Aviation Security: Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates
Highlights
What GAO Found
The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has made progress in assessing the threat, vulnerability, and consequence components of risk to airport perimeter and access control security (airport security) since GAO last reported on the topic in 2009, such as developing its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment of Airport Security) in May 2013. However, TSA has not updated this assessment to reflect changes in the airport security risk environment, such as TSA's subsequent determination of risk from the insider threat—the potential of rogue aviation workers exploiting their credentials, access, and knowledge of security procedures throughout the airport for personal gain or to inflict damage. Updating the Risk Assessment of Airport Security with information that reflects this current threat, among other things, would better ensure that TSA bases its risk management decisions on current information and focuses its limited resources on the highest-priority risks to airport security. Further, TSA has not comprehensively assessed the vulnerability—one of the three components of risk—of TSA-regulated (i.e., commercial) airports system-wide through its joint vulnerability assessment (JVA) process, which it conducts with the Federal Bureau of Investigation (FBI), or another process. From fiscal years 2009 through 2015, TSA conducted JVAs at 81 (about 19 percent) of the 437 commercial airports nationwide. TSA officials stated that they have not conducted JVAs at all airports system-wide because of resource constraints. While conducting JVAs at all commercial airports may not be feasible given budget and resource constraints, other approaches, such as providing all commercial airports with a self-vulnerability assessment tool, may allow TSA to assess vulnerability at airports system-wide.
Since 2009, TSA has taken various actions to oversee and facilitate airport security; however, it has not updated its national strategy for airport security to reflect changes in its Risk Assessment of Airport Security and other security-related actions. TSA has taken various steps to oversee and facilitate airport security by, among other things, developing strategic goals and evaluating risks. For example, in 2012 TSA developed its National Strategy for Airport Perimeter and Access Control Security (Strategy), which defines how TSA seeks to secure the perimeters and security-restricted areas of the nation's commercial airports. However, TSA has not updated its Strategy to reflect actions it has subsequently taken, including results of the 2013 Risk Assessment and new and enhanced security activities, among other things. Updating the Strategy to reflect changes in the airport security risk environment and new and enhanced activities TSA has taken to facilitate airport security would help TSA to better inform management decisions and focus resources on the highest-priority risks, consistent with its strategic goals.
This is a public version of a sensitive report that GAO issued in March 2016. Information that TSA deems “Sensitive Security Information” has been removed.
Why GAO Did This Study
Incidents of aviation workers using access privileges to smuggle weapons and drugs into security-restricted areas and onto planes has heightened awareness about security at commercial airports. TSA, along with airport operators, has responsibility for securing the nation's approximately 440 commercial airports.
GAO was asked to review TSA's oversight of airport perimeter and access control security since GAO last reported on the topic in 2009. This report examines, for airport security, (1) the extent to which TSA has assessed the components of risk and (2) the extent to which TSA has taken actions to oversee and facilitate security, among other objectives.
GAO examined TSA documents related to risk assessment and security activities; analyzed relevant TSA security event data from fiscal years 2009 through 2015; obtained information from TSA and industry association officials as well as from a nongeneralizable sample of 11 airports, selected based on factors such as size.
Recommendations
GAO is making six recommendations, including that TSA update its Risk Assessment of Airport Security, develop and implement a method for conducting a system-wide assessment of airport vulnerability, and update its National Strategy for Airport Perimeter and Access Control Security . DHS concurred with the recommendations and identified planned actions to address the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis. |
In May 2016, we reported that the Transportation Security Administration (TSA) had made progress in assessing all three components of risk-threat, vulnerability, and consequence-by, among other things, developing its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment of Airport Security). However, we found that TSA had not updated this assessment since 2013 to reflect changes in the airport security risk environment nor had it identified timeframes for doing so. Consequently, we recommended that TSA update the Risk Assessment of Airport Security to reflect changes to its risk environment. In February 2019, TSA issued an update to its Risk Assessment of Airport Security that included, among other things, new data from Joint Vulnerability Assessments (JVA) and the Transportation Sector Security Risk Assessment (TSSRA). According to TSA, it analyzed the new JVA and TSSRA data using a methodology that ranks airports according to perimeter and access control security risks. TSA further reported in June 2019 that it had posted the Risk Assessment of Airport Security on the Homeland Security Information Network, TSA's primary conduit for providing policy, alerts, intelligence, and guidance to designated airport users, such as airport security coordinators, and to industry associations. These actions should help TSA better ensure it is basing its risk management decisions on current information, focusing limited resources on the highest-priority risks to airport security, and sharing relevant information with airport operators to enrich their understanding of and ability to reduce vulnerabilities identified at their airports. As a result, this recommendation is closed as implemented.
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed. |
In May 2016, we reported that the Transportation Security Administration (TSA) had made progress in assessing the threat, vulnerability, and consequence components of risk to airport perimeter and access control security (GAO-16-632) since GAO last reported on the topic in 2009 (GAO-09-399). During the course of our review, we found that while TSA released its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment) in May 2013, it had not updated this assessment to reflect changes in the airport security risk environment nor had it identified timeframes for updating the Risk Assessment. Consequently, we recommended that TSA establish and implement a process for determining when additional Risk Assessment updates are needed. In November 2016, TSA issued a memo identifying time frames and processes for updating the Risk Assessment. Specifically, the agency stated that it would update the Risk Assessment every 3 to 5 years, depending on the availability of supporting data. According to TSA, 3 years is the minimum time frame needed to collect full assessment data across all airports and to begin identifying trends and patterns of risk within civil aviation security, to produce an updated Risk Assessment. If additional information from the Transportation Sector Security Risk Assessment or from Special Emphasis Inspections is required, additional time may be required to develop the Risk Assessment. In August 2017, TSA reported that it was identifying the necessary internal stakeholders from relevant offices to form a working group which, when formed, is to begin outlining and planning updates to the Risk Assessment. These actions to identify and implement a process for updating the Risk Assessment should help provide reasonable assurance that TSA bases its risk management decisions on current information and focuses its limited resources on the highest-priority risks to airport perimeter and access control security. As a result, this recommendation is closed as implemented.
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities. |
In May 2016, we reported that the Transportation Security Administration (TSA) had not comprehensively assessed the vulnerability of airports system-wide through its Joint Vulnerability Assessment (JVA) process-its primary measure for assessing vulnerability at commercial airports-and recommended that TSA develop and implement a method for conducting a system-wide assessment of airport vulnerability. In February 2019, TSA issued an update to its Risk Assessment of Airport Security that includes an assessment of the vulnerability of TSA-regulated (commercial) airports. The vulnerability assessment considers data from: Joint Vulnerability Assessments (JVA), TSA perimeter compliance inspections, an assessment of airport' access points, a review of airports' land area, and an assessment of lost credentials reported by airports in 2016 and 2017. The goal of the assessment is to provide a comparison of airports across security categories (TSA classifies commercial airports into five categories based on various factors, such as the number of take-offs and landings annually) from a vulnerability perspective. Although TSA specified that the assessment should not be used to compare airports to one another, it does provide an evaluation of airport vulnerability across airport categories nationwide and across five TSA geographical regions. The assessment should help TSA better ensure that it has comprehensively assessed vulnerabilities to commercial airports' perimeter and access control security system-wide. As a result, this recommendation is closed as implemented.
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions. |
In May 2016, we reported that the Transportation Security Administration (TSA) requires Federal Security Directors (FSD) or their designees to report security (breach) events that occur at airports for which they are responsible; TSA collects and stores that information in numerous data systems. During our review we found that TSA did not analyze its security event data to monitor security events at airports specifically related to perimeter and access control security. TSA officials stated that although the agency had the capability to analyze such events and its weekly data reports included airport perimeter and access control security events, TSA had not seen the need to regularly analyze these data for trends specifically related to perimeter and access control events. In April 2018, TSA reported that it had developed the Outcome-Focused Compliance (OFC) program, which uses data on investigations activated by, among other information, perimeter and access control security event data, to assess risk at airports and air carriers nationwide. The OFC program uses a "risk register" to rank airport and air carrier security requirements by risk level. Based on these rankings, OFC classifies investigations according to risk level, enabling TSA to prioritize identified security vulnerabilities with the highest security risk. TSA said it uses the OFC data at the local and nationwide level to collaboratively work with airports to enhance security compliance and reduce risk. These actions should help provide TSA with reasonable assurance that it is using security event data related to perimeter and access control security to identify system-wide trends to better inform risk management decisions. As a result, this recommendation is closed as implemented.
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal. |
In May 2016, we reported that the Transportation Security Administration (TSA) had implemented a variety of actions since 2009 to oversee and facilitate perimeter and access control security at the nation's commercial airports, either through new activities or by enhancing ongoing efforts. However, we found that TSA has not updated its September 2012 National Strategy for Airport Perimeter and Access Control Security (Strategy) to reflect actions it had subsequently taken to assess the airport security risk environment, oversee and facilitate airport security, and address Strategy goals and objectives. Consequently, we recommended that TSA update the 2012 Strategy to reflect changes in risk assessments, agency operations, and the status of goals and objectives, among other things. On January 3, 2019, TSA issued an update to its Strategy; the Strategy is scheduled to be reassessed in October 2021. The Strategy includes, among other things, (1) an updated review of the risk environment, including vulnerability assessments such as joint vulnerability assessments; (2) current programs and activities such as the Insider Threat Program; (3) the relationship between active programs and strategic goals and objectives; and (4) the Asset Target Value, which it uses to prioritize and allocate resources and measure risk reduction. These actions should help TSA to, among other things, better inform management decisions and focus resources on the highest-priority risks, better assess its progress by monitoring the status of objectives and goals, and better identify problems or weaknesses in individual programs and activities as well as the factors causing those problems. As a result, this recommendation is closed as implemented.
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed. |
In May 2016, we reported that while the Transportation Security Administration (TSA) had taken various actions to oversee and facilitate airport perimeter and access control security, it had not updated its September 2012 National Strategy for Airport Perimeter and Access Control Security (Strategy) to reflect changes in its risk assessment of airport perimeter and access control security and other security-related actions. Consequently, we recommended that TSA establish and implement a process for determining when additional updates to the Strategy are needed. In November 2016, TSA issued a memo identifying time frames and processes for updating the Strategy. Specifically, the agency stated that it would update the Strategy every 3 to 5 years, depending on the availability of supporting data. According to TSA, 3 years is the minimum time frame needed to collect full assessment data across all airports and to begin identifying trends and patterns of risk within civil aviation security, to produce an updated risk assessment for airport perimeter and access control security. Because this risk assessment is a key input for developing the Strategy, 3 years is also the minimum time frame needed to update the Strategy. TSA also stated that if additional information from the Transportation Sector Security Risk Assessment or from Special Emphasis Inspections is required to update the risk assessment, it might take as long as 5 years to develop both an updated risk assessment and an updated Strategy. In August 2017, TSA reported that it had completed an interim update to the 2012 Strategy. It also reported that once agency officials have completed an updated risk assessment for airport perimeter and access control security, the agency will use that information, among other things, to develop a complete Strategy. These actions to establish and implement a process for updating the Strategy should help provide reasonable assurance that TSA's management decisions are based on current assessments of the airport security risk environment and focus resources on the highest-priority risks, consistent with its strategic goals. As a result, this recommendation is closed as implemented.
|