This is the accessible text file for GAO report number GAO-09-399 entitled 'Aviation Security: A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls' which was released on October 1, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2009: Aviation Security: A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls: GAO-09-399: GAO Highlights: Highlights of GAO-09-399, a report to congressional requesters. Why GAO Did This Study: Incidents of airport workers using access privileges to smuggle weapons through secured airport areas and onto planes have heightened concerns regarding commercial airport security. The Transportation Security Administration (TSA), along with airports, is responsible for security at TSA-regulated airports. To guide risk assessment and protection of critical infrastructure, including airports, the Department of Homeland Security (DHS) developed the National Infrastructure Protection Plan (NIPP). GAO was asked to examine the extent to which, for airport perimeters and access controls, TSA (1) assessed risk consistent with the NIPP; (2) implemented protective programs, and evaluated its worker screening pilots; and (3) established a strategy to guide decision making. GAO examined TSA documents related to risk assessment activities, airport security programs, and worker screening pilots; visited nine airports of varying size; and interviewed TSA, airport, and association officials. What GAO Found: Although TSA has implemented activities to assess risks to airport perimeters and access controls, such as a commercial aviation threat assessment, it has not conducted vulnerability assessments for 87 percent of the nation’s approximately 450 commercial airports or any consequence assessments. As a result, TSA has not completed a comprehensive risk assessment combining threat, vulnerability, and consequence assessments as required by the NIPP. While TSA officials said they intend to conduct a consequence assessment and additional vulnerability assessments, TSA could not provide further details, such as milestones for their completion. Conducting a comprehensive risk assessment and establishing milestones for its completion would provide additional assurance that intended actions will be implemented, provide critical information to enhance TSA’s understanding of risks to airports, and help ensure resources are allocated to the highest security priorities. Since 2004, TSA has taken steps to strengthen airport security and implement new programs; however, while TSA conducted a pilot program to test worker screening methods, clear conclusions could not be drawn because of significant design limitations and TSA did not document key aspects of the pilot. TSA has taken steps to enhance airport security by, among other things, expanding its requirements for conducting worker background checks and implementing a worker screening program. In fiscal year 2008 TSA pilot tested various methods to screen airport workers to compare the benefits, costs, and impacts of 100 percent worker screening and random worker screening. TSA designed and implemented the pilot in coordination with the Homeland Security Institute (HSI), a federally funded research and development center. However, because of significant limitations in the design and evaluation of the pilot, such as the limited number of participating airports—7 out of about 450—it is unclear which method is more cost- effective. TSA and HSI also did not document key aspects of the pilot’s design, methodology, and evaluation, such as a data analysis plan, limiting the usefulness of these efforts. A well-developed and well- documented evaluation plan can help ensure that pilots generate needed performance information to make effective decisions. While TSA has completed these pilots, developing an evaluation plan for future pilots could help ensure that they are designed and implemented to provide management and Congress with necessary information for decision making. TSA’s efforts to enhance the security of the nation’s airports have not been guided by a unifying national strategy that identifies key elements, such as goals, priorities, performance measures, and required resources. For example, while TSA’s various airport security efforts are implemented by federal and local airport officials, TSA officials said that they have not identified or estimated costs to airport operators for implementing security requirements. GAO has found that national strategies that identify these key elements strengthen decision making and accountability; in addition, developing a strategy with these elements could help ensure that TSA prioritizes its activities and uses resources efficiently to achieve intended outcomes. What GAO Recommends: GAO recommends, among other things, that TSA develop a comprehensive risk assessment of airport security, and milestones for its completion; an evaluation plan for any future airport security pilot programs; and a national strategy for airport security that includes key characteristics, such as goals and priorities. DHS reviewed a draft of this report and concurred with these recommendations. View [hyperlink, http://www.gao.gov/products/GAO-09-399] or key components. For more information, contact Steve Lord at (202) 512-4379 or lords@gao.gov. [End of section] Contents: Letter: Background: TSA Has Taken Steps to Assess Threats and Vulnerabilities for Airport Security, but Has Not Conducted a Comprehensive Risk Assessment to Help Identify Priorities and Allocate Resources: TSA Has Taken a Variety of Protective Actions to Strengthen Airport Security, but Did Not Follow Accepted Practices in Developing Its Worker Screening Pilot Program; Additionally, Issues Remain regarding Worker Security, Technology, and Other Initiatives: A National Strategy for Airport Security Could Help Ensure Program Effectiveness, Inform Cost and Resource Decisions, Ensure Collaboration, and Increase Accountability: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: TSA Actions to Address Selected Statutory Requirements for Airport Security: Appendix III: TSA Also Uses Compliance Inspections and Covert Testing to Detect Possible Airport Security Vulnerabilities: Appendix IV: Costs for Airport Security: Appendix V: TSA Worker Screening Pilot Program: Appendix VI: Additional TSA Efforts to Improve General Airport Security: Appendix VII: Alternative Methods Available to Assist TSA in Assessing the Effectiveness of Its Actions to Strengthen Airport Security: Appendix VIII: Comments from the Department of Homeland Security: Appendix IX: GAO Contact and Staff Acknowledgments: Tables: Table 1: Protective Actions TSA Has Taken since 2004 to Strengthen Airport Security: Table 2: Requirements Relating to Airport Perimeter and Access Control Security Imposed through Security Directives and Emergency Amendments: Table 3: TSA Actions since 2004 to Address Relevant ATSA Requirements through May 2009: Table 4: Summary of TSA-Identified Costs Related to Airport Security, Fiscal Years 2004-2008: Table 5: Summary of Explanatory Text Directing the Worker Screening Pilot Program: Figures: Figure 1: Commercial Airport Areas Typically Have Varying Levels of Security: Figure 2: Total Number of TSA-Reported Security Breaches from Fiscal Years 2004 through 2008: Figure 3: NIPP Risk Management Framework: Abbreviations: AACPP: Airport Access Control Pilot Program: ACIS: Aviation Credential Interoperability Solution: ADASP: Aviation Direct Access Screening Program: ADRA: air domain risk assessment: APS: Airport Perimeter Security: ASP: Airport Security Program: AOA: air operations area: ATSA: Aviation and Transportation Security Act: CHRC: criminal history records check: DHS: Department of Homeland Security: FAA: Federal Aviation Administration: FBI: Federal Bureau of Investigation: FSD: federal security director: GPRA: Government Performance and Results Act: HSI: Homeland Security Institute: HSPD: Homeland Security Presidential Directive: NIPP: National Infrastructure Protection Plan: JVA: joint vulnerability assessment: OIG: Office of Inspector General: OMB: Office of Management and Budget: SIDA: security identification display area: SPOT: Screening of Passengers by Observation Techniques: STA: security threat assessment: TSA: Transportation Security Administration: TSOB: Transportation Security Oversight Board: TS-SSP: Transportation Systems-Sector Specific Plan: VIPR: Visible Intermodal Prevention and Response: [End of section] United States Government Accountability Office: Washington, DC 20548: September 30, 2009: Congressional Requesters: Recent criminal incidents involving airport workers using their access privileges to smuggle weapons and drugs into secured areas of commercial airports and onto planes has heightened concerns about the risks posed by workers and the security of airport perimeters and access to secured areas.[Footnote 1] Moreover, the Transportation Security Administration (TSA), the agency primarily responsible for securing the nation's civil aviation system,[Footnote 2] has identified workers with access to secured airport areas as one of the greatest potential threats to aviation and highlighted the need to keep airport perimeters secure.[Footnote 3] Pursuant to the Aviation and Transportation Security Act (ATSA), which was signed into law shortly after the terrorist attacks of September 11, 2001, TSA assumed primary responsibility for implementing and overseeing security operations within the nation's civil aviation system.[Footnote 4] This includes overseeing U.S. airport operator efforts to maintain and improve the security of perimeters and the access controls, as well as implementing measures to reduce risks posed by workers at the nation's commercial airports.[Footnote 5] While airport operators, not TSA, generally retain direct day-to-day operational responsibility for these areas of security, TSA is responsible for establishing and implementing measures to improve the security of airport perimeters and access controls to secured areas within the airports and to reduce the security risks posed by airport workers. In 2004 we reported that TSA had taken steps to enhance the security of airport perimeters and access controls, but that it faced challenges in identifying security weaknesses of the commercial airport system, prioritizing funding to address the most critical security needs, and taking steps to reduce the risks posed by airport workers.[Footnote 6] We recommended, among other things, that TSA determine if and when additional security requirements are needed to reduce the risks posed by airport workers. TSA generally concurred with our findings and recommendations and has taken steps to address these recommendations. Since it is not feasible to protect all assets and systems against every possible threat, the Department of Homeland Security (DHS) has called for using a risk management approach to prioritize its investments, develop plans, and allocate resources in a risk-informed way that balances security and commerce.[Footnote 7] Risk management calls for a cost-effective use of resources and focuses on developing and implementing protective actions that offer the greatest mitigation of risk for any given expenditure. A risk management approach entails a continual process of managing risk through a series of actions, including setting goals and objectives, assessing risk, evaluating alternatives, selecting initiatives to undertake, and implementing and monitoring those initiatives. In 2009 DHS updated the National Infrastructure Protection Plan (NIPP), which names TSA as the primary federal agency responsible for coordinating critical infrastructure protection efforts within the transportation sector and establishes a risk management framework to guide security decisions.[Footnote 8] To respond to the threat posed by airport workers, the Explanatory Statement accompanying the DHS Appropriations Act, 2008, directed that TSA use $15 million of its appropriation to conduct a pilot program to help identify the potential costs and benefits of 100 percent worker screening and other worker screening methods.[Footnote 9] TSA worked with airport stakeholders to develop the program, and in May 2008 began to test various methods of screening workers--including 100 percent worker screening--at seven airports located throughout the nation. TSA issued a final report on the results of the pilot program in July 2009. [Footnote 10] You requested that we examine TSA's actions since 2004 to strengthen the security of commercial airport perimeters and access to secured airport areas. This report evaluates to what extent TSA has: * assessed the risk to airport security consistent with the NIPP risk management framework; * implemented protective programs to strengthen airport security, and evaluated its worker screening pilot program; and: * established a national strategy to guide airport security decision making. To conduct our review, we examined documents related to TSA's risk assessment and security activities and programs with regard to airport security, such as TSA's Civil Aviation Threat Assessment. We also reviewed documents related to TSA's airport perimeter and access controls security-related programs, such as standard operating procedures for the Aviation Direct Access Screening Program (TSA's random worker screening program), as well as relevant laws, presidential directives, and TSA management directives. We compared this information with criteria in DHS's NIPP, the Transportation Systems Sector-Specific Plan (TS-SSP),[Footnote 11] TSA's risk management methodology, and our prior work on risk management.[Footnote 12] We relied on TSA to identify its risk assessment activities for airport security, and we examined how these individual threat and vulnerability assessment activities addressed the security of airport perimeter and access controls. Because of the scope of our work, we did not assess the extent to which each of these activities met the NIPP core criteria for individual threat and vulnerability assessments; however, we examined the extent to which the various types of assessment activities TSA identified, taken together, met the NIPP criteria for completing a comprehensive risk assessment that combines threat, vulnerability, and consequence assessments. We also compared TSA's approach to securing the nation's airport perimeters and access to secured areas with guidance on security strategies and planning that we previously reported.[Footnote 13] We obtained data from TSA officials on vulnerability assessment activities and, by obtaining information on the processes used to schedule and track these activities, determined the data were sufficiently reliable for the purposes of this report. To better understand how TSA has used this information, we interviewed TSA officials responsible for risk management and security programs related to airport perimeters and access controls. We also collected TSA data on security breaches--any violations of security requirements--at commercial airports; however, TSA could not distinguish the number of breaches related only to airport perimeter and access control security from other types of breaches. By obtaining information on the processes used to collect, tabulate, and assess these data, we determined that the data were sufficiently reliable to present contextual information regarding all breaches to secured areas (including the airport perimeter). In addition, we asked TSA to identify agency-led activities and programs for strengthening airport security, as well as procedures for developing and issuing airport perimeter and access control security requirements through security directives. We then assessed and summarized the program information, operations directives, and standard operating procedures provided by TSA to determine if the agency addressed relevant statutory requirements and recommendations from our 2004 report.[Footnote 14] We also evaluated TSA's final report on its worker screening pilot program, including conclusions and limitations cited by the contractor--the Homeland Security Institute (HSI)--TSA hired to assist with the pilot's design, implementation, and evaluation.[Footnote 15] Further, we analyzed TSA and HSI's documentation of the pilot program's methodology and implementation, and compared it to criteria in standards for internal control in the federal government and our previous work on pilot program development and evaluation.[Footnote 16] At our request, TSA identified 25 security directives and emergency amendments that imposed requirements related to airport perimeter and access control security, which we examined to identify specific areas of regulation. To obtain additional information on TSA's efforts to strengthen airport security, we interviewed officials from the two industry associations that support commercial airport operators and their personnel,[Footnote 17] and conducted site visits at 9 of approximately 450 U.S. commercial airports. During these visits we toured airport facilities and interviewed federal security directors (FSD) and airport security coordinators.[Footnote 18] We selected these airports based on several factors, including airport size, category,[Footnote 19] geographical dispersion, and technological initiatives related to airport perimeter and access control security (such as infrared intrusion detection systems). In addition, we conducted interviews with officials from four airports that had voluntarily implemented or were considering implementing additional worker screening methods.[Footnote 20] While the experiences of these officials and airports cannot be generalized to all airports and security officials, they provided insight into how security efforts were chosen and developed. A more detailed discussion of our scope and methodology is contained in appendix I. We conducted this performance audit from May 2007 through September 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Airport Security Roles and Responsibilities: On February 17, 2002, pursuant to ATSA, TSA assumed responsibility for the security of the nation's civil aviation system from the Federal Aviation Administration (FAA), including FAA's existing aviation security programs, plans, regulations, orders, and directives covering airports, air carriers, and other related entities. Among other things, ATSA directs TSA to improve the security of airport perimeters and the access controls leading to secured areas, and take measures to reduce the security risks posed by airport workers. (See appendix II for more specific details on ATSA requirements and TSA's actions to address these requirements.) TSA has 158 FSDs who oversee the implementation of, and adherence to, TSA requirements at the approximately 450 commercial airports nationwide. As part of TSA's oversight role, it also conducts compliance inspections,[Footnote 21] covert testing, [Footnote 22] and vulnerability assessments to analyze and improve security. (See appendix III for information on how TSA uses compliance inspections and covert testing to identify possible airport security vulnerabilities.) In general, TSA funds its perimeter and access control security-related activities out of its annual appropriation and in accordance with direction set forth in congressional committee reports. For example, the Explanatory Statement accompanying the DHS Appropriations Act, 2008, directed that TSA allocate $15 million of its appropriation to a worker screening pilot program. TSA does not track the amount of funds spent in total for perimeter and access controls because related efforts and activities can be part of broader security programs that also serve other aspects of aviation security. In addition, airports may receive federal funding for perimeter and access control security, such as through federal grant programs or TSA pilot programs. (For more information on such airport security costs and funding, see appendix IV.) Airport operators have direct responsibility for day-to-day aviation operations, including, in general, the security of airport perimeters, access controls, and workers, as well as for implementing TSA security requirements. Airport operators implement security requirements in accordance with their TSA-approved security programs.[Footnote 23] Elements of a security program may include, among other things, procedures for performing background checks on airport workers, applicable training programs for these workers, and procedures and measures for controlling access to secured airport areas. Security programs may also be required to describe the secured areas of the airport, including a description and map detailing boundaries and pertinent features of the secured areas, and the measures used to control access to such areas.[Footnote 24] Commercial airports are generally divided into designated areas that have varying levels of security, known as secured areas, security identification display areas (SIDA), air operations areas (AOA), and sterile areas.[Footnote 25] Sterile areas, located within the terminal, are where passengers wait after screening to board departing aircraft. Access to sterile areas is controlled by TSA screeners at security checkpoints, where they conduct physical screening of passengers and their property.[Footnote 26] Airport workers may access the sterile area through the security checkpoint or through other access points secured by the airport operator in accordance with its security program. The SIDA and the AOA are not to be accessed by passengers, and typically encompass baggage loading areas, areas near terminal buildings, and other areas close to parked aircraft and airport facilities, as illustrated in figure 1. Figure 1: Commercial Airport Areas Typically Have Varying Levels of Security: [Refer to PDF for image: illustration] Commercial Airport Areas: the illustration identifies the following: Security identification display area; Air operations area (AOA); Sterile area. Source: GAO. Notes: This figure shows airport security areas designated in accordance with TSA requirements. Pursuant to 49 C.F.R. § 1542.205, each airport area defined as a secured area in a security program must be a SIDA, though other areas of the airport may also be designated as SIDAs by the airport operator. For example, some airport operators designate all AOAs as SIDAs. [End of figure] Securing access to the sterile area from other secured areas--such as the SIDA--and security within the area, is the responsibility of the airport operator, in accordance with its security program. Airport perimeter and access control security is intended to prevent unauthorized access into secured areas--either from outside the airport complex or from within the airport's sterile area. Individual airport operators determine the boundaries for each of these areas on a case- by-case basis, depending on the physical layout of the airport and in accordance with TSA requirements. As a result, some of these areas may overlap. Within these areas, airport operators are responsible for safeguarding their airfield barriers, preventing and detecting unauthorized entry into secured areas, and conducting background checks of workers with unescorted access to secured areas. Methods used by airports to control access through perimeters or into secured areas vary because of differences in the design and layout of individual airports, but all access controls must meet minimum performance standards in accordance with TSA requirements. These methods typically involve the use of one or more of the following: pedestrian and vehicle gates, keypad access codes using personal identification numbers, magnetic stripe cards and readers, turnstiles, locks and keys, and security personnel. According to TSA officials, airport security breaches occur within and around secured areas at domestic airports (see figure 2 for the number of security breaches reported by TSA from fiscal year 2004 through fiscal year 2008). While some breaches may represent dry runs by terrorists or others to test security or criminal incidents involving airport workers, most are accidental.[Footnote 27] TSA requires FSDs to report security breaches that occur both at the airports for which they are responsible and on board aircraft destined for their airports. TSA officials said that they review security breach data and report them to senior management as requested, and provide data on serious breaches to senior management on a daily basis, as applicable. Figure 2: Total Number of TSA-Reported Security Breaches from Fiscal Years 2004 through 2008: [Refer to PDF for image: vertical bar graph] Fiscal year: 2004; Number of security breaches: 1,442. Fiscal year: 2005; Number of security breaches: 2,073. Fiscal year: 2006; Number of security breaches: 2,258. Fiscal year: 2007; Number of security breaches: 2,758. Fiscal year: 2008; Number of security breaches: 2,819. Source: GAO analysis of TSA data. Notes: Because these data include security breaches that occurred within any type of secured area, including sterile areas frequented by passengers, they are not specific to perimeter and access controls and cannot be analyzed to identify trends related to breaches solely related to perimeter and access control security. At the time of our review, TSA officials told us that they were unable to identify how much of the increase in breaches could be specifically related to airport workers or to the security of airport perimeters and access controls. Finally, the data are based on total breaches and have not been adjusted to reflect potential issues that could influence how the data are interpreted, such as annual increases in passenger volume, changes in the number of commercial airports, or significant variations in the number of breaches at individual airports. [End of figure] According to a TSA official, the increase in known breaches from fiscal years 2004 through 2005 reflects a change in the requirements for reporting security breaches that TSA issued in December 2005.[Footnote 28] This change provided more specific instructions to FSDs on how to categorize different types of security incidents. Regarding increases in security breaches from fiscal years 2005 through 2008, TSA officials said that while they could not fully explain these increases, there could be several reasons to account for this growth. For example, according to TSA officials, changes in TSA management often trigger increases in specific types of breaches reported, such as since 2004, when the priorities of the new Administrator resulted in an increase in the reporting of restricted items. TSA officials also stated that a report of a security breach at a major U.S. airport is likely to cause security and law enforcement officials elsewhere to subsequently raise the overall awareness of security requirements for a period of time. In addition, TSA noted that certain inspections conducted by TSA officials tend to produce heightened awareness by federal and airport employees whose perimeter security and access control procedures are being inspected for compliance with regulations. Risk Management Approach Can Help Guide Homeland Security Efforts: Risk management is a tool for informing policymakers' decisions about assessing risks, allocating resources, and taking actions under conditions of uncertainty. We have previously reported that a risk management approach can help to prioritize and focus the programs designed to combat terrorism.[Footnote 29] Risk management, as applied in the transportation security context, can help federal decision makers determine where and how to invest limited resources within and among the various modes of transportation.[Footnote 30] In accordance with Homeland Security Presidential Directive (HSPD) 7, the Secretary of Homeland Security designated TSA as the sector-specific agency for the transportation security sector, requiring TSA to identify, prioritize, and coordinate the protection of critical infrastructure and key resources within this sector and integrate risk management strategies into its protective activities.[Footnote 31] In June 2006, in accordance with HSPD-7 and the Homeland Security Act of 2002, DHS released the NIPP, which it later updated in 2009. The NIPP developed a risk management framework for homeland security. In accordance with the NIPP, TSA developed the TS-SSP to govern its strategy for securing the transportation sector, as well as annexes for each mode of transportation, including aviation. The NIPP and TS-SSP set forth risk management principles, including a comprehensive risk assessment process for considering threat, vulnerability, and consequence assessments to determine the likelihood of terrorist attacks and the severity of the impacts. Figure 3 illustrates the interrelated activities of the NIPP's risk management framework. Figure 3: NIPP Risk Management Framework: [Refer to PDF for image: illustration] NIPP Risk Management Framework: Step 1: Set security goals; Step 2: Identify assets,systems, networks,and functions; Step 3: Assess risks (consequences, vulnerabilities, and threats); Step 4: Prioritize; Step 5: Implement protective programs; Step 6: Measure effectiveness. Sources: GAO presentation of DHS information. [End of figure] * Set security goals: Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective protective posture. * Identify assets, systems, networks, and functions: Develop an inventory of the assets, systems, and networks that constitute the nation's critical infrastructure, key resources, and critical functions. Collect information pertinent to risk management that takes into account the fundamental characteristics of each sector. * Assess risks: Determine risk by combining potential direct and indirect consequences of a terrorist attack or other hazards (including seasonal changes in consequences and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack vectors, and general or specific threat information.[Footnote 32] * Prioritize: Aggregate and analyze risk assessment results to develop a comprehensive picture of asset, system, and network risk; establish priorities based on risk; assess the mitigation of risk for each proposed activity based on a specific investment; and determine protection and business continuity initiatives that provide the greatest mitigation of risk. * Implement protective programs: To reduce or manage identified risk, select sector-appropriate protective actions or programs that offer the greatest mitigation of risk for any given resource/expenditure/ investment. Secure the resources needed to address priorities. * Measure effectiveness: Use metrics and other evaluation procedures at the national and sector levels to measure progress and assess the effectiveness of the national Critical Infrastructure and Key Resources Protection Program in improving protection, managing risk, and increasing resiliency.[Footnote 33] Within the risk management framework, the NIPP also establishes core criteria for risk assessments. According to the NIPP, risk assessments are a qualitative determination, a quantitative determination, or both of the likelihood of an adverse event occurring and are a critical element of the NIPP risk management framework. Risk assessments also help decision makers identify and evaluate potential risks so that countermeasures can be designed and implemented to prevent or mitigate the potential effects of the risks. The NIPP characterizes risk assessment as a function of three elements: * Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident. In the context of risk associated with a terrorist attack, the estimate of this is based on the analysis of the intent and the capability of an adversary; in the context of a natural disaster or accident, the likelihood is based on the probability of occurrence. * Vulnerability: The likelihood that a characteristic of, or flaw in, an asset's, system's, or network's design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation by terrorist or other to intentional acts, mechanical failures, and natural hazards. * Consequence: The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack, natural disaster, or other incident. Information from the three elements used in assessing risk--threat, vulnerability, and consequence--can lead to a risk characterization and provide input for prioritizing security goals. TSA Has Taken Steps to Assess Threats and Vulnerabilities for Airport Security, but Has Not Conducted a Comprehensive Risk Assessment to Help Identify Priorities and Allocate Resources: While TSA has taken steps to assess risk, it has not conducted a comprehensive risk assessment based on assessments of threats, vulnerabilities, and consequences. TSA officials reported that they have identified threats to airport security as part of an overall assessment of threats to the civil aviation system. While TSA has conducted vulnerability assessment activities at select airports, it has not analyzed whether the select assessments reflect the overall vulnerability of airport security nationwide. Further, TSA has not yet assessed the consequences of an attack against airport perimeter and access control security. TSA Has Taken Steps to Assess Risk, but a Comprehensive Risk Assessment Would Identify Priorities and Inform Resource Allocation: According to the NIPP, risk assessments are to be documented, reproducible (so that others can verify the results), defensible (technically sound and free of significant errors), and complete. The NIPP maintains that these qualities are necessary to risk assessments so they can be used to support national-level, comparative risk assessment, planning, and resource prioritization. For a risk assessment to be considered complete, the NIPP states that it must specifically assess threat, vulnerability, and consequence; after these three components have been assessed, they are to be combined to produce a risk estimate.[Footnote 34] According to the NIPP, comprehensive risk assessments are necessary for determining which assets or systems face the highest risk for prioritizing risk mitigation efforts and the allocation of resources and for effectively measuring how security programs reduce risks. In March 2009 we reported that a lack of information that fully depicts threats, vulnerabilities, and consequences limits an organization's ability to establish priorities and make cost-effective security measure decisions.[Footnote 35] TSA officials told us that they have not completed a comprehensive risk assessment for airport security, although they said that they have prepared and are currently reviewing a draft of a comprehensive, scenario-based air domain risk assessment (ADRA), which officials said is to serve as a comprehensive risk assessment for airport security.[Footnote 36] According to officials, the ADRA is to address all three elements of risk for domestic commercial aviation, general aviation, and air cargo.[Footnote 37] However, TSA has not released it as originally planned for in February 2008. As of May 2009 TSA officials had not provided revised dates for when the agency expects to finalize the ADRA, and they could not provide documentation to demonstrate to what extent the ADRA will address all three components of risk for airport perimeter and access control security. As a result, it is not clear whether the ADRA will provide the risk analysis needed to inform TSA's decisions and planning for airport perimeter and access control security.[Footnote 38] Standard practices in program management call for documenting the scope of the program and milestones (i.e., time frames) to ensure results are achieved.[Footnote 39] Conducting a comprehensive risk assessment for airport security and documenting milestones for its implementation would help ensure that TSA's intended actions will be implemented, and would allow TSA to more confidently ensure that its investments in airport security are risk informed and allocated toward the highest- priority risks. TSA Uses a Variety of Products to Assess Threat to Airport Security: A threat assessment is the identification and evaluation of adverse events that can harm or damage an asset.[Footnote 40] TSA uses several products to identify and assess potential threats to airport security, such as daily intelligence briefings, weekly suspicious incident reports, and situational awareness reports,[Footnote 41] all of which are available to internal and external stakeholders. TSA also issues an annual threat assessment of the U.S. civil aviation system, which includes an assessment of threats to airport perimeter and access control security. According to TSA officials, these products collectively form TSA's assessment of threats to airport perimeter and access control security. TSA's 2008 Civil Aviation Threat Assessment cites four potential threats related to perimeter and access control security, one of which is the threat from insiders--airport workers with authorized access to secured areas.[Footnote 42] The 2008 assessment characterized the insider threat as "one of the greatest threats to aviation,"[Footnote 43] which TSA officials explained is meant to reflect the opportunity insiders have to do damage, as well as the vulnerability of commercial airports to an insider attack, which these officials stated as being very high.[Footnote 44] As of May 2009, TSA had no knowledge of a specific plot by terrorists or others to breach the security of any domestic commercial airport. However, TSA has also noted that airports are seen as more accessible targets than aircraft, and that airport perimeters may become more desirable targets as terrorists look for new ways to circumvent aviation security. Intelligence is necessary to inform threat assessments. As we reported in March 2009,[Footnote 45] TSA has not clarified the levels of uncertainty--or varying levels of confidence--associated with the intelligence information it has used to identify threats to the transportation sector and guide its planning and investment decisions. Both Congress and the administration have recognized uncertainty inherent in intelligence analysis, and have required analytic products within the intelligence community to properly caveat and express uncertainties or confidence in resulting conclusions or judgments. [Footnote 46] As a result, the intelligence community and the Department of Defense have adopted this practice in reporting threat intelligence. Since TSA does not assign confidence levels to its analytic judgments, it is difficult for TSA to correctly prioritize its tactics and investments based on uncertain intelligence. In March 2009 we recommended that TSA work with the Director of National Intelligence to determine the best approach for assigning uncertainty or confidence levels to analytic intelligence products and apply this approach. [Footnote 47] TSA agreed with this recommendation and said that it has begun taking action to address it. Additional Analysis Could Help Inform TSA's Assessment Activities for Airport Security Vulnerabilities: Analyzing the Extent to Which Joint Vulnerability Assessments Provide an Assessment of Nationwide Vulnerabilities Could Strengthen TSA's Ability to Mitigate Risk: The NIPP requires that a risk assessment include a comprehensive assessment of vulnerabilities in assets or systems, such as a physical design feature or type of location, that make them susceptible to a terrorist attack.[Footnote 48] As we reported in June 2004,[Footnote 49] these assessments are intended to facilitate airport operators' efforts to comprehensively identify and effectively address perimeter and access control security weaknesses. TSA officials told us that their primary measures for assessing the vulnerability of commercial airports to attack are the collective results of joint vulnerability assessments (JVA) and professional judgment. TSA officials said that the agency plans to expand the number of JVAs conducted in the future but, as of May 2009, did not have a plan for doing so. According to TSA officials, JVAs are assessments that teams of TSA special agents and other officials conduct jointly with the Federal Bureau of Investigation (FBI) and, as required by law, are generally conducted every 3 years for airports identified as high risk.[Footnote 50] In response to our 2004 recommendation that TSA establish a schedule and analytical approach for completing vulnerability assessments for evaluating airport security, TSA developed criteria to select and prioritize airports as high-risk for assessment.[Footnote 51] TSA officials stated that in addition to assessing airports identified as high risk, the agency has also assessed the vulnerability of other airports at the request of FSDs. According to TSA's TS-SSP, after focusing initially on airports deemed high risk, JVAs are to be conducted at all commercial airports. TSA officials stated that JVA teams assess all aspects of airport security and operations, including fuel, cargo, catering, general aviation, terminal area and law enforcement operations, and the controls that limit access to secured areas and the integrity of the airport perimeter. However, officials emphasized that a JVA is not intended to be a review of an airport's compliance with security requirements and teams do not impose penalties for noncompliance. From fiscal years 2004 through 2008, TSA conducted 67 JVAs at a total of 57 airports[Footnote 52]--about 13 percent of the approximately 450 commercial airports nationwide. In 2007 TSA officials conducted a preliminary analysis of the results of JVAs conducted at 23 domestic airports during fiscal years 2004 and 2005, and found 6 areas in which 20 percent or more of the airports assessed were identified as vulnerable. Specific vulnerabilities included the absence of blast resistant glass in terminal windows, lack of bollards/barriers in front of terminals, lack of blast resistant trash receptacles, and insufficient electronic surveillance of perimeter lines and access points. As of May 2009 TSA officials said that the agency had not finalized this analysis and, as of that date, did not have plans to do so. TSA officials also told us that they have shared the results of JVA reports with TSA's Office of Security Technology to prioritize the distribution of relevant technology to those airports with vulnerabilities that these technologies could strengthen. TSA characterizes U.S. airports as a system of interdependent hubs and links (spokes) in which the security of all is affected or disrupted by the security of the weakest one. The interdependent nature of the system necessitates that TSA protect the overall system as well as individual assets.[Footnote 53] TSA maintains that such a "systems- based approach" allows it to focus resources on reducing risks across the entire system while maintaining cost-effectiveness and efficiency. TSA officials could not explain to what extent the collective JVAs of specific airports constitute a reasonable systems-based assessment of vulnerability across airports nationwide or whether the agency has considered assessing vulnerabilities across all airports. Although TSA has conducted JVAs at each category of airport, 58 of the 67 were at the largest airports.[Footnote 54] According to TSA data, 87 percent of commercial airports--most of the smaller Category II, III, and IV airports--have not received a JVA.[Footnote 55] TSA officials said that because they have not conducted JVAs for these airports, they do not know how vulnerable they are to an intentional security breach. In 2004 we reported that TSA intended to compile baseline data on airport security vulnerabilities to enable it to conduct a systematic analysis of airport security vulnerabilities nationwide.[Footnote 56] At that time TSA officials told us that such analysis was essential since it would allow the agency to determine the adequacy of security policies and help TSA and airport operators better direct limited resources. According to TSA officials, conducting JVAs at all airports would allow them to compile national baseline data on perimeter and access control security vulnerabilities. As of May 2009, however, TSA officials had not yet completed a nationwide vulnerability assessment, evaluated whether the current approach to JVAs would provide the desired systems- based approach to assessing airport security vulnerabilities, or explained why a nationwide assessment or evaluation has not been conducted. In subsequent discussions, TSA officials told us that based on our review they intend to increase the number of JVAs conducted at airports that are not categorized as high risk--primarily Category II, III, and IV airports. According to officials, the resulting data are to assist TSA in prioritizing the allocation of limited resources. However, TSA officials could not tell us how many additional airports they plan to assess in total or within each category, the analytical approach and time frames for conducting these assessments, and to what extent these additional assessments, in combination with past JVAs, will constitute a reasonable systems-based assessment of vulnerability across airports nationwide. Standard practices for program management call for establishing a management plan and milestones to meet stated objectives and achieve results.[Footnote 57] It is also unclear to what extent the ADRA, when it is completed, will represent a systems-based vulnerability assessment, an assessment of airports nationwide, or both. Given that TSA officials believe that the vulnerability of airports to an insider attack is very high and the security of airports is interconnected, this vulnerability would extend throughout the nationwide system of airports. Evaluating the extent to which the agency's current approach assesses systems-based vulnerabilities, including the vulnerabilities of smaller airports, would better position TSA to provide reasonable assurance that it is identifying and addressing the areas of greatest vulnerability and the spectrum of vulnerability across the entire airport system. Further, should TSA decide to conduct a nationwide assessment of airport vulnerability, developing a plan that includes milestones for completing the assessment would help TSA ensure that it takes the necessary actions to accomplish desired objectives within reasonable time frames. TSA Could Strengthen Its Understanding of Risks by Considering Vulnerability Assessment Activities Conducted by Airport Operators: According to the NIPP, DHS and lead security agencies, such as TSA, are to seek to use information from the risk assessments of security partners, whenever possible, to contribute to an understanding of sector and national risks. Moreover, the NIPP states that DHS and lead agencies are to work together to assist security partners in providing vulnerability assessment tools that may be used as part of self- assessment processes, and provide recommendations regarding the frequency of assessments, particularly in light of emergent threats. According to the NIPP, stakeholder vulnerability assessments may serve as a basis for developing common vulnerability reports that can help identify strategic needs and more fully investigate interdependencies. However, TSA officials could not explain to what extent they make use of relevant vulnerability assessments conducted independently by airport operators to contribute to the agency's understanding of airport security risks, or have worked with security partners to help ensure that tools are available for airports to conduct self-assessment processes of vulnerability. Officials from two prominent airport industry associations estimated that the majority of airports, particularly larger airports, have conducted vulnerability assessments, although they could not give us a specific number. In addition, officials from 8 of the 10 airports whom we interviewed on this issue told us that their airports had conducted vulnerability assessment activities.[Footnote 58] Some of these analyses could be useful to TSA in conducting a systematic analysis of airport security vulnerabilities nationwide. By taking advantage, to the extent possible, of existing vulnerability assessment activities conducted by airport operators, TSA could enrich its understanding of airport security vulnerabilities and therefore better inform federal actions for reducing airport vulnerabilities. TSA Has Not Conducted a Consequence Assessment for Airport Security: According to TSA officials, the agency has not assessed the consequences of a successful attack against airport perimeters or a breach to secured areas within airports, even though the NIPP asserts that the potential consequence of an incident is the first factor to be considered in developing a risk assessment. According to the NIPP, risk assessments should include consequence assessments that evaluate negative effects to public health and safety, the economy, public confidence in national economic and political institutions, and the functioning of government that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack. Although TSA officials agree that a consequence assessment for airport security is needed, and have stated that the ADRA is intended to provide a comprehensive consequence assessment based on risk scenarios, the agency has not provided additional details as to what the assessment will include, the extent to which it will assess consequence for airport security, or when it will be completed. Standard management practices call for documenting milestones (i.e., time frames) to ensure that results are achieved.[Footnote 59] TSA officials have agreed that a consequence assessment for airport perimeter and access controls security is an important element in assessing risk to airport security. In addition, TSA officials commented that although the immediate consequences of a breach of airport security would likely be limited, such an event could be the first step in a more significant attack against an airport terminal or aircraft, or an attempt to use an aircraft as a weapon. Conducting a consequence assessment could help TSA in developing a comprehensive risk assessment and increase its assurance that the resulting steps it takes to strengthen airport security will more effectively reduce risk and mitigate the consequences of an attack on individual airports and the aviation system as a whole. TSA Has Taken a Variety of Protective Actions to Strengthen Airport Security, but Did Not Follow Accepted Practices in Developing Its Worker Screening Pilot Program; Additionally, Issues Remain regarding Worker Security, Technology, and Other Initiatives: TSA has implemented a variety of programs and protective actions to strengthen airport security, from additional worker screening to assessing different technologies. For example, consistent with the Explanatory Statement, TSA piloted several methods to screen workers accessing secured areas, but clear conclusions could not be drawn because of significant design limitations, and TSA did not develop or document an evaluation plan to guide design and implementation of the pilot. Further, while TSA has strengthened other worker security programs, assessed various technologies, and added to programs aimed at improving general airport security, certain issues, such as whether security technologies meet airport needs, have not been fully resolved. TSA Has Taken a Variety of Protective Actions to Improve and Strengthen the Security of Commercial Airports since 2004: TSA has taken a variety of protective actions to improve and strengthen the security of commercial airports through the development of new programs or by enhancing existing efforts. Since we last reported on airport perimeter and access control security in June 2004,[Footnote 60] TSA has implemented efforts to strengthen worker screening and security programs, improve access control technology, and enhance general airport security by providing an additional security presence at airports. According to TSA, each of its security actions--or layers- -is capable of stopping a terrorist attack, but when used in combination (what TSA calls a layered approach), a much stronger system results.[Footnote 61] To better address the risks posed by airport workers, TSA, in accordance with the Explanatory Statement accompanying the DHS Appropriations Act, 2008, initiated a worker screening pilot program to assess various types of screening methods for airport workers.[Footnote 62] TSA also implemented a random worker screening program and is currently working to apply its screening procedures consistently across airports. In addition, TSA has expanded its requirements for conducting worker background checks. TSA has also taken steps, such as implementing two pilot programs, to identify and assess technologies to strengthen the security of airport perimeters and access controls to secured areas. Further, TSA has taken steps to strengthen general airport security processes. For example, TSA has developed a program in which teams of TSA officials, law enforcement officers, and airport officials temporarily augment airport security through various actions such as randomly inspecting workers, property, and vehicles and patrolling secured areas. Table 1 lists the actions TSA has taken since 2004 to strengthen airport security.[Footnote 63] Table 1: Protective Actions TSA Has Taken since 2004 to Strengthen Airport Security: Type of security: Worker screening pilot test; TSA program/action: Pilot program; Description: From May to July 2008, TSA implemented a worker screening pilot program at seven airports that was designed to assess various methods for screening airport workers before they enter secured areas. Three airports tested 100 percent worker screening, and four airports tested a variety of enhanced screening methods, such as random targeted physical inspections. Type of security: Worker security programs; TSA program/action: Aviation Direct Access Screening Program (ADASP); Description: Implemented in March 2007, ADASP is an airport worker screening program that is used to enforce access procedures, such as ensuring workers display appropriate credentials and do not possess unauthorized items when entering secure areas. Conducted on an unpredictable basis, ADASP varies in duration and can include temporary worker screening checkpoints, vehicle screening checkpoints, or both. Type of security: Worker security programs; TSA program/action: Worker background checks; Description: TSA has expanded requirements for background checks and the population of individuals who are subject to these checks; * In July 2004 TSA expanded security threat assessments (STA), which are name-based background checks, to require applicants who would be working in a SIDA or sterile area to submit biographical information, such as date of birth. In 2005 TSA began to require that STAs include a citizenship check. TSA subsequently required STAs for all workers seeking or holding airport-issued identification badges or credentials; * In July 2004 TSA enhanced criminal history records checks (CHRC), which are fingerprint-based background checks, for individuals working in a SIDA or sterile area by requiring applicants seeking unescorted access authority to successfully complete a CHRC. In June 2009, among other things, TSA required airports to renew all airport-identification media every 2 years and to require workers to resubmit biographical information in the event of certain changes. Type of security: Security technology; TSA program/action: Biometric access control initiatives; Description: TSA has taken steps to respond to statutory requirements related to biometric worker credentialing; * TSA has assisted the aviation industry and a federal aviation advisory committee in developing security standards for biometric access controls; * TSA is in the early stages of developing the Aviation Credential Interoperability Solution program, a standardized credentialing system. Airports will use biometrics to verify the identities of workers and confirm their access privileges before granting them entry to secured areas. Type of security: Security technology; TSA program/action: Technology pilot programs; Description: TSA has established two statutorily directed pilot programs to assess airport security technology: * In 2004 TSA initiated the Airport Access Control Pilot Program to test, assess, and provide information on new and emerging technologies. TSA issued a final report on the pilots in December 2006, but officials said that a second round of pilots would be needed for program evaluation; * In 2006 TSA initiated the Airport Perimeter Security pilot project to identify and mitigate existing perimeter security vulnerabilities using commercially available technology. This project was scheduled to conclude in December 2007, and five of the six pilots have been completed. Type of security: General airport security; TSA program/action: Security directive requirements; Description: TSA uses security directives to impose requirements for strengthening airport security. Since 2004, requirements implemented through security directives were expanded in the area of airport perimeter and access control security. TSA may decide to impose security directive requirements on airport operators through security directives if it determines that such security measures are needed to respond to general or specific threats against the civil aviation system.[A] Type of security: General airport security; TSA program/action: Visible Intermodal Prevention and Response (VIPR) program; Description: Established in December 2005, VIPR uses teams of TSA officials--such as transportation security inspectors, behavior detection officers, bomb appraisal officers, canine handlers, and federal air marshals--and local law enforcement and airport officials to temporarily augment security. VIPR teams perform various functions, including randomly inspecting workers, property, and vehicles, as well as patrolling secure areas across all modes of transportation, including the aviation sector. Type of security: General airport security; TSA program/action: Screening of Passengers by Observation Techniques (SPOT) program; Description: Piloted in 2004 and incrementally expanded as a nationwide program starting in October 2006, SPOT is a screening program in which behavior detection officers use behavior observation and analysis techniques to identify individuals who could pose a security threat. Type of security: General airport security; TSA program/action: Law Enforcement Officer Reimbursement Program[B]; Description: Initiated in April 2002, the Law Enforcement Officer Reimbursement Program was established to provide partial reimbursement for law enforcement presence in support of the passenger screening checkpoint. In June 2003 the program was expanded so officers may also patrol the perimeter, be stationed at access points to assist with worker and passenger screening, or both. Source: GAO analysis of TSA actions. [A] Pursuant to 49 C.F.R. part 1542.303, TSA may issue a security directive setting forth requirements when it determines that additional security measures are necessary to respond to a threat assessment or a specific threat against civil aviation. Each airport operator must comply with an applicable security directive within the time prescribed by the security directive. [B] Pursuant to 49 U.S.C. § 44903(c) and 49 C.F.R. § 1542.215, a commercial airport must maintain a law enforcement presence and capability at the airport in the number and manner adequate to support its security program and other security functions at the airport. According to TSA officials, as part of the Law Enforcement Officer Reimbursement Program, a reimbursable cooperative agreement is negotiated between TSA and the respective airport operator to reimburse the operator for funds expended on law enforcement efforts per the terms of the cooperative agreement. See 49 C.F.R. § 1542.219. [End of table] TSA Has Pilot Tested Various Worker Screening Methods, but Significant Program Limitations and Lack of a Sound Evaluation Plan May Limit the Usefulness of the Results: From May through July 2008 TSA piloted a program to screen 100 percent of workers at three airports and to test a variety of enhanced screening methods at four other airports.[Footnote 64] (See appendix V for more detailed information on the pilot program, including locations and types of screening methods used.) According to TSA, the objective of the pilot was to compare 100 percent worker screening and enhanced random worker screening based on (1) screening effectiveness, (2) impact on airport operations, and (3) cost considerations. TSA officials hired a contractor--HSI, a federally funded research and development center--to assist with the design, implementation, and evaluation of the data collected.[Footnote 65] In July 2009 TSA released a report on the results of the pilot program, which included HSI's findings.[Footnote 66] HSI concluded that random screening is a more cost-effective approach because it appears "roughly" as effective in identifying contraband items--or items of interest--at less cost than 100 percent worker screening. However, HSI also emphasized that the pilot program "was not a robust experiment" because of limitations in the design and evaluation, such as the limited number of participating airports, which led HSI to identify uncertainties in the results. Given the significance of these limitations, we believe that it is unclear whether random worker screening is more or less cost- effective than 100 percent worker screening. Specifically, HSI identified what we believe to be significant limitations related to the design of the pilot program and the estimation of costs and operational effects. Limitations related to program design include (1) a limited number of participating airports, (2) the short duration of screening operations (generally 90 days), (3) the variety of screening techniques applied, (4) the lack of a baseline, and (5) limited evaluation of enhanced methods.[Footnote 67] For example, HSI noted that while two of the seven pilot airports performed complete 100 percent worker screening, neither was a Category X airport; a third airport--a Category X--performed 100 percent screening at certain locations for limited durations.[Footnote 68] HSI also reported that the other four pilot airports used a range of tools and screening techniques--magnetometers,[Footnote 69] handheld metal detectors, pat-downs--which reduced its ability to assess in great detail any one screening process common to all the pilot airports. In addition, HSI cited issues regarding the use of baseline data for comparison of screening methods. HSI attempted to use previous Aviation Direct Access Screening Program (ADASP) screening data for comparison, but these data were not always comparable in terms of how the screening was conducted. In addition, HSI identified a significant limitation in generalizing pilot program results across airports nationwide, given the limited number and diversity of the pilot airports. HSI noted that because these airports were chosen based on geographic diversity and size, other unique airport factors that might affect worker screening operations--such as workforce size and the number and location of access points--may not have been considered. HSI also recognized what we believe to be significant limitations in the development of estimates of the costs and operational effects of implementing 100 percent worker screening and random worker screening nationwide.[Footnote 70] HSI's characterization of its cost estimates as "rough order of magnitude"--or imprecise--underscores the challenge of estimating costs for the entire airport system in the absence of detailed data on individual airports nationwide and in light of the limited amount of information gleaned from the pilot on operational effects and other costs. HSI noted that the cost estimates do not include costs associated with operational effects, such as longer wait times for workers, and potentially costly infrastructure modifications, such as construction of roads and shelters to accommodate vehicle screening. HSI developed high-and low-cost estimates based on current and optimal numbers of airport access points and the amount of resources (personnel, space, and equipment) needed to conduct 100 percent and random worker screening. According to these estimates, the direct cost--including personnel, equipment, and other operation needs-- of implementing 100 percent worker screening would range from $5.7 billion to $14.9 billion for the first year, while the direct costs of implementing enhanced random worker screening would range from $1.8 billion to $6.6 billion. HSI noted that the random worker screening methods applied in the worker screening pilot program were a "significant step" beyond TSA's ongoing worker screening program--ADASP--which the agency characterizes as a "random" worker screening program. For the four pilot airports that applied random screening methods, TSA and airport associations agreed to screen a targeted 20 percent of workers who entered secured areas each day.[Footnote 71] TSA officials also told us that this 20 percent threshold was significantly higher than that applied through ADASP, although officials said that they do not track the percentage of screening events processed through ADASP. TSA officials told us that they do not have sufficient resources to track this information. In addition to the limitations recognized by HSI, TSA and HSI did not document key aspects of the design and implementation of the pilot program. For example, while they did develop and document a data collection plan that outlined the data requirements, sources, and collection methods to be followed by the seven pilot airports in order to evaluate the program's costs, benefits, and impacts, they did not document a plan for how such data would be analyzed to formulate results. Standards for Internal Control for the Federal Government states that significant events are to be clearly documented and the documentation should be readily available for examination to inform management decisions.[Footnote 72] In addition, in November 2008, based in part on our guide for designing evaluations,[Footnote 73] we reported that pilot programs can more effectively inform future program rollout when an evaluation plan is developed to guide consistent implementation of the pilot and analysis of the results.[Footnote 74] At minimum, a well-developed, sound evaluation plan contains several key elements, including measurable objectives, standards for pilot performance, a clearly articulated methodology, detailed data collection methods, and a detailed data analysis plan.[Footnote 75] Incorporating these elements can help ensure that the implementation of a pilot generates performance information needed to make effective management decisions. While TSA and HSI completed a data collection plan, and generally defined specific measurable objectives for the pilot program, they did not address other key elements that collectively could have strengthened the effectiveness of the pilot program and the usefulness of the results: * Performance standards. TSA and HSI did not develop and document criteria or standards for determining pilot program performance, which are necessary for determining to what extent the pilot program is effective. * Clearly articulated evaluation methodology. TSA and HSI did not fully articulate and document the methodology for evaluating the pilot program. Such a methodology is to include plans for sound sampling methods, appropriate sample sizes, and comparing the pilot results with ongoing efforts. TSA and HSI documented relevant elements, such as certain sampling methods and sample sizes, in both its overall data collection plan for the program and in individual pilot operations plans for each airport implementing the pilot. However, while officials stated that the seven airports were selected to obtain a range of physical size, worker volume, and geographical dispersion information, they did not document the criteria they used in this process, and could not explain the rationale used to decide which screening methods would be piloted by the individual airports. Because the seven airports tested different screening methods, there were differences in the design of the individual pilots as well as in the type and frequency of the data collected. While design differences are to be expected given that the pilot program was testing disparate screening methods, there were discrepancies in the plans that limited HSI's ability to compare methods across sites. For example, those airports that tested enhanced screening methods--as opposed to 100 percent worker screening--used different rationales to determine how many inspections would be conducted each day. TSA officials said that this issue and other discrepancies and points of confusion were addressed through oral briefings with the pilot airports, but said that they did not provide additional written instructions to the airports responsible for conducting the pilots. TSA and HSI officials also did not document how they would address deviations from the piloted methods, such as workers who avoided the piloted screening by accessing alternative entry points, or suspension of the pilot because of excessive wait times for workers or passengers (some workers were screened through passenger screening checkpoints). Further, TSA and HSI officials did not develop and document a plan for comparing the results of the piloted worker screening methods with TSA's ongoing random worker screening program to determine whether the piloted methods had a greater impact on reducing insider risk than ongoing screening efforts. * Detailed data analysis. Although the agreement between TSA and HSI also called for the development of a data analysis plan, neither HSI nor TSA developed an analysis plan to describe how the collected data would be used to track the program's performance and evaluate the effectiveness of the piloted screening methods, including 100 percent worker screening. For example, HSI used the number of confiscated items as a means of comparing the relative effectiveness of each screening method.[Footnote 76] However, HSI reported that the number of items confiscated during pilot operations was "very low" at most pilot airports, and some did not detect any.[Footnote 77] Based on these data, HSI concluded that random worker screening appeared to be "roughly" as effective in identifying confiscated items as 100 percent worker screening. However, it is possible that there were few or no contraband items to detect, as workers at the pilot airports were warned in advance when the piloted screening methods would be in effect and disclosure signs were posted at access points.[Footnote 78] As a result, comparing the very low rate--and in some cases, nonexistence-- of confiscated items across pilots, coupled with the short assessment period, may not fully indicate the effectiveness of different screening methods at different airports. If a data analysis plan had been developed during pilot design, it could have been used to explain how such data would be analyzed, including how HSI's analysis of the pilots' effectiveness accounted for the low confiscation rates. Because of the significance of the pilot program limitations reported by HSI, as well as the lack of documentation and detailed information regarding the evaluation of the program, the reliability of the resulting data and any subsequent conclusions about the potential impacts, costs, benefits, and effectiveness of 100 percent worker screening and other screening methods cannot be verified. For these reasons, it would not be prudent to base major policy decisions regarding worker screening solely on the results of the pilot program. HSI reported that the wide variation--such as size, traffic flow, and design--of U.S. commercial airports makes it difficult to generalize the seven pilot results to all commercial airports. While we agree it is difficult to generalize the results of such a small sample to an entire population, a well-documented and sound evaluation plan could have helped ensure that the pilot program generated the data and performance information needed to draw reasonable conclusions about the effectiveness of 100 percent worker screening and other methods to inform nationwide implementation. Incorporating these elements into an evaluation plan when designing future pilots could help ensure that TSA's pilots generate the necessary data for making management decisions and that TSA can demonstrate that the results are reliable. TSA Has Taken Steps to Strengthen Worker Security Programs, but Issues Remain: Aviation Direct Access Screening Program: According to TSA officials, FSDs and others in the aviation community have long recognized the potential for insiders to do harm from within an airport.[Footnote 79] TSA officials said that they developed ADASP-- a random worker screening program--to counteract the potential vulnerability of airports to an insider attack. According to TSA officials, ADASP serves as an additional layer of security and as a deterrent to workers who seek to smuggle drugs or weapons or to do harm. According to senior TSA officials, FSDs decide when and how to implement ADASP, including the random screening of passengers at the boarding gate or workers at SIDA access points to the sterile area. [Footnote 80] TSA officials said that ADASP was initially developed as a pilot project at one airport in March 2005 to deter workers from breaching access controls and procedures for secured areas at that particular airport.[Footnote 81] According to officials, after concluding that the pilot was successful in deterring airport workers from bringing restricted items into secured areas, TSA began implementing ADASP on a nationwide voluntary basis in August 2006 using existing resources. In March 2007, in response to several incidents of insider criminal activity, TSA directed that ADASP be conducted at all commercial airports nationwide. For example, on March 5, 2007, two airline employees smuggled 14 firearms and 8 pounds of marijuana on board a commercial airplane at Orlando International Airport (based on information received through an anonymous tip, the contraband was confiscated when the plane landed in San Juan, Puerto Rico). In its October 2008 report, the DHS Office of the Inspector General (OIG) found that ADASP was being implemented in a manner that allowed workers to avoid being screened, and that the program had been applied inconsistently across airports.[Footnote 82] For example, at most of the seven airports the DHS OIG visited, ADASP screening stations were set up in front of worker access points, which allowed workers to identify that ADASP was being implemented and potentially choose another entry and avoid being screened. However, at another airport, the screening location was set up behind the access point, which prevented workers from avoiding being screened. ADASP standard operating procedures allow ADASP screening locations to be set up in front of or behind direct access points as long as there is signage alerting workers that ADASP screening is taking place. However, the DHS OIG found that the location of the screening stations--either in front of or behind direct access points--affected whether posted signs were visible to workers. The DHS OIG recommended that TSA apply consistent ADASP policies and procedures at all airports, and establish an ADASP working group to consider policy and procedure changes based on an accumulation of best practices across the country. TSA agreed with the DHS OIG's recommendations, and officials stated that they have begun to take action to address them. Expanded Worker Background Checks: Since April 2004, and in response to our prior recommendation,[Footnote 83] TSA has taken steps to enhance airport worker background checks. TSA background checks are composed of security threat assessments (STA), which are name-based records checks against various terrorist watch lists, and criminal history record checks (CHRC), which are fingerprint-based criminal records checks. TSA requires airport workers to undergo both STAs and CHRCs before being granted unescorted access to secured areas in which they perform their duties.[Footnote 84] In July 2004 TSA expanded STA requirements by requiring workers in certain secured areas to submit current biographical information, such as date of birth. TSA further augmented STAs in 2005 to include a citizenship check to identify individuals who may be subject to coercion because of their immigration status or who may otherwise pose a threat to transportation security. In 2007 TSA expanded STA requirements beyond workers with sterile area or SIDA access to apply to all individuals seeking or holding airport-issued identification badges or credentials. Finally, in June 2009 TSA began requiring airport operators to renew all airport identification media every 2 years, deactivate expired media and require workers to resubmit biographical information in the event of certain changes, and expand the STA requirement to include individuals with unescorted access to the AOA, among other things. TSA has taken steps to strengthen its background check requirements and is considering additional actions to address certain statutory requirements and issues that we identified in 2004.[Footnote 85] For example, TSA is considering revising its regulation listing the offenses that if a conviction occurred within 10 years of applying for this access, would disqualify a person from receiving unescorted access to secured areas. TSA officials told us that TSA and industry stakeholders are considering whether some disqualifying offenses may warrant a lifelong ban.[Footnote 86] In addition, while TSA has not yet specifically addressed a statutory provision requiring TSA to require, by regulation, that individuals with regularly escorted access to secured airport areas undergo background checks,[Footnote 87] TSA officials told us that they believe the agency's existing measures address the potential risk presented by such workers. They also said that it would be challenging to identify the population of workers who require regularly escorted access because such individuals--for example, construction workers--enter airports on an infrequent and unpredictable basis. TSA Has Taken Steps to Improve Security Technology, but the Extent to Which TSA Has Addressed Airport Technology Needs Is Unclear: Biometric Access Control Initiatives: Since 2004, TSA has taken some steps to develop biometric worker credentialing;[Footnote 88] however, it is unclear to what extent TSA plans to address statutory requirements regarding biometric technology, such as developing or requiring biometric access controls at commercial airports in consultation with industry stakeholders.[Footnote 89] For instance, in October 2008 the DHS OIG reported that TSA planned to mandate phased-in biometric upgrades for all airport access control systems to meet certain specifications.[Footnote 90] However, as of May 2009, according to TSA officials, the agency had not made a final decision on whether to require airports to implement biometric access controls, but it intends to pursue a combination of rule making and other measures to encourage airports to voluntarily implement biometric credentials and control systems.[Footnote 91] While TSA officials said that the agency issued a security directive in December 2008 that encourages airports to implement biometric access control systems that are aligned with existing federal identification standards,[Footnote 92] TSA officials also reported the need to ensure that airports incorporate up-to-date standards. These officials also said that TSA is considering establishing minimum requirements to ensure consistency in data collection, card information configuration, and biometric information. Airport operators and industry association officials have called for a consensus-based approach to developing biometric technology standards for airports, and have stressed the need for standards that allow for flexibility and consider the significant investment some airports have already made in biometric technology. Airport operators have also expressed a reluctance to move forward with individual biometric projects because of concerns that their enhancements will not conform to future federal standards. Although TSA has not decided whether it will mandate biometric credentials and access controls at airports, it has taken steps to assess and develop such technology in response to stakeholder concerns and statutory requirements. For example, TSA officials said the agency has assisted the aviation industry and RTCA, Inc., a federal aviation advisory committee, in developing recommended security standards for biometric access controls, which officials said provide guidelines for acquiring, designing, and implementing access control systems.[Footnote 93] TSA officials also noted that the agency has cooperated with the Biometric Airport Security Identification Consortium, or BASIC--a working group of airport operators and aviation association representatives--which has developed guidance on key principles that it believes should be part of any future biometric credential and access control system. In addition, TSA is in the early stages of developing the Aviation Credential Interoperability Solution (ACIS) program. [Footnote 94] ACIS is conceived as a credentialing system in which airports use biometrics to verify the identities and privileges of workers who have airport-or air carrier-issued identification badges before granting them entry to secured areas. According to TSA, ACIS would provide a trusted biometric credential based on smart card technology (about the size of a credit card, using circuit chips to store and process data) and specific industry standards, and establish standard airport processes for enrollment, card issuance, vetting, and the management of credentials. Although these processes would be standardized nationwide, airports would still be individually responsible for determining access authority. According to TSA officials, the agency is seeking to build ACIS on much of the airports' existing infrastructure and systems and has asked industry stakeholders for input on key considerations, including the population of workers who would receive the credential, program policies, process, technology considerations, operational impacts, and concerns regarding ACIS. However, as of May 2009, TSA officials could not explain the status of ACIS or provide additional information on the possible implementation of the program since the agency released the specifications for industry comment in April 2008. As a result, it is unclear when and how the agency plans to address the requirements of the Intelligence Reform and Terrorism Prevention Act, including establishing minimum standards for biometric systems and determining the best way to incorporate these decisions into airports' existing practices and systems. As of May 2009 TSA officials had not provided any further information, such as scheduled milestones, on TSA's plans to implement biometric technology at airports. Standard practices in program management suggest that developing scheduled milestones can help define the scope of the project, achieve key deliverables, and communicate with key stakeholders.[Footnote 95] In addition, until TSA communicates its decision on whether it plans to mandate--such as through a rule making-- or collaboratively implement biometric access controls at airports, and what approach is best--be it ACIS or another system--operators may be hesitant to upgrade airport security in this area. As we reported in 2004, airport operators do not want to run the risk of installing costly technology that may not comply with future TSA requirements and standards.[Footnote 96] Developing milestones for implementing a biometric system could help ensure that TSA addresses statutory requirements. In addition, such milestones will provide airports and the aviation industry with the scheduling information needed to plan future security improvements and expenditures. Technology Pilot Programs: In addition to biometric technology efforts, TSA has also initiated efforts to assess other airport perimeter and access control technology. Pursuant to ATSA, TSA established two pilot programs to assess perimeter and access control security technology, the Airport Access Control Pilot Program (AACPP) in 2004 and the Airport Perimeter Security (APS) pilot program in 2006.[Footnote 97] AACPP piloted various new and emerging airport security technologies, including biometrics. TSA issued the final report on AACPP in December 2006, but did not recommend any of the piloted technologies for full-scale implementation. TSA officials said that a second round of pilot projects would be necessary to allow time for project evaluation and limited deployments, but as of May 2009 TSA officials said that details for this second round were still being finalized. The purpose of the APS pilot, according to TSA officials, is to identify and mitigate existing airport perimeter security vulnerabilities using commercially available technology.[Footnote 98] APS was originally scheduled to be completed in December 2007, but according to TSA officials, though five of the six pilot projects have been completed, the remaining pilot has been delayed because of problems with the acquisition process. According to TSA officials, the final pilot project is to be completed by October 2009. TSA officials told us that the agency has also taken steps to provide some technical and financial support to small-and medium-sized airports through AACPP and the APS pilot program, as both tested technologies that could be suitable for airports of these sizes. TSA officials also stated that smaller airports could potentially benefit from the agency's efforts to test the Virtual Perimeter Monitoring System, which was developed by the U.S. Navy and is being installed and evaluated at four small airports. Further, officials noted that TSA has also provided significant funding to support cooperative agreements for the deployment of law enforcement officers at airports--including Category II, III, and IV airports--to help defray security costs. However, according to TSA officials, as of May 2009 TSA had not yet developed a plan, or a time frame for developing a plan, to provide technical information and funding to small-and medium-sized airports, as required by ATSA.[Footnote 99] According to TSA officials, funds had not been appropriated or specifically directed to develop such a plan, and TSA's resources and management attention have been focused on other statutory requirements for which it has more direct responsibility and deadlines, including passenger and baggage screening requirements. (For a summary of TSA actions to address certain statutory requirements for airport security technology, see appendix II.) TSA Has Taken Action to Improve General Airport Security, but Concerns Exist regarding Implementation of Security Requirements Established by Security Directives: TSA has taken actions to improve general airport security by establishing programs and requirements. For example, TSA has augmented access control screening and general airport security by increasing the presence of transportation security officers and law enforcement officials through the Screening of Passengers by Observation Techniques (SPOT) program and the Law Enforcement Officer Reimbursement Program. In addition, it uses the Visible Intermodal Prevention and Response (VIPR) program, which is used across the transportation sector, to augment airport security efforts. (For more information on these TSA programs, see appendix VI.) TSA uses a variety of regulatory mechanisms for imposing requirements within the transportation sector. In the aviation environment, TSA uses the security directive as one of its regulatory tools for imposing requirements to strengthen the security of civil aviation, including security at the nation's commercial airports.[Footnote 100] Pursuant to TSA regulation, the agency may decide to use security directives to impose requirements on airport operators if, for example, it determines that additional security measures are needed to respond to general or specific threats against the civil aviation system.[Footnote 101] As of March 2009 TSA identified 25 security directives or emergency amendments in effect that related to various aspects of airport perimeter and access control security. As shown in table 2, TSA imposed requirements through security directives that address areas such as worker and vehicle screening, criminal history record checks, and law enforcement officer deployments. Table 2: Requirements Relating to Airport Perimeter and Access Control Security Imposed through Security Directives and Emergency Amendments: Number of relevant security directives or emergency amendments; U.S. airports: 8; U.S. air carriers: 7; Foreign air carriers: 10; Total: 25. Areas of regulation addressed: Access control; U.S. airports: 6; U.S. air carriers: 1; Foreign air carriers: 5; Total: 12. Worker screening; U.S. airports: 3; U.S. air carriers: 3; Foreign air carriers: 3; Total: 9. Vehicle screening; U.S. airports: 3; U.S. air carriers: 0; Foreign air carriers: 1; Total: 4. Criminal history record check; U.S. airports: 2; U.S. air carriers: 1; Foreign air carriers: 1; Total: 4. Security threat assessment; U.S. airports: 1; U.S. air carriers: 2; Foreign air carriers: 3; Total: 6. No-Fly/Selectee lists[A]; U.S. airports: 3; U.S. air carriers: 4; Foreign air carriers: 2; Total: 9. Law enforcement officer deployment; U.S. airports: 4; U.S. air carriers: 0; Foreign air carriers: 1; Total: 5. Airport badging; U.S. airports: 3; U.S. air carriers: 1; Foreign air carriers: 3; Total: 7. Other/miscellaneous; U.S. airports: 5; U.S. air carriers: 2; Foreign air carriers: 5; Total: 12. Source: GAO analysis of TSA security directives and emergency amendments issued to U.S. airport and aircraft operators and foreign air carriers in accordance with 49 C.F.R. parts 1542 (airport security), 1544 (aircraft operator security), and 1546 (foreign air carrier security). Note: The 25 security directives and emergency amendments may address other areas of security in addition to those related to airport perimeter and access control security. [A] The No-Fly and Selectee lists contain the names of individuals with known or suspected links to terrorism who may pose a threat to the civil aviation system. In general, passengers identified as a match to the No-Fly list are prohibited from boarding a commercial flight, while those matched to the Selectee list are required to undergo additional screening. [End of table] According to TSA officials, security directives enable the agency to respond rapidly to immediate or imminent threats and provide the agency with flexibility in how it imposes requirements on airport operators. This function is especially relevant given the adaptive, dynamic nature of the terrorist threat. Moreover, according to TSA, imposing requirements through security directives is less time consuming than other processes, such as the lengthier notice-and-comment rule making process, which generally provides opportunity for more stakeholder input, requires cost-benefit analysis,[Footnote 102] and provides the regulated entities with more notice before implementation and enforcement.[Footnote 103] Officials from two prominent aviation associations and eight of nine airports we visited identified concerns regarding requirements established through security directive[Footnote 104]: * Officials from the two aviation associations noted inconsistencies between requirements established through separate security directives. For example, they noted that the requirements for airport-issued identification badges are different from those for badges issued by an air carrier. Workers employed by the airport, air carrier, or other entities who apply for an airport identification badge granting unescorted access to a secured area are required to undergo an immigration and citizenship status check, whereas workers who apply through an air carrier, which can grant similar unescorted access rights, are not.[Footnote 105] Both airport and air carrier workers can apply to an airport operator for airport-issued identification badges, but only air carrier workers can apply to their aircraft operator (employer) for an air carrier-issued identification badge. TSA officials told us that the agency plans to address this inconsistency-- which has been in effect since December 2002--and is working on a time frame for doing so. * Airport operator officials from eight of the nine airports we visited and officials from two industry associations expressed concern that requirements established through security directives related to airport security are often issued for an indefinite time period. Our review of 25 airport security directives and emergency amendments showed that all except one were issued with no expiration date. The two aviation industry associations have expressed concerns directly to TSA that security directive requirements should be temporary and include expiration dates so that they can be periodically reviewed for relevancy.[Footnote 106] According to senior officials, TSA does not have internal control procedures for monitoring and coordinating requirements established through security directives related to airport perimeter and access control security. In November 2008 TSA officials told us that the agency had drafted an operations directive that documents procedures for developing, coordinating, issuing, and monitoring civil aviation security directives. According to officials, this operations directive also is to identify procedures for conducting periodic reviews of requirements imposed through security directives. However, while TSA officials told us that they initially planned to issue the operations directive in April 2009, in May 2009 they said that they were in the process of adopting the recommendations of an internal team commissioned to review and identify improvements to TSA's policy review process, including the proposed operations directive. In addition, as of May 2009, officials did not have an expected date for finalizing the directive. TSA officials explained that because the review team's recommendations will require organizational changes and upgrades to TSA's information technology infrastructure, it will take a significant amount of time before an approved directive can be issued. As a result, it is unclear to what extent the operations directive will address concerns expressed by aviation operators and industry stakeholders. Standard practices in program management call for documented milestones to ensure that results are achieved.[Footnote 107] Establishing milestones for implementing guidance to periodically review airport security requirements imposed through security directives would help TSA formalize review of these directives within a time frame authorized by management. In addition to the stakeholder issues previously discussed, representatives from two prominent aviation industry associations have expressed concern that TSA has not issued security directives in accordance with the law. Specifically, these representatives noted that the Transportation Security Oversight Board (TSOB) has not reviewed TSA's airport perimeter and access control security directives in accordance with a provision set forth in ATSA.[Footnote 108] This provision, as amended, establishes emergency procedures by which TSA may immediately issue a regulation or security directive to protect transportation security, and provides that any such regulation or security directive is subject to review by the TSOB.[Footnote 109] The provision further states that any regulation or security directive issued pursuant to this authority may remain in effect for a period not to exceed 90 days unless ratified or disapproved by the TSOB. According to TSA officials, the agency has not issued security directives related to airport perimeter and access control security under this emergency authority. Rather, officials explained, the agency has issued such security directives (and all aviation-related security directives) in accordance with its aviation security regulations governing airport and aircraft operators, which predate ATSA and the establishment of TSA.[Footnote 110] FAA implemented regulations--promulgated through the notice-and-comment rule making process--establishing FAA's authority to issue security directives to impose requirements on U.S. airport and aircraft operators. With the establishment of TSA, FAA's authority to regulate civil aviation security, including its authority to issue security directives, transferred to the new agency. TSA does not consider ATSA to have altered this existing authority. A National Strategy for Airport Security Could Help Ensure Program Effectiveness, Inform Cost and Resource Decisions, Ensure Collaboration, and Increase Accountability: Although TSA has developed a variety of individual protective actions to mitigate identified airport security risks, it has not developed a unified national strategy aimed at enhancing airport perimeter and access control security. Through our prior work on national security planning, we have identified characteristics of effective security strategies,[Footnote 111] several of which are relevant to TSA's numerous efforts to enhance perimeter and access control security. For example, TSA has not developed goals and objectives for related programs and activities, prioritized protective security actions, or developed performance measures to assess the results of its perimeter and access control security efforts beyond tracking outputs (the level of activity provided over a period of time). Further, although TSA has identified some cost information that is used to inform programmatic decision making, it has not fully assessed the costs and resources necessary to implement its airport security efforts. Finally, TSA has not fully outlined how activities are to be coordinated among stakeholders, integrated with other aviation security priorities, or implemented within the agency.[Footnote 112] Leading Practices Show That Strategies Help Guide Decision Making and Increase Accountability: Developing a strategy to accomplish goals and desired outcomes helps organizations manage their programs more effectively and is an essential mechanism to guide progress in achieving desired results. Strategies are the starting point and foundation for defining what an agency seeks to accomplish, and we have reported that effective strategies provide an overarching framework for setting and communicating goals and priorities and allocating resources to inform decision making and help ensure accountability.[Footnote 113] Moreover, a strategy that outlines security goals, as well as mechanisms and measures to achieve such goals, and that is understood and available to all relevant stakeholders strengthens implementation of and accountability to common principles. A national strategy to guide and integrate the nation's airport security activities could strengthen decision making and accountability for several reasons. First, TSA has identified airport perimeter and access control security--particularly the mitigation of risks posed by workers who have unescorted access to secured areas--as a top priority.[Footnote 114] Historically, TSA has recognized the importance of developing strategies for high-priority security programs involving high levels of perceived risk and resources, such as air cargo security and the SPOT program. Second, in security networks that rely on the cooperation of all security partners--in this case TSA, airport operators, and air carriers--strategies can provide a basis for communication and mutual understanding between security partners that is fundamental for such integrated protective programs and activities. In addition, because of the mutually dependent roles that TSA and its security partners have in airport security operations, TSA's ability to achieve results depends on the ability of all security partners to operate under common procedures and achieve shared security goals. Finally, officials from two prominent industry organizations that represent the majority of the nation's airport operators said that the industry would significantly benefit from a TSA-led strategy that identified long-term goals for airport perimeter and access control security. In addition to providing a unifying framework, a strategy that clearly identifies milestones, developed in cooperation with industry security partners, could make it easier for airport operators to plan, fund, and implement security enhancements that according to industry officials can require intensive capital improvements. While TSA has taken steps to assess threat and vulnerability related to airport security and developed a variety of protective actions to mitigate risk, TSA has not developed a unifying strategy to guide the development, implementation, and assessment of these varied actions and those of its security partners. TSA officials cited three reasons why the agency has not developed a strategy to guide national efforts to enhance airport security. First, TSA officials cited a lack of congressional emphasis on airport perimeter and access control security relative to other high-risk areas, such as passenger and baggage screening. Second, these officials noted that airport operators, not TSA, have operational responsibility for airport security. Third, they cited a lack of resources and funding. While these issues may present challenges, they should be considered in light of other factors. First, Congress has long recognized the importance of airport security, and has contributed to the establishment of a variety of requirements pertaining to this issue. [Footnote 115] For example, the appropriations committees, through reports accompanying DHS's annual appropriations acts, have directed TSA to focus its efforts on enhancing several aspects of airport perimeter and access control security.[Footnote 116] Moreover, developing a strategy that clearly articulates the risk to airport security and demonstrates how those risks can be addressed through protective actions could help inform decision making. Second, though we recognize that airport operators, not TSA, generally have operational responsibility for airport perimeter and access control security, TSA- -as the regulatory authority for airport security and the designated lead agency for transportation security--is responsible for identifying, prioritizing, and coordinating protection efforts within aviation, including those related to airport security. TSA currently exercises this authority by ensuring compliance with TSA-approved airport operator security programs and, pursuant to them, by issuing and ensuring compliance with requirements imposed through security directives or other means. Finally, regarding resource and funding constraints, federal guidelines for strategies and planning include linking program activities and anticipated outcomes with expected program costs.[Footnote 117] In this regard, a strategy could strengthen decision making to help allocate limited resources to mitigate risk, which is a cornerstone of homeland security policy. Additionally, DHS's risk management approach recognizes that resources are to be focused on the greatest risks, and on protective activities designed to achieve the biggest reduction in those risks given the limited resources at hand. The NIPP risk management framework provides guidance for agencies to develop strategies and prioritize activities to those ends. A strategy helps to link individual programs to specific performance goals and describe how the programs will contribute to the achievement of those goals. A national strategy could help TSA, airport operators, and industry stakeholders in aligning their activities, processes, and resources to support mission-related outcomes for airport perimeter and access control security, and, as a result, in determining whether their efforts are effective in meeting their goals for airport security. TSA Has Not Identified Security Goals or Priorities or Fully Assessed the Effectiveness of Its Actions to Strengthen Airport Security: Our previous work has identified that an essential characteristic of effective strategies is the setting of goals, priorities, and performance measures. This characteristic addresses what a strategy is trying to achieve and the steps needed to achieve and measure those results. A strategy can provide a description of an ideal overall outcome, or "end-state," and link individual programs and activities to specific performance goals, describing how they will contribute to the achievement of the end-state. The prioritization of programs and activities, and the identification of milestones and performance measures, can aid implementing parties in achieving results according to specific time frames, as well as enable effective oversight and accountability. The NIPP also calls for the development of goals, priorities, and performance measures to guide DHS components, including TSA, in achieving a desired end-state. Goals: Security goals allow stakeholders to identify the desired outcomes that a security program intends to achieve and that all security partners are to work to attain. Defining goals and desired outcomes, in turn, enables stakeholders to better guide their decision making to develop protective security programs and activities that mitigate risks. The NIPP also states that security goals should be used in the development of specific protective programs and considered for distinct assets and systems. However, according to TSA officials, the agency has not developed goals and objectives for airport security, including specific targets or measures related to the effectiveness of security programs and activities.[Footnote 118] TSA officials told us that the agency sets goals for aviation security as a whole but has not set goals and objectives for the airport perimeter and access control security area. Developing a baseline set of security goals and objectives that consider, if not reflect, the airport perimeter and access control security environment would help provide TSA and its security partners with the fundamental tools needed to define outcomes for airport perimeter and access control security. Furthermore, a defined outcome that all security partners can work toward will better position TSA to provide reasonable assurance that it is taking the most appropriate steps for ensuring airport security. Priorities: Our past work has also shown that the identification of program priorities in a strategy aids implementing parties in achieving results, which enables more effective oversight and accountability. Although TSA has implemented protective programs and activities that address risks to airport security, according to TSA officials it has not prioritized these activities nor has it yet aligned them with specific goals and objectives. TSA officials told us that in keeping with legislative mandates, they have focused agency resources on aviation security programs and activities that were of higher priority, such as passenger and baggage screening and air cargo security. Identifying priorities related to airport perimeter and access control security could assist TSA in achieving results within specified time frames and limited resources because it would allow the agency to concentrate on areas of greatest importance. Performance Measures: In addition to our past work on national strategies, the NIPP and other federal guidance require agencies to assess whether their efforts are effective in achieving key security goals and objectives so as to help drive future investment and resource decisions and adapt and adjust protective efforts as risks change.[Footnote 119] Decision makers use performance measurement information, including activity outputs and descriptive information regarding program operations, to identify problems or weaknesses in individual programs, identify factors causing the problems, and modify services or processes to try to address problems.[Footnote 120] Decision makers can also use performance information collectively, and, according to the NIPP, examine a variety of data to provide a holistic picture of the health and effectiveness of a security approach from which to make security improvements. [Footnote 121] If significant limitations on performance measures exist, the strategy might address plans to obtain better data or measurements, such as national standards or indicators of preparedness. TSA officials told us that TSA has not fully assessed the effectiveness of its protective activities for airport perimeters and secured areas, but they said that the agency has taken some steps to collect certain performance data for some airport security programs and activities to help inform programmatic decision making. For example, TSA officials told us that they require protective programs, such as ADASP and VIPR, to report certain output data and descriptive program information, which officials use to inform administrative or programmatic decisions. For ADASP, TSA requires FSDs to collect information on, among other things, the number of workers screened, vehicles inspected, and prohibited items surrendered. TSA officials said that they use these descriptive and output data to inform programmatic decisions, such as determining the number of staff days needed to support ADASP operations nationwide. However, TSA was not able to provide documentation on how such analysis has been conducted. For VIPR, officials said that they require team members to complete after-action reports that include data on the number of participants, locations, and types of activities conducted. TSA officials said that they are analyzing and categorizing this descriptive and output information to determine trends and identify areas of success and failure, which they will use to improve future operations, though they did not provide us with examples of how they have done this. TSA officials also told us that they require SPOT to report descriptive operations data and situational report information, which are to be used to assign necessary duties and correct problems with program implementation. However, TSA officials could not tell us how they use these descriptive and output data to inform program development and administrative decisions. While the use of descriptive and output data to inform program development and administration is both appropriate and valuable, leading management practices emphasize that successful performance measurement focuses on assessing the results of individual programs and activities.[Footnote 122] TSA officials also told us that while they recognize the importance of assessing the effectiveness of airport security programs and activities in reducing known threats, it is difficult to do so because the primary purpose of these activities is deterrence. Assessing the deterrent benefits of a program is inherently challenging because it involves determining what would have happened in the absence of an intervention, or protective action, and it is often difficult to isolate the impact of the individual program on behavior that may be affected by multiple other factors. Because of this difficulty, officials told us that they have instead focused their efforts on assessing the extent to which each airport security activity supports TSA's overall layered approach to security. We recognize that assessing the effectiveness of deterrence-related activities is challenging and that it continues to be the focus of ongoing analytic effort and policy review. For example, a January 2007 report by the Department of Transportation addressed issues related to measuring deterrence in the maritime sector,[Footnote 123] and a February 2007 report by the RAND Corporation acknowledged the challenges associated with measuring the benefits of security programs aimed at reducing terrorist risk.[Footnote 124] However, as a feature of TSA's layered security approach, many of its airport activities address other aspects of security in addition to deterrence. Like other homeland security efforts, TSA's airport security activities also seek to limit the potential for attack, safeguard critical infrastructure and property, identify wrongdoing, and ensure an effective and efficient response in the event of an attack; the desired outcome of its efforts is to reduce the risk of an attack. Deterrence is an inherent benefit of any protective action, and methods designed to detect wrongdoing and measures taken to safeguard critical infrastructure and property, for example, also help deter terrorist attacks. There are a number of activities that TSA has implemented that seek to reduce this risk, such as requiring security threat assessments for all airport workers. Some of these activities serve principally to deter, such as ADASP, while others are more focused on safeguarding critical infrastructure and property, such as conducting compliance inspections of aviation security regulations or installing perimeter fencing. Some activities serve multiple purposes, such as VIPR, which seeks to provide a visual deterrent to terrorist or other criminal activity, but also seeks to safeguard critical infrastructure in various modes of transportation. Examining the extent to which its activities have effectively addressed these various purposes would enable TSA to more efficiently implement and manage its programs. There are several methods available that TSA could explore to gain insight on the extent to which its security activities have met their desired purpose and to ultimately improve program performance. For example, TSA could work with stakeholders, such as airport operators and other security partners, to identify and share lessons learned and best practices across airports to better tailor its efforts and resources and continuously improve security. TSA could also use information gathered through covert testing or compliance inspections-- such as noncompliance or security breaches--to make adjustments to specific security activities and to identify which aspects require additional investigation. In addition, TSA could develop proxy measures--indirect measures or signs that approximate or represent the direct measure--to show how security efforts correlate to an improved security outcome. Appendix VII provides a complete discussion on these methods, as well as information on other alternatives TSA could explore. TSA Has Identified Costs for Some Airport Security Activities, but Has Not Fully Identified Costs and Resource Needs, and Has Generally Not Conducted Cost-Benefit Analysis to Prioritize and Allocate Resources for Airport Security Activities: Our prior work shows that effective strategies address costs, resources, and resource allocation issues. Specifically, effective strategies address the costs of implementing the individual components of the strategy, the sources and types of resources needed (such as human capital or research and development), and where those resources should be targeted to better balance risk reductions with costs. [Footnote 125] Effective strategies may also address in greater detail how risk management will aid implementing parties in prioritizing and allocating resources based on expected benefits and costs. Our prior work found that strategies that provide guidance on costs and needed resources help implementing parties better allocate resources according to priorities, track costs and performance, and shift resources as appropriate. Costs and Resources: Statutory requirements and federal cost accounting standards also stress the benefits of developing and reporting on the cost of federal programs and activities, as well as using that information to more effectively allocate resources and inform program management decisions. [Footnote 126] TSA has identified the costs and resources it needs for some specific activities and programs that exclusively support airport security, such as JVAs of selected commercial airports. However, for programs that serve airport security as well as other aspects of aviation security, TSA has not identified the costs and resources devoted to airport security. For example, TSA has identified its expenditures for compliance inspections and other airport security- related programs and activities, which collectively totaled nearly $850 million from fiscal years 2004 through 2008. However, TSA has not identified what portion of these funds was directly allocated for airport security activities versus other aviation security activities, such as passenger screening. (For a more detailed discussion of airport security costs, see appendix IV.) Further, TSA has not fully identified the resources it needs to mitigate risks to airport perimeter and access control security. According to TSA officials, identifying collective agency costs and resource needs for airport security activities is challenging because airport security is not a separately funded TSA program, and many airport security activities are part of broader security programs. However, without attempting to identify total agency costs, it will be difficult for TSA to identify costs associated with individual security activities, and therefore it will be hindered in determining the resources it needs to sustain desired activity levels and realize targeted results. While TSA officials told us that they are starting to identify costs for airport security activities and plan to complete this effort by the end of 2009, they could provide no additional information to illustrate their approach for doing so. As a result, it is unclear what costs the agency will identify, and to what extent TSA will be able to identify costs for specific security activities in order to identify the resources it needs to sustain desired activity levels and realize targeted results. TSA officials also told us that they have not yet identified or estimated costs to the aviation industry for implementing airport security requirements, such as background checks for their workers, or capital costs--such as construction and equipment--that airport operators incur to enhance the security of their facilities.[Footnote 127] According to these officials, the agency does not have the resources and funds to collect cost information from airport operators. However, TSA officials could not tell us how and to what extent they had assessed the resources and funds needed to collect this information or whether they had explored other options for collecting cost data, such as working with industry associations to survey airport operators. Estimating general cost information on the types and levels of resources needed for desired outcomes would provide TSA and other stakeholders with valuable information with which to make informed resource and investment decisions, including decisions about future allocation needs, to mitigate risks to airport security. Prioritizing and Allocating Resources: According to our previous work on effective national strategies, as well as NIPP guidance, risk management focuses security efforts on those activities that bring about the greatest reduction in risk given the resources used.[Footnote 128] According to federal guidance, employing systematic cost-benefit analysis helps ensure that agencies choose the security priorities that most efficiently and effectively mitigate risk for the resources available. The Office of Management and Budget (OMB) cites cost-benefit analysis as one of the key principles to be considered when an agency allocates resources for capital expenditures because it provides decision makers with a clear indication of the most efficient alternative.[Footnote 129] DHS's Cost- Benefit Analysis Guidebook also states that cost-benefit analysis identifies the superior financial solution among competing alternatives, and that it is a proven management tool to support planning and managing costs and risks.[Footnote 130] While TSA has made efforts to consider costs for some airport security programs, it has not used cost-benefit analysis to allocate or prioritize resources toward the most cost-effective alternative actions for mitigating risk. [Footnote 131] According to TSA officials, certain factors have limited TSA's ability to conduct cost-benefit analysis, such as resource constraints and the need to take immediate action to address new and emerging security threats. However, officials could not demonstrate that they had attempted to conduct cost-benefit analysis for programs and activities related to airport security within the constraints of current resources, or explain how, or to what extent, they had assessed the resources that would be needed to conduct cost-benefit analysis. Further, TSA officials could not cite a situation in which the need to take immediate action--outside of issuing security directives--in response to a threat prevented them from conducting cost-benefit analysis.[Footnote 132] TSA officials agreed that conducting cost- benefit analysis is beneficial, but also said that it is not always practical because of the difficulty in quantifying the benefits of deterrence-based activities. Because of this challenge, officials said that they have used professional judgment, past experience, law enforcement principles, and intelligence information to evaluate alternative airport security activities to mitigate risks.[Footnote 133] While TSA's approach to identifying security actions includes accepted risk reduction decision-making tools, such as professional judgment, it does not provide a means to fully weigh the benefits versus the costs of implementing alternative actions. However, despite the challenges TSA cited to developing cost-benefit analysis, TSA officials told us that as of January 2009, the agency was in the early stages of investigating costs and benefits related to airport perimeter access control. According to these officials, TSA plans to initially focus on developing cost estimates associated with improving access control, a process the agency expects to complete by the end of 2009. However, because TSA officials did not explain how they expect to identify and estimate these costs and how, in the future, they plan to identify and estimate benefits for alternative actions, especially those actions that focus on deterrence, it is not yet clear to what extent TSA's efforts will constitute cost-benefit analysis. The use of systematic cost-benefit analysis when considering future airport security measures would help TSA to choose the most cost- effective security options for mitigating risk. We recognize the difficulties in quantifying the benefits of deterrence-based activities, but there are alternatives that TSA could pursue to assess benefits, such as examining the extent to which its activities address other purposes besides deterrence. Moreover, OMB recognizes that in some circumstances--such as when data are insufficient--costs and benefits cannot be quantified, in which case costs and benefits are to be assessed in qualitative terms.[Footnote 134] By exploring ways to identify expected costs associated with alternatives, and balancing these with estimated security benefits, TSA can more fully ensure that it is efficiently allocating and prioritizing its limited resources, as well as those of individual airports, in a way that maximizes the effectiveness of its airport security efforts. TSA Has Collaborated with Stakeholders regarding Airport Security Activities, but Has Not Always Fully Coordinated or Integrated Airport Security with Other Aspects of Aviation Security: Our prior work shows that effective national strategies address how to coordinate efforts and resolve conflicts among stakeholders, address ways in which each strategy relates to the goals of other strategies, and devise plans for implementing the strategies.