This is the accessible text file for GAO report number GAO-09-292 
entitled 'Aviation Security: TSA Has Completed Key Activities 
Associated with Implementing Secure Flight, but Additional Actions Are 
Needed to Mitigate Risks' which was released on May 14, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

May 2009: 

Aviation Security: 

TSA Has Completed Key Activities Associated with Implementing Secure 
Flight, but Additional Actions Are Needed to Mitigate Risks: 

GAO-09-292: 

GAO Highlights: 

Highlights of GAO-09-292, a report to congressional committees. 

Why GAO Did This Study: 

To enhance aviation security, the Department of Homeland Security’s 
(DHS) Transportation Security Administration (TSA) developed a program—
known as Secure Flight—to assume from air carriers the function of 
matching passenger information against terrorist watch-list records. In 
accordance with a mandate in the Department of Homeland Security 
Appropriations Act, 2008, GAO’s objective was to assess the extent to 
which TSA met the requirements of 10 statutory conditions related to 
the development of the Secure Flight program. GAO is required to review 
the program until all 10 conditions are met. In September 2008, DHS 
certified that it had satisfied all 10 conditions. To address this 
objective, GAO (1) identified key activities related to each of the 10 
conditions; (2) identified federal guidance and best practices that are 
relevant to successfully meeting each condition; (3) analyzed whether 
TSA had demonstrated, through program documentation and oral 
explanation, that the guidance was followed and best practices were 
met; and (4) assessed the risks associated with not fully following 
applicable guidance and meeting best practices. 

What GAO Found: 

As of April 2009, TSA had generally achieved 9 of the 10 statutory 
conditions related to the development of the Secure Flight program and 
had conditionally achieved 1 condition (TSA had defined plans, but had 
not completed all activities for this condition). Also, TSA’s actions 
completed and those planned have reduced the risks associated with 
implementing the program. Although DHS asserted that TSA had satisfied 
all 10 conditions in September 2008, GAO completed its initial 
assessment in January 2009 and found that TSA had not demonstrated 
Secure Flight’s operational readiness and that the agency had generally 
not achieved 5 of the 10 statutory conditions. Consistent with the 
statutory mandate, GAO continued to review the program and, in March 
2009, provided a draft of this report to DHS for comment. In the draft 
report, GAO noted that TSA had made significant progress and had 
generally achieved 6 statutory conditions, conditionally achieved 3 
conditions, and had generally not achieved 1 condition. After receiving 
the draft report, TSA took additional actions and provided GAO with 
documentation to demonstrate progress related to 4 conditions. Thus, 
GAO revised its assessment in this report, as is reflected in the table 
below. 

Table: GAO Assessment of Whether DHS Has Achieved the 10 Statutory 
Conditions, as of April 2009: 

Statutory condition topic: System of Due Process (Redress): 
Generally achieved. 

Statutory condition topic: Extent of False-Positive Errors 
(Misidentifications): 
Generally achieved. 

Statutory condition topic: Performance of Stress Testing and Efficacy 
and Accuracy of Search Tools: 
Generally achieved. 

Statutory condition topic: Establishment of an Internal Oversight 
Board: 
Generally achieved. 

Statutory condition topic: Operational Safeguards to Reduce Abuse 
Opportunities: 
Generally achieved. 

Statutory condition topic: Substantial Security Measures to Prevent 
Unauthorized Access by Hackers: 
Generally achieved. 

Statutory condition topic: Effective Oversight of System Use and 
Operation: 
Generally achieved. 

Statutory condition topic: No Specific Privacy Concerns with the 
System’s Technological Architecture: 
Generally achieved. 

Statutory condition topic: Accommodation of States with Unique 
Transportation Needs: 
Generally achieved. 

Statutory condition topic: Appropriateness of Life-Cycle Cost Estimates 
and Program Plans: 
Conditionally achieved[A]. 

Source: GAO analysis. 

[A] For conditionally achieved, TSA has completed some key activities 
and has defined plans for completing remaining activities that, if 
effectively implemented as planned, should result in a reduced risk of 
the program experiencing cost, schedule, or performance shortfalls. 

[End of table] 

Related to the condition that addresses the efficacy and accuracy of 
search tools, TSA had not yet developed plans to periodically assess 
the performance of the Secure Flight system’s name-matching 
capabilities, which would help ensure that the system is working as 
intended. GAO will continue to review the Secure Flight program until 
all 10 conditions are generally achieved. 

What GAO Recommends: 

GAO recommends that DHS take action to periodically assess the 
performance of the Secure Flight system’s name-matching capabilities 
and results. DHS concurred with GAO’s recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-09-292] or key 
components. For more information, contact Cathleen A. Berrick at (202) 
512-3404 or berrickc@gao.gov; or Randolph C. Hite at (202) 512-3439 or 
hiter@gao.gov; or Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

TSA Has Completed Key Activities Associated with Implementing Secure 
Flight, but Additional Actions Are Needed to Mitigate Risks: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Details on TSA's Testing of the Efficacy and Accuracy of 
Secure Flight's Matching System (Condition 3): 

Appendix III: Secure Flight's Oversight Entities (Condition 4): 

Appendix IV: TSA's Activities Related to the Effective Oversight of 
System Use and Operation (Condition 7): 

Appendix V: TSA's Actions to Address Fair Information Practices 
(Condition 8): 

Appendix VI: GAO Analyses of Secure Flight's Life-Cycle Cost Estimate 
and Schedule against Best Practices (Condition 10): 

Appendix VII: Comments from the Department of Homeland Security: 

Appendix VIII: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: Simplified Description of 10 Statutory Conditions Related to 
Secure Flight: 

Table 2: GAO Assessment of Whether DHS Has Generally Achieved 10 
Statutory Conditions, as of April 2009: 

Table 3: Fair Information Practice Principles: 

Table 4: Responsibilities of Secure Flight's Oversight Entities and 
Selected Oversight Actions, as of March 2009: 

Table 5: GAO Analysis of Secure Flight Cost Estimate Compared to Best 
Practices for a Reliable Cost Estimate Based on Information Provided by 
TSA as of March 20, 2009: 

Table 6: GAO Reassessment of Secure Flight Cost Estimate Compared to 
Best Practices for a Reliable Cost Estimate Based on Information 
Provided by TSA as of April 3, 2009: 

Table 7: GAO Analysis of Secure Flight Schedule Compared to Best 
Practices for Schedule Estimating Based on Information Provided by TSA 
as of March 20, 2009: 

Table 8: GAO Reassessment of Secure Flight Schedule Compared to Best 
Practices for Schedule Estimating Based on Information Provided by TSA 
as of April 3, 2009: 

Figure: 

Figure 1: Secure Flight Watch-List Matching Process: 

Abbreviations: 

AO: Aircraft Operator: 

APB: Acquisition Program Baseline: 

BPPR: Boarding Pass Printing Result: 

CAPPS: Computer-Assisted Passenger Prescreening System: 

CBP: U.S. Customs and Border Protection: 

CSA: Customer Service Agent: 

DHS: Department of Homeland Security: 

EAB: Enterprise Architecture Board: 

eSecure Flight: Electronic Secure Flight: 

ICE: independent cost estimate: 

IGCE: independent government cost estimate: 

IMS: Integrated Master Schedule: 

IRB: Investment Review Board: 

KDP: Key Decision Point: 

LCCE: life-cycle cost estimate: 

MDP: Milestone Decision Point: 

NARA: National Archives and Records Administration: 

OI: Office of Intelligence: 

OMB: Office of Management and Budget: 

OTSR: Office of Transportation Security Redress: 

PIA: Privacy Impact Assessment: 

PII: personally identifiable information: 

POA&M: plans of actions and milestones: 

PRR: Preliminary Review Required: 

RFA: Referred for Action: 

SFA: Secure Flight Analyst: 

SFPD: Secure Flight Passenger Data: 

SORN: System of Records Notice: 

TRIP: Traveler Redress Inquiry Program: 

TSA: Transportation Security Administration: 

TSC: Terrorist Screening Center: 

TSDB: Terrorist Screening Database: 

TSOU: Terrorist Screening Operations Unit: 

WBS: work breakdown structure: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

May 13, 2009: 

Congressional Committees: 

The matching of airline passenger information against terrorist watch- 
list records (watch-list matching) is a frontline defense against acts 
of terrorism that target the nation's civil aviation system. In 
general, passengers identified by air carriers as a match to the No-Fly 
list are prohibited from boarding a commercial flight, while those 
matched to the Selectee list are required to undergo additional 
screening.[Footnote 1] Historically, airline passenger prescreening has 
been performed by commercial air carriers. 

As required by the Intelligence Reform and Terrorism Prevention Act of 
2004, the Transportation Security Administration (TSA) developed an 
advanced passenger prescreening program known as Secure Flight that 
will allow TSA to assume from air carriers the function of watch-list 
matching.[Footnote 2] Since fiscal year 2004, GAO has been mandated to 
assess the development and implementation of the Secure Flight program. 
[Footnote 3] Most recently, in February 2008, we reported that TSA had 
instilled more discipline and rigor into Secure Flight's development, 
but that the program continued to face challenges related to completing 
performance testing, fully defining and testing security requirements, 
and establishing reliable cost and schedule estimates.[Footnote 4] We 
made recommendations to address these challenges and TSA generally 
agreed with them. 

Section 522(a) of the Department of Homeland Security (DHS) 
Appropriations Act, 2005, set forth 10 conditions related to the 
development and implementation of the Secure Flight program that the 
Secretary of Homeland Security must certify have been successfully met 
before the program may be implemented or deployed on other than a test 
basis (see table 1).[Footnote 5] On September 24, 2008, DHS certified 
that it had satisfied all 10 conditions. 

Table 1: Simplified Description of 10 Statutory Conditions Related to 
Secure Flight: 

Condition 1: System of Due Process (Redress)[A]. 

Condition 2: Extent of False-Positive Errors (Misidentifications). 

Condition 3: Performance of Stress Testing and Efficacy and Accuracy of 
Search Tools. 

Condition 4: Establishment of an Internal Oversight Board. 

Condition 5: Operational Safeguards to Reduce Abuse Opportunities. 

Condition 6: Substantial Security Measures to Prevent Unauthorized 
Access by Hackers. 

Condition 7: Effective Oversight of System Use and Operation. 

Condition 8: No Specific Privacy Concerns with the System's 
Technological Architecture. 

Condition 9: Accommodation of States with Unique Transportation 
Needs[B]. 

Condition 10: Appropriateness of Life-Cycle Cost Estimates and Program 
Plans. 

Source: GAO summary of the10 statutory conditions in Section 522 of 
Public Law 108-334. 

[A] In general, the term "redress" refers to an agency's complaint 
resolution process whereby individuals may seek resolution of their 
concerns about an agency action. 

[B] Condition 9 is related to the Computer-Assisted Passenger 
Prescreening System (CAPPS), a TSA-mandated automated program operated 
by air carriers that considers characteristics of a passenger's travel 
arrangements to select passengers for secondary screening. CAPPS is 
distinct from the Secure Flight program. TSA did not incorporate CAPPS 
into the Secure Flight program and, therefore, Secure Flight will have 
no effect on CAPPS selection rates. 

[End of table] 

In accordance with section 513 of the Department of Homeland Security 
Appropriations Act, 2008, our objective was to assess the extent to 
which TSA met 10 statutory conditions and the associated risks of any 
shortfalls in meeting the requirements.[Footnote 6] Our overall 
methodology included (1) identifying key activities related to each 
condition; (2) identifying federal guidance and related best practices, 
if applicable, that are relevant to successfully meeting each condition 
(e.g., GAO's Standards for Internal Control in the Federal Government); 
[Footnote 7] (3) analyzing whether TSA has demonstrated through 
verifiable analysis and documentation, as well as oral explanation, 
that the guidance has been followed and best practices have been met; 
and (4) assessing the risks associated with not fully following 
applicable guidance and meeting best practices. Based on our 
assessment, we categorized each condition as generally achieved, 
conditionally achieved, or generally not achieved. 

* Generally achieved--TSA has demonstrated that it completed all key 
activities related to the condition in accordance with applicable 
federal guidelines and related best practices, which should reduce the 
risk of the program experiencing cost, schedule, or performance 
shortfalls. 

* Conditionally achieved--TSA has demonstrated that it completed some 
key activities related to the condition in accordance with applicable 
federal guidelines and related best practices and has defined plans for 
completing remaining key activities that, if effectively implemented as 
planned, should result in a reduced risk that the program will 
experience cost, schedule, or performance shortfalls. 

* Generally not achieved--TSA has not demonstrated that it completed 
all key activities related to the condition in accordance with 
applicable federal guidelines and related best practices and does not 
have defined plans for completing the remaining activities, and the 
uncompleted activities result in an increased risk of the program 
experiencing cost, schedule, or performance shortfalls. 

On January 7, 2009, we briefed staff of the Senate and House 
Appropriations Committees' Subcommittees on Homeland Security on the 
results of our initial work, and reported that TSA had not demonstrated 
Secure Flight's operational readiness and that the agency had generally 
not achieved 5 of the 10 statutory conditions. Our briefing also 
included several recommendations for DHS to mitigate risks of Secure 
Flight cost, schedule, or performance shortfalls and strengthen 
management of the program.[Footnote 8] In addition, under this mandate, 
GAO is required to continue to review the Secure Flight program until 
it determines that all 10 conditions have been successfully met. In 
accordance with this requirement, we conducted additional work from 
January through April 2009, which included assessing information DHS 
provided after we submitted a copy of our draft report to the 
department for formal agency comment. Based on this additional work, we 
revised the status of several conditions and now consider three of the 
recommendations we made in our draft report to be met. This report 
contains information on our initial January 2009 assessment and 
recommendations, and related updates through April 2009. 

We conducted this performance audit from May 2008 to May 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. Appendix I presents more 
details about our scope and methodology. 

Background: 

Overview of Secure Flight: 

The prescreening of airline passengers who may pose a security risk 
before they board an aircraft is one of many layers of security 
intended to strengthen commercial aviation. In July 2004, the National 
Commission on Terrorist Attacks Upon the United States, also known as 
the 9/11 Commission, reported that the current system of matching 
passenger information to the No-Fly and Selectee lists needed 
improvements. The commission recommended, among other things, that 
watch-list matching be performed by the federal government rather than 
by air carriers. Consistent with this recommendation and as required by 
law, TSA has undertaken to develop a program--Secure Flight--to assume 
from air carriers the function of watch-list matching. Secure Flight is 
intended to: 

* eliminate inconsistencies in current passenger watch-list matching 
procedures conducted by air carriers and use a larger set of watch-list 
records when warranted, 

* reduce the number of individuals who are misidentified as being on 
the No-Fly or Selectee list, 

* reduce the risk of unauthorized disclosure of sensitive watch-list 
information, and: 

* integrate information from DHS's redress process into watch-list 
matching so that individuals are less likely to be improperly or 
unfairly delayed or prohibited from boarding an aircraft.[Footnote 9] 

Statutory requirements govern the protection of personal information by 
federal agencies, including the use of air passengers' information by 
Secure Flight. For example, the Privacy Act of 1974 places limitations 
on agencies' collection, disclosure, and use of personal information 
maintained in systems of records.[Footnote 10] The Privacy Act requires 
agencies to publish a notice--known as a System of Records Notice 
(SORN)--in the Federal Register identifying, among other things, the 
type of data collected, the types of individuals about whom information 
is collected, the intended "routine" use of the data, and procedures 
that individuals can use to review and correct personal information. 
Also, the E-Government Act of 2002 requires agencies to conduct Privacy 
Impact Assessments (PIA) that analyze how personal information is 
collected, stored, shared, and managed in a federal system.[Footnote 
11] Agencies are required to make their PIAs publicly available if 
practicable. 

Secure Flight Development and Watch-List Matching Process: 

According to TSA, the agency developed and is implementing Secure 
Flight's domestic watch-list matching function in 3 releases: 

* Release 1--Systems development and testing. 

* Release 2--First stages of parallel operations with airline operators 
during which both Secure Flight and air carriers perform watch-list 
matching. 

* Release 3--Continued parallel operations with airline operators and 
preparation for airline cutovers, in which Secure Flight will perform 
passenger watch-list matching for domestic flights. 

Under the Secure Flight watch-list matching process (see fig. 1), air 
carriers submit passenger information, referred to as Secure Flight 
Passenger Data, electronically through a DHS router or eSecure Flight, 
a Web-based access system for air carriers that do not use automated 
reservation systems to send and receive the data. Secure Flight 
Passenger Data are matched automatically against watch-list records, 
with results provided to air carriers through a Boarding Pass Printing 
Result. Passengers are subject to three possible outcomes from the 
watch-list matching process: cleared to fly, selected for additional 
screening, or prohibited from flying. Individuals initially selected 
for additional screening and those prohibited from flying undergo 
additional review, which results in the final Boarding Pass Printing 
Result and may lead to law enforcement involvement. 

Figure 1: Secure Flight Watch-List Matching Process: 

[Refer to PDF for image: illustration] 

Aircraft operators: 

Network connection through DHS router to Secure Flight: SFPD to 
Automated watchlist monitoring. 

Network connection from Automated watchlist monitoring through DHS 
router to Aircraft operator: BPPR. 

Network connection to eSecure Flight: SFPD to eSecure Flight, then to 
Automated watchlist monitoring. 

Network connection from Automated watchlist monitoring through eSecure 
Flight to Aircraft operator: BPPR. 

Phone, fax, or email communications to CSA: Additional identifying 
information. 

Phone, fax, or email communications from CSA: Information request/AO 
guidance and assistance. 

Secure Flight: 

Information received and sent as indicated above; 

Additional network connections: 

Automated watchlist monitoring to Secure Flight User Interface: PRR; 
Automated watchlist monitoring from Secure Flight User Interface: 
Trigger unsolicited BPPR. 

Secure Flight User Interface to and from CSA: Matching information; 
Secure Flight User Interface to and from TSA-OI analyst: Matching 
information; 
Secure Flight User Interface to SFA: Matching information; 
Secure Flight User Interface from SFA: Comments/matching result update. 

SFA to and from CSA: conference calls. 

Additional connections: 

TSA-OI analyst to TSC: TSC RFA (call/email); 
TSA-OI analyst from TSC: TSC RFA disposition (call/email). 

TSC to TSOU: Law enforcement encounter request (call/fax); 
TSC from TSOU: Law enforcement encounter information (call/fax). 

Legend: 

AO: Aircraft Operator; 
BPPR: Boarding Pass Printing Result; 
CSA: Customer Service Agent; 
eSecure Flight: Electronic Secure Flight; 
PRR: Preliminary Review Required; 
RFA: Referred for Action; 
SFA: Secure Flight Analyst; 
SFPD: Secure Flight Passenger Data; 
TSC: Terrorist Screening Center; 
TSOU: Terrorist Screening Operations Unit. 

Source: GAO analysis; Art Explosion. 

[End of figure] 

TSA is to use discretion to determine what constitutes a possible match 
between passenger information and a watch-list record, based on 
matching settings made in the system. The matching settings include (1) 
the relative importance of each piece of passenger information (e.g., 
name versus date of birth); (2) the numeric threshold over which a 
passenger will be flagged as a potential match (e.g., a scoring 
threshold of 95 would result in fewer matches than a scoring threshold 
of 85); and (3) the criteria used to determine whether an element of 
passenger information is a potential match to the watch list (e.g., the 
types of name variations or the date-of-birth range that the system 
considers a match). The Secure Flight matching system will use this 
information to assign each passenger record a numeric score that 
indicates its strength as a potential match to a watch-list record. 

Raising the scoring threshold would result in more names cleared and 
fewer names identified as possible matches, which would raise the risk 
of the subject of a watch-list record being allowed to board an 
airplane (false-negative matches). Conversely, lowering the scoring 
threshold would raise the risk of passengers being mistakenly matched 
to the watch list (false-positive matches). In October 2008, TSA issued 
the Secure Flight Final Rule, which specifies requirements for air 
carriers to follow as TSA implements and operates Secure Flight, 
including the collection of full name and date-of-birth information 
from airline passengers to facilitate watch-list matching.[Footnote 12] 

In late-January 2009, TSA began to assume the watch-list matching 
function for a limited number of domestic flights for one airline, and 
has since phased in additional flights and airlines. TSA plans to 
complete assumption of the watch-list matching function for all 
domestic flights in March 2010 and to then assume from U.S. Customs and 
Border Protection this watch-list-matching function for international 
flights departing to and from the United States. According to TSA, 
since fiscal year 2004, it has received approximately $300 million in 
appropriated funds for the development and implementation of the Secure 
Flight program. 

Related System Also Prescreens Airline Passengers: 

In addition to matching passenger information against terrorist watch- 
list records, TSA requires air carriers to prescreen passengers using 
the Computer-Assisted Passenger Prescreening System (CAPPS). Through 
CAPPS, air carriers compare data related to a passenger's reservation 
and travel itinerary to a set of weighted characteristics and behaviors 
(CAPPS rules) that TSA has determined correlate closely with the 
characteristics and behaviors of terrorists. Passengers identified by 
CAPPS as exhibiting these characteristics--termed selectees--must 
undergo additional security screening. This system is separate from the 
Secure Flight watch-list matching process and thus Secure Flight has no 
effect on CAPPS selection rates. 

TSA Has Completed Key Activities Associated with Implementing Secure 
Flight, but Additional Actions Are Needed to Mitigate Risks: 

In a January 2009 briefing to congressional staff, we reported that TSA 
had not demonstrated Secure Flight's operational readiness and that the 
agency had generally not achieved 5 of the 10 statutory conditions 
(Conditions 3, 5, 6, 8, 10), although DHS asserted that it had 
satisfied all 10 conditions. Since then, TSA has made progress in 
developing the Secure Flight program and meeting the requirements of 
the 10 conditions, and the activities completed to date and those 
planned reduce the risks associated with implementing the program. 
Table 2 shows the status of the 10 conditions as of April 2009. 

Table 2: GAO Assessment of Whether DHS Has Generally Achieved 10 
Statutory Conditions, as of April 2009: 

Statutory condition topic: Condition 1: System of Due Process 
(Redress); 
Generally Achieved[A]. 

Statutory condition topic: Condition 2: Extent of False-Positive 
Errors; 
Generally Achieved[A]. 

Statutory condition topic: Condition 3: Performance of Stress Testing 
and Efficacy and Accuracy of Search Tools; 
Generally Achieved[A]. 

Statutory condition topic: Condition 4: Establishment of an Internal; 
Oversight Board; 
Generally Achieved[A]. 

Statutory condition topic: Condition 5: Operational Safeguards to 
Reduce Abuse Opportunities; 
Generally Achieved[A]. 

Statutory condition topic: Condition 6: Substantial Security Measures 
to Prevent Unauthorized Access by Hackers; 
Generally Achieved[A]. 

Statutory condition topic: Condition 7: Effective Oversight of System 
Use and Operation; 
Generally Achieved[A]. 

Statutory condition topic: Condition 8: No Specific Privacy Concerns 
with the System's Technological Architecture; 
Generally Achieved[A]. 

Statutory condition topic: Condition 9: Accommodation of States with 
Unique Transportation Needs; 
Generally Achieved[A]. 

Statutory condition topic: Condition 10: Appropriateness of Life-Cycle 
Cost Estimates and Program Plans; 
Conditionally Achieved[B]. 

Source: GAO analysis. 

[A] For generally achieved, TSA has completed all key activities, which 
should reduce the risk of the program experiencing cost, schedule, or 
performance shortfalls. 

[B] For conditionally achieved, TSA has completed some key activities 
and has defined plans for completing remaining activities that, if 
effectively implemented as planned, should result in a reduced risk of 
the program experiencing cost, schedule, or performance shortfalls. 

[C] For generally not achieved, TSA has not completed all key 
activities, and the uncompleted activities result in an increased risk 
of the program experiencing cost, schedule, or performance shortfalls. 

[End of table] 

TSA Has Generally Achieved 9 of the 10 Statutory Conditions, but 
Additional Actions Would Help Mitigate Future Risks: 

Condition 1: Redress: 

Condition 1 requires that a system of due process exist whereby 
aviation passengers determined to pose a threat who are either delayed 
or prohibited from boarding their scheduled flights by TSA may appeal 
such decisions and correct erroneous information contained in the 
Secure Flight program. 

TSA has generally achieved this condition. For the Secure Flight 
program, TSA plans to use the existing redress process that is managed 
by the DHS Traveler Redress Inquiry Program (TRIP). TRIP, which was 
established in February 2007, serves as the central processing point 
within DHS for travel-related redress inquiries. TRIP refers redress 
inquiries submitted by airline passengers to TSA's Office of 
Transportation Security Redress (OTSR) for review. This process 
provides passengers who believe their travels have been adversely 
affected by a TSA screening process with an opportunity to be cleared 
if they are determined to be an incorrect match to watch-list records, 
or to appeal if they believe that they have been wrongly identified as 
the subject of a watch-list record. Specifically, air travelers who 
apply for redress and who TSA determines pose no threat to aviation 
security are added to a list that should automatically "clear" them and 
allow them to board an aircraft (the "cleared list"), thereby reducing 
any inconvenience experienced as a result of the watch-list matching 
process.[Footnote 13] After a review of the passenger's redress 
application, if OTSR determines that an individual was, in fact, 
misidentified as being on the No-Fly or Selectee list, it will add the 
individual to the cleared list. If OTSR determines that an individual 
is actually on the No-Fly or Selectee list, it will refer the matter to 
the Terrorist Screening Center, which determines whether the individual 
is appropriately listed and should remain on the list or is wrongly 
assigned and should be removed from the list. 

Although Secure Flight will use the same redress process that is used 
by the current air carrier-run watch-list matching process, some 
aspects of the redress process for air travelers are to change as the 
program is implemented. For example, individuals who apply for redress 
are issued a redress number by TRIP that they will be able to submit 
during future domestic air travel reservations that will assist in the 
preclearing process before they arrive at the airport. TSA expects this 
will reduce the likelihood of travel delays at check-in for those 
passengers who have been determined to pose no threat to aviation 
security. According to TSA officials, individuals who have applied for 
redress in the past and were placed on the cleared list will need to be 
informed of their new ability to use their redress number to preclear 
themselves under Secure Flight. These officials stated that they intend 
to send mailings to past redress applicants with information on this 
change. 

TSA has also coordinated with key stakeholders to identify and document 
shared redress processes and to clarify roles and responsibilities, 
consistent with relevant GAO guidance for coordination and 
documentation of internal controls.[Footnote 14] In addition, Secure 
Flight, TSA OTSR, and TSA's Office of Intelligence (OI) have jointly 
produced guidance that clarifies how the entities will coordinate their 
respective roles in the redress process, consistent with GAO best 
practices on coordinating efforts across government stakeholders. 
[Footnote 15] For example, the guidance clarifies the roles and 
responsibilities for each entity with respect to reviewing potential 
watch-list matches. 

Furthermore, TSA is developing performance measures to monitor the 
timeliness and accuracy of Secure Flight redress, as we recommended in 
February 2008.[Footnote 16] TRIP and OTSR's performance goals are to 
process redress applications as quickly and as accurately as possible. 
In February 2008, we reported that TRIP and OTSR track only one redress 
performance measure, related to the timeliness of case completion. We 
further reported that by not measuring all key defined program 
objectives, TRIP and OTSR lack the information needed to oversee the 
performance of the redress program. We recommended that DHS and TSA 
reevaluate the redress performance measures and consider creating and 
implementing additional measures, consistent with best practices that 
among other things address all program goals, to include the accuracy 
of the redress process. 

In response to GAO's recommendation, representatives from the TRIP 
office are participating in a Redress Timeliness Working Group, with 
other agencies involved in the watch-list redress process, to develop 
additional timeliness measures. According to DHS officials, the TRIP 
office has also established a quality assurance review process to 
improve the accuracy of redress application processing and will collect 
and report on these data. 

Secure Flight officials are developing additional performance measures 
to measure new processes that will be introduced once Secure Flight is 
operational, such as the efficacy of the system to preclear individuals 
who submit a redress number. 

Condition 2: Minimizing False Positives: 

Condition 2 requires that the underlying error rate of the government 
and private databases that will be used both to establish identity and 
assign a risk level to a passenger will not produce a large number of 
false-positives (mistakenly matched) that will result in a significant 
number of passengers being treated mistakenly or security resources 
being diverted. 

TSA has generally achieved this condition by taking a range of actions 
that should minimize the number of false-positive matches. For example, 
the Secure Flight Final Rule requires air carriers to (1) collect date- 
of-birth information from airline passengers and (2) be capable of 
collecting redress numbers from passengers.[Footnote 17] Collecting 
date-of-birth information should improve the system's ability to 
correctly match passengers against watch-list records since each record 
contains a date of birth. TSA conducted a test in 2004 that concluded 
that the use of date-of-birth information would reduce the number of 
false-positive matches. In addition, airline passengers who have 
completed the redress process and are determined by DHS to not pose a 
threat to aviation security can submit their redress number when making 
a flight reservation. The submission of redress numbers by airline 
passengers should reduce the likelihood of passengers being mistakenly 
matched to watch list records, which in turn should reduce the overall 
number of false-positive matches. 

TSA has established a performance measure and target for the system's 
false-positive rate, which should allow the agency to track the extent 
to which it is minimizing false-positive matches and whether the rate 
at any point in time is consistent with the program's goals. TSA 
officials stated that they tested the system's false-positive 
performance during Secure Flight's parallel testing with selected air 
carriers in January 2009 and found that the false-positive rate was 
consistent with the established target and program's goals. 

Condition 3: Efficacy and Accuracy of the System and Stress Testing: 

Condition 3 requires TSA to demonstrate the efficacy and accuracy of 
the search tools used as part of Secure Flight and to perform stress 
testing on the Secure Flight system.[Footnote 18] 

We addressed efficacy and accuracy separately from stress testing 
because they require different activities and utilize different 
criteria. 

Efficacy and Accuracy of the System: 

TSA has generally achieved the part of Condition 3 that requires TSA to 
demonstrate the efficacy and accuracy of the search tools used as part 
of Secure Flight. According to TSA, as a screening system, Secure 
Flight is designed to identify subjects of watch-list records without 
generating an unacceptable number of false-positive matches[Footnote 
19]. To accomplish this goal, TSA officials stated that Secure Flight's 
matching system and related search parameters were designed to identify 
potential matches to watch-list records if a passenger's date of birth 
is within a defined range of the date of birth on a watch-list record. 
[Footnote 20] According to TSA officials, the matching system and 
related search parameters were designed based on TSA OI policy and in 
consultation with TSA OI, the Federal Bureau of Investigation, and 
others. 

TSA conducted a series of tests--using a simulated passenger list and a 
simulated watch list created by a contractor with expertise in watch- 
list matching--that jointly assessed the system's false-negative and 
false-positive performance. However, in conducting these tests, the 
contractor used a wider date-of-birth matching range than TSA used in 
designing the Secure Flight matching system, which the contractor 
determined was appropriate to test the capabilities of a name-matching 
system. The tests showed that the Secure Flight system did not identify 
all of the simulated watch-list records that the contractor identified 
as matches to the watch list (the false-negative rate).[Footnote 21] 
Officials from TSA OI reviewed the test results and determined that the 
records not matched did not pose an unacceptable risk to aviation 
security.[Footnote 22] These officials further stated that increasing 
the date-of-birth range would unacceptably increase the number of false 
positives generated by the system. 

Moving forward, TSA is considering conducting periodic reviews of the 
Secure Flight system's matching capabilities and results (i.e., false 
positives and false negatives) to determine whether the system is 
performing as intended. However, final decisions regarding whether to 
conduct such reviews have not been made. Relevant guidance on internal 
controls identifies the importance of ongoing monitoring of programs, 
documenting control activities, and establishing performance measures 
to assess performance over time.[Footnote 23] By periodically 
monitoring the system's matching criteria as well as documenting and 
measuring any results to either (1) confirm that the system is 
producing effective and accurate matching results or (2) modify the 
settings as needed, TSA would be able to better assess whether the 
system is performing as intended. Without such activities in place, TSA 
will not be able to assess the system's false-negative rate, which 
increases the risk of the system experiencing future performance 
shortfalls. Given the inverse relationship between false positives and 
false negatives--that is, an increase in one rate may lead to a 
decrease in the other rate--it is important to assess both rates 
concurrently to fully test the system's matching performance. In our 
January 2009 briefing, we recommended that TSA periodically assess the 
performance of the Secure Flight system's matching capabilities to 
determine whether the system is accurately matching watch-listed 
individuals while minimizing the number of false positives. TSA agreed 
with our recommendation. 

Separate from the efficacy and accuracy of Secure Flight search tools, 
a security concern exists. Specifically, passengers could attempt to 
provide fraudulent information when making an airline reservation to 
avoid detection. TSA officials stated that they are aware of this 
situation and are taking actions to mitigate it. We did not assess 
TSA's progress in taking actions to address this issue or the 
effectiveness of TSA's efforts as part of this review.[Footnote 24] 

Stress Testing: 

The second part of Condition 3 requires TSA to perform stress testing 
on the Secure Flight system. In our January 2009 briefing to the Senate 
and House Appropriations Committees' Subcommittees on Homeland 
Security, we reported that TSA had generally not achieved this part of 
the condition because despite provisions for stress testing in Secure 
Flight test plans, such stress testing had not been performed at the 
time DHS certified that it had met the 10 statutory conditions, or 
prior to the completion of our audit work on December 8, 2008. However, 
TSA has since generally achieved this part of the condition. 

According to the Secure Flight Test and Evaluation Master Plan, the 
system was to be stress tested in order to assess performance when 
abnormal or extreme conditions are encountered, such as during periods 
of diminished resources or an extremely high number of users. Further, 
the Secure Flight Performance, Stress, and Load Test Plan states that 
the system's performance, throughput, and capacity are to be stressed 
at a range beyond its defined performance parameters in order to find 
the operational bounds of the system.[Footnote 25] In lieu of stress 
testing, program officials stated that Release 2 performance testing 
included "limit testing" to determine if the system could operate 
within the limits of expected peak loads (i.e., defined performance 
requirements).[Footnote 26] According to the officials, this testing 
would provide a sufficient basis for predicting which system components 
would experience degraded performance and potential failure if these 
peak loads were exceeded. However, in our view, such "limit testing" 
does not constitute stress testing because it focuses on the system's 
ability to meet defined performance requirements only, and does not 
stress the system beyond the requirements. Moreover, this "limit 
testing" did not meet the provisions for stress testing in TSA's own 
Secure Flight test plans. Program officials agreed that the limit 
testing did not meet the provisions for stress testing in accordance 
with test plans and revised program test plans and procedures for 
Release 3 to include stress testing. 

Beyond stress testing, our analysis at the time of our January 2009 
briefing showed that TSA had not yet sufficiently conducted performance 
testing. According to the Secure Flight Test and Evaluation Master 
Plan, performance and load tests should be conducted to assess 
performance against varying operational conditions and configurations. 
Further, the Secure Flight Performance, Stress, and Load Test Plan 
states that each test should begin within a limited scope and build up 
to longer runs with a greater scope, periodically recording system 
performance results. These tests also should be performed using 
simulated interfaces under real-world conditions and employ several 
pass/fail conditions, including overall throughput. However, Secure 
Flight Release 2 performance testing was limited in scope because it 
did not include 10 of the 14 Secure Flight performance requirements. 
According to program officials, these 10 requirements were not tested 
because they were to be tested as part of Release 3 testing that was 
scheduled for December 2008.[Footnote 27] Moreover, 2 of the 10 
untested performance requirements were directly relevant to stress 
testing. According to program officials, these 2 requirements were not 
tested as part of Release 2 because the subsystems supporting them were 
not ready at that time. Further, the performance testing only addressed 
the 4 requirements as isolated capabilities, and thus did not reflect 
real-world conditions and demands, such as each requirement's competing 
demands for system resources. Program officials agreed and stated that 
they planned to employ real world conditions in testing all performance 
requirements during Release 3 testing. 

In our January 2009 briefing, we recommended that TSA execute 
performance and stress tests in accordance with recently developed 
plans and procedures and report any limitations in the scope of the 
tests performed and shortfalls in meeting requirements to its oversight 
board, the DHS Investment Review Board. Since then, based on our 
analysis of updated performance, stress, and load test procedures and 
results, we found that TSA has now completed performance testing and 
significantly stress tested the vetting system portion of Secure 
Flight. For example, the stress testing demonstrated that the vetting 
system can process more than 10 names in 4 seconds, which is the 
system's performance requirement. As a result of the performance and 
stress testing that TSA has recently conducted, we now consider this 
condition to be generally achieved and the related recommendation we 
made at our January 2009 briefing to be met. 

Condition 4: Establishment of an Internal Oversight Board: 

Condition 4 requires the Secretary of Homeland Security to establish an 
internal oversight board to monitor the manner in which the Secure 
Flight programs is being developed and prepared. 

TSA has generally achieved this condition through the presence of five 
oversight entities that have met at key program intervals to monitor 
Secure Flight. In accordance with GAO's Standards for Internal Control 
in the Federal Government, a system of internal controls should 
include, among other things, an organizational structure that 
establishes appropriate lines of authority, a process that tracks 
agency performance against key objectives, and ongoing monitoring 
activities to ensure that recommendations made were addressed.[Footnote 
28] Consistent with these practices, the internal oversight entities 
monitoring the Secure Flight program have defined missions with 
established lines of authority, have met at key milestones to review 
program performance, and have made recommendations designed to 
strengthen Secure Flight's development. Our review of a selection of 
these recommendations showed that the Secure Flight program addressed 
these recommendations. 

The oversight entities for the Secure Flight program are the following: 

* DHS Steering Committee, 

* TSA Executive Oversight Board, 

* DHS Investment Review Board (IRB),[Footnote 29] 

* TSA IRB, and: 

* DHS Enterprise Architecture Board (EAB). 

The DHS Steering Committee and TSA Executive Oversight Board are 
informal oversight entities that were established to provide oversight 
and guidance to the Secure Flight program, including in the areas of 
funding, and coordination with U.S. Customs and Border Protection (CBP) 
on technical issues. According to TSA officials, the DHS Steering 
Committee and TSA Executive Oversight Board do not have formalized 
approval requirements outlined in management directives. The DHS IRB, 
TSA IRB, and DHS EAB are formal entities that oversee DHS information 
technology projects and focus on ensuring that investments directly 
support missions and meet schedule, budget, and operational objectives. 
(App. III contains additional information on these oversight boards.) 

GAO has previously reported on oversight deficiencies related to the 
DHS IRB, such as the board's failure to conduct required departmental 
reviews of major DHS investments (including the failure to review and 
approve a key Secure Flight requirements document).[Footnote 30] To 
address these deficiencies, GAO made a number of recommendations to 
DHS, such as ensuring that investment decisions are transparent and 
documented as required. DHS generally agreed with these 
recommendations. Moving forward, it will be critical for these 
oversight entities to actively monitor Secure Flight as it progresses 
through future phases of systems development and implementation and 
ensure that the recommendations we make in this report are addressed. 

Conditions 5 and 6: Information Security: 

Conditions 5 and 6 require TSA to build in sufficient operational 
safeguards to reduce the opportunities for abuse, and to ensure 
substantial security measures are in place to protect the Secure Flight 
system from unauthorized access by hackers and other intruders. 

TSA has generally achieved the statutory requirements related to 
systems information security based on, among other things, actions to 
mitigate high-and moderate-risk vulnerabilities associated with Release 
3. As of completion of our initial audit work on December 8, 2008, 
which we reported on at our January 2009 briefing, we identified 
deficiencies in TSA's information security safeguards that increased 
the risk that the system will be vulnerable to abuse and unauthorized 
access from hackers and other intruders. 

Federal law, standards, and guidance identify the need to address 
information security throughout the life cycle of information 
systems.[Footnote 31] Accordingly, the guidance and standards specify a 
minimum set of security steps needed to effectively incorporate 
security into a system during its development. These steps include: 

* categorizing system impact, performing a risk assessment, and 
determining security control requirements for the system; 

* documenting security requirements and controls and ensuring that they 
are designed, developed, tested, and implemented; 

* performing tests and evaluations to ensure controls are working 
properly and effectively, and implementing remedial action plans to 
mitigate identified weaknesses; and: 

* certifying and accrediting the information system prior to 
operation.[Footnote 32] 

To its credit, TSA had performed several of these key security steps 
for Release 1, such as: 

* categorizing the system as high-impact, performing a risk assessment, 
and identifying and documenting the associated recommended security 
control requirements; 

* preparing security documentation such as a system security plan and 
loading security requirements into the developer's requirements 
management tool; 

* testing and evaluating security controls for the Secure Flight system 
and incorporating identified weaknesses in remedial action plans; and: 

* conducting security certification and accreditation activities. 

However, as of December 8, 2008, TSA had not taken sufficient steps to 
ensure that operational safeguards and substantial security measures 
were fully implemented for Release 3 of Secure Flight. This is 
important because Release 3 is the version that is to be placed into 
production. Moreover, Release 3 provides for (1) a change in the Secure 
Flight operating environment from a single operational site with a 
"hot" backup site to dual processing sites where each site processes 
passenger data simultaneously,[Footnote 33] and (2) the eSecure Flight 
Web portal, which provides an alternative means for air carriers to 
submit passenger data to Secure Flight. While these changes could 
expose the Secure Flight program to security risks not previously 
identified, TSA had not completed key security activities to address 
these risks. 

Further, we found that TSA had not completed testing and evaluating of 
key security controls or performed disaster recovery tests for the 
Release 3 environment. These tests are important to ensure that the 
operational safeguards and security measures in the production version 
of the Secure Flight operating environment are effective, operate as 
intended, and appropriately mitigate risks. In addition, TSA had not 
updated or completed certain security documents for Release 3, such as 
its security plan, disaster recovery plan, security assessment report, 
and risk assessment, nor had it certified and accredited Release 3 of 
the Secure Flight environment it plans to put into production. Further, 
TSA had also not demonstrated that CBP had implemented adequate 
security controls over its hardware and software devices that interface 
with the Secure Flight system to ensure that Secure Flight data are not 
vulnerable to abuse and unauthorized access. 

Finally, TSA had not corrected 6 of 38 high-and moderate-risk 
vulnerabilities identified in Release 1 of the Secure Flight program. 
[Footnote 34] For example, TSA did not apply key security controls to 
its operating systems for the Secure Flight environment, which could 
then allow an attacker to view, change, or delete sensitive Secure 
Flight information. While TSA officials assert that they had mitigated 
4 of the 6 uncorrected vulnerabilities, we determined the documentation 
provided was not sufficient to demonstrate that the vulnerabilities 
were mitigated. As a result of the security risks that existed as of 
December 8, 2008, we recommended that TSA take steps to complete its 
security testing and update key security documentation prior to initial 
operations. 

After our January 2009 briefing, TSA provided documentation showing 
that it had implemented or was in the process of implementing our 
recommendation. For example, TSA had completed security testing of the 
most recent release of Secure Flight (Release 3), updated security 
documents, certified and accredited Release 3, received an updated 
certification and accreditation decision from CBP for its interface 
with the Secure Flight program, and mitigated the high-and moderate- 
risk vulnerabilities related to Release 1. In addition, TSA had 
prepared plans of actions and milestones (POA&M) for the 28 high-risk 
and 32 moderate-risk vulnerabilities it identified during security 
testing of Release 3. The POA&Ms stated that TSA would correct the high-
risk vulnerabilities within 60 days and the moderate-risk 
vulnerabilities within 90 days. Based on these actions, we concluded 
that TSA had conditionally achieved this condition as of January 29, 
2009. 

Further, after we submitted our draft report to DHS for formal agency 
comment on March 20, 2009, TSA provided us updated information that 
demonstrated that it had completed the actions discussed above. Based 
on our review of documentation provided by TSA on March 31, 2009, we 
concluded that TSA had mitigated all 60 high-and moderate-risk 
vulnerabilities associated with Release 3. Therefore, we concluded that 
TSA had generally achieved the statutory requirements related to 
systems information security and we consider the related recommendation 
to be met. 

Condition 7: Oversight of the Use and Operation of the System: 

Condition 7 requires TSA to adopt policies establishing effective 
oversight of the use and operation of the Secure Flight system. 

As of the completion of our initial audit work on December 8, 2008, TSA 
had generally achieved this condition, but we nevertheless identified 
opportunities for strengthening oversight and thus made a 
recommendation aimed at doing so. According to GAO's best practices for 
internal control, effective oversight includes (1) the plans and 
procedures used to meet mission goals and objectives, and (2) 
activities that ensure the effectiveness and efficiency of operations, 
safeguard assets, prevent and detect errors and fraud, and provide 
reasonable assurance that a program is meeting its intended objectives. 
[Footnote 35] To its credit, TSA had finalized the vast majority of key 
documents related to the effective oversight of the use and operation 
of the system as of the completion of our initial audit work on 
December 8, 2008. For example, TSA had established performance measures 
to monitor and assess the effectiveness of the Secure Flight program; 
provided training to air carriers on transitioning their watch-list 
matching functions to TSA; developed a plan to oversee air carriers' 
compliance with Secure Flight program requirements; and finalized key 
standard operating procedures. However, TSA had not yet finalized or 
updated all key program documents or completed necessary training, 
which was needed prior to the program beginning operations. 
Accordingly, we recommended that TSA finalize or update all key Secure 
Flight program documents--including the agreement with the Terrorist 
Screening Center for exchanging watch-list and passenger data and 
standard operating procedures--and complete training before the program 
begins operations. In response, TSA finalized its memorandum of 
understanding with the Terrorist Screening Center on December 30, 2008, 
and completed program training in January 2009. Based on these actions, 
we consider this recommendation to be met. Appendix IV contains 
additional information on Condition 7. 

Condition 8: Privacy: 

Condition 8 requires TSA to take action to ensure that no specific 
privacy concerns remain with the technological architecture of the 
Secure Flight system. 

TSA has generally achieved the statutory requirement related to privacy 
based on progress the agency has made in establishing a privacy program 
as well as recent actions taken to address security vulnerabilities 
related to conditions 5 and 6. In our January 2009 briefing, we 
identified deficiencies in TSA's information security safeguards that 
posed a risk to the confidentiality of the personally identifiable 
information maintained by the Secure Flight system. 

The Fair Information Practices, a set of principles first proposed in 
1973 by a U.S. government advisory committee, are used with some 
variation by organizations to address privacy considerations in their 
business practices and are also the basis of privacy laws and related 
policies in many countries, including the United States, Australia, and 
New Zealand, as well as the European Union. The widely-adopted version 
developed by the Organisation for Economic Co-operation and Development 
in 1980 is shown in table 3. 

Table 3: Fair Information Practice Principles: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: Organisation for Economic Co-operation and Development. 

Note: A version of the Fair Information Practices, which has been 
widely adopted, was developed by the Organisation for Economic Co- 
operation and Development and published as Guidelines on the Protection 
of Privacy and Transborder Flow of Personal Data (Sept. 23, 1980). 

[End of table] 

At the time of our January 2009 briefing, TSA had established a variety 
of programmatic and technical controls for Secure Flight, including: 

* involving privacy experts in major aspects of Secure Flight 
development, 

* developing privacy training for all Secure Flight staff and incident 
response procedures to address and contain privacy incidents, 

* tracking privacy issues and performing analysis when significant 
privacy issues are identified, 

* instituting access controls to ensure that data are not accidentally 
or maliciously altered or destroyed, 

* filtering unauthorized data from incoming data to ensure collection 
is limited to predefined types of information, 

* establishing standard formats for the transmission of personally 
identifiable information (PII) in order to reduce variance in data and 
improve data quality, and: 

* maintaining audit logs to track access to PII and document privacy 
incidents. 

In addition, TSA had issued required privacy notices--including a 
Privacy Impact Assessment and System of Records Notice--that meet legal 
requirements and address key privacy principles. These notices 
describe, among other things, the information that will be collected 
from passengers and airlines, the purpose of collection, and planned 
uses of the data. Through its privacy program, TSA had taken actions to 
implement most Fair Information Practice Principles. For information on 
the actions TSA has taken to generally address Fair Information 
Practices, see appendix V. 

However, at our January 2009 briefing, we also concluded that the 
weaknesses in Secure Flight's security posture--as described in our 
earlier discussion of information security--created an increased risk 
that the confidentiality of the personally identifiable information 
maintained by the Secure Flight system could be compromised. As a 
result, we recommended that TSA take steps to complete its security 
testing and update key security documentation prior to initial 
operations. 

After our January 2009 briefing, TSA provided documentation that it had 
implemented or was in the process of implementing our recommendation 
related to information security and we concluded that this condition 
had been conditionally achieved as of January 29, 2009. Further, after 
we submitted our draft report to DHS for formal agency comment on March 
20, 2009, TSA provided us updated information that demonstrated that it 
had completed the actions to implement our recommendation. Based on our 
review of documentation provided by TSA on March 31, 2009, we believe 
TSA has generally achieved the condition related to privacy. 

Condition 9: CAPPS Rules: 

Condition 9 requires that TSA--pursuant to the requirements of section 
44903(i)(2)(A)[sic] of title 49, United States Code--modify Secure 
Flight with respect to intrastate transportation to accommodate states 
with unique air transportation needs and passengers who might otherwise 
regularly trigger primary selectee status. 

TSA has generally achieved this condition. TSA is developing the Secure 
Flight program without incorporating the CAPPS rules and, therefore, 
Secure Flight will have no effect on CAPPS selection rates. According 
to TSA, the agency has modified the CAPPS rules to address air carriers 
operating in states with unique transportation needs and passengers who 
might otherwise regularly trigger primary selectee status.[Footnote 36] 
However, our review found that TSA lacked data on the effect of its 
modifications on air carrier selectee rates. We interviewed four air 
carriers to determine (1) the extent to which the CAPPS modifications 
and a related security amendment affected these carriers' selectee 
rates and (2) whether TSA had outreached to these carriers to assess 
the effect of the modifications and amendment on their selectee rates. 
The carriers provided mixed responses regarding whether the 
modifications and amendment affected their selectee rates. Further, 
three of the four air carriers stated that TSA had not contacted them 
to determine the effect of these initiatives. According to GAO best 
practices for internal control, agencies should ensure adequate means 
of communicating with, and obtaining information from, external 
stakeholders that may have a significant effect on achieving goals. 
[Footnote 37] Without communications with air carriers, and given the 
agency's lack of data on carrier selectee rates, TSA cannot ensure that 
the CAPPS modifications and related security amendment have their 
intended effect. In our January 2009 briefing, we recommended that TSA 
conduct outreach to air carriers--particularly carriers in states with 
unique transportation needs--to determine whether modifications to the 
CAPPS rules and security amendment have achieved their intended effect. 
TSA agreed with our recommendation. 

TSA Has Conditionally Achieved 1 of the 10 Conditions, but Further 
Actions Are Needed to Mitigate the Risk of Cost and Schedule Overruns: 

Condition 10: Life-Cycle Cost and Schedule Estimates: 

Condition 10 requires the existence of appropriate life-cycle cost 
estimates and expenditure and program plans. 

TSA has conditionally achieved this statutory requirement based on our 
review of its plan of action for developing appropriate cost and 
schedule estimates and other associated documents submitted after we 
provided a copy our draft report to DHS for formal comment on March 20, 
2009. The plan includes proposed activities and time frames for 
addressing weaknesses that we identified in the Secure Flight program's 
cost estimate and schedule and was the basis for our reassessment of 
this condition. 

At the time of our January 2009 briefing, we reported that this 
condition had generally not been achieved. Specifically, while TSA had 
made improvements to its life-cycle cost estimate and schedule, neither 
were developed in accordance with key best practices outlined in our 
Cost Assessment Guide.[Footnote 38] Our research has identified several 
practices that are the basis for effective program cost estimating. We 
have issued guidance that associates these practices with four 
characteristics of a reliable cost estimate: comprehensive, well 
documented, accurate, and credible. The Office of Management and Budget 
(OMB) endorsed our guidance as being sufficient for meeting most cost 
and schedule estimating requirements. In addition, the best practices 
outlined in our guide closely match DHS's own guidance for developing 
life-cycle cost estimates. Reliable cost and schedule estimates are 
critical to the success of a program, as they provide the basis for 
informed investment decision making, realistic budget formulation, 
program resourcing, meaningful progress measurement, proactive course 
correction, and accountability for results. 

As we reported at our January 2009 briefing, Secure Flight's $1.36 
billion Life Cycle Cost Estimate (LCCE) is well documented in that it 
clearly states the purpose, source, assumptions, and calculations. 
However, it is not comprehensive, fully accurate, or credible. As a 
result, the life-cycle cost estimate does not provide a meaningful 
baseline from which to track progress, hold TSA accountable, and 
provide a basis for sound investment decision making. In our January 
2009 briefing, we recommended that DHS take actions to address these 
weaknesses. TSA agreed with our recommendation. 

The success of any program depends in part on having a reliable 
schedule specifying when the program's set of work activities will 
occur, how long they will take, and how they relate to one another. As 
such, the schedule not only provides a road map for the systematic 
execution of a program, but it also provides the means by which to 
gauge progress, identify and address potential problems, and promote 
accountability. As we reported in January 2009, the November 15, 2008, 
TSA's Integrated Master Schedule (IMS) for Secure Flight--which 
provided supporting activities leading up to the program's initial 
operations in January 2009--was a significant improvement over its 
February 2008 version. For example, after meeting with GAO and its 
schedule analysis consultant, TSA took actions to improve the Secure 
Flight schedule, including adding initial efforts for domestic and 
international cutover activities, removing constraints that kept its 
schedule rigid, and providing significant status updates. 

Our research has identified nine practices associated with effective 
schedule estimating, which we used to assess Secure Flight.[Footnote 
39] These practices are: capturing key activities, sequencing key 
activities, establishing duration of key activities, assigning 
resources to key activities, integrating key activities horizontally 
and vertically, establishing critical path, identifying float time, 
performing a schedule risk analysis, and distributing reserves to high 
risk activities.[Footnote 40] In assessing the November 15, 2008, 
schedule against our best practices, we found that TSA had met one of 
the nine best practices, but five were only partially met and three 
were not met. Despite the improvements TSA made to its schedule for 
activities supporting initial operational capability, the remaining 
part of the schedule associated with implementing Secure Flight for 
domestic and international flights was represented as milestones rather 
than the detailed work required to meet milestones and events. As such, 
the schedule was more characteristic of a target deliverable plan than 
the work involved with TSA assuming the watch-list matching function. 
Moreover, likely program completion dates were not being driven by the 
schedule logic, but instead were being imposed by the program office in 
the form of target dates. This practice made it difficult for TSA to 
use the schedule to reflect the program's status. Without fully 
employing all key scheduling practices, TSA cannot assure a 
sufficiently reliable basis for estimating costs, measuring progress, 
and forecasting slippages. In our January 2009 briefing, we recommended 
that DHS take actions to address these weaknesses. TSA agreed with our 
recommendation. 

In January 2009, TSA provided us with a new schedule, dated December 
15, 2008. Our analysis showed that this new schedule continued to not 
follow best practices, did not correct the deficiencies we previously 
identified, and therefore could not be used as a reliable management 
tool. For example, a majority of the scheduled activities did not have 
baseline dates that allow the schedule to be tracked against a plan 
moving forward. In addition, best practices require that a schedule 
identify the longest duration path through the sequenced list of key 
activities--known as the schedule's critical path--where if any 
activity slips along this path, the entire program will be delayed. 
TSA's updated schedule did not include a critical path, which prevents 
the program from understanding the effect of any delays. Further, 
updating the Secure Flight program's schedule is important because of 
the significant cost and time that remains to be incurred to cutover 
all domestic flights to operations as planned by March 2010 and to 
develop, test, and deploy the functionality to assume watch-list 
matching for international flights. 

After we submitted a copy of our draft report to DHS for formal agency 
comment on March 20, 2009, TSA provided us its plan of action, dated 
April 2009, that details the steps the Secure Flight program management 
office intends to carry out to address weaknesses that we identified in 
the program's cost and schedule estimates. With regard to the program's 
cost estimate, TSA's plan has established a timeline of activities 
that, if effectively implemented, should result in (1) a more detailed 
work breakdown structure that would define the work necessary to 
accomplish the program's objectives; (2) the cost estimate and schedule 
work breakdown structures being aligned properly; (3) an independent 
cost estimate performed by a contractor; (4) an assessment of the life- 
cycle cost estimate by the DHS Cost Analysis Division; and (5) cost 
uncertainty and sensitivity analyses. In addition, TSA's plan has 
estimated government costs that were originally missing from its cost 
estimate. According to TSA, these costs will be addressed in its life- 
cycle cost estimate documentation. 

With regard to the Secure Flight program's schedule, TSA's plan of 
action has established a timeline of activities that, if effectively 
implemented, should result in, most notably: (1) a sequenced and 
logical schedule that will accurately calculate float time and a 
critical path; (2) a fully resource-loaded schedule based on subject- 
matter-expert opinion that does not overburden resources; (3) a 
schedule that includes realistic activity duration estimates; and (4) a 
schedule risk analysis that will be used by TSA leadership to 
distribute reserves to high-risk activities. According to TSA, this 
revised schedule will forecast the completion date for the project 
based on logic, duration, and resource estimates rather than artificial 
date constraints. 

The plan of action provides the Secure Flight program management office 
with a clearer understanding of the steps that need to be taken to 
address our concerns regarding the Secure Flight life-cycle cost 
estimate and schedule. Based on our review of the plan and the 
associated documentation provided, we therefore now consider this 
legislative requirement to be conditionally achieved and the related 
recommendations that we made at our January 2009 briefing to be met. It 
should be noted that a significant level of effort is involved in 
completing these activities, yet the actions--with the exception of the 
independent cost estimate--are planned to be completed by June 5, 2009. 
According to TSA, the independent cost estimate is to be completed by 
October 2009. 

While TSA's ability to fully meet the requirements of Condition 10 does 
not affect the Secure Flight system's operational readiness, having 
reliable cost and schedule estimates allows for better insight into the 
management of program resources and time frames as the program is 
deployed. We will continue to assess TSA's progress in carrying out the 
plan of action to address the weaknesses that we identified in the 
program's cost estimate and schedule and fully satisfying this 
condition. Appendix VI contains additional information on our analysis 
of TSA's efforts relative to GAO's best practices. 

Conclusions: 

TSA has made significant progress in developing the Secure Flight 
program, and the activities completed to date, as well planned, reduce 
the risks associated with implementing the program. However, TSA is 
still in the process of taking steps to address key activities related 
to testing the system's watch-list matching capability and cost and 
schedule estimates, which should be completed to mitigate risks and to 
strengthen the management of the program. 

Until these activities are completed, TSA lacks adequate assurance that 
Secure Flight will fully achieve its desired purpose and operate as 
intended. Moreover, if these activities are not completed 
expeditiously, the program will be at an increased risk of cost, 
schedule, or performance shortfalls. Specifically, the system might not 
perform as intended in the future if its matching capabilities and 
results (that is, false positives and false negatives) are not 
periodically assessed. In addition, cost overruns and missed deadlines 
will likely occur if reliable benchmarks are not established for 
managing costs and the remaining schedule. 

In addition to the issues and risks we identified related to the Secure 
Flight program, our work revealed one other TSA prescreening-related 
issue that should be addressed to mitigate risks and ensure that 
passenger prescreening is working as intended. Specifically, the effect 
that modifications to the CAPPS rules and a related security amendment 
have had on air carriers--particularly carriers in states with unique 
transportation needs--will remain largely unknown unless TSA conducts 
outreach to these air carriers to determine the effect of these 
changes. 

Recommendations for Executive Action: 

We are recommending that the Secretary of Homeland Security take the 
following two actions: 

* To mitigate future risks of performance shortfalls and strengthen 
management of the Secure Flight program moving forward, we recommend 
that the Secretary of Homeland Security direct the Assistant Secretary 
for the Transportation Security Administration to periodically assess 
the performance of the Secure Flight system's matching capabilities and 
results to determine whether the system is accurately matching watch- 
listed individuals while minimizing the number of false positives-- 
consistent with the goals of the program; document how this assessment 
will be conducted and how its results will be measured; and use these 
results to determine whether the system settings should be modified. 

* To ensure that passenger prescreening is working as intended, we 
recommend that the Secretary of Homeland Security direct the Assistant 
Secretary for the Transportation Security Administration to conduct 
outreach to air carriers--particularly carriers in states with unique 
transportation needs--to determine whether modifications to the CAPPS 
rules and related security amendment have achieved their intended 
effect. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to DHS for review and comment on 
March 20, 2009. Subsequently, TSA provided us additional information 
related to several of the conditions, which resulted in a reassessment 
of the status of these conditions. Specifically, in the draft report 
that we provided for agency comment, we had concluded that Conditions 5 
and 6 (information security) and Condition 8 (privacy) were 
conditionally achieved and Condition 10 (cost and schedule) was 
generally not achieved. Based on our review of the additional 
documentation provided by TSA, we are now concluding that Conditions 5, 
6, and 8 are generally achieved and Condition 10 is conditionally 
achieved. 

In addition, in the draft report we provided to DHS for agency comment, 
we made five recommendations, four of which were related to the Secure 
Flight program. The fifth recommendation was related to Condition 9 
(CAPPS rules), which is not related to the Secure Flight program. Based 
on the additional information that TSA provided during the agency 
comment period, we now consider three of these recommendations to be 
met (those related to information security, the cost estimate, and the 
program schedule). The other two recommendations have not been met and, 
therefore, are still included in this report (those related to 
monitoring the performance of the system's matching capability and 
assessing the effect of modifications on CAPPS rules). We provided our 
updated assessment to DHS and on April 23, 2009, DHS provided us 
written comments, which are presented in appendix VII. In its comments, 
DHS stated that TSA concurred with our updated assessment. 

We are sending copies of this report to the appropriate congressional 
committees and other interested parties. We are also sending a copy to 
the Secretary of Homeland Security. This report will also be available 
at no charge on our Web site at [hyperlink, http://www.gao.gov]. Should 
you or your staff have any questions about this report, please contact 
Cathleen A. Berrick at (202) 512-3404 or berrickc@gao.gov; Randolph C. 
Hite at (202) 512-3439 or hiter@gao.gov; or Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. Key contributors 
to this report are acknowledged in appendix VIII. 

Signed by: 

Cathleen A. Berrick: 
Managing Director, Homeland Security and Justice Issues: 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

List of Congressional Committees: 

The Honorable Daniel K. Inouye: 
Chairman: 
The Honorable Thad Cochran: 
Vice Chairman: 
Committee on Appropriations: 
United States Senate: 

The Honorable John D. Rockefeller, IV: 
Chairman: 
The Honorable Kay Bailey Hutchison: 
Ranking Member: 
Committee on Commerce, Science, and Transportation: 
United States Senate: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United State Senate: 

The Honorable Patrick J. Leahy: 
Chairman: 
The Honorable Jeff Sessions: 
Ranking Member: 
Committee on the Judiciary: 
United States Senate: 

The Honorable Robert C. Byrd: 
Chairman: 
The Honorable George Voinovich: 
Ranking Member: 
Subcommittee on Homeland Security: 
Committee on Appropriations: 
United States Senate: 

The Honorable David R. Obey: 
Chairman: 
The Honorable Jerry Lewis: 
Ranking Member: 
Committee on Appropriations: 
House of Representatives: 

The Honorable Bennie G. Thompson: 
Chairman: 
The Honorable Peter T. King: 
Ranking Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Edolphus Towns: 
Chairman: 
The Honorable Darrell Issa: 
Ranking Member: 
Committee on Oversight and Government Reform: 
House of Representatives: 

The Honorable James L. Oberstar: 
Chairman: 
The Honorable John L. Mica: 
Ranking Member: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

The Honorable David E. Price: 
Chairman: 
The Honorable Harold Rogers: 
Ranking Member: 
Subcommittee on Homeland Security: 
Committee on Appropriations: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Objectives: 

In accordance with section 513 of the Department of Homeland Security 
Appropriations Act, 2008, our objective was to assess the extent to 
which the Transportation Security Administration (TSA) met the 
requirements of 10 statutory conditions related to the development and 
implementation of the Secure Flight program and the associated risks of 
any shortfalls in meeting the requirements.[Footnote 41] Specifically, 
the act requires the Secretary of Homeland Security to certify, and GAO 
to report, that the 10 statutory conditions have been successfully met 
before TSA implements or deploys the program on other than a test 
basis.[Footnote 42] Pursuant to the act, after the Department of 
Homeland Security (DHS) certified that it had satisfied all 10 
conditions--which it did on September 24, 2008--we were required to 
report within 90 days on whether the 10 conditions had been 
successfully met. It further requires GAO to report periodically 
thereafter until it determines that all 10 conditions have been 
successfully met. 

Scope and Methodology: 

Our overall methodology included (1) identifying key activities related 
to each condition; (2) identifying federal guidance and related best 
practices, if applicable, that are relevant to successfully meeting 
each condition (e.g., GAO's Standards for Internal Control in the 
Federal Government);[Footnote 43] (3) analyzing whether TSA has 
demonstrated through verifiable analysis and documentation, as well as 
oral explanation, that the guidance has been followed and best 
practices have been met; and (4) assessing the risks associated with 
not fully following applicable guidance and meeting best practices. 
Based on our assessment, we categorized each condition as generally 
achieved, conditionally achieved, or generally not achieved. 

* Generally achieved--TSA has demonstrated that it completed all key 
activities related to the condition in accordance with applicable 
federal guidelines and related best practices, which should reduce the 
risk of the program experiencing cost, schedule, or performance 
shortfalls. 

* Conditionally achieved--TSA has demonstrated that it completed some 
key activities related to the condition in accordance with applicable 
federal guidelines and related best practices and has defined plans for 
completing remaining key activities that, if effectively implemented as 
planned, should result in reduced risk that the program will experience 
cost, schedule, or performance shortfalls. 

* Generally not achieved--TSA has not demonstrated that it completed 
all key activities related to the condition in accordance with 
applicable federal guidelines and related best practices and does not 
have defined plans for completing the remaining activities, and the 
uncompleted activities result in an increased risk of the program 
experiencing cost, schedule, or performance shortfalls. 

In conducting this review, we worked constructively with TSA officials. 
We provided TSA with our criteria for assessing each of the 10 
conditions and periodically met with TSA officials to discuss TSA's 
progress and our observations. To meet our 90-day reporting 
requirement, we conducted audit work until December 8, 2008, which 
included assessing activities and documents that TSA completed after 
DHS certified that it had met the 10 conditions. We reported the 
initial results of our review to the mandated reporting committees in 
two restricted briefings, first on December 19, 2008, and then on 
January 7, 2009. Because we concluded that TSA had not successfully met 
all 10 conditions, we conducted additional work from January through 
April 2009, the results of which are also included in this report. 
Further, after we submitted a copy of our draft report to DHS for 
formal agency comment on March 20, 2009, TSA provided us additional 
information related to Conditions 5, 6, 8, and 10 which resulted in our 
reassessment of the status of these conditions. The report has been 
updated to include the additional information and reassessments. 

Condition 1: Redress: 

To assess Condition 1 (redress), we interviewed program officials and 
reviewed and assessed agency documentation to determine how, once 
Secure Flight becomes operational, the DHS redress process will be 
coordinated with the Secure Flight program, based upon GAO best 
practices for coordination; as well as whether the process was 
documented, consistent with GAO best practices on documenting internal 
controls.[Footnote 44] We also reviewed performance measures for the 
Secure Flight redress process as well as TSA's progress in addressing a 
February 2008 GAO recommendation that DHS consider creating and 
implementing additional measures for its redress process.[Footnote 45] 

Condition 2: Minimizing False Positives: 

To assess Condition 2 (minimizing false positives), we interviewed 
program and TSA Office of Intelligence (OI) officials and reviewed and 
assessed Secure Flight performance objectives, tests, and other 
relevant documentation to determine the extent to which TSA's 
activities demonstrate that the Secure Flight system will minimize its 
false-positive rate. Additionally, we interviewed program and TSA OI 
officials and reviewed and assessed Secure Flight documentation to 
determine how the program established performance goals for its false- 
positive and false-negative rates. We also interviewed a representative 
from the contractor that designed a dataset that TSA used to test the 
efficacy and accuracy of Secure Flight's matching system to discuss the 
methodology of that dataset. Our engagement team, which included a 
social science analyst with extensive research methodology experience 
and engineers with extensive experience in systems testing, reviewed 
the test methodologies for the appropriateness and logical structure of 
their design and implementation, any data limitations, and the validity 
of the results. Our review focused on steps TSA is taking to reduce 
false-positive matches produced by Secure Flight's watch-list matching 
process, which is consistent with TSA's interpretation of the 
requirements of this condition. We did not review the Terrorist 
Screening Center's role in ensuring the quality of records in the 
Terrorist Screening Database (TSDB).[Footnote 46] 

Condition 3: Efficacy and Accuracy of the System and Stress Testing: 

To assess the first part of Condition 3 (efficacy and accuracy of the 
system), we interviewed program and TSA OI officials and reviewed and 
assessed Secure Flight performance objectives, tests, and other 
documentation that address the type and extent of testing and other 
activities that demonstrate that Secure Flight will minimize the number 
of false positives while not allowing an unacceptable number of false 
negatives. We also interviewed a representative from the contractor 
that designed a dataset that TSA used to test the efficacy and accuracy 
of Secure Flight's matching system to discuss the methodology of that 
dataset. Our engagement team, which included a social science analyst 
with extensive research methodology experience and engineers with 
extensive experience in systems testing, reviewed the test 
methodologies for the appropriateness and logical structure of their 
design and implementation and the validity of the results. However, we 
did not assess the appropriateness of TSA's definition of what should 
constitute a match to the watch list. We did not assess the accuracy of 
the system's predictive assessment, as this is no longer applicable to 
the Secure Flight program given the change in its mission scope 
compared to its predecessor program CAPPS II (i.e., Secure Flight only 
includes comparing passenger information to watch-list records whereas 
CAPPS II was to perform different analyses and access additional data, 
including data from commercial databases, to classify passengers 
according to their level of risk). 

To assess the second part of Condition 3, stress testing, we reviewed 
Secure Flight documentation--including test plans, test procedures, and 
test results--and interviewed program officials to determine whether 
TSA has defined and managed system performance and stress requirements 
in a manner that is consistent with relevant guidance and standards. 
[Footnote 47] We also determined whether the testing that was performed 
included testing the performance of Secure Flight search tools under 
increasingly heavy workloads, demands, and conditions to identify 
points of failure. For example, in January 2009, we met with the Secure 
Flight development team and a program official to observe test results 
related to the 14 Secure Flight performance and stress requirements. We 
walked through each of the 14 requirements and observed actual test 
scenarios and results. 

Condition 4: Establishment of an Internal Oversight Board: 

To assess Condition 4 (internal oversight), we interviewed DHS and TSA 
program officials and reviewed and analyzed documentation related to 
various DHS and TSA oversight boards--the DHS and TSA Investment Review 
Boards, the DHS Enterprise Architecture Board, the TSA Executive 
Oversight Board, and the DHS Steering Committee--to identify the types 
of oversight provided to the Secure Flight program. We also reviewed 
agency documentation to determine whether the oversight entities met as 
intended and, in accordance with GAO's Standards for Internal Control 
in the Federal Government,[Footnote 48] the extent to which the Secure 
Flight program has addressed a selection of recommendations and action 
items made by the oversight bodies. We evaluated oversight activities 
related to key milestones in the development of the Secure Flight 
system. 

Conditions 5 and 6: Information Security: 

To assess Conditions 5 and 6 (information security), we reviewed TSA's 
design of controls for systems supporting Secure Flight. Using federal 
law, standards, and guidelines on minimum security steps needed to 
effectively incorporate security into a system, we examined artifacts 
to assess how system impact was categorized, risk assessments were 
performed, security control requirements for the system were 
determined, and security requirements and controls were documented to 
ensure that they are designed, developed, tested, and implemented. 
[Footnote 49] We also examined artifacts to determine whether TSA 
assessed that controls were working properly and effectively, 
implemented remedial action plans to mitigate identified weaknesses, 
and certified and accredited information systems prior to operation. We 
interviewed TSA, U.S. Customs and Border Protection, and other 
officials on the current status of systems supporting, and controls, 
over Secure Flight. In addition, we observed the hardware and software 
environments of systems supporting Secure Flight to determine the 
status of information security controls, as appropriate. We reassessed 
the status of Conditions 5 and 6 based on our review of documentation 
provided by TSA on March 31, 2009, showing that it had mitigated all 
high-and moderate-risk information security vulnerabilities associated 
with the Secure Flight program's Release 3. 

Condition 7: Oversight of the Use and Operation of the System: 

In regard to Condition 7 (oversight of the system), for purposes of 
certification, TSA primarily defined effective oversight of the system 
in relation to information security. However, we assessed DHS's 
oversight activities against a broader set of internal controls for 
managing the program, as outlined in GAO's Standards for Internal 
Control in the Federal Government, to oversee the Secure Flight system 
during development and implementation. We interviewed Secure Flight 
program officials and reviewed agency documentation--including 
policies, standard operating procedures, and performance measures--to 
determine the extent to which policies and procedures addressed the 
management, use, and operation of the system. We also interviewed 
program officials at TSA's Office of Security Operations to determine 
how TSA intends to oversee internal and external compliance with system 
security, privacy requirements, and other functional requirements. We 
did not assess the quality of documentation provided by TSA. Our 
methodology for assessing information security is outlined under 
Conditions 5 and 6. 

Condition 8: Privacy: 

To assess Condition 8 (privacy), we analyzed legally-required privacy 
documentation, including systems-of-record notices and privacy impact 
assessments, as well as interviewed Secure Flight and designated TSA 
privacy officials to determine the completeness of privacy safeguards. 
In addition, we assessed available systems development documentation to 
determine the extent to which privacy protections have been addressed 
based on the Fair Information Practices.[Footnote 50] We also assessed 
whether key documentation had been finalized and key provisions, such 
as planned privacy protections, had been clearly determined. We 
reassessed the status of Condition 8 based on our review of 
documentation provided by TSA on March 31, 2009, showing that it had 
mitigated all high-and moderate-risk information security 
vulnerabilities associated with the Secure Flight program's Release 3. 

Condition 9: CAPPS Rules: 

To assess Condition 9 (CAPPS rules), we reviewed TSA documentation to 
identify modifications to the CAPPS rules and a related security 
program amendment to address air carriers operating in states with 
unique transportation needs and passengers who might otherwise 
regularly trigger primary selectee status. In addition, we interviewed 
TSA officials to determine the extent to which TSA assessed the effect 
of these activities on air carriers' selectee rates--either through 
conducting tests or by communicating with and obtaining information 
from air carriers--in accordance with GAO best practices for 
coordinating with external stakeholders.[Footnote 51] We also 
interviewed officials from four air carriers to obtain their views 
regarding the effect of CAPPS changes on the air carriers' selectee 
rates. These carriers were selected because they operate in states with 
unique transportation needs or have passengers who might otherwise 
regularly trigger primary selectee status as a result of CAPPS rules. 

Condition 10: Life-Cycle Cost and Schedule Estimates: 

To assess Condition 10 (cost and schedule estimates), we reviewed the 
program's life-cycle cost estimate, integrated master schedule, and 
other relevant agency documentation against best practices, including 
GAO's Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs.[Footnote 52] We also 
interviewed key program officials overseeing these activities and 
consulted with a scheduling expert to identify risks to the integrated 
master schedule. We reassessed the status of Condition 10, based on 
TSA's plan of action provided to us on April 3, 2009. The Plan of 
Action, dated April 2009, details the steps the Secure Flight program 
management office intends to carry out to address weaknesses that we 
identified in the program's cost and schedule estimates. Appendix VI 
contains additional information on our analysis of TSA's efforts 
relative to GAO's best practices. 

We conducted this performance audit from May 2008 to May 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Details on TSA's Testing of the Efficacy and Accuracy of 
Secure Flight's Matching System (Condition 3): 

The Transportation Security Administration (TSA) hired a contractor 
with expertise in matching systems to construct a dataset against which 
to test the Secure Flight matching system and assess the system's false-
positive and false-negative performance. Given the inverse relationship 
between false positives and false negatives--that is, a decrease in one 
may lead to an increase in the other--it is important to assess both 
rates concurrently to fully test the system's matching performance. The 
contractor developed the dataset specifically for Secure Flight using 
name-matching software and expert review by analysts and linguists. 

The dataset consisted of a passenger list and a watch list using name 
types that were consistent with those on the actual No-Fly and Selectee 
lists. Each record included a passenger name and date of birth. The 
passenger list consisted of about 12,000 records, of which nearly 1,500 
were "seeded" records that represented matches to the simulated watch 
list.[Footnote 53] According to the contractor, the seeded records were 
plausible variations to passenger names and dates of birth based on the 
contractor's analysis of real watch-list records. 

The passenger list was run through Secure Flight's automated matching 
system to determine its ability to accurately match the passenger 
records against the simulated watch list. The system used name-matching 
criteria outlined in the TSA No-Fly List security directive,[Footnote 
54] and a defined date-of-birth matching criteria that TSA officials 
state was consistent with TSA Office of Intelligence policy.[Footnote 
55] 

According to TSA, Secure Flight officials reviewed the test results to 
determine whether the system was accurately applying its matching 
criteria for passenger name and date of birth. TSA officials concluded 
that all matches and nonmatches made by the system were in accordance 
with these criteria. The test results for the system's default matching 
rules showed that the system produced a number of false-negative 
matches--that is, of the passenger records deemed by the contractor to 
be matches to the watch list, Secure Flight did not match a number of 
those records.[Footnote 56] TSA officials stated that the false- 
negative rate in the test was primarily due to the Secure Flight 
system's criteria for a date-of-birth match, which differed from the 
contractor's criteria. 

TSA determined a criteria range for a date-of-birth match that was 
consistent with TSA Office of Intelligence policy. According to TSA 
officials, these matching criteria are consistent with Secure Flight's 
responsibilities as a screening program--that is, the system must 
process high passenger volumes and quickly provide results to air 
carriers--and that those responsibilities were considered when 
balancing the risk presented by the system's false-positive and false- 
negative rates. The contractor's date-of-birth criteria range, however, 
was wider than the range used by TSA, which the contractor stated was 
established based on expert analysis of an excerpt from the watch list. 

According to TSA officials, officials from TSA's Office of Intelligence 
reviewed the test results and determined that the records identified as 
false negatives by the contractor--that is, the records that were 
matched by the contractor but not by the Secure Flight system--did not 
pose an unacceptable risk and should not have been flagged, and that 
these nonmatches were designated as such in accordance with Office of 
Intelligence policies and TSA's No Fly list security directive. These 
officials further stated that increasing the date-of-birth range would 
unacceptably increase the number of false positives generated by the 
system. 

TSA officials stated that the Secure Flight system's matching setting 
could be reconfigured in the future to adjust the system's false- 
positive and false-negative matching results should the need arise--for 
example, due to relevant intelligence information or improvements in 
the system's matching software. 

[End of section] 

Appendix III: Secure Flight's Oversight Entities (Condition 4): 

Table 4 shows the entities responsible for overseeing the development 
of the Secure Flight program and a sample of activities that had been 
completed. 

Table 4: Responsibilities of Secure Flight's Oversight Entities and 
Selected Oversight Actions, as of March 2009: 

Entity: Department of Homeland Security (DHS) Steering Committee; 
Oversight responsibilities: Review Secure Flight's progress in 
achieving key milestones and address operational issues. Prepare Secure 
Flight for other oversight processes (e.g., DHS Investment Review Board 
(IRB) review); 
Completed activities: Met quarterly since April 2007 to monitor Secure 
Flight's schedule, funding and implementation approach; 
Sample recommendation: The committee recommended improvements to Secure 
Flight concerning program documentation, such as the Mission Needs 
Statement, Concept of Operations, and briefing materials; 
Remaining activities: Meet quarterly to monitor program. 

Entity: Transportation Security Administration (TSA) Executive 
Oversight Board; 
Oversight responsibilities: Review policy-related issues and assess the 
program's progress in meeting milestones. Monitor key program 
activities related to funding and system testing. Ensure coordination 
with other agencies such as CBP; 
Completed activities: Met at least quarterly starting in November 2007 
to oversee system, schedule and budget performance; 
Sample recommendation: The board recommended that Secure Flight improve 
coordination with CBP, which resulted in a weekly forum on technical 
issues; 
Remaining activities: Meet quarterly to oversee program. 

Entity: DHS IRB; 
Oversight responsibilities: Review Secure Flight's investments and 
authorize the program to move through Key Decision Points (KDP): (1) 
Program Initiation, (2) Concept and Technology Development, (3) 
Capability Development and Demonstration, (4) Production and 
Deployment, and (5) Operations and Support. Review and approve the 
program's Acquisition Program Baseline (APB) for cost, schedule, and 
performance; 
Completed activities: Authorized Secure Flight to proceed through KDPs 
1-3 and approved the APB; 
Sample recommendation: Approved Secure Flight's progression to KDP 3 
based on the program taking several actions including rescoping its 
business model to align more strongly with mission, which TSA addressed 
through a 60-day reassessment process; 
Remaining activities: Provide oversight for KDPs 4-5. 

Entity: TSA IRB; 
Oversight responsibilities: Prepare Secure Flight to move through the 
KDPs governed by the DHS IRB and review and approve the system 
performance parameters delineated in the APB; 
Completed activities: Met in conjunction with KDPs 1-3 and approved the 
APB; 
Sample recommendation: Directed Secure Flight to coordinate program 
privacy and security compliance requirements with appropriate points of 
contact, which resulted in the updating of security and privacy 
documentation for the DHS IRB; 
Remaining activities: Provide guidance for KDPs 4-5. 

Entity: DHS EAB; 
Oversight responsibilities: Perform evaluations of Secure Flight to 
ensure the program is aligned with DHS enterprise architecture and 
technology strategies and capabilities. This occurs at the following 
Milestone Decision Points (MDP): (1) Project Authorization, (2) 
Alternative Selection, (3) Project Decision, (4) Pre-Deployment, and 
(5) Executive Review; 
Completed activities: Authorized Secure Flight to move through MDP 1, 
2, and 3; 
Sample recommendation: Authorized Secure Flight to proceed through MDP 
1 contingent on implementation of an Independent Verification and 
Validation capability, which TSA secured through a contract; 
Remaining activities: Provide oversight for MDP 4 and 5. 

[End of table] 

Source: GAO analysis. 

[End of section] 

Appendix IV: TSA's Activities Related to the Effective Oversight of 
System Use and Operation (Condition 7): 

The Transportation Security Administration (TSA) completed several 
internal control activities related to the management, use, and 
operation of the Secure Flight system. For example: 

* TSA developed 21 standard operating procedures related to Secure 
Flight's business processes. In addition, TSA incorporated additional 
programmatic procedures into various plans and manuals that will 
provide support for the program once it becomes operational. According 
to a Secure Flight official, all 21 standard operating procedures were 
finalized as of December 12, 2008. 

* TSA released its Airline Operator Implementation Plan, which is a 
written procedure describing how and when an aircraft operator 
transmits passenger and nontraveler information to TSA. The plan amends 
an aircraft operator's Aircraft Operator Standard Security Program to 
incorporate the requirements of the Secure Flight program. 

* TSA finalized its plan to oversee air carrier compliance with Secure 
Flight's policies and procedures. All domestic air carriers and foreign 
carriers covered under the Secure Flight rule will be required to 
comply with and implement requirements set forth in the final rule. 

* The Airline Operator Implementation Plan and the Consolidated User 
Guide will provide air carriers with the requirements for compliance 
monitoring during the initial cutover phases. 

* The Airline Implementation Team, which assists air carriers' 
transition to Secure Flight, will ensure that air carriers are in 
compliance with program requirements prior to cutover. 

* TSA developed performance measures to monitor and assess the 
effectiveness of the Secure Flight program, such as measures to address 
privacy regulations, training requirements, data quality and submission 
requirements, and the functioning of the Secure Flight matching engine. 
TSA will also use performance measures to ensure that air carriers are 
complying with Secure Flight data requirements. 

* TSA developed written guidance for managing Secure Flight's 
workforce, including a Comprehensive Training Plan that outlines 
training requirements for users and operators of the system and service 
centers. 

* According to TSA officials, TSA completed programmatic training, 
which includes privacy and program-related training, for the entire 
Secure Flight workforce. 

* TSA provided stakeholder training for covered U.S. air carriers and 
foreign air carriers on the Secure Flight program. This training, while 
not required of stakeholders, provided air carriers with information on 
changes to the Secure Flight program after the Final Rule was released 
and technical and operational guidance as outlined in the Consolidated 
User Guide. The Airline Implementation, Communications, and Training 
Teams will support requests from air carriers for additional training 
throughout deployment. 

* According to TSA, the agency planned to pilot its operational 
training, which is necessary for employees and contractors to 
effectively undertake their assigned responsibilities, during the week 
of December 8, 2008. TSA officials stated that piloting this training 
would allow them to make any needed updates to Secure Flight's standard 
operating procedures. However, TSA officials said that updates to the 
Standard Operating Procedures as a result of training were expected to 
be minimal and would not have an effect on initial cutover in their 
view. 

[End of section] 

Appendix V: TSA's Actions to Address Fair Information Practices 
(Condition 8): 

The Transportation Security Administration (TSA) has taken actions that 
generally address the following Fair Information Practices. 

The Purpose Specification principle states that the purposes for a 
collection of personal information should be disclosed before 
collection and upon any change to that purpose. TSA addressed this 
principle by issuing privacy notices that define a specific purpose for 
the collection of passenger information. According to TSA privacy 
notices, the purpose of the Secure Flight Program is to identify and 
prevent known or suspected terrorists from boarding aircraft or 
accessing sterile areas of airports and better focus passenger and 
baggage screening efforts on persons likely to pose a threat to civil 
aviation, to facilitate the secure and efficient travel of the public 
while protecting individuals' privacy. 

The Data Quality principle states that personal information should be 
relevant to the purpose for which it is collected, and should be 
accurate, complete, and current as needed for that purpose. TSA 
addressed this principle through its planned use of the Department of 
Homeland Security's (DHS) Traveler Redress Inquiry Program (TRIP), 
collecting information directly from passengers, and setting standard 
data formats. More specifically, TSA is planning to use DHS TRIP as a 
mechanism to correct erroneous data. TSA also believes that relying on 
passengers to provide their own name, date of birth, and gender will 
further help ensure the quality of the data collected. Moreover, TSA 
has developed a Consolidated User Guide that provides standard formats 
for air carriers to use when submitting passenger information to reduce 
variance and improve data quality. We reported previously that the 
consolidated terrorist watch list, elements of which are matched with 
passenger data to make Secure Flight screening decisions, has had data- 
quality issues[Footnote 57]. However, this database is administered by 
the Terrorist Screening Center and is not overseen by TSA. 

The Openness principle states that the public should be informed about 
privacy policies and practices, and that individuals should have a 
ready means of learning about the use of personal information. TSA 
addressed this principle by publishing and receiving comments on 
required privacy notices. TSA has issued a Final Rule, Privacy Impact 
Assessment, and System of Records Notice that discuss the purposes, 
uses, and protections for passenger data, and outline which data 
elements are to be collected and from whom. TSA obtained and responded 
to public comments on its planned measures for protecting the data a 
passenger is required to provide. 

The Individual Participation principle states that individuals should 
have the following rights: to know about the collection of personal 
information, to access that information, to request correction, and to 
challenge the denial of those rights. TSA addressed this principle 
through its planned use of DHS TRIP and its Privacy Act access and 
correction process. As previously mentioned, TSA plans to use DHS TRIP 
in order to allow passengers to request correction of erroneous data. 
Passengers can also request access to the information that is 
maintained by Secure Flight through DHS's Privacy Act request process. 
As permitted by the Privacy Act, TSA has claimed exemptions from the 
Privacy Act that limit what information individuals can access about 
themselves. For example, individuals will not be permitted to view 
information concerning whether they are in the Terrorist Screening 
Database (TSDB). However, TSA has stated that it may waive certain 
exemptions when disclosure would not adversely affect law enforcement 
or national security. 

The Use Limitation principle states that personal information should 
not be used for other than a specified purpose without consent of the 
individual or legal authority. TSA addressed this principle by 
identifying permitted disclosures of data and establishing mechanisms 
to ensure that disclosures are limited to those authorized. The Secure 
Flight system design requires that data owners initiate transfers of 
information, a provision that helps to assure that data is being used 
only for specified purposes. According to TSA privacy notices, the 
Secure Flight Records system is intended to be used to identify and 
protect against potential and actual threats to transportation security 
through watch-list matching against the No-Fly and Selectee components 
of the consolidated and integrated terrorist watch list known as the 
Terrorist Screening Database. TSA plans to allow other types of 
disclosures, as permitted by the Privacy Act. For example, TSA is 
permitted to share Secure Flight data with: 

* federal, state, local, tribal, territorial, foreign, or international 
agencies responsible for investigating, prosecuting, enforcing, or 
implementing a statute, rule, regulation, or order regarding a 
violation or potential violation of civil or criminal law or 
regulation; and: 

* international and foreign governmental authorities in accordance with 
law and formal or informal international agreements. 

The Collection Limitation principle states that the collection of 
personal information should be limited, should be obtained by lawful 
and fair means, and, where appropriate, with the knowledge or consent 
of the individual. TSA addressed this principle by conducting a data- 
element analysis, developing a data retention schedule, and 
establishing technical controls to filter unauthorized data and purge 
data. TSA has performed a data element analysis to determine the least 
amount of personal information needed to perform effective automated 
matching of passengers with individuals on the watch list. As a result, 
TSA has limited collection by only requiring that passengers provide 
their full name, gender, and date of birth. In addition, TSA requires 
air carriers to request other specific information, such as a 
passenger's redress number, and to provide TSA with other specific 
information in the airline's possession, such as the passenger's 
passport information. TSA established a data-purging control to rid the 
system of data according to its data-retention schedule. Further, TSA 
established technical controls to filter unauthorized data to ensure 
that collection is limited to authorized data fields. TSA is also 
developing a data-retention schedule which was issued for public 
comment and is in accordance with the Terrorist Screening Center's 
National Archives and Records Administration (NARA)---approved record- 
retention schedule for TSDB records. 

* The Accountability principle states that individuals controlling the 
collection or use of personal information should be accountable for 
taking steps to ensure the implementation of these principles. TSA 
addressed the Accountability principle by designating a program privacy 
officer and a team of privacy experts working on various aspects of the 
Secure Flight program, and by planning to establish several oversight 
mechanisms: 

* TSA implemented a system for tracking privacy issues that arise 
throughout the development and use of Secure Flight, and TSA is 
conducting follow-up analysis of significant privacy issues and 
providing resolution strategies for management consideration. 

* TSA developed privacy rules of behavior, which require that 
individuals handling personally identifiable information (PII) only use 
it for a stated purpose. 

* TSA is planning to maintain audit logs of system and user events to 
provide oversight of system activities, such as access to PII and 
transfer of PII in or out of the system. 

* TSA is planning to issue periodic privacy compliance reports, 
intended to track and aggregate privacy concerns or incidents, but it 
has not finalized the reporting process. 

* TSA developed general privacy training for all Secure Flight staff 
and is developing role-based privacy training for employees handling 
PII. 

While TSA has also taken steps related to the Security Safeguards 
principle, this principle had not been fully addressed at the time of 
our January 2009 briefing. The Security Safeguards principle states 
that personal information should be protected with reasonable security 
safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. TSA actions to address 
the Security Safeguards principle include planning to prevent 
unauthorized access to data stored in its system through technical 
controls including firewalls, intrusion detection, encryption, and 
other security methods. Although TSA had laid out a plan to protect the 
confidentiality of sensitive information through various security 
safeguards, our security review--discussed in more detail under 
conditions 5 and 6 on information security--identified weaknesses in 
Secure Flight's security posture that create an increased risk that the 
confidentiality of the personally identifiable information maintained 
by the Secure Flight system could be compromised. As a result of the 
security risks we identified and reported on at our January 2009 
briefing, and their corresponding effect on privacy, we recommended 
that TSA take steps to complete its security testing and update key 
security documentation prior to initial operations. TSA agreed with our 
recommendation. 

Since our January 2009 briefing, TSA provided documentation that it has 
implemented our recommendation related to information security. In 
light of these actions, we believe TSA has now generally achieved the 
condition related to privacy and we consider the related recommendation 
we made at the briefing to be met. 

[End of section] 

Appendix VI: GAO Analyses of Secure Flight's Life-Cycle Cost Estimate 
and Schedule against Best Practices (Condition 10): 

After submitting a copy of our draft report to the Department of 
Homeland Security (DHS) for formal agency comment on March 20, 2009, 
the Transportation Security Administration (TSA) provided us its plan 
of action, dated April 2009, that details the steps the Secure Flight 
program management office intends to carry out to address weaknesses 
that we identified in the program's cost and schedule estimates. We 
reviewed TSA's plan and associated documentation and reassessed the 
program against our Cost and Schedule Best Practices. The following 
tables show our original assessment and reassessment of TSA's cost and 
schedule against our best practices. 

Table 5 summarizes the results of our analysis relative to the four 
characteristics of a reliable cost estimate based on information 
provided by TSA as of March 20, 2009. 

Table 5: GAO Analysis of Secure Flight Cost Estimate Compared to Best 
Practices for a Reliable Cost Estimate Based on Information Provided by 
TSA as of March 20, 2009: 

Best practice: Comprehensive; 
Explanation: The cost estimates should include both government and 
contractor costs over the program's full life cycle, from the inception 
of the program through design, development, deployment, and operation 
and maintenance to retirement. They should also provide an appropriate 
level of detail to ensure that cost elements are neither omitted nor 
double-counted and include documentation of all cost-influencing ground 
rules and assumptions; 
Satisfied?: Partially; 
GAO analysis: TSA's Life Cycle Cost Estimate (LCCE) included more cost 
elements (e.g., airline implementation, facility leasing costs, etc.) 
than the estimate it presented to us in February 2008. However, we 
found that support costs by other TSA groups assisting with Secure 
Flight were omitted, which resulted in an underreported cost estimate. 
In addition, because the costs for airline implementation were at a 
summary level, we could not determine what costs TSA estimated for 
implementing their assumed watch-list matching function for domestic 
and international flights. As a result, we could not determine if all 
costs were captured. 

Best practice: Well documented; 
Explanation: The cost estimates should have clearly defined purposes 
and be supported by documented descriptions of key program or system 
characteristics. Additionally, they should capture in writing such 
things as the source data used and their significance, the calculations 
performed and their results, and the rationale for choosing a 
particular estimating method. Moreover, this information should be 
captured in such a way that the data used to derive the estimate can be 
traced back to, and verified against, their sources. The final cost 
estimate should be reviewed and accepted by management; 
Satisfied?: Yes; 
GAO analysis: The cost estimate explicitly identified the primary 
methods, calculations, results, assumptions, and sources of the data 
used to generate each cost element. The estimate was based on the 
engineering build up method, using actual costs when available, and 
included detail regarding the basis of estimate, the underlying data, 
and support for the labor hours, labor rates, and material costs. The 
estimate was reviewed by TSA's Chief Financial Officer group who 
verified that the figures presented were consistent with DHS and OMB 
summary of spending documentation. 

Best practice: Accurate; 
Explanation: The cost estimates should provide for results that are 
unbiased and should not be overly conservative or optimistic. In 
addition, the estimates should be updated regularly to reflect material 
changes in the program, and steps should be taken to minimize 
mathematical mistakes and their significance. Among other things, the 
estimate should be grounded in a historical record of cost estimating 
and actual experiences on comparable programs; 
Satisfied?: Partially; 
GAO analysis: Our data checks showed that the estimates were accurate; 
however, because TSA omitted some costs, it underestimated the LCCE. We 
also found that the work plan in the Integrated Master Schedule (IMS) 
was not reflected in the cost estimate, making variances between 
estimated and actual costs difficult. For example, while TSA's Secure 
Flight schedule shows domestic cutovers to be carried out in 12 groups, 
the cost estimate is based on labor categories, hours, and rates at a 
summary level. Tracking variances at this high level will not promote 
accountability and TSA will lose the opportunity to collect valuable 
estimating data that could improve the accuracy of international 
cutover cost estimates. 

Best practice: Credible; 
Explanation: The cost estimates should discuss any limitations in the 
analysis performed due to uncertainty surrounding data or assumptions. 
Further, the estimates' derivation should provide for varying any major 
assumptions and recalculating outcomes based on sensitivity analyses, 
and their associated risks/uncertainty should be disclosed. Also, the 
estimates should be verified based on cross-checks using other 
estimating methods and by comparing the results with independent cost 
estimates; 
Satisfied?: Partially; 
GAO analysis: TSA performed independent government cost estimates 
(IGCE) for some cost elements including contract support efforts. 
However, TSA did not compare its LCCE to an independent cost estimate 
for the entire Secure Flight program and therefore cannot gauge its 
reasonableness. In addition, we found no evidence that TSA performed 
cross-checks to determine if other cost estimating techniques produced 
similar results. TSA also did not perform an uncertainty analysis to 
quantify the risk associated with domestic and international cutovers. 
Finally, the Secure Flight program lacks a reliable schedule baseline, 
which is a key component of a reliable cost estimate because it serves 
as a basis for future work to be performed. 

Source: GAO analysis. 

[End of table] 

Table 6 summarizes the results of our reassessment of the Secure Flight 
program's cost estimate relative to the four characteristics of a 
reliable cost estimate based on information provided by TSA as of April 
3, 2009. 

Table 6: GAO Reassessment of Secure Flight Cost Estimate Compared to 
Best Practices for a Reliable Cost Estimate Based on Information 
Provided by TSA as of April 3, 2009: 

Best practice: Comprehensive; 
Explanation: The cost estimates should include both government and 
contractor costs over the program's full life cycle, from the inception 
of the program through design, development, deployment, and operation 
and maintenance to retirement. They should also provide an appropriate 
level of detail to ensure that cost elements are neither omitted nor 
double-counted and include documentation of all cost-influencing ground 
rules and assumptions; 
Satisfied?: Partially; 
GAO analysis: The program management office has estimated additional 
support costs associated with the Secure Flight program. These are 
government support costs expected to be incurred by TSA over the 3-year 
estimated period. The support costs are minor and will be noted in the 
LCCE assumptions. In planning to fully meet the Accurate best practice, 
TSA is planning to update its work breakdown structure (WBS) to define 
in detail the work necessary to accomplish Secure Flight's program 
objectives. TSA's Plan of Action states that each Secure Flight WBS 
area will be broken out into at least three levels. This work will be 
completed by July 2009. 

Best practice: Well documented; 
Explanation: The cost estimates should have clearly defined 
descriptions of key program or system characteristics. Additionally, 
they should capture in writing such things as the source data used and 
their significance, the calculations performed and their results, and 
the rationale for choosing a particular estimating method. Moreover, 
this information should be captured in such a way that the data used to 
derive the estimate can be traced back to, and verified against, their 
sources. The final cost estimate should be reviewed and accepted by 
management; 
Satisfied?: Yes; 
GAO analysis: TSA has fully met this criterion and therefore has no 
Plan of Action for reevaluation. 

Best practice: Accurate; 
Explanation: The cost estimates should provide for results that are 
unbiased and should not be overly conservative or optimistic. In 
addition, the estimates should be updated regularly to reflect material 
changes in the program, and steps should be taken to minimize 
mathematical mistakes and their significance. Among other things, the 
estimate should be grounded in a historical record of cost estimating 
and actual experiences on comparable programs; 
Satisfied?: Partially; 
GAO analysis: As noted in the Comprehensive best practice, the program 
management office has estimated additional support costs associated 
with the Secure Flight program. These are minor costs that will be 
noted in the LCCE assumptions. TSA's Plan of Action includes effort to 
fully align its cost estimate with the schedule WBS. TSA's Plan of 
Action also states that each Secure Flight WBS area will be broken out 
into at least three levels. A consistent framework between the IMS and 
cost estimate will promote accountability and will improve the accuracy 
of the cost estimate through the ability to track variances at lower 
levels. This work will be completed by July 2009. 

Best practice: Credible; 
Explanation: The cost estimates should discuss any limitations in the 
analysis performed due to uncertainty surrounding data or assumptions. 
Further, the estimates' derivation should provide for varying any major 
assumptions and recalculating outcomes based on sensitivity analyses, 
and their associated risks/uncertainty should be disclosed. Also, the 
estimates should be verified based on cross-checks using other 
estimating methods and by comparing the results with independent cost 
estimates; 
Satisfied?: Partially; 
GAO analysis: TSA's Plan of Action includes effort to use engineering 
build-up estimating techniques for each WBS work package, to be 
completed by July 2009. TSA will schedule an independent cost estimate 
(ICE) to be completed by a contractor by October 2009. In accordance 
with DHS directives, the DHS Cost Analysis Division will perform an 
assessment of the Secure Flight LCCE by April 2009. The ICE will be 
used to assess the reasonableness of the program office estimate and 
will be completed by April 2009. The Plan also includes effort to 
conduct a statistically based cost risk analysis. A Monte Carlo 
analysis will determine potential cost outcomes and will include a 
sensitivity analysis to identify key cost drivers. This uncertainty and 
sensitivity analysis will leverage results from the ICE effort and will 
be completed by May 2009. 

Source: GAO analysis. 

[End of table] 

Table 7 summarizes the results of our analysis relative to the nine 
schedule-estimating best practices based on information provided by TSA 
as of March 20, 2009. 

Table 7: GAO Analysis of Secure Flight Schedule Compared to Best 
Practices for Schedule Estimating Based on Information Provided by TSA 
as of March 20, 2009: 

Best Practice: Capturing key activities; 
Explanation: The schedule should reflect all key activities as defined 
in the program's work breakdown structure (WBS), to include activities 
to be performed by both the government and its contractors; 
Satisfied?: Partially; 
GAO Analysis: TSA only identified at a summary level key activities 
associated with domestic and international airline operator cutovers 
even though a significant amount of uncertainty exists within this 
work. Without these data it will be difficult to estimate the true 
completion of the project. The schedule also did not include a project 
completion date activity which was necessary for conducting a schedule 
risk analysis. 

Best Practice: Sequencing key activities; 
Explanation: The schedule should be planned so that it can meet 
critical program dates. To meet this objective, key activities need to 
be logically sequenced in the order that they are to be carried out. In 
particular, activities that must finish prior to the start of other 
activities (i.e., predecessor activities), as well as activities that 
cannot begin until other activities are completed (i.e., successor 
activities), should be identified. By doing so, interdependencies among 
activities that collectively lead to the accomplishment of events or 
milestones can be established and used as a basis for guiding work and 
measuring progress; 
Satisfied?: Partially; 
GAO Analysis: There were some key missing logic links in the schedule 
and we found excessive and questionable use of nonstandard logic for 
sequencing activities. The schedule also contained little information 
regarding historical performance and lacked a reasonable representation 
of the work to be carried out, especially future effort related to 
domestic and international cutovers. As a result, the schedule was not 
adequate for planning, tracking, and maintaining detailed project 
control. TSA said it was challenging to tie four disparate schedules 
into a single IMS. 

Best Practice: Establishing the duration of key activities; 
Explanation: The schedule should realistically reflect how long each 
activity will take to execute. In determining the duration of each 
activity, the same rationale, historical data, and assumptions used for 
cost estimating should be used. Durations should be as short as 
possible and have specific start and end dates. Excessively long 
periods needed to execute an activity should prompt further 
decomposition so that shorter execution durations will result. The 
schedule should be continually monitored to determine when forecasted 
completion dates differ from the planned dates, which can be used to 
determine whether schedule variances will affect downstream work; 
Satisfied?: Partially; 
GAO Analysis: TSA's schedule showed that activity durations were hidden 
in lags rather than being identified in discrete activities that can be 
statused and monitored for progress. Many activities were represented 
as milestones instead of duration-driven tasks. Furthermore, rather 
than estimating remaining duration for activities, TSA overrode the 
finish date and the constraint type. This is not a standard scheduling 
practice and resulted in percent-complete errors and overly optimistic 
forecasting. 

Best Practice: Assigning resources to key activities; 
Explanation: The schedule should reflect what resources (e.g., labor, 
material, and overhead) are needed to do the work, whether all required 
resources will be available when needed, and whether any funding or 
time constraints exist; 
Satisfied?: No; 
GAO Analysis: TSA did not see the value in resource loading their 
schedule even though cost loading the schedule would provide an 
effective means of tracking cost overruns or underruns and keep the 
cost estimate updated in accordance with best practices. 

Best Practice: Integrating key activities horizontally and vertically; 
Explanation: The schedule is horizontally integrated, meaning that it 
linked the products and outcomes associated with already-sequenced 
activities. These links are commonly referred to as "handoffs" and 
serve to verify that activities are arranged in the right order to 
achieve aggregated products or outcomes. The schedule should also be 
vertically integrated, meaning that traceability exists among varying 
levels of activities and supporting tasks and subtasks. Such mapping or 
alignment among levels enables different groups to work to the same 
master schedule; 
Satisfied?: Yes; 
GAO Analysis: The majority of the schedule was both horizontally and 
vertically integrated, meaning that the activities across the multiple 
teams were arranged in the right order to achieve aggregated products 
or outcomes. In addition, traceability existed among varying levels of 
activities, which allowed multiple teams to work to the same master 
schedule. 

Best Practice: Establishing the critical path for key activities; 
Explanation: Using scheduling software, the critical path--the longest 
duration path through the sequenced list of key activities--should be 
identified. The establishment of a program's critical path is necessary 
for examining the effects of any activity slipping along this path. 
Potential problems that might occur along or near the critical path 
should also be identified and reflected in the scheduling of the time 
for high-risk activities; 
Satisfied?: Partially; 
GAO Analysis: TSA cannot completely identify the critical path because 
domestic and international cutover activities need to broken down into 
further detail, logic links need to be fixed, and activity durations 
need to be clearly identified. Furthermore, TSA's schedule for Secure 
Flight represented a "target-driven" schedule due to its high degree of 
milestones and target dates vs. dynamically calculated dates from the 
Microsoft Project software. 

Best Practice: Identifying the "float time" between key activities; 
Explanation: The schedule should identify float time--the time that a 
predecessor activity can slip before the delay affects successor 
activities--so that schedule flexibility can be determined. As a 
general rule, activities along the critical path typically have the 
least amount of float time. Total float describes the amount of time 
flexibility an activity has without delaying the project completion (if 
everything else goes according to plan). Total float is used to find 
out which activities or paths are crucial to project completion; 
Satisfied?: Partially; 
GAO Analysis: TSA identified float time in its schedule for some key 
activities it captured. However, this float was not a true indication 
of schedule flexibility because it was inflated due to the fact that 
many activities in the schedule had no successors. To fix the schedule, 
TSA would need to identify activity successors in order to properly 
identify float time. 

Best Practice: Schedule risk analysis should be performed; 
Explanation: A schedule risk analysis should be performed using 
statistical techniques to predict the level of confidence in meeting a 
program's completion date. This analysis focuses not only on critical 
path activities but also on activities near the critical path, since 
they can potentially affect program status; 
Satisfied?: No; 
GAO Analysis: TSA had not performed a schedule risk analysis. GAO 
conducted such an analysis in July 2008 and updated it in November 
2008. GAO's schedule risk analysis was limited in its ability to 
account for risk due to the lack of detail provided by TSA for 
activities associated with domestic and international cutovers. 

Best Practice: Distributing reserves to high risk activities; 
Explanation: The baseline schedule should include a buffer or a reserve 
of extra time. Schedule reserve for contingencies should be calculated 
by performing a schedule risk analysis. As a general rule, the reserve 
should be applied to high-risk activities, which are typically found 
along the critical path; 
Satisfied?: No; 
GAO Analysis: Because TSA had not conducted its own Schedule Risk 
Analysis, it cannot identify appropriate schedule reserves. 

Source: GAO analysis. 

[End of table] 

Table 8 summarizes the results of our reassessment of the Secure Flight 
program's schedule relative to the nine schedule estimating best 
practices based on information provided by TSA as of April 3, 2009. 

Table 8: GAO Reassessment of Secure Flight Schedule Compared to Best 
Practices for Schedule Estimating Based on Information Provided by TSA 
as of April 3, 2009: 

Best practice: Capturing key activities; 
Explanation: The schedule should reflect all key activities as defined 
in the program's work breakdown structure, to include activities to be 
performed by both the government and its contractors; 
Satisfied?: Partially; 
GAO analysis: In planning to fully meet the Accurate cost estimating 
best practice, TSA is planning to update its WBS to define in detail 
the work necessary to accomplish Secure Flight's program objectives. 
TSA's Plan states that each Secure Flight WBS area will be broken out 
into at least three levels. The estimated completion date for domestic 
deployment activities is April 2009 and June 2009 for international 
deployment activities. 

Best practice: Sequencing key activities; 
Explanation: The schedule should be planned so that it can meet 
critical program dates. To meet this objective, key activities need to 
be logically sequenced in the order that they are to be carried out. In 
particular, activities that must finish prior to the start of other 
activities (i.e., predecessor activities), as well as activities that 
cannot begin until other activities are completed (i.e., successor 
activities), should be identified. By doing so, interdependencies among 
activities that collectively lead to the accomplishment of events or 
milestones can be established and used as a basis for guiding work and 
measuring progress; 
Satisfied?: Partially; 
GAO analysis: As the schedule is updated to reflect domestic and 
international deployment activities, TSA is planning to "add dates and 
durations for key activities" that will be "supported by standard logic 
for sequencing activities." All detail tasks will have logical 
relationships in order for the scheduling software to dynamically 
calculate the completion date. This will allow the effect of actual and 
potential delays to be seen downstream. The plan further states that 
constraints and lags will be avoided and the schedule will have" 
accurate durations," but no mention is made of incorporating historical 
productivity. The estimated completion date for domestic deployment 
activities is April 2009 and June 2009 for international deployment 
activities. 

Best practice: Establishing the duration of key activities; 
Explanation: The schedule should realistically reflect how long each 
activity will take to execute. In determining the duration of each 
activity, the same rationale, historical data, and assumptions used for 
cost estimating should be used. Durations should be as short as 
possible and have specific start and end dates. Excessively long 
periods needed to execute an activity should prompt further 
decomposition so that shorter execution durations will result. The 
schedule should be continually monitored to determine when forecasted 
completion dates differ from the planned dates, which can be used to 
determine whether schedule variances will affect downstream work; 
Satisfied?: Partially; 
GAO analysis: According to the Plan of Action, constraints and lags 
will be avoided. The plan further states that the schedule will have 
"accurate durations," but no mention is made of incorporating 
historical productivity. However, based on GAO's recommendation, 1-day 
durations will operate off a 60-80 percent productivity day rather than 
the default 100 percent productive 8-hour day. These updates will be 
implemented as schedule activities are generated while the 1-day 
durations will be updated by April 24, 2009. 

Best practice: Assigning resources to key activities; 
Explanation: The schedule should reflect what resources (e.g., labor, 
material, and overhead) are needed to do the work, whether all required 
resources will be available when needed, and whether any funding or 
time constraints exist; 
Satisfied?: No; 
GAO analysis: According to the Plan of Action, the Secure Flight 
schedule is "completely resource loaded through domestic deployment." 
Resource loading was based on subject-matter-expert input and care was 
taken to ensure that resources were not overloaded. Resource loading is 
to be implemented as international deployment activities are generated, 
and completed by June 2009. 

Best practice: Integrating key activities horizontally and vertically; 
Explanation: The schedule is horizontally integrated, meaning that it 
linked the products and outcomes associated with already sequenced 
activities. These links are commonly referred to as "handoffs" and 
serve to verify that activities are arranged in the right order to 
achieve aggregated products or outcomes. The schedule should also be 
vertically integrated, meaning that traceability exists among varying 
levels of activities and supporting tasks and subtasks. Such mapping or 
alignment among levels enables different groups to work to the same 
master schedule; 
Satisfied?: Yes; 
GAO analysis: While this condition was originally met. TSA's Plan of 
Action guarantees that the updated schedule (including updated 
activities, durations, logic relationships, and resource loading) will 
continue to be horizontally and vertically integrated. The estimated 
completion date for domestic deployment activities is April 2009 and 
June 2009 for international deployment activities. 

Best practice: Establishing the critical path for key activities; 
Explanation: Using scheduling software, the critical path--the longest 
duration path through the sequenced list of key activities--should be 
identified. The establishment of a program's critical path is necessary 
for examining the effects of any activity slipping along this path. 
Potential problems that might occur along or near the critical path 
should also be identified and reflected in the scheduling of the time 
for high-risk activities; 
Satisfied?: Partially; 
GAO analysis: While not explicitly targeted in the Plan of Action, 
establishing the critical path is addressed through other scheduling 
efforts in the plan. In addition to updating the logic and 
incorporating realistic durations, the plan also states that dates will 
not be target-driven. In other words, the scheduling software will 
dictate a realistic finish date rather than the program office forcing 
tasks into the schedule to fit a predetermined date. The plan also 
notes that Level of Effort tasks will not show up in the critical path. 
This will be completed by June 2009. 

Best practice: Identifying the "float time" between key activities; 
Explanation: The schedule should identify float time--the time that a 
predecessor activity can slip before the delay affects successor 
activities--so that schedule flexibility can be determined. As a 
general rule, activities along the critical path typically have the 
least amount of float time. Total float describes the amount of time 
flexibility an activity has without delaying the project completion (if 
everything else goes according to plan). Total float is used to find 
out which activities or paths are crucial to project completion; 
Satisfied?: Partially; 
GAO analysis: As described previously, the Plan of Action calls for 
updating the logic relationships and incorporating realistic durations, 
as well as avoiding target -driven dates. Realistic float, as 
determined by the schedule, will then be available to the program 
office for resource leveling and schedule contingency. This will be 
implemented by April 2009 as international deployment activities are 
identified. 

Best practice: Schedule risk analysis should be performed; 
Explanation: A schedule risk analysis should be performed using 
statistical techniques to predict the level of confidence in meeting a 
program's completion date. This analysis focuses not only on critical 
path activities but also on activities near the critical path, since 
they can potentially affect program status; 
Satisfied?: No; 
GAO analysis: TSA has contracted with an independent company to (1) 
review the Secure Flight program plan, and (2) conduct and document a 
schedule risk analysis. The schedule risk analysis is to be completed 
by July 2009. 

Best practice: Distributing reserves to high risk activities; 
Explanation: The baseline schedule should include a buffer or a reserve 
of extra time. Schedule reserve for contingencies should be calculated 
by performing a schedule risk analysis. As a general rule, the reserve 
should be applied to high-risk activities, which are typically found 
along the critical path; 
Satisfied?: No; 
GAO analysis: According to the TSA Plan of Action, once the schedule 
risk analysis is completed, the results will be reviewed with program 
leadership to decide upon tasks that warrant reserves. This will be 
completed by August 2009. 

Source: GAO analysis. 

[End of table] 

[End of section] 

Appendix VII: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

April 23, 2009: 

Ms. Cathleen A. Berrick: 
Managing Director, Homeland Security and Justice Team: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20458: 

Dear Ms. Berrick: 

The Department of Homeland Security (DHS) appreciates the opportunity 
to review and comment on the Government Accountability Office (GAO) 
draft report titled, Aviation Security: TSA Has Completed Key 
Activities Associated with Implementing Secure Flight, but Additional 
Actions Are Needed to Mitigate Risks (GAO-09-292). 

GAO issued the aforementioned draft report to the Transportation 
Security Administration (TSA) on March 20, 2009. TSA noted that the 
information contained in the report concerning TSA's progress in 
achieving the statutory conditions was dated. Accordingly, between 
March 20, 2009 and April 10, 2009, TSA provided additional information 
and documentation to the GAO. As a result, the GAO advised TSA on April 
13, 2009, that the Secure Flight program has generally achieved 
Conditions 1 through 9 and conditionally achieved Condition 10. TSA 
concurs with the updated GAO assessment. 

The Department of Homeland Security through TSA will continue to 
collaborate with the GAO until Condition 10 has been generally 
achieved. 

Sincerely, 

Signed by: 

[Illegible] 
for: Jerald E. Levine: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix VIII GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Cathleen A. Berrick, (202) 512-3404 or berrickc@gao.gov: 

Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Acknowledgments: 

In addition to the contacts listed above, Idris Adjerid, David 
Alexander, Mathew Bader, Timothy Boatwright, John de Ferrari, Katherine 
Davis, Eric Erdman, Anthony Fernandez, Ed Glagola, Richard Hung, Jeff 
Jensen, Neela Lakhmani, Jason Lee, Thomas Lombardi, Sara Margraf, 
Vernetta Marquis, Victoria Miller, Daniel Patterson, David Plocher, 
Karen Richey, Karl Seifert, Maria Stattel, Margaret Vo, and Charles 
Vrabel made key contributions to this report. 

[End of section] 

Footnotes: 

[1] The No-Fly and Selectee lists contain the names of individuals with 
known or suspected links to terrorism. These lists are subsets of the 
consolidated terrorist watch list that is maintained by the Federal 
Bureau of Investigation's Terrorist Screening Center. 

[2] See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) 
(codified at 49 U.S.C. § 44903(j)(2)(C)). 

[3] GAO has performed this work in accordance with statutory mandates, 
beginning in fiscal year 2004 with the Department of Homeland Security 
Appropriations Act, 2004, Pub. L. No. 108-90, § 519, 117 Stat. 1137, 
1155-56 (2003) (establishing the initial mandate that GAO assess the 
Computer-Assisted Passenger Prescreening System (CAPPS) II, the 
precursor to Secure Flight, and setting forth the original eight 
statutory conditions related to the development and implementation of 
the prescreening system), and pursuant to the requests of various 
congressional committees. 

[4] GAO, Aviation Security: Transportation Security Administration Has 
Strengthened Planning to Guide Investments in Key Aviation Security 
Programs, but More Work Remains, [hyperlink, 
http://www.gao.gov/products/GAO-08-456T] (Washington, D.C. Feb. 28, 
2008). 

[5] See Pub. L. No. 108-334, § 522, 118 Stat. 1298, 1319-20 (2004). 

[6] See Pub. L. No. 110-161, Div. E, § 513, 121 Stat. 1844, 2072 
(2007); see also Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 
3682-83 (2008). 

[7] See GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). These standards, issued pursuant to 
the requirements of the Federal Managers' Financial Integrity Act of 
1982, provide the overall framework for establishing and maintaining 
internal control in the federal government. Also pursuant to the 1982 
act, the Office of Management and Budget (OMB) issued circular A-123, 
revised December 21, 2004, to provide the specific requirements for 
assessing the reporting on internal controls. Internal control 
standards and the definition of internal control in OMB Circular A-123 
are based on GAO's Standards for Internal Control in the Federal 
Government. Appendix I contains more details on federal guidance and 
related best practices. 

[8] On December 19, 2008, we provided the initial results of our work 
to staff of the Senate and House Appropriations Committees' 
Subcommittees on Homeland Security, which was based on work conducted 
as of December 8, 2008. Section 513(b) of the Department of Homeland 
Security Appropriations Act, 2008, mandated that GAO report to these 
committees within 90 days after the DHS Secretary's certification. 

[9] In general, the term "redress" refers to an agency's complaint 
resolution process whereby individuals may seek resolution of their 
concerns about an agency action. 

[10] See 5 U.S.C. § 552a. 

[11] See Pub. L. No. 107-347, § 208, 116 Stat. 2899, 2921-23 (2002). 

[12] See 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R. pt. 
1560). 

[13] We have previously reported that the cleared list is not 
consistently used by air carriers, and that matched air travelers must 
still go to the airline ticket counter to provide information to 
confirm that they are the individual on the cleared list. See GAO, 
Aviation Security: TSA Is Enhancing Its Oversight of Air Carrier 
Efforts to Identify Passengers on the No Fly and Selectee Lists, but 
Expects Ultimate Solution to Be Implementation of Secure Flight, 
[hyperlink, http://www.gao.gov/products/GAO-08-992] (Washington, D.C. 
Sept. 9, 2008). 

[14] GAO, Agency Performance Plans: Examples of Practices That Can 
Improve Usefulness to Decisionmakers, [hyperlink, 
http://www.gao.gov/products/GAO/GGD/AIMD-99-69] (Washington, D.C.: 
February 1999) and GAO/AIMD-00-21.3.1. 

[15] See [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69]. 
TSA OI is responsible for disseminating the cleared list. 

[16] See [hyperlink, http://www.gao.gov/products/GAO-08-456T}. 

[17] The Secure Flight Final Rule provides that air carriers must 
request a passenger's full name, gender, date of birth, and Redress or 
Known Traveler Numbers (if available), but it only requires that 
passengers provide their full name, gender, and date of birth. 

[18] Condition 3 also requires that TSA demonstrate that Secure Flight 
can make an accurate predictive assessment of those passengers who may 
constitute a threat to aviation. As TSA did not design Secure Flight 
with this capability, this element of the condition is not applicable 
to the Secure Flight program. 

[19] TSA officials stated that they considered the Secure Flight 
program's objectives--for example, the system must process high volumes 
of passengers and quickly provide results to air carriers while also 
accounting for the TSA resources required to review potential matches-
-in determining an acceptable balance between mistakenly matching 
passengers (false-positives) and failing to identify passengers who 
match watch-list records (false-negatives). 

[20] Details about the Secure Flight matching system and related search 
parameters are Sensitive Security Information and, therefore, are not 
included in this report. TSA designates certain information, such as 
information that would be detrimental to the security of transportation 
if publicly disclosed, as Sensitive Security Information pursuant to 49 
U.S.C. § 114(r) and its implementing regulations, codified at 49 C.F.R. 
part 1520. 

[21] Details about the specific false-negative rate resulting from 
these tests are Sensitive Security Information and, therefore, are not 
included in this report. 

[22] See Appendix II for additional details about these tests. 

[23] See [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] 
and [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[24] Additional details on this issue were determined to be Sensitive 
Security Information by TSA and, therefore, are not included in this 
report. 

[25] Details about the specific stress test requirements are Sensitive 
Security Information and, therefore, are not included in this report. 

[26] Performance tests are intended to determine how well a system 
meets specified performance requirements, while stress tests are 
intended to analyze system behavior under increasingly heavy workloads 
and severe operating conditions to identify points of system 
degradation and failure. 

[27] Our analysis showed that the Secure Flight Integrated Master 
Schedule (IMS) erroneously shows that performance testing for Release 3 
was completed on July 31, 2008, which program officials confirmed was 
incorrect. According to program officials, the IMS was being updated to 
reflect its ongoing efforts to update and execute test plans in 
December 2008. 

[28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[29] DHS Acquisition Directive 102-01 supersedes the previous 
investment review policy (Management Directive 1400). Under the new 
acquisition directive, issued in November 2008, the DHS Investment 
Review Board is now referred to as the Acquisition Review Board. 

[30] GAO, Department of Homeland Security: Billions Invested in Major 
Programs Lack Appropriate Oversight, GAO-09-29 (Washington, D.C.: Nov. 
18, 2008) and GAO, Information Technology: DHS Needs to Fully Define 
and Implement Policies and Procedures for Effectively Managing 
Investments, [hyperlink, http://www.gao.gov/products/GAO-07-424] 
(Washington, D.C.: Apr. 27, 2007). 

[31] We considered federal criteria including the Federal Information 
Security Management Act of 2002, Pub. L. No. 107-347, §§ 301-05, 116 
Stat. 2899, 2946-61 (as amended), OMB policies, and National Institute 
of Standards and Technology standards and guidelines. 

[32] Certification is a comprehensive assessment of management, 
operational, and technical security controls in an information system, 
made in support of security accreditation, to determine the extent to 
which the controls are implemented correctly, operating as intended and 
producing the desired outcome with respect to meeting the security 
requirements for the system. Accreditation is the official management 
decision to authorize operation of an information system and to 
explicitly accept the risk to agency operations based on implementation 
of controls. 

[33] A hot site is a fully operation off-site data-processing facility 
equipped with hardware and system software to be used in the event of a 
disaster. 

[34] TSA defines a vulnerability as high risk if the probability of 
serious incident is likely and the risk is not normally acceptable. 
According to TSA, there is a strong need for corrective action and the 
authorization of operation status may be rescinded or not granted. For 
moderate-risk vulnerability, the probability of an incident is elevated 
with increased probability of unauthorized disclosure or denial of 
service of critical systems. 

[35] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[36] The CAPPS rules and TSA's actions in response to this condition 
are Sensitive Security Information and, therefore, are not included in 
this report. 

[37] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[38] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). 

[39] [hyperlink, http://www.gao.gov/products/GAO-09-3SP]. 

[40] See appendix VI for additional details on GAO's best practices for 
cost and schedule estimation. 

[41] See Pub. L. No. 110-161, Div. E, § 513, 121 Stat. 1844, 2072 
(2007); see also Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 
3682-83 (2008). 

[42] Section 522(a) of the Department of Homeland Security 
Appropriations Act, 2005 (Pub. L. No. 108-334, 118 Stat., 1298, 1319 
(2004)), sets forth these 10 conditions. 

[43] See GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). These standards, issued pursuant to 
the requirements of the Federal Managers' Financial Integrity Act of 
1982, provide the overall framework for establishing and maintaining 
internal control in the federal government. Also pursuant to the 1982 
Act, the Office of Management and Budget (OMB) issued circular A-123, 
revised December 21, 2004, to provide the specific requirements for 
assessing the reporting on internal controls. Internal control 
standards and the definition of internal control in OMB Circular A-123 
are based on GAO's Standards for Internal Control in the Federal 
Government. 

[44] GAO, Agency Performance Plans: Examples of Practices That Can 
Improve Usefulness to Decisionmakers, [hyperlink, 
http://www.gao.gov/products/GAO/GGD/AIMD-99-69]. 

[45] GAO, Aviation Security: Transportation Security Administration Has 
Strengthened Planning to Guide Investments in Key Aviation Security 
Programs, but More Work Remains, [hyperlink, 
http://www.gao.gov/products/GAO-08-456T] (Washington, D.C. Feb. 28, 
2008). 

[46] We reported on the quality of watch-list records in October 2007 
and the steps the Terrorist Screening Center is taking to improve their 
quality; see GAO, Terrorist Watch List: Screening Opportunities Exist 
to Enhance Management Oversight, Reduce Vulnerabilities in Agency 
Screening Processes, and Expand Use of the List, [hyperlink, 
http://www.gao.gov/products/GAO-08-110] (Washington, D.C. Oct. 11, 
2007). The Department of Justice's Inspector General also reported on 
the quality of records in the terrorist screening database in June 2005 
and September 2007. 

[47] Software Engineering Institute, "A Framework for Software Product 
Line Practice, Version 5.0"; "Robustness Testing of Software-Intensive 
Systems: Explanation and Guide," CMU/SEI-2005-TN-015; and GAO, Year 
2000 Computing Crisis: A Testing Guide [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-10.1.21] (Washington, D.C.: Nov. 
1, 1998). 

[48] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[49] We considered federal criteria including the Federal Information 
Security Management Act of 2002, Office of Management and Budget 
policies, and National Institute of Standards and Technology standards 
and guidelines. 

[50] The version of the Fair Information Practices that we used, which 
has been widely adopted, was developed by the Organisation for Economic 
Co-operation and Development and published as Guidelines on the 
Protection of Privacy and Transborder Flow of Personal Data (Sept. 23, 
1980). 

[51] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[52] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). 

[53] The number of seeded records, which represented matches to the 
watch list, does not reflect the actual number of watch-list matches in 
a real-world setting. 

[54] A security directive is a regulatory tool through which TSA may 
impose security measures on a regulated entity, in this case air 
carrier, generally in response to an immediate or imminent threat. The 
No-Fly list security directive--SD 1544-01-20F (Apr. 9, 2008) specifies 
the number of name variations that must be used by air carriers for 
current watch-list matching. The specific number of name variations 
required in the directive and the Secure Flight's name-matching 
capabilities are Sensitive Security Information and therefore, not 
included in this report. 

[55] This defined range is Sensitive Security Information and, 
therefore, is not included in this report. 

[56] Details about the specific false-negative rate resulting from 
these tests are Sensitive Security Information and, therefore, not 
included in this report. 

[57] We reported on the quality of watch-list records in October 2007 
and the steps the Terrorist Screening Center is taking to improve their 
quality; see GAO, Terrorist Watch List: Screening Opportunities Exist 
to Enhance Management Oversight, Reduce Vulnerabilities in Agency 
Screening Processes, and Expand Use of the List, [hyperlink, 
http://www.gao.gov/products/GAO-08-110] (Washington, D.C.: Oct. 11, 
2007). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: