Skip to main content

Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector

GAO-09-85 Published: Feb 27, 2009. Publicly Released: Mar 27, 2009.
Jump To:
Skip to Highlights

Highlights

 

Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives.

TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA's threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials' associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments.

 

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Transportation Security Administration To assist the Transportation Security Administration in more fully evaluating, selecting, and implementing commercial vehicle security risk mitigation activities, and to help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, the Assistant Secretary for the Transportation Security Administration should establish a plan and a time frame for completing risk assessments of the commercial vehicle sector, and use this information to support future updates to the Transportation Sector Strategic Plan, to include conducting: (1) to the extent feasible, assessments that include information about the likelihood of a terrorist attack method on a particular asset, system, or network as required by the National Infrastructure Protection Plan; (2) a vulnerability assessment of the commercial vehicle sector, including: assessing the scope and method of assessments required to gauge the sector's vulnerabilities; considering the findings and recommendations of the Missouri pilot evaluation report to strengthen future Corporate Security Reviews; and enhancing direct coordination with state governments to expand the Transportation Security Administration's field inspection Corporate Security Review capacities; (3) consequence assessments of the commercial vehicle sector, or developing alternative strategies to assess potential consequences of attacks, such as coordinating with other Sector-Specific Agencies to leverage their consequence assessment efforts.
Closed – Implemented
We reported in February 2009 that the Transportation Security Administration (TSA) had begun conducting risk assessments of the commercial vehicle sector, but had not yet completed these efforts. Specifically, TSA's threat assessments generally had not identified the likelihood of specific threats as required by Department of Homeland Security policy, and the commercial vehicle sector vulnerability and consequence assessment efforts were either in early stages or had not yet begun. As a result, we recommended that TSA establish a plan and time frame for completing the risk assessments of the commercial vehicle sector and use this information to support future updates to the Transportation Systems Sector-Specific Plan, including specific information on threats, vulnerabilities, and consequences. In August 2012, TSA provided us with an updated annex to its Transportation Systems Sector-Specific Plan for the commercial vehicle sector as well as all of the risk assessments described in the annex, all of which used a threat-vulnerability-consequence risk analysis approach based on specific threat scenarios. These actions are consistent with the intent of our recommendation.
Transportation Security Administration To assist the Transportation Security Administration in more fully evaluating, selecting, and implementing commercial vehicle security risk mitigation activities, and to help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, the Assistant Secretary for the Transportation Security Administration should, in future updates to the Highway Infrastructure and Motor Carrier Annex to the Transportation Sector Security Plan, clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials, the relative risk of vehicle-borne improvised explosive devices to the sector, and, based on the relative risk of these threats, any risk mitigation activities to be implemented to address them.
Closed – Implemented
We reported in February 2009 that the Transportation Security Administration's (TSA) rationale for focusing its highway infrastructure and motor carrier security strategy on the transportation of hazardous materials, as opposed to other threats like vehicle borne improvised explosive devices (VBIED), was unclear. As a result, we recommended that, in future updates to the highway infrastructure and motor carrier annex to the Transportation Systems Sector-Specific Plan, TSA clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials and providing information on the relative risk of VBIEDs. In August 2012, TSA provided us with the updated annex as well as all of the risk assessments described in the annex. According to TSA, the agency is no longer focusing solely on the transportation of hazardous materials. The updated annex also provides information on the relative risk of various threats, including VBIEDs and IEDs. Further, all of the risk assessments include scenarios measuring the relative risk of certain types of attacks, describe current risk mitigation activities, and make recommendations to reduce risk. These actions are consistent with the intent of our recommendation.
Transportation Security Administration To assist the Transportation Security Administration in more fully evaluating, selecting, and implementing commercial vehicle security risk mitigation activities, and to help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, the Assistant Secretary for the Transportation Security Administration should develop outcome-based performance measures, to the extent possible, to assess the effectiveness of federal programs to enhance the security of the commercial vehicle sector.
Closed – Implemented
We reported in February 2009 that the Transportation Security Administration (TSA) lacked effectiveness measures for key security programs. Specifically, while TSA had begun developing and using performance measures to assess the progress of commercial vehicle security programs, it did not have outcome data to monitor how effectively its programs are achieving their intended purpose. As a result, we recommended that TSA develop such outcome-based performance measures. In August 2012, TSA provided GAO with an updated highway infrastructure and motor carrier annex - which includes the commercial vehicle sector - to its Transportation Systems Sector-Specific Plan. According to the annex, the timeframe for developing outcome-based performance measures for monitoring the goals, objectives, and individual risk mitigating activities related to highway infrastructure and motor carriers is predicated on the completion of the program portfolio prioritization initiative, anticipated to be complete in calendar year 2013. In the meantime, TSA developed a dashboard to track the effectiveness of its efforts in all transportation modes, including the commercial vehicle sector, in reducing risk. According to TSA, the purpose of this dashboard is to measure risk-reducing progress across all modes of transportation, assess the value of each activity as a function of risk, quantify risk reduction progress, and provide TSA senior leadership with a means of monitoring TSA and industry efforts to raise the security baseline throughout the transportation enterprise and of identifying areas for improvement. This dashboard provides TSA with outcome-based measures to monitor how effectively its programs are achieving their intended purpose. Therefore, this recommendation is closed as implemented.
Transportation Security Administration To assist the Transportation Security Administration in more fully evaluating, selecting, and implementing commercial vehicle security risk mitigation activities, and to help strengthen the security of commercial vehicles in the United States and leverage the knowledge and practices employed by key federal and nonfederal stakeholders, the Assistant Secretary for the Transportation Security Administration should establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that the roles and responsibilities of industry and government are fully defined and clearly communicated; new approaches to enhance communication are considered; and monitoring and assessing the effectiveness of its coordination efforts.
Closed – Not Implemented
We reported in February 2009 that the Transportation Security Administration (TSA) could do more to improve coordination with federal, state, and industry stakeholders to strengthen commercial vehicle security. Specifically, some state and industry officials reported that TSA had not clearly defined stakeholder roles and responsibilities, and we found that TSA had not developed a means to monitor the effectiveness of its coordination efforts. As a result, we recommended that TSA establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that the roles and responsibilities of industry and government are fully defined and clearly communicated, and monitoring the effectiveness of its coordination efforts. In response, in August 2012, TSA provided us with an update to the highway and motor carrier annex of its Transportation Systems Sector-Specific plan, in which the agency clarified roles and responsibilities of federal, state, and industry stakeholders. In August 2012, TSA also provided us with an action memorandum describing two new policies to strengthen coordination between TSA and the surface transportation industry, which includes the commercial vehicle sector. First, peer advisory groups that would address coordination issues were to be established for each transportation mode by the end of calendar year 2012. Second, each transportation mode or appropriate industry segment is required to perform at least one exercise each year to address coordination issues. The memorandum also stated that in order to ensure that these actions are being implemented and carried out appropriately, each TSA branch manager must provide a progress report on these items to the director of the surface division as part of their annual performance review and assessment process. In November 2012, a senior TSA official told us that the agency is conducting an efficiency review of its efforts to share information with the surface transportation industry (which includes commercial vehicles). As of August 2013, that review was scheduled to be completed by September 2013. In addition, TSA has expanded its Transit and Rail Intelligence Awareness Daily (TRIAD) bulletins - which summarize information on suspicious activities, terrorism and counterterrorism analysis, and general security awareness - to include highway and commercial vehicle issues. TSA is also combining the previously-dormant Highway Information Sharing and Analysis Center with the Public Transit and Surface Transportation Information Sharing and Analysis Centers to facilitate and streamline efforts to share information with stakeholders. In 2013, members of the Highway and Motor Carrier Sector Coordinating Council told us that the clarity of their roles and responsibilities and the quality of coordination with DHS has improved, but not all members were in agreement and said more could be done. TSA has begun implementing other new approaches to enhance communication, for example, by improving its public web page to list basic security guidance brochures for each sector that could provide trucking and busing firms and drivers with easy nationwide access to this information. However, as to monitoring and assessing effectiveness of its coordination efforts, DHS told us in July 2013 that TSA had not addressed how to coordinate and get feedback from its over 800,000 trucking firms, the majority of which are small owner-operator firms, nor had TSA addressed how to monitor and assess the effectiveness of its coordination efforts. Thus, while TSA has taken some initial steps in the right direction, it has not developed a process to measure whether or not its efforts have had an impact and made the sector more secure. Therefore, we consider this recommendation closed as not implemented.

Full Report

Office of Public Affairs

Topics

BombingsCommercial motor vehicle operatorsComputer securityExplosivesFacility securityHazardous substancesHomeland securityMotor carriersMotor vehicle safetyMotor vehiclesPerformance measuresReporting requirementsRisk assessmentRisk managementSafetySafety standardsSecurities regulationSecurity assessmentsSecurity policiesSecurity threatsStrategic planningTerrorismTerroristsTrucking operationsStakeholder consultations