This is the accessible text file for GAO report number GAO-10-650T 
entitled 'Surface Transportation Security: TSA Has Taken Actions to 
Manage Risk, Improve Coordination, and Measure Performance, but 
Additional Actions Would Enhance Its Efforts' which was released on 
April 21, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Committee on Commerce, Science, and Transportation, U.S. 
Senate: 

United States Government Accountability Office: 
GAO: 

For Release on Delivery: 
Expected at 2:30 p.m. EDT:
Wednesday, April 21, 2010: 

Surface Transportation Security: 

TSA Has Taken Actions to Manage Risk, Improve Coordination, and 
Measure Performance, but Additional Actions Would Enhance Its Efforts: 

Statement of Stephen M. Lord, Director: Homeland Security and Justice 
Issues: 

GAO-10-650T: 

GAO Highlights: 

Highlights of GAO-10-650T, a testimony before the Committee on 
Commerce, Science, and Transportation, U.S. Senate. 

Why GAO Did This Study: 

Terrorist attacks on surface transportation facilities in Moscow, 
Mumbai, London, and Madrid caused casualties and highlighted the 
vulnerability of such systems. The Transportation Security 
Administration (TSA), within the Department of Homeland Security 
(DHS), is the primary federal agency responsible for security of 
transportation systems. 

This testimony focuses on the extent to which (1) DHS has used risk 
management in strengthening surface transportation security, (2) TSA 
has coordinated its strategy and efforts for securing surface 
transportation with stakeholders, (3) TSA has measured the 
effectiveness of its surface transportation security-improvement 
actions, and (4) TSA has made progress in deploying surface 
transportation security inspectors and related challenges it faces in 
doing so. GAO’s statement is based on public GAO products issued from 
January to June 2009, selected updates from September 2009 to April 
2010, and ongoing work on pipeline security. For the updates and 
ongoing work, GAO analyzed TSA’s pipeline risk assessment model, 
reviewed relevant laws and program management documents, and 
interviewed TSA officials. 

What GAO Found: 

DHS has taken actions to implement a risk management approach but 
could do more to inform resource allocation based on risk across the 
surface transportation sector—including the mass transit and passenger 
rail, freight rail, highway, and pipeline modes. For example, in March 
2009, GAO reported that TSA had not conducted comprehensive risk 
assessments to compare risk across the entire transportation sector, 
which the agency could use to guide investment decisions, and 
recommended that TSA do so. TSA concurred, and in April 2010 noted 
planned actions. GAO has also made recommendations to strengthen risk 
assessments within individual modes, such as expanding TSA’s efforts 
to include all security threats in its freight rail security strategy, 
including potential sabotage to bridges, tunnels, and other critical 
infrastructure. DHS concurred and is addressing the recommendations. 

TSA has generally improved coordination with key surface 
transportation stakeholders, but additional actions could enhance its 
efforts. For example, GAO reported in April 2009 that although federal 
and industry stakeholders have taken steps to coordinate their freight 
rail security efforts, TSA was not requesting another federal agency’s 
data that could be useful in developing regulations for high-risk rail 
carriers. GAO recommended that DHS work with its federal partners to 
ensure that all relevant information, such as threat assessments, is 
shared. DHS concurred with this recommendation and recently stated 
that TSA has met with key federal stakeholders regarding sharing 
relevant assessment information and avoiding duplication. 

TSA has developed national strategies for each surface transportation 
mode, but using targeted, outcome-oriented performance measures could 
enable TSA to better monitor the effectiveness of these strategies and 
programs that support them. For example, GAO reported in June 2009 
that TSA’s mass transit strategy identified sectorwide goals, but did 
not contain measures or targets for program effectiveness. Such 
measures could help TSA track progress in securing transit and 
passenger rail systems. GAO also reported in April 2009 that TSA’s 
freight rail security strategy could be strengthened by including 
targets for three of its four performance measures and revising its 
approach for the other measure, such as including more reliable 
baseline data to improve consistency in quantifying results. GAO 
recommended in both instances that TSA strengthen its performance 
measures. DHS concurred and noted planned actions. Preliminary 
findings from GAO’s ongoing review of pipeline security show that TSA 
has taken some actions to monitor progress, but could better measure 
pipeline security improvements. GAO expects to issue a report by the 
end of 2010. 

GAO reported in June 2009 that TSA had more than doubled its surface 
transportation inspector workforce and expanded the roles and 
responsibilities of surface inspectors, but faced challenges balancing 
aviation and surface transportation priorities and had not completed a 
workforce plan to direct current and future program needs. TSA has 
initiated but not yet finished a staffing study to identify the 
optimal size of its inspector workforce. 

What GAO Recommends: 

GAO has made recommendations to DHS in prior reports to strengthen 
surface transportation security. DHS generally concurred with our 
recommendations and is making progress in implementing them. 

View [hyperlink, http://www.gao.gov/products/GAO-10-650T] or key 
components. For more information, contact Steve M. Lord at (202) 512-
4379 or lords@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Committee: 

I appreciate the opportunity to participate in today's hearing to 
discuss key surface transportation security issues. Surface 
transportation modes include mass transit, freight rail, pipeline, and 
highway systems.[Footnote 1] Terrorist attacks on surface 
transportation systems in Moscow, Mumbai, London, and Madrid that 
caused significant loss of life and disruption have highlighted the 
vulnerability of transportation facilities to terrorist attacks 
worldwide.[Footnote 2] While there have been no successful terrorist 
attacks against U.S. surface transportation systems to date, securing 
these systems is a significant undertaking. In the United States, the 
surface transportation system includes more than 100,000 miles of 
rail, 600,000 bridges, more than 300 tunnels, and 2 million miles of 
pipeline. Securing these systems is further complicated by the number 
of private and public stakeholders involved in operating and 
protecting the system and the need to balance security with the 
expeditious flow of people and goods. Further, surface transportation 
systems generally rely on an open architecture that is difficult to 
monitor and secure due to its multiple access points, hubs serving 
multiple carriers, and, in some cases, lack of access barriers. An 
attack on these systems could potentially lead to significant 
casualties due to, for example, the high number of daily passengers, 
especially during peak commuting hours. In the 2011 budget request for 
the Department of Homeland Security's (DHS) Transportation Security 
Administration (TSA), $137.6 million of the $8.2 billion total request 
is for surface transportation security, while $6.5 billion is 
requested for aviation security, including the Federal Air Marshal 
Service.[Footnote 3] 

My testimony today focuses on the extent to which (1) DHS has used a 
risk management framework to guide efforts to strengthen the security 
of the surface transportation sector, (2) TSA has coordinated its 
strategy and efforts for securing the surface transportation sector 
with other federal entities, states, and private-sector stakeholders, 
(3) TSA has measured the effectiveness of its surface transportation 
security-improvement actions, and (4) TSA has made progress in 
deploying surface transportation security inspectors, and what 
challenges, if any, it faces in these efforts. 

This statement is based on related public GAO reports issued from 
January 2009 through June 2009.[Footnote 4] All of this work was 
conducted in accordance with generally accepted government auditing 
standards, and our previously published products contain additional 
details on the scope and methodology for those reviews. In addition, 
this statement includes preliminary observations based on ongoing work 
assessing the security of the nation's pipeline systems for this 
committee. This ongoing work, which will be completed later this year, 
is assessing, among other things, TSA's risk assessment efforts and 
performance measures for this area of surface transportation. For our 
ongoing review of pipeline security, we reviewed relevant laws and 
program management and planning documents, including pipeline 
performance measures, and interviewed TSA Pipeline Security Division 
officials to discuss, among other things, their identification of the 
most critical pipeline systems and their development and use of the 
pipeline risk assessment model and performance measures. We also 
analyzed TSA's pipeline risk assessment model by measuring the 
strength of the relationship between the frequency of Corporate 
Security Reviews for each pipeline system and that system's ranking 
based on risk.[Footnote 5] We determined that the data we analyzed 
were sufficiently reliable for the purposes of this statement. 
Specifically, we reviewed related documentation, interviewed 
knowledgeable agency officials, and tested those data to identify 
missing information or outliers. Our ongoing work related to pipeline 
security is being conducted in accordance with generally accepted 
government auditing standards. In addition, this statement contains 
selected updates conducted from September 2009 through April 2010 on 
TSA's efforts to implement our previous recommendations regarding 
surface transportation security. In conducting these updates, we 
obtained new information from TSA regarding the agency's efforts to 
enhance its surface transportation inspections and meet legislative 
requirements, among other things. We conducted these updates in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings based on our audit objectives. 

Background: 

TSA is the primary federal agency responsible for overseeing the 
security of surface transportation systems, including developing a 
national strategy and implementing security programs. However, several 
other agencies, including DHS's Federal Emergency Management Agency 
(FEMA) and the Department of Transportation's (DOT) Federal Transit 
Administration (FTA) and Federal Railroad Administration (FRA), also 
play a role in helping to fund and secure these systems. Since it is 
not practical or feasible to protect all assets and systems against 
every possible terrorist threat, DHS has called for using risk-
informed approaches to prioritize its security-related investments and 
for developing plans and allocating resources in a way that balances 
security and commerce.[Footnote 6] 

In June 2006, DHS issued the National Infrastructure Protection Plan 
(NIPP), which established a six-step risk management framework to 
establish national priorities, goals, and requirements for Critical 
Infrastructure and Key Resources protection so that federal funding 
and resources are applied in the most effective manner to deter 
threats, reduce vulnerabilities, and minimize the consequences of 
attacks and other incidents. The NIPP, updated in 2009, defines risk 
as a function of three elements: threat, vulnerability, and 
consequence. Threat is an indication of the likelihood that a specific 
type of attack will be initiated against a specific target or class of 
targets. Vulnerability is the probability that a particular attempted 
attack will succeed against a particular target or class of targets. 
Consequence is the effect of a successful attack. In May 2007, TSA 
issued the Transportation Systems Sector-Specific Plan (TS-SSP), which 
documents the risk management process to be used in carrying out the 
strategic priorities outlined in the NIPP. As required by Executive 
Order 13416, the TS-SSP also includes modal implementation plans or 
modal annexes that detail how TSA intends to achieve the sector's 
goals and objectives for each of the six transportation modes using 
the systems-based risk management approach.[Footnote 7] 

To address the objectives and goals laid out in the TS-SSP, TSA uses 
various programs to secure transportation systems throughout the 
country, including Visible Intermodal Prevention and Response (VIPR) 
teams and Surface Transportation Security Inspectors (STSI). VIPR 
teams employ a variety of tactics to deter terrorism, including random 
high-visibility patrols at mass transit and passenger rail stations 
using, among other things, behavior-detection officers, canine 
detection teams, and explosive-detection technologies.[Footnote 8] 
STSIs, among other things, conduct on-site inspections of U.S. rail 
systems--including mass transit, passenger rail, and freight rail 
systems--to identify best security practices, evaluate security system 
performance, and discover and correct deficiencies and vulnerabilities 
in the rail industry's security systems.[Footnote 9] 

In August 2007, the Implementing Recommendations of the 9/11 
Commission Act (9/11 Commission Act) was signed into law, which 
included provisions that task DHS and other public and private 
stakeholders with security actions related to surface transportation 
security.[Footnote 10] Among other things, these provisions include 
mandates for developing and issuing reports on TSA's strategy for 
securing public transportation, conducting and updating comprehensive 
security assessments for public transportation agencies, and ensuring 
that transportation modal security plans include threats, 
vulnerabilities, and consequences for transportation infrastructure 
assets including mass transit, railroads, highways, and pipelines. 

TSA Has Taken Some Actions to Implement a Risk Management Approach but 
Could Do More to Inform the Allocation of Resources across the Surface 
Transportation Sector: 

In March 2009, we reported that TSA has taken some actions called for 
by the NIPP's risk management process, but has not conducted 
comprehensive risk assessments across aviation and four major surface 
transportation modes.[Footnote 11] In 2007, TSA initiated but later 
discontinued an effort to conduct a comprehensive risk assessment for 
the entire transportation sector, known as the National Transportation 
Sector Risk Analysis.[Footnote 12] Consequently, we recommended that 
TSA conduct comprehensive risk assessments for the transportation 
sector to produce a comparative analysis of risk across the entire 
transportation sector, which the agency could use to guide current and 
future investment decisions. DHS and TSA concurred with our 
recommendation, and in April 2010 TSA identified planned actions, 
including integrating the results of risk assessments into a 
comparative risk analysis across the transportation sector. TSA 
officials stated in April 2010 that the agency has revised its risk 
management framework, TS-SSP, and modal annexes. They added that these 
documents are undergoing final agency review. 

In addition, we have previously reported that while TSA has collected 
information related to threat, vulnerability, and consequence within 
the surface transportation modes, it has not conducted risk 
assessments that integrate these three components for individual 
modes. For example, we reported in June 2009 that TSA had not 
conducted its own risk assessment of mass transit and passenger rail 
systems that combined all three risk elements, as called for by the 
NIPP.[Footnote 13] Thus, we recommended that TSA conduct a 
comprehensive risk assessment that combines threat, vulnerability, and 
consequence. DHS concurred with this recommendation, and in February 
2010, DHS officials said that TSA had undertaken a Transportation 
Systems Sector Risk Assessment that would incorporate all three 
elements of risk. In April 2010, TSA stated that this risk assessment 
is under review. Similarly, the Administration's Transborder Security 
Interagency Policy Committee (IPC) Surface Transportation 
Subcommittee's recently issued Surface Transportation Security 
Priority Assessment recognized that assessing transportation assets 
and infrastructure and ranking their criticality would help target the 
use of limited resources.[Footnote 14] Consequently, this subcommittee 
recommended that TSA identify appropriate methodologies to evaluate 
and rank surface transportation systems and critical infrastructure. 

We have also identified other opportunities to improve TSA's risk 
management efforts for surface transportation. For example, in April 
2009, we reported that TSA's efforts to assess security threats to 
freight rail could be strengthened.[Footnote 15] Specifically, we 
noted that while TSA had developed a freight rail security strategy, 
the agency had focused almost exclusively on rail shipments of toxic 
inhalation hazards (TIH), such as chlorine and anhydrous ammonia, 
which can be fatal if inhaled, despite other federal and industry 
assessments having identified additional potential security threats, 
such as risks to bridges, tunnels, and control centers.[Footnote 16] 
We reported that although TSA's focus on TIH has been a reasonable 
initial approach given the serious public harm these materials 
potentially pose to the public, there are other security threats for 
TSA to consider and evaluate as its freight rail strategy matures, 
including potential sabotage to critical infrastructure. We 
recommended that TSA expand its efforts to include all security 
threats in its freight rail security strategy. DHS concurred with this 
recommendation and has since reported that TSA has developed a 
Critical Infrastructure Risk Tool to measure the criticality and 
vulnerability of freight railroad bridges. As of April 2010, the 
agency has used this tool to assess 39 bridges, some of which 
transverse either the Mississippi or Missouri Rivers, and intends to 
assess 22 additional bridges by the end of fiscal year 2010.[Footnote 
17] 

Further, we reported in June 2009 that the Transit Security Grant 
Program (TSGP) risk model includes all three elements of risk, but can 
be strengthened by measuring variations in vulnerability.[Footnote 18] 
DHS has held vulnerability constant, which limits the model's overall 
ability to assess risk and more precisely allocate funds to transit 
agencies. We also found that although TSA allocated about 90 percent 
of funding to the highest-risk agencies, lower-risk agency awards were 
based on other factors in addition to risk, such as project quality. 
For example, a lower-risk agency with a high-quality project was more 
likely to receive funding than a higher-risk agency with a low-quality 
project. We recommended that DHS strengthen its methodology for 
determining risk by developing a cost-effective method for 
incorporating vulnerability information in its TSGP risk model. DHS 
concurred with the recommendation, and in April 2010 TSA stated that 
it is reevaluating the risk model for the fiscal year 2011 grant 
cycle. Further, TSA is evaluating the feasibility of incorporating an 
analysis of the current state of an asset, including its 
vulnerability, in determining fiscal year 2011 grant funding.[Footnote 
19] 

Additionally, we are currently conducting an assessment of TSA's 
efforts to help ensure pipeline security; the resulting report will 
include an evaluation of the extent to which TSA uses a risk 
management approach to help strengthen pipeline security. Our 
preliminary observations found that TSA has identified the 100 most-
critical pipeline systems in the United States and produced a pipeline 
risk assessment model, consistent with the NIPP. Furthermore, the 9/11 
Commission Act requires that risk assessment methodologies be used to 
prioritize actions to the highest-risk pipeline assets, and we found 
that TSA's stated policy is to consider risk when scheduling Corporate 
Security Reviews--assessments of pipeline operators' security plans. 
However, we found a weak statistical correlation between a pipeline 
system's risk rank and the time elapsed between a first and subsequent 
review.[Footnote 20] In addition, we found that among the 15 highest 
risk-ranked pipeline systems, the time between a first and second 
Corporate Security Review ranged from 1 to 6 years for those systems 
that had undergone a second review. Further, as of April 2010, 2 
systems among the top 15 had not undergone a second review despite 
more than 6 years passing since their first review. TSA officials told 
us that although a pipeline system's relative risk ranking is the 
primary factor driving the agency's decision of when to schedule a 
subsequent Corporate Security Review, it is not the only factor 
influencing this decision. They explained they also consider the 
geographical proximity of Corporate Security Review locations to each 
other in order to reduce travel time and costs, as well as the extent 
to which they have worked with pipeline operators through other 
efforts, such as their Critical Facility Inspection Program.[Footnote 
21] Better prioritizing its reviews based on risk could help TSA 
ensure its resources are more efficiently allocated toward the highest-
risk pipeline systems. We expect to issue this report by the end of 
this year. 

TSA Has Generally Improved Coordination with Key Stakeholders but 
Additional Actions Could Enhance Current Efforts to Improve Surface 
Transportation Security: 

TSA has developed several initiatives to improve coordination with its 
federal, state, and private sector stakeholders. However, we have 
previously reported that TSA's coordination efforts could be improved. 
For example, we reported in April 2009 that federal and industry 
stakeholders have taken a number of steps to coordinate their freight 
rail security efforts, such as implementing agreements to clarify 
roles and responsibilities and participating in various information-
sharing mechanisms.[Footnote 22] However, federal coordination could 
be enhanced by more fully leveraging the resources of all relevant 
federal agencies, such as TSA and FRA.[Footnote 23] For example, we 
reported that TSA was not requesting data on deficiencies in security 
plans and training activities collected by FRA, which could be useful 
to TSA in developing regulations requiring high-risk rail carriers to 
develop and implement security plans. To improve coordination, we 
recommended that DHS work with federal partners such as FRA to ensure 
that all relevant information, including threat assessments, is 
shared. DHS concurred with this recommendation and stated that it 
planned to better define stakeholder roles and responsibilities to 
facilitate information sharing. Since we issued our report, DHS 
reported that TSA continues to share information with security 
partners, including meeting with FRA and the DHS Office of 
Infrastructure Protection to discuss coordination and develop 
strategies for sharing relevant assessment information and avoiding 
duplication.[Footnote 24] 

In addition, we reported in January 2009 that although several federal 
entities, including TSA and the U.S. Coast Guard, have efforts 
underway to assess the risk to highway infrastructure, these 
assessments have not been systematically coordinated among key federal 
partners.[Footnote 25] We further reported that enhanced coordination 
with federal partners could better enable TSA to determine the extent 
to which specific critical assets had been assessed and whether 
potential adjustments in its methodology were necessary to target 
remaining critical infrastructure assets. We recommended that to 
enhance collaboration among entities involved in securing highway 
infrastructure and to better leverage federal resources, DHS establish 
a mechanism to systematically coordinate risk assessment activities 
and share the results of these activities among the federal partners. 
DHS concurred with the recommendation. In February 2010, TSA officials 
indicated that the agency had met with other federal agencies that 
conduct security reviews of highway structures to identify existing 
data resources, establish a data-sharing system among key agencies, 
and discuss standards for future assessments.[Footnote 26] The 
Administration's Surface Transportation Security Priority Assessment 
also highlighted the need for federal entities to coordinate their 
assessment efforts. That report included a recommendation to establish 
an integrated federal approach that consolidates capabilities in a 
unified effort for security assessments, audits, and inspections to 
produce more thorough evaluations and effective follow-up actions for 
reducing risk, enhancing security, and minimizing burdens on assessed 
surface transportation entities. 

We also reported in February 2009 that TSA, which has the primary 
federal responsibility for ensuring the security of the commercial 
vehicle sector, had taken actions to improve coordination with 
federal, state, and industry stakeholders with respect to commercial 
vehicle security.[Footnote 27] These actions included signing joint 
agreements with DOT and supporting the establishment of 
intergovernmental and industry councils. However, we also reported 
that additional opportunities exist to enhance security by more 
clearly defining stakeholder roles and responsibilities. For example, 
some state transportation officials stated that DHS and TSA had not 
clarified states' roles and responsibilities in securing the 
transportation sector or communicated to them TSA's strategy to secure 
commercial vehicles, which in some cases has caused delays in 
implementing state transportation security initiatives. Industry 
stakeholders also expressed concerns with respect to TSA communicating 
its strategy, roles, and responsibilities; leveraging industry 
expertise; and collaborating with industry representatives.[Footnote 
28] As a result, we recommended that TSA establish a process to 
strengthen coordination with the commercial vehicle industry, 
including ensuring that the roles and responsibilities of industry and 
government are fully defined and clearly communicated, and assess its 
coordination efforts. DHS concurred with this recommendation and in 
April 2010 reported that its TS-SSP Highway Modal Annex is under 
review and is expected to delineate methods to enhance communications 
and coordination with stakeholders. 

Using Targeted, Outcome-Oriented Performance Measures Could Help TSA 
Better Monitor Strategy and Program Effectiveness: 

In accordance with Executive Order 13416 and requirements of the 9/11 
Commission Act, DHS, through TSA, has developed national strategies 
for each surface transportation mode.[Footnote 29] However, we have 
previously reported the need for TSA to strengthen its evaluation of 
the results of its efforts through the use of targeted, measurable, 
and outcome-based performance measures. Our prior work has shown that 
long-term, action-oriented goals and a timeline with milestones can 
help track an organization's progress toward its goals. The NIPP also 
provides that DHS should work with its security partners, including 
other federal agencies, state and local government representatives, 
and the private sector, to develop sector-specific metrics. 

Using performance measures and an evaluation of the effectiveness of 
surface transportation security initiatives can help provide TSA with 
more meaningful information from which to determine whether its 
strategies are achieving their intended results, and to target any 
needed improvements. For example, in January 2009, we reported that 
TSA's completion of a Highway Security Modal Annex was an important 
first step in guiding national efforts to protect highway 
infrastructure, but it did not include performance goals and measures 
with which to assess the program's overall progress toward securing 
highway infrastructure.[Footnote 30] As a result, we recommended that 
TSA establish a time-frame for developing performance goals and 
measures for monitoring the implementation of the annex's goals, 
objectives, and activities. Similarly, in June 2009, we reported that 
TSA's Mass Transit Modal Annex identified sectorwide goals that apply 
to all modes of transportation as well as subordinate objectives 
specific to mass transit and passenger rail systems, but did not 
contain measures or targets on the effectiveness of operations of the 
security programs identified in the annex.[Footnote 31] As a result, 
we recommended that TSA should, to the extent feasible, incorporate 
performance measures in future annex updates. DHS concurred with both 
of these recommendations. In February 2010, TSA indicated that the 
updated annex would incorporate performance measures among other 
characteristics we recommended, and as of April 2010, the annex is 
under review. We will continue to monitor TSA's progress in addressing 
these recommendations. 

We also reported in April 2009 that three of the four performance 
measures in TSA's Freight Rail Modal Annex to the TS-SSP did not 
identify specific targets to gauge the effectiveness of federal and 
industry programs in achieving the measures or the transportation- 
sector security goals outlined in the annex.[Footnote 32] We also 
reported that TSA was limited in its ability to measure the effect of 
federal and industry efforts on achieving the agency's key performance 
measure for the freight rail program, which is to reduce the risk 
associated with the transportation of TIH in major cities identified 
as high-threat urban areas. This was because the agency was unable to 
obtain critical data necessary to consistently calculate cumulative 
results for this measure over the time period for which it calculated 
them--from 2005 to 2008. In particular, some baseline data needed to 
cumulatively calculate results for this measure were historical and 
could not be collected. As a result, the agency used a method for 
estimating risk for its baseline year that was different than what it 
used for calculating results for subsequent years. 

Consequently, to help ensure the strategic goals of the modal annex 
are met and that TSA is consistently and accurately measuring agency 
and industry performance in reducing the risk associated with TIH rail 
shipments in major cities, we recommended that TSA ensure that future 
updates (1) contain performance measures with defined targets that are 
linked to fulfilling goals and objectives; and (2) more systematically 
address specific milestones for completing activities and measuring 
progress toward meeting identified goals. We further recommended that 
TSA take steps to revise the baseline year associated with its TIH 
risk reduction performance measure to enable the agency to more 
accurately report results for this measure. DHS concurred with these 
recommendations and has indicated that it will incorporate them into 
future updates of its Freight Rail Modal Annex, which will be designed 
to more specifically address goal-oriented milestones and performance 
measures. In April 2010, TSA stated that the agency has revised its 
modal annexes and that these documents are undergoing final agency 
review. 

In addition to developing performance measures to assess the success 
of its security strategies, we have also identified the need for TSA 
to develop or enhance its performance measures for specific programs 
such as the TSGP, VIPR program, and pipeline security programs. 
Specifically, in June 2009, we reported that the TSGP lacked a plan 
and milestones for developing measures to track progress of achieving 
program goals.[Footnote 33] While FEMA--which administers the grants-- 
reported that it was beginning to develop measures to better manage 
its portfolio of grants, TSA and FEMA had not collaborated to produce 
performance measures for assessing the effectiveness of TSGP-funded 
projects, such as how funding is used to help protect critical 
infrastructure and the traveling public from possible acts of 
terrorism.[Footnote 34] We recommended that TSA and FEMA collaborate 
in developing a plan and milestones for measuring the effectiveness of 
the TSGP and its administration. DHS concurred with our 
recommendation, and in November 2009, FEMA stated that it will take 
steps to develop a plan with milestones in coordination with TSA. 
Likewise, the Administration's Surface Transportation Security 
Priority Assessment discussed the importance of establishing a 
measurable evaluation system to determine the effectiveness of surface 
transportation security grants and recommended that TSA coordinate 
with other federal agencies, including FEMA, to do so. 

In June 2009, we reported that TSA had measured the progress of its 
VIPR program in terms of the number of VIPR operations conducted, but 
had not yet developed measures or targets to report on the 
effectiveness of the operations themselves.[Footnote 35] TSA program 
officials reported, however, that they were planning to introduce 
additional performance measures no later than the first quarter of 
fiscal year 2010. They added that these measures would gather 
information on, among other things, (1) interagency collaboration by 
collecting performance feedback from federal, state, and local 
security, law enforcement, and transportation officials prior to and 
during VIPR deployments; and (2) stakeholder views on the 
effectiveness and value of VIPR deployment. In April 2010, TSA 
reported that the VIPR program introduced four performance measures 
for fiscal year 2010; these measures will be reported quarterly. 
[Footnote 36] TSA has also stated that it has identified performance 
targets for these measures, which it will revisit when baseline 
program data is available. 

As part of our ongoing review of TSA's efforts to help ensure pipeline 
security, we are assessing the extent to which TSA has measured 
efforts to strengthen pipeline security.[Footnote 37] While our work 
has not been completed, our preliminary observations have identified 
that TSA has taken actions to measure progress as called for by the 
NIPP, but could better measure pipeline security improvements. More 
specifically, our preliminary observations have identified that 
effective performance measurement data could better inform decision 
makers of the extent to which pipeline security programs and 
activities have been able to reduce risk and better enable them to 
determine funding priorities within and across agencies. Also, 
developing additional performance measures--particularly outcome-based 
measures--that assess the effects of TSA's efforts in strengthening 
pipeline security and are aligned with transportation-sector goals and 
pipeline security objectives could better enable TSA to evaluate 
security improvements in the pipeline industry. Our upcoming report 
that will be issued later this year will provide additional details. 

TSA Has More Than Doubled Its Surface Transportation Inspector 
Workforce but Faces Challenges in Balancing Priorities and Directing 
Current and Future Workforce Needs: 

[End of section] 

Over the past two years, TSA has reported having more than doubled the 
size of its Surface Transportation Security Inspection Program, 
expanding the program from 93 inspectors in June 2008 to 201 
inspectors in April 2010.[Footnote 38] Inspectors have conducted 
baseline security reviews that assess, among other things, the overall 
security posture of mass transit and passenger rail agencies and the 
implementation of security plans, programs, and measures, and best 
practices. However, TSA has not completed a workforce plan to direct 
current and future inspection program needs as the program assumes new 
responsibilities associated with the implementation of certain 
provisions of the 9/11 Commission Act by passenger and freight rail 
systems.[Footnote 39] 

Since establishing the inspection program in 2005 to identify and 
reduce vulnerabilities to passenger rail and ensure compliance with 
passenger rail security directives, TSA has expanded the roles and 
responsibilities of surface inspectors to include additional surface 
transportation modes--including mass transit bus and freight rail--and 
participation in VIPR operations. For example, TSA reported that as of 
April 2010 its surface inspectors had, among other things, conducted 
security assessments of 142 mass transit and passenger rail agencies, 
including Amtrak, and over 1,350 site visits to mass transit and 
passenger rail stations to complete station profiles, which gather 
detailed information on a station's physical security elements, 
geography, and emergency points of contact. However, we also reported 
that TSA faced challenges in the following areas:[Footnote 40] 

* Balancing aviation and surface transportation priorities: We 
reported in June 2009 that TSA has reorganized its field unit and 
reporting structure since establishing the inspection program, and 
surface inspectors raised concerns about its effect. These 
reorganizations placed TSA's surface inspectors under the command of 
Federal Security Directors and Assistant Federal Security Directors 
for Inspections--aviation-focused positions that historically have not 
had an active role in conducting surface transportation inspection 
duties.[Footnote 41] According to TSA, these changes were designed to 
support its pursuit of a multimodal workforce and ensure a more 
cohesive and streamlined approach to inspections. However, we noted 
that surface inspectors raised concerns that these changes had 
resulted in the surface transportation mission being diluted by TSA's 
aviation mission. Among these concerns is that the surface inspectors 
were being assigned airport-related duties, while aviation inspectors 
had been assigned surface responsibilities that had affected 
performance in conducting follow-up inspections to determine progress 
mass transit and passenger rail systems had made in addressing 
previously-identified weaknesses. TSA officials reported that they had 
selected their current command structure because Federal Security 
Directors were best equipped to make full use of the security network 
in their geographical location because they frequently interacted with 
state and local law enforcement and mass transit operators, and were 
aware of vulnerabilities in these systems. 

* Workforce Planning: At the time of our June 2009 report, TSA did not 
have a human capital or other workforce plan for its Surface 
Transportation Security Inspection Program, but the agency had plans 
to conduct a staffing study to identify the optimal workforce size to 
address its current and future program needs. TSA reported that it had 
initiated a study in January 2009, which, if completed, could provide 
TSA with a more reasonable basis for determining the surface inspector 
workforce needed to achieve its current and future workload needs. 
However, in March 2010, TSA officials told us that while they were 
continuing to work on the staffing study, TSA did not have a firm date 
for completion. 

Mr. Chairman this concludes my statement. I look forward to answering 
any questions that you or other members of the committee may have at 
this time. 

GAO Contact and Staff Acknowledgments: 

For further information on this testimony, please contact Steve Lord 
at (202) 512-4379 or at lords@gao.gov. Contact points for our Offices 
of Congressional Relations and Public Affairs may be found on the last 
page of this statement. Individuals making key contributions to this 
testimony include Jessica Lucas-Judy, Assistant Director; Jason 
Berman; Martene Bryan; Chris Currie; Vanessa Dillard; Chris Ferencik; 
Edward George; Dawn Hoff; Jeff Jensen; Valerie Kasindi; Lara Kaskie; 
Daniel Klabunde; Nancy Meyer; Jaclyn Nelson; Octavia Parks; Meg 
Ullengren; and Lori Weiss. 

[End of section] 

Footnotes: 

[1] The six major transportation modes defined in the Transportation 
Security Administration’s (TSA) Transportation Security Sector 
Specific Plan (TS-SSP) are: aviation; maritime; mass transit 
(including transit buses, subway and light rail, and passenger rail—
both commuter rail and long-distance); highway; freight rail; and 
pipeline. 

[2] Subway attacks occurred in Moscow March 29, 2010, in Mumbai on 
July 11, 2006, in London on July 7, 2005, and in Madrid on March 11, 
2004. Each attack caused dozens of deaths and injuries. 

[3] Additional funding is requested for accounts such as 
transportation security support, which supports both aviation and 
surface transportation security programs. Some of the Federal Air 
Marshal Service funding supports nonaviation activities. 

[4] GAO, Transportation Security: Key Actions Have Been Taken to 
Enhance Mass Transit and Passenger Rail Security, but Opportunities 
Exist to Strengthen Federal Strategy and Programs, [hyperlink, 
http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: June 2009); 
Transit Security Grant Program: DHS Allocates Grants Based on Risk, 
but Its Risk Methodology, Management Controls and Grant Oversight Can 
Be Strengthened, [hyperlink, http://www.gao.gov/products/GAO-09-491] 
(Washington, D.C.: June 2009); Freight Rail Security: Actions Have 
Been Taken to Enhance Security, but the Federal Strategy Can Be 
Strengthened and Security Efforts Better Monitored, [hyperlink, 
http://www.gao.gov/products/GAO-09-243] (Washington, D.C.: Apr. 2009); 
Transportation Security: Comprehensive Risk Assessments and Stronger 
Internal Controls Needed to Help Inform TSA Resource Allocation, 
[hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C.: 
Mar. 2009); Commercial Vehicle Security: Risk-Based Approach Needed to 
Secure the Commercial Vehicle Sector, [hyperlink, 
http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: Feb. 2009); 
Highway Infrastructure: Federal Efforts to Strengthen Security Should 
Be Better Coordinated and Targeted on the Nation’s Most Critical 
Highway Infrastructure, [hyperlink, 
http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: Jan. 2009). 

[5] Corporate Security Reviews are on-site security reviews that TSA’s 
Pipeline Security Division conducts with pipeline operators to develop 
a firsthand knowledge of operators’ security plans and implementation, 
establish working relationships with key pipeline security personnel, 
and identify and share good security practices. 

[6] A risk management approach entails a continuous process of 
managing risk through a series of actions, including setting strategic 
goals and objectives, assessing risk, evaluating alternatives, 
selecting initiatives to undertake, and implementing and monitoring 
those initiatives. 

[7] The TS-SSP includes modal annexes for Aviation, Maritime, Mass 
Transit, Highway Infrastructure and Motor Carrier, Freight Rail, and 
Pipeline. 

[8] TSA VIPR teams, which TSA has reported using since late 2005, work 
with local security and law enforcement officials to secure any mode 
of transportation. 

[9] STSIs conduct their work by building collaborative working 
relationships with freight rail carriers, the mass transit and 
passenger rail industry, and applicable local, state, and federal 
authorities. 

[10] Pub. L. No. 110-53, 121 Stat. 266 (2007). 

[11] [hyperlink, http://www.gao.gov/products/GAO-09-492]. The four 
major surface transportation modes are mass transit and passenger 
rail, freight rail, highway, and pipeline. A comprehensive risk 
assessment approach would assess threat, vulnerability, and 
consequence to inform the allocation of resources, as called for by 
the NIPP and the TS-SSP. 

[12] Through this effort, TSA intended to estimate the threat, 
vulnerability, and consequence of a range of hypothetical attack 
scenarios and integrate these estimates to produce risk scores for 
each scenario that could be compared among each of the modes of 
transportation. However, officials stated that TSA discontinued this 
work due to difficulties in estimating the likelihood of terrorist 
threats. 

[13] [hyperlink, http://www.gao.gov/products/GAO-09-678]. Although all 
levels of government are involved in mass transit and passenger rail 
security, the primary responsibility for securing the systems rests 
with the mass transit and passenger rail operators. We have reported 
that most mass transit and passenger rail systems have made 
operational enhancements to their security programs, such as adding 
security personnel or transit police. Some of the largest systems have 
also implemented varying types of random passenger or baggage 
inspection screening programs. Additionally, mass transit agencies 
have invested in capital improvements, including upgrading closed-
circuit television systems and installing explosives-detection 
equipment and silent alarms. 

[14] The White House Transborder Security Interagency Policy Committee 
Surface Transportation Subcommittee, Surface Transportation Security 
Priority Assessment (March 2010). In making its recommendations, the 
subcommittee gathered input from surface-transportation owners and 
operators, DHS and DOT, as well as state and local government 
representatives. 

[15] [hyperlink, http://www.gao.gov/products/GAO-09-243]. 

[16] Shipments of TIH, especially chlorine, frequently move through 
densely populated areas to reach, for example, water treatment 
facilities that use these products. We reported that TSA focused on 
securing TIH materials for several reasons, including limited 
resources and a decision in 2004 to prioritize TIH as a key risk 
requiring federal attention. Other federal and industry freight rail 
stakeholders agreed that focusing on TIH was a sound initial strategy 
because it is a key potential rail security threat and an overall 
transportation safety concern. 

[17] We have previously reported that certain bridges, such as those 
over large rivers, play a key role in the national railroad system 
because capacity constraints limit options to reroute trains. As a 
result, incidents limiting or preventing their use could negatively 
affect the economy by severely delaying rail traffic for significant 
periods of time and causing transportation system delays and 
disruption. 

[18] See [hyperlink, http://www.gao.gov/products/GAO-09-491]. DHS 
awards TSGP grant funding to owners and operators of mass transit and 
passenger rail systems that have used these funds for a variety of 
security purposes, including developing security plans, purchasing or 
upgrading security equipment, and providing security training to 
transit employees. 

[19] Industry entities have also reported undertaking independent 
efforts to assess security risks to their systems and operations. 
These effects include (1) a 2008 rail industry security assessment 
conducted by the Association of American Railroads, which resulted in 
the identification and prioritization of over 1,000 rail assets, 
including bridges, tunnels, and control centers; and (2) comprehensive 
risk assessments that incorporate and combine all three risk elements, 
which have been conducted by the National Railroad Passenger 
Corporation (Amtrak) and some individual transit systems. 

[20] We calculated a simple correlation coefficient to measure the 
strength and direction of the linear relationship between systems’ 
risk rankings and the time elapsed between TSA’s first and subsequent 
Corporate Security Reviews for pipeline systems. The magnitude of the 
correlation coefficient determines the strength of the correlation. 
Our preliminary analysis resulted in a weak correlation coefficient 
score. 

[21] The Pipeline Security Division began inspections under the 
Critical Facility Inspection Program in November 2008. The program 
involves on-site physical security inspections of each critical 
facility of the 100 most-critical pipeline systems. 

[22] Some rail industry stakeholders have independently implemented 
other types of operational and procedural changes to secure their 
hazardous rail shipments, such as making modifications to procedures 
for how rail companies manage and schedule trains and railcars. Rail 
industry organizations also play a role in disseminating pertinent 
information, such as threat communications from DHS and DOT, to their 
members. 

[23] See [hyperlink, http://www.gao.gov/products/GAO-09-243]. 

[24] DHS’s Office of Infrastructure Protection is an organizational 
entity within the National Protection and Programs Directorate, whose 
mission includes leading the coordinated national effort to reduce the 
risk to critical infrastructure and key resources posed by acts of 
terrorism. 

[25] [hyperlink, http://www.gao.gov/products/GAO-09-57]. The U.S. 
Coast Guard is the lead federal agency responsible for the security of 
the nation’s ports and waterways, which may include highway assets 
that have a maritime nexus, such as bridges. 

[26] In addition to federal efforts, highway-sector stakeholders have 
taken a variety of voluntary actions intended to enhance the security 
of highway infrastructure. Key efforts include developing security 
publications, sponsoring infrastructure security workshops, conducting 
research and development activities, and implementing specific 
protective measures intended to deter an attack or reduce potential 
consequences, such as security patrols, electronic detection systems, 
and physical barriers. 

[27] [hyperlink, http://www.gao.gov/products/GAO-09-85]. The term 
“commercial vehicles” refers to vehicles used in the commercial 
trucking industry (e.g., for-hire and private trucks moving freight, 
rental trucks, and trucks carrying hazardous materials) and the 
commercial motor coach industry (i.e., intercity, tour, and charter 
buses). For the purposes of this statement, we are including them in 
the highway infrastructure mode. 

[28] Although all levels of government are involved in the security of 
commercial vehicles, primary responsibility for securing these 
vehicles rests with the individual commercial vehicle companies 
themselves. Truck and bus companies have responsibility for the 
security of day-to-day operations. As part of these operations, they 
ensure that company personnel, vehicles, and terminals—as well as all 
of the material and passengers they transport-—are secured. 

[29] Strengthening Surface Transportation Security, Exec. Order No. 
13416, 71 Fed. Reg. 71033 (Dec. 5, 2006). The primary purpose of 
Executive Order 13416 is to strengthen the security of surface 
transportation. The executive order requires DHS to assess the 
security of each surface transportation mode, and evaluate the 
effectiveness and efficiency of current transportation security 
initiatives, among other things. 

[30] [hyperlink, http://www.gao.gov/products/GAO-09-57]. 

[31] [hyperlink, http://www.gao.gov/products/GAO-09-678]. 

[32] [hyperlink, http://www.gao.gov/products/GAO-09-243]. The 
transportation-sector goals identified in the Freight Rail Model Annex 
include: (1) prevent and deter acts of terrorism against the 
transportation system, (2) enhance resiliency of the U.S. 
transportation system, and (3) improve the cost-effective use of 
resources for transportation security. 

[33] [hyperlink, http://www.gao.gov/products/GAO-09-491]. The purpose 
of the TSGP is to provide funds to protect critical surface 
transportation infrastructure and the traveling public. 

[34] In fiscal year 2008, FEMA’s Grant Programs Directorate became 
responsible for administering TSGP grants. 

[35] [hyperlink, http://www.gao.gov/products/GAO-09-678]. 

[36] According to TSA, the four measures introduced in fiscal year 
2010 for the VIPR program include: (1) total VIPR asset deployments; 
(2) completion percentage at high risk locations; (3) percentage of 
national special security events; and (4) percentage of primary 
stakeholders with repeat deployments. 

[37] TSA has not issued pipeline security regulations, but works with 
the pipeline industry to implement suggested security measures to make 
pipeline systems more secure. Private companies who own and operate 
pipeline systems are responsible for assessing their own specific 
security needs and incur the costs associated with implementing 
security measures. 

[38] TSA intends to hire an additional 179 surface inspectors in 
fiscal year 2010. According to TSA, the April 2010 data includes 
headquarters staff. 

[39] See, for example, Pub. L. No. 110-53, §§ 1512, 1517, 121 Stat. 
266, 429-33, 439-41 (2007). 

[40] [hyperlink, http://www.gao.gov/products/GAO-09-678]. 

[41] TSA Federal Security Directors are the ranking TSA authorities 
responsible for the leadership and coordination of TSA security 
activities at commercial airports regulated by TSA. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: