Aviation Security:

A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls

GAO-09-399: Published: Sep 30, 2009. Publicly Released: Sep 30, 2009.

Additional Materials:

Contact:

Stephen M. Lord
(202) 512-4379
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Incidents of airport workers using access privileges to smuggle weapons through secured airport areas and onto planes have heightened concerns regarding commercial airport security. The Transportation Security Administration (TSA), along with airports, is responsible for security at TSA-regulated airports. To guide risk assessment and protection of critical infrastructure, including airports, the Department of Homeland Security (DHS) developed the National Infrastructure Protection Plan (NIPP). GAO was asked to examine the extent to which, for airport perimeters and access controls, TSA (1) assessed risk consistent with the NIPP; (2) implemented protective programs, and evaluated its worker screening pilots; and (3) established a strategy to guide decision making. GAO examined TSA documents related to risk assessment activities, airport security programs, and worker screening pilots; visited nine airports of varying size; and interviewed TSA, airport, and association officials.

Although TSA has implemented activities to assess risks to airport perimeters and access controls, such as a commercial aviation threat assessment, it has not conducted vulnerability assessments for 87 percent of the nation's approximately 450 commercial airports or any consequence assessments. As a result, TSA has not completed a comprehensive risk assessment combining threat, vulnerability, and consequence assessments as required by the NIPP. While TSA officials said they intend to conduct a consequence assessment and additional vulnerability assessments, TSA could not provide further details, such as milestones for their completion. Conducting a comprehensive risk assessment and establishing milestones for its completion would provide additional assurance that intended actions will be implemented, provide critical information to enhance TSA's understanding of risks to airports, and help ensure resources are allocated to the highest security priorities. Since 2004, TSA has taken steps to strengthen airport security and implement new programs; however, while TSA conducted a pilot program to test worker screening methods, clear conclusions could not be drawn because of significant design limitations and TSA did not document key aspects of the pilot. TSA has taken steps to enhance airport security by, among other things, expanding its requirements for conducting worker background checks and implementing a worker screening program. In fiscal year 2008 TSA pilot tested various methods to screen airport workers to compare the benefits, costs, and impacts of 100 percent worker screening and random worker screening. TSA designed and implemented the pilot in coordination with the Homeland Security Institute (HSI), a federally funded research and development center. However, because of significant limitations in the design and evaluation of the pilot, such as the limited number of participating airports--7 out of about 450--it is unclear which method is more cost-effective. TSA and HSI also did not document key aspects of the pilot's design, methodology, and evaluation, such as a data analysis plan, limiting the usefulness of these efforts. A well-developed and well-documented evaluation plan can help ensure that pilots generate needed performance information to make effective decisions. While TSA has completed these pilots, developing an evaluation plan for future pilots could help ensure that they are designed and implemented to provide management and Congress with necessary information for decision making. TSA's efforts to enhance the security of the nation's airports have not been guided by a unifying national strategy that identifies key elements, such as goals, priorities, performance measures, and required resources. For example, while TSA's various airport security efforts are implemented by federal and local airport officials, TSA officials said that they have not identified or estimated costs to airport operators for implementing security requirements. GAO has found that national strategies that identify these key elements strengthen decision making and accountability; in addition, developing a strategy with these elements could help ensure that TSA prioritizes its activities and uses resources efficiently to achieve intended outcomes.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives. In response to GAO's recommendation, in October 2009, TSA and select industry associations that support commercial airport operations formed a working group--the In-Depth Security Review (IDSR) effort--to review all active airport (as defined by 49 C.F.R. Section 1542.103(a)) security directives and security program amendments to consider the placement of these requirements within the regulatory framework, to include deletions or revisions to current requirements. In April 2012, TSA sent a letter to industry associations affirming its commitment to ongoing reviews of active security directives through the IDSR working group. In this letter, TSA stated that the IDSR had completed its initial review of all airport security directives, alternate procedures, and security program amendments, and was submitting to TSA leadership recommendations to rescind certain requirements, further clarify requirements within the Airport Security Program Guide, or consolidate similar requirements into an airport security program amendment. TSA also stated that the agency had, as a result of IDSR recommendations, taken actions to rescind, change, or finalize various requirements. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

    Recommendation: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems. In response to GAO's recommendation, TSA identified actions taken since 2005 that collectively establish requirements and performance standards for the use of biometric airport access control systems. Specifically, in March 2005, TSA issued draft guidance on the use of biometrics in airport access control systems and invited comment from affected stakeholders and experts through a public meeting and notification in the Federal Register (70 Fed. Reg. 10667). In October 2005, TSA released a guidance package that discussed the basic criteria and standards biometric products should meet to address the technical requirements of acceptable performance for airport access control systems. Subsequently, as a member of the RTCA, Inc., a federal aviation advisory committee TSA worked with primary aviation stakeholders on the RTCA's Special Committee on Integrated Security Standards for Airport Access Control to develop guidance and standards for access controls at airports, including specifications for access control technologies, biometrics, credentials, and other systems. As this is a permanent committee, TSA and other members are to conduct ongoing revisions to biometric standards and guidance as needed. GAO reviewed the 2005 guidance and other documents, and TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

    Recommendation: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes (1)measurable objectives, (2) criteria or standards for determining program performance, (3) a clearly articulated methodology, (4) a detailed data collection plan, and (5) a detailed data analysis plan.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes measurable objectives, criteria or standards for determining program performance, a clearly articulated methodology, a detailed data collection plan, and a detailed data analysis plan. In response to GAO's recommendation, TSA issued a memorandum, effective August 24, 2012, to division directors in the Office of Security Policy and Industry Engagement (OSPIE) requiring that future transportation security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes measurable objectives, criteria or standards for determining program performance, a clearly articulated methodology, a detailed data collection plan, and a detailed data analysis plan. The memorandum specifies that an evaluation plan is to be developed prior to initiation of any new initiative or project that has the potential to either become a new program or to modify in any significant manner an existing program, and is to be distinct from performance measures. The memorandum also cites GAO-12-208G, Designing Evaluations: 2012 Revision (January 2012), as a resource guide to effective evaluation. All evaluation plans are to be reviewed for compliance with the directive before they are approved. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

    Recommendation: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones (i.e., time frames) for completing the assessment, that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk--threat, vulnerability, and consequence. As part of this effort, evaluate whether the current approach to conducting JVAs appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. If the evaluation demonstrates that a nationwide assessment should be conducted, develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, leverage existing assessment information from industry stakeholders, to the extent feasible and appropriate, to inform its assessment.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones for completing the assessment, that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk--threat, vulnerability, and consequence. As part of this effort, TSA should evaluate whether the current approach to conducting joint vulnerability assessments (JVAs) of high-risk airports conducted jointly with the Federal Bureau of Investigation appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. If the evaluation demonstrates that a nationwide assessment should be conducted, TSA should develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, TSA should leverage existing assessment information from industry stakeholders to inform its assessment. In response to this recommendation, TSA used existing threat and vulnerability assessment activities to collectively develop a comprehensive risk assessment of airport perimeter and access controls security. This assessment is comprised of seven existing threat and vulnerability assessment activities, such as airport inspections, airport self-evaluation and resource allocation activities, strategic risk assessment reports, threat information, and JVAs, among other activities. In response to the second part of our recommendation, TSA stated that as part of this effort to create a comprehensive risk assessment, it analyzed its current approach to conducting JVAs and determined that while this approach appropriately assesses system vulnerabilities, enhancing the process would be beneficial. Consequently, TSA contracted to develop a new JVA tool that is intended to help assessors better determine which airports are most at risk and to identify strategies for reducing an airport's vulnerability. TSA also analyzed whether an assessment of security vulnerabilities at airports nationwide should be conducted and determined that while the current status of airport perimeter systems does not warrant an immediate nationwide assessment, a future nationwide assessment is appropriate to improve security. TSA plans to conduct this ongoing, nationwide comprehensive risk assessment in phases, to include local and national information, and to be updated as conditions warrant. TSA began the initial phase in 2011, with the development of an initiative to identify, through surveys, airports' use of more innovative security measures, such as the use of biometrics, and compile these into a compendium. TSA has identified timeframes for beginning the remaining phases of the nationwide comprehensive risk assessment, such as developing a baseline of airport perimeter and access control elements for category III - X airports that are to be inputted in a national database for risk scoring, among other things. TSA plans in the final phase to review high-risk airports for vulnerabilities and identify measures to mitigate these vulnerabilities. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

    Recommendation: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to better ensure a unified approach among airport security stakeholders for developing, implementing, and assessing actions for securing airport perimeters and access to controlled areas, develop a national strategy for airport security that incorporates key characteristics of effective security strategies, including the following: (1) Measurable goals, priorities, and performance measures. TSA should also consider using information from other methods, such as covert testing and proxy measures, to gauge progress toward achieving goals. (2) Program cost information and the sources and types of resources needed. TSA should also identify where those resources would be most effectively applied by exploring ways to develop and implement cost-benefit analysis to identify the most cost-effective alternatives for reducing risk. (3) Plans for coordinating activities among stakeholders, integrating airport security goals and activities with those of other aviation security priorities, and implementing security activities within the agency.

    Agency Affected: Department of Homeland Security: Directorate of Border and Transportation Security: Transportation Security Administration

    Status: Closed - Implemented

    Comments: In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) work with aviation stakeholders to develop a national strategy for airport security that incorporates key characteristics of effective security strategies, such as measurable goals, priorities, performance measures, program cost information, and plans for implementing security activities within the agency. In response to GAO's recommendation, in September 2012, TSA issued a national strategy for airport perimeter and access control security. This strategy includes, among other things, strategic objectives and goals, such as promoting the use of innovative and cost effective measures for reducing risk to airport perimeter and controlled access areas. It also states that TSA will identify outcome-based performance targets and levels for each strategic goal, against which progress can be measured, noting that current performance measures, which are primarily output based, do not measure the effectiveness of protection and mitigation activities. Towards this end, a matrix of proposed, high-level outcome-oriented metrics is also provided. Additionally, the strategy discusses areas in which program cost information may be developed, such as personnel costs associated with the airport assessment and inspection activities. The strategy also identifies challenges to securing commercial airports as well as potential risk areas. GAO reviewed a draft of the strategy and provided comments for TSA's consideration. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

    Apr 18, 2014

    Apr 8, 2014

    Feb 28, 2014

    Feb 12, 2014

    Feb 5, 2014

    Feb 3, 2014

    Jan 31, 2014

    Jan 16, 2014

    Looking for more? Browse all our products here