This is the accessible text file for GAO report number GAO-04-728 
entitled 'Aviation Security: Further Steps Needed to Strengthen the 
Security of Commercial Airport Perimeters and Access Controls' which 
was released on June 08, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

GAO:

Report to Congressional Requesters:

June 2004:

Aviation Security:

Further Steps Needed to Strengthen the Security of Commercial Airport 
Perimeters and Access Controls:

GAO-04-728:

GAO Highlights:

Highlights of GAO-04-728, a report to congressional requesters 

Why GAO Did This Study:

In the 2 years since passage of the Aviation and Transportation 
Security Act (ATSA), the Transportation Security Administration (TSA) 
has primarily focused its efforts on improving aviation security 
through enhanced passenger and baggage screening. The act also 
contained provisions directing TSA to take actions to improve the 
security of airport perimeters, access controls, and airport workers. 
GAO was asked to assess TSA’s efforts to: (1) evaluate the security of 
airport perimeters and the controls that limit access into secured 
airport areas, (2) help airports implement and enhance perimeter 
security and access controls by providing them funding and technical 
guidance, and (3) implement measures to reduce the potential security 
risks posed by airport workers. 

What GAO Found:

TSA has begun evaluating the security of airport perimeters and the 
controls that limit access into secured airport areas. Specifically, 
TSA is conducting compliance inspections and vulnerability assessments 
at selected airports. These evaluations—though not complete—have 
identified perimeter and access control security concerns. While TSA 
officials acknowledged that conducting these airport security 
evaluations is essential to identifying additional perimeter and 
access control security measures and prioritizing their implementation, 
the agency has not determined how the results will be used to make 
improvements to the entire commercial airport system.

TSA has helped some airport operators enhance perimeter and access 
control security by providing funds for security equipment, such as 
electronic surveillance systems. TSA has also begun efforts to evaluate 
the effectiveness of security-related technologies, such as biometric 
identification systems. However, TSA has not begun to gather data on 
airport operators’ historical funding of security projects and current 
needs to aid the agency in setting funding priorities. Nor has TSA 
developed a plan for implementing new technologies or balancing the 
costs and effectiveness of these technologies with the security needs 
of individual airport operators and the commercial airport system as a 
whole.

TSA has taken some steps to reduce the potential security risks posed 
by airport workers. However, TSA had elected not to fully address all 
related ATSA requirements. In particular, TSA does not require 
fingerprint-based criminal history checks and security awareness 
training for all airport workers, as called for in ATSA. Further, TSA 
has not required airport vendors to develop security programs, another 
ATSA requirement. TSA said expanding these efforts would require a 
time-consuming rulemaking process and impose additional costs on 
airport operators. Finally, although not required by ATSA, TSA has not 
developed a plan detailing when and how it intends to address these 
challenges. 

Airport Perimeter Access Gate at a Large Commercial Airport: 

[See PDF for image]

Source: GAO.

[End of figure]

What GAO Recommends:

GAO is recommending that the Secretary of Homeland Security direct 
TSA’s Administrator to develop and provide Congress with a plan for 
meeting the requirements of the Aviation and Transportation Security 
Act and taking other actions to improve airport security.

TSA reviewed a draft of this report and generally agreed with GAO’s 
findings and recommendations. Technical comments were incorporated as 
appropriate.

www.gao.gov/cgi-bin/getrpt?GAO-04-728.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Cathleen Berrick at (202) 
512-3404 or berrickc@gao.gov.

[End of section]

Contents:

Letter:

Results in Brief:

Background:

TSA Has Begun Evaluating Commercial Airport Security but Needs a Better 
Approach for Assessing Results:

TSA Has Begun Efforts but Has Not Fully Developed Plans to Fund 
Security Enhancements and Assess Security Technologies:

TSA Has Helped to Reduce Potential Security Risks Posed by Airport 
Workers but Has Not Determined How to Fully Address Legislative 
Requirements:

Conclusions:

Recommendations for Executive Action:

Agency Comments:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a 
Risk Management Approach:

Appendix III: Comments from the Department of Homeland Security:

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Staff Acknowledgments:

Tables:

Table 1: Types of Enforcement Actions Used by TSA to Address Airport 
Operator Noncompliance with Security Requirements between October 2003 
and February 2004:

Table 2: Distribution of AIP Grant Funds Awarded for Security Projects 
by Project Type, Fiscal Year 2002:

Table 3: Distribution of Airports Receiving Grants Awarded by TSA for 
Perimeter and Access Control-Related Security and Projects Funded:

Figures:

Figure 1: ATSA Requirements Directed to TSA Related to Perimeter, 
Access Control, and Airport Worker Security:

Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison 
of Security Requirements That Apply to Each Airport Area:

Figure 3: Perimeter and Access Control Security Technologies Tested or 
Implemented at Selected Commercial Airports across the Nation:

Figure 4: Elements of a Risk Management Approach:

Figure 5: How a Risk Management Approach Can Guide Decision-Making:

Figure 6: TSA's Threat Assessment and Risk Management Approach:

Abbreviations:

AIP: Airport Improvement Program:

AOA: air operations area:

ATSA: Aviation and Transportation Security Act:

DHS: Department of Homeland Security:

FAA: Federal Aviation Administration:

FBI: Federal Bureau of Investigation:

FSD: federal security director:

NCIC: National Crime Information Center:

PARIS: Performance and Results Information System:

SIDA: security identification display area:

TSA: Transportation Security Administration:

TWIC: Transportation Workers Identification Credential Program:

United States General Accounting Office:

Washington, DC 20548:

June 4, 2004:

The Honorable Joseph I. Lieberman: 
Ranking Minority Member: 
Committee on Governmental Affairs: 
United States Senate:

The Honorable Jim Turner: 
Ranking Minority Member: 
Select Committee on Homeland Security: 
House of Representatives:

In November 2001, shortly after the September 11 terrorist attacks, 
President Bush signed into law the Aviation and Transportation Security 
Act, or ATSA (Pub. L. No. 107-71). The act established the 
Transportation Security Administration (TSA), giving it responsibility 
for securing all modes of transportation, including aviation. One of 
TSA's first challenges imposed by the act was to improve the security 
of airline passenger and baggage screening activities, activities for 
which TSA has direct responsibility. The agency is also taking action 
to address provisions of the act to improve three other areas of 
aviation security: the security of airport perimeters (such as airfield 
fencing and access gates), the adequacy of controls restricting 
unauthorized access to secured areas (such as building entry ways 
leading to aircraft), and security measures pertaining to individuals 
who work at airports. Recent media reports of security breaches and 
other illegal activities, such as drug smuggling, taking place at some 
airports highlight the importance of strengthening security in these 
areas. Taken as a whole, these areas, along with passenger and baggage 
screening, comprise key elements of the aviation security environment 
at commercial airports, both individually and as a nationwide system.

You requested that we examine TSA's efforts to strengthen security 
related to perimeter and access controls. This report assesses TSA's 
efforts to (1) evaluate the security of airport perimeters and the 
controls that limit access into secured airport areas, (2) help 
airports implement and enhance perimeter security and access controls 
by providing funding and technical guidance, and (3) implement measures 
to reduce the potential security risk posed by airport workers. Due to 
TSA's concern that the public release of some of our detailed findings 
could compromise aviation security, we also issued a restricted version 
of this report.

To perform these assessments, we analyzed TSA data on security 
evaluations conducted and funds distributed to commercial airports for 
security improvements. We also reviewed pertinent legislation, 
regulatory requirements, and policy guidance. To determine to what 
extent TSA had met requirements, we discussed with our Office of 
General Counsel specific requirements contained in three sections of 
the act:

* Section 106 (requirements for evaluating airport access controls, 
testing and evaluating security technologies, and providing technical 
and financial support to small and medium-sized airports);

* Section 136 (recommending commercially available measures to prevent 
access to secure airport areas and developing a deployment strategy for 
available technology at all large airports); and:

* Section 138 (performing background checks for all employees with 
unescorted access to secured airport areas, among others).

We obtained and analyzed TSA data on security breaches, covert testing, 
inspections of airport compliance with security regulations, and 
vulnerability assessments. (TSA's covert testing data and information 
on the test program are classified and are the subject of a separate 
classified GAO report.) We discussed the threat scenarios used in TSA 
vulnerability assessments with TSA officials to identify those related 
to perimeter and access control security. We obtained and analyzed data 
from the Federal Aviation Administration (FAA) and TSA on perimeter and 
access control-related security funds distributed to commercial airport 
nationwide. We reviewed reports on aviation security issued previously 
by GAO and the Department of Transportation Inspector General.

In addition, we conducted site visits at 12 commercial airports to 
observe airport security procedures and discuss issues related to 
perimeter and access control security with airport operator officials. 
These were Boston Logan International Airport, Atlanta Hartsfield 
Jackson International Airport, Ronald Reagan Washington National 
Airport, Washington Dulles International Airport, Orlando 
International Airport, Tampa International Airport, Miami 
International Airport, Los Angeles International Airport, San Francisco 
International Airport, Middle Georgia Regional Airport, Chattanooga 
Metropolitan Airport, and Columbus Metropolitan Airport. At 10 of these 
airports, we analyzed a sample of records to verify that the procedures 
to reduce the security risk of airport workers were followed. We also 
discussed security issues with TSA airport and headquarters officials, 
airport security coordinators at each of the nation's 21 largest and 
busiest airports (referred to by TSA as "category X" airports), as well 
as airport industry representatives. More detailed information on our 
scope and methodology is contained in appendix I. We conducted our 
review from June 2003 through March 2004 in accordance with generally 
accepted government auditing standards.

Results in Brief:

TSA has begun evaluating the security of airport perimeters and the 
controls that limit access into secured airport areas, but has not yet 
determined how the results of these evaluations could be used to make 
improvements to the nation's airport system as a whole. Specifically, 
TSA is conducting regulatory compliance inspections, covert testing of 
selected security procedures, and vulnerability assessments at selected 
airports. These evaluations--though not yet completed--have identified 
perimeter and access control security concerns. For example, TSA 
identified instances where airport operators failed to comply with 
existing security requirements, including access control-related 
regulations. (Our evaluation of TSA's covert testing of airport access 
controls is classified and is discussed in a separate classified 
report.) In addition, TSA identified threats to perimeter and access 
control security at each of the airports where vulnerability 
assessments were conducted in 2003. In January 2004, TSA temporarily 
suspended its assessment efforts to conduct higher-priority 
vulnerability assessments dealing with airport vulnerability to 
shoulder-fired missiles. TSA plans to begin conducting joint 
vulnerability assessments with the Federal Bureau of Investigation 
(FBI) but has not yet determined how it will allocate existing 
resources between its own independent airport assessments and the new 
joint assessments, or developed a schedule for conducting future 
vulnerability assessments. In addition, TSA has not yet determined how 
to use the results of its inspections in conjunction with its efforts 
to conduct covert testing and vulnerability assessments to enhance the 
overall security of the nation's commercial airport system.

TSA has helped some airports enhance perimeter and access control 
security by providing funds for security equipment, such as electronic 
surveillance systems. TSA has also begun efforts to evaluate the 
effectiveness of security-related technologies, such as biometric 
identification systems. Responsibility for funding most airport 
security projects shifted in December 2003 from FAA to TSA. As a 
result, TSA is developing new policies to determine how to review, 
approve, and prioritize security project funding. However, TSA has not 
yet begun to gather data on airport operators' historical funding of 
security projects and current needs to aid the agency in setting 
funding priorities. Nor has TSA developed a plan for implementing new 
technologies or balancing the costs and effectiveness of these 
technologies with the security needs of individual airports and the 
commercial airport system as a whole.

TSA has taken some steps to implement measures to reduce the potential 
security risk posed by airport workers. However, at the time of our 
review, TSA had not fully addressed all related requirements in the 
2001 Aviation and Transportation Security Act. For example, TSA 
required fingerprint-based criminal history records checks and security 
awareness training for most, but not all, airport workers called for in 
the act. TSA relies on background checks as a method of screening most 
airport workers in lieu of physical screening, as is conducted for 
passengers and their baggage. However, TSA has not analyzed the 
security threat posed by airport workers in terms of the potential 
costs and security benefits of physically screening all airport 
workers. Further, TSA has not addressed the act's provision that calls 
for the agency to require that airport vendors with direct access to 
the airfield and aircraft develop security programs to address security 
measures specific to vendor employees. TSA said that expanding 
requirements for background checks and security awareness training for 
additional workers and establishing requirements for vendor security 
programs would be costly to implement and would require time-consuming 
rule-making efforts to assess potential impacts and obtain and 
incorporate public comment on any proposed regulations.

This report contains recommendations to the Secretary of the Department 
of Homeland Security (DHS) to help the department articulate and 
justify future decisions on how best to proceed with security 
evaluations, fund and implement security improvements--including new 
security technologies--and implement additional measures to reduce the 
potential security risks posed by airport workers. We provided a draft 
of this report to TSA officials who generally concurred with our 
findings and recommendations. TSA's written comments are presented in 
appendix III.

Background:

ATSA, signed into law on November 19, 2001,[Footnote 1] shifted certain 
responsibilities for aviation security from commercial airport 
operators and air carriers to the federal government and the newly 
created Transportation Security Administration. Specifically, ATSA 
granted TSA direct operational responsibility for the screening of 
passengers and their baggage, as well as responsibility for overseeing 
U.S. airport operators' efforts to maintain and improve the security of 
commercial airport perimeters, access controls, and workers. While 
airport operators, not TSA, retain direct day-to-day operational 
responsibility for these areas of security, ATSA's sections 106, 136, 
and 138 direct TSA to improve the security of airport perimeters and 
the access controls leading to secured airport areas, as well as 
measures to reduce the security risks posed by airport workers, as 
shown in figure 1.

Figure 1: ATSA Requirements Directed to TSA Related to Perimeter, 
Access Control, and Airport Worker Security:

Requirements for evaluating airport access controls: 
Assess and test for airport compliance with access control requirements 
on an ongoing basis and report annually on the findings of the 
assessments; assess the effectiveness of penalties in ensuring 
compliance with security procedures and take any other appropriate 
enforcement actions when noncompliance is found. Sec.106(c)(2).

Requirements for strengthening the security of airport perimeters and 
access controls: 
Within 6 months after enactment of the act, recommend to airport 
operators commercially available measures or procedures to prevent 
access to secure airport areas by unauthorized persons. This 6-month 
assessment shall review emerging security technologies and procedures 
and shall include a 12- month deployment strategy for currently 
available technology at all category X (i.e., the largest and busiest) 
airports. Sec. 136.[A].

Requirements for strengthening the security of airport perimeters and 
access controls: 
Establish a pilot program in no fewer than 20 airports to test and 
evaluate technology for providing access control and security 
protections for closed or secure areas. Sec. 106(d).

Requirements for strengthening the security of airport perimeters and 
access controls: 
Develop a plan to provide technical support and financial assistance 
to small- and medium-sized airports to enhance security operations and 
to defray the cost of security. Sec. 106(b).

Requirements for reducing the risks posed by airport workers: 
Perform background checks for all employees with unescorted access to 
secured airport areas and individuals who have regularly escorted 
access to secured airport areas and review available law enforcement 
databases and records of other governmental and international agencies. Sec. 138.

Requirements for reducing the risks posed by airport workers: 
Require airports and air carriers to develop security awareness 
training programs for airport employees; ground crews; gate, ticket, 
curbside agents of the air carriers; and other individuals employed at 
airports. Sec. 106(e).

Requirements for reducing the risks posed by airport workers: 
Require vendors having direct access to the airfield and aircraft to 
develop their own security programs. Sec. 106(a).

Requirements for reducing the risks posed by airport workers: 
Require screening/ inspection of all persons, vehicles, equipment, 
goods, and property before entering secured areas of U.S. commercial 
airports. Sec. 106(a). 

Source: TSA and GAO.

[A] Section 136 also requires the Secretary of Transportation to 
conduct a review of reductions in unauthorized access at the category X 
airports no later than 18 months after the enactment of ATSA.

[End of figure]

* On February 17, 2002, TSA assumed responsibility from FAA for certain 
aspects of security at the nation's commercial airports, including 
FAA's existing aviation security programs, plans, regulations, orders, 
and directives.[Footnote 2] Soon thereafter, on February 22, 2002, the 
Department of Transportation issued regulations to reflect the change 
in jurisdiction from FAA to TSA.[Footnote 3] Also, TSA reissued 
security directives originally issued by FAA after September 11, 2001, 
related to perimeter and access control security.

TSA hired 158 federal security directors (FSDs) to oversee the 
implementation of these requirements at airports nationwide. The FSDs 
also work with inspection teams from TSA's Aviation Regulatory 
Inspection Division to conduct compliance inspections. In addition, as 
part of its oversight role, TSA headquarters staff conducts covert 
testing[Footnote 4] and vulnerability assessments to help individual 
airport operators determine how to improve security and to gather data 
to support systemwide analysis of security vulnerabilities and 
weaknesses. Airport operators are responsible for implementing TSA 
security requirements for airport perimeters, access controls, and 
airport workers. Each airport's security program, which must be 
approved by TSA, outlines the security policies, procedures, and 
systems the airport intends to use in order to comply with TSA security 
requirements.

There are about 450 commercial airports in the United States.[Footnote 
5] Depending upon the type of aircraft operations, airport operators 
must establish either complete, supporting, or partial security 
programs.[Footnote 6] Complete security programs include guidelines for 
performing background checks on airport workers, providing security 
training for these workers, and controlling access to secured airport 
areas, among other things. Federal regulations also require that 
commercial airports with complete security programs designate areas 
where specific security practices and measures are in place and provide 
a diagram of these areas. Figure 2 is a diagram of a typical commercial 
airport and the security requirements that apply to each airport area.

Figure 2: Diagram of Typical Commercial Airport Areas and a Comparison 
of Security Requirements That Apply to Each Airport Area:

[See PDF for image]

[End of figure]

TSA classifies airports into one of five categories (X, I, II, III, and 
IV) based on various factors, such as the total number of take-offs and 
landings annually, the extent to which passengers are screened at the 
airport, and other special security considerations. U.S. commercial 
airports are divided into different areas with varying levels of 
security. Individual airport operators determine the boundaries for 
each of these areas on a case-by-case basis, depending on the physical 
layout of the airport. As a result, some of these areas may overlap. 
Secured areas, security identification display areas (SIDA), and air 
operations areas (AOA) are not to be accessed by passengers, and 
typically encompass areas near terminal buildings, baggage loading 
areas, and other areas that are close to parked aircraft and airport 
facilities, including air traffic control towers and runways used for 
landing, taking off, or surface maneuvering. On the other hand, sterile 
areas are located within the terminal where passengers wait after 
screening to board departing aircraft. Access to these areas is 
controlled by TSA screeners at checkpoints where they conduct physical 
screening of passengers and their carry-on baggage for weapons and 
explosives.

According to TSA estimates, there are about 1,000,000 airport and 
vendor employees who work at the nation's commercial airports. About 
900,000 of these workers perform duties in the secured or SIDA areas. 
Airport operators issue SIDA badges to these airport workers. These 
badges identify the workers and grant them the authority to access the 
SIDA and secured areas without an escort. Examples of workers with 
unescorted access to the SIDA and secured areas include workers who 
access aircraft, including mechanics, catering employees, refuelers, 
cleaning crews, baggage handlers, and cargo loaders. TSA estimates 
there are an additional 100,000 employees who work in sterile airport 
areas, such as the concourse or gate area where passenger flights load 
and unload. Examples of employees who work or perform duties in the 
sterile area include those operating concessions and shops, and other 
air carrier or vendor employees. Other workers may, from time to time, 
need to enter the SIDA or secured area and must be accompanied by an 
escort who has been granted unescorted access authority. According to 
TSA, only a relatively small number of airport workers need regular 
escorted access to the SIDA and secured areas.[Footnote 7] Job 
functions in this category would include delivery personnel, 
construction workers, and specialized maintenance crews.

Methods used by airports to control access through perimeters or into 
secured areas vary because of differences in the design and layout of 
individual airports, but all access controls must meet minimum 
performance standards in accordance with TSA requirements. There are a 
variety of commercially available technologies that are currently used 
for these purposes or are used for other industries but could be 
applied to airports. In addition, TSA has a research and development 
program to develop new and emerging technologies for these and other 
security-related purposes.

TSA Has Begun Evaluating Commercial Airport Security but Needs a Better 
Approach for Assessing Results:

TSA has three efforts under way to evaluate the security of commercial 
airports' perimeters and the controls that limit unauthorized access 
into secured areas. While ATSA only requires that TSA perform 
compliance inspections, the agency also relies on covert 
testing[Footnote 8] of selected security procedures and vulnerability 
assessments to meet the legislation's mandate to strengthen perimeter 
and access control security. TSA acknowledged the importance of 
conducting these evaluation efforts as an essential step to determine 
the need for, and prioritization of, additional perimeter security and 
access control security measures. But the agency has not yet 
established several elements needed for effective short-and long-term 
management of these evaluations, such as schedules for conducting its 
efforts and an analytical approach to using the results of its 
evaluations to make systematic improvements to the nation's commercial 
airport system.

TSA Has Revised Its Approach to Conducting Airport Compliance 
Inspections but Has Not Determined How to Use Results to Strengthen 
Security:

ATSA, (Sec. 106 (c)(2)), requires TSA to assess and test for airport 
compliance with federal access control security requirements and report 
annually on its findings. TSA originally planned to conduct 
comprehensive assessments at each commercial airport periodically. 
Staff from TSA's Aviation Regulatory Inspection Division along with 
local airport inspection staff working under federal security directors 
completed relatively few comprehensive airport inspections in fiscal 
year 2002, although TSA completed considerably more in 2003. In 
addition, TSA records indicated that a significant number of 
individual, or "supplemental" inspections of specific areas of security 
or local airport security concerns were conducted in fiscal years 2002 
and 2003, respectively. TSA, however, did not identify the scope of 
these inspections, or how many airports were inspected through its 
supplemental inspections. In addition, the agency did not report on the 
results of these comprehensive or individual supplemental inspections, 
as required by ATSA. According to TSA, the agency was limited in its 
ability to analyze these data because compliance reports submitted 
during this time frame were compiled in a prototype reporting system 
that was under development. In July 2003, TSA deployed the automated 
system--Performance and Results Information System (PARIS)--and began 
to compile the results of compliance reviews.

In TSA's Annual Inspection and Assessment Plan for fiscal year 2004, 
TSA revised its approach for reviewing airport operator compliance with 
security regulations.[Footnote 9] According to TSA, the new inspection 
process uses risk management principles that consider threat factors, 
local security issues, and input from airport operators and law 
enforcement to target key vulnerabilities and critical assets. Under 
the new inspection process, the local federal security director at each 
airport is responsible for determining the scope and emphasis of the 
inspections, as well as managing local TSA inspection staff. According 
to the agency, the continuous inspections approach resulted in 
completion of a significant number of individual inspections of airport 
access controls and other security requirements in the first few months 
of fiscal year 2004.

The percentage of inspections that found airport operators to be in 
compliance with security requirements, including those related to 
perimeters and access control, was high. According to TSA, its goal is 
for airport operators to be in 100 percent compliance with security 
requirements. Despite the generally high compliance rates, TSA 
identified some instances of airport noncompliance involving access 
controls.

According to TSA, the agency's new approach to conducting compliance 
inspections is designed to be a cooperative process based on the 
premise that voluntary and collaborative airport operator compliance to 
facilitate solutions to security issues is more effective than the use 
of penalties to enforce compliance. This approach is intended to 
identify the root causes of security problems, develop solutions 
cooperatively with airport operators, and focus the use of civil 
enforcement actions on the most serious security risks revealed by 
TSA's inspections. As a result, TSA said that the majority of airport 
inspection violations related to airport security was addressed through 
on-site counseling with airport operator officials, rather than 
administrative actions or civil monetary penalties, which TSA is 
authorized to issue when airport operators fail to address identified 
areas of noncompliance.[Footnote 10] According to TSA, on-site 
counseling is used only for minor infractions that can be easily and 
quickly corrected. Administrative actions progress from a warning 
notice suggesting corrective steps to a letter of correction that 
requires an airport operator to take immediate action to avoid civil 
penalties. TSA was able to provide the number of cases in which it 
recommended the issuance of civil penalties to airport operators for 
violations of security requirement.[Footnote 11] Table 1 shows the 
various types of enforcement actions used by TSA to address airport 
operator noncompliance with security requirements for the period 
between October 2003 and February 2004.

Table 1: Types of Enforcement Actions Used by TSA to Address Airport 
Operator Noncompliance with Security Requirements between October 2003 
and February 2004:

Enforcement action: Resolved with counseling; 
Sanction used: None; 
Number of enforcement actions: 571.

Enforcement action: Administrative action; 
Sanction used: Warning notice; 
Number of enforcement actions: 106.

Enforcement action: Administrative action; 
Sanction used: Letter of correction; 
Number of enforcement actions: 123.

Enforcement action: Civil penalties recommended; 
Sanction used: Monetary; 
Number of enforcement actions: 67.

Enforcement action: Total; 
Number of enforcement actions: 867. 

Source: GAO analysis of TSA data.

[End of table]

TSA had not assessed the effectiveness of these penalties in ensuring 
airport compliance with security requirements as required by ATSA (Sec. 
106 (c)(2)). TSA said the agency was not able to conduct inspections at 
all commercial airports in prior years, or assess the effectiveness of 
the use of penalties to ensure airport compliance because of limited 
personnel assigned to perform these tasks and agency decisions to 
direct these resources to address other areas of aviation security, 
such as passenger and baggage screening operations. According to TSA, 
the primary focus of field inspectors was to monitor passenger and 
baggage screening operations immediately following the attacks of 
September 11. As a result, routine inspections were not assigned as 
high a priority during the months following the attacks. For example, 
while DHS authorized TSA to use 639 full-time employees for the purpose 
of performing airport security inspections in fiscal year 2003, TSA 
allocated 358 full-time employees for this purpose. TSA said that the 
agency is hiring new regulatory inspectors at airports to help conduct 
required inspections. In its fiscal year 2005 budget submission, TSA 
requested over 1,200 full-time employees to conduct compliance 
inspections.

TSA said airport compliance inspections are needed to ensure that 
airport operators take steps to address deficiencies as they are 
identified. TSA also said that the agency has proposed measuring the 
performance of individual airport against national performance 
averages, and airports that fall below accepted levels of compliance 
will receive additional inspections or other actions. However, TSA has 
not yet developed a plan outlining how the results of its compliance 
inspections will be used to interpret and help analyze the results of 
airport vulnerability assessments and covert testing. For example, at 
the time of our review, a majority of airports tested had high 
compliance rates, indicating that these airports are implementing most 
security regulations. However, assessing airport operator compliance 
with security requirements as a stand-alone measure does not provide a 
complete picture of the level of security at these airports. Covert 
testing and vulnerability assessments provide additional information 
that, taken together with the results of compliance inspections, 
provide a more complete picture of the security environment at 
commercial airports on a systemwide basis.

Initial Airport Vulnerability Assessments Reveal Security Concerns, but 
TSA Lacks Both a Timetable for Completion and a Plan for Making 
Systematic Improvements:

From September to December 2003,[Footnote 12] TSA conducted 
vulnerability assessments at some of the nation's commercial airports 
to help individual airport operators determine how to improve security. 
At the time of our review, TSA had not established a schedule for 
completing assessments at the remaining airports. TSA is conducting 
these vulnerability assessments as part of a broader effort to 
implement a risk management approach to better prepare for and 
withstand terrorist threats. A risk management approach is a systematic 
process to analyze threats, vulnerabilities, and the criticality (or 
relative importance) of assets to better support key decisions. (See 
app. II for a description of risk management principles and TSA's tools 
for implementing these principles.)[Footnote 13] TSA uses various 
threat scenarios that describe potentially dangerous situations as a 
basis for conducting its vulnerabilities assessments. During the 
assessments, TSA and airport operators review the scenarios and rank 
them according to the risk each poses to the individual airport.

As part of each vulnerability assessment, TSA provided airport 
operators with a report on the results and recommended short-and long-
term countermeasures to reduce the threats identified. According to 
TSA, some of these countermeasures may be difficult for (1) airport 
operators to implement because of limited availability of security 
funding and (2) TSA to mandate because issuing new security regulations 
is an often time-consuming process that involves public comment and 
analysis of potential impacts.[Footnote 14] However, TSA does have 
authority under 49 U.S.C. § 114(l)(2) to issue regulations or security 
directives immediately in order to protect transportation security.

Various sources have highlighted the importance of TSA's continuing 
efforts to assess airport vulnerabilities. For example, in December 
2003, the President issued a directive[Footnote 15] calling for 
assessments of the vulnerability of critical infrastructure, including 
airports, to assist in developing the nation's homeland security 
strategy. In addition, TSA data on reported security breaches[Footnote 
16] of airport access controls revealed that such known breaches have 
increased in recent years.[Footnote 17] Further, airport operator 
officials we spoke with noted the importance of vulnerability 
assessments as the key step in determining needed security enhancements 
at each airport. Specifically, airport security coordinators at 12 of 
the nation's 21 largest and busiest airports said that a TSA 
vulnerability assessment would facilitate their efforts to 
comprehensively identify and effectively address perimeter and access 
control security weaknesses.

At the time of our review, TSA had allocated 9 staff to conduct the 
vulnerability assessments and another 5 staff to analyze the 
results.[Footnote 18] According to TSA, these staff also perform other 
assessment and analytical tasks. Although TSA initially said that it 
expected to conduct additional assessments in 2004, the agency 
suspended its efforts to use established threat scenarios to assess 
vulnerabilities in January 2004. TSA said that the agency elected to 
redirect staff resources to conduct higher priority assessments of the 
threat posed by shoulder-fired missiles, also referred to as man 
portable air defense systems (MANPADS). In addition, TSA said that the 
agency planned to begin conducting joint vulnerability assessments with 
the FBI. The FBI previously conducted joint assessments with FAA in 
response to requirements established in the Federal Aviation 
Administration Reauthorization Act of 1996. At the time of our review, 
TSA said that the agency had not yet determined how to allocate its 
resources to conduct vulnerability assessments using established threat 
scenarios versus initiating joint assessment efforts with the FBI. When 
TSA resumes its scenario-based assessment efforts, the agency plans to 
prioritize its efforts by focusing on the most critical airports. (TSA 
said the agency intends to determine the criticality of commercial 
airports based on factors such as current threat intelligence, the 
number of fatalities that could occur during an attack on the airport, 
and the economic and sociopolitical importance of the facility.):

After TSA resumes its assessment efforts, the agency intends to compile 
baseline data on security vulnerabilities to enable it to conduct a 
systematic analysis of airport security vulnerabilities on a nationwide 
basis. TSA said such an analysis is essential since it will allow the 
agency to determine minimum standards and the adequacy of security 
policies and help the agency and airports better direct limited 
resources. Nonetheless, at the time of our review, TSA had not yet 
developed a plan that prioritizes its assessment efforts, provides a 
schedule for completing these assessments, or describes how assessment 
results will be used to help guide agency decisions on what, if any, 
security improvements are needed.

TSA Has Begun Efforts but Has Not Fully Developed Plans to Fund 
Security Enhancements and Assess Security Technologies:

Through funding of a limited number of security enhancements, TSA has 
helped to improve perimeter and access control security at some 
airports. However, at the time of our review, TSA had not yet developed 
a plan to prioritize expenditures to ensure that funds provided have 
the greatest impact in improving the security of the commercial airport 
system. Concerning evaluations of security technologies, ATSA contained 
three provisions (Secs. 136, 106(b), and 106(c)) directing TSA to 
assess security technologies related to perimeter and access control 
security and develop a plan to provide technical (and funding) 
assistance to small-and medium-sized airport operators. TSA has not 
fully addressed these provisions or developed plans for how and when 
these requirements will be met. Some airport operators are currently 
testing or implementing security technologies independently, while 
others are waiting for TSA to complete its own technology assessments 
and issue guidance.

TSA Assumed Responsibility for Funding Security Improvements but Has 
Not Yet Set Priorities:

In fiscal years 2002 and 2003, TSA worked with FAA to review and 
approve security-related Airport Improvement Program (AIP) grant 
applications[Footnote 19] for perimeter security and access control 
projects and other security-related projects. As we reported in October 
2002,[Footnote 20] perimeter and access control security measures--
fencing, surveillance and fingerprinting equipment, and access control 
systems--accounted for almost half of fiscal year 2002 AIP funding for 
security projects, as shown in table 2.

Table 2: Distribution of AIP Grant Funds Awarded for Security Projects 
by Project Type, Fiscal Year 2002:

Dollars in millions.

Type of security project: Access control; 
Grant award amount: $141.8; 
Percentage of total security funding: 25.3%.

Type of security project: Perimeter fencing; 
Grant award amount: $78.1; 
Percentage of total security funding: 13.9%.

Type of security project: Surveillance and fingerprinting equipment; 
Grant award amount: $51.4; 
Percentage of total security funding: 9.2%.

Subtotal; 
Grant award amount: $271.3; 
Percentage of total security funding: 48.4%.

Other security projects funded (primarily terminal modifications); 
Grant award amount: $289.8; 
Percentage of total security funding: 51.6%.

Total; 
Grant award amount: $561.1; 
Percentage of total security funding: 100.0%. 

Source: GAO analysis of AIP grant awards.

[End of table]

In fiscal year 2003, FAA provided a total of $491 million for security-
related AIP projects, including about $45.6 million for perimeter 
fencing projects and another $56.9 million for access control security, 
a total of about 21 percent of security funding. In addition, Congress 
appropriated a $175 million supplement to the program in January 2002 
to reimburse 317 airports for post-September 11 security 
mandates.[Footnote 21]

TSA said that FAA's AIP served as its plan to provide the financial 
assistance to small and medium-sized airports required by Section 
106(b) of ATSA. According to TSA, local federal security directors 
worked with FAA officials to review and approve security-related AIP 
grant applications submitted by individual airports, evaluating their 
merits on an airport-by-airport basis based on guidelines developed and 
provided by TSA. TSA has not, however, developed an approach to 
prioritize funding for perimeter and access control security projects 
at small-and medium-sized (or larger) airports. Without a plan to 
consider airports' security needs systematically, including those of 
small-and medium-sized airports, TSA could not ensure that the most 
critical security needs of the commercial airport system were 
identified and addressed in a priority order. More importantly, because 
TSA has assumed primary responsibility for funding security-related 
projects, FAA's AIP cannot continue to serve as TSA's plan for 
providing financial assistance to small-and medium-sized airports. 
Without a plan, TSA could be less able to document, measure, and 
improve the effectiveness of the agency's efforts to provide funding 
support for enhancing perimeter and access control security.

While acknowledging the lack of a specific plan, TSA said the agency 
had, in conjunction with FAA, deployed and installed explosive 
detection systems, explosive trace detection and metal detection 
devices, and other security equipment at many small-and medium-sized 
airports for use by federal screeners at those airports and that over 
300 small-and medium-sized airports had received technical support and 
equipment of some kind. However, in advising FAA throughout this 
process, TSA did not compile and analyze historical information on the 
cost and types of technology used or the specific airports receiving 
AIP assistance for perimeter and access control-related security 
enhancement projects (although TSA stated that historical data were 
available that could be used to conduct such analyses). FAA has 
historically maintained data on the uses of AIP funding (including the 
types of projects funded, amounts, and locations) in a commonly used 
commercial database system (Access). In addition, airport associations, 
such as the American Association of Airport Executives, also collect 
and disseminate information on the use of AIP funds for security 
enhancements.[Footnote 22] Without analyses of such historical 
information, TSA's ability to establish a baseline of security funding 
for current and future planning efforts to enhance perimeter and access 
controls could be limited.

In addition to consulting with FAA to provide funding for airport 
security projects through the AIP, TSA recently began providing 
security funding directly to airport operators. Specifically, in 
December 2003, TSA awarded approximately $8 million in grants to 8 
airports as part of $17 million appropriated by Congress for enhancing 
the security of airport terminals, including access controls and 
perimeter security.[Footnote 23] Table 3 provides a brief description 
of the perimeter and access control security-related projects at the 8 
airports TSA selected for funding.[Footnote 24]

Table 3: Distribution of Airports Receiving Grants Awarded by TSA for 
Perimeter and Access Control-Related Security and Projects Funded:

Airport: Providence T. F. Green; 
Funding: $2.38 million; 
Purpose of security project: Video surveillance system for detecting 
and tracking unauthorized persons and vehicles that may breach the 
perimeter of the airport and advanced ground radar-based security 
display system for detecting persons or vehicles inside the airport 
perimeter.

Airport: Newark International; 
Funding: $1.67 million; 
Purpose of security project: Video surveillance system for detecting 
and tracking persons and vehicles that breach the airport perimeter.

Airport: Helena Regional; 
Funding: $1.2 million; 
Purpose of security project: Sensors to detect intruders on airport 
property.

Airport: Boston Logan International Airport; 
Funding: $989,879; 
Purpose of security project: Automated system to manage security 
equipment.

Airport: Pittsburgh International; 
Funding: $600,453; 
Purpose of security project: Video surveillance system to monitor 
airport exits from controlled terminal areas.

Airport: Chicago Midway Airport; 
Funding: $533,016; 
Purpose of security project: Physical barrier system that can be 
deployed so that the evacuation of an entire concourse may be avoided 
should an incident occur at the checkpoint.

Airport: Denver International; 
Funding: $309,033; 
Purpose of security project: Video surveillance system to monitor 
airport exits from controlled terminal areas.

Airport: Key West International; 
Funding: $195,400; 
Purpose of security project: Video surveillance system for detecting 
and tracking persons and vehicles on the air operations area. 

Source: GAO analysis of TSA data.

[End of table]

The Vision 100--Century of Aviation Reauthorization Act shifted most of 
the responsibility for airport security project funding from FAA and 
the AIP to TSA by establishing a new Federal Aviation Security Capital 
Fund in December 2003.[Footnote 25] Through the new fund, Congress 
authorized up to $500 million for airport security for each fiscal year 
from 2004 through 2007. Of the total, $250 million will be derived from 
passenger security fees, along with an additional authorization of up 
to $250 million. Of this amount, half of the money from each funding 
source is to be allocated pursuant to a formula that considers airport 
size and security risk.[Footnote 26] The other half would be 
distributed at the Under Secretary's discretion, with priority given to 
fulfilling intentions to obligate under letters of intent that TSA has 
issued. TSA said it is working on, but had not yet developed policies 
and procedures for, first, defining how the agency will fund and 
prioritize airport security projects under the new program or second, 
determining how much, if any, of the new funding will be used for 
perimeter security and access control projects.[Footnote 27] However, 
TSA said that the administration requested in its 2005 budget 
justification that Congress eliminate the allocation formula so that 
the agency could allocate funds according to a threat-based, risk 
assessment approach, regardless of the size of the airport.

TSA Lacks a Technology Plan to Guide Future Enhancements to Airport 
Perimeter Security and Access Controls:

TSA has begun efforts to test commercially available and emerging 
security technologies to enhance perimeter and access control security. 
However, TSA has not yet fully addressed three ATSA requirements 
related to testing, assessing, recommending, and deploying airport 
security technologies and has not taken steps to otherwise compile and 
communicate the results of airport operators' independent efforts to 
test and deploy security technologies.[Footnote 28]

Two ATSA provisions required that TSA assess technologies for enhancing 
perimeter and access control security. The first provision (Sec. 136) 
required that TSA (1) recommend commercially available security 
measures or procedures for preventing access to secured airport areas 
by unauthorized persons within 6 months of the act's passage and (2) 
develop a 12-month deployment strategy for commercially available 
security technology at the largest and busiest airports (category 
X).[Footnote 29] TSA has not explicitly addressed the requirements in 
this provision and did not meet the associated legislative deadlines. 
For example, TSA has not recommended commercially available 
technologies to improve surveillance and use of controls at access 
points by May 2002 or developed a deployment strategy. TSA said the 
agency failed to meet these deadlines because resources and management 
attention were primarily focused on meeting the many deadlines and 
requirements associated with passenger and baggage screening, tasks for 
which TSA has direct operational responsibility.

The second technology provision of ATSA (Sec. 106(d)) requires that TSA 
establish a pilot program to test, assess, and provide information on 
new and emerging technologies[Footnote 30] for improving perimeter and 
access control security at 20 airports. TSA's $20 million Airport 
Access Control Pilot Program is intended to assist the agency in 
developing minimum performance standards for airport security systems, 
assess the suitability of emerging security technologies, and share 
resulting information with airport operators and other aviation 
industry stakeholders. In October 2003, TSA selected a systems 
integrator to oversee the program and coordinate testing; however, the 
agency has not selected the specific technologies to be evaluated. TSA 
plans to look at four areas: biometric identification systems, new 
identification badges, controls to prevent unauthorized persons from 
piggybacking (following authorized airport workers into secured areas), 
and intrusion detection systems.[Footnote 31] TSA said the agency will 
conduct the technology assessments in two phases and that the second 
phase is scheduled to be completed by the end of 2005.[Footnote 32] 
However, TSA has not developed a plan describing the steps it will take 
once the program is completed, although TSA said the agency intends to 
communicate the results of both assessment phases to airport operators. 
TSA also said the agency will determine how to use results of the 
technology assessments and if it will issue any new security or 
performance standards to airports nationwide when both program 
assessment phases are completed. Without a plan that considers the 
potential steps the agency may need to take to effectively use the 
results of the pilot tests--for example, by issuing new standards--
TSA's ability to take effective and immediate steps once the program is 
completed could be limited.

In addition to the pilot program, testing of a national credentialing 
system for workers in all modes of transportation--the Transportation 
Workers Identification Credential (TWIC) Program--is another effort 
that may help TSA address the requirement in Section 136 of ATSA 
related to testing and recommending commercially available security 
technologies to enhance perimeter and access control security. 
According to TSA, the program is intended to establish a uniform 
identification credential for 6 million workers who require unescorted 
physical or cyber access to secured areas of transportation facilities. 
The card is intended to combine standard background checks and new and 
emerging biometric technology so that a worker can be positively 
matched to his or her credential. According to TSA, the agency spent 
$15 million for the program in fiscal year 2003. In April 2003, TSA 
awarded a contract for $3.8 million to an independent contractor to 
assist TSA in the technology evaluation phase of the TWIC program and 
to test and evaluate different types of technologies at multiple 
facilities across different modes of transportation at pilot sites. 
Congress directed $50 million for the TWIC program for fiscal year 
2004. This program is scheduled for completion in 2008. We have a 
separate review under way looking at TSA's TWIC pilot testing at 
maritime ports and expect to report to the Senate Commerce Committee 
later this year.

Airport operators and aviation industry associations identified a 
number of operational issues that they said need to be resolved for the 
TWIC card to be feasible. For example, they said the TWIC card would 
have to be compatible with the many types of card readers used at 
airports around the country, or new card readers would have to be 
installed. At large airports, this could entail replacing hundreds of 
card readers, and airport representatives have expressed concerns about 
how this effort would be funded. According to TSA, however, the TWIC 
card is intended to be compatible with all airports' card readers. 
Nonetheless, TSA has not yet conducted an analysis of the cost and 
operational impacts of implementing the program at airports nationwide. 
TSA said it intends to gather additional information needed to conduct 
such an analysis at some point in the future.

The third provision of ATSA related to technology (Sec. 106(b)) 
requires that TSA develop a plan to provide technical (and funding) 
support to small-and medium-sized airports. TSA had not developed such 
a plan. As discussed earlier, TSA said that FAA's AIP was the agency's 
effort to meet this provision. However, this was an FAA plan and did 
not fully meet the requirement. More importantly, because the amount of 
money coming from the AIP for security-related projects will be 
significantly reduced, and thereby TSA's continuing in involvement with 
FAA in administering the program, the AIP cannot continue to serve as 
TSA's plan for providing technical assistance to small-and medium-sized 
airports. Without a plan, TSA could be less able to document, measure, 
and improve the effectiveness of the agency's efforts to provide 
technical support for enhancing perimeter and access control security.

Airport Operators' Response to Lack of TSA Guidance on Security 
Technology Varies:

We contacted airport operator officials responsible for security at the 
nation's 21 largest and busiest U.S. commercial airports to obtain 
their views on the need for technical guidance from TSA to enhance the 
security of perimeters and access controls. Some airport operators said 
they were waiting for TSA to complete its technology assessments before 
enhancing perimeter and access control security, while other airport 
operators were independently testing and deploying security 
technologies. Officials at these airports said they are waiting for TSA 
to provide guidance before proceeding with security upgrades. These 
airport operators also said that security technology is very costly, 
and they cannot afford to pay for testing technology prior to 
purchasing and installing such technology at their airports. They said 
that information or guidance from TSA about what technologies are 
available or most effective to safeguard airport perimeters would be 
beneficial. Conversely, officials at other airports also said they were 
assessing what is needed to improve their perimeter security and access 
controls by independently testing and installing security technologies. 
Several of these officials said that the trial-and-error approach to 
improving security would not be necessary if TSA would act as a 
clearinghouse for information on the most effective security 
technologies and how they can be applied. They said that their 
independent efforts did not always ensure that increasingly limited 
resources for enhancing security were used in the most effective way.

In addition to contacting the 21 largest and busiest airports, we 
identified 13 other airports as examples of airports that have tested 
or implemented technologies for improving airport perimeter and access 
control security.[Footnote 33] Figure 3 shows where various perimeter 
and access control security technologies were being tested at the time 
of our review or had been implemented at selected commercial airports 
across the nation.

Figure 3: Perimeter and Access Control Security Technologies Tested or 
Implemented at Selected Commercial Airports across the Nation:

[See PDF for image]

Source: GAO and American Association of Airport Executives.

[End of figure]

While some independent efforts have been successful in identifying 
effective security technologies, others have been less successful. For 
example, one airport operator said it contracted with a private 
technology vendor to install identity authentication technology to 
screen documents presented by job applicants. The airport completed a 
5-month pilot program in the fall of 2002 and subsequently purchased 
two workstations to implement the technology at the airport at a cost 
of $130,000. Another airport operator conducted an independent pilot 
program in 2002 to test a biometric recognition system in order to 
identify airport workers. The system compared 15 airport workers 
against a database of 250 airport workers, but operated at a high 
failure rate. Although compiling information on this pilot test and 
other airports' efforts would augment TSA's own efforts to assess 
technology, TSA has not considered the costs and benefits of compiling 
and assessing the information being collected through these independent 
efforts. TSA agreed that compiling such data could be beneficial, but 
the agency had not yet focused its attention on gathering data to 
generate useful information on such independent testing efforts. 
Without taking steps to collect and disseminate the results of these 
independent airport operator efforts to test and deploy security 
technologies, TSA could miss opportunities to enhance its own testing 
activities, as well as help other airport operators avoid potentially 
costly and less effective independent test programs.

TSA Has Helped to Reduce Potential Security Risks Posed by Airport 
Workers but Has Not Determined How to Fully Address Legislative 
Requirements:

TSA has taken steps to increase measures to reduce the potential 
security risks posed by airport workers, but it has not addressed all 
of the requirements in ATSA related to background checks, screening, 
security training, and vendor security programs or developed plans that 
describe the actions they intend to take to fully address these 
requirements. For example, TSA required criminal history records checks 
and security awareness training for most, but not all, the airport 
workers called for in ATSA (Secs. 138(a)(8) and 106(e), respectively). 
Finally, TSA does not require airport vendors with direct access to the 
airfield and aircraft to develop security programs, which would include 
security measures for vendor employees and property, as required by 
ATSA (Sec. 106(a)). TSA cited resource, regulatory, and operational 
concerns associated with performing checks on additional workers, and 
providing additional training, as well as the potentially significant 
costs to vendors to establish and enforce independent security 
programs. However, TSA had not yet completed analyses to quantify these 
costs, determine the extent to which the industry would oppose 
regulatory changes, or determine whether it would be operationally 
feasible for TSA to monitor implementation of such programs.

Background Checks Are Not Required for All Airport Workers, and the 
Checks Have Limitations:

TSA requires most airport workers who perform duties in secured and 
sterile areas to undergo a fingerprint-based criminal history records 
check, and it requires airport operators to compare applicants' names 
against TSA's aviation security watch lists.[Footnote 34] Once workers 
undergo this review, they are granted access to airport areas in which 
they perform duties. For example, those workers who have been granted 
unescorted access to secured areas are authorized access to these areas 
without undergoing physical screening for prohibited items (which 
passengers undergo prior to boarding a flight). To meet TSA 
requirements, airport operators transmit applicants' fingerprints to a 
TSA contractor, who in turn forwards the fingerprints to TSA, who 
submits them to the FBI to be checked for criminal histories that could 
disqualify an applicant for airport employment. TSA also requires that 
airport operators verify that applicants' names do not appear on TSA's 
"no fly" and "selectee" watch lists to determine whether applicants are 
eligible for employment.[Footnote 35]

According to TSA, all airport workers who have unescorted access to 
secured airport areas--approximately 900,000 individuals nationwide--
underwent a fingerprint-based criminal history records check and 
verification that they did not appear on TSA's watch lists by December 
6, 2002, as required by regulation. In late 2002, TSA required airport 
operators to conduct fingerprint-based checks and watch list 
verifications for an additional approximately 100,000 airport workers 
who perform duties in sterile areas. As of April 2004, TSA said that 
airport operators had completed all of these checks. To verify that 
required criminal checks were conducted, we randomly sampled airport 
employee files at 9 airports we visited during our review and examined 
all airport employee files at a 10th airport.[Footnote 36] Based on our 
samples, we estimate that criminal history record checks at 7 of the 
airports were conducted for 100 percent of the airport 
employees.[Footnote 37] In the other 2 airports in which samples were 
conducted, we estimate that criminal history checks were conducted for 
98 percent and 96 percent of the airport workers.[Footnote 38] At the 
10th airport, we examined all airport employee files.We found that 
criminal history checks were conducted for 93 percent of the airport 
employees there. Although airport operators could not provide 
documentation that the checks were conducted in a small number of 
cases, airport security officials said that no individuals were granted 
access to secured or sterile areas without the completion of such a 
check. TSA said that verification of airport compliance with background 
check requirements was a standard part of airport compliance 
inspections. For example, according to TSA, the agency conducted 
criminal history records check verification inspections at 103 airports 
between October 1, 2003, and February 9, 2004, and found that the 
airports were in compliance about 99 percent of the time.

TSA does not require airport workers who need access to secured areas 
from time to time (such as construction workers), and who must be 
regularly escorted, to undergo a fingerprint check or scan against law 
enforcement databases, even though such checks are also required by 
ATSA (Sec. 138(a)(6)). Although TSA does not require that airport 
operators conduct these checks, TSA drafted a proposed rule in 2002 to 
require checks on individuals escorted in secured areas. The draft rule 
also set forth minimum standards for providing escorts for these 
individuals. In a February 2003 report on TSA's efforts to enhance 
airport security, the Department of Transportation Inspector General 
recommended that TSA revise its proposed rule to enhance the security 
benefits that the new rule could provide by including (1) additional 
background check requirements, (2) a more specific description of 
escort procedures, and (3) a clarification on who would be exempt from 
such requirements.[Footnote 39] However, at the time of our review, TSA 
had not addressed these recommendations, issued the proposed rule, or 
developed a schedule for conducting and completing the rule making 
process. According to TSA, the agency plans to proceed with its rule 
making to address background checks for those who have regularly 
escorted access, and, in consultation with DHS and the Office of 
Management and Budget, has included this rule making as part of a 
priority list of 20 rule makings that the agency plans to initiate in 
the next 12 months.

The Effectiveness of Fingerprint-Based Criminal Checks Is Limited:

While TSA has taken steps to conduct fingerprint-based checks for 
airport employees who work in secured and sterile areas, certain 
factors limit the effectiveness of these checks. For example, 
fingerprint-based checks only identify individuals with fingerprints 
and a criminal record on file with the FBI's national fingerprint 
database. Limitations of these checks were highlighted by recent 
multifederal agency investigations, which found that thousands of 
airport workers falsified immigration, Social Security, or criminal 
history information to gain unescorted access to secured and sterile 
airport areas.[Footnote 40] In some of these cases, airport workers who 
had provided false information to obtain unescorted access underwent a 
fingerprint-based check and passed.[Footnote 41] TSA noted that the 
federal government had not yet developed a system that would allow 
interagency database searches to provide access to social security and 
immigration information.[Footnote 42]

Another limitation with TSA's process for conducting background checks 
on airport workers is that fingerprint checks do not include a review 
of, among other things, all available local (county and municipal) 
criminal record files. As a result, an individual could pass the 
fingerprint check although he or she had a local criminal record. TSA 
officials did not consider the lack of a local criminal records check 
to be a limiting factor because local criminal records are not likely 
to include any of the 28 criminal convictions that would disqualify an 
individual from obtaining unescorted access to secured airport areas. 
According to TSA, local criminal files do not include the more serious 
crimes such as murder, treason, arson, kidnapping, and espionage that 
are listed in state and federal criminal databases. Further, several 
airport operator officials we spoke with expressed concern about cases 
in which individuals had committed disqualifying criminal offenses and 
were ultimately granted access to secured areas because federal law 
(and TSA's implementing regulation) disqualifies an individual only if 
he or she has been convicted of an offense within 10 years of applying 
for employment at the airport. Others said that a few disqualifying 
criminal offenses, such as air piracy, warranted a lifetime rather than 
a 10-year ban on employment in secured airport areas. Also, current 
regulation requires that airport workers must report if they are 
convicted of a crime after the initial criminal check is conducted and 
surrender their security identification badges within 24 hours of their 
conviction.[Footnote 43] In addressing the issue of background checks 
in May 2003, the Department of Transportation's Inspector General 
issued a statement supporting random recurrent background 
checks.[Footnote 44]

TSA recognizes the potential limitations of current fingerprint check 
requirements and has taken steps to improve the process. For example, 
in 2002, TSA began conducting an additional two-part background check 
consisting of a name-based FBI National Crime Information Center (NCIC) 
check and a terrorist link analysis against selected terrorism 
databases for the approximately 100,000 airport workers who perform 
duties in sterile areas. TSA said it expanded the background check 
process for these workers because it believed that the cost was more 
feasible for airport operators to bear, given these workers represent a 
significantly smaller population than workers who have unescorted 
access to secured areas. TSA used the NCIC database, a computerized 
index of documented criminal justice information, to conduct a criminal 
history record check that compares an individual's name against 19 
nationwide criminal history lists.[Footnote 45] The terrorist link 
analysis determines whether an airport worker is known to pose a 
potential terrorist threat. TSA officials noted that the terrorist link 
analysis could identify personal information on airport employment 
applications, among other things, thus improving the current background 
check process.

TSA Faces Challenges in Expanding the Scope of Background Checks:

TSA faces challenges in expanding the scope and frequency of current 
background check requirements to include additional airport workers and 
more extensive background checks. In terms of expanding background 
checks to include airport workers who have regularly escorted access to 
secured areas, TSA said that determining how many workers are regularly 
escorted in secured airport areas is a challenge because these 
individuals (such as construction workers) enter the airport on an 
infrequent and unpredictable basis. TSA said airport officials could 
not easily determine how many workers are regularly escorted in secured 
areas and which workers would warrant a background check. TSA had not 
conducted any sampling or other analysis efforts to attempt to 
determine how many workers this might include.

In terms of expanding the scope of current background check 
requirements to include more extensive checks on airport workers who 
have unescorted access to secured areas, TSA cited the time needed to 
establish regulatory requirements for the more extensive checks and the 
potential costs of conducting the checks as challenges. In contrast, to 
reduce the security risk associated with federal airport screeners, TSA 
conducts far more extensive checks before providing screeners the same 
level or lower levels of airport access.

The agency supports conducting the expanded checks for all commercial 
aviation workers and estimated that the cost to perform fingerprint-
based criminal history records checks for all secured and sterile area 
workers nationwide has been approximately $60 million to $80 million 
(or about $60 to $80 for each of the approximately 1 million secured 
and sterile area workers). TSA had not estimated the costs of applying 
additional checks to all airport workers. In addition, TSA stated that 
increasing the frequency of background checks would also increase costs 
to airport operators. However, TSA had not developed a specific cost 
analysis to assess the costs of expanding the scope and frequency of 
the checks or whether the additional security provided by taking such 
steps would warrant the additional costs.

TSA said the agency is considering alternatives for how these 
additional checks would be funded. TSA also said that requiring airport 
workers themselves to pay for a portion of the background check, which 
is a common practice at some airports, could help to fund these 
additional checks. In recognition of the potential security risk posed 
by airport workers, TSA said the agency was weighing the costs and 
security benefits of expanding the scope and frequency of current 
background check requirements to include additional airport workers, as 
well as more extensive checks. However, TSA has not yet established a 
plan outlining how and when it will do so. For example, TSA has not yet 
proposed specific analyses to support its decision making or a schedule 
describing when it plans to decide this issue.

TSA Cites Challenges to Physically Screening All Airport Workers:

TSA has different requirements for screening airport workers. For 
sterile area workers, TSA requires, among other things, that they be 
screened at the checkpoint. According to TSA's Office of Chief Counsel, 
TSA intended that sterile area workers be required to enter sterile 
areas through the passenger-screening checkpoint and be physically 
screened. However, airport officials, with the FSD's approval, may 
allow sterile area workers to enter sterile areas through employee 
access points or may grant them unescorted access authority and SIDA 
badges.[Footnote 46]

TSA does not require airport workers who have been granted unescorted 
SIDA access to be physically screened for prohibited items when 
entering secured areas. According to TSA, the agency relies on its 
fingerprint-based criminal history records check as a means of meeting 
the ATSA requirement that all individuals entering secured areas at 
airports be screened and that the screening of airport workers provides 
at least the same level of protection that results from physical 
screening of passengers and their baggage. However, as previously 
noted, there are limitations with the scope and effectiveness of the 
background check process. TSA acknowledged that physically screening 
airport workers for access to secured areas could increase security, 
but it cited challenges such as the need (and associated costs) for 
more screening staff and increased passenger delays. Although TSA said 
fingerprint checks are a more economically feasible alternative, the 
agency had not conducted analyses to determine the actual costs, 
assessed the potential operational delays that could occur, or the 
reduction of the risk posed by airport workers that physical screening 
would provide. However, in October 2002, TSA conducted an analysis of 
threats posed by airport workers with access to secured areas, and one 
recommendation in the resulting report was to require airport operators 
to conduct random physical screening of workers entering secured 
areas.[Footnote 47] TSA elected not to adopt this recommendation 
because of what it characterized as the cost and operational 
difficulties in physically screening workers. However, TSA did not 
gather or analyze data from airports to substantiate its claim.

Some airport operator officials we contacted agreed with TSA that 
physically screening workers prior to entering secured areas would be 
costly and difficult. For example, some airport operator officials said 
physical screening of these airport workers would result in increased 
staffing costs and longer wait times for passengers at passenger-
screening checkpoints, or could require screening airport workers at a 
location separate from passengers to avoid passenger delays. In 
addition to the operational difficulty of physically screening each 
worker, TSA and airport operators noted that some airport workers must 
use prohibited items (such as box cutters and knives) to perform their 
job functions, and monitoring which workers are allowed to carry such 
items could be difficult. Also, these prohibited items would still be 
available to workers who wished to use them to cause harm even after 
they had been physically screened. At one airport we visited, airport 
workers who have access to secured areas are required to undergo 
physical screening when they arrive at work through centralized 
employee-screening checkpoints but are not screened when they 
subsequently enter secured areas through other access points.

TSA has not estimated the cost associated with requiring physical 
screening of secured area airport workers, although airport operators 
and industry associations believe the cost would be significant. While 
TSA is weighing the security benefits of requiring physical screening 
of workers who have access to secured airport areas against the 
associated costs, the agency has yet to determine whether such 
requirements will be established. According to TSA, screening in the 
form of enhanced background checks on all airport workers--checks that 
would investigate Social Security information, immigration status, and 
links to terrorism--would, if instituted, further ensure that airport 
workers were trustworthy and reduce risk, if not the need to physically 
screen workers. However, TSA has not developed a plan defining when and 
how the agency will determine whether it will institute these expanded 
checks or if physically screening airport workers who need access to 
secured areas is ultimately necessary and feasible.

TSA Requires Security Training for Some but Not All Airport Workers:

ATSA, (Sec. 106(e)), mandates that TSA require airport operators and 
air carriers to develop security awareness training programs for 
airport workers such as ground crews, and gate, ticket, and curbside 
agents of air carriers. However, while TSA requires such training for 
these airport workers if they have unescorted access to secured areas, 
the agency does not require training for airport workers who perform 
duties in sterile airport areas.[Footnote 48] According to TSA, 
training requirements for these airport workers have not been 
established because additional training would result in increased costs 
for airport operators. Nonetheless, officials at some airports we 
visited said that the added cost is warranted and have independently 
required security training for their airport employees that work in 
sterile areas to increase awareness of their security responsibilities. 
Among other things, security training teaches airport workers their 
responsibility to challenge suspicious persons who are not authorized 
to be in secured areas (an area included in TSA airport covert testing 
programs). Some airport operator officials said they also used 
challenge reward programs, whereby airport workers are given rewards 
for challenging suspicious persons or individuals who are not 
authorized to be in secured areas, as a way of reinforcing security 
awareness training.

Many airport operator officials we spoke with were concerned that 
security training for airport workers in secured areas is not required 
by TSA regulations on a recurrent basis, an issue previously raised by 
the Department of Transportation's Inspector General.[Footnote 49] TSA 
also agreed that recurrent training could be beneficial in raising the 
security awareness of airport workers. Although recurrent training is 
not required by ATSA or by TSA regulation, a federal law does require 
recurrent security training for the purpose of improving secured area 
access controls.[Footnote 50] Other airport operators independently 
provide recurrent training for individuals who demonstrate a lack of 
security awareness.

TSA has acknowledged the value of recurrent training for its own 
workforce. We previously identified that training for TSA employees--
airport screeners--should be recurrent, and TSA said it is developing a 
recurrent training program for its screening workforce to aid in 
maintaining security awareness, among other things.[Footnote 51] At the 
time of our review, TSA said it was considering the benefits of 
expanding the scope and frequency of security training against the 
associated costs in time and money to airport operators and businesses. 
However, TSA had not developed a plan or schedule for conducting the 
analyses needed to support its decision making or projected when a 
decision might be made.

TSA Does Not Require Airport Vendors to Develop Their Own Security 
Programs:

TSA has not issued a regulation requiring airport vendors[Footnote 52] 
(companies doing business in or with the airport) with direct access to 
the airfield and aircraft to develop a security program, as required by 
ATSA (Sec. 106(a)). TSA had not developed an estimate of the number of 
airport vendors nationwide, although TSA officials said the number 
could be in the thousands. As an example, security officials at an 
airport we visited said that over 550 airport vendors conducted 
business in or with the airport. According to TSA, existing airport 
security requirements address the potential security risks posed by 
vendors and their employees. For example, vendor employees that perform 
duties in secured or sterile areas are required to undergo a 
fingerprint-based criminal history records check, just as other airport 
workers are and are prevented by access controls from entering secured 
airport areas if they are not authorized to do so. However, as 
discussed above, fingerprint-based criminal history records checks may 
have limitations.

Many airport operator and airport association officials we spoke with 
said that requiring vendors to develop their own security program would 
be redundant because the airport's security program comprises all 
aspects that a vendor program would include, such as requirements for 
employee security training, procedures for challenging suspicious 
persons, background checks, monitoring and controlling employee 
identification badges, and securing equipment and vehicles. In 
addition, some said such a requirement would also place a financial and 
administrative burden on vendors doing business at the airport, 
particularly the smaller ones, to develop and update such programs. Two 
airport vendors we spoke with said that developing security programs 
could be costly, time-consuming, and require the use of a consultant 
with the necessary security expertise to develop such a plan. In 
addition, vendors said that airport operators are in the best position 
and have the necessary expertise to determine security policies for all 
workers, including vendors, working at the airport.[Footnote 53]

According to TSA, requiring vendors to develop and maintain their own 
security programs would also present a resource challenge to TSA's 
inspection staff. In addition to conducting reviews of airport operator 
and air carrier compliance with federal security regulations, the 
already understaffed inspection workforce would also have to determine 
a way to review vendor security programs and enforce any violations. 
According to TSA, the process of reviewing the programs and verifying 
implementation of the program's provisions could require visits to 
thousands of different vendor locations spread throughout the United 
States.[Footnote 54] Despite these challenges, TSA said the agency is 
considering the costs, benefits, and feasibility of issuing a 
regulation that would require airport vendors to develop security 
programs in order to meet the requirements in ATSA. TSA said that it 
has formed a working group to consider the best approach to take, and 
this group could become the core of any future rule-making team if 
necessary. However, the agency has not developed a plan detailing when 
this analysis will be complete or when any decisions about whether to 
issue a new rule will be made.

Conclusions:

During its first 2 years, TSA assumed a wide variety of 
responsibilities to ensure that airport perimeter and access controls 
are secure and that the security risks posed by airport workers are 
reduced. Given the range of TSA's responsibilities and its relative 
newness, it is understandable that airport security evaluations remain 
incomplete and that some provisions of ATSA--which pose operational and 
funding challenges--have not been met. TSA has begun efforts to 
evaluate the security environments at airports, fund security projects 
and test technologies, and reduce the risks posed by airport workers. 
However, these efforts have been in some cases fragmented rather than 
cohesive. As a result, TSA has not yet determined how it will address 
the resource, regulatory, and operational challenges the agency faces 
in (1) identifying security weaknesses of the commercial airport system 
as a whole, (2) prioritizing funding to address the most critical 
needs, or (3) taking additional steps to reduce the risks posed by 
airport workers. Without a plan to address the steps it will take to 
fulfill the wide variety of security oversight responsibilities the 
agency has assumed in the area of perimeter and access control 
security, TSA will be less able to justify its resource needs and 
clearly identify its progress in addressing requirements in ATSA and 
associated improvements in this area of airport security. Such a plan 
would also provide a better framework for Congress and others 
interested in holding TSA accountable for the effectiveness of its 
efforts.

Recommendations for Executive Action:

To help ensure that TSA is able to articulate and justify future 
decisions on how best to proceed with security evaluations, fund and 
implement security improvements--including new security technologies--
and implement additional measures to reduce the potential security 
risks posed by airport workers, we recommend that the Secretary of 
Homeland Security direct TSA's Administrator to develop and provide 
Congress with a plan for meeting the requirements of ATSA. In addition, 
at a minimum, we recommend the following four actions be addressed:

* Establish schedules and an analytical approach for completing 
compliance inspections and vulnerability assessments for evaluating 
airport security.

* Conduct assessments of technology, compile the results of these 
assessments as well as assessments conducted independently by airport 
operators, and communicate the integrated results of these assessments 
to airport operators.

* Use the information resulting from the security evaluation and 
technology assessment efforts cited above as a basis for providing 
guidance and prioritizing funding to airports for enhancing the 
security of the commercial airport system as a whole.

* Determine, in conjunction with aviation industry stakeholders, if and 
when additional security requirements are needed to reduce the risks 
posed by airport workers and develop related guidance, as needed.

Agency Comments:

We provided a draft copy of this report to the Department of Homeland 
Security and the Transportation Security Administration for their 
review and comment. TSA generally concurred with the findings and 
recommendations in the report and provided formal written comments that 
are presented in appendix III. These comments noted that TSA has 
started to, or plans to, implement many of the actions we recommended. 
TSA also provided technical comments that we incorporated as 
appropriate.

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from the date of this report. At that time, we will send copies to 
appropriate congressional committees; the Secretary, DHS; the 
Secretary, DOT; the Director of Office of Management and Budget; and 
other interested parties. We will also make copies available to others 
upon request. In addition, the report will be available at no charge on 
GAO's Web site at http://www.gao.gov.

If you or your staff have any questions about this report, please 
contact me at (202) 512-3404 or at berrickc@gao.gov or Chris Keisling, 
Assistant Director, at (404) 679-1917 or at keislingc@gao.gov. Key 
contributors to this report are listed in appendix IV.

Signed by: 

Cathleen A. Berrick: 
Director, Homeland Security and Justice Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

To assess the Transportation Security Administration's (TSA) efforts to 
(1) evaluate the security of airport perimeters and the controls that 
limit access into secured airport areas, (2) help airports implement 
and enhance perimeter security and access controls by providing funding 
and technical guidance, and (3) implement measures to reduce the 
potential security risk posed by airport workers, we reviewed pertinent 
legislation (the Aviation and Transportation Security Act, or ATSA), 
regulatory requirements, and policy guidance. We discussed specific 
ATSA requirements related to Sections 106, 136, and 138, which address 
perimeter and access control security, as well as strengthening 
requirements for airport workers, with our Office of General Counsel to 
determine to what extent TSA had met these requirements. We limited our 
review of TSA's efforts to test, assess, and deploy security 
technologies as it related to provisions in Sections 106 and 136 of 
ATSA. We also obtained and analyzed TSA data on security breaches, 
inspections of airport compliance with security regulations, and 
vulnerability assessments. (TSA's covert testing data and information 
on the test program is classified and is the subject of a separate GAO 
report.) We discussed the threat scenarios used in TSA vulnerability 
assessments with TSA officials to identify those related to perimeter 
and access control security. We also obtained and analyzed data from 
the Federal Aviation Administration (FAA) and TSA on perimeter and 
access control-related security funds distributed to commercial 
airports nationwide. We also reviewed reports on aviation security 
issued previously by us and the Department of Transportation Inspector 
General.

We discussed the reliability of TSA's airport security breach data for 
fiscal years 2001, 2002, and 2003 (through October); vulnerability 
assessment data for 2003; and compliance inspection data for fiscal 
years 2002, 2003, and 2004 (to February) with TSA officials in charge 
of both efforts. Specifically, we discussed methods for inputting, 
compiling, and maintaining the data. In addition, we reviewed reports 
related to TSA's compliance reviews and vulnerability assessments to 
determine the results and identify any inconsistencies in the data. 
Subsequently, no inconsistencies were found, and we determined that the 
data provided by TSA were sufficiently reliable for the purposes of our 
review.

In addition, we conducted site visits at 12 commercial airports (8 
category X, 1 category I, 1 category II, 1 category III, and 1 category 
IV) to observe airport security procedures and discuss issues related 
to perimeter and access control security with airport officials. 
Airports we visited were Boston Logan International Airport, Atlanta 
Hartsfield Jackson International Airport, Ronald Reagan Washington 
National Airport, Washington Dulles International Airport, Orlando 
International Airport, Tampa International Airport, Miami 
International Airport, Los Angeles International Airport, San Francisco 
International Airport, Middle Georgia Regional Airport, Chattanooga 
Metropolitan Airport, and Columbus Metropolitan Airport. We chose these 
airports on the basis of several factors, including airport size, 
geographical dispersion, and airport efforts to test and implement 
security technologies. We also conducted semistructured interviews with 
airport security coordinators at each of the 21 category X airports to 
discuss their views on perimeter and access control security issues. In 
addition, we contacted or identified 13 other airports that had tested 
or implemented perimeter and access control security technologies.

We reviewed a random sample of 838 airport workers at 10 of the 12 
airports we visited (categories X, I, and II) where workers were 
indicated as having a fingerprint-based criminal history records check 
in calendar year 2003 to verify that these workers had undergone the 
check. We did not conduct a records review at the category III and IV 
commercial airports we visited. We randomly selected probability 
samples from the study populations of airport workers who underwent a 
fingerprint-based criminal history record check in the period between 
January 1, 2003, and the date in which we selected our sample or 
December 31, 2003, whichever was earlier. With these probability 
samples, each member of the study populations had a nonzero probability 
of being included, and that probability could be computed for any 
member. Each sample element selected was subsequently weighted in the 
analysis to account statistically for all the members of the population 
at each airport. Because we followed a probability procedure based on 
random selections at each airport, our samples are only one of a large 
number of samples that we might have drawn. Since each sample could 
have provided different estimates, we express our confidence in the 
precision of our particular samples' results as 95 percent confidence 
intervals (e.g., plus or minus 7 percentage points). These are the 
intervals that would contain the actual population value for 95 percent 
of the samples we could have drawn. As a result, we are 95 percent 
confident that each of the confidence intervals in this report will 
include the true values in the respective study populations.

Further, we interviewed TSA headquarters officials in Arlington, 
Virginia, and from the Office of Internal Affairs and Program Review, 
Office of Aviation Operations, Office of Chief Counsel, Credentialing 
Program Office, Office of Aviation Security Measures, and officials 
from the Office of Technology in Atlantic City, New Jersey, to discuss 
the agency's efforts to address perimeter and access control security. 
We also spoke with officials from two aviation industry associations--
the American Association of Airport Executives and Airports Council 
International--to obtain their views on the challenges associated with 
improving perimeter and access control security. We also interviewed 
airport vendors to determine the need and feasibility of requiring all 
vendors to develop their own security programs.

We conducted our work between June 2003 and March 2004 in accordance 
with generally accepted government auditing standards.

[End of section]

Appendix II: GAO's Risk Assessment Model and TSA's Tools to Implement a 
Risk Management Approach:

Risk management is a systematic and analytical process to consider the 
likelihood that a threat will endanger an asset, an individual, or a 
function and to identify actions to reduce the risk and mitigate the 
consequences of an attack. Risk management principles acknowledge that 
while risk cannot be eliminated, enhancing protection from existing or 
potential threats can help reduce it. Accordingly, a risk management 
approach is a systematic process to analyze threats, vulnerabilities, 
and the criticality (or relative importance) of assets to better 
support key decisions. The purpose of this approach is to link 
resources with efforts that are of the highest priority. Figure 4 
describes the elements of a risk management approach.

Figure 4: Elements of a Risk Management Approach:

A threat assessment identifies and evaluates potential threats on the 
basis of factors such as capabilities, intentions, and past activities. 
This assessment represents a systematic approach to identifying 
potential threats before they materialize, and is based on threat 
information gathered from both the intelligence and law enforcement 
communities. However, even if updated often, a threat assessment might 
not adequately capture some emerging threats. The risk management 
approach, therefore, uses vulnerability and criticality assessments as 
additional input to the decision-making process.: A vulnerability 
assessment identifies weaknesses that may be exploited by identified 
threats and suggests options to address those weaknesses. In general, a 
vulnerability assessment is conducted by a team of experts skilled in 
such areas as engineering, intelligence, security, information systems, 
finance, and other disciplines.

A threat assessment identifies and evaluates potential threats on the 
basis of factors such as capabilities, intentions, and past activities. 
This assessment represents a systematic approach to identifying 
potential threats before they materialize, and is based on threat 
information gathered from both the intelligence and law enforcement 
communities. However, even if updated often, a threat assessment might 
not adequately capture some emerging threats. The risk management 
approach, therefore, uses vulnerability and criticality assessments as 
additional input to the decision-making process.: A criticality 
assessment evaluates and prioritizes assets and functions in terms of 
specific criteria, such as their importance to public safety and the 
economy. The assessment provides a basis for identifying which 
structures or processes are relatively more important to protect from 
attack. As such, it helps managers to determine operational 
requirements and target resources at their highest priorities, while 
reducing the potential for targeting resources at lower priorities.

Source: GAO.

[End of figure]

Figure 5 illustrates how the risk management approach can guide 
decision making and shows that the highest risks and priorities emerge 
where the three elements of risk management overlap.

Figure 5: How a Risk Management Approach Can Guide Decision-Making:

[See PDF for image]

[End of figure]

For example, an airport that is determined to be a critical asset, 
vulnerable to attack, and a likely target would be at most risk and, 
therefore, would be a higher priority for funding compared with an 
airport that is only vulnerable to attack. In this vein, aviation 
security measures shown to reduce the risk to the most critical assets 
would provide the greatest protection for the cost.

According to TSA, once established, risk management principles will 
drive all decisions--from standard setting to funding priorities and to 
staffing. TSA has not yet fully implemented its risk management 
approach, but it has taken steps in this direction. Specifically, TSA's 
Office of Threat Assessment and Risk Management is in various stages of 
developing four assessment tools that will help assess threats, 
criticality, and vulnerabilities. TSA plans to fully implement and 
automate its risk management approach by September 2004. Figure 6 shows 
TSA's threat assessment and risk management approach.

Figure 6: TSA's Threat Assessment and Risk Management Approach:

[See PDF for image]

[End of figure]

The first tool, which will assess criticality, will determine a 
criticality score for a facility or transportation asset by 
incorporating factors such as the number of fatalities that could occur 
during an attack and the economic and sociopolitical importance of the 
facility or asset. This score will enable TSA, in conjunction with 
transportation stakeholders, to rank facilities and assets within each 
mode and thus focus resources on those that are deemed most important. 
TSA is working with another Department of Homeland Security (DHS) 
office--the Information and Analysis Protection Directorate--to ensure 
that the criticality tool will be consistent with DHS's overall 
approach for managing critical infrastructure.

A second tool--the Transportation Risk Assessment and Vulnerability 
Tool (TRAVEL)--assesses threats and analyzes vulnerabilities at those 
transportation assets TSA determines to be nationally critical. The 
tool is used in a TSA-led and -facilitated assessment that will be 
conducted on the site of the transportation asset. The facilitated 
assessments typically take several days to complete and are conducted 
by TSA subject matter experts, along with airport representatives such 
as operations management, regulatory personnel, security personnel, and 
law enforcement agents. Specifically, the tool assesses an asset's 
baseline security system and that system's effectiveness in detecting, 
deterring, and preventing various threat scenarios, and it produces a 
relative risk score for potential attacks against a transportation 
asset or facility. Established threat scenarios contained in the TRAVEL 
tool outlines a potential threat situation including the target, 
threatening act, aggressor type, tactic/dedication, contraband, 
contraband host, and aggressor path. In addition, TRAVEL will include a 
cost-benefit component that compares the cost of implementing a given 
countermeasure with the reduction in relative risk to that 
countermeasure. TSA is working with economists to develop the cost-
benefit component of this model and with the TSA Intelligence Service 
to develop relevant threat scenarios for transportation assets and 
facilities. According to TSA officials, a standard threat and 
vulnerability assessment tool is needed so that TSA can identify and 
compare threats and vulnerabilities across transportation modes. If 
different methodologies are used in assessing the threats and 
vulnerabilities, comparisons could be problematic. However, a standard 
assessment tool would ensure consistent methodology.

A third tool--the Transportation Self-Assessment Risk Module (TSARM)--
will be used to assess and analyze vulnerabilities for assets that the 
criticality assessment determines to be less critical. The self-
assessment tool included in TSARM will guide a user through a series of 
security-related questions in order to develop a comprehensive security 
baseline of a transportation entity and will provide mitigating 
strategies for use when the threat level increases. For example, as the 
threat level increases from yellow to orange, as determined by DHS, the 
assessment tool might advise an entity to take increased security 
measures, such as erecting barriers and closing selected entrances. TSA 
had deployed one self-assessment module in support of targeted maritime 
vessel and facility categories.[Footnote 55]

The fourth risk management tool that TSA is currently developing is the 
TSA Vulnerability Assessment Management System (TVAMS). TVAMS is TSA's 
intended repository of criticality, threat, and vulnerability 
assessment data. TVAMS will maintain the results of all vulnerability 
assessments across all modes of transportation. This repository will 
provide TSA with data analysis and reporting capabilities. TVAMS is 
currently in the conceptual stage and requirements are still being 
gathered.

[End of section]

Appendix III: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security:

Office of the Administrator 
601 South 12th Street 
Arlington,VA 22202-4220:

Transportation Security Administration:

MAY 24, 2004:

Ms. Cathleen Berrick:

Director, Homeland Security & Justice Issues: 
U.S. General Accounting Office:
441 G Street, N.W. 
Washington, D.C. 20548:

Dear Ms. Berrick:

Thank you for the opportunity to comment on GAO's draft report 
entitled, "Aviation Security: Further Steps Needed to Strengthen the 
Security of Commercial Airport Perimeters and Access Control," GAO-04-
728.

The Transportation Security Administration (TSA) appreciates the work 
done in this report to identify areas where security of our Nation's 
airports may be enhanced. TSA believes that GAO's identification of 
areas where improvements are needed will contribute to our ongoing 
efforts to strengthen aviation security. We generally concur with the 
report and its recommendations and appreciate the discussion of 
challenges and next steps. However, there are a number of areas within 
the report about which we would like to comment.

On December 17, 2003, President Bush issued Homeland Security 
Presidential Directive 7 (HSPD-7), which directs the establishment of 
"a national policy for Federal departments and agencies to identify and 
prioritize United States critical infrastructure and key resources and 
to protect them from terrorist attacks." The Department of Homeland 
Security (DHS) is responsible under HSPD-7 for developing a National 
Critical Infrastructure Protection Plan, which is being managed by the 
DHS's Information Analysis and Infrastructure Protection Directorate 
(IAIP). This plan will be comprised of Sector Specific Plans (SSPs), 
and TSA has been assigned the primary responsibility to coordinate 
development of the SSP for Transportation. The development of this plan 
will involve intensive interaction with other DHS directorates and 
agencies, such as IAIP and the Coast Guard, and the Department of 
Transportation (DOT) and its modal administrations. The plan, which 
will be developed over the next several months will identify federal 
and private-sector stakeholders in each portion of the transportation 
sector, their roles and relationships; their means of communication; 
how important assets in the transportation sector will be identified, 
assessed, and prioritized; how protective programs will be developed; 
how progress in reducing risk will be measured and how program 
effectiveness will be communicated; and how research and development 
will be prioritized in the sector.

The development of the National Critical Infrastructure Protection Plan 
(NCIPP) and each sector chapter within the NCIPP is a monumental but 
essential task that requires the support and coordination of Federal 
departments and agencies, State and local governments, and the private 
sector.

TSA is on an aggressive timetable to complete the Transportation SSP to 
feed into the NCIPP. Therefore, while the GAO report concludes that TSA 
has not yet determined how it "will address the resource, regulatory, 
and operational challenges the agency faces in identifying security 
weaknesses of the commercial airport system as a whole," it is TSA's 
belief that the SSP and the NCIPP will provide the necessary framework 
and guidance to address challenges and prioritize resources according 
to the most critical needs across the entire transportation system, 
including the commercial aviation sector.

Additionally, TSA believes that the report creates the impression that 
TSA has done less than it actually has to provide security for 
commercial aviation. Much has been accomplished in the less than two 
years since enactment of the Aviation and Transportation Security Act 
(ATSA), and intervening time since completion of the Federalization of 
passenger security screening at U.S. airports on November 19, 2002. We 
have instituted a system of reinforcing rings of security to mitigate 
the risk of future terrorist or criminal acts. These security measures, 
supported by intelligence and threat analysis, work together to help 
secure aviation from curbside to cockpit. While no single component of 
our security system is infallible, we believe our system of mutually 
supporting rings of security has substantially improved the security of 
the traveling public. We believe the civil aviation sector is more 
secure today than it has ever been; however, we are always mindful that 
there is much yet to be done as we mature our many-layered "system of 
systems."

While we recognize that the scope of this report was confined to a 
review of airport perimeter security and access control, it is 
important to look at the totality of security measures put in place to 
protect civil aviation in order to completely assess where we are today 
in regards to aviation security.

[See PDF for image]

[End of figure]

All of the elements in our system of systems complement one another. 
First, the flow of intelligence information on terrorists, their 
methods and their plans, has greatly improved our understanding of the 
threats that we face and helped us to focus our resources on meeting 
those threats. TSA has also increased the level of existing 
coordination with our international partners at airports overseas and 
with air carriers that fly into and out of the United States. TSA and 
the Federal Aviation Administration (FAA) have helped fund many local 
airport projects to improve perimeter security, such as the 
construction of perimeter access roads, the installation of access 
control systems, electronic surveillance and intrusion detection 
systems, and security fencing.

Current security directives contain many requirements for 
implementation by airport and aircraft operators that relate to 
screening or inspecting people and material entering airport 
perimeters, including "secured" areas, security identification display 
areas, and the air operations area where commercial aircraft are 
located and serviced. For example, these security directives require 
specific measures at vehicle access gates, inspections of service 
personnel and their personal property, and identification checks at 
controlled access points to secured areas. Such countermeasures are 
implemented systematically at essentially all airports throughout the 
nation with some variations allowed by request.

TSA works closely with the FAA in the administration of the Airport 
Improvement Program (AIP), which is an FAA program, to assist in 
prioritizing applications for security related improvement projects. 
Federal Security Directors (FSDs) are also involved at the beginning of 
the AIP application process and actively collaborate with the airport 
operator to identify projects that would provide the greatest security 
impact for that particular airport. TSA plans to disseminate guidelines 
to FSDs to better define and provide guidance on the use of such funds. 
TSA headquarters personnel and FSDs will use information regarding the 
way in which these funds are used by the specific airports to make 
better-informed judgments about proposed security improvements 
occurring at U.S. airports.

TSA and other DHS component agencies, including Customs and Border 
Protection and Immigration and Customs Enforcement, continue to work 
daily with the FAA, DOT and other Federal and State agencies to 
effectively utilize communal resources to further secure and protect 
aviation. As we strive for nationwide consistency in the application of 
reasonable and prudent security measures, we will continue to take 
local concerns into account. Integrated planning with contributions 
from industry and local authorities is essential, but we must also 
maintain the ability to rapidly change security measures based upon the 
latest assessments from intelligence and law enforcement agencies:

Deploying screeners at almost 450 commercial airports around the 
country less than a year after our establishment was a remarkable feat. 
Similarly, by December 31, 2002, we met the Congressional deadline in 
the Aviation and Transportation Security Act to screen checked baggage 
for explosives. A highly trained force of screeners physically screens 
every passenger entering the sterile areas of airports. Aviation 
screeners receive a minimum of 40 hours of classroom training, 60 hours 
of on-the-job training, and are subject to periodic proficiency 
assessments and unannounced testing. Screeners are now provided 
continuous 
on-the-job training and immediate feedback and remediation through our 
deployment of the enhanced Threat Image Projection system. They are 
made aware of new threats and methods of concealment. We have also 
greatly improved the technology used at screening checkpoints and have 
improved our capability to detect weapons, explosives, and other 
prohibited items.

As part of our focus on improved perimeter security, TSA conducts 
assessments to identify vulnerable areas and needed security measures. 
The analysis of the results of these assessments will allow TSA to 
prioritize resources and take necessary steps to close any identified 
gaps. As you note in your report, TSA redirected resources from 
assessments using the Transportation Risk Assessment and Vulnerability 
Evaluation (TRAVEL) tool to conduct MANPADS assessments that were 
considered a higher priority at the time. Although resources were 
temporarily redirected from the TRAVEL to MANPADS assessments, a 
substantial number of compliance inspections were performed during this 
time, particularly in the areas of access control and access media. 
TSA's active completion of these MANPADS assessments ultimately 
provided valuable information for inclusion in broader airport 
perimeter security assessments at the airports at which they were 
conducted, helping us to fulfill our compliance inspection plan and 
develop the self assessment tool for aviation. All this was done in 
addition to the many layers of security that we have put in place since 
9/11. Since the completion of GAO's report, TSA has renewed its TRAVEL 
efforts, and has begun conducting joint vulnerability assessments (JVA) 
with the FBI. These vulnerability assessments are threat-based and will 
be applied at critical commercial airports. The JVA uses current, FBI-
developed threat information as its starting point, and then focuses on 
defining an airport's security system against a current threat. The 
application of the JVA tool will allow TSA to leverage existing FBI 
resources and knowledge base to better assess security gaps and 
vulnerabilities at particular airports. In addition to these government 
facilitated assessments, a self-assessment tool will be made available 
to airports that are deemed less critical which focus on prevention and 
mitigation of a base array of threat scenarios developed for various 
categories of transportation modes.

As part of our overall strategy to strengthen security of the aviation 
system, our analysis and evaluation of the results from the security 
evaluations, various assessments, and compliance inspections will be 
used to assess priorities and allocate resources to those areas which 
we believe require additional security measures.

TSA expanded the Federal Air Marshal Service (FAMS) from dozens of 
agents before 9/11 to thousands of highly trained law enforcement 
officers, flying the skies on both domestic and international flights. 
The FAMS transfer to U.S. Immigration and Customs Enforcement (ICE) 
created a "surge capacity" to effectively support overall homeland 
security efforts by cross-training FAMs and BICE agents to counter 
aviation security threats.

Under FAA rules, all commercial passenger aircraft that fly in the 
United States now have reinforced cockpit doors, making it highly 
unlikely that terrorists could successfully storm the cockpit. Pilots 
are now trained to refrain from opening the flight deck door, and if 
terrorists should somehow breach the reinforced flight deck door, they 
would meet with a flight deck crew determined to protect the flight 
deck at all costs. An increasing number of 
pilots are armed and trained to use lethal force against an intruder on 
the flight deck. The Federal Flight Deck Officers (FFDOs) that are 
currently flying have now flown over ten thousand flights, quietly 
providing another layer of security in our system of systems. As more 
FFDOs are deputized, this number will rise quickly into the hundreds of 
thousands of flights. With the enactment of the Vision 100 - Century of 
Aviation Reauthorization Act (Public Law 108-176), the FFDO program was 
expanded beyond commercial and charter passenger pilots. Now, cargo 
pilots and other flightcrew members - specifically flight engineers and 
navigators on both passenger and cargo planes - are also eligible and 
being trained for the program.

As you point out in your report, TSA is addressing ATSA requirements 
related to testing, assessing, and deploying airport security 
technologies. However, your report states that TSA has not developed a 
plan to fully address certain sections of ATSA related to perimeter and 
access control security. Working closely with the Department of 
Homeland Security (DHS) Science and Technology (S&T) Directorate, we 
have established an ambitious program to develop and deploy new 
security technologies and use technology to enhance human performance. 
Our efforts are well underway. TSA is currently involved in several 
programs that meet the ATSA requirements to assess security 
technologies and has provided guidance to FSDs and airport operators on 
security technologies. TSA recently selected eight airports to 
participate in Phase I of the Access Control Pilot Program, which will 
test Radio Frequency Identification (RFID) technology, anti-
piggybacking technology, advanced video surveillance technology, and 
various biometric technologies. Testing this off-the-shelf technology 
will give TSA the ability to determine the suitability of use in a 
real-world operational environment. Based on this analysis, TSA will 
then determine which technologies will be evaluated in Phase II. The 
information gleaned from this pilot will then be provided to industry 
representatives so that they may make informed decisions when designing 
access control systems to meet their security and regulatory needs. We 
also have a robust test and evaluation program that has evaluated a 
number of biometric devices, perimeter intrusion sensors, and anti-
piggybacking devices. Our program also includes developmental efforts 
such as the ASDE-3/X radar enhancement program to allow this deployed 
equipment to detect potential perimeter intrusion events. Additionally, 
TSA has developed a number of guides to assist in selecting and 
deploying security technologies, including reports with subjects such 
as perimeter security design, biometrics at domestic airports, and 
technology to address tailgating and piggybacking. 

In addition to the Access Control Pilot Program, TSA recently awarded 
Airport Terminal Security Enhancement grants totaling $8.2 million to 
ten airports. The grants will be used to deploy various technologies, 
including state-of-the-art video surveillance and RFID tags to track 
the location of mobile resources such as baggage carts and other 
vehicles in the secure areas of the airports. The first round of grants 
for terminal improvements was awarded in December 2003 to eight 
airports. This program is part of TSA's ongoing effort to work with the 
airports and private industry to explore and deploy the most advanced 
technology commercially available to enhance security for the aviation 
system.

As you also point out in your report, TSA expanded coverage of the 
aviation workforce with background checks when we directed that all 
sterile area workers undergo a two-part 
check in late 2002 and early 2003. Further, we are planning to conduct 
enhanced background checks on all sterile area and SIDA workers this 
year.

In further identifying the challenges that TSA faces in ensuring the 
effective and efficient security of the aviation system as a whole, TSA 
looks to partnerships created through stakeholder outreach, which has 
always been a priority for TSA. We work collaboratively with industry 
management and labor, and consumer stakeholders in identifying 
opportunities to increase efficiency and areas for improvement. We will 
continue to involve stakeholders in our decision-making process and 
communicate regularly and clearly with our customers, our partners, and 
our employees. In fact, TSA is actively involved in the development of 
a process tool to provide information to decision makers to achieve a 
balance of safety, security, and efficiency. The U.S. Commercial 
Aviation Partnership (USCAP) is a process that allows stakeholders to 
define areas of consensus and disagreement on the costs and benefits of 
significant security proposals. This tool is a means to focus 
stakeholder discussions on policy and economic impacts. TSA has the 
opportunity to use this tool as one source for the mandatory regulatory 
evaluation and to encourage policy discussions with meaningful cost and 
benefit comparisons.

TSA also continues to capitalize on its Federal partnerships and 
working with the DHS S&T Directorate, TSA is beginning a comprehensive 
review of the civil aviation security system now that over two years 
have passed since the enactment of the Aviation and Transportation 
Security Act and nearly fourteen years have passed since the Aviation 
Security Improvement Act of 1990. We are incorporating this review as 
part of our constant evaluation of the security measures we have put 
into place, and will be able to use the results of this report, along 
with our other evaluative efforts to consider other approaches to 
improved aviation security that may be available. We have learned a 
great deal very quickly, but there is still more to do to successfully 
accomplish our transportation security mission.

Much of this additional work hinges on understanding the bigger picture 
of our national transportation security system, which is intennodal, 
interdependent, and international in scope.

In sum, we appreciate your review of perimeter security and access 
control and commend you for the thorough analysis and discussion that 
comprises this report. We believe many of your recommendations are 
already being addressed by efforts well underway. As we 
continue to be cognizant of the areas where we can improve, we remain 
vigilant and focused on the security challenges we face.

Thank you for the opportunity to contribute comments to the draft 
report.

Sincerely,

Signed by: 

David M. Stone, ADM 
Acting Administrator:

[End of section]

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Norman J. Rabkin (202) 512-3610 Cathleen A. Berrick (202) 512-3404 
Chris Keisling (404) 679-1917:

Staff Acknowledgments:

In addition to those named above, Leo Barbour, Amy Bernstein, 
Christopher Currie, Dave Hooper, Thomas Lombardi, Sara Ann Moessbauer, 
Jan Montgomery, Steve Morris, Octavia Parks, Dan Rodriguez, and Sidney 
Schwartz were key contributors to this report.

FOOTNOTES

[1] ATSA, Pub. L. No. 107-71, 115 Stat. 597 (2001).

[2] ATSA created TSA as an agency within the Department of 
Transportation and referred to the head of the TSA as the Under 
Secretary of Transportation for Security. Since the transfer of TSA to 
the newly created DHS pursuant to the Homeland Security Act of 2002, 
Pub. L. 107-296,116 Stat. 2135, the title of the head of TSA has been 
administratively changed to Administrator. Within DHS, TSA is a 
distinct entity under the authority of the Under Secretary for Border 
and Transportation Security.

[3] TSA regulations governing airport security are codified at Title 49 
of the Code of Federal Regulations, Chapter XII.

[4] Covert testing involves TSA agents working undercover to evaluate, 
among other things, the effectiveness of access control processes and 
procedures.

[5] According to TSA, the total number of commercial airports regulated 
for security in the United States varies from about 429 to 456, 
depending on various factors such as the type and level of commercial 
operations that an aircraft operator conducts at that particular 
airport, the time of year or season where a particular airport is 
located, and the economic stability of that airport's region. 

[6] Supporting and partial security programs contain fewer requirements 
and typically apply to smaller airports. An aircraft operator may 
receive permission from TSA to amend its security program, provided 
that the proposed amendments are consistent with safety and the public 
interest and provide the requisite level of security. Also, if TSA 
concludes that the needs of safety and the public interest require an 
amendment to an aircraft operator's security program, the agency may 
amend the program on its own initiative.

[7] Regular escorted access is not defined in statute or by regulation.

[8] Our evaluation of TSA's covert testing of airport access controls 
is classified and is discussed in a separate report.

[9] TSA's inspections review for compliance in 14 areas. 

[10] The statutory authority for TSA to issue fines and penalties to 
individual airport operators, air carriers, and individual airport or 
airline workers for not complying with established security procedures 
is 49 U.S.C. § 46301. The penalty for an aviation security violation is 
found at 49 U.S.C. § 46301(a)(4) and states that the maximum civil 
penalty for violating chapter 449 [49 U.S.C. §§ 44901 et seq.] or 
another requirement under this title administered by the TSA's 
administrator shall be $10,000 except that the maximum civil penalty 
shall be $25,000 in the case of a person operating an aircraft for the 
transportation of passengers or property for compensation. 

[11] According to TSA, the agency's new automated reporting system 
documents the number of cases in which a civil penalty was recommended. 
TSA did not confirm the number of penalties issued.

[12] Prior to September 2003, TSA completed a vulnerability assessment 
of a "generic" large airport that focused on threats coming through an 
airport's perimeter. According to TSA, the assessment and its results, 
which were issued in October 2002, were of limited value because they 
focused on one airport area (perimeters) in isolation, and thus needed 
to be revalidated and updated in the context of the entire airport 
operation environment.

[13] U.S. General Accounting Office, Homeland Security: A Risk 
Management Approach Can Guide Preparedness Efforts, GAO-02-208T 
(Washington, D.C.: Oct. 31, 2001). 

[14] We have previously reported on the challenges associated with the 
issuance of aviation regulations, see U.S. General Accounting Office, 
Aviation Rulemaking: Further Reform Is Needed to Address Long-standing 
Problems, GAO-01-821 (Washington, D.C.: July 6, 2001). 

[15] On December 17, 2003, President Bush issued a Homeland Security 
Presidential Directive (#7) addressing critical infrastructure 
identification, prioritization, and protection. The directive calls for 
federal departments and agencies to identify, prioritize, and 
coordinate the protection of critical infrastructure and key resources 
in order to prevent, deter, and mitigate the effects of deliberate 
efforts to destroy, incapacitate, or exploit them. The directive also 
requires federal departments and agencies to work with state and local 
governments and the private sector to accomplish this objective. 

[16] A breach of security does not necessarily mean that a threat was 
imminent or successful. According to TSA, the significance of a breach 
must be considered in light of several factors, including the intent of 
the perpetrator and whether existing security measures and procedures 
successfully responded to, and mitigated against, the breach so that no 
harm to persons, facilities, or other assets resulted. 

[17] According to TSA, differences in the way FAA reported and complied 
breach data may account for some portion of the increase from 2001 to 
2003. Through its PARIS, TSA hopes to standardize breach data reporting 
in the future. PARIS became operational in July 2003. 

[18] The Coast Guard, another agency within DHS, elected to hire a 
contractor to conduct similar assessments of seaports.

[19] Historically, FAA has provided technical support and financial 
assistance to airports through its AIP grant program, including the 
acquisition and installation of security equipment, based on formal 
requests airport operator officials submitted in accordance with 49 
U.S.C. §§ 47101 et seq., and the Airport and Airway Improvement Act of 
1982, Pub. L. No. 97-248, 96 Stat. 671.

[20] U.S. General Accounting Office, Airport Finance: Using Airport 
Grant Funds for Security Projects Has Affected Some Development 
Projects, GAO-03-27 (Washington, D.C.: Oct. 15, 2002).

[21] Department of Defense Appropriations Act, Pub. L. No. 107-117, 115 
Stat. 2230, 2328 (2002).

[22] We contacted several airport operators to obtain specific examples 
of how AIP funds were used. For example, one airport operator used 
about $2.5 million to upgrade perimeter security and access controls by 
installing an automatic security gate, connecting perimeter gates to 
security systems, adding new video screens in the airport emergency 
operations center, adding motion sensors along airport SIDA perimeters 
to detect unauthorized intrusion into the SIDA area, among other 
things. Another airport operator used $884,000 for additional law 
enforcement personnel, airport surveillance, and the revalidation of 
airport identification badges.

[23] As part of the 2002 Supplemental Appropriations Act for Further 
Recovery from and Response to Terrorist Attacks on the United States, 
Pub. L. No. 107-206, 116 Stat. 820, 879-80.

[24] After we completed our review, TSA announced the award of an 
additional $8.2 million in grants to 10 airports for perimeter and 
access control security-related enhancements. 

[25] Vision 100--Century of Aviation Reauthorization Act, Pub. L. No. 
108-176, § 605, 117 Stat. 2490, 2566-68 (2003).

[26] Forty percent is allocated to large hub airports, 20 percent for 
medium hub airports, 15 percent for small and nonhub airports, and 25 
percent distributed at the Secretary's discretion on the basis of 
security risks.

[27] The fiscal year 2004 Department of Homeland Security 
Appropriations Act, Pub. L. No. 108-90, 117 Stat.1137, 1141-42, 
precludes the obligation or expenditure of any funds to carry out 
provisions o f the Aviation Security Capital Fund.

[28] GAO has a separate, ongoing review of TSA's research and 
development program.

[29] Section 136 also requires the Secretary of Transportation to 
conduct a review of reductions in unauthorized access at the category X 
airports no later than 18 months after the enactment of ATSA. 

[30] TSA defines new and emerging technologies as commercial products 
that have not been implemented in an airport security application or 
products that will be produced in 9 months in sufficient quantities for 
large-scale deployment.

[31] The requirements to assess biometric identification systems and 
the controls that prevent unauthorized persons from piggybacking are 
specified in ATSA, Section 136.

[32] After we completed our review, TSA announced the selection of 8 
airports to participate in the first phase of the pilot program. 

[33] We identified these 13 airports through our site visits to 
selected airports and through discussions with officials from one of 
the primary associations representing airport operators, the American 
Association of Airport Executives. 

[34] In 49 U.S.C. § 44936 airports and air carriers are required to 
conduct fingerprint-based criminal history records checks for all 
workers seeking unescorted access to the SIDA. Specifically, no 
individual may be given unescorted access authority if he or she has 
been convicted, or found not guilty by reason of insanity, of any of 28 
disqualifying offenses during the 10 years before the date of the 
individual's application for unescorted access authority, or while the 
individual has unescorted access authority. 

[35] TSA's no-fly list contains the names of individuals that pose, or 
are suspected of posing, a threat to civil aviation or national 
security. Individuals on this list will not be permitted to board an 
aircraft. There is also a selectee process by which individuals who 
meet certain criteria are set aside for additional screening.

[36] We visited a total of 12 U.S. commercial airports. We did not 
conduct a records review at the category III and IV commercial airports 
we visited.

[37] The 95 percent confidence intervals associated with these 
estimates extend from 96 percent to 100 percent for 5 of the 7 
airports. The analogous interval for a 6th airport extends from 95 
percent to 100 percent, and the analogous interval for the 7th airport 
extends from 94 percent to 100 percent.

[38] The 95 percent confidence intervals for these estimates extend 
from 92 percent to 99.7 percent, and from 90 percent to 99 percent, 
respectively.

[39] Department of Transportation Office of Inspector General, Progress 
Implementing Sections 106 and 138 of the Aviation and Transportation 
Security Act, SC-2003-023, February 27, 2003.

[40] Operation Tarmac was a joint investigation initiated by the 
Immigration and Naturalization Service, U.S. Attorneys' offices, FBI, 
Department of Transportation Inspector General, Social Security 
Administration, and FAA after the September 11 attacks. The operation 
was aimed at identifying and arresting airport workers who obtained 
their positions and security status through fraud. Results of the 
sweeps through airports nationwide has resulted in over 4,200 airport 
workers being caught having falsified information in order to be hired 
and be granted SIDA badges. Most of the fraud is through falsification 
or misrepresentation of Social Security information and immigration 
documents.

[41] Other airport operator officials we spoke with use additional 
measures to ensure that an individual provides accurate information 
prior to being hired at the airport. One airport operator we contacted 
verifies the accuracy of Social Security numbers and immigration 
documents before hiring new workers. Officials at this and another 
airport said they conducted supplemental background checks at the 
airport operator's own expense to provide further assurance that 
applicants have no criminal record and have provided accurate 
information on employment applications. However, these employer checks 
are not to be confused with, or substitutes for, checks for secured 
area access badges issued by airport badging authorities.

[42] We previously reported that federal watch lists do not have the 
capability to automatically share information on immigration status and 
biographical, financial, and other data. See U.S. General Accounting 
Office, Information Technology: Terrorist Watch Lists Should Be 
Consolidated to Promote Better Integration and Sharing, GAO-03-322 
(Washington, D.C.: Apr. 15, 2003).

[43] 49 C.F.R. § 1542.209(l).

[44] Inspector General, United States Department of Transportation: 
Statement Before the National Commission on Terrorist Attacks Upon the 
U.S. on Aviation Security, CC-2003-117 (Washington, D.C.: May 22, 
2003).

[45] The 19 nationwide criminal files include: stolen article file, 
boat file, convicted person on supervised release file, convicted 
sexual offender registry, deported felon file, foreign fugitive file, 
gun file, license plate file, missing person file, originating agency 
identifier file, protection order file, securities file, SENTRY file, 
unidentified persons file, Secret Service Protective order file, 
vehicle file, violent gang and terrorist organization file, wanted 
persons file, and vehicle/boat part file.

[46] The issue of sterile area worker screening was raised at a March 
17, 2004, hearing of the Subcommittee on Aviation, House Committee on 
Transportation and Infrastructure. During the hearing, the chairman 
asked TSA to survey FSDs to determine how this requirement is being 
met. In addition, as part of a separate effort, GAO is surveying FSDs, 
to determine, among other things, the extent to which sterile area 
workers are being physically screened. 

[47] U.S. Department of Transportation, Transportation Security 
Administration, TSA Airside Security Risk Assessment, October 3, 2002.

[48] TSA regulations governing security training are virtually the same 
as those required previously under FAA. 

[49] Inspector General, United States Department of Transportation: 
Statement Before the National Commission on Terrorist Attacks Upon the 
United States on Aviation Security, CC-2003-117 (Washington, D.C.: May 
22, 2003).

[50] See 49 U.S.C. §§ 44903(g)(2)(B), 44935(a),(c).

[51] U.S. General Accounting Office, Airport Passenger Screening: 
Preliminary Observations on Progress Made and Challenges Remaining, 
GAO-03-1173 (Washington, D.C.: Sept. 24, 2003). 

[52] The Department of Transportation's Inspector General recommended 
that TSA issue this regulation in its Audit Report--Progress 
Implementing Sections 106 and 138 of the Aviation and Transportation 
Security Act; Report Number SC-2003-023 (February 27, 2003). Current 
TSA regulation (1542.113) allows for but does not require airport 
tenants (entities conducting business on airport property) to develop 
security programs. TSA did not maintain data on airport vendors or 
tenants that have developed such a program to date.

[53] According to TSA, current security directives address some aspects 
of vendor security; however, the specific content of security 
directives is security sensitive information protected from disclosure 
under 49 CFR 1520.7(b). As a result, the relevant sections are 
described in the restricted version of this report. 

[54] Depending upon the scope of the possible regulation, the term 
"vendor" could include all of the companies involved in the supply 
chain that serves an airport. TSA said that since the supply chain for 
delivery of office products to the businesses located in the airport's 
sterile areas could include stages conducted by manufacturers, 
suppliers, transporters, retailers, and customers, the aggregate number 
of potential vendors cannot be readily determined.

[55] TSA's Maritime Self-Assessment Risk Module was developed in 
response to requirements outlined in the Maritime Transportation 
Security Act of 2002. The act mandates that any facility or vessel that 
the Secretary believes might be involved in a transportation security 
incident will be subject to a vulnerability assessment and must submit 
a security plan to the U.S. Coast Guard.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW,

Room LM Washington,

D.C. 20548:

To order by Phone: 	

	Voice: (202) 512-6000:

	TDD: (202) 512-2537:

	Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.

General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.

20548: