This is the accessible text file for GAO report number GAO-09-292 entitled 'Aviation Security: TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks' which was released on May 14, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: May 2009: Aviation Security: TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks: GAO-09-292: GAO Highlights: Highlights of GAO-09-292, a report to congressional committees. Why GAO Did This Study: To enhance aviation security, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) developed a program— known as Secure Flight—to assume from air carriers the function of matching passenger information against terrorist watch-list records. In accordance with a mandate in the Department of Homeland Security Appropriations Act, 2008, GAO’s objective was to assess the extent to which TSA met the requirements of 10 statutory conditions related to the development of the Secure Flight program. GAO is required to review the program until all 10 conditions are met. In September 2008, DHS certified that it had satisfied all 10 conditions. To address this objective, GAO (1) identified key activities related to each of the 10 conditions; (2) identified federal guidance and best practices that are relevant to successfully meeting each condition; (3) analyzed whether TSA had demonstrated, through program documentation and oral explanation, that the guidance was followed and best practices were met; and (4) assessed the risks associated with not fully following applicable guidance and meeting best practices. What GAO Found: As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities for this condition). Also, TSA’s actions completed and those planned have reduced the risks associated with implementing the program. Although DHS asserted that TSA had satisfied all 10 conditions in September 2008, GAO completed its initial assessment in January 2009 and found that TSA had not demonstrated Secure Flight’s operational readiness and that the agency had generally not achieved 5 of the 10 statutory conditions. Consistent with the statutory mandate, GAO continued to review the program and, in March 2009, provided a draft of this report to DHS for comment. In the draft report, GAO noted that TSA had made significant progress and had generally achieved 6 statutory conditions, conditionally achieved 3 conditions, and had generally not achieved 1 condition. After receiving the draft report, TSA took additional actions and provided GAO with documentation to demonstrate progress related to 4 conditions. Thus, GAO revised its assessment in this report, as is reflected in the table below. Table: GAO Assessment of Whether DHS Has Achieved the 10 Statutory Conditions, as of April 2009: Statutory condition topic: System of Due Process (Redress): Generally achieved. Statutory condition topic: Extent of False-Positive Errors (Misidentifications): Generally achieved. Statutory condition topic: Performance of Stress Testing and Efficacy and Accuracy of Search Tools: Generally achieved. Statutory condition topic: Establishment of an Internal Oversight Board: Generally achieved. Statutory condition topic: Operational Safeguards to Reduce Abuse Opportunities: Generally achieved. Statutory condition topic: Substantial Security Measures to Prevent Unauthorized Access by Hackers: Generally achieved. Statutory condition topic: Effective Oversight of System Use and Operation: Generally achieved. Statutory condition topic: No Specific Privacy Concerns with the System’s Technological Architecture: Generally achieved. Statutory condition topic: Accommodation of States with Unique Transportation Needs: Generally achieved. Statutory condition topic: Appropriateness of Life-Cycle Cost Estimates and Program Plans: Conditionally achieved[A]. Source: GAO analysis. [A] For conditionally achieved, TSA has completed some key activities and has defined plans for completing remaining activities that, if effectively implemented as planned, should result in a reduced risk of the program experiencing cost, schedule, or performance shortfalls. [End of table] Related to the condition that addresses the efficacy and accuracy of search tools, TSA had not yet developed plans to periodically assess the performance of the Secure Flight system’s name-matching capabilities, which would help ensure that the system is working as intended. GAO will continue to review the Secure Flight program until all 10 conditions are generally achieved. What GAO Recommends: GAO recommends that DHS take action to periodically assess the performance of the Secure Flight system’s name-matching capabilities and results. DHS concurred with GAO’s recommendation. View [hyperlink, http://www.gao.gov/products/GAO-09-292] or key components. For more information, contact Cathleen A. Berrick at (202) 512-3404 or berrickc@gao.gov; or Randolph C. Hite at (202) 512-3439 or hiter@gao.gov; or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Background: TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Details on TSA's Testing of the Efficacy and Accuracy of Secure Flight's Matching System (Condition 3): Appendix III: Secure Flight's Oversight Entities (Condition 4): Appendix IV: TSA's Activities Related to the Effective Oversight of System Use and Operation (Condition 7): Appendix V: TSA's Actions to Address Fair Information Practices (Condition 8): Appendix VI: GAO Analyses of Secure Flight's Life-Cycle Cost Estimate and Schedule against Best Practices (Condition 10): Appendix VII: Comments from the Department of Homeland Security: Appendix VIII: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Simplified Description of 10 Statutory Conditions Related to Secure Flight: Table 2: GAO Assessment of Whether DHS Has Generally Achieved 10 Statutory Conditions, as of April 2009: Table 3: Fair Information Practice Principles: Table 4: Responsibilities of Secure Flight's Oversight Entities and Selected Oversight Actions, as of March 2009: Table 5: GAO Analysis of Secure Flight Cost Estimate Compared to Best Practices for a Reliable Cost Estimate Based on Information Provided by TSA as of March 20, 2009: Table 6: GAO Reassessment of Secure Flight Cost Estimate Compared to Best Practices for a Reliable Cost Estimate Based on Information Provided by TSA as of April 3, 2009: Table 7: GAO Analysis of Secure Flight Schedule Compared to Best Practices for Schedule Estimating Based on Information Provided by TSA as of March 20, 2009: Table 8: GAO Reassessment of Secure Flight Schedule Compared to Best Practices for Schedule Estimating Based on Information Provided by TSA as of April 3, 2009: Figure: Figure 1: Secure Flight Watch-List Matching Process: Abbreviations: AO: Aircraft Operator: APB: Acquisition Program Baseline: BPPR: Boarding Pass Printing Result: CAPPS: Computer-Assisted Passenger Prescreening System: CBP: U.S. Customs and Border Protection: CSA: Customer Service Agent: DHS: Department of Homeland Security: EAB: Enterprise Architecture Board: eSecure Flight: Electronic Secure Flight: ICE: independent cost estimate: IGCE: independent government cost estimate: IMS: Integrated Master Schedule: IRB: Investment Review Board: KDP: Key Decision Point: LCCE: life-cycle cost estimate: MDP: Milestone Decision Point: NARA: National Archives and Records Administration: OI: Office of Intelligence: OMB: Office of Management and Budget: OTSR: Office of Transportation Security Redress: PIA: Privacy Impact Assessment: PII: personally identifiable information: POA&M: plans of actions and milestones: PRR: Preliminary Review Required: RFA: Referred for Action: SFA: Secure Flight Analyst: SFPD: Secure Flight Passenger Data: SORN: System of Records Notice: TRIP: Traveler Redress Inquiry Program: TSA: Transportation Security Administration: TSC: Terrorist Screening Center: TSDB: Terrorist Screening Database: TSOU: Terrorist Screening Operations Unit: WBS: work breakdown structure: [End of section] United States Government Accountability Office: Washington, DC 20548: May 13, 2009: Congressional Committees: The matching of airline passenger information against terrorist watch- list records (watch-list matching) is a frontline defense against acts of terrorism that target the nation's civil aviation system. In general, passengers identified by air carriers as a match to the No-Fly list are prohibited from boarding a commercial flight, while those matched to the Selectee list are required to undergo additional screening.[Footnote 1] Historically, airline passenger prescreening has been performed by commercial air carriers. As required by the Intelligence Reform and Terrorism Prevention Act of 2004, the Transportation Security Administration (TSA) developed an advanced passenger prescreening program known as Secure Flight that will allow TSA to assume from air carriers the function of watch-list matching.[Footnote 2] Since fiscal year 2004, GAO has been mandated to assess the development and implementation of the Secure Flight program. [Footnote 3] Most recently, in February 2008, we reported that TSA had instilled more discipline and rigor into Secure Flight's development, but that the program continued to face challenges related to completing performance testing, fully defining and testing security requirements, and establishing reliable cost and schedule estimates.[Footnote 4] We made recommendations to address these challenges and TSA generally agreed with them. Section 522(a) of the Department of Homeland Security (DHS) Appropriations Act, 2005, set forth 10 conditions related to the development and implementation of the Secure Flight program that the Secretary of Homeland Security must certify have been successfully met before the program may be implemented or deployed on other than a test basis (see table 1).[Footnote 5] On September 24, 2008, DHS certified that it had satisfied all 10 conditions. Table 1: Simplified Description of 10 Statutory Conditions Related to Secure Flight: Condition 1: System of Due Process (Redress)[A]. Condition 2: Extent of False-Positive Errors (Misidentifications). Condition 3: Performance of Stress Testing and Efficacy and Accuracy of Search Tools. Condition 4: Establishment of an Internal Oversight Board. Condition 5: Operational Safeguards to Reduce Abuse Opportunities. Condition 6: Substantial Security Measures to Prevent Unauthorized Access by Hackers. Condition 7: Effective Oversight of System Use and Operation. Condition 8: No Specific Privacy Concerns with the System's Technological Architecture. Condition 9: Accommodation of States with Unique Transportation Needs[B]. Condition 10: Appropriateness of Life-Cycle Cost Estimates and Program Plans. Source: GAO summary of the10 statutory conditions in Section 522 of Public Law 108-334. [A] In general, the term "redress" refers to an agency's complaint resolution process whereby individuals may seek resolution of their concerns about an agency action. [B] Condition 9 is related to the Computer-Assisted Passenger Prescreening System (CAPPS), a TSA-mandated automated program operated by air carriers that considers characteristics of a passenger's travel arrangements to select passengers for secondary screening. CAPPS is distinct from the Secure Flight program. TSA did not incorporate CAPPS into the Secure Flight program and, therefore, Secure Flight will have no effect on CAPPS selection rates. [End of table] In accordance with section 513 of the Department of Homeland Security Appropriations Act, 2008, our objective was to assess the extent to which TSA met 10 statutory conditions and the associated risks of any shortfalls in meeting the requirements.[Footnote 6] Our overall methodology included (1) identifying key activities related to each condition; (2) identifying federal guidance and related best practices, if applicable, that are relevant to successfully meeting each condition (e.g., GAO's Standards for Internal Control in the Federal Government); [Footnote 7] (3) analyzing whether TSA has demonstrated through verifiable analysis and documentation, as well as oral explanation, that the guidance has been followed and best practices have been met; and (4) assessing the risks associated with not fully following applicable guidance and meeting best practices. Based on our assessment, we categorized each condition as generally achieved, conditionally achieved, or generally not achieved. * Generally achieved--TSA has demonstrated that it completed all key activities related to the condition in accordance with applicable federal guidelines and related best practices, which should reduce the risk of the program experiencing cost, schedule, or performance shortfalls. * Conditionally achieved--TSA has demonstrated that it completed some key activities related to the condition in accordance with applicable federal guidelines and related best practices and has defined plans for completing remaining key activities that, if effectively implemented as planned, should result in a reduced risk that the program will experience cost, schedule, or performance shortfalls. * Generally not achieved--TSA has not demonstrated that it completed all key activities related to the condition in accordance with applicable federal guidelines and related best practices and does not have defined plans for completing the remaining activities, and the uncompleted activities result in an increased risk of the program experiencing cost, schedule, or performance shortfalls. On January 7, 2009, we briefed staff of the Senate and House Appropriations Committees' Subcommittees on Homeland Security on the results of our initial work, and reported that TSA had not demonstrated Secure Flight's operational readiness and that the agency had generally not achieved 5 of the 10 statutory conditions. Our briefing also included several recommendations for DHS to mitigate risks of Secure Flight cost, schedule, or performance shortfalls and strengthen management of the program.[Footnote 8] In addition, under this mandate, GAO is required to continue to review the Secure Flight program until it determines that all 10 conditions have been successfully met. In accordance with this requirement, we conducted additional work from January through April 2009, which included assessing information DHS provided after we submitted a copy of our draft report to the department for formal agency comment. Based on this additional work, we revised the status of several conditions and now consider three of the recommendations we made in our draft report to be met. This report contains information on our initial January 2009 assessment and recommendations, and related updates through April 2009. We conducted this performance audit from May 2008 to May 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I presents more details about our scope and methodology. Background: Overview of Secure Flight: The prescreening of airline passengers who may pose a security risk before they board an aircraft is one of many layers of security intended to strengthen commercial aviation. In July 2004, the National Commission on Terrorist Attacks Upon the United States, also known as the 9/11 Commission, reported that the current system of matching passenger information to the No-Fly and Selectee lists needed improvements. The commission recommended, among other things, that watch-list matching be performed by the federal government rather than by air carriers. Consistent with this recommendation and as required by law, TSA has undertaken to develop a program--Secure Flight--to assume from air carriers the function of watch-list matching. Secure Flight is intended to: * eliminate inconsistencies in current passenger watch-list matching procedures conducted by air carriers and use a larger set of watch-list records when warranted, * reduce the number of individuals who are misidentified as being on the No-Fly or Selectee list, * reduce the risk of unauthorized disclosure of sensitive watch-list information, and: * integrate information from DHS's redress process into watch-list matching so that individuals are less likely to be improperly or unfairly delayed or prohibited from boarding an aircraft.[Footnote 9] Statutory requirements govern the protection of personal information by federal agencies, including the use of air passengers' information by Secure Flight. For example, the Privacy Act of 1974 places limitations on agencies' collection, disclosure, and use of personal information maintained in systems of records.[Footnote 10] The Privacy Act requires agencies to publish a notice--known as a System of Records Notice (SORN)--in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended "routine" use of the data, and procedures that individuals can use to review and correct personal information. Also, the E-Government Act of 2002 requires agencies to conduct Privacy Impact Assessments (PIA) that analyze how personal information is collected, stored, shared, and managed in a federal system.[Footnote 11] Agencies are required to make their PIAs publicly available if practicable. Secure Flight Development and Watch-List Matching Process: According to TSA, the agency developed and is implementing Secure Flight's domestic watch-list matching function in 3 releases: * Release 1--Systems development and testing. * Release 2--First stages of parallel operations with airline operators during which both Secure Flight and air carriers perform watch-list matching. * Release 3--Continued parallel operations with airline operators and preparation for airline cutovers, in which Secure Flight will perform passenger watch-list matching for domestic flights. Under the Secure Flight watch-list matching process (see fig. 1), air carriers submit passenger information, referred to as Secure Flight Passenger Data, electronically through a DHS router or eSecure Flight, a Web-based access system for air carriers that do not use automated reservation systems to send and receive the data. Secure Flight Passenger Data are matched automatically against watch-list records, with results provided to air carriers through a Boarding Pass Printing Result. Passengers are subject to three possible outcomes from the watch-list matching process: cleared to fly, selected for additional screening, or prohibited from flying. Individuals initially selected for additional screening and those prohibited from flying undergo additional review, which results in the final Boarding Pass Printing Result and may lead to law enforcement involvement. Figure 1: Secure Flight Watch-List Matching Process: [Refer to PDF for image: illustration] Aircraft operators: Network connection through DHS router to Secure Flight: SFPD to Automated watchlist monitoring. Network connection from Automated watchlist monitoring through DHS router to Aircraft operator: BPPR. Network connection to eSecure Flight: SFPD to eSecure Flight, then to Automated watchlist monitoring. Network connection from Automated watchlist monitoring through eSecure Flight to Aircraft operator: BPPR. Phone, fax, or email communications to CSA: Additional identifying information. Phone, fax, or email communications from CSA: Information request/AO guidance and assistance. Secure Flight: Information received and sent as indicated above; Additional network connections: Automated watchlist monitoring to Secure Flight User Interface: PRR; Automated watchlist monitoring from Secure Flight User Interface: Trigger unsolicited BPPR. Secure Flight User Interface to and from CSA: Matching information; Secure Flight User Interface to and from TSA-OI analyst: Matching information; Secure Flight User Interface to SFA: Matching information; Secure Flight User Interface from SFA: Comments/matching result update. SFA to and from CSA: conference calls. Additional connections: TSA-OI analyst to TSC: TSC RFA (call/email); TSA-OI analyst from TSC: TSC RFA disposition (call/email). TSC to TSOU: Law enforcement encounter request (call/fax); TSC from TSOU: Law enforcement encounter information (call/fax). Legend: AO: Aircraft Operator; BPPR: Boarding Pass Printing Result; CSA: Customer Service Agent; eSecure Flight: Electronic Secure Flight; PRR: Preliminary Review Required; RFA: Referred for Action; SFA: Secure Flight Analyst; SFPD: Secure Flight Passenger Data; TSC: Terrorist Screening Center; TSOU: Terrorist Screening Operations Unit. Source: GAO analysis; Art Explosion. [End of figure] TSA is to use discretion to determine what constitutes a possible match between passenger information and a watch-list record, based on matching settings made in the system. The matching settings include (1) the relative importance of each piece of passenger information (e.g., name versus date of birth); (2) the numeric threshold over which a passenger will be flagged as a potential match (e.g., a scoring threshold of 95 would result in fewer matches than a scoring threshold of 85); and (3) the criteria used to determine whether an element of passenger information is a potential match to the watch list (e.g., the types of name variations or the date-of-birth range that the system considers a match). The Secure Flight matching system will use this information to assign each passenger record a numeric score that indicates its strength as a potential match to a watch-list record. Raising the scoring threshold would result in more names cleared and fewer names identified as possible matches, which would raise the risk of the subject of a watch-list record being allowed to board an airplane (false-negative matches). Conversely, lowering the scoring threshold would raise the risk of passengers being mistakenly matched to the watch list (false-positive matches). In October 2008, TSA issued the Secure Flight Final Rule, which specifies requirements for air carriers to follow as TSA implements and operates Secure Flight, including the collection of full name and date-of-birth information from airline passengers to facilitate watch-list matching.[Footnote 12] In late-January 2009, TSA began to assume the watch-list matching function for a limited number of domestic flights for one airline, and has since phased in additional flights and airlines. TSA plans to complete assumption of the watch-list matching function for all domestic flights in March 2010 and to then assume from U.S. Customs and Border Protection this watch-list-matching function for international flights departing to and from the United States. According to TSA, since fiscal year 2004, it has received approximately $300 million in appropriated funds for the development and implementation of the Secure Flight program. Related System Also Prescreens Airline Passengers: In addition to matching passenger information against terrorist watch- list records, TSA requires air carriers to prescreen passengers using the Computer-Assisted Passenger Prescreening System (CAPPS). Through CAPPS, air carriers compare data related to a passenger's reservation and travel itinerary to a set of weighted characteristics and behaviors (CAPPS rules) that TSA has determined correlate closely with the characteristics and behaviors of terrorists. Passengers identified by CAPPS as exhibiting these characteristics--termed selectees--must undergo additional security screening. This system is separate from the Secure Flight watch-list matching process and thus Secure Flight has no effect on CAPPS selection rates. TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks: In a January 2009 briefing to congressional staff, we reported that TSA had not demonstrated Secure Flight's operational readiness and that the agency had generally not achieved 5 of the 10 statutory conditions (Conditions 3, 5, 6, 8, 10), although DHS asserted that it had satisfied all 10 conditions. Since then, TSA has made progress in developing the Secure Flight program and meeting the requirements of the 10 conditions, and the activities completed to date and those planned reduce the risks associated with implementing the program. Table 2 shows the status of the 10 conditions as of April 2009. Table 2: GAO Assessment of Whether DHS Has Generally Achieved 10 Statutory Conditions, as of April 2009: Statutory condition topic: Condition 1: System of Due Process (Redress); Generally Achieved[A]. Statutory condition topic: Condition 2: Extent of False-Positive Errors; Generally Achieved[A]. Statutory condition topic: Condition 3: Performance of Stress Testing and Efficacy and Accuracy of Search Tools; Generally Achieved[A]. Statutory condition topic: Condition 4: Establishment of an Internal; Oversight Board; Generally Achieved[A]. Statutory condition topic: Condition 5: Operational Safeguards to Reduce Abuse Opportunities; Generally Achieved[A]. Statutory condition topic: Condition 6: Substantial Security Measures to Prevent Unauthorized Access by Hackers; Generally Achieved[A]. Statutory condition topic: Condition 7: Effective Oversight of System Use and Operation; Generally Achieved[A]. Statutory condition topic: Condition 8: No Specific Privacy Concerns with the System's Technological Architecture; Generally Achieved[A]. Statutory condition topic: Condition 9: Accommodation of States with Unique Transportation Needs; Generally Achieved[A]. Statutory condition topic: Condition 10: Appropriateness of Life-Cycle Cost Estimates and Program Plans; Conditionally Achieved[B]. Source: GAO analysis. [A] For generally achieved, TSA has completed all key activities, which should reduce the risk of the program experiencing cost, schedule, or performance shortfalls. [B] For conditionally achieved, TSA has completed some key activities and has defined plans for completing remaining activities that, if effectively implemented as planned, should result in a reduced risk of the program experiencing cost, schedule, or performance shortfalls. [C] For generally not achieved, TSA has not completed all key activities, and the uncompleted activities result in an increased risk of the program experiencing cost, schedule, or performance shortfalls. [End of table] TSA Has Generally Achieved 9 of the 10 Statutory Conditions, but Additional Actions Would Help Mitigate Future Risks: Condition 1: Redress: Condition 1 requires that a system of due process exist whereby aviation passengers determined to pose a threat who are either delayed or prohibited from boarding their scheduled flights by TSA may appeal such decisions and correct erroneous information contained in the Secure Flight program. TSA has generally achieved this condition. For the Secure Flight program, TSA plans to use the existing redress process that is managed by the DHS Traveler Redress Inquiry Program (TRIP). TRIP, which was established in February 2007, serves as the central processing point within DHS for travel-related redress inquiries. TRIP refers redress inquiries submitted by airline passengers to TSA's Office of Transportation Security Redress (OTSR) for review. This process provides passengers who believe their travels have been adversely affected by a TSA screening process with an opportunity to be cleared if they are determined to be an incorrect match to watch-list records, or to appeal if they believe that they have been wrongly identified as the subject of a watch-list record. Specifically, air travelers who apply for redress and who TSA determines pose no threat to aviation security are added to a list that should automatically "clear" them and allow them to board an aircraft (the "cleared list"), thereby reducing any inconvenience experienced as a result of the watch-list matching process.[Footnote 13] After a review of the passenger's redress application, if OTSR determines that an individual was, in fact, misidentified as being on the No-Fly or Selectee list, it will add the individual to the cleared list. If OTSR determines that an individual is actually on the No-Fly or Selectee list, it will refer the matter to the Terrorist Screening Center, which determines whether the individual is appropriately listed and should remain on the list or is wrongly assigned and should be removed from the list. Although Secure Flight will use the same redress process that is used by the current air carrier-run watch-list matching process, some aspects of the redress process for air travelers are to change as the program is implemented. For example, individuals who apply for redress are issued a redress number by TRIP that they will be able to submit during future domestic air travel reservations that will assist in the preclearing process before they arrive at the airport. TSA expects this will reduce the likelihood of travel delays at check-in for those passengers who have been determined to pose no threat to aviation security. According to TSA officials, individuals who have applied for redress in the past and were placed on the cleared list will need to be informed of their new ability to use their redress number to preclear themselves under Secure Flight. These officials stated that they intend to send mailings to past redress applicants with information on this change. TSA has also coordinated with key stakeholders to identify and document shared redress processes and to clarify roles and responsibilities, consistent with relevant GAO guidance for coordination and documentation of internal controls.[Footnote 14] In addition, Secure Flight, TSA OTSR, and TSA's Office of Intelligence (OI) have jointly produced guidance that clarifies how the entities will coordinate their respective roles in the redress process, consistent with GAO best practices on coordinating efforts across government stakeholders. [Footnote 15] For example, the guidance clarifies the roles and responsibilities for each entity with respect to reviewing potential watch-list matches. Furthermore, TSA is developing performance measures to monitor the timeliness and accuracy of Secure Flight redress, as we recommended in February 2008.[Footnote 16] TRIP and OTSR's performance goals are to process redress applications as quickly and as accurately as possible. In February 2008, we reported that TRIP and OTSR track only one redress performance measure, related to the timeliness of case completion. We further reported that by not measuring all key defined program objectives, TRIP and OTSR lack the information needed to oversee the performance of the redress program. We recommended that DHS and TSA reevaluate the redress performance measures and consider creating and implementing additional measures, consistent with best practices that among other things address all program goals, to include the accuracy of the redress process. In response to GAO's recommendation, representatives from the TRIP office are participating in a Redress Timeliness Working Group, with other agencies involved in the watch-list redress process, to develop additional timeliness measures. According to DHS officials, the TRIP office has also established a quality assurance review process to improve the accuracy of redress application processing and will collect and report on these data. Secure Flight officials are developing additional performance measures to measure new processes that will be introduced once Secure Flight is operational, such as the efficacy of the system to preclear individuals who submit a redress number. Condition 2: Minimizing False Positives: Condition 2 requires that the underlying error rate of the government and private databases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false-positives (mistakenly matched) that will result in a significant number of passengers being treated mistakenly or security resources being diverted. TSA has generally achieved this condition by taking a range of actions that should minimize the number of false-positive matches. For example, the Secure Flight Final Rule requires air carriers to (1) collect date- of-birth information from airline passengers and (2) be capable of collecting redress numbers from passengers.[Footnote 17] Collecting date-of-birth information should improve the system's ability to correctly match passengers against watch-list records since each record contains a date of birth. TSA conducted a test in 2004 that concluded that the use of date-of-birth information would reduce the number of false-positive matches. In addition, airline passengers who have completed the redress process and are determined by DHS to not pose a threat to aviation security can submit their redress number when making a flight reservation. The submission of redress numbers by airline passengers should reduce the likelihood of passengers being mistakenly matched to watch list records, which in turn should reduce the overall number of false-positive matches. TSA has established a performance measure and target for the system's false-positive rate, which should allow the agency to track the extent to which it is minimizing false-positive matches and whether the rate at any point in time is consistent with the program's goals. TSA officials stated that they tested the system's false-positive performance during Secure Flight's parallel testing with selected air carriers in January 2009 and found that the false-positive rate was consistent with the established target and program's goals. Condition 3: Efficacy and Accuracy of the System and Stress Testing: Condition 3 requires TSA to demonstrate the efficacy and accuracy of the search tools used as part of Secure Flight and to perform stress testing on the Secure Flight system.[Footnote 18] We addressed efficacy and accuracy separately from stress testing because they require different activities and utilize different criteria. Efficacy and Accuracy of the System: TSA has generally achieved the part of Condition 3 that requires TSA to demonstrate the efficacy and accuracy of the search tools used as part of Secure Flight. According to TSA, as a screening system, Secure Flight is designed to identify subjects of watch-list records without generating an unacceptable number of false-positive matches[Footnote 19]. To accomplish this goal, TSA officials stated that Secure Flight's matching system and related search parameters were designed to identify potential matches to watch-list records if a passenger's date of birth is within a defined range of the date of birth on a watch-list record. [Footnote 20] According to TSA officials, the matching system and related search parameters were designed based on TSA OI policy and in consultation with TSA OI, the Federal Bureau of Investigation, and others. TSA conducted a series of tests--using a simulated passenger list and a simulated watch list created by a contractor with expertise in watch- list matching--that jointly assessed the system's false-negative and false-positive performance. However, in conducting these tests, the contractor used a wider date-of-birth matching range than TSA used in designing the Secure Flight matching system, which the contractor determined was appropriate to test the capabilities of a name-matching system. The tests showed that the Secure Flight system did not identify all of the simulated watch-list records that the contractor identified as matches to the watch list (the false-negative rate).[Footnote 21] Officials from TSA OI reviewed the test results and determined that the records not matched did not pose an unacceptable risk to aviation security.[Footnote 22] These officials further stated that increasing the date-of-birth range would unacceptably increase the number of false positives generated by the system. Moving forward, TSA is considering conducting periodic reviews of the Secure Flight system's matching capabilities and results (i.e., false positives and false negatives) to determine whether the system is performing as intended. However, final decisions regarding whether to conduct such reviews have not been made. Relevant guidance on internal controls identifies the importance of ongoing monitoring of programs, documenting control activities, and establishing performance measures to assess performance over time.[Footnote 23] By periodically monitoring the system's matching criteria as well as documenting and measuring any results to either (1) confirm that the system is producing effective and accurate matching results or (2) modify the settings as needed, TSA would be able to better assess whether the system is performing as intended. Without such activities in place, TSA will not be able to assess the system's false-negative rate, which increases the risk of the system experiencing future performance shortfalls. Given the inverse relationship between false positives and false negatives--that is, an increase in one rate may lead to a decrease in the other rate--it is important to assess both rates concurrently to fully test the system's matching performance. In our January 2009 briefing, we recommended that TSA periodically assess the performance of the Secure Flight system's matching capabilities to determine whether the system is accurately matching watch-listed individuals while minimizing the number of false positives. TSA agreed with our recommendation. Separate from the efficacy and accuracy of Secure Flight search tools, a security concern exists. Specifically, passengers could attempt to provide fraudulent information when making an airline reservation to avoid detection. TSA officials stated that they are aware of this situation and are taking actions to mitigate it. We did not assess TSA's progress in taking actions to address this issue or the effectiveness of TSA's efforts as part of this review.[Footnote 24] Stress Testing: The second part of Condition 3 requires TSA to perform stress testing on the Secure Flight system. In our January 2009 briefing to the Senate and House Appropriations Committees' Subcommittees on Homeland Security, we reported that TSA had generally not achieved this part of the condition because despite provisions for stress testing in Secure Flight test plans, such stress testing had not been performed at the time DHS certified that it had met the 10 statutory conditions, or prior to the completion of our audit work on December 8, 2008. However, TSA has since generally achieved this part of the condition. According to the Secure Flight Test and Evaluation Master Plan, the system was to be stress tested in order to assess performance when abnormal or extreme conditions are encountered, such as during periods of diminished resources or an extremely high number of users. Further, the Secure Flight Performance, Stress, and Load Test Plan states that the system's performance, throughput, and capacity are to be stressed at a range beyond its defined performance parameters in order to find the operational bounds of the system.[Footnote 25] In lieu of stress testing, program officials stated that Release 2 performance testing included "limit testing" to determine if the system could operate within the limits of expected peak loads (i.e., defined performance requirements).[Footnote 26] According to the officials, this testing would provide a sufficient basis for predicting which system components would experience degraded performance and potential failure if these peak loads were exceeded. However, in our view, such "limit testing" does not constitute stress testing because it focuses on the system's ability to meet defined performance requirements only, and does not stress the system beyond the requirements. Moreover, this "limit testing" did not meet the provisions for stress testing in TSA's own Secure Flight test plans. Program officials agreed that the limit testing did not meet the provisions for stress testing in accordance with test plans and revised program test plans and procedures for Release 3 to include stress testing. Beyond stress testing, our analysis at the time of our January 2009 briefing showed that TSA had not yet sufficiently conducted performance testing. According to the Secure Flight Test and Evaluation Master Plan, performance and load tests should be conducted to assess performance against varying operational conditions and configurations. Further, the Secure Flight Performance, Stress, and Load Test Plan states that each test should begin within a limited scope and build up to longer runs with a greater scope, periodically recording system performance results. These tests also should be performed using simulated interfaces under real-world conditions and employ several pass/fail conditions, including overall throughput. However, Secure Flight Release 2 performance testing was limited in scope because it did not include 10 of the 14 Secure Flight performance requirements. According to program officials, these 10 requirements were not tested because they were to be tested as part of Release 3 testing that was scheduled for December 2008.[Footnote 27] Moreover, 2 of the 10 untested performance requirements were directly relevant to stress testing. According to program officials, these 2 requirements were not tested as part of Release 2 because the subsystems supporting them were not ready at that time. Further, the performance testing only addressed the 4 requirements as isolated capabilities, and thus did not reflect real-world conditions and demands, such as each requirement's competing demands for system resources. Program officials agreed and stated that they planned to employ real world conditions in testing all performance requirements during Release 3 testing. In our January 2009 briefing, we recommended that TSA execute performance and stress tests in accordance with recently developed plans and procedures and report any limitations in the scope of the tests performed and shortfalls in meeting requirements to its oversight board, the DHS Investment Review Board. Since then, based on our analysis of updated performance, stress, and load test procedures and results, we found that TSA has now completed performance testing and significantly stress tested the vetting system portion of Secure Flight. For example, the stress testing demonstrated that the vetting system can process more than 10 names in 4 seconds, which is the system's performance requirement. As a result of the performance and stress testing that TSA has recently conducted, we now consider this condition to be generally achieved and the related recommendation we made at our January 2009 briefing to be met. Condition 4: Establishment of an Internal Oversight Board: Condition 4 requires the Secretary of Homeland Security to establish an internal oversight board to monitor the manner in which the Secure Flight programs is being developed and prepared. TSA has generally achieved this condition through the presence of five oversight entities that have met at key program intervals to monitor Secure Flight. In accordance with GAO's Standards for Internal Control in the Federal Government, a system of internal controls should include, among other things, an organizational structure that establishes appropriate lines of authority, a process that tracks agency performance against key objectives, and ongoing monitoring activities to ensure that recommendations made were addressed.[Footnote 28] Consistent with these practices, the internal oversight entities monitoring the Secure Flight program have defined missions with established lines of authority, have met at key milestones to review program performance, and have made recommendations designed to strengthen Secure Flight's development. Our review of a selection of these recommendations showed that the Secure Flight program addressed these recommendations. The oversight entities for the Secure Flight program are the following: * DHS Steering Committee, * TSA Executive Oversight Board, * DHS Investment Review Board (IRB),[Footnote 29] * TSA IRB, and: * DHS Enterprise Architecture Board (EAB). The DHS Steering Committee and TSA Executive Oversight Board are informal oversight entities that were established to provide oversight and guidance to the Secure Flight program, including in the areas of funding, and coordination with U.S. Customs and Border Protection (CBP) on technical issues. According to TSA officials, the DHS Steering Committee and TSA Executive Oversight Board do not have formalized approval requirements outlined in management directives. The DHS IRB, TSA IRB, and DHS EAB are formal entities that oversee DHS information technology projects and focus on ensuring that investments directly support missions and meet schedule, budget, and operational objectives. (App. III contains additional information on these oversight boards.) GAO has previously reported on oversight deficiencies related to the DHS IRB, such as the board's failure to conduct required departmental reviews of major DHS investments (including the failure to review and approve a key Secure Flight requirements document).[Footnote 30] To address these deficiencies, GAO made a number of recommendations to DHS, such as ensuring that investment decisions are transparent and documented as required. DHS generally agreed with these recommendations. Moving forward, it will be critical for these oversight entities to actively monitor Secure Flight as it progresses through future phases of systems development and implementation and ensure that the recommendations we make in this report are addressed. Conditions 5 and 6: Information Security: Conditions 5 and 6 require TSA to build in sufficient operational safeguards to reduce the opportunities for abuse, and to ensure substantial security measures are in place to protect the Secure Flight system from unauthorized access by hackers and other intruders. TSA has generally achieved the statutory requirements related to systems information security based on, among other things, actions to mitigate high-and moderate-risk vulnerabilities associated with Release 3. As of completion of our initial audit work on December 8, 2008, which we reported on at our January 2009 briefing, we identified deficiencies in TSA's information security safeguards that increased the risk that the system will be vulnerable to abuse and unauthorized access from hackers and other intruders. Federal law, standards, and guidance identify the need to address information security throughout the life cycle of information systems.[Footnote 31] Accordingly, the guidance and standards specify a minimum set of security steps needed to effectively incorporate security into a system during its development. These steps include: * categorizing system impact, performing a risk assessment, and determining security control requirements for the system; * documenting security requirements and controls and ensuring that they are designed, developed, tested, and implemented; * performing tests and evaluations to ensure controls are working properly and effectively, and implementing remedial action plans to mitigate identified weaknesses; and: * certifying and accrediting the information system prior to operation.[Footnote 32] To its credit, TSA had performed several of these key security steps for Release 1, such as: * categorizing the system as high-impact, performing a risk assessment, and identifying and documenting the associated recommended security control requirements; * preparing security documentation such as a system security plan and loading security requirements into the developer's requirements management tool; * testing and evaluating security controls for the Secure Flight system and incorporating identified weaknesses in remedial action plans; and: * conducting security certification and accreditation activities. However, as of December 8, 2008, TSA had not taken sufficient steps to ensure that operational safeguards and substantial security measures were fully implemented for Release 3 of Secure Flight. This is important because Release 3 is the version that is to be placed into production. Moreover, Release 3 provides for (1) a change in the Secure Flight operating environment from a single operational site with a "hot" backup site to dual processing sites where each site processes passenger data simultaneously,[Footnote 33] and (2) the eSecure Flight Web portal, which provides an alternative means for air carriers to submit passenger data to Secure Flight. While these changes could expose the Secure Flight program to security risks not previously identified, TSA had not completed key security activities to address these risks. Further, we found that TSA had not completed testing and evaluating of key security controls or performed disaster recovery tests for the Release 3 environment. These tests are important to ensure that the operational safeguards and security measures in the production version of the Secure Flight operating environment are effective, operate as intended, and appropriately mitigate risks. In addition, TSA had not updated or completed certain security documents for Release 3, such as its security plan, disaster recovery plan, security assessment report, and risk assessment, nor had it certified and accredited Release 3 of the Secure Flight environment it plans to put into production. Further, TSA had also not demonstrated that CBP had implemented adequate security controls over its hardware and software devices that interface with the Secure Flight system to ensure that Secure Flight data are not vulnerable to abuse and unauthorized access. Finally, TSA had not corrected 6 of 38 high-and moderate-risk vulnerabilities identified in Release 1 of the Secure Flight program. [Footnote 34] For example, TSA did not apply key security controls to its operating systems for the Secure Flight environment, which could then allow an attacker to view, change, or delete sensitive Secure Flight information. While TSA officials assert that they had mitigated 4 of the 6 uncorrected vulnerabilities, we determined the documentation provided was not sufficient to demonstrate that the vulnerabilities were mitigated. As a result of the security risks that existed as of December 8, 2008, we recommended that TSA take steps to complete its security testing and update key security documentation prior to initial operations. After our January 2009 briefing, TSA provided documentation showing that it had implemented or was in the process of implementing our recommendation. For example, TSA had completed security testing of the most recent release of Secure Flight (Release 3), updated security documents, certified and accredited Release 3, received an updated certification and accreditation decision from CBP for its interface with the Secure Flight program, and mitigated the high-and moderate- risk vulnerabilities related to Release 1. In addition, TSA had prepared plans of actions and milestones (POA&M) for the 28 high-risk and 32 moderate-risk vulnerabilities it identified during security testing of Release 3. The POA&Ms stated that TSA would correct the high- risk vulnerabilities within 60 days and the moderate-risk vulnerabilities within 90 days. Based on these actions, we concluded that TSA had conditionally achieved this condition as of January 29, 2009. Further, after we submitted our draft report to DHS for formal agency comment on March 20, 2009, TSA provided us updated information that demonstrated that it had completed the actions discussed above. Based on our review of documentation provided by TSA on March 31, 2009, we concluded that TSA had mitigated all 60 high-and moderate-risk vulnerabilities associated with Release 3. Therefore, we concluded that TSA had generally achieved the statutory requirements related to systems information security and we consider the related recommendation to be met. Condition 7: Oversight of the Use and Operation of the System: Condition 7 requires TSA to adopt policies establishing effective oversight of the use and operation of the Secure Flight system. As of the completion of our initial audit work on December 8, 2008, TSA had generally achieved this condition, but we nevertheless identified opportunities for strengthening oversight and thus made a recommendation aimed at doing so. According to GAO's best practices for internal control, effective oversight includes (1) the plans and procedures used to meet mission goals and objectives, and (2) activities that ensure the effectiveness and efficiency of operations, safeguard assets, prevent and detect errors and fraud, and provide reasonable assurance that a program is meeting its intended objectives. [Footnote 35] To its credit, TSA had finalized the vast majority of key documents related to the effective oversight of the use and operation of the system as of the completion of our initial audit work on December 8, 2008. For example, TSA had established performance measures to monitor and assess the effectiveness of the Secure Flight program; provided training to air carriers on transitioning their watch-list matching functions to TSA; developed a plan to oversee air carriers' compliance with Secure Flight program requirements; and finalized key standard operating procedures. However, TSA had not yet finalized or updated all key program documents or completed necessary training, which was needed prior to the program beginning operations. Accordingly, we recommended that TSA finalize or update all key Secure Flight program documents--including the agreement with the Terrorist Screening Center for exchanging watch-list and passenger data and standard operating procedures--and complete training before the program begins operations. In response, TSA finalized its memorandum of understanding with the Terrorist Screening Center on December 30, 2008, and completed program training in January 2009. Based on these actions, we consider this recommendation to be met. Appendix IV contains additional information on Condition 7. Condition 8: Privacy: Condition 8 requires TSA to take action to ensure that no specific privacy concerns remain with the technological architecture of the Secure Flight system. TSA has generally achieved the statutory requirement related to privacy based on progress the agency has made in establishing a privacy program as well as recent actions taken to address security vulnerabilities related to conditions 5 and 6. In our January 2009 briefing, we identified deficiencies in TSA's information security safeguards that posed a risk to the confidentiality of the personally identifiable information maintained by the Secure Flight system. The Fair Information Practices, a set of principles first proposed in 1973 by a U.S. government advisory committee, are used with some variation by organizations to address privacy considerations in their business practices and are also the basis of privacy laws and related policies in many countries, including the United States, Australia, and New Zealand, as well as the European Union. The widely-adopted version developed by the Organisation for Economic Co-operation and Development in 1980 is shown in table 3. Table 3: Fair Information Practice Principles: Principle: Collection limitation; Description: The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual. Principle: Data quality; Description: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose. Principle: Purpose specification; Description: The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes. Principle: Use limitation; Description: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority. Principle: Security safeguards; Description: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure. Principle: Openness; Description: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information. Principle: Individual participation; Description: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights. Principle: Accountability; Description: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles. Source: Organisation for Economic Co-operation and Development. Note: A version of the Fair Information Practices, which has been widely adopted, was developed by the Organisation for Economic Co- operation and Development and published as Guidelines on the Protection of Privacy and Transborder Flow of Personal Data (Sept. 23, 1980). [End of table] At the time of our January 2009 briefing, TSA had established a variety of programmatic and technical controls for Secure Flight, including: * involving privacy experts in major aspects of Secure Flight development, * developing privacy training for all Secure Flight staff and incident response procedures to address and contain privacy incidents, * tracking privacy issues and performing analysis when significant privacy issues are identified, * instituting access controls to ensure that data are not accidentally or maliciously altered or destroyed, * filtering unauthorized data from incoming data to ensure collection is limited to predefined types of information, * establishing standard formats for the transmission of personally identifiable information (PII) in order to reduce variance in data and improve data quality, and: * maintaining audit logs to track access to PII and document privacy incidents. In addition, TSA had issued required privacy notices--including a Privacy Impact Assessment and System of Records Notice--that meet legal requirements and address key privacy principles. These notices describe, among other things, the information that will be collected from passengers and airlines, the purpose of collection, and planned uses of the data. Through its privacy program, TSA had taken actions to implement most Fair Information Practice Principles. For information on the actions TSA has taken to generally address Fair Information Practices, see appendix V. However, at our January 2009 briefing, we also concluded that the weaknesses in Secure Flight's security posture--as described in our earlier discussion of information security--created an increased risk that the confidentiality of the personally identifiable information maintained by the Secure Flight system could be compromised. As a result, we recommended that TSA take steps to complete its security testing and update key security documentation prior to initial operations. After our January 2009 briefing, TSA provided documentation that it had implemented or was in the process of implementing our recommendation related to information security and we concluded that this condition had been conditionally achieved as of January 29, 2009. Further, after we submitted our draft report to DHS for formal agency comment on March 20, 2009, TSA provided us updated information that demonstrated that it had completed the actions to implement our recommendation. Based on our review of documentation provided by TSA on March 31, 2009, we believe TSA has generally achieved the condition related to privacy. Condition 9: CAPPS Rules: Condition 9 requires that TSA--pursuant to the requirements of section 44903(i)(2)(A)[sic] of title 49, United States Code--modify Secure Flight with respect to intrastate transportation to accommodate states with unique air transportation needs and passengers who might otherwise regularly trigger primary selectee status. TSA has generally achieved this condition. TSA is developing the Secure Flight program without incorporating the CAPPS rules and, therefore, Secure Flight will have no effect on CAPPS selection rates. According to TSA, the agency has modified the CAPPS rules to address air carriers operating in states with unique transportation needs and passengers who might otherwise regularly trigger primary selectee status.[Footnote 36] However, our review found that TSA lacked data on the effect of its modifications on air carrier selectee rates. We interviewed four air carriers to determine (1) the extent to which the CAPPS modifications and a related security amendment affected these carriers' selectee rates and (2) whether TSA had outreached to these carriers to assess the effect of the modifications and amendment on their selectee rates. The carriers provided mixed responses regarding whether the modifications and amendment affected their selectee rates. Further, three of the four air carriers stated that TSA had not contacted them to determine the effect of these initiatives. According to GAO best practices for internal control, agencies should ensure adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant effect on achieving goals. [Footnote 37] Without communications with air carriers, and given the agency's lack of data on carrier selectee rates, TSA cannot ensure that the CAPPS modifications and related security amendment have their intended effect. In our January 2009 briefing, we recommended that TSA conduct outreach to air carriers--particularly carriers in states with unique transportation needs--to determine whether modifications to the CAPPS rules and security amendment have achieved their intended effect. TSA agreed with our recommendation. TSA Has Conditionally Achieved 1 of the 10 Conditions, but Further Actions Are Needed to Mitigate the Risk of Cost and Schedule Overruns: Condition 10: Life-Cycle Cost and Schedule Estimates: Condition 10 requires the existence of appropriate life-cycle cost estimates and expenditure and program plans. TSA has conditionally achieved this statutory requirement based on our review of its plan of action for developing appropriate cost and schedule estimates and other associated documents submitted after we provided a copy our draft report to DHS for formal comment on March 20, 2009. The plan includes proposed activities and time frames for addressing weaknesses that we identified in the Secure Flight program's cost estimate and schedule and was the basis for our reassessment of this condition. At the time of our January 2009 briefing, we reported that this condition had generally not been achieved. Specifically, while TSA had made improvements to its life-cycle cost estimate and schedule, neither were developed in accordance with key best practices outlined in our Cost Assessment Guide.[Footnote 38] Our research has identified several practices that are the basis for effective program cost estimating. We have issued guidance that associates these practices with four characteristics of a reliable cost estimate: comprehensive, well documented, accurate, and credible. The Office of Management and Budget (OMB) endorsed our guidance as being sufficient for meeting most cost and schedule estimating requirements. In addition, the best practices outlined in our guide closely match DHS's own guidance for developing life-cycle cost estimates. Reliable cost and schedule estimates are critical to the success of a program, as they provide the basis for informed investment decision making, realistic budget formulation, program resourcing, meaningful progress measurement, proactive course correction, and accountability for results. As we reported at our January 2009 briefing, Secure Flight's $1.36 billion Life Cycle Cost Estimate (LCCE) is well documented in that it clearly states the purpose, source, assumptions, and calculations. However, it is not comprehensive, fully accurate, or credible. As a result, the life-cycle cost estimate does not provide a meaningful baseline from which to track progress, hold TSA accountable, and provide a basis for sound investment decision making. In our January 2009 briefing, we recommended that DHS take actions to address these weaknesses. TSA agreed with our recommendation. The success of any program depends in part on having a reliable schedule specifying when the program's set of work activities will occur, how long they will take, and how they relate to one another. As such, the schedule not only provides a road map for the systematic execution of a program, but it also provides the means by which to gauge progress, identify and address potential problems, and promote accountability. As we reported in January 2009, the November 15, 2008, TSA's Integrated Master Schedule (IMS) for Secure Flight--which provided supporting activities leading up to the program's initial operations in January 2009--was a significant improvement over its February 2008 version. For example, after meeting with GAO and its schedule analysis consultant, TSA took actions to improve the Secure Flight schedule, including adding initial efforts for domestic and international cutover activities, removing constraints that kept its schedule rigid, and providing significant status updates. Our research has identified nine practices associated with effective schedule estimating, which we used to assess Secure Flight.[Footnote 39] These practices are: capturing key activities, sequencing key activities, establishing duration of key activities, assigning resources to key activities, integrating key activities horizontally and vertically, establishing critical path, identifying float time, performing a schedule risk analysis, and distributing reserves to high risk activities.[Footnote 40] In assessing the November 15, 2008, schedule against our best practices, we found that TSA had met one of the nine best practices, but five were only partially met and three were not met. Despite the improvements TSA made to its schedule for activities supporting initial operational capability, the remaining part of the schedule associated with implementing Secure Flight for domestic and international flights was represented as milestones rather than the detailed work required to meet milestones and events. As such, the schedule was more characteristic of a target deliverable plan than the work involved with TSA assuming the watch-list matching function. Moreover, likely program completion dates were not being driven by the schedule logic, but instead were being imposed by the program office in the form of target dates. This practice made it difficult for TSA to use the schedule to reflect the program's status. Without fully employing all key scheduling practices, TSA cannot assure a sufficiently reliable basis for estimating costs, measuring progress, and forecasting slippages. In our January 2009 briefing, we recommended that DHS take actions to address these weaknesses. TSA agreed with our recommendation. In January 2009, TSA provided us with a new schedule, dated December 15, 2008. Our analysis showed that this new schedule continued to not follow best practices, did not correct the deficiencies we previously identified, and therefore could not be used as a reliable management tool. For example, a majority of the scheduled activities did not have baseline dates that allow the schedule to be tracked against a plan moving forward. In addition, best practices require that a schedule identify the longest duration path through the sequenced list of key activities--known as the schedule's critical path--where if any activity slips along this path, the entire program will be delayed. TSA's updated schedule did not include a critical path, which prevents the program from understanding the effect of any delays. Further, updating the Secure Flight program's schedule is important because of the significant cost and time that remains to be incurred to cutover all domestic flights to operations as planned by March 2010 and to develop, test, and deploy the functionality to assume watch-list matching for international flights. After we submitted a copy of our draft report to DHS for formal agency comment on March 20, 2009, TSA provided us its plan of action, dated April 2009, that details the steps the Secure Flight program management office intends to carry out to address weaknesses that we identified in the program's cost and schedule estimates. With regard to the program's cost estimate, TSA's plan has established a timeline of activities that, if effectively implemented, should result in (1) a more detailed work breakdown structure that would define the work necessary to accomplish the program's objectives; (2) the cost estimate and schedule work breakdown structures being aligned properly; (3) an independent cost estimate performed by a contractor; (4) an assessment of the life- cycle cost estimate by the DHS Cost Analysis Division; and (5) cost uncertainty and sensitivity analyses. In addition, TSA's plan has estimated government costs that were originally missing from its cost estimate. According to TSA, these costs will be addressed in its life- cycle cost estimate documentation. With regard to the Secure Flight program's schedule, TSA's plan of action has established a timeline of activities that, if effectively implemented, should result in, most notably: (1) a sequenced and logical schedule that will accurately calculate float time and a critical path; (2) a fully resource-loaded schedule based on subject- matter-expert opinion that does not overburden resources; (3) a schedule that includes realistic activity duration estimates; and (4) a schedule risk analysis that will be used by TSA leadership to distribute reserves to high-risk activities. According to TSA, this revised schedule will forecast the completion date for the project based on logic, duration, and resource estimates rather than artificial date constraints. The plan of action provides the Secure Flight program management office with a clearer understanding of the steps that need to be taken to address our concerns regarding the Secure Flight life-cycle cost estimate and schedule. Based on our review of the plan and the associated documentation provided, we therefore now consider this legislative requirement to be conditionally achieved and the related recommendations that we made at our January 2009 briefing to be met. It should be noted that a significant level of effort is involved in completing these activities, yet the actions--with the exception of the independent cost estimate--are planned to be completed by June 5, 2009. According to TSA, the independent cost estimate is to be completed by October 2009. While TSA's ability to fully meet the requirements of Condition 10 does not affect the Secure Flight system's operational readiness, having reliable cost and schedule estimates allows for better insight into the management of program resources and time frames as the program is deployed. We will continue to assess TSA's progress in carrying out the plan of action to address the weaknesses that we identified in the program's cost estimate and schedule and fully satisfying this condition. Appendix VI contains additional information on our analysis of TSA's efforts relative to GAO's best practices. Conclusions: TSA has made significant progress in developing the Secure Flight program, and the activities completed to date, as well planned, reduce the risks associated with implementing the program. However, TSA is still in the process of taking steps to address key activities related to testing the system's watch-list matching capability and cost and schedule estimates, which should be completed to mitigate risks and to strengthen the management of the program. Until these activities are completed, TSA lacks adequate assurance that Secure Flight will fully achieve its desired purpose and operate as intended. Moreover, if these activities are not completed expeditiously, the program will be at an increased risk of cost, schedule, or performance shortfalls. Specifically, the system might not perform as intended in the future if its matching capabilities and results (that is, false positives and false negatives) are not periodically assessed. In addition, cost overruns and missed deadlines will likely occur if reliable benchmarks are not established for managing costs and the remaining schedule. In addition to the issues and risks we identified related to the Secure Flight program, our work revealed one other TSA prescreening-related issue that should be addressed to mitigate risks and ensure that passenger prescreening is working as intended. Specifically, the effect that modifications to the CAPPS rules and a related security amendment have had on air carriers--particularly carriers in states with unique transportation needs--will remain largely unknown unless TSA conducts outreach to these air carriers to determine the effect of these changes. Recommendations for Executive Action: We are recommending that the Secretary of Homeland Security take the following two actions: * To mitigate future risks of performance shortfalls and strengthen management of the Secure Flight program moving forward, we recommend that the Secretary of Homeland Security direct the Assistant Secretary for the Transportation Security Administration to periodically assess the performance of the Secure Flight system's matching capabilities and results to determine whether the system is accurately matching watch- listed individuals while minimizing the number of false positives-- consistent with the goals of the program; document how this assessment will be conducted and how its results will be measured; and use these results to determine whether the system settings should be modified. * To ensure that passenger prescreening is working as intended, we recommend that the Secretary of Homeland Security direct the Assistant Secretary for the Transportation Security Administration to conduct outreach to air carriers--particularly carriers in states with unique transportation needs--to determine whether modifications to the CAPPS rules and related security amendment have achieved their intended effect. Agency Comments and Our Evaluation: We provided a draft of this report to DHS for review and comment on March 20, 2009. Subsequently, TSA provided us additional information related to several of the conditions, which resulted in a reassessment of the status of these conditions. Specifically, in the draft report that we provided for agency comment, we had concluded that Conditions 5 and 6 (information security) and Condition 8 (privacy) were conditionally achieved and Condition 10 (cost and schedule) was generally not achieved. Based on our review of the additional documentation provided by TSA, we are now concluding that Conditions 5, 6, and 8 are generally achieved and Condition 10 is conditionally achieved. In addition, in the draft report we provided to DHS for agency comment, we made five recommendations, four of which were related to the Secure Flight program. The fifth recommendation was related to Condition 9 (CAPPS rules), which is not related to the Secure Flight program. Based on the additional information that TSA provided during the agency comment period, we now consider three of these recommendations to be met (those related to information security, the cost estimate, and the program schedule). The other two recommendations have not been met and, therefore, are still included in this report (those related to monitoring the performance of the system's matching capability and assessing the effect of modifications on CAPPS rules). We provided our updated assessment to DHS and on April 23, 2009, DHS provided us written comments, which are presented in appendix VII. In its comments, DHS stated that TSA concurred with our updated assessment. We are sending copies of this report to the appropriate congressional committees and other interested parties. We are also sending a copy to the Secretary of Homeland Security. This report will also be available at no charge on our Web site at [hyperlink, http://www.gao.gov]. Should you or your staff have any questions about this report, please contact Cathleen A. Berrick at (202) 512-3404 or berrickc@gao.gov; Randolph C. Hite at (202) 512-3439 or hiter@gao.gov; or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are acknowledged in appendix VIII. Signed by: Cathleen A. Berrick: Managing Director, Homeland Security and Justice Issues: Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: Signed by: Gregory C. Wilshusen: Director, Information Security Issues: List of Congressional Committees: The Honorable Daniel K. Inouye: Chairman: The Honorable Thad Cochran: Vice Chairman: Committee on Appropriations: United States Senate: The Honorable John D. Rockefeller, IV: Chairman: The Honorable Kay Bailey Hutchison: Ranking Member: Committee on Commerce, Science, and Transportation: United States Senate: The Honorable Joseph I. Lieberman: Chairman: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United State Senate: The Honorable Patrick J. Leahy: Chairman: The Honorable Jeff Sessions: Ranking Member: Committee on the Judiciary: United States Senate: The Honorable Robert C. Byrd: Chairman: The Honorable George Voinovich: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable David R. Obey: Chairman: The Honorable Jerry Lewis: Ranking Member: Committee on Appropriations: House of Representatives: The Honorable Bennie G. Thompson: Chairman: The Honorable Peter T. King: Ranking Member: Committee on Homeland Security: House of Representatives: The Honorable Edolphus Towns: Chairman: The Honorable Darrell Issa: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: The Honorable James L. Oberstar: Chairman: The Honorable John L. Mica: Ranking Member: Committee on Transportation and Infrastructure: House of Representatives: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: Objectives: In accordance with section 513 of the Department of Homeland Security Appropriations Act, 2008, our objective was to assess the extent to which the Transportation Security Administration (TSA) met the requirements of 10 statutory conditions related to the development and implementation of the Secure Flight program and the associated risks of any shortfalls in meeting the requirements.[Footnote 41] Specifically, the act requires the Secretary of Homeland Security to certify, and GAO to report, that the 10 statutory conditions have been successfully met before TSA implements or deploys the program on other than a test basis.[Footnote 42] Pursuant to the act, after the Department of Homeland Security (DHS) certified that it had satisfied all 10 conditions--which it did on September 24, 2008--we were required to report within 90 days on whether the 10 conditions had been successfully met. It further requires GAO to report periodically thereafter until it determines that all 10 conditions have been successfully met. Scope and Methodology: Our overall methodology included (1) identifying key activities related to each condition; (2) identifying federal guidance and related best practices, if applicable, that are relevant to successfully meeting each condition (e.g., GAO's Standards for Internal Control in the Federal Government);[Footnote 43] (3) analyzing whether TSA has demonstrated through verifiable analysis and documentation, as well as oral explanation, that the guidance has been followed and best practices have been met; and (4) assessing the risks associated with not fully following applicable guidance and meeting best practices. Based on our assessment, we categorized each condition as generally achieved, conditionally achieved, or generally not achieved. * Generally achieved--TSA has demonstrated that it completed all key activities related to the condition in accordance with applicable federal guidelines and related best practices, which should reduce the risk of the program experiencing cost, schedule, or performance shortfalls. * Conditionally achieved--TSA has demonstrated that it completed some key activities related to the condition in accordance with applicable federal guidelines and related best practices and has defined plans for completing remaining key activities that, if effectively implemented as planned, should result in reduced risk that the program will experience cost, schedule, or performance shortfalls. * Generally not achieved--TSA has not demonstrated that it completed all key activities related to the condition in accordance with applicable federal guidelines and related best practices and does not have defined plans for completing the remaining activities, and the uncompleted activities result in an increased risk of the program experiencing cost, schedule, or performance shortfalls. In conducting this review, we worked constructively with TSA officials. We provided TSA with our criteria for assessing each of the 10 conditions and periodically met with TSA officials to discuss TSA's progress and our observations. To meet our 90-day reporting requirement, we conducted audit work until December 8, 2008, which included assessing activities and documents that TSA completed after DHS certified that it had met the 10 conditions. We reported the initial results of our review to the mandated reporting committees in two restricted briefings, first on December 19, 2008, and then on January 7, 2009. Because we concluded that TSA had not successfully met all 10 conditions, we conducted additional work from January through April 2009, the results of which are also included in this report. Further, after we submitted a copy of our draft report to DHS for formal agency comment on March 20, 2009, TSA provided us additional information related to Conditions 5, 6, 8, and 10 which resulted in our reassessment of the status of these conditions. The report has been updated to include the additional information and reassessments. Condition 1: Redress: To assess Condition 1 (redress), we interviewed program officials and reviewed and assessed agency documentation to determine how, once Secure Flight becomes operational, the DHS redress process will be coordinated with the Secure Flight program, based upon GAO best practices for coordination; as well as whether the process was documented, consistent with GAO best practices on documenting internal controls.[Footnote 44] We also reviewed performance measures for the Secure Flight redress process as well as TSA's progress in addressing a February 2008 GAO recommendation that DHS consider creating and implementing additional measures for its redress process.[Footnote 45] Condition 2: Minimizing False Positives: To assess Condition 2 (minimizing false positives), we interviewed program and TSA Office of Intelligence (OI) officials and reviewed and assessed Secure Flight performance objectives, tests, and other relevant documentation to determine the extent to which TSA's activities demonstrate that the Secure Flight system will minimize its false-positive rate. Additionally, we interviewed program and TSA OI officials and reviewed and assessed Secure Flight documentation to determine how the program established performance goals for its false- positive and false-negative rates. We also interviewed a representative from the contractor that designed a dataset that TSA used to test the efficacy and accuracy of Secure Flight's matching system to discuss the methodology of that dataset. Our engagement team, which included a social science analyst with extensive research methodology experience and engineers with extensive experience in systems testing, reviewed the test methodologies for the appropriateness and logical structure of their design and implementation, any data limitations, and the validity of the results. Our review focused on steps TSA is taking to reduce false-positive matches produced by Secure Flight's watch-list matching process, which is consistent with TSA's interpretation of the requirements of this condition. We did not review the Terrorist Screening Center's role in ensuring the quality of records in the Terrorist Screening Database (TSDB).[Footnote 46] Condition 3: Efficacy and Accuracy of the System and Stress Testing: To assess the first part of Condition 3 (efficacy and accuracy of the system), we interviewed program and TSA OI officials and reviewed and assessed Secure Flight performance objectives, tests, and other documentation that address the type and extent of testing and other activities that demonstrate that Secure Flight will minimize the number of false positives while not allowing an unacceptable number of false negatives. We also interviewed a representative from the contractor that designed a dataset that TSA used to test the efficacy and accuracy of Secure Flight's matching system to discuss the methodology of that dataset. Our engagement team, which included a social science analyst with extensive research methodology experience and engineers with extensive experience in systems testing, reviewed the test methodologies for the appropriateness and logical structure of their design and implementation and the validity of the results. However, we did not assess the appropriateness of TSA's definition of what should constitute a match to the watch list. We did not assess the accuracy of the system's predictive assessment, as this is no longer applicable to the Secure Flight program given the change in its mission scope compared to its predecessor program CAPPS II (i.e., Secure Flight only includes comparing passenger information to watch-list records whereas CAPPS II was to perform different analyses and access additional data, including data from commercial databases, to classify passengers according to their level of risk). To assess the second part of Condition 3, stress testing, we reviewed Secure Flight documentation--including test plans, test procedures, and test results--and interviewed program officials to determine whether TSA has defined and managed system performance and stress requirements in a manner that is consistent with relevant guidance and standards. [Footnote 47] We also determined whether the testing that was performed included testing the performance of Secure Flight search tools under increasingly heavy workloads, demands, and conditions to identify points of failure. For example, in January 2009, we met with the Secure Flight development team and a program official to observe test results related to the 14 Secure Flight performance and stress requirements. We walked through each of the 14 requirements and observed actual test scenarios and results. Condition 4: Establishment of an Internal Oversight Board: To assess Condition 4 (internal oversight), we interviewed DHS and TSA program officials and reviewed and analyzed documentation related to various DHS and TSA oversight boards--the DHS and TSA Investment Review Boards, the DHS Enterprise Architecture Board, the TSA Executive Oversight Board, and the DHS Steering Committee--to identify the types of oversight provided to the Secure Flight program. We also reviewed agency documentation to determine whether the oversight entities met as intended and, in accordance with GAO's Standards for Internal Control in the Federal Government,[Footnote 48] the extent to which the Secure Flight program has addressed a selection of recommendations and action items made by the oversight bodies. We evaluated oversight activities related to key milestones in the development of the Secure Flight system. Conditions 5 and 6: Information Security: To assess Conditions 5 and 6 (information security), we reviewed TSA's design of controls for systems supporting Secure Flight. Using federal law, standards, and guidelines on minimum security steps needed to effectively incorporate security into a system, we examined artifacts to assess how system impact was categorized, risk assessments were performed, security control requirements for the system were determined, and security requirements and controls were documented to ensure that they are designed, developed, tested, and implemented. [Footnote 49] We also examined artifacts to determine whether TSA assessed that controls were working properly and effectively, implemented remedial action plans to mitigate identified weaknesses, and certified and accredited information systems prior to operation. We interviewed TSA, U.S. Customs and Border Protection, and other officials on the current status of systems supporting, and controls, over Secure Flight. In addition, we observed the hardware and software environments of systems supporting Secure Flight to determine the status of information security controls, as appropriate. We reassessed the status of Conditions 5 and 6 based on our review of documentation provided by TSA on March 31, 2009, showing that it had mitigated all high-and moderate-risk information security vulnerabilities associated with the Secure Flight program's Release 3. Condition 7: Oversight of the Use and Operation of the System: In regard to Condition 7 (oversight of the system), for purposes of certification, TSA primarily defined effective oversight of the system in relation to information security. However, we assessed DHS's oversight activities against a broader set of internal controls for managing the program, as outlined in GAO's Standards for Internal Control in the Federal Government, to oversee the Secure Flight system during development and implementation. We interviewed Secure Flight program officials and reviewed agency documentation--including policies, standard operating procedures, and performance measures--to determine the extent to which policies and procedures addressed the management, use, and operation of the system. We also interviewed program officials at TSA's Office of Security Operations to determine how TSA intends to oversee internal and external compliance with system security, privacy requirements, and other functional requirements. We did not assess the quality of documentation provided by TSA. Our methodology for assessing information security is outlined under Conditions 5 and 6. Condition 8: Privacy: To assess Condition 8 (privacy), we analyzed legally-required privacy documentation, including systems-of-record notices and privacy impact assessments, as well as interviewed Secure Flight and designated TSA privacy officials to determine the completeness of privacy safeguards. In addition, we assessed available systems development documentation to determine the extent to which privacy protections have been addressed based on the Fair Information Practices.[Footnote 50] We also assessed whether key documentation had been finalized and key provisions, such as planned privacy protections, had been clearly determined. We reassessed the status of Condition 8 based on our review of documentation provided by TSA on March 31, 2009, showing that it had mitigated all high-and moderate-risk information security vulnerabilities associated with the Secure Flight program's Release 3. Condition 9: CAPPS Rules: To assess Condition 9 (CAPPS rules), we reviewed TSA documentation to identify modifications to the CAPPS rules and a related security program amendment to address air carriers operating in states with unique transportation needs and passengers who might otherwise regularly trigger primary selectee status. In addition, we interviewed TSA officials to determine the extent to which TSA assessed the effect of these activities on air carriers' selectee rates--either through conducting tests or by communicating with and obtaining information from air carriers--in accordance with GAO best practices for coordinating with external stakeholders.[Footnote 51] We also interviewed officials from four air carriers to obtain their views regarding the effect of CAPPS changes on the air carriers' selectee rates. These carriers were selected because they operate in states with unique transportation needs or have passengers who might otherwise regularly trigger primary selectee status as a result of CAPPS rules. Condition 10: Life-Cycle Cost and Schedule Estimates: To assess Condition 10 (cost and schedule estimates), we reviewed the program's life-cycle cost estimate, integrated master schedule, and other relevant agency documentation against best practices, including GAO's Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs.[Footnote 52] We also interviewed key program officials overseeing these activities and consulted with a scheduling expert to identify risks to the integrated master schedule. We reassessed the status of Condition 10, based on TSA's plan of action provided to us on April 3, 2009. The Plan of Action, dated April 2009, details the steps the Secure Flight program management office intends to carry out to address weaknesses that we identified in the program's cost and schedule estimates. Appendix VI contains additional information on our analysis of TSA's efforts relative to GAO's best practices. We conducted this performance audit from May 2008 to May 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Details on TSA's Testing of the Efficacy and Accuracy of Secure Flight's Matching System (Condition 3): The Transportation Security Administration (TSA) hired a contractor with expertise in matching systems to construct a dataset against which to test the Secure Flight matching system and assess the system's false- positive and false-negative performance. Given the inverse relationship between false positives and false negatives--that is, a decrease in one may lead to an increase in the other--it is important to assess both rates concurrently to fully test the system's matching performance. The contractor developed the dataset specifically for Secure Flight using name-matching software and expert review by analysts and linguists. The dataset consisted of a passenger list and a watch list using name types that were consistent with those on the actual No-Fly and Selectee lists. Each record included a passenger name and date of birth. The passenger list consisted of about 12,000 records, of which nearly 1,500 were "seeded" records that represented matches to the simulated watch list.[Footnote 53] According to the contractor, the seeded records were plausible variations to passenger names and dates of birth based on the contractor's analysis of real watch-list records. The passenger list was run through Secure Flight's automated matching system to determine its ability to accurately match the passenger records against the simulated watch list. The system used name-matching criteria outlined in the TSA No-Fly List security directive,[Footnote 54] and a defined date-of-birth matching criteria that TSA officials state was consistent with TSA Office of Intelligence policy.[Footnote 55] According to TSA, Secure Flight officials reviewed the test results to determine whether the system was accurately applying its matching criteria for passenger name and date of birth. TSA officials concluded that all matches and nonmatches made by the system were in accordance with these criteria. The test results for the system's default matching rules showed that the system produced a number of false-negative matches--that is, of the passenger records deemed by the contractor to be matches to the watch list, Secure Flight did not match a number of those records.[Footnote 56] TSA officials stated that the false- negative rate in the test was primarily due to the Secure Flight system's criteria for a date-of-birth match, which differed from the contractor's criteria. TSA determined a criteria range for a date-of-birth match that was consistent with TSA Office of Intelligence policy. According to TSA officials, these matching criteria are consistent with Secure Flight's responsibilities as a screening program--that is, the system must process high passenger volumes and quickly provide results to air carriers--and that those responsibilities were considered when balancing the risk presented by the system's false-positive and false- negative rates. The contractor's date-of-birth criteria range, however, was wider than the range used by TSA, which the contractor stated was established based on expert analysis of an excerpt from the watch list. According to TSA officials, officials from TSA's Office of Intelligence reviewed the test results and determined that the records identified as false negatives by the contractor--that is, the records that were matched by the contractor but not by the Secure Flight system--did not pose an unacceptable risk and should not have been flagged, and that these nonmatches were designated as such in accordance with Office of Intelligence policies and TSA's No Fly list security directive. These officials further stated that increasing the date-of-birth range would unacceptably increase the number of false positives generated by the system. TSA officials stated that the Secure Flight system's matching setting could be reconfigured in the future to adjust the system's false- positive and false-negative matching results should the need arise--for example, due to relevant intelligence information or improvements in the system's matching software. [End of section] Appendix III: Secure Flight's Oversight Entities (Condition 4): Table 4 shows the entities responsible for overseeing the development of the Secure Flight program and a sample of activities that had been completed. Table 4: Responsibilities of Secure Flight's Oversight Entities and Selected Oversight Actions, as of March 2009: Entity: Department of Homeland Security (DHS) Steering Committee; Oversight responsibilities: Review Secure Flight's progress in achieving key milestones and address operational issues. Prepare Secure Flight for other oversight processes (e.g., DHS Investment Review Board (IRB) review); Completed activities: Met quarterly since April 2007 to monitor Secure Flight's schedule, funding and implementation approach; Sample recommendation: The committee recommended improvements to Secure Flight concerning program documentation, such as the Mission Needs Statement, Concept of Operations, and briefing materials; Remaining activities: Meet quarterly to monitor program. Entity: Transportation Security Administration (TSA) Executive Oversight Board; Oversight responsibilities: Review policy-related issues and assess the program's progress in meeting milestones. Monitor key program activities related to funding and system testing. Ensure coordination with other agencies such as CBP; Completed activities: Met at least quarterly starting in November 2007 to oversee system, schedule and budget performance; Sample recommendation: The board recommended that Secure Flight improve coordination with CBP, which resulted in a weekly forum on technical issues; Remaining activities: Meet quarterly to oversee program. Entity: DHS IRB; Oversight responsibilities: Review Secure Flight's investments and authorize the program to move through Key Decision Points (KDP): (1) Program Initiation, (2) Concept and Technology Development, (3) Capability Development and Demonstration, (4) Production and Deployment, and (5) Operations and Support. Review and approve the program's Acquisition Program Baseline (APB) for cost, schedule, and performance; Completed activities: Authorized Secure Flight to proceed through KDPs 1-3 and approved the APB; Sample recommendation: Approved Secure Flight's progression to KDP 3 based on the program taking several actions including rescoping its business model to align more strongly with mission, which TSA addressed through a 60-day reassessment process; Remaining activities: Provide oversight for KDPs 4-5. Entity: TSA IRB; Oversight responsibilities: Prepare Secure Flight to move through the KDPs governed by the DHS IRB and review and approve the system performance parameters delineated in the APB; Completed activities: Met in conjunction with KDPs 1-3 and approved the APB; Sample recommendation: Directed Secure Flight to coordinate program privacy and security compliance requirements with appropriate points of contact, which resulted in the updating of security and privacy documentation for the DHS IRB; Remaining activities: Provide guidance for KDPs 4-5. Entity: DHS EAB; Oversight responsibilities: Perform evaluations of Secure Flight to ensure the program is aligned with DHS enterprise architecture and technology strategies and capabilities. This occurs at the following Milestone Decision Points (MDP): (1) Project Authorization, (2) Alternative Selection, (3) Project Decision, (4) Pre-Deployment, and (5) Executive Review; Completed activities: Authorized Secure Flight to move through MDP 1, 2, and 3; Sample recommendation: Authorized Secure Flight to proceed through MDP 1 contingent on implementation of an Independent Verification and Validation capability, which TSA secured through a contract; Remaining activities: Provide oversight for MDP 4 and 5. [End of table] Source: GAO analysis. [End of section] Appendix IV: TSA's Activities Related to the Effective Oversight of System Use and Operation (Condition 7): The Transportation Security Administration (TSA) completed several internal control activities related to the management, use, and operation of the Secure Flight system. For example: * TSA developed 21 standard operating procedures related to Secure Flight's business processes. In addition, TSA incorporated additional programmatic procedures into various plans and manuals that will provide support for the program once it becomes operational. According to a Secure Flight official, all 21 standard operating procedures were finalized as of December 12, 2008. * TSA released its Airline Operator Implementation Plan, which is a written procedure describing how and when an aircraft operator transmits passenger and nontraveler information to TSA. The plan amends an aircraft operator's Aircraft Operator Standard Security Program to incorporate the requirements of the Secure Flight program. * TSA finalized its plan to oversee air carrier compliance with Secure Flight's policies and procedures. All domestic air carriers and foreign carriers covered under the Secure Flight rule will be required to comply with and implement requirements set forth in the final rule. * The Airline Operator Implementation Plan and the Consolidated User Guide will provide air carriers with the requirements for compliance monitoring during the initial cutover phases. * The Airline Implementation Team, which assists air carriers' transition to Secure Flight, will ensure that air carriers are in compliance with program requirements prior to cutover. * TSA developed performance measures to monitor and assess the effectiveness of the Secure Flight program, such as measures to address privacy regulations, training requirements, data quality and submission requirements, and the functioning of the Secure Flight matching engine. TSA will also use performance measures to ensure that air carriers are complying with Secure Flight data requirements. * TSA developed written guidance for managing Secure Flight's workforce, including a Comprehensive Training Plan that outlines training requirements for users and operators of the system and service centers. * According to TSA officials, TSA completed programmatic training, which includes privacy and program-related training, for the entire Secure Flight workforce. * TSA provided stakeholder training for covered U.S. air carriers and foreign air carriers on the Secure Flight program. This training, while not required of stakeholders, provided air carriers with information on changes to the Secure Flight program after the Final Rule was released and technical and operational guidance as outlined in the Consolidated User Guide. The Airline Implementation, Communications, and Training Teams will support requests from air carriers for additional training throughout deployment. * According to TSA, the agency planned to pilot its operational training, which is necessary for employees and contractors to effectively undertake their assigned responsibilities, during the week of December 8, 2008. TSA officials stated that piloting this training would allow them to make any needed updates to Secure Flight's standard operating procedures. However, TSA officials said that updates to the Standard Operating Procedures as a result of training were expected to be minimal and would not have an effect on initial cutover in their view. [End of section] Appendix V: TSA's Actions to Address Fair Information Practices (Condition 8): The Transportation Security Administration (TSA) has taken actions that generally address the following Fair Information Practices. The Purpose Specification principle states that the purposes for a collection of personal information should be disclosed before collection and upon any change to that purpose. TSA addressed this principle by issuing privacy notices that define a specific purpose for the collection of passenger information. According to TSA privacy notices, the purpose of the Secure Flight Program is to identify and prevent known or suspected terrorists from boarding aircraft or accessing sterile areas of airports and better focus passenger and baggage screening efforts on persons likely to pose a threat to civil aviation, to facilitate the secure and efficient travel of the public while protecting individuals' privacy. The Data Quality principle states that personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose. TSA addressed this principle through its planned use of the Department of Homeland Security's (DHS) Traveler Redress Inquiry Program (TRIP), collecting information directly from passengers, and setting standard data formats. More specifically, TSA is planning to use DHS TRIP as a mechanism to correct erroneous data. TSA also believes that relying on passengers to provide their own name, date of birth, and gender will further help ensure the quality of the data collected. Moreover, TSA has developed a Consolidated User Guide that provides standard formats for air carriers to use when submitting passenger information to reduce variance and improve data quality. We reported previously that the consolidated terrorist watch list, elements of which are matched with passenger data to make Secure Flight screening decisions, has had data- quality issues[Footnote 57]. However, this database is administered by the Terrorist Screening Center and is not overseen by TSA. The Openness principle states that the public should be informed about privacy policies and practices, and that individuals should have a ready means of learning about the use of personal information. TSA addressed this principle by publishing and receiving comments on required privacy notices. TSA has issued a Final Rule, Privacy Impact Assessment, and System of Records Notice that discuss the purposes, uses, and protections for passenger data, and outline which data elements are to be collected and from whom. TSA obtained and responded to public comments on its planned measures for protecting the data a passenger is required to provide. The Individual Participation principle states that individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights. TSA addressed this principle through its planned use of DHS TRIP and its Privacy Act access and correction process. As previously mentioned, TSA plans to use DHS TRIP in order to allow passengers to request correction of erroneous data. Passengers can also request access to the information that is maintained by Secure Flight through DHS's Privacy Act request process. As permitted by the Privacy Act, TSA has claimed exemptions from the Privacy Act that limit what information individuals can access about themselves. For example, individuals will not be permitted to view information concerning whether they are in the Terrorist Screening Database (TSDB). However, TSA has stated that it may waive certain exemptions when disclosure would not adversely affect law enforcement or national security. The Use Limitation principle states that personal information should not be used for other than a specified purpose without consent of the individual or legal authority. TSA addressed this principle by identifying permitted disclosures of data and establishing mechanisms to ensure that disclosures are limited to those authorized. The Secure Flight system design requires that data owners initiate transfers of information, a provision that helps to assure that data is being used only for specified purposes. According to TSA privacy notices, the Secure Flight Records system is intended to be used to identify and protect against potential and actual threats to transportation security through watch-list matching against the No-Fly and Selectee components of the consolidated and integrated terrorist watch list known as the Terrorist Screening Database. TSA plans to allow other types of disclosures, as permitted by the Privacy Act. For example, TSA is permitted to share Secure Flight data with: * federal, state, local, tribal, territorial, foreign, or international agencies responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order regarding a violation or potential violation of civil or criminal law or regulation; and: * international and foreign governmental authorities in accordance with law and formal or informal international agreements. The Collection Limitation principle states that the collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual. TSA addressed this principle by conducting a data- element analysis, developing a data retention schedule, and establishing technical controls to filter unauthorized data and purge data. TSA has performed a data element analysis to determine the least amount of personal information needed to perform effective automated matching of passengers with individuals on the watch list. As a result, TSA has limited collection by only requiring that passengers provide their full name, gender, and date of birth. In addition, TSA requires air carriers to request other specific information, such as a passenger's redress number, and to provide TSA with other specific information in the airline's possession, such as the passenger's passport information. TSA established a data-purging control to rid the system of data according to its data-retention schedule. Further, TSA established technical controls to filter unauthorized data to ensure that collection is limited to authorized data fields. TSA is also developing a data-retention schedule which was issued for public comment and is in accordance with the Terrorist Screening Center's National Archives and Records Administration (NARA)---approved record- retention schedule for TSDB records. * The Accountability principle states that individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles. TSA addressed the Accountability principle by designating a program privacy officer and a team of privacy experts working on various aspects of the Secure Flight program, and by planning to establish several oversight mechanisms: * TSA implemented a system for tracking privacy issues that arise throughout the development and use of Secure Flight, and TSA is conducting follow-up analysis of significant privacy issues and providing resolution strategies for management consideration. * TSA developed privacy rules of behavior, which require that individuals handling personally identifiable information (PII) only use it for a stated purpose. * TSA is planning to maintain audit logs of system and user events to provide oversight of system activities, such as access to PII and transfer of PII in or out of the system. * TSA is planning to issue periodic privacy compliance reports, intended to track and aggregate privacy concerns or incidents, but it has not finalized the reporting process. * TSA developed general privacy training for all Secure Flight staff and is developing role-based privacy training for employees handling PII. While TSA has also taken steps related to the Security Safeguards principle, this principle had not been fully addressed at the time of our January 2009 briefing. The Security Safeguards principle states that personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure. TSA actions to address the Security Safeguards principle include planning to prevent unauthorized access to data stored in its system through technical controls including firewalls, intrusion detection, encryption, and other security methods. Although TSA had laid out a plan to protect the confidentiality of sensitive information through various security safeguards, our security review--discussed in more detail under conditions 5 and 6 on information security--identified weaknesses in Secure Flight's security posture that create an increased risk that the confidentiality of the personally identifiable information maintained by the Secure Flight system could be compromised. As a result of the security risks we identified and reported on at our January 2009 briefing, and their corresponding effect on privacy, we recommended that TSA take steps to complete its security testing and update key security documentation prior to initial operations. TSA agreed with our recommendation. Since our January 2009 briefing, TSA provided documentation that it has implemented our recommendation related to information security. In light of these actions, we believe TSA has now generally achieved the condition related to privacy and we consider the related recommendation we made at the briefing to be met. [End of section] Appendix VI: GAO Analyses of Secure Flight's Life-Cycle Cost Estimate and Schedule against Best Practices (Condition 10): After submitting a copy of our draft report to the Department of Homeland Security (DHS) for formal agency comment on March 20, 2009, the Transportation Security Administration (TSA) provided us its plan of action, dated April 2009, that details the steps the Secure Flight program management office intends to carry out to address weaknesses that we identified in the program's cost and schedule estimates. We reviewed TSA's plan and associated documentation and reassessed the program against our Cost and Schedule Best Practices. The following tables show our original assessment and reassessment of TSA's cost and schedule against our best practices. Table 5 summarizes the results of our analysis relative to the four characteristics of a reliable cost estimate based on information provided by TSA as of March 20, 2009. Table 5: GAO Analysis of Secure Flight Cost Estimate Compared to Best Practices for a Reliable Cost Estimate Based on Information Provided by TSA as of March 20, 2009: Best practice: Comprehensive; Explanation: The cost estimates should include both government and contractor costs over the program's full life cycle, from the inception of the program through design, development, deployment, and operation and maintenance to retirement. They should also provide an appropriate level of detail to ensure that cost elements are neither omitted nor double-counted and include documentation of all cost-influencing ground rules and assumptions; Satisfied?: Partially; GAO analysis: TSA's Life Cycle Cost Estimate (LCCE) included more cost elements (e.g., airline implementation, facility leasing costs, etc.) than the estimate it presented to us in February 2008. However, we found that support costs by other TSA groups assisting with Secure Flight were omitted, which resulted in an underreported cost estimate. In addition, because the costs for airline implementation were at a summary level, we could not determine what costs TSA estimated for implementing their assumed watch-list matching function for domestic and international flights. As a result, we could not determine if all costs were captured. Best practice: Well documented; Explanation: The cost estimates should have clearly defined purposes and be supported by documented descriptions of key program or system characteristics. Additionally, they should capture in writing such things as the source data used and their significance, the calculations performed and their results, and the rationale for choosing a particular estimating method. Moreover, this information should be captured in such a way that the data used to derive the estimate can be traced back to, and verified against, their sources. The final cost estimate should be reviewed and accepted by management; Satisfied?: Yes; GAO analysis: The cost estimate explicitly identified the primary methods, calculations, results, assumptions, and sources of the data used to generate each cost element. The estimate was based on the engineering build up method, using actual costs when available, and included detail regarding the basis of estimate, the underlying data, and support for the labor hours, labor rates, and material costs. The estimate was reviewed by TSA's Chief Financial Officer group who verified that the figures presented were consistent with DHS and OMB summary of spending documentation. Best practice: Accurate; Explanation: The cost estimates should provide for results that are unbiased and should not be overly conservative or optimistic. In addition, the estimates should be updated regularly to reflect material changes in the program, and steps should be taken to minimize mathematical mistakes and their significance. Among other things, the estimate should be grounded in a historical record of cost estimating and actual experiences on comparable programs; Satisfied?: Partially; GAO analysis: Our data checks showed that the estimates were accurate; however, because TSA omitted some costs, it underestimated the LCCE. We also found that the work plan in the Integrated Master Schedule (IMS) was not reflected in the cost estimate, making variances between estimated and actual costs difficult. For example, while TSA's Secure Flight schedule shows domestic cutovers to be carried out in 12 groups, the cost estimate is based on labor categories, hours, and rates at a summary level. Tracking variances at this high level will not promote accountability and TSA will lose the opportunity to collect valuable estimating data that could improve the accuracy of international cutover cost estimates. Best practice: Credible; Explanation: The cost estimates should discuss any limitations in the analysis performed due to uncertainty surrounding data or assumptions. Further, the estimates' derivation should provide for varying any major assumptions and recalculating outcomes based on sensitivity analyses, and their associated risks/uncertainty should be disclosed. Also, the estimates should be verified based on cross-checks using other estimating methods and by comparing the results with independent cost estimates; Satisfied?: Partially; GAO analysis: TSA performed independent government cost estimates (IGCE) for some cost elements including contract support efforts. However, TSA did not compare its LCCE to an independent cost estimate for the entire Secure Flight program and therefore cannot gauge its reasonableness. In addition, we found no evidence that TSA performed cross-checks to determine if other cost estimating techniques produced similar results. TSA also did not perform an uncertainty analysis to quantify the risk associated with domestic and international cutovers. Finally, the Secure Flight program lacks a reliable schedule baseline, which is a key component of a reliable cost estimate because it serves as a basis for future work to be performed. Source: GAO analysis. [End of table] Table 6 summarizes the results of our reassessment of the Secure Flight program's cost estimate relative to the four characteristics of a reliable cost estimate based on information provided by TSA as of April 3, 2009. Table 6: GAO Reassessment of Secure Flight Cost Estimate Compared to Best Practices for a Reliable Cost Estimate Based on Information Provided by TSA as of April 3, 2009: Best practice: Comprehensive; Explanation: The cost estimates should include both government and contractor costs over the program's full life cycle, from the inception of the program through design, development, deployment, and operation and maintenance to retirement. They should also provide an appropriate level of detail to ensure that cost elements are neither omitted nor double-counted and include documentation of all cost-influencing ground rules and assumptions; Satisfied?: Partially; GAO analysis: The program management office has estimated additional support costs associated with the Secure Flight program. These are government support costs expected to be incurred by TSA over the 3-year estimated period. The support costs are minor and will be noted in the LCCE assumptions. In planning to fully meet the Accurate best practice, TSA is planning to update its work breakdown structure (WBS) to define in detail the work necessary to accomplish Secure Flight's program objectives. TSA's Plan of Action states that each Secure Flight WBS area will be broken out into at least three levels. This work will be completed by July 2009. Best practice: Well documented; Explanation: The cost estimates should have clearly defined descriptions of key program or system characteristics. Additionally, they should capture in writing such things as the source data used and their significance, the calculations performed and their results, and the rationale for choosing a particular estimating method. Moreover, this information should be captured in such a way that the data used to derive the estimate can be traced back to, and verified against, their sources. The final cost estimate should be reviewed and accepted by management; Satisfied?: Yes; GAO analysis: TSA has fully met this criterion and therefore has no Plan of Action for reevaluation. Best practice: Accurate; Explanation: The cost estimates should provide for results that are unbiased and should not be overly conservative or optimistic. In addition, the estimates should be updated regularly to reflect material changes in the program, and steps should be taken to minimize mathematical mistakes and their significance. Among other things, the estimate should be grounded in a historical record of cost estimating and actual experiences on comparable programs; Satisfied?: Partially; GAO analysis: As noted in the Comprehensive best practice, the program management office has estimated additional support costs associated with the Secure Flight program. These are minor costs that will be noted in the LCCE assumptions. TSA's Plan of Action includes effort to fully align its cost estimate with the schedule WBS. TSA's Plan of Action also states that each Secure Flight WBS area will be broken out into at least three levels. A consistent framework between the IMS and cost estimate will promote accountability and will improve the accuracy of the cost estimate through the ability to track variances at lower levels. This work will be completed by July 2009. Best practice: Credible; Explanation: The cost estimates should discuss any limitations in the analysis performed due to uncertainty surrounding data or assumptions. Further, the estimates' derivation should provide for varying any major assumptions and recalculating outcomes based on sensitivity analyses, and their associated risks/uncertainty should be disclosed. Also, the estimates should be verified based on cross-checks using other estimating methods and by comparing the results with independent cost estimates; Satisfied?: Partially; GAO analysis: TSA's Plan of Action includes effort to use engineering build-up estimating techniques for each WBS work package, to be completed by July 2009. TSA will schedule an independent cost estimate (ICE) to be completed by a contractor by October 2009. In accordance with DHS directives, the DHS Cost Analysis Division will perform an assessment of the Secure Flight LCCE by April 2009. The ICE will be used to assess the reasonableness of the program office estimate and will be completed by April 2009. The Plan also includes effort to conduct a statistically based cost risk analysis. A Monte Carlo analysis will determine potential cost outcomes and will include a sensitivity analysis to identify key cost drivers. This uncertainty and sensitivity analysis will leverage results from the ICE effort and will be completed by May 2009. Source: GAO analysis. [End of table] Table 7 summarizes the results of our analysis relative to the nine schedule-estimating best practices based on information provided by TSA as of March 20, 2009. Table 7: GAO Analysis of Secure Flight Schedule Compared to Best Practices for Schedule Estimating Based on Information Provided by TSA as of March 20, 2009: Best Practice: Capturing key activities; Explanation: The schedule should reflect all key activities as defined in the program's work breakdown structure (WBS), to include activities to be performed by both the government and its contractors; Satisfied?: Partially; GAO Analysis: TSA only identified at a summary level key activities associated with domestic and international airline operator cutovers even though a significant amount of uncertainty exists within this work. Without these data it will be difficult to estimate the true completion of the project. The schedule also did not include a project completion date activity which was necessary for conducting a schedule risk analysis. Best Practice: Sequencing key activities; Explanation: The schedule should be planned so that it can meet critical program dates. To meet this objective, key activities need to be logically sequenced in the order that they are to be carried out. In particular, activities that must finish prior to the start of other activities (i.e., predecessor activities), as well as activities that cannot begin until other activities are completed (i.e., successor activities), should be identified. By doing so, interdependencies among activities that collectively lead to the accomplishment of events or milestones can be established and used as a basis for guiding work and measuring progress; Satisfied?: Partially; GAO Analysis: There were some key missing logic links in the schedule and we found excessive and questionable use of nonstandard logic for sequencing activities. The schedule also contained little information regarding historical performance and lacked a reasonable representation of the work to be carried out, especially future effort related to domestic and international cutovers. As a result, the schedule was not adequate for planning, tracking, and maintaining detailed project control. TSA said it was challenging to tie four disparate schedules into a single IMS. Best Practice: Establishing the duration of key activities; Explanation: The schedule should realistically reflect how long each activity will take to execute. In determining the duration of each activity, the same rationale, historical data, and assumptions used for cost estimating should be used. Durations should be as short as possible and have specific start and end dates. Excessively long periods needed to execute an activity should prompt further decomposition so that shorter execution durations will result. The schedule should be continually monitored to determine when forecasted completion dates differ from the planned dates, which can be used to determine whether schedule variances will affect downstream work; Satisfied?: Partially; GAO Analysis: TSA's schedule showed that activity durations were hidden in lags rather than being identified in discrete activities that can be statused and monitored for progress. Many activities were represented as milestones instead of duration-driven tasks. Furthermore, rather than estimating remaining duration for activities, TSA overrode the finish date and the constraint type. This is not a standard scheduling practice and resulted in percent-complete errors and overly optimistic forecasting. Best Practice: Assigning resources to key activities; Explanation: The schedule should reflect what resources (e.g., labor, material, and overhead) are needed to do the work, whether all required resources will be available when needed, and whether any funding or time constraints exist; Satisfied?: No; GAO Analysis: TSA did not see the value in resource loading their schedule even though cost loading the schedule would provide an effective means of tracking cost overruns or underruns and keep the cost estimate updated in accordance with best practices. Best Practice: Integrating key activities horizontally and vertically; Explanation: The schedule is horizontally integrated, meaning that it linked the products and outcomes associated with already-sequenced activities. These links are commonly referred to as "handoffs" and serve to verify that activities are arranged in the right order to achieve aggregated products or outcomes. The schedule should also be vertically integrated, meaning that traceability exists among varying levels of activities and supporting tasks and subtasks. Such mapping or alignment among levels enables different groups to work to the same master schedule; Satisfied?: Yes; GAO Analysis: The majority of the schedule was both horizontally and vertically integrated, meaning that the activities across the multiple teams were arranged in the right order to achieve aggregated products or outcomes. In addition, traceability existed among varying levels of activities, which allowed multiple teams to work to the same master schedule. Best Practice: Establishing the critical path for key activities; Explanation: Using scheduling software, the critical path--the longest duration path through the sequenced list of key activities--should be identified. The establishment of a program's critical path is necessary for examining the effects of any activity slipping along this path. Potential problems that might occur along or near the critical path should also be identified and reflected in the scheduling of the time for high-risk activities; Satisfied?: Partially; GAO Analysis: TSA cannot completely identify the critical path because domestic and international cutover activities need to broken down into further detail, logic links need to be fixed, and activity durations need to be clearly identified. Furthermore, TSA's schedule for Secure Flight represented a "target-driven" schedule due to its high degree of milestones and target dates vs. dynamically calculated dates from the Microsoft Project software. Best Practice: Identifying the "float time" between key activities; Explanation: The schedule should identify float time--the time that a predecessor activity can slip before the delay affects successor activities--so that schedule flexibility can be determined. As a general rule, activities along the critical path typically have the least amount of float time. Total float describes the amount of time flexibility an activity has without delaying the project completion (if everything else goes according to plan). Total float is used to find out which activities or paths are crucial to project completion; Satisfied?: Partially; GAO Analysis: TSA identified float time in its schedule for some key activities it captured. However, this float was not a true indication of schedule flexibility because it was inflated due to the fact that many activities in the schedule had no successors. To fix the schedule, TSA would need to identify activity successors in order to properly identify float time. Best Practice: Schedule risk analysis should be performed; Explanation: A schedule risk analysis should be performed using statistical techniques to predict the level of confidence in meeting a program's completion date. This analysis focuses not only on critical path activities but also on activities near the critical path, since they can potentially affect program status; Satisfied?: No; GAO Analysis: TSA had not performed a schedule risk analysis. GAO conducted such an analysis in July 2008 and updated it in November 2008. GAO's schedule risk analysis was limited in its ability to account for risk due to the lack of detail provided by TSA for activities associated with domestic and international cutovers. Best Practice: Distributing reserves to high risk activities; Explanation: The baseline schedule should include a buffer or a reserve of extra time. Schedule reserve for contingencies should be calculated by performing a schedule risk analysis. As a general rule, the reserve should be applied to high-risk activities, which are typically found along the critical path; Satisfied?: No; GAO Analysis: Because TSA had not conducted its own Schedule Risk Analysis, it cannot identify appropriate schedule reserves. Source: GAO analysis. [End of table] Table 8 summarizes the results of our reassessment of the Secure Flight program's schedule relative to the nine schedule estimating best practices based on information provided by TSA as of April 3, 2009. Table 8: GAO Reassessment of Secure Flight Schedule Compared to Best Practices for Schedule Estimating Based on Information Provided by TSA as of April 3, 2009: Best practice: Capturing key activities; Explanation: The schedule should reflect all key activities as defined in the program's work breakdown structure, to include activities to be performed by both the government and its contractors; Satisfied?: Partially; GAO analysis: In planning to fully meet the Accurate cost estimating best practice, TSA is planning to update its WBS to define in detail the work necessary to accomplish Secure Flight's program objectives. TSA's Plan states that each Secure Flight WBS area will be broken out into at least three levels. The estimated completion date for domestic deployment activities is April 2009 and June 2009 for international deployment activities. Best practice: Sequencing key activities; Explanation: The schedule should be planned so that it can meet critical program dates. To meet this objective, key activities need to be logically sequenced in the order that they are to be carried out. In particular, activities that must finish prior to the start of other activities (i.e., predecessor activities), as well as activities that cannot begin until other activities are completed (i.e., successor activities), should be identified. By doing so, interdependencies among activities that collectively lead to the accomplishment of events or milestones can be established and used as a basis for guiding work and measuring progress; Satisfied?: Partially; GAO analysis: As the schedule is updated to reflect domestic and international deployment activities, TSA is planning to "add dates and durations for key activities" that will be "supported by standard logic for sequencing activities." All detail tasks will have logical relationships in order for the scheduling software to dynamically calculate the completion date. This will allow the effect of actual and potential delays to be seen downstream. The plan further states that constraints and lags will be avoided and the schedule will have" accurate durations," but no mention is made of incorporating historical productivity. The estimated completion date for domestic deployment activities is April 2009 and June 2009 for international deployment activities. Best practice: Establishing the duration of key activities; Explanation: The schedule should realistically reflect how long each activity will take to execute. In determining the duration of each activity, the same rationale, historical data, and assumptions used for cost estimating should be used. Durations should be as short as possible and have specific start and end dates. Excessively long periods needed to execute an activity should prompt further decomposition so that shorter execution durations will result. The schedule should be continually monitored to determine when forecasted completion dates differ from the planned dates, which can be used to determine whether schedule variances will affect downstream work; Satisfied?: Partially; GAO analysis: According to the Plan of Action, constraints and lags will be avoided. The plan further states that the schedule will have "accurate durations," but no mention is made of incorporating historical productivity. However, based on GAO's recommendation, 1-day durations will operate off a 60-80 percent productivity day rather than the default 100 percent productive 8-hour day. These updates will be implemented as schedule activities are generated while the 1-day durations will be updated by April 24, 2009. Best practice: Assigning resources to key activities; Explanation: The schedule should reflect what resources (e.g., labor, material, and overhead) are needed to do the work, whether all required resources will be available when needed, and whether any funding or time constraints exist; Satisfied?: No; GAO analysis: According to the Plan of Action, the Secure Flight schedule is "completely resource loaded through domestic deployment." Resource loading was based on subject-matter-expert input and care was taken to ensure that resources were not overloaded. Resource loading is to be implemented as international deployment activities are generated, and completed by June 2009. Best practice: Integrating key activities horizontally and vertically; Explanation: The schedule is horizontally integrated, meaning that it linked the products and outcomes associated with already sequenced activities. These links are commonly referred to as "handoffs" and serve to verify that activities are arranged in the right order to achieve aggregated products or outcomes. The schedule should also be vertically integrated, meaning that traceability exists among varying levels of activities and supporting tasks and subtasks. Such mapping or alignment among levels enables different groups to work to the same master schedule; Satisfied?: Yes; GAO analysis: While this condition was originally met. TSA's Plan of Action guarantees that the updated schedule (including updated activities, durations, logic relationships, and resource loading) will continue to be horizontally and vertically integrated. The estimated completion date for domestic deployment activities is April 2009 and June 2009 for international deployment activities. Best practice: Establishing the critical path for key activities; Explanation: Using scheduling software, the critical path--the longest duration path through the sequenced list of key activities--should be identified. The establishment of a program's critical path is necessary for examining the effects of any activity slipping along this path. Potential problems that might occur along or near the critical path should also be identified and reflected in the scheduling of the time for high-risk activities; Satisfied?: Partially; GAO analysis: While not explicitly targeted in the Plan of Action, establishing the critical path is addressed through other scheduling efforts in the plan. In addition to updating the logic and incorporating realistic durations, the plan also states that dates will not be target-driven. In other words, the scheduling software will dictate a realistic finish date rather than the program office forcing tasks into the schedule to fit a predetermined date. The plan also notes that Level of Effort tasks will not show up in the critical path. This will be completed by June 2009. Best practice: Identifying the "float time" between key activities; Explanation: The schedule should identify float time--the time that a predecessor activity can slip before the delay affects successor activities--so that schedule flexibility can be determined. As a general rule, activities along the critical path typically have the least amount of float time. Total float describes the amount of time flexibility an activity has without delaying the project completion (if everything else goes according to plan). Total float is used to find out which activities or paths are crucial to project completion; Satisfied?: Partially; GAO analysis: As described previously, the Plan of Action calls for updating the logic relationships and incorporating realistic durations, as well as avoiding target -driven dates. Realistic float, as determined by the schedule, will then be available to the program office for resource leveling and schedule contingency. This will be implemented by April 2009 as international deployment activities are identified. Best practice: Schedule risk analysis should be performed; Explanation: A schedule risk analysis should be performed using statistical techniques to predict the level of confidence in meeting a program's completion date. This analysis focuses not only on critical path activities but also on activities near the critical path, since they can potentially affect program status; Satisfied?: No; GAO analysis: TSA has contracted with an independent company to (1) review the Secure Flight program plan, and (2) conduct and document a schedule risk analysis. The schedule risk analysis is to be completed by July 2009. Best practice: Distributing reserves to high risk activities; Explanation: The baseline schedule should include a buffer or a reserve of extra time. Schedule reserve for contingencies should be calculated by performing a schedule risk analysis. As a general rule, the reserve should be applied to high-risk activities, which are typically found along the critical path; Satisfied?: No; GAO analysis: According to the TSA Plan of Action, once the schedule risk analysis is completed, the results will be reviewed with program leadership to decide upon tasks that warrant reserves. This will be completed by August 2009. Source: GAO analysis. [End of table] [End of section] Appendix VII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: April 23, 2009: Ms. Cathleen A. Berrick: Managing Director, Homeland Security and Justice Team: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20458: Dear Ms. Berrick: The Department of Homeland Security (DHS) appreciates the opportunity to review and comment on the Government Accountability Office (GAO) draft report titled, Aviation Security: TSA Has Completed Key Activities Associated with Implementing Secure Flight, but Additional Actions Are Needed to Mitigate Risks (GAO-09-292). GAO issued the aforementioned draft report to the Transportation Security Administration (TSA) on March 20, 2009. TSA noted that the information contained in the report concerning TSA's progress in achieving the statutory conditions was dated. Accordingly, between March 20, 2009 and April 10, 2009, TSA provided additional information and documentation to the GAO. As a result, the GAO advised TSA on April 13, 2009, that the Secure Flight program has generally achieved Conditions 1 through 9 and conditionally achieved Condition 10. TSA concurs with the updated GAO assessment. The Department of Homeland Security through TSA will continue to collaborate with the GAO until Condition 10 has been generally achieved. Sincerely, Signed by: [Illegible] for: Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix VIII GAO Contacts and Staff Acknowledgments: GAO Contacts: Cathleen A. Berrick, (202) 512-3404 or berrickc@gao.gov: Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Acknowledgments: In addition to the contacts listed above, Idris Adjerid, David Alexander, Mathew Bader, Timothy Boatwright, John de Ferrari, Katherine Davis, Eric Erdman, Anthony Fernandez, Ed Glagola, Richard Hung, Jeff Jensen, Neela Lakhmani, Jason Lee, Thomas Lombardi, Sara Margraf, Vernetta Marquis, Victoria Miller, Daniel Patterson, David Plocher, Karen Richey, Karl Seifert, Maria Stattel, Margaret Vo, and Charles Vrabel made key contributions to this report. [End of section] Footnotes: [1] The No-Fly and Selectee lists contain the names of individuals with known or suspected links to terrorism. These lists are subsets of the consolidated terrorist watch list that is maintained by the Federal Bureau of Investigation's Terrorist Screening Center. [2] See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. § 44903(j)(2)(C)). [3] GAO has performed this work in accordance with statutory mandates, beginning in fiscal year 2004 with the Department of Homeland Security Appropriations Act, 2004, Pub. L. No. 108-90, § 519, 117 Stat. 1137, 1155-56 (2003) (establishing the initial mandate that GAO assess the Computer-Assisted Passenger Prescreening System (CAPPS) II, the precursor to Secure Flight, and setting forth the original eight statutory conditions related to the development and implementation of the prescreening system), and pursuant to the requests of various congressional committees. [4] GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, [hyperlink, http://www.gao.gov/products/GAO-08-456T] (Washington, D.C. Feb. 28, 2008). [5] See Pub. L. No. 108-334, § 522, 118 Stat. 1298, 1319-20 (2004). [6] See Pub. L. No. 110-161, Div. E, § 513, 121 Stat. 1844, 2072 (2007); see also Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 3682-83 (2008). [7] See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982, provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to the 1982 act, the Office of Management and Budget (OMB) issued circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in OMB Circular A-123 are based on GAO's Standards for Internal Control in the Federal Government. Appendix I contains more details on federal guidance and related best practices. [8] On December 19, 2008, we provided the initial results of our work to staff of the Senate and House Appropriations Committees' Subcommittees on Homeland Security, which was based on work conducted as of December 8, 2008. Section 513(b) of the Department of Homeland Security Appropriations Act, 2008, mandated that GAO report to these committees within 90 days after the DHS Secretary's certification. [9] In general, the term "redress" refers to an agency's complaint resolution process whereby individuals may seek resolution of their concerns about an agency action. [10] See 5 U.S.C. § 552a. [11] See Pub. L. No. 107-347, § 208, 116 Stat. 2899, 2921-23 (2002). [12] See 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R. pt. 1560). [13] We have previously reported that the cleared list is not consistently used by air carriers, and that matched air travelers must still go to the airline ticket counter to provide information to confirm that they are the individual on the cleared list. See GAO, Aviation Security: TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No Fly and Selectee Lists, but Expects Ultimate Solution to Be Implementation of Secure Flight, [hyperlink, http://www.gao.gov/products/GAO-08-992] (Washington, D.C. Sept. 9, 2008). [14] GAO, Agency Performance Plans: Examples of Practices That Can Improve Usefulness to Decisionmakers, [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] (Washington, D.C.: February 1999) and GAO/AIMD-00-21.3.1. [15] See [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69]. TSA OI is responsible for disseminating the cleared list. [16] See [hyperlink, http://www.gao.gov/products/GAO-08-456T}. [17] The Secure Flight Final Rule provides that air carriers must request a passenger's full name, gender, date of birth, and Redress or Known Traveler Numbers (if available), but it only requires that passengers provide their full name, gender, and date of birth. [18] Condition 3 also requires that TSA demonstrate that Secure Flight can make an accurate predictive assessment of those passengers who may constitute a threat to aviation. As TSA did not design Secure Flight with this capability, this element of the condition is not applicable to the Secure Flight program. [19] TSA officials stated that they considered the Secure Flight program's objectives--for example, the system must process high volumes of passengers and quickly provide results to air carriers while also accounting for the TSA resources required to review potential matches- -in determining an acceptable balance between mistakenly matching passengers (false-positives) and failing to identify passengers who match watch-list records (false-negatives). [20] Details about the Secure Flight matching system and related search parameters are Sensitive Security Information and, therefore, are not included in this report. TSA designates certain information, such as information that would be detrimental to the security of transportation if publicly disclosed, as Sensitive Security Information pursuant to 49 U.S.C. § 114(r) and its implementing regulations, codified at 49 C.F.R. part 1520. [21] Details about the specific false-negative rate resulting from these tests are Sensitive Security Information and, therefore, are not included in this report. [22] See Appendix II for additional details about these tests. [23] See [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] and [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [24] Additional details on this issue were determined to be Sensitive Security Information by TSA and, therefore, are not included in this report. [25] Details about the specific stress test requirements are Sensitive Security Information and, therefore, are not included in this report. [26] Performance tests are intended to determine how well a system meets specified performance requirements, while stress tests are intended to analyze system behavior under increasingly heavy workloads and severe operating conditions to identify points of system degradation and failure. [27] Our analysis showed that the Secure Flight Integrated Master Schedule (IMS) erroneously shows that performance testing for Release 3 was completed on July 31, 2008, which program officials confirmed was incorrect. According to program officials, the IMS was being updated to reflect its ongoing efforts to update and execute test plans in December 2008. [28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [29] DHS Acquisition Directive 102-01 supersedes the previous investment review policy (Management Directive 1400). Under the new acquisition directive, issued in November 2008, the DHS Investment Review Board is now referred to as the Acquisition Review Board. [30] GAO, Department of Homeland Security: Billions Invested in Major Programs Lack Appropriate Oversight, GAO-09-29 (Washington, D.C.: Nov. 18, 2008) and GAO, Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments, [hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: Apr. 27, 2007). [31] We considered federal criteria including the Federal Information Security Management Act of 2002, Pub. L. No. 107-347, §§ 301-05, 116 Stat. 2899, 2946-61 (as amended), OMB policies, and National Institute of Standards and Technology standards and guidelines. [32] Certification is a comprehensive assessment of management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision to authorize operation of an information system and to explicitly accept the risk to agency operations based on implementation of controls. [33] A hot site is a fully operation off-site data-processing facility equipped with hardware and system software to be used in the event of a disaster. [34] TSA defines a vulnerability as high risk if the probability of serious incident is likely and the risk is not normally acceptable. According to TSA, there is a strong need for corrective action and the authorization of operation status may be rescinded or not granted. For moderate-risk vulnerability, the probability of an incident is elevated with increased probability of unauthorized disclosure or denial of service of critical systems. [35] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [36] The CAPPS rules and TSA's actions in response to this condition are Sensitive Security Information and, therefore, are not included in this report. [37] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [38] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [39] [hyperlink, http://www.gao.gov/products/GAO-09-3SP]. [40] See appendix VI for additional details on GAO's best practices for cost and schedule estimation. [41] See Pub. L. No. 110-161, Div. E, § 513, 121 Stat. 1844, 2072 (2007); see also Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 3682-83 (2008). [42] Section 522(a) of the Department of Homeland Security Appropriations Act, 2005 (Pub. L. No. 108-334, 118 Stat., 1298, 1319 (2004)), sets forth these 10 conditions. [43] See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982, provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to the 1982 Act, the Office of Management and Budget (OMB) issued circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in OMB Circular A-123 are based on GAO's Standards for Internal Control in the Federal Government. [44] GAO, Agency Performance Plans: Examples of Practices That Can Improve Usefulness to Decisionmakers, [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69]. [45] GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, [hyperlink, http://www.gao.gov/products/GAO-08-456T] (Washington, D.C. Feb. 28, 2008). [46] We reported on the quality of watch-list records in October 2007 and the steps the Terrorist Screening Center is taking to improve their quality; see GAO, Terrorist Watch List: Screening Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand Use of the List, [hyperlink, http://www.gao.gov/products/GAO-08-110] (Washington, D.C. Oct. 11, 2007). The Department of Justice's Inspector General also reported on the quality of records in the terrorist screening database in June 2005 and September 2007. [47] Software Engineering Institute, "A Framework for Software Product Line Practice, Version 5.0"; "Robustness Testing of Software-Intensive Systems: Explanation and Guide," CMU/SEI-2005-TN-015; and GAO, Year 2000 Computing Crisis: A Testing Guide [hyperlink, http://www.gao.gov/products/GAO/AIMD-10.1.21] (Washington, D.C.: Nov. 1, 1998). [48] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [49] We considered federal criteria including the Federal Information Security Management Act of 2002, Office of Management and Budget policies, and National Institute of Standards and Technology standards and guidelines. [50] The version of the Fair Information Practices that we used, which has been widely adopted, was developed by the Organisation for Economic Co-operation and Development and published as Guidelines on the Protection of Privacy and Transborder Flow of Personal Data (Sept. 23, 1980). [51] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [52] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [53] The number of seeded records, which represented matches to the watch list, does not reflect the actual number of watch-list matches in a real-world setting. [54] A security directive is a regulatory tool through which TSA may impose security measures on a regulated entity, in this case air carrier, generally in response to an immediate or imminent threat. The No-Fly list security directive--SD 1544-01-20F (Apr. 9, 2008) specifies the number of name variations that must be used by air carriers for current watch-list matching. The specific number of name variations required in the directive and the Secure Flight's name-matching capabilities are Sensitive Security Information and therefore, not included in this report. [55] This defined range is Sensitive Security Information and, therefore, is not included in this report. [56] Details about the specific false-negative rate resulting from these tests are Sensitive Security Information and, therefore, not included in this report. [57] We reported on the quality of watch-list records in October 2007 and the steps the Terrorist Screening Center is taking to improve their quality; see GAO, Terrorist Watch List: Screening Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand Use of the List, [hyperlink, http://www.gao.gov/products/GAO-08-110] (Washington, D.C.: Oct. 11, 2007). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: