Deaths: 0. Date: 3/9/1999; Location: Colombo, Sri Lanka; Description: Bus station bombing; Deaths: 0. Date: 3/9/1999; Location: Colombo, Sri Lanka; Description: Bombing of bus and bus terminal; Deaths: 1. Date: 3/18/1999; Location: Istanbul, Turkey; Description: Bottled gas truck hit by grenade; Deaths: 0. Date: 3/26/1999; Location: Istanbul, Turkey; Description: Suicide bus bombing; Deaths: 1. Date: 6/9/1999; Location: Baghdad, Iraq; Description: Car bomb next to two buses; Deaths: 7. Date: 7/4/1999; Location: Batman, Turkey; Description: A tanker truck hit a landmine; Deaths: 1. Date: 7/8/1999; Location: Esenler, Turkey; Description: Time bomb on fuel tanker; Deaths: 0. Date: 7/12/1999; Location: Istanbul, Turkey; Description: Bus bombing; Deaths: 0. Date: 7/24/1999; Location: Anantnag, India; Description: Grenade attack on a bus stand; Deaths: 0. Date: 7/24/1999; Location: Lusaka, Zambia; Description: Grenade attack on a bus; Deaths: 0. Date: 7/27/1999; Location: Rawalpindi , Pakistan; Description: Bus bombing; Deaths: 11. Date: 8/14/1999; Location: Dina, Pakistan; Description: Bus bombing; Deaths: 6. Date: 8/16/1999; Location: Suva, Fuji; Description: Bus bombing; Deaths: 0. Date: 9/26/1999; Location: Badulla, Sri Lanka; Description: Bus bombing; Deaths: 1. Date: 11/14/1999; Location: Cali, Colombia; Description: Incendiary bomb attack on a bus stop; Deaths: 0. Date: 11/29/1999; Location: Hyderabad, Pakistan; Description: A bomb hidden under a bus seat; Deaths: 2. Date: 12/28/1999; Location: Jammu, India; Description: Bus terminal bombing; Deaths: 1. Date: 1/1/2000; Location: Chittagong, Bangladesh; Description: Bus stand bombing; Deaths: 0. Date: 2/3/2000; Location: Kosocska Mitrovica, Serbia; Description: Rocket fired at a United Nations bus; Deaths: 2. Date: 2/3/2000; Location: Colombo, Sri Lanka; Description: Bus bombing; Deaths: 0. Date: 2/25/2000; Location: Ozamiz, Philippines; Description: Bus bombing; Deaths: 44. Date: 3/15/2000; Location: Kidapawan, Philippines; Description: Bus bombing; Deaths: 2. Date: 3/15/2000; Location: Matalan, Philippines; Description: Bus bombing; Deaths: 0. Date: 4/4/2000; Location: Kittuoothu, Sri Lanka; Description: Bus hit a land mine; Deaths: 3. Date: 4/7/2000; Location: Lahore, Pakistan; Description: Bus station bombing; Deaths: 0. Date: 5/12/2000; Location: Dzhaglarbi, Russia; Description: Bus bombing; Deaths: 3. Date: 5/20/2000; Location: Midsayap, Philippines; Description: Bus terminal bombing; Deaths: 0. Date: 6/4/2000; Location: Iligan City, Philippines; Description: Bus depot bombing; Deaths: 1. Date: 6/6/2000; Location: Vientiane, Laos; Description: Bus terminal bombing; Deaths: 0. Date: 6/14/2000; Location: Wattala, Sri Lanka; Description: Suicide bus bombing; Deaths: 3. Date: 7/2/2000; Location: Argun, Russia; Description: Suicide truck bombing; Deaths: 50. Date: 7/2/2000; Location: Gudermes, Russia; Description: Two truck bomb suicide attacks; Deaths: 10. Date: 7/2/2000; Location: Urus-Martan, Russia; Description: Truck bombing; Deaths: 2. Date: 7/2/2000; Location: Novogrozny, Russia; Description: Suicide truck bombing; Deaths: 3. Date: 7/17/2000; Location: Matalam, Philippines; Description: Bus terminal bombing; Deaths: 0. Date: 7/24/2000; Location: Jullundur, India; Description: Bus bombing; Deaths: 7. Date: 9/3/2000; Location: Lahore, Pakistan; Description: Bus station bombing; Deaths: 3. Date: 9/12/2000; Location: Grozny, Chechnya; Description: Truck bombing; Deaths: 2. Date: 10/6/2000; Location: Nevinnomyssk, Russia; Description: Bus stop bombing; Deaths: 3. Date: 10/18/2000; Location: Gaza, Palestinian Territories; Description: Bus hit by grenades; Deaths: 0. Date: 11/20/2000; Location: Kfar Darom, Palestine; Description: Bus bombing; Deaths: 2. Date: 11/22/2000; Location: Hadera, Israel; Description: Car bombing of a bus; Deaths: 2. Date: 11/27/2000; Location: Lahore, Pakistan; Description: Bus bombing; Deaths: 0. Date: 11/27/2000; Location: Burewala, Pakistan; Description: Bus bombing; Deaths: 0. Date: 11/28/2000; Location: Kebitigollew, Sri Lanka; Description: Bus Hit a Landmine; Deaths: 7. Date: 12/8/2000; Location: Gudermes, Russia; Description: Truck bombing using a water tanker; Deaths: 3. Date: 12/25/2000; Location: Hyderabad, Pakistan; Description: Bus bombing; Deaths: 0. Date: 12/28/2000; Location: Tel Aviv, Israel; Description: Bus bombing; Deaths: 0. Date: 12/30/2000; Location: Manila, Philippines; Description: Bus terminal bombing; Deaths: 1. Date: 1/26/2001; Location: Rishikesh, India; Description: Bus bombing; Deaths: 2. Date: 2/5/2001; Location: Grozny, Chechnya; Description: Bus hits a mine; Deaths: 0. Date: 2/16/2001; Location: vicinity of Podujevo Kosovo; Description: Bus bombing; Deaths: 10. Date: 2/14/2001; Location: Tel Aviv, Israel; Description: Bus drove into crowded bus stop; Deaths: 8. Date: 3/2/2001; Location: Umm al-Fahm, Israel; Description: Bus bombing; Deaths: 1. Date: 3/7/2001; Location: Jerusalem, Israel; Description: Truck bomb using a garbage truck; Deaths: 0. Date: 3/7/2001; Location: Grozny, Chechnya; Description: Bus bombing; Deaths: 0. Date: 3/16/2001; Location: Tovzeni, Russia; Description: Bus bombing; Deaths: 7. Date: 4/1/2001; Location: Dhaka , Bangladesh; Description: Truck bombing; Deaths: 1. Date: 4/22/2001; Location: Kfar Sava, Israel; Description: Bus stop suicide bombing; Deaths: 2. Date: 5/25/2001; Location: Hadera, Israel; Description: Car bombing of a bus; Deaths: 2. Date: 6/25/2001; Location: Maduvil, Sri Lanka; Description: Bus hits landmine; Deaths: 6. Date: 7/20/2001; Location: Karachi, Pakistan; Description: Double bus bombing; Deaths: 2. Date: 9/6/2001; Location: Digdol, India; Description: Bus bombing; Deaths: 4. Date: 9/8/2001; Location: Matan, India; Description: Bus hits landmine; Deaths: 1. Date: 10/28/2001; Location: Quetta, Pakistan; Description: Bus bombing; Deaths: 2. Date: 10/29/2001; Location: Belfast, Northern Ireland; Description: Bus bombing; Deaths: 0. Date: 11/20/2001; Location: Tafourah , Algeria; Description: A bomb at bus station; Deaths: 0. Date: 1/25/2002; Location: Tel Aviv, Israel; Description: Suicide bombing of a bus station; Deaths: 1. Date: 1/26/2002; Location: Bir Mourad Rais, Algeria; Description: Bus stop bombing; Deaths: 0. Date: 2/3/2002; Location: Bayt Immar, Israel; Description: Incendiary bus bombing; Deaths: 0. Date: 2/19/2002; Location: vicinity of Mehola, Palestine; Description: Suicide bus bombing; Deaths: 1. Date: 2/22/2002; Location: Bhandara, Nepal; Description: Incendiary bombing of a bus; Deaths: 5. Date: 3/5/2002; Location: Afula, Israel; Description: Suicide bus bombing; Deaths: 2. Date: 3/17/2002; Location: Jerusalem, Israel; Description: Suicide bus bombing; Deaths: 1. Date: 3/20/2002; Location: Umm el-Fahm, Israel; Description: Bus bombing; Deaths: 8. Date: 4/11/2002; Location: Djerba, Tunisia; Description: Truck Bombing; Deaths: 20. Date: 4/11/2002; Location: Haifa, Israel; Description: Bus bombing; Deaths: 10. Date: 4/18/2002; Location: Grozny , Chechnya; Description: Truck bombing; Deaths: 17. Date: 4/25/2002; Location: Jammu & Kashmir, India; Description: Bus bombing; Deaths: 1. Date: 5/8/2002; Location: Casanare, Colombia; Description: Truck bombing of a bridge; Deaths: 0. Date: 5/8/2002; Location: Karachi, Pakistan; Description: Car bombing of a bus; Deaths: 14. Date: 5/14/2002; Location: Calarca, Colombia; Description: Bus bombing; Deaths: 0. Date: 5/20/2002; Location: Ta'anachim, Israel; Description: Suicide bus bombing; Deaths: 1. Date: 5/29/2002; Location: Ahmedabad, India; Description: One of three bus bombings; Deaths: 0. Date: 5/29/2002; Location: Ahmedabad, India; Description: One of three bus bombings; Deaths: 0. Date: 5/29/2002; Location: Ahmedabad, India; Description: One of three bus bombings; Deaths: 0. Date: 6/6/2002; Location: Poso, Indonesia; Description: Bus bombing; Deaths: 4. Date: 6/17/2002; Location: Jerusalem, Israel; Description: Suicide bus bombing; Deaths: 19. Date: 6/19/2002; Location: Jerusalem, Israel; Description: Suicide bomber attacked a bus stop; Deaths: 7. Date: 6/27/2002; Location: Davao City, Philippines; Description: Bus bombing; Deaths: 0. Date: 7/16/2002; Location: Emmanuel, Israel [vicinity]; Description: Bus attacked with grenades; Deaths: 7. Date: 8/13/2002; Location: Shali, Russia; Description: Bus hit a landmine; Deaths: 3. Date: 10/10/2002; Location: Kidapawan, Philippines; Description: Bus terminal bombing; Deaths: 8. Date: 10/10/2002; Location: Tel Aviv, Israel; Description: Suicide bombing of a bus; Deaths: 2. Date: 10/12/2002; Location: Kuta, Bali; Description: Bus bomb; Deaths: 101. Date: 10/18/2002; Location: Quezon City, Philippines; Description: Bus bombing; Deaths: 3. Date: 10/22/2002; Location: Pardes Hanna, Israel; Description: Suicide car bomb next to a bus; Deaths: 16. Date: 11/4/2002; Location: Ganeshchowk, Nepal; Description: Incendiary bombing of a bus; Deaths: 2. Date: 11/11/2002; Location: Ramsu, Iraq; Description: Bus hit a landmine; Deaths: 7. Date: 11/13/2002; Location: Lasana, India; Description: Bus bombing; Deaths: 0. Date: 11/14/2002; Location: Malgobek, Russia; Description: Hand grenade attack in a bus; Deaths: 4. Date: 11/14/2002; Location: Charikot, Nepal; Description: Bus hit a landmine; Deaths: 2. Date: 11/18/2002; Location: Chintagudam, India; Description: Bus bombed by remote detonation of landmine; Deaths: 14. Date: 11/21/2002; Location: Jerusalem, Israel; Description: Suicide bus bombing; Deaths: 12. Date: 11/23/2002; Location: Munda, India; Description: Army bus hit a landmine; Deaths: 12. Date: 11/25/2002; Location: Mukinda, India; Description: Grenades attack bus; Deaths: 0. Date: 12/2/2002; Location: Mumbai, India; Description: Bus bombing; Deaths: 2. Date: 12/27/2002; Location: Chechnya, Russian Federation; Description: Suicide truck bombing; Deaths: 57. Date: 1/5/2003; Location: Jammu & Kashmir, India; Description: Grenade attack on a bus stand; Deaths: 0. Date: 1/5/2003; Location: Tel Aviv, Israel; Description: Suicide bombing of a bus station; Deaths: 24. Date: 1/12/2003; Location: Gaza, Palestinian Territories; Description: Bus hit by grenades; Deaths: 2. Date: 1/14/2003; Location: La Trinidad, Philippines; Description: Bus bombing; Deaths: 0. Date: 1/19/2003; Location: Kulgam, India; Description: Grenade thrown at a bus; Deaths: 0. Date: 1/31/2003; Location: Spin Boldak, Afghanistan; Description: Bus on bridge hit a land mine; Deaths: 18. Date: 2/2/2003; Location: vicinity of Basaguda , India; Description: Incendiary bombing of a bus; Deaths: 5. Date: 3/5/2003; Location: Haifa, Israel; Description: Suicide bus bombing; Deaths: 16. Date: 3/11/2003; Location: Bogota, Colombia; Description: Incendiary devices on buses; Deaths: 0. Date: 3/11/2003; Location: Arauca, Colombia; Description: Truck bombing; Deaths: 1. Date: 3/13/2003; Location: Rajauri, India; Description: Bus bombing at a bus terminal; Deaths: 4. Date: 3/16/2003; Location: vicinity of Bamungopha , India; Description: Bus bombed by rebel triggered landmine; Deaths: 7. Date: 4/3/2003; Location: Grozny, Chechnya; Description: Bus bombing; Deaths: 8. Date: 4/8/2003; Location: Gulu, Uganda; Description: Grenades and bombs hit buses; Deaths: 10. Date: 4/12/2003; Location: Qazigund, India; Description: Grenade attack on a bus stop; Deaths: 1. Date: 4/12/2003; Location: Kulgam, India; Description: Grenade attack on a bus stand; Deaths: 0. Date: 4/23/2003; Location: Carmen, Philippines; Description: Bus hit a landmine and attacked by grenades; Deaths: 4. Date: 5/3/2003; Location: Anantnag, India; Description: Grenade attack on a bus stand; Deaths: 0. Date: 5/5/2003; Location: Doda, India; Description: Grenade attack on a bus stand; Deaths: 1. Date: 5/10/2003; Location: Hyderabad, Pakistan; Description: Bus bombing; Deaths: 0. Date: 5/18/2003; Location: Jerusalem, Israel; Description: Suicide bombing of a bus; Deaths: 8. Date: 5/23/2003; Location: Netzarim, Israel [vicinity]; Description: Bus bombing; Deaths: 0. Date: 5/30/2003; Location: Grozny, Chechnya; Description: Bus hit a landmine; Deaths: 0. Date: 5/31/2003; Location: Hyderabad, Pakistan; Description: Grenade attack on a bus; Deaths: 0. Date: 6/5/2003; Location: Mozdok, Russia; Description: Suicide bus bombing; Deaths: 20. Date: 6/11/2003; Location: Jerusalem, Israel; Description: Suicide bus bombing; Deaths: 17. Date: 6/23/2003; Location: Shopian, India; Description: Grenade attack on a bus station; Deaths: 2. Date: 7/12/2003; Location: Kaloosa, India; Description: Bus bombing; Deaths: 0. Date: 7/28/2003; Location: Ghatkopar , India; Description: Bus bombing; Deaths: 5. Date: 8/1/2003; Location: Chechnya, Russia; Description: Suicide Truck bomb; Deaths: 50. Date: 8/4/2003; Location: Vien-tiane, Laos; Description: Bomb explodes at a bus station; Deaths: 0. Date: 8/13/2003; Location: Helmand, Afghanistan; Description: bomb wrecked a bus; Deaths: 15. Date: 8/19/2003; Location: Jerusalem, Israel; Description: Suicide bomber on a bus; Deaths: 20. Date: 8/19/2003; Location: Baghdad, Iraq; Description: Truck Bomb Explosion; Deaths: 24. Date: 9/15/2003; Location: Magas, Russian Federation; Description: Truck Bomb; Deaths: 2. Date: 9/23/2003; Location: Tigzirt, Algeria; Description: Truck bombing; Deaths: 0. Date: 9/24/2003; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 1. Date: 9/27/2003; Location: Karachi, Pakistan; Description: Bus bombing; Deaths: 0. Date: 10/12/2003; Location: Irun, Spain; Description: Two truck bombings; Deaths: 0. Date: 10/20/2003; Location: Batmalloo, India; Description: Grenade attack on a bus station; Deaths: 2. Date: 10/21/2003; Location: Kulgam, India; Description: Grenade attack on a bus stand; Deaths: 0. Date: 11/12/2003; Location: Nasiriyah, Iraq; Description: Truck bombing; Deaths: 20. Date: 12/23/2003; Location: Poso, Indonesia; Description: Bus bombing; Deaths: 0. Date: 12/25/2003; Location: Tel Aviv, Israel; Description: Suicide bus bombing; Deaths: 5. Date: 1/4/2004; Location: Medan, Indonesia; Description: Bus terminal bombing; Deaths: 0. Date: 1/15/2004; Location: Tikrit, Iraq; Description: Bus hits a landmine; Deaths: 3. Date: 1/16/2004; Location: Dhanakuta, Nepal; Description: Bus bombing; Deaths: 4. Date: 1/28/2004; Location: Baghdad, Iraq; Description: Ambulance used as a truck bomb; Deaths: 3. Date: 1/29/2004; Location: Jerusalem, Israel; Description: Suicide bus bombing; Deaths: 11. Date: 2/10/2004; Location: Iskandariya, Iraq; Description: Truck Bomb; Deaths: 50. Date: 2/12/2004; Location: vicinity of Bardibas , Nepal; Description: Bus bombed crossing a bridge; Deaths: 6. Date: 3/29/2004; Location: Tashkent, Uzbekistan; Description: Suicide bombing of a bus stop; Deaths: 6. Date: 4/5/2004; Location: Pulwama, India; Description: Grenade attack on a bus station; Deaths: 8. Date: 5/23/2004; Location: Woodsa , India; Description: Bus bombing; Deaths: 28. Date: 5/30/2004; Location: Kathmandu, Nepal; Description: Bus bombed in a bus station; Deaths: 2. Date: 6/17/2004; Location: Dagestan, Russian Federation; Description: Truck bombing; Deaths: 0. Date: 6/24/2004; Location: Guwahati , India; Description: Bus bombing; Deaths: 5. Date: 6/24/2004; Location: Istanbul, Turkey; Description: Bus bombing; Deaths: 4. Date: 6/27/2004; Location: Jalalabad, Afghanistan; Description: Bus bombing; Deaths: 2. Date: 7/11/2004; Location: San Francisco, Colombia; Description: Bus bombing; Deaths: 2. Date: 7/11/2004; Location: Tel Aviv, Israel; Description: Bomb at a bus stop; Deaths: 1. Date: 7/19/2004; Location: Baghdad. Iraq; Description: Truck bombs hit police station; Deaths: 13. Date: 7/19/2004; Location: Voronezh, Russia; Description: Bomb at a bus stop; Deaths: 2. Date: 7/28/2004; Location: Baqouba, Iraq; Description: Suicide bus bombing; Deaths: 70. Date: 8/5/2004; Location: Mozdok, Russia; Description: Bomb attack on a bus stop; Deaths: 0. Date: 8/10/2004; Location: Barkan, Israel; Description: Bus bombing; Deaths: 0. Date: 8/25/2004; Location: Guwahati, India; Description: One of two bus bombings; Deaths: 1. Date: 8/25/2004; Location: Gossaigaon, India; Description: One of two bus bombings; Deaths: 0. Date: 10/7/2004; Location: Taba, Egypt; Description: Truck bombing of a hotel; Deaths: 34. Date: 11/13/2004; Location: Poso, Indonesia; Description: Bus bombing; Deaths: 6. Date: 12/24/2004; Location: Baghdad, Iraq; Description: Fuel tanker used as a truck bomb; Deaths: 12. Date: 1/2/2005; Location: Balad, Iraq [vicinity]; Description: Bus bombing; Deaths: 23. Date: 1/4/2005; Location: Baghdad, Iraq; Description: Truck bombing of a guard post; Deaths: 10. Date: 1/11/2005; Location: Yussifiyah, Iraq; Description: Bus bombing; Deaths: 7. Date: 1/14/2005; Location: Karni, Gaza Strip; Description: Border police truck bombed; Deaths: 7. Date: 1/19/2005; Location: Baghdad, Iraq; Description: Truck bomb attack on Australian Embassy; Deaths: 3. Date: 1/20/2005; Location: Karamay, China; Description: Suicide bus bombing; Deaths: 11. Date: 1/26/2005; Location: Sinjar, Iraq; Description: Truck bombing; Deaths: 15. Date: 1/30/2005; Location: Abu Alwan, Iraq; Description: Bus bombing; Deaths: 5. Date: 2/14/2005; Location: Manila, Philippines; Description: Bus bombing; Deaths: 3. Date: 2/14/2005; Location: Davao, Philippines; Description: Bus terminal bombing; Deaths: 1. Date: 2/14/2005; Location: Beirut, Lebanon; Description: Truck bombing; Deaths: 21. Date: 2/19/2005; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 18. Date: 3/9/2005; Location: Baghdad, Iraq; Description: Truck bomb hits hotel; Deaths: 4. Date: 4/1/2005; Location: Mazar-e Sharif, Afghanistan; Description: Tractor trailer truck bombing; Deaths: 2. Date: 4/5/2005; Location: Srinagar, India; Description: Bus bombing; Deaths: 0. Date: 4/5/2005; Location: Tal Afar, Iraq; Description: Bus bombing; Deaths: 3. Date: 4/30/2005; Location: Cairo, Egypt; Description: Bus station bombed; Deaths: 2. Date: 5/6/2005; Location: Tikrit, Iraq; Description: Iraqi police bus bombing; Deaths: 8. Date: 5/31/2005; Location: Baquba, Iraq; Description: Truck bombing; Deaths: 2. Date: 6/6/2005; Location: Badarmude, Nepal; Description: Bus bombing; Deaths: 38. Date: 6/10/2005; Location: Narke, Nepal; Description: Bus bombing; Deaths: 8. Date: 6/13/2005; Location: Sungai Padi, Thailand; Description: Garbage truck used as a truck bomb; Deaths: 1. Date: 6/13/2005; Location: Groznyy, Chechnya; Description: Bus stop bombing; Deaths: 0. Date: 6/25/2005; Location: Srinagar, India; Description: Car bomb attacks; Deaths: 9. Date: 7/7/2005; Location: London, United Kingdom; Description: Bus bombing; Deaths: 14. Date: 7/13/2005; Location: Ofra, Israel; Description: Bus bombing; Deaths: 0. Date: 7/16/2005; Location: Kusadasi, Turkey; Description: Bus bombing; Deaths: 5. Date: 7/21/2005; Location: London, United Kingdom; Description: Bus bombing; Deaths: 0. Date: 7/24/2005; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 40. Date: 8/10/2005; Location: Karimnagar, India; Description: Bus station bombed; Deaths: 0. Date: 8/17/2005; Location: Baghdad, Iraq; Description: Bus station bombed; Deaths: 25. Date: 8/28/2005; Location: Beersheba, Israel; Description: Bus station bombed; Deaths: 1. Date: 9/14/2005; Location: Baghdad, Iraq; Description: Suicide bus bombing; Deaths: 114. Date: 9/15/2005; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 3. Date: 9/23/2005; Location: Baghdad, Iraq; Description: Bus Bombing; Deaths: 6. Date: 10/24/2005; Location: Baghdad, Iraq; Description: Cement truck used as a truck bomb; Deaths: 18. Date: 10/29/2005; Location: Iraq; Description: Date truck used as a truck bomb; Deaths: 30. Date: 11/14/2005; Location: Jhalakati, Bangladesh; Description: Bus bombing; Deaths: 2. Date: 11/14/2005; Location: Ramadi, Iraq; Description: Bus bombing; Deaths: 3. Date: 11/18/2005; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 6. Date: 11/19/2005; Location: Beylikduzu, Turkey; Description: Bus stop bombing; Deaths: 1. Date: 12/8/2005; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 32. Date: 12/12/2005; Location: Baghdad, Iraq; Description: Bus bombing near a hospital; Deaths: 3. Date: 1/4/2006; Location: Ishaqi, Iraq; Description: Bombing of a fuel tanker truck; Deaths: 0. Date: 2/5/2006; Location: Quetta, Pakistan; Description: Bus bombing; Deaths: 12. Date: 2/20/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 12. Date: 2/26/2006; Location: Hillah, Iraq; Description: Bus bombing; Deaths: 0. Date: 3/2/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 5. Date: 3/4/2006; Location: Baghdad, Iraq; Description: Bombing of trailer truck; Deaths: 0. Date: 3/4/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 7. Date: 3/10/2006; Location: Fallujah, Iraq; Description: Truck bombing; Deaths: 7. Date: 3/10/2006; Location: Rakhni, Pakistan; Description: Truck hit a landmine; Deaths: 27. Date: 3/29/2006; Location: Digos City, Philippines; Description: Bus bombing; Deaths: 0. Date: 3/31/2006; Location: Istanbul, Turkey; Description: Bus bombing; Deaths: 1. Date: 4/1/2006; Location: Istanbul, Turkey; Description: Bombing of a bus stop; Deaths: 1. Date: 4/2/2006; Location: Istanbul, Turkey; Description: Bus bombing; Deaths: 3. Date: 4/3/2006; Location: Baghdad, Iraq; Description: Truck bombing near mosque; Deaths: 10. Date: 4/19/2006; Location: Narathiwat, Thailand; Description: Truck bombing; Deaths: 1. Date: 5/14/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 5. Date: 5/20/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 19. Date: 5/29/2006; Location: Khalis, Iraq; Description: Bus bombing; Deaths: 11. Date: 6/6/2006; Location: Baqubah, Iraq; Description: Bus stop bombing; Deaths: 1. Date: 6/8/2006; Location: Mosul, Iraq [vicinity]; Description: Fuel truck bombed; Deaths: 1. Date: 6/11/2006; Location: Manila, Philippines; Description: Bus bombing; Deaths: 0. Date: 6/15/2006; Location: Kabithigollewa , Sri Lanka; Description: Bus hit a landmine; Deaths: 62. Date: 6/15/2006; Location: Kandahar, Afghanistan; Description: Bus bombing; Deaths: 8. Date: 7/1/2006; Location: Baghdad, Iraq; Description: Suicide truck bombing; Deaths: 66. Date: 7/6/2006; Location: Tiraspol, Moldova; Description: Bus bombing; Deaths: 7. Date: 7/52006; Location: Kabul, Afghanistan; Description: Bus bombing; Deaths: 1. Date: 7/18/2006; Location: Kufa, Iraq; Description: Bus bombing; Deaths: 50. Date: 7/18/2006; Location: Hawijah, Iraq; Description: roadside bomb near a bus station; Deaths: 9. Date: 7/31/2006; Location: Trincaomalee, Sri Lanka; Description: roadside bomb exploded near a military truck; Deaths: 18. Date: 8/1/2006; Location: Baiji, Iraq; Description: Bus bombing; Deaths: 24. Date: 8/5/2006; Location: Bangkok, Thailand; Description: Bus bombing; Deaths: 0. Date: 8/6/2006; Location: Samarra, Iraq; Description: Truck bombing; Deaths: 9. Date: 8/15/2006; Location: Mosul, Iraq; Description: Truck bombing; Deaths: 5. Date: 8/27/2006; Location: Marmaris, Turkey; Description: Bus bombing; Deaths: 0. Date: 8/27/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 9. Date: 8/30/2006; Location: Kirkuk, Iraq; Description: Bus bombing; Deaths: 3. Date: 9/12/2006; Location: Diyarbakir, Turkey; Description: Bus stop bombed; Deaths: 11. Date: 9/17/2006; Location: Kirkuk, Iraq; Description: Suicide truck bombing; Deaths: 18. Date: 9/20/2006; Location: Baghdad, Iraq; Description: Truck bomb attacks police; Deaths: 8. Date: 10/10/2006; Location: Kabul, Afghanistan; Description: Bus bombing; Deaths: 0. Date: 10/16/2006; Location: Habarana, Sri Lanka; Description: Truck bombing of bus terminal; Deaths: 67. Date: 10/17/2006; Location: Baghdad, Iraq [vicinity]; Description: Truck bombing; Deaths: 4. Date: 10/27/2006; Location: Uruzgan Province, Afghanistan; Description: Bus bombing; Deaths: 14. Date: 10/29/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 1. Date: 10/30/2006; Location: Algiers, Algeria; Description: Truck bombing of a police station; Deaths: 3. Date: 11/13/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 16. Date: 12/5/2006; Location: Baghdad, Iraq; Description: Car bomb hit bus; Deaths: 14. Date: 12/10/2006; Location: Algiers, Algeria; Description: Bus bombing; Deaths: 1. Date: 12/12/2006; Location: Baghdad, Iraq; Description: Car bomb hits bus; Deaths: 57. Date: 12/13/2006; Location: Baghdad, Iraq; Description: Car bombing of a bus stop; Deaths: 11. Date: 12/25/2006; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 2. Date: 12/31/2006; Location: Bangkok, Thailand; Description: Bus station bombed; Deaths: 1. Date: 1/5/2007; Location: Nittambuwa, Sri Lanka; Description: Suicide Bus; Deaths: 5. Date: 1/6/2007; Location: Meetiyagoda , Sri Lanka; Description: Suicide Bus; Deaths: 16. Date: 1/17/2007; Location: Kirkuk, Iraq; Description: Truck bombing; Deaths: 10. Date: 1/19/2007; Location: Guwahati, India; Description: Bus terminal bombed; Deaths: 2. Date: 1/28/2007; Location: Najaf, Iraq; Description: Bus bombing; Deaths: 1. Date: 1/28/2007; Location: Ramadi, Iraq; Description: Dump Truck with Cholrine; Deaths: 16. Date: 2/3/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 135. Date: 2/12/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 70. Date: 2/13/2007; Location: Algiers, Algeria [vicinity]; Description: Truck bombing; Deaths: 6. Date: 2/13/2007; Location: Ain Alaq, Lebanon; Description: Bus Bombs; Deaths: 3. Date: 2/14/2007; Location: Zahedan, Iran; Description: Car bomb attack on a bus; Deaths: 11. Date: 2/19/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 5. Date: 2/20/2007; Location: Taji, Iraq; Description: Chlorine gas tank trucks; Deaths: 9. Date: 2/21/2007; Location: Baghdad, Iraq; Description: Truck bombing using a chlorine gas tank truck; Deaths: 5. Date: 2/21/2007; Location: Kirkuk, Iraq; Description: Bombs at a bus depot; Deaths: 0. Date: 2/24/2007; Location: Falluja, Iraq; Description: Truck bombing; Deaths: 40. Date: 2/27/2007; Location: Ramadi, Iraq; Description: Truck bombing; Deaths: 19. Date: 3/11/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 11. Date: 3/11/2007; Location: Baghdad, Iraq; Description: Car bomb hits truck; Deaths: 19. Date: 3/16/2007; Location: Amiriyah, Iraq; Description: Truck bombing using a chlorine gas tank truck; Deaths: 8. Date: 3/25/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 20. Date: 3/25/2007; Location: Hillah, Iraq; Description: Truck bombing; Deaths: 20. Date: 3/27/2007; Location: Tal Afar, Iraq; Description: Truck bombing; Deaths: 152. Date: 3/29/2007; Location: Fallujah, Iraq; Description: Chlorine Trucks; Deaths: 0. Date: 4/2/2007; Location: Kirkuk, Iraq; Description: Truck bombing; Deaths: 14. Date: 4/3/2007; Location: Ampara, Sri Lanka; Description: Bus bombing; Deaths: 16. Date: 4/6/2007; Location: Ramadi,Iraq; Description: Truck bombing; Deaths: 25. Date: 4/7/2007; Location: Vavuniya, Sri Lanka; Description: Bus bombing; Deaths: 7. Date: 4/12/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 10. Date: 4/14/2007; Location: Mosul, Iraq; Description: Two oil trucks exploded; Deaths: 6. Date: 4/14/2007; Location: Karbala, Iraq; Description: Bombing of a bus station; Deaths: 43. Date: 4/15/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 3. Date: 4/18/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 127. Date: 4/18/2007; Location: Rusafi, Iraq; Description: Bus bombing; Deaths: 4. Date: 4/23/2007; Location: Diyala Province, Iraq; Description: Truck Bombing; Deaths: 9. Date: 4/23/2007; Location: Fallujah, Iraq; Description: Truck bombing; Deaths: 3. Date: 4/24/2007; Location: Ramadi, Iraq; Description: Truck bombing; Deaths: 25. Date: 4/24/2007; Location: Baghdad, Iraq; Description: military checkpoint, A chlorine truck bomb; Deaths: 1. Date: 4/30/2007; Location: Hit, Iraq; Description: Chlorine tanker; Deaths: 10. Date: 5/9/2007; Location: Irbil (Arbil), Iraq; Description: Truck bombing; Deaths: 15. Date: 5/14/2007; Location: Makhmour, Iraq; Description: Truck bombing; Deaths: 50. Date: 5/15/2007; Location: Diyala, Iraq; Description: Truck bombing using a chlorine gas tank truck; Deaths: 45. Date: 5/18/2007; Location: Cotabato City, Philippines; Description: Bomb at bus terminal; Deaths: 3. Date: 5/20/2007; Location: Ramadi, Iraq; Description: Truck bomb with chlorine gas attacked a police checkpoint; Deaths: 11. Date: 5/24/2007; Location: Colombo, Sri Lanka; Description: Bus bombing; Deaths: 1. Date: 5/28/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 24. Date: 6/5/2007; Location: Fallujah, Iraq; Description: Truck bombing; Deaths: 18. Date: 6/7/2007; Location: Rabiyah, Iraq; Description: Truck Bomb at Police headquarters; Deaths: 9. Date: 6/7/2007; Location: Ramadi, Iraq; Description: Truck Bomb at Police headquarters; Deaths: 3. Date: 6/7/2007; Location: Abu Ghraib, Iraq; Description: Truck bomb at Shiite mosque; Deaths: 3. Date: 6/8/2007; Location: Qurnah, Iraq; Description: Bus terminal bombing; Deaths: 18. Date: 6/10/2007; Location: Albu-Ajeel , Iraq; Description: Truck bombing; Deaths: 9. Date: 6/11/2007; Location: Nairobi, Kenya; Description: Bus stop bombing; Deaths: 2. Date: 6/15/2007; Location: Bansalan, Philippines; Description: Bus bombing; Deaths: 9. Date: 6/15/2007; Location: Cotabato City, Philippines; Description: Bus bombing; Deaths: 0. Date: 6/15/2007; Location: Diyarbakir,Turkey; Description: Bus station; Deaths: 0. Date: 6/17/2007; Location: Kabul Afghanistan; Description: Bus bombing; Deaths: 35. Date: 6/19/2007; Location: Baghdad, Iraq; Description: Truck bomb attacks a mosque; Deaths: 78. Date: 6/21/2007; Location: Kirkuk, Iraq; Description: Truck bombing; Deaths: 13. Date: 6/28/2007; Location: Baghdad, Iraq; Description: Car bombing of a bus station; Deaths: 25. Date: 7/1/2007; Location: Ramadi, Iraq; Description: Truck Bomb; Deaths: 5. Date: 7/7/2007; Location: Armil, Iraq; Description: Truck bombing; Deaths: 150. Date: 7/12/2007; Location: Lakhdaria, Algeria; Description: Algerian solders attacked; Deaths: 8. Date: 7/16/2007; Location: Kirkuk, Iraq; Description: Truck bombing; Deaths: 85. Date: 7/18/2007; Location: Tacurong City, Philippines; Description: Bus bombing; Deaths: 0. Date: 7/26/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 3. Date: 7/27/2007; Location: Baghdad, Iraq; Description: Truck bomb Karada market; Deaths: 61. Date: 8/4/2007; Location: Peshawar, Pakistan; Description: Car bombing of a bus station; Deaths: 9. Date: 8/14/2007; Location: Qahtaniya, Iraq; Description: Four truck bombs attack village; Deaths: 500. Date: 8/14/2007; Location: Northern Baghdad, Iraq; Description: Bridge attacked again; Deaths: 10. Date: 8/17/2007; Location: Christchurch, New Zealand; Description: Bus bombing; Deaths: 0. Date: 8/22/2007; Location: Baiji, Iraq; Description: Truck bombing; Deaths: 50. Date: 8/22/2007; Location: Taji, Iraq; Description: Truck bombing; Deaths: 0. Date: 8/22/2007; Location: Baiji, Iraq; Description: Police Station Bombing with Truck; Deaths: 23. Date: 8/26/2007; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 3. Date: 9/1/2007; Location: Afisyoone, Somalia; Description: Bus bombing; Deaths: 1. Date: 9/5/2007; Location: Baghdad, Iraq; Description: Bomb at bus stop; Deaths: 4. Date: 9/5/2007; Location: Rawalpindi, Pakistan; Description: Army bus bombing; Deaths: 24. Date: 9/10/2007; Location: Northern Iraq; Description: Truck bombing; Deaths: 10. Date: 9/14/2007; Location: Beiji, Iraq; Description: Truck bombing of Police checkpoint; Deaths: 4. Date: 9/16/2007; Location: Parwanipur, Nepal; Description: Bus bombing; Deaths: 1. Date: 9/16/2007; Location: Jaffna, Sri Lanka; Description: Bus bombing; Deaths: 2. Date: 9/21/2007; Location: Trincomalee, Sri Lanka; Description: Bus bombing; Deaths: 2. Date: 9/24/2007; Location: Tal Afar, Iraq; Description: Truck bombing; Deaths: 6. Date: 9/29/2007; Location: Kabul, Afghanistan; Description: Military bus bombing; Deaths: 30. Date: 10/2/2007; Location: Kabul, Afghanistan; Description: Bus bombing; Deaths: 13. Date: 10/11/2007; Location: Kirkuk, Iraq; Description: truck bomb exploded at a market; Deaths: 7. Date: 10/16/2007; Location: Mosul, Iraq; Description: Truck bombing; Deaths: 16. Date: 10/19/2007; Location: Karachi , Pakistan; Description: Truck Bomb near Bhutto; Deaths: 136. Date: 10/20/2007; Location: Dera Bugti, Pakistan; Description: Bus bombing; Deaths: 7. Date: 10/23/2007; Location: Mogadishu, Somalia; Description: Bus bombing; Deaths: 7. Date: 10/25/2007; Location: Mingora, Pakistan; Description: Truck bombing; Deaths: 20. Date: 10/31/2007; Location: Togliatti, Russia; Description: Bus bombing; Deaths: 8. Date: 11/22/2007; Location: North Ossetia and Kabardino-Balkaria, Russia [vicinity]; Description: Bus bombing; Deaths: 5. Date: 11/23/3007; Location: Mosul, Iraq; Description: Truck Bomb on bridge; Deaths: 0. Date: 11/24/2007; Location: Rawalpindi, Pakistan; Description: Bus bombing; Deaths: 19. Date: 12/5/2007; Location: Baquba, Iraq; Description: Bus station bombed; Deaths: 5. Date: 12/9/2007; Location: Baghdad, Iraq; Description: Truck bombing; Deaths: 8. Date: 12/9/2007; Location: Algiers, Algeria; Description: Bus bombing; Deaths: 12. Date: 12/9/2007; Location: Nevinnomysk, Russia; Description: School bus bombing; Deaths: 2. Date: 12/10/2007; Location: Kamra, Pakistan; Description: School bus bombing; Deaths: 0. Date: 12/11/2007; Location: Algiers, Algeria; Description: Multiple truck bombs; Deaths: 37. Date: 12/12/2007; Location: Tambon Bang Khoo, Thailand; Description: Bus bombing; Deaths: 0. Date: 12/17/2007; Location: Mosul, Iraq; Description: Truck bombing on dam; Deaths: 1. Date: 12/24/2007; Location: Baghdad, Iraq; Description: Bus bomb; Deaths: 2. Date: 12/25/2007; Location: Baghdad, Iraq; Description: Truck Bomb; Deaths: 25. Date: 1/2/2008; Location: Colombo, Sri Lanka; Description: Bus bombing; Deaths: 4. Date: 1/3/2008; Location: Diyarbakir, Turkey; Description: Bus bombing; Deaths: 5. Date: 1/16/2008; Location: Buttala, Sri Lanka; Description: Bus bombing; Deaths: 23. Date: 1/29/2008; Location: Colombo, Sri Lanka; Description: Bus bombing; Deaths: 18. Date: 2/1/2008; Location: Kabul, Afghanistan; Description: Bus bombing; Deaths: 1. Date: 2/2/2008; Location: Dambulla, Sri Lanka; Description: Bus bombing; Deaths: 20. Date: 2/3/2008; Location: Mogadishu, Somali; Description: Bus bombing; Deaths: 5. Date: 2/5/2008; Location: Weli-Oya, Sri Lanka; Description: Bus bombing; Deaths: 13. Date: 2/12/2008; Location: Beirut, Lebonon; Description: Truck bomb; Deaths: 1. Date: 2/22/2008; Location: Pakistan; Description: Truck bomb; Deaths: 12. Date: 2/24/2008; Location: Colombo, Sri Lanka; Description: Bus bombing; Deaths: 0. Date: 2/26/2008; Location: Tall Afar, Iraq; Description: Bus bombing; Deaths: 8. Date: 3/2/2008; Location: Diyala, Iraq; Description: Bus bombing; Deaths: 5. Date: 3/4/2008; Location: Lahore, Pakistan; Description: Truck bomb; Deaths: 7. Date: 3/11/2008; Location: Nassiriya, Iraq; Description: Bus bombing; Deaths: 14. Date: 3/12/2008; Location: Between Basra and Nasiriya Iraq; Description: Bus bombing; Deaths: 16. Date: 3/12/2008; Location: Mosul, Iraq; Description: Truck bomb; Deaths: 0. Date: 3/12/2008; Location: Samarra, Iraq; Description: Truck bomb; Deaths: 3. Date: 3/14/2008; Location: Humera, Ethiopia; Description: Bus bombing; Deaths: 7. Date: 3/24/2008; Location: Pakistan/ Afghanistan border; Description: Truck bomb; Deaths: 0. Date: 4/5/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 3. Date: 4/14/2008; Location: Mosul, Iraq; Description: Truck bomb; Deaths: 12. Date: 4/22/2008; Location: Ramadi, Iraq; Description: Truck bomb; Deaths: 12. Date: 4/25/2008; Location: Piliyandala, Sri Lanka; Description: Bus bombing; Deaths: 23. Date: 5/9/2008; Location: Midsayap, North Cotabato; Description: Bus bombing; Deaths: 0. Date: 5/15/2008; Location: Legutiano, Spain; Description: Truck bomb; Deaths: 1. Date: 5/22/2008; Location: Erez crossing between Israel and the Gaza Strip; Description: Truck bomb; Deaths: 1. Date: 5/28/2008; Location: Farah province, Afghanistan; Description: Bus bombing; Deaths: 8. Date: 6/5/2008; Location: Baghdad, Iraq; Description: Truck bomb; Deaths: 15. Date: 6/6/2008; Location: Columbo, Sri Lanka; Description: Bus bombing; Deaths: 21. Date: 6/11/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 5. Date: 6/13/2008; Location: Kandahar, Afghanistan; Description: Truck bomb; Deaths: 9. Date: 6/14/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 2. Date: 6/18/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 63. Date: 7/1/2008; Location: Gayarah, Iraq; Description: Truck bomb; Deaths: 1. Date: 7/21/2008; Location: Kunming, China; Description: Bus bombing; Deaths: 2. Date: 7/24/2008; Location: Philippines; Description: Bus bombing; Deaths: 0. Date: 7/25/2008; Location: Bangalore, India; Description: Bus bombing; Deaths: 20. Date: 8/3/2008; Location: Baghdad, Iraq; Description: Truck bomb; Deaths: 12. Date: 8/10/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 4. Date: 8/12/2008; Location: Peshawar, Pakistan; Description: Bus bombing; Deaths: 13. Date: 8/13/2008; Location: Tripoli, Lebanon; Description: Bus bombing; Deaths: 18. Date: 8/20/2008; Location: Bouira, Algeria; Description: Bus bombing; Deaths: 12. Date: 8/23/2008; Location: Kandahar, Afghanistan; Description: Bus bombing; Deaths: 10. Date: 8/28/2008; Location: Bannu, Pakistan; Description: Bus bombing; Deaths: 8. Date: 8/30/2008; Location: Columbo, Sri Lanka; Description: Bus bombing; Deaths: 12. Date: 9/1/2008; Location: Manila, Philippines; Description: Bus bombing; Deaths: 6. Date: 9/2/2008; Location: Mosul, Iraq; Description: Bus bombing; Deaths: 4. Date: 9/20/2008; Location: Islamabad, Pakistan; Description: Truck bomb; Deaths: 60. Date: 9/30/2008; Location: Tripoli, Lebanon; Description: Bus bombing; Deaths: 5. Date: 10/1/2008; Location: Agartala, India; Description: Bus bombing; Deaths: 2. Date: 10/20/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 4. Date: 10/29/2008; Location: Hargeisa, Somalia; Description: Truck bomb; Deaths: 21. Date: 11/2/2008; Location: South Waziristan tribal region, Pakistan; Description: Truck bomb; Deaths: 8. Date: 11/4/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 11. Date: 11/10/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 28. Date: 11/12/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 12. Date: 11/12/2008; Location: Kandahar, Afghanistan; Description: Truck bomb; Deaths: 7. Date: 11/24/2008; Location: Baghdad, Iraq; Description: Bus bombing; Deaths: 11. Date: 12/4/2008; Location: Falluja, Iraq; Description: Truck bomb; Deaths: 13. Date: 12/6/2008; Location: Baghdad, Iraq; Description: Truck bomb; Deaths: 1. Date: 12/15/2008; Location: Khan Dhari, Iraq; Description: Truck bomb; Deaths: 9. Date: 12/24/2008; Location: Lahore, Pakistan; Description: Truck bomb; Deaths: 1. Date: 12/28/2008; Location: Afghanistan; Description: Truck bomb; Deaths: 14. Source: GAO. [End of table] [End of section] Appendix III: Commercial Vehicle Industry Trade Associations GAO Contacted: Table 4: Industry Associations GAO Interviewed Representing Commercial Vehicles: Association: American Bus Association (ABA); Population represented: Membership includes all types of motor coach services including scheduled, charter, shuttle, and commuter buses. Association: American Chemistry Council (ACC); Population represented: Companies engaged in the business of chemistry, including the transportation of chemicals. Association: American Federation of Labor and Congress of Industrial Organizations (AFL-CIO); Population represented: Commercial bus drivers and employees. Association: American Trucking Associations (ATA); Population represented: Trucking companies and affiliated state trucking associations. Association: Chlorine Institute (CI); Population represented: Companies involved in the production, distribution, and use of chlorine and related chemicals. Association: International Brotherhood of Teamsters (IBT); Population represented: Commercial truck drivers and warehousemen. Association: National Private Truck Council (NPTC); Population represented: Companies that operate truck fleets, but not as a primary source of business, such as retail, food and beverage companies. Association: National Tank Truck Carriers (NTTC); Population represented: Companies that specialize in the distribution of bulk liquids, industrial gases, and dry products carried in bulk cargo tankers. Association: Owner-Operator Independent Drivers Association (OOIDA); Population represented: Independent owner-operators and professional drivers. Association: Truck Manufacturers Association (TMA); Population represented: Manufacturers of medium and heavy duty trucks. Association: Truck Rental and Leasing Association (TRALA); Population represented: Truck renting and leasing companies. Association: United Motorcoach Association (UMA); Population represented: Membership largely consists of small bus companies offering charter services. Source: GAO. [End of table] [End of section] Appendix IV: DHS and DOT Commercial Vehicle Security Programs Designed to Strengthen Commercial Vehicle Security: In addition to Corporate Security Reviews, TSA and DHS have four key programs designed to strengthen the security of the commercial vehicle industry. DOT also has four programs underway to strengthen commercial vehicle security and TSA and DOT are working collaboratively on several projects for securing commercial vehicles. Each of these programs and projects are discussed below. DHS Security Programs: Trucking Security Program: The Trucking Security Program (TSP) provides grants that fund programs to train and support the members of the commercial vehicle industry in how to detect and report security threats, and how to avoid becoming a target for terrorist activity. TSP is administered by the Federal Emergency Management Agency's Grant Programs Directorate within DHS. As of May 2008, DHS has provided nearly $78 million in TSP grants since 2003. Congress appropriated $16 million to fund this trucking security grant program for fiscal year 2008, and $8 million for fiscal year 2009. For fiscal years 2004-2008 the principal activity funded by the TSP was the American Trucking Associations' Highway Watch program to improve security awareness in the commercial vehicle industry. In May 2008, however, a new grantee, the HMS Company of Alexandria, Virginia was selected. Security Action Items (SAIs): TSA consulted with DOT and industry stakeholders to develop SAIs, or voluntary security practices, intended to improve security for trucks carrying security-sensitive hazardous materials. TSA eventually plans to also develop SAIs for motor coaches and school buses. According to TSA officials, the SAIs will allow TSA to communicate the key elements of effective transportation security as voluntary practices; TSA officials will use CSRs to gauge whether voluntary practices are sufficient or if regulation is needed. Hazardous Materials Driver Background Check Program: A Hazardous Materials Endorsement (HME) authorizes an individual to transport hazardous materials for commerce. The USA PATRIOT Act, enacted in October 2001, prohibits states from issuing HMEs for a commercial driver's license to applicants who have not successfully completed background checks. In response, TSA implemented the hazardous materials driver security threat assessment program which evaluates the hazardous materials driver's criminal history, immigration status, mental capacity, and connection with terrorism to determine whether that driver poses a security risk.[Footnote 93] Intercity Bus Security Grant Program: This DHS program distributes grant money to eligible stakeholders to protect intercity bus systems and the traveling public from terrorism. Current priorities focus on enhanced security planning, passenger and baggage screening programs, facility security enhancements, vehicle and driver protection, as well as training and exercises. A total of $11.5 million was appropriated for fiscal year 2008 and $12 million for fiscal year 2009. A total of $11.5 million was appropriated for fiscal year 2008 and $12 million for fiscal year 2009.[Footnote 94] DOT Security Programs: Security Plans and Training: DOT regulations require shippers and carriers of certain hazardous materials to develop and implement security plans. [Footnote 95] The regulations permit a company to implement a security plan tailored to its specific circumstances and operations. At a minimum, a security plan must address personnel, access, and en route security. All shippers and carriers must also ensure that employee training includes a security awareness component. In response to an industry petition that certain hazardous materials posing little or no security risk be removed from the list of hazardous materials for which security plans are required, DOT is reevaluating the security plan regulations. Security Contact Reviews (SCRs): Through its SCRs, FMCSA conducts compliance reviews of the security plans for hazardous materials transport required by DOT hazardous materials regulations. FMCSA conducts SCRs on all hazardous materials motor carriers that transport placardable amounts of hazardous materials. As of September, 2008, FMCSA had conducted 7,802 SCRs since the inception of the programs. Hazardous Materials Safety Permit Program: Federal law directed FMCSA to implement the hazardous materials permit program to produce a safe and secure environment to transport certain types of hazardous materials.[Footnote 96] The program requires certain motor carriers to maintain a security program and establish a system of enroute communication. This program uses the SCRs to collect data on motor carrier ability to secure hazardous materials. Sensitive Security Visits (SSVs): FMCSA conducts SSVs as educational security discussions with motor carriers that carry small amounts of hazardous materials that do not require posting hazardous materials placards on their trucks. These visits discuss best practices for hazardous materials transportation and provide informal suggestions for improvement. As of September, 2008, FMCSA had conducted 13,411 SSVs since the inception of the programs. TSA and DOT Joint Security Programs: TSA Missouri CSR Pilot: This pilot program conducts abbreviated CSRs of trucking and motor coach companies using state inspectors. For more details of the Missouri CSR program, see pages 26-31. FMCSA and TSA Truck Tracking Security Pilots: FMCSA and TSA have concluded hazardous materials truck-tracking pilots. FMCSA completed a study of existing technologies in December 2004, evaluating wireless communications systems, including global positioning satellite (GPS) tracking and other technologies that allow companies to monitor the location of their trucks and buses. TSA also tested tracking and identification systems, theft detection and alert systems, motor vehicle disabling systems, and systems to prevent unauthorized operation of trucks and unauthorized access to their cargos. The 9/11 Commission Act mandated that the Secretary develop a tracking program for motor carrier shipments of hazardous materials by February 2008.[Footnote 97] TSA officials reported that they worked with DOT to meet this mandate and completed a program to facilitate truck tracking on January 10, 2008. Hazardous Materials Research Involving Security Initiatives: DOT and DHS sponsor research on emerging technology that could potentially be used to enhance the safety and security of hazardous materials transportation. This research involves evaluation of potential truck- disabling technologies, radiation detection devices, hazardous materials routing, and software to assist in hazardous materials incident response. Additional Programs: DHS and TSA also have a number of smaller programs to augment motor carrier security and programs in the planning stages. TSA has several projects on screening applicants for Commercial Drivers Licenses (CDLs) and Hazardous Materials Endorsements on CDLs. These include the Universal CDL Vetting Project, which will assess the feasibility of implementing watch list checks of 9 million commercial driver records. Through the Rental Truck Vetting Operational Study and Analysis, TSA is assessing technologies to screen rental truck customers against the DHS and FBI Watch List. To address the lack of security-related domain awareness, TSA and DHS also have developed several projects: Federal Law Enforcement Training Center (FLETC) Roadside Law Enforcement Transportation Security Awareness, and the Hazmat Motor Carrier Security Self-Assessment Training Project which distributed security self-assessment training on CDs to approximately 75,000 hazardous materials motor carriers and shippers. Through the Commercial Truck Insurance Initiative, TSA is coordinating with insurance companies to develop methods and measures to provide companies incentives to improve security. [End of section] Appendix V: DOT Data on the Commercial Vehicle Industry: DOT maintains data on carriers and commercial vehicles registered with DOT. However, the data on intrastate operations is incomplete and unreliable because FMCSA does not have authority to regulate intrastate operations that are not involved in the transport of hazardous materials. Firms that operate exclusively within a single state do not have to register with DOT unless they are in the 25 states that require all commercial vehicles to register with DOT, or transport hazardous materials. This means that DOT does not have data on approximately half the nation's intrastate carriers. Second, firms frequently do not keep their registrations current, and as a result the currency and accuracy of DOT's records are not assured and many of its registrations are inactive. "Inactive" means that carriers had no inspections, crashes, enforcement actions, compliance reviews, safety audits, or registration applications with DOT for 3 years. DOT does not know which firms have gone out of business and which have simply failed to maintain their registrations. These incomplete data on the population of commercial vehicle firms will present some additional challenges to TSA for conducting a truly representative sample of industry assessments. Table 5: DOT Commercial Vehicle Industry Data on Active and Inactive Registrants: Commercial vehicle industry: Truck motor carriers; Interstate operation: Total: 654,666; Interstate operation: Active: 479,120; Interstate operation: Inactive[B]: 175,546; Intrastate operation[A]: Total: 360,489; Intrastate operation[A]: Active: 240,726; Intrastate operation[A]: Inactive: 119,763; Total operation: Total: 1,015,155; Total operation: Active: 719,846; Total operation: Inactive: 295,309. Commercial vehicle industry: Motor coach carriers; Interstate operation: Total: 3,792; Interstate operation: Active: 3,686; Interstate operation: Inactive[B]: 106; Intrastate operation[A]: Total: 156; Intrastate operation[A]: Active: 146; Intrastate operation[A]: Inactive: 10; Total operation: Total: 3,948; Total operation: Active: 3,832; Total operation: Inactive: 116. Commercial vehicle industry: Trucks; Interstate operation: Total: 9,618,035; Interstate operation: Active: 8,455,301; Interstate operation: Inactive[B]: 1,162,734; Intrastate operation[A]: Total: 2,281,035; Intrastate operation[A]: Active: 1,622,392; Intrastate operation[A]: Inactive: 658,643; Total operation: Total: 11,899,070; Total operation: Active: 10,077,693; Total operation: Inactive: 1,821,377. Commercial vehicle industry: Motor coaches; Interstate operation: Total: 59,785; Interstate operation: Active: 47,629; Interstate operation: Inactive[B]: 12,156; Intrastate operation[A]: Total: 15,500; Intrastate operation[A]: Active: 13,241; Intrastate operation[A]: Inactive: 2,259; Total operation: Total: 75,285; Total operation: Active: 60,870; Total operation: Inactive: 14,415. Commercial vehicle industry: Drivers; Interstate operation: Total: 5,200,215; Interstate operation: Active: 4,647,922; Interstate operation: Inactive[B]: 552,293; Intrastate operation[A]: Total: 2,214,881; Intrastate operation[A]: Active: 1,789,207; Intrastate operation[A]: Inactive: 425,674; Total operation: Total: 7,415,096; Total operation: Active: 6,437,129; Total operation: Inactive: 977,967. Source: GAO analysis of DOT Motor Carrier Management Information System (MCMIS) and License and & Insurance (L&I) data as of August 22, 2008. [A] Intrastate carriers operate only within a single state. [B] "Inactive" means that carriers have had no inspections, crashes, enforcement actions, compliance reviews, safety audits, or MCS-150 filings with DOT for 3 years. DOT does not know which inactive firms have gone out of business and which have simply failed to maintain their registrations. [End of table] Table 6: Summary of Interstate and Intrastate Hazardous Materials (HAZMAT) Carriers: Total number of truck motor carriers; Interstate hazardous materials operation: Total: 44,028; Interstate hazardous materials operation: Active: 34,660; Interstate hazardous materials operation: Inactive[B]: 9,368; Intrastate hazardous materials operation[A]: Total: 16,654; Intrastate hazardous materials operation[A]: Active: 12,007; Intrastate hazardous materials operation[A]: Inactive: 4,647; Interstate & intrastate hazardous materials operations: Total: 60,682; Interstate & intrastate hazardous materials operations: Active: 46,667; Interstate & intrastate hazardous materials operations: Inactive: 14,015. : Total number of trucks; Interstate hazardous materials operation: Total: 3,677,169; Interstate hazardous materials operation: Active: 3,470,221; Interstate hazardous materials operation: Inactive[B]: 206,948; Intrastate hazardous materials operation[A]: Total: 180,559; Intrastate hazardous materials operation[A]: Active: 159,427; Intrastate hazardous materials operation[A]: Inactive: 21,132; Interstate & intrastate hazardous materials operations: Total: 3,857,728; Interstate & intrastate hazardous materials operations: Active: 3,629,648; Interstate & intrastate hazardous materials operations: Inactive: 228,080. : Total number of drivers; Interstate hazardous materials operation: Total: 1,642,460; Interstate hazardous materials operation: Active: 1,560,586; Interstate hazardous materials operation: Inactive[B]: 81,874; Intrastate hazardous materials operation[A]: Total: 137,584; Intrastate hazardous materials operation[A]: Active: 121,266; Intrastate hazardous materials operation[A]: Inactive: 16,318; Interstate & intrastate hazardous materials operations: Total: 1,780,044; Interstate & intrastate hazardous materials operations: Active: 1,681,852; Interstate & intrastate hazardous materials operations: Inactive: 98,192. Source: GAO analysis of DOT Motor Carrier Management Information System (MCMIS) and License and & Insurance (L&I) data as of August 22, 2008. [A] Intrastate carriers operate only within a single state. [B] "Inactive" means that carriers have had no inspections, crashes, enforcement actions, compliance reviews, safety audits, or MCS-150 filings with DOT for 3 years. DOT does not know which inactive firms have gone out of business and which have simply failed to maintain their registrations. [End of table] [End of section] Appendix VI Highway and Motor Carrier GCC Membership List: The following are member organizations of the Highway GCC: Transportation Security Administration: Federal Motor Carrier Safety Administration: Federal Highway Administration: National Highway Traffic Safety Administration: Pipeline and Hazardous Materials Safety Administration: Department of Defense: Department of Energy: Nuclear Regulatory Commission: DHS Customs and Border Protection: DHS Office of Infrastructure Protection: DHS Homeland Infrastructure Threat and Risk Analysis Center: DHS National Preparedness Directorate: DHS Office for State and Local Government Coordination: American Association of State Highway Transportation Officials: Commercial Vehicle Safety Alliance: American Association of Motor Vehicle Administrators: International Association of Chiefs of Police: National Sheriffs' Association: Federal Bureau of Investigation: [End of section] Appendix VII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: Homeland Security: February 6, 2009: Ms. Cathleen A. Berrick: Director, Homeland Security and Justice Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Berrick: RE: Draft Report GAO-09-85, Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector (GAO Job Code 440538) The Department of Homeland Security (Department) appreciates the opportunity to review and comment on the draft report referenced above. The Department, specifically the Transportation Security Administration (TSA), agrees with the four recommendations. We value the U.S. Government Accountability Office's (GAO's) extensive review of TSA's progress in addressing commercial vehicle security needs. Progress continues to be made in several commercial vehicle security programs referenced in the report as noted below. Risk Assessments: TSA is conducting separate risk assessments of highway components. TSA examines potential indicators of terrorist activity including the capabilities and intent of terrorists. This examination involves searching open source information along with a careful and thorough examination of classified information. In accordance with the provisions of the "Implementing Recommendations of the 9/11 Commission Act of 2007" (9/11 Act), TSA is conducting risk assessments on school bus transportation and commercial vehicle security, including general freight trucking, hazardous materials trucking, and bulk food transportation trucking. These risk assessments are expected to be completed by February 2009 and May 2009, respectively. In addition to the above, TSA is also conducting risk assessments on motor coach transportation, port and trucking interface, and highway infrastructure. TSA is actively working on the truck security assessment required under section 1540 of the 9/11 Act and as required will develop a comprehensive report which will include [hyperlink, http://www.dbs.gov] assessments of (1) actions already taken by private and public entities to address security risks, (2) economic impacts of security upgrades of trucks, (3) ongoing research by public and private entities, and (4) the current status of secure truck parking. TSA/U.S. Department of Transportation Memorandum of Understanding: TSA and the U.S. Department of Transportation (USDOT) have signed an overarching Memorandum of Understanding (MOU) for commercial vehicle security. TSA and the Federal Motor Carrier Safety Administration (FMCSA) have exhaustively discussed common programs and shared approaches to the variety of security programs needed. Many of those shared programs have become key cooperative elements in the Transportation Systems Sector-Specific Plan (TSSSP). Both agencies agreed during TSSSP discussions to incorporate TSSSP program agreements into MOU formats. That final step was completed when the MOU was signed by FMCSA and TSA on October 22, 2008. Corporate Security Reviews: Since the review by GAO, TSA has enlisted several additional states to conduct Corporate Security Reviews (CSR). Colorado and Michigan state commercial vehicle safety enforcement officers have been trained and have been performing CSRs over the past several months. The State of Arkansas will participate and the state commercial vehicle safety enforcement officers will receive training in June of 2009. TSA's Highway and Motor Carrier Division also is in the process of training 150 TSA Surface Transportation Security Inspectors (STSI) throughout the United States to conduct CSRs. Training has been conducted in Dallas, Washington, D.C., and Los Angeles to date, and additional training is scheduled for Philadelphia, Seattle and Chicago. As of December 2008, TSA has conducted 153 CSRs, encompassing 102 CSRs of motor carriers (15 motor coach companies, 20 school bus companies/districts, and 67 trucking companies). TSA has conducted 46 CSRs of state DOTs, including 3 revisits to previously reviewed states, and 5 CSRs of infrastructure facilities. TSA is launching a voluntary program to measure the security preparedness of the hazardous materials trucking industry. TSA is utilizing its STSI force to conduct CSR visits. TSA will select a statistically valid sample of motor carriers transporting hazardous materials to request that they voluntarily participate in a CSR. This will allow TSA to measure the current level of preparedness for terrorist incidents involving trucks transporting hazardous materials. TSA plans to conduct annual CSRs on a recurring basis to determine whether the trucking industry is following current security regulations as well as voluntary Security Action Items (SATs) established by TSA. TSA's mission includes ensuring the secure movement of people, goods, and services for those using highways, roads, intermodal terminals, bridges, and tunnels. This includes all aspects of the transport of persons and cargo by commercial and non-commercial buses, trucks, and school buses. Although the report analyzes TSA's efforts to secure the 3 "commercial" motor carrier community, TSA's responsibility to address large vehicles capable of delivering terrorist weapons of extraordinary destructive force extends well beyond the "for hire" motor carriers who fall under the jurisdiction of other federal transportation regulators. TSA must also ensure that the security of private motor carriers and those who may not operate in interstate commerce are addressed as well. Highway security is a huge task. Implementation of Recommendations: The recommendations provide TSA with a useful analysis of TSA's current approach regarding commercial vehicle security, recognition of progress to date, and additional guidance for success. TSA is accomplishing much of what GAO recommends and is formulating additional plans to fulfill the recommendations. Recommendation 1: The Assistant Secretary for the TSA establish a plan and a timeframe for completing risk assessments of the commercial vehicle sector, and use this information to support future updates to the Transportation Sector Strategic Plan, including: * to the extent feasible, conduct assessments that include information about the likelihood of a terrorist attack method on a particular asset, system or network as required by the National Infrastructure Protection Plan; * conducting a vulnerability assessment of the commercial vehicle sector, including: - assessing the scope and method of assessments required to gauge the sector's vulnerabilities; - considering the findings and recommendations of [the] Missouri pilot evaluation report to strengthen future Corporate Security Reviews; and - enhancing direct coordination with state governments to expand the TSA's field inspection CSR capacities; * conducting consequence assessments of the commercial vehicle sector, or develop alternative strategies to assess potential consequences of attacks, such as coordinating with other Sector Specific Agencies to leverage their consequence assessment efforts. Response: TSA is actively conducting risk assessments of the major components of the commercial vehicle sector. This includes assessments of the trucking industry (general trucking, hazardous materials trucking, and segments of bulk food trucking) and school buses as required under the 9/11 Act. TSA is also conducting risk assessments of the motor coach industry, highway infrastructure, and the interface of the domestic trucking industry with U.S. ports. These assessments will examine specific scenarios involving individual 4 components of the commercial vehicle sector and will include information on the likelihood of a terrorist attack method on an asset, system, or network. TSA also is committed to a cross comparison of the risk analysis for all of these elements of the commercial vehicle sector. TSA's goal is to complete these risk assessments in the following timeframes: Highway Sector: School Bus; Date: February 2009. Highway Sector: Trucking; Date: May 2009. Highway Sector: Motor Coach; Date: May 2009. Highway Sector: Highway Infrastructure; Date: July 2009. Highway Sector: Trucking-Port Interface; Date: July 2009. Highway Sector: Cross Comparison of Highway/Motor Carrier Risks; Date: October 2009. In developing the risk assessments, TSA relies upon federal and state government subject matter experts and specific private sector stakeholders to identify potential vulnerabilities that may make the structure susceptible to terrorist attacks. This takes place through the framework of scenarios that carefully identify specific elements such as attack mode, attack type, and access to target. When appropriate, TSA will consult with Sector Specific Agencies. TSA also examines consequence information based on the scenarios that have been developed. TSA relies upon public and private sector subject matter experts to identify potential consequences and draws upon data from the Department of Transportation's Federal Motor Carrier Safety Administration, Federal Highway Administration, and Pipeline and Hazardous Materials Safety Administration; the Federal Bureau of Investigation; and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. TSA experts in risk analysis and explosives also provide information on consequences. TSA will continue using this methodology to identify the potential consequences of terrorist actions on transportation and, when appropriate, will consult with Sector Specific Agencies. As previously noted, in addition to working with the State of Missouri, TSA has worked with the states of Colorado and Michigan to set up CSR programs. TSA has provided extensive training to these states in conducting and reporting on CSRs. TSA also is launching a voluntary program to measure security preparedness in the hazardous materials trucking industry. TSA is training its Federal Security Director staffs and Surface Transportation Security Inspectors to conduct CSRs. Using these field resources, TSA will select a statistically valid sample of motor carriers transporting hazardous materials and request they each voluntarily participate in a CSR. This will allow TSA to clearly measure the current level of preparedness for terrorist incidents involving trucks transporting hazardous materials. TSA plans to conduct CSRs annually to assess changes in preparedness in the hazardous materials trucking industry. Recommendation 2: In future updates to the Highway Infrastructure and Motor Carrier Annex to the Transportation Sector Security Plan, the Assistant Secretary for the TSA should clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials, the relative risk of vehicle borne improvised explosive devices to the sector, and, based on the relative risk of these threats, any risk mitigation activities that will be implemented to address them. Response: As TSA develops future updates to the Transportation Systems Sector Specific Plan Highway Infrastructure and Motor Carrier Annex, it intends to include risk-based clarification of the security strategies. Although for the past two years TSA has primarily focused on the transportation of hazardous materials, ongoing industry risk assessments and regulatory efforts may shift the current strategies, and communicating these strategies in the annex to all stakeholders will be critical to successful implementation of the TSSSP. TSA anticipates that the updated Highway Infrastructure and Motor Carrier Annex to the TSSSP will better enable the communication of the security strategies, including the risks and associated mitigation efforts, stakeholder roles and responsibilities. Recommendation 3: The Assistant Secretary of the TSA develop outcome- based performance measures, to the extent possible, to assess the effectiveness of federal programs to enhance the security of the commercial vehicle sector. Response: TSA recognizes the importance of establishing outcome-based performance measures for any and all programs developed and implemented to strengthen security. Within the highway mode, TSA's Hazardous Materials (HAZMAT) Endorsement Threat Assessment Program requires that security threat assessments be completed on commercial drivers requesting a HAZMAT endorsement for their commercial drivers license (CDL). The outcome-based measure for this program is directly correlated to the number of HAZMAT endorsements approved in relation to the total CDL population. The majority of the other highway modal security efforts within TSA have been establishing baseline voluntary guidelines and training tools as well as industry risk assessments. It is premature to use outcome-based measures on these new and voluntary efforts, thus output measurements were and are being used. As the regulations from the 9/11 Act are completed and finalized, the resulting programs will have outcome based measures. One example of TSA's efforts to establish baseline and follow-on measurements is in the CSR initiative. TSA is creating a database to compile the results of statistically valid CSR visits which are being conducted nationwide on hazardous materials motor carriers beginning in 2009. TSA will conduct these CSRs annually to measure changes in industry security against a potential terrorist event targeting the hazardous materials highway transportation component. Recommendation 4: The Assistant Secretary for the TSA establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that roles and responsibilities of industry and government are fully defined and clearly communicated; new approaches to enhance communication are considered; and monitoring and assessing the effectiveness of its coordination efforts. Response: Recognizing the importance of having and maintaining strong working relationships with both industry and other government agencies, and working through the Government Coordinating Council/Sector Coordinating Councils (GCC/SCC) security partnership framework established in the National Infrastructure Protection Plan (NIPP), TSA has established an industry/government coordination process that continues to mature and develop. TSA recognizes the need to specifically define roles and responsibilities with all highway security stakeholders, including industry and federal, state, local, and tribal governments. The appropriate place for defining roles and responsibilities as well as communications methods and measurement efforts is in the TSSSP modal annex. TSA will include a "roles and responsibilities" section and a "communications" section during the TSSSP rewrite in 2009. In terms of monitoring and assessing the effectiveness of the coordination efforts, TSA continues to build security partnerships under the newly defined GCC/SCC organizations as established in the NIPP and TSSSP. As the coordination efforts under these strategic plans are only 17 months old, the measuring and assessing processes are also new and continue to be refined so as to improve the coordination and communications efforts to be the most effective and efficient possible. Sincerely, Signed by: Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix VIII: GAO Contact and Staff Acknowledgments: GAO Contact: Cathleen A. Berrick (202) 512-3404 or berrickc@gao.gov: Acknowledgments: Glenn Davis and Robert White, Assistant Directors, and Dan Rodriguez and Jason Schwartz, Analysts-in-Charge worked with Cathleen Berrick to manage this assignment. Gary Malavenda made significant contributions to many aspects of the work. Tracey King provided legal and regulatory support. Shamia Woods analyzed federal, state, and industry actions. Jennifer Cooper analyzed TSA's cooperation efforts. Elizabeth Curda provided assistance on performance measurement and collaboration. Anish Bhatt and Joanna Berry helped in the design, methodology, and pilot test of the incidents of bus and truck bombings. Colleen Candrl helped in the design and conducted the searches on the incidents of bus and truck bombings. Evan Gilman, Virginia Chanley, and Anna Maria Ortiz provided additional design and methodological support. [End of section] Footnotes: [1] Intracity buses and rail are part of urban mass transit systems. We are currently conducting a separate review of mass transit and passenger rail security and plan to report on the results in early 2009. [2] Transportation sectors are also referred to as modes of transportation. [3] Pub. L. No. 108-458, § 4001(a), 118 Stat. 3638, 3710 (2004). [4] On December 17, 2003, President Bush issued HSPD-7 addressing critical infrastructure identification, prioritization, and protection. [5] GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: October 2005). [6] See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [7] In 2007, 1865 of 2072 truck bombing deaths were in Iraq. [8] There have also been shootings and kidnappings of drivers. [9] Pub. L. No. 107-71, § 101(a), 115 Stat. 597, 597 (2001). [10] Pub. L. No. 107-296, 116 Stat. 2135 (2002). [11] See Pub. L. No. 110-53, § 1310, 121 Stat. 266, 400 (2007); Pub. L. No. 107-71, 115 Stat. 597 (2001); HSPD-7; Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). [12] 49 U.S.C. § 5103. [13] Pub. L. No. 107-296, § 1711, 116 Stat. 2135, 2319-20 (2002) (codified at 49 U.S.C. § 5103). [14] Pub. L. No. 110-53, § 1541, 121 Stat. 266, 469 (2007) (codified at 6 U.S.C. § 1186). [15] Some of these inspections are funded through FMCSA's Motor Carrier State Assistance Program (MCSAP), which provides financial assistance to certain state and local jurisdictions. This assistance may be used to conduct compliance reviews of state safety regulations. MCSAP is a federal grant program administered by FMCSA that provides financial assistance to states to reduce the number and severity of crashes and hazardous materials incidents involving commercial motor vehicles. [16] Pub. L. No. 107-71, 115 Stat. 597 (2001). [17] 49 U.S.C. § 5103a(a)(1). [18] 49 C.F.R. pt. 1572. [19] The report must also include an assessment of the economic impact that security upgrades of trucks, truck equipment, or truck facilities may have on the trucking industry and its employees, including independent owner-operators; an assessment of ongoing research by public and private entities and the need for additional research on truck security; and an assessment of the current status of secure truck parking. Pub. L. No. 110-53, § 1540, 121 Stat. 266, 468 (2007). [20] Id. at § 1554, 121 Stat. at 473 (codified at 6 U.S.C. § 1204). [21] Id. at § 1531, 121 Stat. at 454-57 (codified at 6 U.S.C. § 1181). [22] Id. at § 1534, 121 Stat. at 461-62 (codified at 6 U.S.C. § 1184); id. at § 1533, 121 Stat. at 460-61 (codified at 6 U.S.C. § 1183). [23] Id. at § 1553, 121 Stat. at 472 (2007) (codified at 6 U.S.C. § 1203). [24] 49 C.F.R. §§ 172.700-172.804. [25] Specifically, the subset of hazardous materials requiring security plans includes: (1) a highway route-controlled quantity of a Class 7 (radioactive) material; (2) more than 25 kg (55 lbs) of a Division 1.1 (explosive with a mass explosion hazard), 1.2 (explosive with a projection hazard), or 1.3 (explosive with predominately a fire hazard material); (3) more than 1 L (1.06 qt) per package of a toxic by inhalation (TIH) material of a specified concentration level; (4) a shipment of hazardous materials in bulk packaging having a capacity of 13,248 L (3,500 gallons) or more for liquids or gases or more than 13.24 cubic meters (468 cubic feet) for solids; (5) a shipment in other than bulk packaging of 2,268 kg (5,000 lbs) gross weight or more of one class of hazardous materials for which placarding is required; (6) a select agent or toxin regulated by the Centers for Disease Control and Prevention; and (7) a quantity of hazardous materials that requires placarding. 49 C.F.R. § 172.800. [26] The component to which surface transportation grant funding has been appropriated has changed over time, due largely to DHS restructuring. TSA distributed the transportation security grants until fiscal year 2005, when the DHS Office for State and Local Government Coordination and Preparedness assumed responsibility for issuing and administering the grants. During fiscal year 2008, the grant funding was appropriated to FEMA, which is currently responsible for distributing the grants. [27] As of May 2008, TSA HMC had 17 staff including two personnel in the risk assessment (TVC) branch, five in trucking, four for licensing and infrastructure, and three for policy, plans and stakeholder coordination. HMC had two staff vacancies. [28] Industry shares are by tonnage. [29] DOT data on carriers are as of August 2008. [30] Federal hazardous transportation law defines a hazardous material as a substance or material that the Secretary of Transportation has determined is capable of posing an unreasonable risk to health and safety or property when transported in commerce. 49 U.S.C. § 5103. It includes a variety of substances such as explosive or radioactive material and toxic materials such as anhydrous ammonia, sulfuric acid, or chlorine. [31] The hazard class of dangerous goods is indicated either by its class (or division) number or name. Most classes also are further broken out into subsidiary hazard classes. Placards are used to identify the class or division of a material to first responders. Class 1 are explosives which are further subdivided into explosives with a hazard of mass explosion, projection, fire, etc; Class 2 are flammable, nonflammable and nontoxic gases, and toxic gases; Class 3 are flammable liquids and combustible liquids such as gasoline; Class 4 are flammable solids, spontaneously combustible materials, and water- reactive, dangerous-when-wet materials; Class 5 are oxidizing substances and organic peroxides; Class 6 include toxic or poisonous substances such as TIH and infectious substances; Class 7 are radioactive materials, Class 8 are corrosive substances; and class 9 are miscellaneous hazardous materials, products, substances, or organisms. [32] Toxic Inhalation Hazards are a gas or volatile liquid which is known to be so toxic to humans as to pose a hazard to health during transportation, or in the absence of adequate data on human toxicity, is presumed to be toxic to humans based on tests on laboratory animals. [33] Volpe National Transportation Systems Center, Security Enhancement Study for the U.S. Motorcoach Industry. (Cambridge, Mass.: May 2003). [34] DHS serves as the sector-specific agency for 11 of the 18 sectors: information technology; communications; transportation systems; chemical; emergency services; nuclear reactors, material, and waste; postal and shipping; dams; government facilities; critical manufacturing and commercial facilities. Other sector-specific agencies are the Departments of Agriculture, Defense, Energy, Health and Human Services, Interior, Treasury, and the Environmental Protection Agency. See GAO, Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Improve, GAO-07-706R (Washington, D.C.: July 10, 2007). [35] See GAO, Standards for Internal Control in the Federal Government [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999) pp. 21-22. [36] The NIPP defines threat as: The likelihood that a particular asset, system, or network will suffer an attack or an incident. In the context of risk from terrorist attack, the estimate of this is based on the analysis of the intent and the capability of an adversary; in the context of natural disaster or accident, the likelihood is based on the probability of occurrence. [37] Motor carriers include commercial vehicles and school buses. [38] TSA officials also stated that the Aviation Domain Risk Assessment (ADRA) developed in response to HSPD-16 was a more comprehensive risk assessment of the aviation industry, with 117 scenario-based risk assessments with likelihood estimates. We were not provided the opportunity to review the NTSRA or the ADRA before completing our work, and we could not assess their validity. [39] This is the most recent information provided by TSA. The agency has also conducted 44 CSRs on state DOTs and 6 bridge and tunnel authorities. [40] The draft best practices are called the Uniform Security Template. In addition, specific voluntary best practices for hazardous materials carriers, called Strategic Action Items, were developed. [41] Through an earlier contract with the American Bus Association, TSA developed and released a list of recommended security practices for motor coach operators in October 2005. [42] This program is generally referred to as the MCSAP. [43] FMCSA decides which motor carriers to review for compliance with its safety regulations primarily by using an algorithm called SafeStat to identify high-risk carriers. GAO analyzed two alternative approaches to better identify commercial carriers that pose high crash risks: GAO, Motor Carrier Safety: A Statistical Approach Will Better Identify Commercial Carriers That Pose High Crash Risks Than Does the Current Federal Approach, [hyperlink, http://www.gao.gov/products/GAO-07-585] (Washington, D.C.: June 11, 2007); and Motor Carrier Safety: Federal Safety Agency Identifies Many High-Risk Carriers but Does Not Assess Maximum Fines as Often as Required by Law, [hyperlink, http://www.gao.gov/products/GAO-07-584] (Washington, D.C.: Aug. 28, 2007). All new firms registering with DOT are also subject to these safety inspections. [44] The report also noted difficulties throughout the CSR data collection process, from questionnaire design through analysis and reporting. For example, because the Missouri CSRs did not identify carriers delivering different types of cargo on the questionnaire, the contractor lacked a formal mechanism for selection of hazardous material transport companies for review, and it is likely that the 14 hazardous materials carriers identified do not represent the full set of hazardous materials carriers among the 1251 cases studied. [45] Monitoring of internal control should include policies and procedures for ensuring that the findings of audits and other reviews are promptly resolved. Managers are to (1) promptly evaluate findings from audits and other reviews, including those showing deficiencies and recommendations reported by auditors and others who evaluate agencies' operations; (2) determine proper actions in response to findings and recommendations from audits and reviews; and (3) complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention. See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999) pp. 21-22. [46] TSA Federal Security Directors (FSDs) are the ranking TSA authorities responsible for the leadership and coordination of TSA security activities at commercial airports regulated by TSA. [47] Going forward, TSA reported that it will identify CSR targets based on risk factors including the safety records of commercial motor carriers, business factors, data on theft, and a focus on select hazardous materials such as toxic inhalation hazards. TSA could not provide documentation that it had validated this approach and that these factors were valid indicators of likely levels of security practices. TSA contracted with Oak Ridge National Laboratory to develop a risk-based CSR selection procedure, but this report has not been finalized. [48] TSA also had acquired an Argonne National Laboratory report that provides additional predictive information that expands on the Protective Action Distances for Toxic Inhalation Hazard incidents provided in the Emergency Response Guidebook: David F. Brown, Safe Distance Estimates for Selected Toxic-by-Inhalation Materials, Argonne National Laboratory (Argonne, Ill.: 2003). TSA has also consulted the Defense Threat Reduction Agency on specific scenarios. [49] Security self-assessments could provide additional data on industry vulnerabilities, and TSA developed Web-based security self- assessment training for hazmat motor carriers and shippers. [50] In September 2008 TSA officials stated that the contractor was conducting 80 to 100 scenarios using industry experts for the highway and motor carrier sector. TSA stated that these scenarios would cover general freight, transportation of food commodities and hazardous materials, IEDs, and VBIEDs. [51] For example, a full analysis of vulnerability, the likelihood of an attack succeeding, includes assessing how well potential targets have mitigated risks. Accordingly, the 9/11 Commission Act also mandated that TSA complete and report an assessment of actions already taken by both public and private entities to address identified security risks to the trucking industry. Scenarios alone cannot assess the incidence and quality of mitigation efforts. Without a comprehensive CSR program, or a survey of private sector actions, TSA will not be able to methodically assess private security activity. [52] See GAO, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, [hyperlink, http://www.gao.gov/products/GAO-08-492] (Washington, D.C.: June 25, 2008), p. 13. [53] The Trucking Security Program (TSP) provides grants that fund programs to train and support the members of the commercial vehicle industry in how to detect and report security threats, and how to avoid becoming a target for terrorist activity. The 9/11 Commission Act required the DHS Inspector General to prepare an initial report on the Trucking Security Program, which was issued in October 2007 and described the announcement, application, receipt, review, award, and monitoring processes, and summarized the expenditures related to fiscal year 2004 and 2005 grants. Office of the Inspector General, Department of Homeland Security, Administration of the Federal Trucking Industry Security Grant Program for FY 2004 and FY 2005, OIG-08-08 (Washington, D.C.: Oct. 29, 2007). The 9/11 Commission Act also required the DHS Inspector General to prepare a report by August 2008 that analyzes the performance, efficiency, and effectiveness of the trucking security grant program. Pub. L. No. 110-53, § 1542, 121 Stat. 266, 469 (2007). [54] In addition, the Transportation Sector Annual Report notes that the DHS Science and Technology Explosives Division and is working on improving existing explosive detection methods and technologies, including for IEDs and VBIEDS. [55] 49 C.F.R. pt. 1572. TSA is utilizing a phased-in implementation over 5 years and expects that all drivers with a hazardous materials endorsement on a commercial driver's license will have obtained a TSA fingerprint-based background check by May 31, 2010. To mitigate the risk of potentially dangerous drivers retaining an HME until the end of the implementation period, in September, 2006 TSA conducted name-based intelligence checks of all drivers who have HMEs. [56] Most of these are trucking firms, but a few bus companies also transport some of the less dangerous hazardous materials. [57] 49 C.F.R. §§ 172.800-172.804. [58] The Hazardous Materials Transportation Uniform Safety Act of 1990 required DOT to establish a safety permit program for hazardous materials motor carriers. Pub. L. No. 101-615, § 8, 104 Stat. 3244, 3255-58 (codified as amended at 49 U.S.C. § 5109). [59] Pub. L. No. 110-53, § 1540, 121 Stat. 266, 468 (2007). [60] Id. at § 1554, 121 Stat. 266, 473. [61] Id. at § 1534, 121 Stat. at 461-62 (codified at 6 U.S.C. § 1184); id. at § 1533, 121 Stat. at 460-61 (codified at 6 U.S.C. § 1183). [62] Id. at § 1531, 121 Stat. at 454-57 (codified at 6 U.S.C. § 1181). [63] TSA officials stated that they also supported a FEMA decision to require bus security grant applicants this year to have in place a vulnerability assessment and a comprehensive plan. [64] State governors also work collectively through the National Governor's Association (NGA) which has surveyed its members on their homeland security progress in developing homeland security structures, priorities, and programs, but NGA does not have any specific committees for commercial vehicle security. [65] States conduct both roadside inspections of trucks and on-site company inspections. [66] DHS supports fusion centers by providing financial assistance, the majority of which has flowed through the Homeland Security Grant Program. All of the states we interviewed had state or regional fusion centers to coordinate safety and security monitoring and response. [67] However, as previously noted, due to design problems the accuracy of the report's findings regarding both hazardous materials and small carriers could not be assured. [68] OMB Circular A-11. [69] GAO, Performance Measurement and Evaluation: Definitions and Relationships, [hyperlink, http://www.gao.gov/products/GAO-05-739SP], p. 3 (Washington, D.C.: May 2, 2005). [70] See [hyperlink, http://www.gao.gov/products/GAO-06-15]; GAO, Agency Performance Plans: Examples of Practices That Can Improve Usefulness to Decision Makers, [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] (Washington, D.C.: February 26, 1999), p. 3; and GAO, Results-Oriented Management: Agency Crosscutting Actions and Plans in Border Control, Flood Mitigation and Insurance, Wetlands, and Wildland Fire Management, [hyperlink, http://www.gao.gov/products/GAO-03-321], p.1 (Washington, D.C.: December 20, 2002), p. 1. [71] GAO, Transportation Security: DHS Efforts to Eliminate Redundant Background Check Investigations, [hyperlink, http://www.gao.gov/products/GAO-07-756], (Washington, D.C.: April 26, 2007), p. 5. [72] See [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington, D.C: October 21, 2005). [73] GAO, Transportation Security: Federal Action Needed to Help Address Security Challenges, [hyperlink, http://www.gao.gov/products/GAO-03-843] (Washington, D.C.: June 2003). [74] See [hyperlink, http://www.gao.gov/products/GAO-03-843]. [75] See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [76] TSA plans to revise its sector-specific plan in 2009. [77] PHMSA did complain that TSA has a separate GCC for each sector of transportation, and as a result, the sum of all these meetings was becoming a burden. [78] As noted above, DOT is responsible for ensuring the security, as well as the safety, of the transportation of hazardous materials, and DOT has issued and enforces regulations regarding training and security plans for hazardous materials shippers and carriers. 49 U.S.C. § 5103; 49 C.F.R. §§ 172.700-172.804. [79] Pub. L. No. 110-53, § 1555, 121 Stat. 266, 475 (2007). [80] Safety Status Measurement System (SAFESTAT). GAO has previously made recommendations about how to better identify safety risks: GAO, Motor Carrier Safety: A Statistical Approach Will Better Identify Commercial Carriers That Pose High Crash Risks Than Does the Current Federal Approach, [hyperlink, http://www.gao.gov/products/GAO-07-585] (Washington, D.C.: September 2007). [81] In addition, TSA and DOT have established a specific MOU annex concerning the Commercial Driver's License Information System (CDLIS), which allows TSA direct access to this database to check applicants with backgrounds in hazardous materials transport. [82] The TSSP does not specify what the role of the Risk Working Group shall be. [83] The National Governors Association (NGA), representing the nation's governors, does not have a specific committee on commercial vehicle security. However, they are the lead on state homeland security and recently reported in their 2007 NGA Best Practices survey that a particular concern of state homeland security officials was coordination with DHS. They reported that "States continue to report unsatisfactory progress in their relationship with the federal government, specifically with the DHS." [84] [hyperlink, http://www.gao.gov/products/GAO-06-15]. [85] TSA HMC's Web site [hyperlink, http://www.tsa.gov/what_we_do/tsnm/highway/documents_reports.shtm] [86] See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [87] See GAO, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, [hyperlink, http://www.gao.gov/products/GAO-08-492] (Washington, D.C.: June 25, 2008), p. 13. [88] See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999) pp. 21-22. [89] We conducted site visits to Maryland, Virginia, Ohio, Georgia, and Missouri and held teleconferences with Louisiana, Illinois, and Florida. [90] GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: October 2005). [91] In September 2008, the Director of the Central Intelligence Agency said that 80 percent of all intelligence comes from open sources. [92] 49 C.F.R. pt. 1572. [93] Annual appropriations for the bus security grant program were $10 million for fiscal year 2005, $10 million for fiscal year 2006, $12 million for fiscal year 2007, $11.5 million for fiscal year 2008, and $12 million for fiscal year 2009. [94] 49 C.F.R. §§ 172.800-172.804. [95] The Hazardous Materials Transportation Uniform Safety Act of 1990 required DOT to establish a safety permit program for hazardous materials motor carriers. Pub. L. No. 101-615, § 8, 104 Stat. 3244 (codified as amended at 49 U.S.C. § 5109). [96] Pub. L. No. 110-53, § 1554, 121 Stat. 266, 473 (2007). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: