Aviation Security: Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates
Highlights
What GAO Found
The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) has made progress in assessing the threat, vulnerability, and consequence components of risk to airport perimeter and access control security (airport security) since GAO last reported on the topic in 2009, such as developing its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment of Airport Security) in May 2013. However, TSA has not updated this assessment to reflect changes in the airport security risk environment, such as TSA's subsequent determination of risk from the insider threat—the potential of rogue aviation workers exploiting their credentials, access, and knowledge of security procedures throughout the airport for personal gain or to inflict damage. Updating the Risk Assessment of Airport Security with information that reflects this current threat, among other things, would better ensure that TSA bases its risk management decisions on current information and focuses its limited resources on the highest-priority risks to airport security. Further, TSA has not comprehensively assessed the vulnerability—one of the three components of risk—of TSA-regulated (i.e., commercial) airports system-wide through its joint vulnerability assessment (JVA) process, which it conducts with the Federal Bureau of Investigation (FBI), or another process. From fiscal years 2009 through 2015, TSA conducted JVAs at 81 (about 19 percent) of the 437 commercial airports nationwide. TSA officials stated that they have not conducted JVAs at all airports system-wide because of resource constraints. While conducting JVAs at all commercial airports may not be feasible given budget and resource constraints, other approaches, such as providing all commercial airports with a self-vulnerability assessment tool, may allow TSA to assess vulnerability at airports system-wide.
Since 2009, TSA has taken various actions to oversee and facilitate airport security; however, it has not updated its national strategy for airport security to reflect changes in its Risk Assessment of Airport Security and other security-related actions. TSA has taken various steps to oversee and facilitate airport security by, among other things, developing strategic goals and evaluating risks. For example, in 2012 TSA developed its National Strategy for Airport Perimeter and Access Control Security (Strategy), which defines how TSA seeks to secure the perimeters and security-restricted areas of the nation's commercial airports. However, TSA has not updated its Strategy to reflect actions it has subsequently taken, including results of the 2013 Risk Assessment and new and enhanced security activities, among other things. Updating the Strategy to reflect changes in the airport security risk environment and new and enhanced activities TSA has taken to facilitate airport security would help TSA to better inform management decisions and focus resources on the highest-priority risks, consistent with its strategic goals.
This is a public version of a sensitive report that GAO issued in March 2016. Information that TSA deems “Sensitive Security Information” has been removed.
Why GAO Did This Study
Incidents of aviation workers using access privileges to smuggle weapons and drugs into security-restricted areas and onto planes has heightened awareness about security at commercial airports. TSA, along with airport operators, has responsibility for securing the nation's approximately 440 commercial airports.
GAO was asked to review TSA's oversight of airport perimeter and access control security since GAO last reported on the topic in 2009. This report examines, for airport security, (1) the extent to which TSA has assessed the components of risk and (2) the extent to which TSA has taken actions to oversee and facilitate security, among other objectives.
GAO examined TSA documents related to risk assessment and security activities; analyzed relevant TSA security event data from fiscal years 2009 through 2015; obtained information from TSA and industry association officials as well as from a nongeneralizable sample of 11 airports, selected based on factors such as size.
Recommendations
GAO is making six recommendations, including that TSA update its Risk Assessment of Airport Security, develop and implement a method for conducting a system-wide assessment of airport vulnerability, and update its National Strategy for Airport Perimeter and Access Control Security . DHS concurred with the recommendations and identified planned actions to address the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the Risk Assessment of Airport Security to reflect changes to its risk environment, such as those updates reflected in Transportation Sector Security Risk Assessment (TSSRA) and JVA findings, and share results of this risk assessment with stakeholders on an ongoing basis. | In May 2016, we reported that the Transportation Security Administration (TSA) had made progress in assessing all three components of risk-threat, vulnerability, and consequence-by, among other things, developing its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment of Airport Security). However, we found that TSA had not updated this assessment since 2013 to reflect changes in the airport security risk environment nor had it identified timeframes for doing so. Consequently, we recommended that TSA update the Risk Assessment of Airport Security to reflect changes to its risk environment. In February 2019, TSA issued an update to its Risk Assessment... of Airport Security that included, among other things, new data from Joint Vulnerability Assessments (JVA) and the Transportation Sector Security Risk Assessment (TSSRA). According to TSA, it analyzed the new JVA and TSSRA data using a methodology that ranks airports according to perimeter and access control security risks. TSA further reported in June 2019 that it had posted the Risk Assessment of Airport Security on the Homeland Security Information Network, TSA's primary conduit for providing policy, alerts, intelligence, and guidance to designated airport users, such as airport security coordinators, and to industry associations. These actions should help TSA better ensure it is basing its risk management decisions on current information, focusing limited resources on the highest-priority risks to airport security, and sharing relevant information with airport operators to enrich their understanding of and ability to reduce vulnerabilities identified at their airports. As a result, this recommendation is closed as implemented.
View More |
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional risk assessment updates are needed. | In May 2016, we reported that the Transportation Security Administration (TSA) had made progress in assessing the threat, vulnerability, and consequence components of risk to airport perimeter and access control security (GAO-16-632) since GAO last reported on the topic in 2009 (GAO-09-399). During the course of our review, we found that while TSA released its Comprehensive Risk Assessment of Perimeter and Access Control Security (Risk Assessment) in May 2013, it had not updated this assessment to reflect changes in the airport security risk environment nor had it identified timeframes for updating the Risk Assessment. Consequently, we recommended that TSA establish and implement a...
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should develop and implement a method for conducting a system-wide assessment of airport vulnerability that will provide a more comprehensive understanding of airport perimeter and access control security vulnerabilities. | In May 2016, we reported that the Transportation Security Administration (TSA) had not comprehensively assessed the vulnerability of airports system-wide through its Joint Vulnerability Assessment (JVA) process-its primary measure for assessing vulnerability at commercial airports-and recommended that TSA develop and implement a method for conducting a system-wide assessment of airport vulnerability. In February 2019, TSA issued an update to its Risk Assessment of Airport Security that includes an assessment of the vulnerability of TSA-regulated (commercial) airports. The vulnerability assessment considers data from: Joint Vulnerability Assessments (JVA), TSA perimeter compliance...
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should use security event data for specific analysis of system-wide trends related to perimeter and access control security to better inform risk management decisions. | In May 2016, we reported that the Transportation Security Administration (TSA) requires Federal Security Directors (FSD) or their designees to report security (breach) events that occur at airports for which they are responsible; TSA collects and stores that information in numerous data systems. During our review we found that TSA did not analyze its security event data to monitor security events at airports specifically related to perimeter and access control security. TSA officials stated that although the agency had the capability to analyze such events and its weekly data reports included airport perimeter and access control security events, TSA had not seen the need to regularly...
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should update the 2012 Strategy for airport security to reflect changes in risk assessments, agency operations, and the status of goals and objectives. Specifically, this update should reflect: (1) information from the Risk Assessment of Airport Security, as well as information contained in the most recent TSSRA and JVAs; (2) new airport security-related activities; (3) the status of TSA efforts to address goals and objectives; and (4) finalized outcome-based performance measures and performance levels--or targets--for each relevant activity and strategic goal. | In May 2016, we reported that the Transportation Security Administration (TSA) had implemented a variety of actions since 2009 to oversee and facilitate perimeter and access control security at the nation's commercial airports, either through new activities or by enhancing ongoing efforts. However, we found that TSA has not updated its September 2012 National Strategy for Airport Perimeter and Access Control Security (Strategy) to reflect actions it had subsequently taken to assess the airport security risk environment, oversee and facilitate airport security, and address Strategy goals and objectives. Consequently, we recommended that TSA update the 2012 Strategy to reflect changes in...
|
| Transportation Security Administration | To help ensure TSA's actions in overseeing and facilitating airport security are based on the most recent available risk information that assesses vulnerabilities system-wide and evaluates security events, and that these actions are orchestrated according to a strategic plan that reflects the agency's goals and objectives and its progress in meeting those goals, the Administrator of TSA should establish and implement a process for determining when additional updates to the Strategy are needed. | In May 2016, we reported that while the Transportation Security Administration (TSA) had taken various actions to oversee and facilitate airport perimeter and access control security, it had not updated its September 2012 National Strategy for Airport Perimeter and Access Control Security (Strategy) to reflect changes in its risk assessment of airport perimeter and access control security and other security-related actions. Consequently, we recommended that TSA establish and implement a process for determining when additional updates to the Strategy are needed. In November 2016, TSA issued a memo identifying time frames and processes for updating the Strategy. Specifically, the agency...
|