Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives
Highlights
Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) and the U.S. Coast Guard manage the Transportation Worker Identification Credential (TWIC) program, which requires maritime workers to complete background checks and obtain a biometric identification card to gain unescorted access to secure areas of regulated maritime facilities. As requested, GAO evaluated the extent to which (1) TWIC processes for enrollment, background checking, and use are designed to provide reasonable assurance that unescorted access to these facilities is limited to qualified individuals; and (2) the effectiveness of TWIC has been assessed. GAO reviewed program documentation, such as the concept of operations, and conducted site visits to four TWIC centers, conducted covert tests at several selected U.S. ports chosen for their size in terms of cargo volume, and interviewed agency officials. The results of these visits and tests are not generalizable but provide insights and perspective about the TWIC program. This is a public version of a sensitive report. Information DHS deemed sensitive has been redacted.
Internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of Maritime Transportation Security Act (MTSA)-regulated facilities is restricted to qualified individuals. To meet the stated program purpose, TSA designed TWIC program processes to facilitate the issuance of TWICs to maritime workers. However, TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals. GAO found that internal controls in the enrollment and background checking processes are not designed to provide reasonable assurance that (1) only qualified individuals can acquire TWICs; (2) adjudicators follow a process with clear criteria for applying discretionary authority when applicants are found to have extensive criminal convictions; or (3) once issued a TWIC, TWIC-holders have maintained their eligibility. Further, internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of MTSA-regulated facilities during covert tests conducted by GAO's investigators. During covert tests of TWIC use at several selected ports, GAO's investigators were successful in accessing ports using counterfeit TWICs, authentic TWICs acquired through fraudulent means, and false business cases (i.e., reasons for requesting access). Conducting a control assessment of the TWIC program's processes to address existing weaknesses could better position DHS to achieve its objectives in controlling unescorted access to the secure areas of MTSA-regulated facilities and vessels. DHS has not assessed the TWIC program's effectiveness at enhancing security or reducing risk for MTSA-regulated facilities and vessels. Further, DHS has not demonstrated that TWIC, as currently implemented and planned, is more effective than prior approaches used to limit access to ports and facilities, such as using facility specific identity credentials with business cases. Conducting an effectiveness assessment that further identifies and assesses TWIC program security risks and benefits could better position DHS and policymakers to determine the impact of TWIC on enhancing maritime security. Further, DHS did not conduct a risk-informed cost-benefit analysis that considered existing security risks, and it has not yet completed a regulatory analysis for the upcoming rule on using TWIC with card readers. Conducting a regulatory analysis using the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program, could help DHS ensure that the TWIC program is more effective and cost-efficient than existing measures or alternatives at enhancing maritime security. Among other things, GAO recommends that DHS assess TWIC program internal controls to identify needed corrective actions, assess TWIC's effectiveness, and use the information to identify effective and cost-efficient methods for meeting program objectives. DHS concurred with all of the recommendations.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. This assessment should consider weaknesses we identified in this report among other things, and include: (1) strengthening the TWIC program's controls for preventing and detecting identity fraud, such as requiring certain biographic information from applicants and confirming the information to the extent needed to positively identify the individual, or implementing alternative mechanisms to positively identify individuals; (2) defining the term extensive criminal history for use in the adjudication process and ensuring that adjudicators follow a clearly defined and consistently applied process, with clear criteria, in considering the approval or denial of a TWIC for individuals with extensive criminal convictions not defined as permanent or interim disqualifying offenses; and (3) identifying mechanisms for detecting whether TWIC holders continue to meet TWIC disqualifying criminal offense and immigration-related eligibility requirements after TWIC issuance to prevent unqualified individuals from retaining and using authentic TWICs. |
We reported that internal control weaknesses governing the enrollment, background checking, and use of TWIC potentially limit the program's ability to provide reasonable assurance that access to secure areas of MTSA-regulated facilities is restricted to qualified individuals. We further reported that TSA did not assess the internal controls designed and in place to determine whether they provided reasonable assurance that the program could meet defined mission needs for limiting access to only qualified individuals, and that internal control weaknesses in TWIC enrollment, background checking, and use could have contributed to the breach of selected MTSA-regulated facilities during covert tests conducted by our investigators. We recommended that DHS perform an internal control assessment of the TWIC program by (1) analyzing existing controls, (2) identifying related weaknesses and risks, and (3) determining cost-effective actions needed to correct or compensate for those weaknesses so that reasonable assurance of meeting TWIC program objectives can be achieved. In December 2017, a third party contracted by TSA reported on the results of its internal control assessment of the TWIC program, including the TWIC program's internal controls of the enrollment, background checking, and credential issuance processes. We believe that this is a positive step towards addressing our recommendation. However, the assessment did not include an evaluation of the use of TWIC, including Coast Guard's role in TWIC enforcement. In February 2018, TSA, with assistance from DHS's Science and Technology (DHS S&T) Directorate, further initiated a study with a Homeland Security Operational Analysis Center to conduct an assessment of the TWIC program's security effectiveness in the maritime environment. The study resulted in a 2019 report titled "The Risk Mitigation Value of the Transportation Worker Identification Credential: A Comprehensive Security Assessment of the TWIC Program." A copy of the report was recently provided to GAO for review. The study included consideration of systems and related control activities that could be used to potentially enhance access control activities in the maritime environment. The study further recognized that cyber vulnerabilities exist, but could have been enhanced by identifying potential controls for reasonably assuring that use of TWIC with readers and associated systems used for access control decisions are reliable and not surreptitiously altered. Together, the 2017 and 2019 reports reasonably address our recommendation that an internal control assessment be conducted. We therefore assess this recommendation as closed and implemented.
|
Department of Homeland Security |
Priority Rec.
To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks.
|
To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. We reported that DHS had not assessed the program's effectiveness at enhancing security. We recommended that DHS conduct an effectiveness assessment that includes addressing internal control weaknesses and, at a minimum, evaluates whether use of TWIC in its present form and planned use with readers would enhance the posture of security beyond efforts already in place given costs and program risks. DHS, through TSA, took steps to address this recommendation by having an internal controls assessment conducted of the TWIC program's enrollment, background checking, credential issuance, and continued eligibility review. In addition, a Homeland Security Operational Analysis Center study, initiated by TSA, with assistance from DHS's Science and Technology Directorate, resulted in a 2019 report titled "The Risk Mitigation Value of the Transportation Worker Identification Credential: A Comprehensive Security Assessment of the TWIC Program." With regard to security benefits given costs, the study reported that "for attack methods that would necessitate someone gaining physical access to a secure area, TWIC can play a risk-mitigation role." However, it also reported that "benefits brought by the TWIC-reader rule are unlikely to outweigh its costs." It further reported that the "study does not prove that further investment in TWIC is the most efficient security investment for facilities, and our observations during the port visits suggest that there are likely more cost-effective methods of reducing the risk that maritime facilities face." Altogether, the report reasonably addresses our recommendation that an effectiveness assessment be conducted. We therefore assess this recommendation to be closed and implemented.
|
Department of Homeland Security | To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. |
To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should use the information from the internal control and effectiveness assessments as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. We reported that prior to issuing the regulation on implementing the use of TWIC as a flashpass, DHS conducted a regulatory analysis which asserted that TWIC would increase security. The analysis included an evaluation of the costs and benefits related to implementing TWIC. We further reported that as a proposed regulation on the use of TWIC with biometric card readers is under development, DHS is to issue a new regulatory analysis. We recommended that DHS use the information from the internal control and effectiveness assessments we recommended as the basis for evaluating the costs, benefits, security risks, and corrective actions needed to implement the TWIC program in a manner that will meet stated mission needs and mitigate existing security risks as part of conducting the regulatory analysis on implementing a new regulation on the use of TWIC with biometric card readers. In April 2020, TSA reported that it worked with Coast Guard to incorporate results from the 2017 risk and internal controls assessment and the 2019 effectiveness assessments. Coast Guard's May 8, 2020 regulation titled "TWIC-Reader Requirements; Delay of Effective Date" further captures that some aspects of the effectiveness assessment were considered in the rule and are to be considered in future rules on the TWIC program. In addition, DHS's June 2020 Report to Congress titled "Corrective Action Plan from the Assessment of the Risk Mitigation Value of the Transportation Worker Identification Credential" identifies a number of near-term next steps, such as improving data collected in its MISLE system, as we recommended in 2011, and reassessing the need for TWIC readers at Certain Dangerous Cargo (CDC) facilities. We therefore assess this recommendation to be closed and implemented.
|
Department of Homeland Security | To identify effective and cost-efficient methods for meeting TWIC program objectives, and assist in determining whether the benefits of continuing to implement and operate the TWIC program in its present form and planned use with readers surpass the costs, the Secretary of Homeland Security should direct the Commandant of the Coast Guard to design effective methods for collecting, cataloguing, and querying TWIC-related compliance issues to provide the Coast Guard with the enforcement information needed to assess trends in compliance with the TWIC program and identify associated vulnerabilities. |
We found that Coast Guard's approach for monitoring and enforcing TWIC compliance could be improved by enhancing its collection and assessment of maritime security information. We reported that the Coast Guard uses its Marine Information for Safety and Law Enforcement (MISLE) database to provide the capability to collect, maintain, and retrieve information necessary for the administration, management, and documentation of Coast Guard Activities. However, because of limitations in the MISLE system design, the processes involved in the collection, cataloging, and querying of information cannot be relied upon to produce the management information needed to assess trends in compliance with the TWIC program or associated vulnerabilities. For instance, when inspectors document a TWIC card verification check, the system is set up to record the number of TWICs reviewed for different types of workers and whether the TWIC holders are compliant or noncompliant. However, other details on TWIC-related deficiencies, such as failure to ensure that all facility personnel with security duties are familiar with all relevant aspects of the TWIC program and how to carry them out, are not recorded in the system in a form that allows inspectors or other Coast Guard officials to easily and systematically identify that a deficiency was related to TWIC. Further, according to Coast Guard officials, local Coast Guard inspectors may not always or consistently record all inspection attempts. Consequently, while Coast Guard officials told us that inspectors verify TWICs as part of all security inspections, the Coast Guard could not reliably provide the number of TWICs checked during each inspection. We therefore reported that as a result of limitations in MISLE design and the collection and recording of inspection data, it will be difficult for the Coast Guard to identify trends nationwide in TWIC-related compliance, such as whether particular types of facilities or a particular region of the country have greater levels of noncompliance, on an ongoing basis. We therefore recommended that the Coast Guard design effective methods for collecting, cataloging, and querying TWIC-related compliance issues to provide the Coast Guard with the enforcement information needed to assess trends in compliance with the TWIC program and identify associated vulnerabilities. As of May 2016, Coast Guard reported that it has made updates to its MISLE system to address our recommendation. For example, Coast Guard can now query TWIC compliance reports by district. Coast Guard officials also report that they have requested additional adjustments to the system in order to better query and produce reports from its MISLE system but can provide no timetable for completion. Coast Guard officials, however, report that they will not be implementing certain reporting features highlighted in our report, such as the ability to query TWIC-related compliance issues that occur by the type of facility. Specifically, Coast Guard officials reported that they see no value in building a capability to sort TWIC data by the type of facility. They further reported that data showing that a given type of facility had a given rate of TWIC compliance would have no significance as it would represent many different companies in different locations. Given that impending TWIC regulation on the use of TWIC with readers is to be applied based on facility type, we continue to believe that such information would help inform the Coast Guard's implementation of TWIC requirements provide for a better understanding of its security-related enhancements. Given that this recommendation was issued 5 years ago and it remains incomplete with no timetable for completion, we are closing the recommendation as not implemented.
|