Skip to main content

Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed

GAO-13-198 Published: May 08, 2013. Publicly Released: May 08, 2013.
Jump To:
Skip to Highlights

Highlights

What GAO Found

GAO's review of the pilot test aimed at assessing the technology and operational impact of using the Transportation Security Administration's (TSA) Transportation Worker Identification Credential (TWIC) with card readers showed that the test's results were incomplete, inaccurate, and unreliable for informing Congress and for developing a regulation (rule) about the readers. Challenges related to pilot planning, data collection, and reporting affected the completeness, accuracy, and reliability of the results. These issues call into question the program's premise and effectiveness in enhancing security.

Planning. The Department of Homeland Security (DHS) did not correct planning shortfalls that GAO identified in November 2009. GAO determined that these weaknesses presented a challenge in ensuring that the pilot would yield information needed to inform Congress and the regulation aimed at defining how TWICs are to be used with biometric card readers (card reader rule). GAO recommended that DHS components implementing the pilot--TSA and the U.S. Coast Guard (USCG)--develop an evaluation plan to guide the remainder of the pilot and identify how it would compensate for areas where the TWIC reader pilot would not provide the information needed. DHS agreed and took initial steps, but did not develop an evaluation plan, as GAO recommended.

Data collection. Pilot data collection and reporting weaknesses include:

  • Installed TWIC readers and access control systems could not collect required data, including reasons for errors, on TWIC reader use, and TSA and the independent test agent (responsible for planning, evaluating, and reporting on all test events) did not employ effective compensating data collection measures, such as manually recording reasons for errors in reading TWICs.
  • TSA and the independent test agent did not record clear baseline data for comparing operational performance at access points with TWIC readers.
  • TSA and the independent test agent did not collect complete data on malfunctioning TWIC cards.
  • Pilot participants did not document instances of denied access.

TSA officials said challenges, such as readers incapable of recording needed data, prevented them from collecting complete and consistent pilot data. Thus, TSA could not determine whether operational problems encountered at pilot sites were due to TWIC cards, readers, or users, or a combination of all three.

Issues with DHS's report to Congress and validity of TWIC security premise. DHS's report to Congress documented findings and lessons learned, but its reported findings were not always supported by the pilot data, or were based on incomplete or unreliable data, thus limiting the report's usefulness in informing Congress about the results of the TWIC reader pilot. For example, reported entry times into facilities were not based on data collected at pilot sites as intended. Further, the report concluded that TWIC cards and readers provide a critical layer of port security, but data were not collected to support this conclusion. For example, DHS's assumption that the lack of a common credential could leave facilities open to a security breach with falsified credentials has not been validated. Eleven years after initiation, DHS has not demonstrated how, if at all, TWIC will improve maritime security.

Why GAO Did This Study

Within DHS, TSA and USCG manage the TWIC program, which requires maritime workers to complete background checks and obtain biometric identification cards to gain unescorted access to secure areas of Maritime Transportation Security Act (MTSA)-regulated entities. TSA conducted a pilot program to test the use of TWICs with biometric card readers in part to inform the development of a regulation on using TWICs with card readers. As required by law, DHS reported its findings on the pilot to Congress on February 27, 2012. The Coast Guard Authorization Act of 2010 required that GAO assess DHS's reported findings and recommendations. Thus, GAO assessed the extent to which the results from the TWIC pilot were sufficiently complete, accurate, and reliable for informing Congress and the proposed TWIC card reader rule. GAO reviewed pilot test plans, results, and methods used to collect and analyze pilot data since August 2008, compared the pilot data with the pilot report DHS submitted to Congress, and conducted covert tests at four U.S. ports chosen for their geographic locations. The test's results are not generalizable, but provide insights.

Recommendations

Congress should halt DHS’s efforts to promulgate a final regulation until the successful completion of a security assessment of the effectiveness of using TWIC. In addition, GAO revised the report based on the March 22, 2013, issuance of the TWIC card reader notice of proposed rulemaking.

Matter for Congressional Consideration

Matter Status Comments
Given that the results of the pilot are unreliable for informing the TWIC card reader rule on the technology and operational impacts of using TWICs with readers, Congress should consider repealing the requirement that the Secretary of Homeland Security promulgate final regulations that require the deployment of card readers that are consistent with the findings of the pilot program. Instead, Congress should require that the Secretary of Homeland Security first complete an assessment that evaluates the effectiveness of using TWIC with readers for enhancing port security, as we recommended in our May 2011 report, and then use the results of this assessment to promulgate a final regulation as appropriate. Given DHS's challenges in implementing TWIC over the past decade, at a minimum, the assessment should include a comprehensive comparison of alternative credentialing approaches, which might include a more decentralized approach, for achieving TWIC program goals.
Closed – Implemented
On May 8, 2013, we reported that the Transportation Worker Identification Credential (TWIC) card reader pilot results are unreliable, and that the program's benefits need to be reassessed. Specifically, GAO's review of the pilot test aimed at assessing the technology and operational impact of using the Transportation Security Administration's (TSA) Transportation Worker Identification Credential (TWIC) with card readers showed that the test's results were incomplete, inaccurate, and unreliable for informing Congress and for developing a regulation (rule) about the readers. Challenges related to pilot planning, data collection, and reporting affected the completeness, accuracy, and reliability of the results. Specifically, the Department of Homeland Security's (DHS) report to Congress documented findings and lessons learned, but its reported findings were not always supported by the pilot data, or were based on incomplete or unreliable data, thus limiting the report's usefulness in informing Congress about the results of the TWIC reader pilot. Further, the report concluded that TWIC cards and readers provide a critical layer of port security, but data were not collected to support this conclusion. These issues call into question the program's premise and effectiveness in enhancing security. We therefore made a matter for Congressional consideration stating that given that the results of the pilot are unreliable for informing the TWIC card reader rule on the technology and operational impacts of using TWICs with readers, Congress should consider repealing the requirement that the Secretary of Homeland Security promulgate final regulations that require the deployment of card readers that are consistent with the findings of the pilot program. Instead, Congress should require that the Secretary of Homeland Security first complete an assessment that evaluates the effectiveness of using TWIC with readers for enhancing port security, as we recommended in our May 2011 report, and then use the results of this assessment to promulgate a final regulation as appropriate. Given DHS's challenges in implementing TWIC over the past decade, at a minimum, the assessment should include a comprehensive comparison of alternative credentialing approaches, which might include a more decentralized approach, for achieving TWIC program goals. In response, Congress has taken the following actions. On January 2014, the explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the assessment that we recommended within 90 days after the enactment of the Consolidated Appropriations Act of 2014 (by April 17, 2014). See explanatory statement accompanying Consolidated Appropriations Act, 2014, Pub. L. No. 113-76, 128 Stat. 5.

Full Report

Office of Public Affairs

Topics

BiometricsData collectionHomeland securityTransportationTransportation workersAccess controlSecure areas