Skip to main content

Aviation Security: A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls

GAO-09-399 Published: Sep 30, 2009. Publicly Released: Sep 30, 2009.
Jump To:
Skip to Highlights

Highlights

Incidents of airport workers using access privileges to smuggle weapons through secured airport areas and onto planes have heightened concerns regarding commercial airport security. The Transportation Security Administration (TSA), along with airports, is responsible for security at TSA-regulated airports. To guide risk assessment and protection of critical infrastructure, including airports, the Department of Homeland Security (DHS) developed the National Infrastructure Protection Plan (NIPP). GAO was asked to examine the extent to which, for airport perimeters and access controls, TSA (1) assessed risk consistent with the NIPP; (2) implemented protective programs, and evaluated its worker screening pilots; and (3) established a strategy to guide decision making. GAO examined TSA documents related to risk assessment activities, airport security programs, and worker screening pilots; visited nine airports of varying size; and interviewed TSA, airport, and association officials.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Transportation Security Administration To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones (i.e., time frames) for completing the assessment, that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk--threat, vulnerability, and consequence. As part of this effort, evaluate whether the current approach to conducting JVAs appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. If the evaluation demonstrates that a nationwide assessment should be conducted, develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, leverage existing assessment information from industry stakeholders, to the extent feasible and appropriate, to inform its assessment.
Closed – Implemented
In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones for completing the assessment, that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk--threat, vulnerability, and consequence. As part of this effort, TSA should evaluate whether the current approach to conducting joint vulnerability assessments (JVAs) of high-risk airports conducted jointly with the Federal Bureau of Investigation appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. If the evaluation demonstrates that a nationwide assessment should be conducted, TSA should develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, TSA should leverage existing assessment information from industry stakeholders to inform its assessment. In response to this recommendation, TSA used existing threat and vulnerability assessment activities to collectively develop a comprehensive risk assessment of airport perimeter and access controls security. This assessment is comprised of seven existing threat and vulnerability assessment activities, such as airport inspections, airport self-evaluation and resource allocation activities, strategic risk assessment reports, threat information, and JVAs, among other activities. In response to the second part of our recommendation, TSA stated that as part of this effort to create a comprehensive risk assessment, it analyzed its current approach to conducting JVAs and determined that while this approach appropriately assesses system vulnerabilities, enhancing the process would be beneficial. Consequently, TSA contracted to develop a new JVA tool that is intended to help assessors better determine which airports are most at risk and to identify strategies for reducing an airport's vulnerability. TSA also analyzed whether an assessment of security vulnerabilities at airports nationwide should be conducted and determined that while the current status of airport perimeter systems does not warrant an immediate nationwide assessment, a future nationwide assessment is appropriate to improve security. TSA plans to conduct this ongoing, nationwide comprehensive risk assessment in phases, to include local and national information, and to be updated as conditions warrant. TSA began the initial phase in 2011, with the development of an initiative to identify, through surveys, airports' use of more innovative security measures, such as the use of biometrics, and compile these into a compendium. TSA has identified timeframes for beginning the remaining phases of the nationwide comprehensive risk assessment, such as developing a baseline of airport perimeter and access control elements for category III - X airports that are to be inputted in a national database for risk scoring, among other things. TSA plans in the final phase to review high-risk airports for vulnerabilities and identify measures to mitigate these vulnerabilities. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.
Transportation Security Administration To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes (1)measurable objectives, (2) criteria or standards for determining program performance, (3) a clearly articulated methodology, (4) a detailed data collection plan, and (5) a detailed data analysis plan.
Closed – Implemented
In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes measurable objectives, criteria or standards for determining program performance, a clearly articulated methodology, a detailed data collection plan, and a detailed data analysis plan. In response to GAO's recommendation, TSA issued a memorandum, effective August 24, 2012, to division directors in the Office of Security Policy and Industry Engagement (OSPIE) requiring that future transportation security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes measurable objectives, criteria or standards for determining program performance, a clearly articulated methodology, a detailed data collection plan, and a detailed data analysis plan. The memorandum specifies that an evaluation plan is to be developed prior to initiation of any new initiative or project that has the potential to either become a new program or to modify in any significant manner an existing program, and is to be distinct from performance measures. The memorandum also cites GAO-12-208G, Designing Evaluations: 2012 Revision (January 2012), as a resource guide to effective evaluation. All evaluation plans are to be reviewed for compliance with the directive before they are approved. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.
Transportation Security Administration To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems.
Closed – Implemented
In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems. In response to GAO's recommendation, TSA identified actions taken since 2005 that collectively establish requirements and performance standards for the use of biometric airport access control systems. Specifically, in March 2005, TSA issued draft guidance on the use of biometrics in airport access control systems and invited comment from affected stakeholders and experts through a public meeting and notification in the Federal Register (70 Fed. Reg. 10667). In October 2005, TSA released a guidance package that discussed the basic criteria and standards biometric products should meet to address the technical requirements of acceptable performance for airport access control systems. Subsequently, as a member of the RTCA, Inc., a federal aviation advisory committee TSA worked with primary aviation stakeholders on the RTCA's Special Committee on Integrated Security Standards for Airport Access Control to develop guidance and standards for access controls at airports, including specifications for access control technologies, biometrics, credentials, and other systems. As this is a permanent committee, TSA and other members are to conduct ongoing revisions to biometric standards and guidance as needed. GAO reviewed the 2005 guidance and other documents, and TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.
Transportation Security Administration To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives.
Closed – Implemented
In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives. In response to GAO's recommendation, in October 2009, TSA and select industry associations that support commercial airport operations formed a working group--the In-Depth Security Review (IDSR) effort--to review all active airport (as defined by 49 C.F.R. Section 1542.103(a)) security directives and security program amendments to consider the placement of these requirements within the regulatory framework, to include deletions or revisions to current requirements. In April 2012, TSA sent a letter to industry associations affirming its commitment to ongoing reviews of active security directives through the IDSR working group. In this letter, TSA stated that the IDSR had completed its initial review of all airport security directives, alternate procedures, and security program amendments, and was submitting to TSA leadership recommendations to rescind certain requirements, further clarify requirements within the Airport Security Program Guide, or consolidate similar requirements into an airport security program amendment. TSA also stated that the agency had, as a result of IDSR recommendations, taken actions to rescind, change, or finalize various requirements. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.
Transportation Security Administration To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, the Assistant Secretary of TSA should work with aviation stakeholders to better ensure a unified approach among airport security stakeholders for developing, implementing, and assessing actions for securing airport perimeters and access to controlled areas, develop a national strategy for airport security that incorporates key characteristics of effective security strategies, including the following: (1) Measurable goals, priorities, and performance measures. TSA should also consider using information from other methods, such as covert testing and proxy measures, to gauge progress toward achieving goals. (2) Program cost information and the sources and types of resources needed. TSA should also identify where those resources would be most effectively applied by exploring ways to develop and implement cost-benefit analysis to identify the most cost-effective alternatives for reducing risk. (3) Plans for coordinating activities among stakeholders, integrating airport security goals and activities with those of other aviation security priorities, and implementing security activities within the agency.
Closed – Implemented
In September 2009, GAO recommended, among other things, that the Transportation Security Administration (TSA) work with aviation stakeholders to develop a national strategy for airport security that incorporates key characteristics of effective security strategies, such as measurable goals, priorities, performance measures, program cost information, and plans for implementing security activities within the agency. In response to GAO's recommendation, in September 2012, TSA issued a national strategy for airport perimeter and access control security. This strategy includes, among other things, strategic objectives and goals, such as promoting the use of innovative and cost effective measures for reducing risk to airport perimeter and controlled access areas. It also states that TSA will identify outcome-based performance targets and levels for each strategic goal, against which progress can be measured, noting that current performance measures, which are primarily output based, do not measure the effectiveness of protection and mitigation activities. Towards this end, a matrix of proposed, high-level outcome-oriented metrics is also provided. Additionally, the strategy discusses areas in which program cost information may be developed, such as personnel costs associated with the airport assessment and inspection activities. The strategy also identifies challenges to securing commercial airports as well as potential risk areas. GAO reviewed a draft of the strategy and provided comments for TSA's consideration. TSA's actions are consistent with the intent of our recommendation. This recommendation is closed as implemented.

Full Report

Office of Public Affairs

Topics

Access controlAccountabilityAirport securityBackground investigationsCommercial aviationCost effectiveness analysisCritical infrastructure protectionDecision makingHomeland securityInternal controlsPort security assessment programProgram evaluationRisk assessmentRisk managementSafety standardsSecurity assessmentsStrategic planningTerrorism