[Footnote 135] Because the responsibility for airport perimeter and access control security involves multiple stakeholders, including federal entities, individual airport operators, air carriers, and industry organizations, coordination among stakeholders is critical. In such an environment, the implementation of security activities is strengthened when a strategy addresses how federal efforts will coordinate and integrate with other federal and private sector initiatives, relate to the goals and objectives of other strategies and plans, and be implemented and coordinated by relevant parties. Coordination: Representatives from industry associations told us that while TSA has collaborated with industry stakeholders on the development of multiple airport security activities and initiatives, the agency has not always fully coordinated the development and implementation of specific security activities and initiatives. For example, although TSA has worked with the industry in the development of some aspects of airport security technology, such as biometrics, industry association officials told us that the agency has not yet recommended specific technology based on the results of technology-based pilot programs it completed over 2 years ago in 2007. These officials also noted that TSA did not fully coordinate with the industry in its decision to impose stronger requirements on worker credentialing practices in the wake of security incidents at individual airports. TSA officials said that they have worked closely with industry stakeholders in addressing airport security issues, and have established working groups to continue to coordinate on issues such as biometric access control security. Our prior work found that a strategy should provide both direction and guidance to government and private entities so that missions and contributions can be more appropriately coordinated.[Footnote 136] Integration and Implementation: TSA has not demonstrated how it relates the activities of airport security to the goals, objectives, and activities of TSA's other aviation security strategies, such as passenger screening, air cargo screening, and baggage screening. In addition, TSA has not identified how these various security areas are coordinated at the national level. For example, TSA officials told us that some security efforts, such as the random worker screening program and roving security response teams, [Footnote 137] are used to address multiple security needs, such as both passenger and worker screening, but could not identify the extent to which program resources are planned for and applied between competing security needs. TSA officials said that decisions to allocate random worker screening resources between passenger and worker screening are made at the local airport level by FSDs. However, a clear understanding of how TSA's needs and goals for airport security align with those of its other security responsibilities would enable the agency to better coordinate its programs, gauge the effectiveness of its actions, and allocate resources to its highest-priority needs. Finally, it is not clear to what extent TSA has coordinated airport security activities within the agency, the responsibilities for which are spread among multiple offices. TSA officials explained that agency efforts to enhance and oversee airport perimeter and access control security are spread across multiple programs within five TSA component offices. No one office or program has responsibility for coordinating and integrating actions that affect the numerous aspects of perimeter and access control security, including operations, technology, intelligence, program policy, credentialing, and threat assessments. TSA officials agreed that the diffusion of responsibilities across offices can present coordination challenges. Developing an overarching, integrated framework for coordinating actions between implementing parties could better position TSA to avoid unnecessary duplication, overlap, and conflict in the implementation of these actions. According to our past work, strategies that provide guidance to clarify and link the roles, responsibilities, and capabilities of the implementing parties can foster more effective implementation and accountability. Conclusions: Commercial airports facilitate the movement of millions of passengers and tons of goods each week and are an essential link in the nation's transportation network. Given TSA's position that the interconnected commercial airport network is only as strong as its weakest asset, determining vulnerability across this network is fundamental to determining the actions and resources that are necessary to reasonably protect it. Evaluating whether existing, select vulnerability assessments reflect the network of airports will help TSA ensure that its actions strengthen the whole airport system. If TSA finds that additional assessments are needed to identify the extent of vulnerabilities nationwide, then developing a plan with milestones for conducting those assessments, and leveraging existing available assessment information from stakeholders, would help ensure the completion of these assessments and that intended results are achieved. In addition, although the consequences of a successful terrorist breach in airport security have not been assessed, based on the past events, the potential impact on U.S. assets, safety, and public morale could be profound. For this reason, assessing the likely consequences of an attack is an essential step in assessing risks to the nation's airports. Further, a comprehensive risk assessment that combines threat, vulnerability, and consequence would help TSA determine which risks should be addressed--and to what degree--and would help guide the agency in identifying the necessary resources for addressing these risks. Moreover, documenting milestones for completing the risk assessment would help ensure its timely completion. Implementing and evaluating a pilot program can be challenging, especially given the individual characteristics of the sites involved in the worker screening pilot, such as the variation in airport size, traffic flows, and layouts. However, a well-developed and documented evaluation plan, with well-defined and measurable objectives and standards as well as a clearly articulated methodology and data analysis plan, can help ensure that a pilot program is implemented and evaluated in ways that generate reliable information to inform future program development decisions. By making such a plan a cornerstone of future pilot programs, TSA will be better able to ensure that the results of those pilot programs will produce the reliable data necessary for making the best program and policy decisions. Integrating biometric technology into existing airport access control systems will not be easy given the range of technologies available, the number of stakeholders involved, and potential differences in the biometric controls already in use at airports. Yet Congress, the administration, and the aviation industry have emphasized the need to move forward in implementing such technology to better control access to sensitive airport areas. But until TSA decides whether, when, and how it will mandate biometric access controls at airports, individual airport operators will likely continue to delay investing in potentially costly technology in case it does not comply with future federal standards. Establishing milestones for addressing requirements would not only provide airports with the necessary information to appropriately plan future security upgrades, but give all stakeholders a road map by which they can anticipate future developments. TSA uses security directives as a means for establishing additional security measures in response to general or specific threats against the civil aviation system, including the security of airport perimeters and the controls that limit access to secured airport areas. Just as it is important that federal agencies have flexible mechanisms for responding to the adaptive, dynamic nature of the terrorist threat, it is also important that requirements remain consistent with current threat information. Establishing milestones for periodically reviewing airport perimeter and access control requirements imposed through security directives would help provide TSA and stakeholders with reasonable assurance that TSA's personnel will review these directives within a time frame authorized by management. TSA, along with industry partners, has taken a variety of steps to implement protective measures to strengthen airport security, and many of these efforts have required numerous stakeholders to implement a range of activities to achieve desired results. These various actions, however, have not been fully integrated and unified toward achieving common outcomes and effectively using resources. A national risk- informed strategy--that establishes measurable goals, priorities, and performance measures; identifies needed resources; and is aligned and integrated with related security efforts--would help guide decision making and hold all public and private security partners accountable for achieving key shared outcomes within available resources. Moreover, a strategy that identifies these key elements would allow TSA to better articulate its needs--and the challenge of meeting those needs--to industry stakeholders and to Congress. Furthermore, balancing estimated costs against expected security benefits, and developing measures to assess the effectiveness of security activities, would help TSA provide reasonable assurance that it is properly allocating and prioritizing its limited resources, or those of airports, in a way that maximizes the effectiveness of its airport security efforts. Recommendations for Executive Action: To help ensure that TSA's actions in enhancing airport security are guided by a systematic risk management approach that appropriately assesses risk and evaluates alternatives, and that it takes a more strategic role in ensuring that government and stakeholder actions and resources are effectively and efficiently applied across the nationwide network of airports, we recommend that the Assistant Secretary of TSA work with aviation stakeholders to implement the following five actions: * Develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones (i.e., time frames) for completing the assessment, that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk--threat, vulnerability, and consequence. - As part of this effort, evaluate whether the current approach to conducting JVAs appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. - If the evaluation demonstrates that a nationwide assessment should be conducted, develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, leverage existing assessment information from industry stakeholders, to the extent feasible and appropriate, to inform its assessment. * Ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and well-documented evaluation plan that includes: - measurable objectives, - criteria or standards for determining program performance, - a clearly articulated methodology, - a detailed data collection plan, and: - a detailed data analysis plan. * Develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems. * Develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives. * To better ensure a unified approach among airport security stakeholders for developing, implementing, and assessing actions for securing airport perimeters and access to controlled areas, develop a national strategy for airport security that incorporates key characteristics of effective security strategies, including the following: - Measurable goals, priorities, and performance measures. TSA should also consider using information from other methods, such as covert testing and proxy measures, to gauge progress toward achieving goals. - Program cost information and the sources and types of resources needed. TSA should also identify where those resources would be most effectively applied by exploring ways to develop and implement cost- benefit analysis to identify the most cost-effective alternatives for reducing risk. - Plans for coordinating activities among stakeholders, integrating airport security goals and activities with those of other aviation security priorities, and implementing security activities within the agency. Agency Comments and Our Evaluation: We provided a draft of our report to DHS and TSA on August 3, 2009, for review and comment. On September 24, 2009, DHS provided written comments, which are reprinted in appendix VIII. In commenting on our report, DHS stated that it concurred with all five recommendations and identified actions planned or under way to implement them. In its comments to our draft report, DHS stated that the Highlights page of our report includes a statement that is inaccurate. We disagree. Specifically, DHS contends that it is not accurate to state that TSA "has not conducted vulnerability assessments for 87 percent of the nation's 450 commercial airports" because this statement does not recognize that TSA uses other activities to assess airport vulnerabilities, and that these activities are conducted for every commercial airport. For example, DHS stated that (1) every commercial airport must have a TSA-approved ASP, which is to cover personnel, physical, and operational security measures; (2) each ASP is reviewed on a regular basis by a FSD; and (3) such FSD reviews "include a review of security measures applied at the perimeter." As we noted in our report, TSA identified JVAs, along with professional judgment, as the agency's primary mechanism for assessing airport security vulnerabilities in accordance with NIPP requirements. Moreover, it is not clear to what extent the FSD reviews and other activities TSA cites in its comments address airport perimeter and access control vulnerabilities or to what extent such reviews have been applied consistently on a nationwide basis, since TSA has not provided us with any documentary evidence regarding these or other reviews. Finally, in meeting with TSA, its officials acknowledged that because they have not conducted a joint vulnerability assessment for 87 percent of commercial airports, they do not know how vulnerable these airports are to an intentional breach in security or an attack. Thus, we consider the statement on our Highlights page to be accurate. TSA also stated that "as provided in our draft report" the foundation of TSA's national strategy is its individual layers--or actions--of security, which, when combined, generate an exponential increase in deterrence and detection capability. However, we did not evaluate TSA's layered approach to security or the extent to which this approach provides increased deterrence and detection capabilities. Regarding our first recommendation that TSA develop a comprehensive risk assessment for airport perimeter and access control security, DHS stated that TSA will develop such an assessment through its ongoing efforts to conduct a comprehensive risk assessment for the transportation sector. TSA intends to provide the results of the assessment to Congress by January 2010. According to DHS, the aviation domain portion of the sector risk assessment is to address, at the national level, nine airport perimeter and access control security scenarios. It also stated that the assessment is to integrate all three elements of risk--threat, vulnerability and consequence--and will rely on existing assessment activities, including JVAs. In developing this assessment, it will be important that TSA evaluate whether its current approach to conducting JVAs, which it identifies as one element of its risk assessment efforts, appropriately assesses vulnerabilities across the commercial airport system, and whether additional steps are needed. Since TSA has repeatedly stated the need to develop baseline data on airport security vulnerabilities to enable it to conduct systematic analysis of vulnerabilities on a nationwide basis, TSA could also benefit from exploring the feasibility of leveraging existing assessment information from industry stakeholders to inform this assessment. DHS also agreed with our second recommendation that a well-developed and well-documented evaluation plan should be part of TSA's efforts to evaluate and implement future airport security pilot programs. In addition, DHS concurred with our third recommendation that TSA develop milestones for meeting statutory requirements for establishing system requirements and performance standards for the use of biometric airport access control systems. DHS noted that while mandatory use of such systems is not required by statute, TSA is still considering whether it will mandate the use of biometric access control systems at airports, and in the meantime it will continue to encourage airport operators to voluntarily utilize biometrics in their access control systems. We agree that mandatory use of biometric access control systems is not required by statute, but establishing milestones would help guide TSA's continued work with the airport industry to develop and refine existing biometric access control standards. In regard to our fourth recommendation that TSA develop milestones for establishing agency procedures for reviewing airport security requirements imposed through security directives, DHS concurred that milestones are necessary. Finally, in regard to our fifth recommendation that TSA develop a national strategy for airport security that incorporates key characteristics of effective security strategies, DHS concurred and stated that TSA will develop a national strategy by updating the TS- SSP. DHS stated that TSA intends to solicit input on the plan from its Sector Coordinating Council, which represents key private sector stakeholders from the transportation sector, before releasing the updated TS-SSP in the summer of 2010. However, given that the TS-SSP is to focus on detailing how the NIPP framework will apply to the entire transportation sector, it may not be the most appropriate vehicle for developing a national strategy that addresses the various management issues specific to airport security that we identified in our report. A more effective approach might be to issue the strategy as a stand-alone plan, in keeping with the format TSA has used for its air cargo, passenger checkpoint screening, and SPOT strategies. A stand-alone strategy might better facilitate key stakeholder involvement, focus attention on airport security needs, and allow TSA to more thoroughly address relevant challenges and goals. But irrespective of the format, it will be important that TSA fully address the key characteristics of an effective strategy, as identified in our report. The intent of a national strategy is to provide a unifying framework that guides and integrates stakeholder activities toward desired results, which may be best achieved when planned efforts are clear and sustainable, and transparent enough to ensure accountability. Thus, it is important that the strategy fully incorporate the following characteristics: (1) measurable goals, priorities, and performance measures; (2) program cost information, including the sources and types of resources needed; and (3) plans for coordinating activities among stakeholders, integrating airport security goals and activities with those of other aviation security priorities, and implementing security activities within the agency. TSA also provided us with technical comments, which we considered and incorporated in the report where appropriate. We are sending copies of this report to the Secretary of Homeland Security, the Secretary of Transportation, the Assistant Secretary of the Transportation Security Administration, appropriate congressional committees, and other interested parties. The report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any further questions about this report or wish to discuss these matters further, please contact me at (202) 512- 4379 or lords@gao.govberrickc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IX. Signed by: Stephen M. Lord: Director, Homeland Security and Justice Issues: List of Requesters: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: The Honorable John D. Rockefeller, IV: Chairman: Committee on Commerce, Science, and Transportation: United States Senate: The Honorable Loretta Sanchez: Chairwoman: Subcommittee on Border, Maritime and Global Counterterrorism: Committee on Homeland Security: House of Representatives: The Honorable Jane Harman: Chairwoman: Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment: Committee on Homeland Security: House of Representatives: The Honorable Sheila Jackson-Lee: Chairwoman: Subcommittee on Transportation Security and Infrastructure Protection: Committee on Homeland Security: House of Representatives: The Honorable Donna M. Christensen: The Honorable Peter A. DeFazio: The Honorable Norman D. Dicks: The Honorable Bob Etheridge: The Honorable James R. Langevin: The Honorable Zoe Lofgren: The Honorable Nita Lowey: The Honorable Ed Markey: The Honorable Kendrick B. Meek: The Honorable Eleanor Holmes Norton: The Honorable Bill Pascrell, Jr. House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: This report evaluates to what extent the Transportation Security Administration (TSA) has: * assessed the risk to airport security consistent with the National Infrastructure Protection Plan's (NIPP) risk management framework; * implemented protective programs to strengthen airport security, and evaluated its worker screening pilot program; and: * established a national strategy to guide airport security decision making. To evaluate the extent to which TSA has assessed risks for airport perimeter and access control security efforts, we relied on TSA to identify risk assessment activities for these areas, and we then examined documentation for these activities, such as TSA's 2008 Civil Aviation Threat Assessment, and interviewed TSA officials responsible for conducting assessment efforts. We examined the extent to which TSA generally conducted activities intended to assess threats, vulnerabilities, and consequences to the nation's approximately 450 airports. We also reviewed the extent to which TSA's use of these three types of assessments met the NIPP criteria for completing a comprehensive risk assessment. However, while we assessed the extent to which the individual threat and vulnerability assessment activities that TSA identified addressed the area of airport perimeter and access controls, the scope of our work did not include individual evaluations of these activities to determine whether they were consistent with the NIPP criteria for conducting threat and vulnerability assessments. In addition, we reviewed and summarized critical infrastructure and aviation security requirements set out by Homeland Security Presidential Directives 7 and 16, the Aviation and Transportation Security Act (ATSA),[Footnote 138] and other statutes and related materials. We also examined the individual threat and vulnerability assessment activities and discussed them with senior TSA and program officials, to evaluate how TSA uses this information to set goals and inform its decision making. We compared this information with the NIPP, TSA's Transportation Security Sector-Specific Plan, and our past guidance and reports on recommended risk management practices.[Footnote 139] In addition, we obtained and analyzed data from TSA regarding joint vulnerability assessments, which are conducted with the Federal Bureau of Investigation (FBI), to determine the extent to which TSA has used this information to assess risk to airport perimeter and access control security. We also obtained information on the processes used to schedule and track these activities to determine the reliability with which these data were collected and managed, and we determined that the data were sufficiently reliable for the purposes of this report. We interviewed TSA and FBI officials responsible for conducting joint vulnerability assessments to discuss the number conducted by TSA since 2004, the scope of these assessments, and how they are conducted. In addition, we interviewed selected TSA officials responsible for risk management and security programs related to airport perimeter and access control to clarify the extent to which TSA has assessed risk in these areas. We selected these officials based upon their relevant expertise with TSA's risk management efforts and its airport perimeter and access control efforts. We also analyzed TSA data on security breaches by calculating the total number of security breaches from fiscal years 2004 through 2008. To determine that the data were sufficiently reliable to present contextual information regarding all breaches to secured areas (including airport perimeters) in this report, we obtained information on the processes used to collect, tabulate, and assess these data, and discussed data quality control procedures with appropriate officials and found that the data were sufficiently reliable for this purpose. Because the data include security breaches that occurred within any type of secured areas, including passenger-related breaches, they are not specific to perimeter and access control security. In addition, the data have not been adjusted to reflect potential issues that could also influence or skew the number of overall breaches, such as annual increases in the number of passengers or specific incidences occurring within individual airports that account for more breaches than others. Furthermore, because TSA does not require its inspectors to enter a description of the breach when documenting an incident, and general reports on breach data do not show much variation between incidences unless a report includes a description of the breach, we did not ask TSA for descriptive information on breaches that occurred. To evaluate the extent to which TSA has implemented protective programs to strengthen airport security consistent with the NIPP risk management framework, we asked TSA to identify agency-led activities and programs for strengthening airport security. For the purposes of this report, we categorized TSA's responses into four main areas of effort: (1) worker screening pilot program, (2) worker security programs, (3) technology, and (4) general airport security. To determine the extent to which TSA evaluated its worker screening pilot program, we analyzed TSA's final report on it worker screening pilot program, including conclusions and limitations cited by the contractor--the Homeland Security Institute (HSI)--TSA hired to assist with the pilot's design, implementation, and evaluation.[Footnote 140] We also reviewed standards for internal control in the federal government and our previous work on pilot program development and evaluation to identify accepted practices for ensuring reliable results, including key features of a sound evaluation plan.[Footnote 141] Further, we analyzed TSA and HSI's documentation of the worker screening pilot program methodology to determine whether TSA and HSI had documented their plans for conducting the program, whether each pilot was carried out in a consistent manner, and if participating airports were provided with written requirements or guidance for conducting the pilots. To evaluate TSA's efforts for its worker security programs, we assessed and summarized relevant program information, operations directives, and standard operating procedures for the Aviation Direct Access Screening Program (ADASP) and enhanced background checks. We also informed this assessment with recent work by the Department of Homeland Security's (DHS) Office of the Inspector General (OIG) regarding worker screening.[Footnote 142] We reviewed the DHS OIG's methodology and analysis to determine whether its findings were reliable for use in our report. We analyzed TSA's documentation of its background checks to determine if TSA sufficiently addressed relevant ATSA requirements and recommendations from our 2004 report on airport security.[Footnote 143] We also interviewed TSA officials responsible for worker background checks to determine the agency's efforts to develop a plan to meet outstanding ATSA requirements. With respect to perimeter and access control technology, we reviewed and summarized TSA documentation and evaluations of the Airport Access Control Pilot Program (AACPP), documentation related to the Airport Perimeter Security (APS) pilot program, and the dissemination of information regarding technology to airports. We interviewed officials with the DHS Directorate for Science and Technology, the National Safe Skies Alliance, and RTCA, Inc., regarding research, development, and testing efforts, and challenges and potential limitations of applicable technologies to airport perimeter and access control security. We selected these entities because of their role in the development of such technology. We also interviewed TSA Headquarters officials to obtain views on the nature and scope of technology-related efforts and other relevant considerations, such as how they addressed relevant ATSA requirements and recommendations from our 2004 report, or how they plan to do so. With regard to TSA's efforts for general airport security, we examined TSA's procedures for developing and issuing airport perimeter and access control requirements through security directives and other methods, and analyzed the extent to which TSA disseminated security requirements to airports through security directives. At our request, TSA identified 25 security directives and emergency amendments that imposed requirements related to airport perimeter and access control security, which we examined to identify specific areas of regulation. In addition, we assessed and summarized relevant program information and documentation, such as operations directives, for other programs identified by TSA, such as the Visible Intermodal Prevention and Response (VIPR) program, Screening of Passengers by Observation Techniques (SPOT) program, and the Law Enforcement Officer Reimbursement Program. To evaluate the extent to which TSA established a national strategy to guide airport security decision making, we considered guidance on effective characteristics for security strategies and planning that we previously reported, Government Performance and Results Act (GPRA) requirements,[Footnote 144] and generally accepted strategic planning practices for government agencies. In order to evaluate TSA's approach to airport security, we reviewed TSA documents to identify major security goals and subordinate objectives for airport perimeter and access control security, and relevant priorities, goals, objectives, and performance measures. We also analyzed relevant program documentation, including budget, cost, and performance information, including relevant information TSA developed and maintains for the Office of Management and Budget's Performance Assessment Rating Tool. We compared TSA's approach with criteria identified in NIPP, other DHS guidance, GPRA, and other leading practices in strategies and planning. We also interviewed relevant TSA program and budget officials, Federal Aviation Administration (FAA) officials, and selected aviation industry officials regarding the cost of airport perimeter and access control security for fiscal years 2004 through 2008. To determine the extent to which TSA collaborated with stakeholders on airport security activities, and to obtain their insights on airport security operations, costs, and regulation, we interviewed industry officials from the Airports Council International-North America--whose commercial airport members represent 95 percent of domestic airline passenger and air cargo traffic in North America--and from the American Association of Airport Executives--whose members represent 850 domestic airports.[Footnote 145] We selected these industry associations based on input from TSA and from industry stakeholders, who identified the two associations representing commercial airport operators. We also attended aviation association conferences at which industry officials presented information on national aviation security policy and operations, and we conducted a group discussion with 17 officials representing various airport and aircraft operators and aviation associations to obtain their views regarding key issues affecting airport security. While the views expressed by these industry, airport, and aircraft operator officials cannot be generalized to all airport industry associations and operators, these interviews provided us with additional perspectives on airport security and an understanding of the extent to which TSA has worked and collaborated with airport stakeholders. We also conducted site visits at nine U.S. commercial airports--Orange County John Wayne Airport, Washington-Dulles International Airport, Miami International Airport, Orlando International Airport, John F. Kennedy International Airport, Westchester County Airport, Logan International Airport, Barnstable Municipal Airport, and Salisbury/ Wicomico County Regional Airport. During these visits we observed airport security operations and discussed issues related to perimeter and access control security with airport officials and on-site TSA officials, including federal security directors (FSD). We selected these airports based on several factors, including airport category, size, and geographical dispersion; whether they faced problems with perimeter and access control security; and the types of technological initiatives tested or implemented. Because we selected a nonprobability sample of airports to visit, those results cannot be generalized to other U.S. commercial airports; however, the information gathered provides insight into TSA and airport programs and procedures. In addition, at Miami International Airport and John F. Kennedy International Airport we conducted separate interviews with airport officials to discuss their ongoing, or anticipated, efforts to implement additional worker screening methods at their respective airports. We also conducted telephone interviews with airport officials and FSDs from four airports that had implemented, or planned to implement, various forms of 100 percent screening of airport workers to discuss their efforts. These were Cincinnati/Northern Kentucky International Airport, Dallas/Fort Worth International Airport, Denver International Airport, and Phoenix Sky Harbor International Airport. While the views of the officials we spoke with regarding additional worker screening methods cannot be generalized to all airport security officials, they provided insight into how airport security programs were chosen and developed. We also conducted an additional site visit at Logan International Airport to observe TSA's implementation of various worker screening methods as part of the agency's worker screening pilot program. While the experiences of this pilot location cannot be generalized to all airports participating in the pilot, we chose this airport based on airport category and the variety of worker screening methods piloted at this location. We conducted this performance audit from May 2007 through September 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: TSA Actions to Address Selected Statutory Requirements for Airport Security: TSA has taken steps since 2004 to address some of the requirements related to airport perimeter and access control security prescribed by ATSA.[Footnote 146] The related ATSA requirements, and TSA's actions as of May 2009 to address these requirements, are summarized in table 3. Table 3: TSA Actions since 2004 to Address Relevant ATSA Requirements through May 2009: Requirement for evaluating airport access controls: ATSA requirements related to airport perimeter and access control security: TSA shall, on an ongoing basis, accept and test for compliance with access control requirements, report annually on the findings of the assessments, and assess the effectiveness of penalties in ensuring compliance with security procedures and take any other appropriate enforcement actions when noncompliance is found. See 49 U.S.C. § 44903(g)(2)(D); TSA actions taken in response: The agency has established schedules and developed an analytical approach for completing compliance inspections. In doing so, TSA developed inspection prompts that target critical areas of the airport. TSA officials told us that the agency has not developed measures to assess the effectiveness of its penalties, but believes that its current approach of requiring documentation of issues and prompt corrective action by the operator upon the discovery of noncompliance results in acceptable performance. Requirements for strengthening the security of airport perimeters and access controls: ATSA requirements related to airport perimeter and access control security: Within 6 months after enactment of ATSA (enacted Nov. 19, 2001), TSA shall recommend to airport operators commercially available measures or procedures to prevent access to secure airport areas by unauthorized persons. As part of the assessment, TSA shall review the effectiveness of biometrics systems currently in use, increased surveillance at access points, card-or key-based access systems, and emergency exit systems, as well as specifically targeting the elimination of "piggybacking," where one person follows another through an access point. The assessment shall include a 12-month deployment strategy for currently available technology at all Category X-- generally the largest and busiest--airports. Not later than 18 months after enactment, the Secretary of Transportation was to conduct a review of reductions in unauthorized access at Category X airports. See 49 U.S.C. § 44903(j)(1)[A]; TSA actions taken in response: TSA officials said that in an effort to assist aviation stakeholders in determining the effectiveness of access control technologies, TSA has provided information to airports on available technology through (1) AACPP, a pilot program designed to test new and emerging access controls technology, and (2) a list of biometric products that meet standards set by TSA. However, TSA officials also stated that while the agency has not yet recommended commercially available measures or a deployment strategy, it plans to implement a second phase of AACPP, which may result in recommended technologies. ATSA requirements related to airport perimeter and access control security: TSA shall establish pilot programs in no fewer than 20 airports to test and evaluate technology for providing access control and security protections for closed or secure areas. See 49 U.S.C. § 44903(c)(3); TSA actions taken in response: In 2003 TSA established AACPP, as described above. In December 2006, TSA issued a final report that summarized the results of the 20 pilot projects involved in the program. ATSA requirements related to airport perimeter and access control security: TSA shall develop a plan to provide technical support and financial assistance to airports with less than 1 percent of the total annual enplanements for the most recent calendar year for which data are available, to enhance security operations and to defray the costs of such enhancements. See Pub. L. No. 107-71, § 106(b)(1), 115 Stat. 571, 609; TSA actions taken in response: According to TSA officials, the agency has in part met this requirement by providing technical assistance through AACPP, the APS pilot program, and the Law Enforcement Officer Reimbursement Program. However, officials explained that as of May 2009 the agency had not yet developed a plan to provide technical information and funding to small-and medium-sized airports, because TSA has not been specifically directed to obligate funding for this purpose, and that its resources and management attention have focused on requirements for which it has direct responsibility and deadlines, including passenger and baggage screening. Requirements for reducing the risks posed by airport workers: ATSA requirements related to airport perimeter and access control security: TSA shall, as part of the employment investigation for escorted or unescorted access to aircraft or secured areas of an airport, include a review of available law enforcement databases and records of other government and international agencies, to the extent determined practicable. See 49 U.S.C. § 44936; TSA actions taken in response: While TSA requires background checks-- which include fingerprint and name-based checks--on all workers with unescorted access to secured airport areas, it does not require such checks for workers who have regularly escorted access. According to TSA officials, it is not necessary to conduct checks on workers who have regularly escorted access because the agency has taken other steps that adequately address the threat that may be posed by regularly escorted workers, such as random screening. In addition, in October 2007, TSA issued a security directive that contained a requirement limiting the number of workers who can escort nonauthorized workers. TSA officials also stated that airports typically seal off or isolate the area where workers with escorted access are located. ATSA requirements related to airport perimeter and access control security: TSA shall require scheduled passenger carriers, and airports operating under TSA-approved security programs, to develop security awareness training programs for airport employees; ground crews; gate, ticket, and curbside agents of the air carriers; and other individuals employed at such airports. See Pub. L. No. 107-71, § 106(e), 115 Stat. 571, at 610; TSA actions taken in response: According to TSA officials, this requirement is addressed through a security directive that requires airports to implement a security awareness plan to keep employees, contractors, and new hires informed of the increased threat to airport security and their individual security responsibilities. Workers must report suspicious items or activities that come to their attention at the airport to the appropriate official, in accordance with local procedures. In addition, according to TSA officials, TSA-approved aircraft operator programs should contain specific and detailed requirements for initial and recurrent security training of aircraft workers. ATSA requirements related to airport perimeter and access control security: TSA shall require vendors having direct access to the airfield and aircraft to develop their own security programs. See 49 U.S.C. § 44903(h)(4)(D); TSA actions taken in response: According to TSA officials, this requirement is addressed through the airport security program plans that airport operators are required by law and regulation to develop; these plans are to include vendor operations. Further, TSA officials noted that airport security directives require vendor workers who have access to a secured area to undergo fingerprint-based criminal history background checks. In addition, according to officials, airports are required to inspect all vendor deliveries, vendor employees, and delivery personnel. TSA officials noted that the agency can assist airports in these efforts by screening employees though ADASP. ATSA requirements related to airport perimeter and access control security: TSA shall require, as soon as practicable after enactment, screening or inspection of all persons, vehicles, equipment, goods, and property before they enter secured areas of airports operating under TSA-approved security programs. See 49 U.S.C. § 44903(h)(4)(A); TSA actions taken in response: TSA officials stated that the agency has met this requirement through collective airport security activities, such as airport worker background checks and the random screening of airport workers and vehicles. Sources: Pub. L. No. 107-71, §§ 106, 136, 138, 115 Stat. 597, 608-10, 36-37, 39-41 (2001), and GAO summary and analysis of TSA actions taken. [A] Pursuant to the Homeland Security Act of 2002, TSA transferred from the Department of Transportation to the newly established DHS. See Pub. L. No. 107-296, § 403, 116 Stat. 2135, 2178 (2002). [End of table] [End of section] Appendix III: TSA Also Uses Compliance Inspections and Covert Testing to Detect Possible Airport Security Vulnerabilities: TSA officials told us that they use the results of compliance inspections and covert testing to augment their assessment of potential vulnerabilities in airport security. Compliance inspections examine a regulated entity's--such as an airport operator or air carrier-- adherence to federal regulations, which TSA officials say they use to determine if airports adequately address known threats and vulnerabilities.[Footnote 147] According to TSA, while regulatory compliance is just one dimension of airport security, compliance with federal requirements allows TSA to determine the general level of security within an airport. As a result, according to TSA, compliance with regulations suggests less vulnerability within an airport and, conversely, failure to meet critical compliance rates suggests the likelihood of a larger problem within an airport and helps the agency identify and assess vulnerabilities. TSA allows its inspectors to conduct compliance inspections based on observations of various activities, such as ADASP, VIPR, and local covert testing, and to conduct additional inspections based on vulnerabilities identified through assessments or the results of regular inspections. Covert tests are any test of security systems, personnel, equipment, and procedures to obtain a snapshot of the effectiveness of that security measure, and they are used to improve airport performance, safety, and security. TSA officials stated that covert testing assists the agency in identifying airport vulnerabilities because such tests are designed based on threat assessments and intelligence to approximate techniques that terrorists may use to exploit gaps in airport security. TSA conducts four types of covert tests for airport access controls: * Access to security identification display areas (SIDA): TSA inspectors not wearing appropriate identification attempt to penetrate SIDA access points, such as boarding gates, employee doors, and other entrances. * Access to air operations areas (AOA): TSA inspectors not wearing appropriate identification attempt to penetrate AOA via access points from public areas, such as perimeter gates and cargo areas. * Access to aircraft: TSA inspectors not wearing appropriate identification (or not carrying valid boarding passes) attempt to penetrate passenger access points that lead to aircraft from sterile areas, such as boarding gates, employee doors, and jet ways. * SIDA challenges: Once inside a SIDA, TSA inspectors attempt to walk around these areas, such as the tarmac and baggage loading areas, without displaying appropriate identification. TSA also requires FSDs to conduct similar, locally controlled tests of access controls to ensure compliance and identify possible vulnerabilities with airport security. These tests are selected by the FSDs and based on locally identified risks and can include challenging procedures in the secure area, piggybacking (following authorized airport workers into secured areas), and attempting to access an aircraft from sterile area. According to TSA officials, the agency uses the results of its covert tests to inform decision making for airport security, but officials could not provide examples of how this information has specifically informed past decisions.[Footnote 148] [End of section] Appendix IV: Costs for Airport Security: Various TSA offices and programs contribute to the overall operations and costs of airport perimeter and access control security. According to TSA officials, the agency does not develop a cost estimate specific to perimeter and access control security because such efforts are often part of broader security activities or related programs--for example, VIPR and SPOT are also used for passenger screening. As a result, it is difficult to identify what percentage of program costs has been expended on airport perimeter and access control security activities. At our request, TSA officials identified the estimated spending related to perimeter and access control security programs from fiscal years 2004 through 2008 (see table 4).[Footnote 149] Table 4: Summary of TSA-Identified Costs Related to Airport Security, Fiscal Years 2004-2008 (Present year dollars in millions): Program/office: Office of Law Enforcement/Federal Air Marshal Service; Joint Vulnerability Assessment Program; Present year dollars in millions: FY04: $0.03; Present year dollars in millions: FY05: $0.08; Present year dollars in millions: FY06: $0.06; Present year dollars in millions: FY07: $0.10; Present year dollars in millions: FY08: $0.08; Present year dollars in millions: Total: $0.35. Program/office: Office of Law Enforcement/Federal Air Marshal Service; Law Enforcement Reimbursement Program; Present year dollars in millions: FY04: $64.24; Present year dollars in millions: FY05: $63.61; Present year dollars in millions: FY06: $67.36; Present year dollars in millions: FY07: $66.22; Present year dollars in millions: FY08: $66.90; Present year dollars in millions: Total: $328.33. Program/office: Office of Security Operations: ADASP[A]; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: N/A; Present year dollars in millions: FY06: N/A; Present year dollars in millions: FY07: $38.00; Present year dollars in millions: FY08: $70.60; Present year dollars in millions: Total: $108.60. Program/office: Office of Security Operations: SPOT[B]; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: N/A; Present year dollars in millions: FY06: $5.01; Present year dollars in millions: FY07: $21.46; Present year dollars in millions: FY08: $87.07; Present year dollars in millions: Total: $113.54. Program/office: Office of Security Operations: VIPR; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: N/A; Present year dollars in millions: FY06: N/A; Present year dollars in millions: FY07: $$1.94; Present year dollars in millions: FY08: NSI[C]; Present year dollars in millions: Total: NSI. Program/office: Office of Security Operations: Compliance Inspections; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: $68.34; Present year dollars in millions: FY06: $70.65; Present year dollars in millions: FY07: $74.30; Present year dollars in millions: FY08: $75.70; Present year dollars in millions: Total: $288.99. Program/office: Office of Transportation Threat Assessment and Credentialing; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: N/A; Present year dollars in millions: FY06: $2.00; Present year dollars in millions: FY07: $2.00; Present year dollars in millions: FY08: $2.00; Present year dollars in millions: Total: $6.00. Program/office: Office of Intelligence Special Operations Covert Test Program; Present year dollars in millions: FY04: $0.18; Present year dollars in millions: FY05: $0.15; Present year dollars in millions: FY06: $0.06; Present year dollars in millions: FY07: $0.12; Present year dollars in millions: FY08: $0.05; Present year dollars in millions: Total: $0.56. Program/office: Office of Transportation Sector Network Management[D]; Present year dollars in millions: FY04: N/A; Present year dollars in millions: FY05: N/A; Present year dollars in millions: FY06: NSI; Present year dollars in millions: FY07: NSI; Present year dollars in millions: FY08: NSI; Present year dollars in millions: Total: NSI. Total Identified Costs Total: $846.37. Source: GAO summary of TSA data. Legend: N/A = not applicable; NSI = not separately identified. Notes: This table includes funds either obligated or expended by TSA for programs and activities related to airport perimeter and access control security (figures rounded to the nearest one hundredth). However, many of these programs and activities also include efforts that apply to other areas of aviation security. For example, compliance inspections are used to assess the extent to which airports comply with perimeter and access control requirements, as well as to assess the extent to which air carriers comply with other TSA regulations. Because of rounding, numbers may not add to totals. [A] The ADASP fiscal year 2007 figure is an estimate based upon ADASP staff days allocated to all commercial airports calculated by using the average cost of 1 staff day devoted to ADASP activities. [B] Cost figures for SPOT are TSA's estimates of expenditures for the respective fiscal years; they do not reflect allocations. TSA allotted $40.8 million to SPOT activities for fiscal year 2007 and $144.1 million for fiscal year 2008. According to TSA officials, approximately $80 million that the agency initially allotted for SPOT activities in fiscal years 2007 and 2008 was not spent on the program, but was expended for general transportation security officer performance, compensation, and benefits. [C] NSI indicates that the specific costs for these programs were unknown because the activities were elements of a larger program and could not be separately identified by TSA. For example, in fiscal year 2008 TSA was allocated $20 million for VIPR, but the amount to be applied to airport perimeter and access controls security was not separately identified. [D] TSA officials said that they did not track and could not separately identify the estimated costs for perimeter and access control-related activities conducted by the Office of Transportation Sector Network Management in fiscal years 2006 through 2008 because such activities are part of normal staff hour and contractor support costs. According to TSA officials, such activities include those related to SIDA II, the APS pilot program, and security directive development and implementation. [End of table] Airports can receive funding for purposes related to perimeter and access control security via grants awarded through FAA's Airport Improvement Program. TSA officials also told us that the agency generally does not collect or track cost information for airport security efforts funded through the Airport Improvement Program. [Footnote 150] This program is one of the principal sources of funding for airport capital improvements in the United States, providing approximately $3 billion in grants annually to enhance airport capacity, safety, and environmental protection, as well as perimeter security. According to FAA officials, many factors are considered when awarding grants to airports for perimeter security enhancements, although security projects required by statute or regulation receive the highest priority. Projects that receive funding have included computerized access controls for ramps, infrastructure improvements to house central computers, surveillance systems, and perimeter fencing. According to FAA, more than $365 million in airport perimeter and access control-related grants were provided through the Airport Improvement Program for fiscal years 2004 through 2008. TSA officials also told us that the agency does not track funds spent by individual airport operators to enhance or maintain perimeter and access control security. In 2009 the Airports Council International- North America--an aviation industry association--surveyed commercial airports regarding the funding needed for airport capital projects from 2009 to 2013. As part of this effort, the association surveyed airport operators on the amount of funds they planned to expend on airport security as a percentage of their overall budgets.[Footnote 151] The association reported that planned airport operator spending on airport security, as a percentage of total spending, ranged from 3.8 percent (about $2 billion) for large hub airports to 3.9 percent (about $230 million) for small hub airports.[Footnote 152] The association surveys did not include information on the types of security projects undertaken by airports. However, during our site visits we obtained data from selected airport operators on the costs of perimeter and access control security projects they had recently concluded or estimated costs for projects in progress. Examples of airport spending on perimeter and access control security include: * $30 million to install a full biometric access system; * $6.5 million to install an over 8,000-foot-long blast/crash resistant wall along the airport perimeter; * $8 million to install over 680 bollards in front of passenger terminals and vehicle access points; and: * $3 million to develop and install an infrared intrusion detection system. [End of section] Appendix V: TSA Worker Screening Pilot Program: From May through July 2008 TSA implemented worker screening pilots at seven airports in accordance with the Explanatory Statement accompanying the DHS Appropriations Act, 2008 (see table 5 for a summary of text directing the worker screening pilot program). At three airports, TSA conducted 100 percent worker screening--inspections of all airport workers and vehicles entering secure areas; at four others TSA randomly screened 20 percent of workers and tested other enhanced security measures. Screening of airport workers was to be done at either the airport perimeter or the passenger screening checkpoints. TSA was directed to collect data on the methods it utilized, and evaluate the benefits, costs, and impacts of 100 percent worker screening to determine the most effective and cost-efficient method of addressing and deterring potential security risks posed by airport workers. Table 5: Summary of Explanatory Text Directing the Worker Screening Pilot Program: Categories: Funding; Explanatory text: $15,000,000. Categories: Duration; Explanatory text: TSA shall screen all airport workers at three airports for no less than 90 days. Categories: Implementation; Explanatory text: Undertake other screening methods at up to four additional airports. Categories: Alternatives; Explanatory text: Other methods to enhance screening could include physical inspections, behavioral recognition, biometric access controls, cameras, and body imaging. Categories: Data collection; Explanatory text: TSA shall collect data on the benefits, costs, and impacts of 100 percent airport worker screening as well as on the other methods utilized. Categories: Reporting results; Explanatory text: TSA shall report to the Committees on Appropriations of the Senate and House of Representatives on (1) the results of the pilots, including the average wait times at screening checkpoints for passengers and workers; (2) the estimated cost of the infrastructure and personnel necessary to implement a screening program for airport workers at all U.S. commercial service airports in order to meet a 10- minute standard for processing passengers and workers through screening checkpoints; (3) the ways in which the current methods for screening airport workers could be strengthened; and (4) the impact of screening airport workers on other security-related duties at airports; TSA shall provide an interim briefing to the committees on the progress and results of these pilots not later than September 1, 2008. Source: Explanatory Statement accompanying Division E of the Consolidated Appropriations Act, 2008; Pub. L. No. 110-161, 121 Stat. 1844, 2042 (2007), at 1048. [End of table] The enhanced measures that TSA tested at the four airports not implementing 100 percent screening are summarized below: * Employee training: TSA provided a security awareness training video, which all SIDA badgeholders were required to complete. According to TSA, the training intended reduce security breaches by increasing workers' understanding of their security responsibilities and awareness of threats and abnormal behaviors. * Behavioral recognition training: TSA provided funding to participating airports to teach select law enforcement officers and airport personnel to identify potentially high-risk individuals based on their behavior. A condensed version of the SPOT course, this training was intended to equip personnel with skills to enhance existing duties, according to TSA officials. * Targeted physical inspections: TSA conducted random inspections of vehicles and individuals entering the secured areas of airports to increase the coverage of ADASP. Inspections consisted of bag, vehicle, and identification checks; scanning bottled liquids; and random security sweeps of specific airport areas. * Deployment of technology: TSA employed additional technology at selected airports to assist with the screening of employees, such as walk-through and handheld metal detectors, bottled liquid scanners, and explosive detection systems. TSA also tested biometric access control systems at selected airports. [End of section] Appendix VI: Additional TSA Efforts to Improve General Airport Security: VIPR: According to TSA, VIPR operations augment existing airport security activities, such as ADASP, and provide a visual deterrent to terrorist or other criminal activity. VIPR was first implemented in 2005, and according to TSA officials, VIPR operations are deployed through a risk- based approach and in response to specific intelligence information or known threats. In a VIPR operation, TSA officials, including transportation security officers and inspectors, behavioral detection officers, bomb appraisal officers, and federal air marshals work with local law enforcement and airport officials to temporarily enhance aviation security. According to TSA officials, VIPR operations for perimeter and access control security can include random inspections of individuals, property, and vehicles, as well as patrols of secured areas and random checks to ensure that employees have the proper credentials. TSA officials told us that although they do not know how many VIPR deployments have specifically addressed airport perimeter and access control security, from March 2008 through April 2009 TSA performed 1,042 commercial and general aviation airport or cargo VIPR operations. According to TSA officials, the majority of these operations involved the observation and patrolling of secured airport areas and airport perimeters. As of May 2009 TSA officials also said that the agency is in the process of enhancing its VIPR database to more accurately capture and track specific operational objectives, such as enhancing the security of airport perimeters and access controls, and developing an estimated time frame for completing this effort. [Footnote 153] SPOT: Since 2004 TSA has used SPOT--a passenger screening program in which behavior detection officers observe and analyze passenger behavior to identify potentially high-risk individuals--to determine if an individual or individuals may pose a risk to aircraft or airports. Although SPOT was originally designed for passenger screening, TSA officials stated that FSDs can also use behavior detection officers to assess worker behavior as they pass through the passenger checkpoint, as part of random worker screening operations or as part of VIPR teams deployed at an airport. However, TSA officials could not determine how often behavior detection officers have participated in random worker screening or VIPR operations, or identify which airports have used behavior detection officers for random worker screening. According to TSA officials, the agency is in the process of redesigning its data collection efforts and anticipates that it will be able to more accurately track this information in the future, though officials did not provide a time frame for doing so. TSA officials also told us that when participating in random worker screening, behavior detection officers observe workers for suspicious behavior as they are being screened and may engage workers in casual conversation to assess potential threats. According to TSA officials, the agency has provided behavior detection training to law enforcement personnel as part of its worker screening pilot program, as well as to selected airport security and operations personnel at more than 20 airports.[Footnote 154] We currently have ongoing work assessing SPOT, and will issue a report on this program at a later date. Law Enforcement Officer Reimbursement Program: TSA undertakes efforts to facilitate the deployment of law enforcement personnel authorized to carry firearms at airport security checkpoints, and in April 2002, the Law Enforcement Officer Reimbursement Program was established to provide partial reimbursement for enhanced, on-site law enforcement presence in support of the passenger screening checkpoints. Since 2004, the program has expanded to include law enforcement support along the perimeter and to assist with worker screening. According to TSA, the program is implemented through a cooperative agreement process that emphasizes the ability of both parties to identify and agree as to how law enforcement officers will support the specific security requirements at an airport. For example, the FSD, in consultation with the airport operator and local law enforcement, may determine that rather than implementing fixed-post stationing of law enforcement officers, it may be more appropriate to implement flexible stationing of law enforcement officers. TSA may also provide training or briefings on an as-needed basis on relevant security topics, including improvised explosive device recognition, federal criminal statutes pertinent to aviation security, and procedures and processes for armed law enforcement officers. Awards made under the reimbursement program are subject to the availability of appropriated funds, among other things, and are to supplement not supplant state and local funding. According to TSA officials, however, no applicant has been denied funds based on lack of appropriated funds. [End of section] Appendix VII: Alternative Methods Available to Assist TSA in Assessing the Effectiveness of Its Actions to Strengthen Airport Security: Program evaluation methods exist whereby TSA could attempt to assess whether its activities are meeting intended objectives. These methods center on reducing the risk of both external and internal threats to the security of airport perimeters and access controls, and seek to use information and resources available to help capture pertinent information. First, recognizing that there are challenges associated with measuring the effectiveness of deterrence-related activities, the NIPP's Risk Management Framework provides mechanisms for qualitative feedback that although not considered a metric, could be applied to augment and improve the effectiveness and efficiency of protective programs and activities. For example, working with stakeholders--such as airport operators and other security partners--to identify and share lessons learned and best practices across airports could assist TSA in better tailoring its efforts and resources and continuously improving security. Identifying a range of qualitative program information--such as information gathered through vulnerability assessment activities or compliance inspections--could also allow TSA to determine whether activities are effective. As discussed in appendix III, compliance inspections and covert tests could be used to identify noncompliance with regulations or security breaches within designated secured areas. For example, TSA could use covert tests to determine if transportation security officers are following TSA procedures when screening airport workers or whether certain worker screening procedures detect prohibited items. However, in order to improve the usefulness of this technique, we previously recommended to TSA that the agency develop a systematic process for gathering and analyzing specific causes of all covert testing failures, record information on processes that may not be working properly during covert tests, and identify effective practices used at airports that perform well on covert tests.[Footnote 155] Second, as TSA has already begun to do with some activities, it could use data it already collects to identify trends and establish baseline data for a future comparison of effectiveness.[Footnote 156] For example, a cross-sectional analysis of the number of workers caught possessing prohibited items at specific worker screening locations over time, while controlling for variables such as increased law enforcement presence or airport size, could provide insights into what type of security activities help to reduce the possession of prohibited items. Similarly, an examination of airport workers apprehended, fired, or referred to law enforcement while on the job could provide insights into the quality of worker background checks and security threat assessments. Essentially, the these types of analyses provide a useful context for drawing conclusions about whether certain security practices are reasonable and appropriate given certain conditions and, gradually, with the accumulation of relevant data, should allow TSA to start identifying cause-and-effect relationships. Third, according to the Office of Management and Budget (OMB), the use of proxy measures may also allow TSA to determine how well its activities are functioning. Proxy measures are indirect measures or indicators that approximate or represent the direct measure. TSA could use proxy measures to address deterrence, other security goals as identified above, or a combination of both. According to OMB, proxy measures are to be correlated to an improved security outcome, and the program should be able to demonstrate--for example, through the use of modeling--how the proxies tie to the eventual outcome. The Department of Transportation has also highlighted the need for proxy measures when assessing maritime security efforts pertaining to deterrence. For example, according to the Department of Transportation, while a direct measure of access to seaports might be the number of unauthorized intruders detected, proxy measures for seaport access may include related information on gates and guards--combined with crime statistics relating to unauthorized entry in the area of the port--to support a broader view of port security. In terms of aviation security, because failure to prevent a worker from placing a bomb on a plane could be catastrophic, proxy measures may include information on access controls, worker background checks, and confiscated items. Proxy measures could also include information on aircraft operators' efforts to secure the aircraft. In using a variety of proxy measures, failure in any one of the identified measures could provide an indication on the overall risk to security. Lastly, the use of likelihood, or "what-if scenarios," which are used to describe a series of steps leading to an outcome, could allow TSA to assess whether potential activities and efforts effectively work together to hypothetically achieve a positive outcome. For example, the development of such scenarios could help TSA to consider whether an activity's procedures could be modified in response to identified or projected changes in terrorist behaviors, or if an activity's ability to reduce or combat a threat is greater if used in combination with other activities. [End of section] Appendix VIII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: September 24, 2009: Mr. Steve Lord: Director: Homeland Security & Justice: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Lord: Thank you for the opportunity to comment on the draft report: "Aviation Security-A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls" (GAO-09-399SU). The Transportation Security Administration (TSA) appreciates the U.S. Government Accountability Office's (GAO) work in planning, conducting, and issuing this report. As provided in the draft report, the foundation of TSA's national strategy is that each of the Agency's security actions serves as a layer. When the layers are used in a combined approach, there is an exponential increase in deterrence and detection capability. As the GAO is aware, TSA provides regulatory oversight of U.S. commercial airport operator security programs, of which access control and perimeter security are components. TSA does not directly fund or provide perimeter security or access controls for commercial airports. As the Agency continually enhances the layers of security specific to commercial airports, we rely on strategic partnerships with our stakeholders, including individual airports and their professional associations, to ensure we obtain their understanding and support of TSA efforts toward development of biometric access control systems, perimeter security improvements, employee screening, security directives, and risk assessment methodologies. Our commitment to ongoing communication and collaboration with the airport industry continues to assist TSA in enhancing the security of our Nation's commercial airports allowing the Agency to achieve continued progress toward Congressional requirements. In support of our overarching national strategy and our commitment to work in partnership with the airport industry, TSA utilizes several risk assessment and methodology tools, including the National Infrastructure Protection Plan (NIPP) and the Transportation Systems Sector-Specific Plan (TS-SSP), which support TSA requirements as pertains to the Homeland Security Presidential Directive (HSPD) -7 and the Homeland Security Act of 2002. As GAO acknowledged in the draft report, the NIPP characterizes risk as a function of threat, vulnerability, and consequence (TVC). In support of the NIPP, the TSA also utilizes the Aviation Domain Risk Analysis (ADRA) and Joint Vulnerability Assessments (JVAs). Specific to framing the Agency's approach to U.S. commercial airport access control and perimeter security, we rely on three products: daily intelligence briefings, weekly suspicious incident reports, and situational awareness reports. These specific products are shared with internal and external stakeholders, which affirm our ongoing commitment to work in collaboration and partnership with the commercial airport industry. TSA agrees with GAO in that continued collaboration with our airport industry stakeholders and improvements to risk assessment processes will better focus the Agency's National strategy for U.S. commercial airport security. Since its inception, the Agency has made significant progress toward enhancing airport access control and perimeter security systems, as well as strengthening our risk assessment methodologies and tools. We would like to specifically address a comment we feel is inaccurate. In the Highlights summary, GAO states that TSA "has not conducted vulnerability assessments for 87 percent of the Nation's approximately 450 commercial airports." While the full report correctly addresses the scope of joint vulnerability assessments, it is not accurate to expand the issue to all types of assessments and all airports. As GAO is aware, every TSA regulated commercial service airport must have a TSA- approved Airport Security Program (ASP) covering personnel, physical and operational security measures. The ASP is reviewed on a regular basis by TSA's Federal Security Directors, including a review of security measures applied at the perimeter. In addition, a wide array of TSA activity takes place at airports to expose and reduce vulnerability beyond the use of joint vulnerability assessments, the gold standard for perimeter assessments. This statement as written excludes this activity and inaccurately describes the state of security at our commercial service airports. In conclusion, TSA will continue to work in collaboration with our commercial airport stakeholders and refine our risk assessment methodologies and tools so that the Agency may better support its established national strategy. Our ongoing progress demonstrates our commitment to continuous improvement to ensure the security of the traveling public and commercial airports. In support of this, the Agency concurs with all of the GAO's recommendations and offers the following responses to the specific recommendations. Recommendation 1: Develop a comprehensive risk assessment for airport perimeter and access control security, along with milestones (i.e., time frames) for completing the assessment that (1) uses existing threat and vulnerability assessment activities, (2) includes consequence analysis, and (3) integrates all three elements of risk- threat, vulnerability, and consequence. * As part of this effort, evaluate whether the current approach to conducting Joint Vulnerability Assessments appropriately and reasonably assesses systems vulnerabilities, and whether an assessment of security vulnerabilities at airports nationwide should be conducted. * If the evaluation demonstrates that a nationwide assessment should be conducted, TSA should develop a plan that includes milestones for completing the nationwide assessment. As part of this effort, TSA should also leverage existing assessment information from industry stakeholders, to the extent feasible and appropriate, to inform its assessment. Concur: The Transportation Security Administration (TSA) will accomplish this task by conducting a comprehensive risk assessment that addresses security across the sector, including the aviation domain. Within that mode, this risk assessment will address nine access control/perimeter security scenarios. TSA is using the Transportation Sector Security Risk Assessment tool to conduct the assessment, and the assessment is being scoped at the national level. TSA began this assessment in early 2009. The assessment relies on existing assessments, to include Joint Vulnerability Assessments (JVAs), which are intended to provide one of several perspectives in an overall risk assessment. The assessment also includes consequence analysis and integrates all three risk elements. TSA anticipates providing the results of this assessment to Congress by January 2010. TSA notes that JVAs are intended to provide one component of the overall risk assessment. JVAs alone are not intended to provide a complete and/or full risk assessment of our Nation's airports. Recommendation 2: Ensure that future airport security pilot program evaluation and implementation efforts include a well-developed and documented evaluation plan that includes: * measureable objectives, * criteria or standards for determining program performance, * a clearly articulated methodology, * a detailed data collection plan, and, * a detailed analysis plan. Concur: TSA concurs with the GAO recommendation for future pilot programs involving airport perimeter and access control systems. Recommendation 3: Develop milestones for meeting statutory requirements, in consultation with appropriate aviation industry stakeholders, for establishing system requirements and performance standards for the use of biometric airport access control systems. Concur: Although the mandatory use of biometric airport access control systems is not required by statute, TSA is still considering whether or not it will mandate the use of biometric airport access control systems. In the interim, TSA continues to encourage airport operators, via voluntary measures, to utilize biometrics in their credentialing and access control systems. As to establishing milestones, TSA will continue to work in collaboration with the airport industry toward the continued development and refinement of existing biometric airport access control standards. As noted in the draft report, TSA did work in collaboration with the industry, specific to development of biometric access control standards, which resulted in the publication of RTCA DO- 230B, titled Integrated Security System Standard_ for Airport Access Control, dated June 19, 2008. Recommendation 4: Develop milestones for establishing agency procedures for reviewing airport perimeter and access control requirements imposed through security directives. Concur: Milestones for establishing Agency procedures for reviewing airport perimeter and access control requirements imposed through security directives (SDs) are necessary. However, TSA must maintain its flexibility in processing those SDs, as some of the security issues addressed in these documents have greater implications than others. TSA has issued SDs as a means to immediately mitigate risk in the aviation sector. Over the years, there have been risks that have arisen that required action in a manner quicker than the rule making process would allow. For example, the issuance of an SD limiting liquids, gels, and aerosols in commercial airport sterile areas, issued in August 2006, was developed as a result of intelligence revealing a direct and immediate threat to the traveling public. Unfortunately, that threat, like others, has not gone away, hence the need to sustain the SD. In more recent times, an SD was issued in December of 2008 on the subject of airport employee badging procedures. This directive had the U.S. Department of Homeland Security level impetus and was issued as a result of significant security issues identified nationwide at commercial airports. This SD was coordinated with industry through a non-disclosure procedure and reviewed before it was issued. In this instance, there was ample time to allow for that level of coordination. The SD issuance procedures include an internal TSA review and an evaluation of TSA's legal authority to issue SDs. The procedure also takes into consideration the industry's ability to carry out the security measures to mitigate the threat while continuing operations and meeting the needs of the public. SDs are revised as necessary, and reflective of changed conditions and/or airport stakeholder feedback. Recommendation 5: To better ensure a unified approach among airport security stake holders for developing, implementing, and assessing actions for securing airport perimeters and access to controlled areas, TSA should develop a national strategy for airport security that incorporates key characteristics of effective security strategies, including: * Measurable goals, priorities, and performance measures. TSA should also consider using information from other methods, such as covert testing and proxy measures, to gauge progress toward achieving goals. * Program cost information and the sources and types of resources needed TSA should also identify where those resource would be most effectively applied by exploring ways to develop and implement cost- benefit analysis to identify the most cost-effective alternatives for reducing risk. * Plans for coordinating activities among stakeholders, integrating airport security goals and activities with those of other aviation security priorities, and implementing security activities within the agency. Concur: TSA will accomplish this task by updating the Transportation Systems Sector Specific Plan, a document which subsumes the National Strategy for Transportation Security, which, in turn, includes airport security within its scope. This plan includes measurable goals, priorities, and performance measures, as well as cost information. TSA will socialize the document with its Sector Coordinating Councils (SCC) while it is in draft form, and will receive SCC concurrence before finalizing the document. TSA expects to release this updated document in the summer of 2010. An example of TSA's efforts to work toward a national strategy is the Compliance and Enforcement Program supported by the Transportation Security Inspection (TSI) function. Inspections of commercial airports are conducted on a regular basis and are based on Title 49, Code of Federal Regulations (CFR), Part 1542, which outlines the security measures a commercial airport must implement for Federal compliance. To ensure compliance and to provide a foundation for our national strategy. TSA has initiated several mechanisms to airport security goals and activities with those of other security priorities, as well as implementing security activities within the Agency. TSA Headquarters (HQ) accomplishes this by holding monthly teleconferences with commercial airport representatives and airport associations in which perimeter and access to controlled areas is often discussed. In addition, it manages an industry web board on which guidance and direction are posted in a timely manner. Another example of coordination would be the management of a commercial airport electronic mailbox that allows for the submission of questions directly to HQ. On the local level, each federal Security Director has a stakeholder manager or liaison on staff to ensure coordination of security activities. Thank you for the opportunity to provide comments to the draft report. Sincerely, Signed by: Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix IX: GAO Contact and Staff Acknowledgments: GAO Contact: Stephen M. Lord (202) 512-4379 or lords@gao.gov: Acknowledgments: In addition to the contact named above, Steve Morris, Assistant Director, and Barbara Guffy, Analyst-in-Charge, managed this assignment. Scott Behen, Valerie Colaiaco, Dorian Dunbar, Christopher Keisling, Matthew Lee, Sara Margraf, Spencer Tacktill, Fatema Wachob, and Sally Williamson made significant contributions to the work. Chuck Bausell, Jr. provided expertise on risk management and cost-benefit analysis. Virginia Chanley and Michele Fejfar assisted with design, methodology, and data analysis. Thomas Lombardi provided legal support; Elizabeth Curda and Anne Inserra provided expertise on performance measurement; and Pille Anvelt developed the report's graphics. [End of section] Footnotes: [1] See, for example, Department of Homeland Security, Office of the Inspector General, TSA's Security Screening Procedures for Employees at Orlando International Airport and the Feasibility of 100 Percent Employee Screening (Revised for Public Disclosure), OIG-09-05 (Washington, D.C., Oct. 28, 2008). [2] In general, civil aviation includes all nonmilitary aviation operations, including scheduled and chartered air carrier operations, cargo operations, and general aviation, as well as the airports servicing these operations (including commercial airports). [3] Access controls can include security measures such as pedestrian and vehicle gates, keypad access codes that use personal identification numbers, magnetic stripe cards and readers, fingerprint readers or other biometric technology, turnstiles, locks and keys, and security personnel. [4] See Pub. L. No. 107-71, 115 Stat. 597 (2001). [5] In this report, "airport workers" refers to any individuals employed at an airport who require access to areas not otherwise accessible by the general traveling public, including individuals directly employed by the airport operator as well as individuals employed by retail, air carrier, maintenance, custodial, or other entities operating on airport property. In addition, "airport security" refers specifically to airport perimeter and access control security, which we use interchangeably, and "commercial airport" refers to a U.S. airport operating under a TSA-approved security program that services air carriers with regularly scheduled passenger operations. [6] GAO, Aviation Security: Further Steps Needed to Strengthen the Security of Commercial Airport Perimeters and Access Controls, [hyperlink, http://www.gao.gov/products/GAO-04-728] (Washington, D.C.: June 4, 2004). [7] In the context of risk management, "risk-based" and "risk-informed" are often used interchangeably to describe the related decision-making processes. However, according to the DHS Risk Lexicon, risk-based decision making uses the assessment of risk as the primary decision driver, while risk-informed decision making may consider other relevant factors in addition to risk assessment information. Because it is an acceptable DHS practice to use other information in addition to risk assessment information to inform decisions, we have used "risk- informed" throughout this report. [8] The NIPP provides a unifying structure for the integration of a range of efforts for the protection and resilience of the nation's critical infrastructure and key resources. [9] Explanatory Statement accompanying Division E of the Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, 121 Stat. 1844, 2042 (2007). The Statement refers to these pilot projects as airport employee screening pilots. However, for the purposes of this report, we use "worker screening" to refer to the screening of all individuals who work at the airport and require access beyond public areas, such as vendor, airport, air carrier, and maintenance employees. According to TSA, it expended about $8 million to design, implement, and evaluate this pilot program. [10] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress (Washington, D.C., July 7, 2009). [11] TSA developed the TS-SSP to conform to NIPP requirements, which required TSA and other sector-specific agencies to develop strategic risk management frameworks for their sectors that aligned with NIPP guidance. [12] GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91] (Washington, D.C.: Dec. 15, 2005); Risk Management: Strengthening the Use of Risk Management Principles in Homeland Security, [hyperlink, http://www.gao.gov/products/GAO-08-904T] (Washington, D.C.: June 25, 2008); and Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C.: Mar. 27, 2009). [13] In prior work we identified a set of desirable characteristics to aid responsible parties in further developing and implementing national strategies--and to enhance their usefulness in resource and policy decisions and to better ensure accountability. For a more detailed discussion of these characteristics, see GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3, 2004). [14] [hyperlink, http://www.gao.gov/products/GAO-04-728]. [15] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress. [16] See GAO, Internal Control: Standards for Internal Controls in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), and Tax Administration: IRS Needs to Strengthen Its Approach for Evaluating the SRFMI Data-Sharing Pilot Program, [hyperlink, http://www.gao.gov/products/GAO-09-45] (Washington, D.C.: Nov. 7, 2008). [17] According to these industry associations, their combined membership includes thousands of airport management personnel, and represents approximately 95 percent of domestic airline passenger and air cargo traffic in North America. [18] FSDs are the ranking TSA authorities responsible for leading and coordinating TSA security activities at the nation's more than 450 commercial airports. [19] TSA classifies the nation's approximately 450 commercial airports into one of five categories (X, I, II, III, and IV) based on various factors, such as the number of take-offs and landings annually, the extent of passenger screening at the airport, and other security considerations. In general, Category X airports have the largest number of passenger boardings, and Category IV airports have the smallest. [20] We also discussed with airport officials additional employee screening methods that had been implemented at two of the airports we visited. [21] On an ongoing basis, TSA must assess and test for compliance with access control requirements. See 49 U.S.C. § 44903(g)(2)(D). [22] Covert tests are any test of security systems, personnel, equipment, and procedures to obtain a snapshot of the effectiveness of airport passenger security checkpoint screening, checked baggage screening, and airport access controls to improve airport performance, safety, and security. [23] Most commercial airports discussed in this report, which are those servicing domestic and foreign air carriers with regularly scheduled passenger operations, operate under "complete" security programs. See 49 C.F.R. § 1542.103(a). "Supporting" and "partial" security programs generally apply to airports servicing smaller air carrier operations and contain fewer requirements. See § 1542.103(b), (c). In general, security programs may be amended, with TSA approval, provided that the proposed amendment provides the requisite level of security, among other things. See § 1542.105. [24] See § 1542.103(a). [25] For the purposes of this report "secured area" is used generally to refer to areas specified in an airport security program that require restricted access, including the SIDA, the AOA, and the sterile area. While security measures governing access to such areas may vary, in general a SIDA is an area in which appropriate identification must be worn, an AOA is an area providing access to aircraft movement and parking areas, and a sterile area provides passengers access to boarding aircraft and is an area to which access is generally controlled by TSA or a private screening entity under TSA oversight. See 49 C.F.R. § 1540.5. [26] At airports participating in TSA's Screening Partnership Program (SPP), employees of private companies under contract to TSA perform screening operations, with TSA oversight. See 49 U.S.C. § 44920. For more information on the SPP, see GAO, Aviation Security: TSA's Cost and Performance Study of Private-Sector Airport Screening, [hyperlink, http://www.gao.gov/products/GAO-09-27R] (Washington, D.C: Jan. 9, 2009). [27] According to a TSA official, a breach of security does not necessarily mean that a threat existed or was successful. The significance of a breach must be considered in light of several factors, including the intent of the perpetrator and whether existing security measures and procedures successfully responded to, and mitigated against, the breach so that no harm to persons, facilities, or other assets resulted. [28] Transportation Security Administration, Reporting Security Incidents Via PARIS, Operations Directive OD-400-18-1 (Washington, D.C., Dec. 16, 2005). According to TSA officials, these reporting requirements (1) allow FSDs to better distinguish between different types of security breaches and other incidences, (2) reflect changes in data collection methods, and (3) provide for greater accuracy in the reporting of security incidences. [29] See [hyperlink, http://www.gao.gov/products/GAO-09-492], and GAO, Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector, [hyperlink, http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: Feb. 27, 2009); Highway Infrastructure: Federal Efforts to Strengthen Security Should Be Better Coordinated and Targeted on the Nation's Most Critical Highway Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: Jan. 30, 2009); Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts, [hyperlink, http://www.gao.gov/products/GAO-07-225T] (Washington, D.C.: Jan. 18, 2007); and Transportation Security: Systematic Planning Needed to Optimize Resources, [hyperlink, http://www.gao.gov/products/GAO-05-357T] (Washington, D.C.: Feb. 15, 2005). [30] "Modes of transportation" refers to the different means that are used to transport people or cargo. There are six modes of transportation: aviation, maritime, mass transit, highway, freight rail, and pipeline. [31] HSPD-7 specifically directed the Departments of Transportation and Homeland Security to collaborate on all matters relating to transportation security and transportation infrastructure protection. [32] In the context of the NIPP, risk is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. The NIPP framework calls for risk to be assessed from any scenario as a function of threat, vulnerability, and consequence. Once the three components of risk have been assessed, they must be integrated into a defensible model to produce a risk estimate. The NIPP allows an agency to determine whether to assess the risk to an asset, system, network, or function, depending on the characteristics of the infrastructure being examined. TSA has adopted a systems-based approach to risk assessment. [33] According to the NIPP, the national Critical Infrastructure and Key Resources Protection Program is designed to reduce the vulnerability of critical infrastructure and key resources in order to deter and mitigate terrorist attacks. The program identifies, prioritizes, and coordinates the protection of critical infrastructure and key resources with an emphasis on those that could be exploited to cause catastrophic health effects or mass casualties, which would be comparable to those resulting from a weapon of mass destruction. [34] As updated in 2009, the NIPP states that to be complete a risk assessment is to assess threat, vulnerability, and consequence for every defined risk scenario. However, because the original 2006 version of the NIPP described risk assessments that included all three components as "credible," our previous reports use this term rather than "complete" (e.g., see GAO-09-492). [35] See [hyperlink, http://www.gao.gov/products/GAO-09-492]. [36] The ADRA is part of TSA's effort to meet the requirements of HSPD- 16, National Strategy for Aviation Security, which assigned roles and responsibilities to federal stakeholders, including the Secretaries of Homeland Security, State, Defense, Commerce, Energy, and Transportation; the Attorney General; and the Director of National Intelligence, and called for coordination with state, local, and tribal governments and the private sector, to optimize and integrate governmentwide aviation security efforts. [37] Commercial aviation includes that sector of the nation's civil aviation system that provides for the transportation of individuals by scheduled or chartered operations for a fee, including air carriers and airports. General aviation encompasses all civil aviation other than commercial and military operations, including flight operations such as personal/family transportation, emergency services, wildlife and land surveys, traffic reporting, agricultural aviation, firefighting, and law enforcement. Air cargo is defined as cargo carried on passenger and all-cargo aircraft. [38] The ADRA is to have three parts: (1) assessments of over 130 terrorist attack scenarios and the extent to which they pose a threat, (2) assessments of known vulnerabilities through which these terrorist attacks could be carried out, and (3) assessments of the consequences of the attack scenarios. TSA officials stated that the primary source for the scenarios included professional judgment of subject matter experts, intelligence information on potential threats, and other information. [39] The Project Management Institute, The Standard for Program Management© (Newtown Square, Penn., 2006). [40] For the purposes of estimating risk, according to the NIPP, the threat of an intentional adverse event is generally estimated as the likelihood of such an event; in the case of terrorist attacks, the likelihood is estimated based on the intent and capability of the adversary. [41] Daily intelligence briefings include a 24-hour snapshot of transportation-related intelligence based on TSA operational reports and other sources. These briefings are used internally by TSA and by other agencies. TSA also provides weekly analysis of suspicious activities and surveillance directed against all transportation modes, which it disseminates within the agency and to other law enforcement agencies. In addition, TSA provides in-depth analysis on specific topics within transportation modes, which may be used to provide situational awareness of an ongoing or recent event. [42] Transportation Security Administration, Civil Aviation Threat Assessment (Washington, D.C., Dec. 30, 2008). The other three threat types discussed in the 2008 assessment are the threat from standoff weapons (such as antitank weapons), which pose a threat to the AOA; the threat from outside the airport perimeter; and the threat of a perimeter breach, which terrorists may see as an attractive target. [43] TSA's 2007 Threat Assessment also included this conclusion of the insider threat, and the 2006 Threat Assessment characterized the insider threat as "very dangerous." According to the 2008 assessment, the insider is considered extremely difficult to counter because of the individual's position of trust. [44] According to TSA officials, the risk that insiders will do damage to an airport or aircraft--which they refer to as insider risk--is perceived as both a threat and vulnerability. [45] [hyperlink, http://www.gao.gov/products/GAO-09-492]. [46] See Pub. L. No. 108-458, § 1019, 118 Stat. 3638, 3671-72 (2004) (requiring the Director of National Intelligence to assign an individual or entity with responsibility for ensuring that finished intelligence products produced by any element or elements of the intelligence community, which includes the Federal Bureau of Investigation, Central Intelligence Agency, and Defense Intelligence Agency, are timely, objective, independent of political consideration, and employ the standards of proper analytic tradecraft). See also Intelligence Community Directive 203 (June 2007) (establishing the Intelligence Community Analytic Standards). The directive provides that each analytic product "properly caveats and expresses uncertainties or confidence in analytic judgments. Analytic products should indicate both the level of confidence in analytic judgments and explain the basis for ascribing it. Sources of uncertainty--including information gaps and significant contrary reporting--should be noted and linked logically and consistently to confidence levels in judgments. As appropriate, products should also identify indicators that would enhance or reduce confidence or prompt revision of existing judgments." [47] [hyperlink, http://www.gao.gov/products/GAO-09-492. [48] The NIPP states that this analysis is to also take into consideration factors such as protective measures that are in place that may reduce the risk of an attack, and is to include estimates of the likelihood of success for each attack scenario. [49] [hyperlink, http://www.gao.gov/products/GAO-04-728]. [50] TSA and the FBI are to conduct joint threat and vulnerability assessments at each high-risk U.S. airport at least every 3 years. See 49 U.S.C. § 44904(a)-(b). See also Pub. L. No. 104-264, § 310, 110 Stat. 3213, 3253 (1996) (establishing the requirement that FAA and the FBI conduct joint threat and vulnerability assessments). Pursuant to ATSA, responsibility for conducting the joint assessments transferred from FAA to TSA. According to FBI officials, the agency's role in JVAs is to develop a national-level threat assessment for each selected airport and provide it to TSA for comparison with the TSA vulnerability assessment, to identify areas of imminent vulnerability. [51] See GAO-04-728. TSA's criteria give first priority to airports identified as critical infrastructure by DHS's Office of Infrastructure Protection. Second priority is given to airports that are to support a National Security Special Event, such as the Republican or Democratic National Conventions, or an event of national significance (e.g., the Super Bowl). Third priority is given to airports whose FSDs have requested a JVA, or those that TSA Headquarters has identified as needing a JVA. According to TSA officials, FSD requests are usually prompted by changes in airport environment--such as construction--while TSA headquarters requests are in response to specific threats, such as those identified by TSA. [52] From fiscal years 2004 through 2008, 10 airports received 2 JVAs. [53] Transportation Security Administration, "Our Security Strategy: Systems-Based Perspective." TSA characterizes transportation systems as being subject to "cascading failures," where small changes in one part of the system can sometimes lead to large consequences. This is of particular concern in systems like the airport network, which are highly interconnected and interdependent. In the past, terrorists have sought to inflict maximum damage relative to their efforts by attacking parts of the aviation system that would lead to cascading failure. [54] Of the 67 JVAs conducted at 57 airports from fiscal years 2004 through 2008, 58--or 87 percent--were for Category X and I airports. Of the remaining 9 assessments, 6 were at Category II airports, 1 at a Category III airport, and 2 at Category IV airports. [55] The category designation of some airports has changed since they received a JVA; in these cases, we used the category designation assigned at the time of the JVA. For the total number of airports in each category, we used TSA data as of June 1, 2009. [56] See [hyperlink, http://www.gao.gov/products/GAO-04-728]. We also reported that according to TSA this baseline analysis would allow the agency to determine minimum standards and the adequacy of airport security policies. [57] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Third Edition (Newtown Square, Penn., 2006). [58] We discussed this issue with officials from seven Category X airports, one Category I airport, one Category II airport, and one Category III airport; however, we did not obtain documentation to verify this information. [59] Project Management Institute, The Standard for Program Management©. [60] [hyperlink, http://www.gao.gov/products/GAO-04-728]. [61] Many of TSA's security layers have direct application to airport perimeter and access control security, while some layers apply to other aspects of aviation security, such as hardened cockpit doors, and also to the security of other modes of transportation, such as rail and mass transit. In commenting on a draft of this report, TSA officials noted that in December 2008 the agency implemented "Playbook," a program that authorizes FSDs to carry out variable and unpredictable combinations of operations--or security layers--to address the threat environment at airports. TSA officials consider this program to be an additional layer of security, which is applied to all areas of an airport. [62] Specifically, the Explanatory Statement directed TSA to pilot various methods for screening airport employees at seven airports, and that all employees be screened at three of the selected airports. [63] TSA officials told us that the agency has two additional initiatives in development that are intended to strengthen airport security. The first, called SIDA II, is intended to reassess the security of airport secured areas and has been under development for 3 years. The second initiative was the "5-Point Plan" intended to mitigate risks posed by airport workers with enhanced screening measures. However, this initiative was conceived before TSA was directed to implement the worker screening pilot projects, and TSA officials said that the agency is waiting to reassess this effort after the results of the pilot projects are finalized. [64] The Explanatory Statement specifically directed TSA to pilot various methods to screen airport employees (referred to in this report as workers) at a total of seven airports, including 100 percent screening of airport employees at three of the airports for not less than 90 days. At two airports TSA conducted 100 percent worker screening at the passenger screening checkpoint, and one airport conducted 100 percent screening at specifically designated access points in combination with biometric access controls. The enhanced screening methods conducted at four other airports consisted of employee security awareness training, behavioral recognition training, random targeted physical inspections of vehicles and airport workers, new technology, and enhancement of security threat assessment background data checks. [65] The Secretary of Homeland Security established HSI pursuant to section 312 of the Homeland Security Act of 2002. See 6 U.S.C. § 192. [66] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress. [67] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress. [68] This airport did not perform complete 100 percent worker screening because of resource constraints. [69] A magnetometer is an instrument used to detect prohibited materials. [70] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress. [71] HSI reported that for those airports conducting random worker screening, it was difficult to determine the number of unique individuals screened; for the purposes of the pilot analysis, HSI used the number of screening "events" as a rough proxy for the number of workers screened. [72] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. Internal control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. [73] GAO, Designing Evaluations, [hyperlink, http://www.gao.gov/products/GAO/PEMD-10.1.4] (Washington, D.C.: May 1991). [74] [hyperlink, http://www.gao.gov/products/GAO-09-45]. [75] Specifically, GAO-09-45 reported that a sound, well-developed and documented evaluation plan includes, at minimum, (1) well-defined, clear, and measurable objectives; (2) criteria or standards for determining pilot program performance; (3) clearly articulated methodology, including sound sampling methods, determination of appropriate sample size for the evaluation design, and a strategy for comparing the pilot results with other efforts; (4) a clear plan that details the type and source of data necessary to evaluate the pilot, methods for data collection, and the timing and frequency of data collection; and (5) a detailed data analysis plan to track the program's performance and evaluate the final results of the project. [76] HSI defined confiscated items, or "items of interest," as those which TSA did not allow to pass through screening and the possession of which resulted in legal action, disciplinary action, or both against the worker. [77] HSI reported that seven items of interest were confiscated. [78] HSI reported that the incident rate--the number of items of interest confiscated compared to the number of workers screened--at both 100 percent and random worker screening airports was less than during the previous 3 months of screening under ADASP, TSA's random screening program. [79] TSA officials said that although FSDs and others had long recognized the threat posed by airport workers, it was considered a "known and accepted risk." According to these officials, when FSDs raised concerns about the insider threat before 2005, they were told that background checks performed on airport workers were a sufficient safeguard against insider risk. [80] According to TSA officials, although practices for scheduling ADASP operations vary by airport location, usually FSDs judgmentally schedule them on a staggered and unpredictable basis, varying the time of day, location, and duration. Transportation Security Officers (TSO) typically screen each worker who enters the secured area during these operations, along with property, vehicles, or both, but they may instead decide to screen workers according to a predetermined pattern, such as every second worker. Under TSA procedures, screening locations do not need to cover all access points within an airport, and workers may use alternative entry points to avoid ADASP screenings. [81] TSA officials also told us that from 2001 through 2006, some airports conducted random worker screening activities similar to ADASP. [82] Department of Homeland Security, Office of the Inspector General, TSA's Security Screening Procedures for Employees at Orlando International Airport and the Feasibility of 100 Percent Employee Screening. [83] See [hyperlink, http://www.gao.gov/products/GAO-04-728]. We recommended that TSA determine if and when additional security requirements are needed to reduce the risk posed by airport workers, such as additional background check information. [84] In accordance with 49 U.S.C. § 44936, TSA requires airports and air carriers to conduct fingerprint-based records checks for all workers seeking unescorted access to secured areas (which may or may not include the AOA). See 49 C.F.R. §§1542.209, and1544.229. However, TSA requires only STAs for airport workers who apply for unescorted access to an AOA that is not designated as a SIDA. [85] See GAO-04-728. One issue we raised in 2004 was that of recurrent background checks, and in October 2008, the DHS OIG recommended that TSA mandate recurrent CHRCs and financial records checks for workers with unescorted access to secured areas (see Department of Homeland Security, Office of the Inspector General, TSA's Security Screening Procedures for Employees at Orlando International Airport and the Feasibility of 100 Percent Employee Screening). TSA stated that it is working on standards for recurrent CHRCs. However, TSA officials said that they do not have evidence that financial problems are a predictor of terrorist activity, so the agency does not plan to require financial records checks. [86] See 49 C.F.R. § 1542.209(d) (listing 28 offenses that if resulting in a conviction or a verdict of not guilty by reason of insanity within 10 years before the individual applies for unescorted access authority or while the individual has unescorted access authority, would disqualify or revoke that individual's access authority). See also 49 U.S.C. § 44936(b). [87] See 49 U.S.C. § 44936(a)(1)(B)(iii). [88] Biometrics are measurements of an individual's unique characteristics, such as fingerprints, irises, and facial characteristics, used to verify identity. [89] Among other things, the Intelligence Reform and Terrorism Prevention Act of 2004 directed TSA, in consultation with representatives of the aviation industry, the biometric identifier industry, and the National Institute of Standards and Technology, to establish, at a minimum, (1) comprehensive technical and operational system requirements and performance standards for the use of biometric identifier technology in airport access control systems, (2) a list of products and vendors that meet these requirements, (3) procedures for implementing biometric identifier systems, and (4) best practices for effectively incorporating biometric identifier technology into airport access control systems, including a process to best utilize existing systems and infrastructure. See Pub. L. No. 108-458, § 4011, 118 Stat. 3638, 3712-14 (2004) (codified at 49 U.S.C. § 44903(h)(5)). ATSA also addressed the use of biometric technology to strengthen access control points in secured areas to ensure the security of passengers and aircraft and to consider the deployment of biometric or similar technologies. See 49 U.S.C. § 44903(g)(2)(G), (h)(4)(E). [90] Department of Homeland Security, Office of the Inspector General, TSA's Security Screening Procedures for Employees at Orlando International Airport and the Feasibility of 100 Percent Employee Screening. In this report the DHS OIG recommended that TSA alter regulatory requirements to mandate a phasing in of biometric access controls; according to the report, TSA agreed with this recommendation. [91] Rule making is a process used by federal agencies to develop, impose, and oversee requirements, and generally affords the regulated entities and other interested parties the opportunity to participate in the process, for example, through public hearings or comment periods. See generally 5 U.S.C. § 553. [92] The security directive provides that TSA encourages the implementation and use of airport biometric access control systems aligned with Federal Information Processing Standards 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors." (National Institute of Standards and Technology, March 2006.) [93] RTCA, Inc., Integrated Security System Standards for Airport Access Control, DO 230-B (Washington, D.C., June 19, 2008). These standards provide guidelines for procuring, designing, and implementing access control systems, including testing and evaluating system performance. They also identify, among other things, requirements for physical access controls, video surveillance, security operating centers, intrusion detection, and communications infrastructure. (RTCA, Inc., was formerly known as the Radio Technical Commission for Aeronautics.) [94] In May 2008, TSA issued ACIS technical specifications to the airport industry, which describe the ACIS system components and requirements, for comment; according to TSA officials, these specifications also discuss many of the technical issues that the agency will consider in establishing standards. As of May 2009, funds had not been appropriated or directed specifically to this initiative, and TSA officials could not provide further information as to the implementation of ACIS. [95] Project Management Institute, The Standard for Program Management©, and A Guide to the Project Management Body of Knowledge (PMBOK® Guide). [96] [hyperlink, http://www.gao.gov/products/GAO-04-728]. [97] According to TSA officials, the agency established AACPP and APS in response to provisions originally enacted through ATSA. See Pub. L. No.107-71 § 106(d), 115 Stat. at 610 (codified at 49 U.S.C. § 44903(c)(3)). [98] The Conference Report accompanying the DHS Appropriations Act, 2006, Pub. L. No. 109-90, 119 Stat. 2064 (2005), allocated $5 million for competitive awards to airports to enhance perimeter security. See H.R. Conf. Rep. No. 109-241, at 54 (2005). [99] See Pub. L. No. 107-71 § 106(b), 115 Stat. at 609. [100] According to TSA officials, security directives have been the primary means by which the agency imposes security requirements on commercial airports, in addition to measures implemented through the airport operators' TSA-approved security programs. For this reason, we focused our review on requirements related to perimeter and access control security established through security directives. TSA may also impose requirements by amending air carrier security programs and more immediately by issuing emergency amendments to such programs. See, e.g., 49 C.F.R. § 1542.105(d). [101] See 49 C.F.R. § 1542.303. [102] TSA officials told us that although they have not performed cost- benefit analysis when developing perimeter and access control security requirements through security directives, they have considered relevant costs as well as security benefits. However, they could not provide documentation or examples of instances in which they had considered relevant costs as well as security benefits. [103] Consistent with TSA regulation and as provided for in TSA-issued security directives and emergency amendments, TSA provides regulated entities with an option to request permission to use alternative measures in place of those more specifically imposed by a security directive or emergency amendment. See, e.g., 49 C.F.R § 1542.303(d). For example, from September 2003 through December 2008 TSA received 42 requests for alternatives to requirements imposed through security directives and emergency amendments--TSA officials approved 32 of these requests and denied 9, with 1 remaining pending as of December 2008. (These data do not include the period from August 16, 2006, through September 30, 2006; TSA did not provide data for this period.) [104] These concerns represent the views of airport operators and industry officials we contacted. We did not independently verify their statements. [105] This assumes that access privileges for airport and air carrier workers apply to the same or comparable secured areas. [106] Our review of the 25 security directives and emergency amendments, however, shows that many of the directives and emergency amendments have been amended one or more times since issuance. [107] Project Management Institute, The Standard for Program Management©. [108] See Pub. L. No. 107-71, § 101(a), 115 Stat. at 600-01 (codified as amended at 49 U.S.C. § 114(l)). [109] The TSOB is responsible for, among other things, reviewing and either ratifying or disapproving any regulation or security directive issued by TSA under § 114(l)(2) within 30 days after the date of issuance. See 49 U.S.C. § 115. The TSOB, which is composed of seven cabinet-level members or their designees--the Secretary of Homeland Security (who serves as the chairperson), the Secretary of Transportation, the Attorney General, the Secretary of Defense, the Secretary of the Treasury, the Director of the Central Intelligence Agency, and one member appointed by the President to represent the National Security Council--is to meet at least quarterly, though DHS could not tell us the number of times the TSOB has met since it was established. [110] See, e.g., 49 C.F.R. §§ 1542.303 (authorizing the issuance of security directives to airport operators) and 1544.305 (authorizing the issuance of security directives to air carriers). FAA possessed and exercised the same authority when it was responsible for aviation security, before the creation of TSA. See 66 Fed. Reg. 37,274 (July 17, 2001) (establishing FAA's authority to issue security directives to airport operators) and 54 Fed. Reg. 28,982 (July 10, 1989) (establishing FAA's authority to issue security directives to aircraft operators). As interpreted by TSA, ATSA intended to give the agency more robust authority to take action in response to emerging threats across all modes of transportation, and in doing so it did not intend to alter (or limit) TSA's existing authority as transferred from FAA. [111] See [hyperlink, http://www.gao.gov/products/GAO-04-408T], and GAO, Rebuilding Iraq: More Comprehensive National Strategy Needed to Help Achieve U.S. Goals, [hyperlink, http://www.gao.gov/products/GAO-06-788] (Washington, D.C.: July 11, 2006). [112] Another recommended characteristic of effective strategies is "risk assessment." However, because we provided details earlier in our report on the steps TSA has taken to assess risks to airport security, we do not discuss risk assessment as a separate characteristic here, rather focusing on risk assessment as one of the many actions that could be aided with the development of an overarching strategy. [113] GAO, Agencies' Strategic Plans Under GPRA: Key Questions to Facilitate Congressional Review, [hyperlink, http://www.gao.gov/products/GAO/GGD-10.1.16], Version 1 (Washington, D.C.: May 1997), and [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [114] For each transportation mode TSA has identified areas it plans to target for reducing risk to the maximum extent possible. TSA's fiscal year 2009 focus for commercial airports is high-risk airports and airport workers. It is not clear, however, what actions TSA has taken, or plans to take, to achieve this reduction in risk. As of March 2009 TSA had not provided documentation on the details of its plans. We have previously reported that TSA's approach to identifying high-risk focus areas is not based on criteria established in the NIPP, and recommended that TSA work with DHS to validate its risk management approach by establishing a plan and time frame for assessing the appropriateness of its approach (see [hyperlink, http://www.gao.gov/products/GAO-09-492]). [115] For example, ATSA contained a variety of provisions addressing risks posed by airport workers, such as amending requirements related to TSA background checks of workers with access to secured areas, mandating that TSA establish a pilot program to test and evaluate access control protections for secured areas, and establishing an ongoing requirement that TSA assess and test airport operator compliance with access control requirements and report annually on its findings. See, e.g., 49 U.S.C. §§ 44903(c)(3), (g)(2)(D), 44936(a)(1)(B)(iii), (a)(1)(C)(i). Appendix II provides a list of related ATSA provisions and TSA's efforts to address these requirements. [116] For example, of amounts appropriated to TSA through Division E of the Consolidated Appropriations Act, 2008, Pub. L. No. 110-161, Div. E, 121 Stat. 1844, 2042 (2007), the accompanying Explanatory Statement directed $37 million of its appropriation for, among other things, airport worker screening. [117] Office of Management and Budget Circular No. A-11, Part 6, Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports (June 2005). [118] TSA has documented, measurable goals for two specific activities-- compliance inspections (95 percent compliance rate for airports with respect to leading security indicators) and security threat assessments (100 percent assessment of workers who have airport-issued badges). [119] Internal control standards and the Government Performance and Results Act of 1993 also call for agencies to have measures and indicators linked to mission, goals, and objectives to allow for comparisons to be made among different sets of data (for example, desired performance against actual performance), so that corrective actions can be taken if necessary. See, generally, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], Pub. L. No. 103-62, 107 Stat. 285 (1993); and Office of Management and Budget Circular No. A-11, Part 6, Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports (Washington, D.C.: June 2005). [120] Performance measurement is the ongoing monitoring and reporting of program accomplishments and progress toward preestablished goals. [121] According to the NIPP, there are three types of performance measures: descriptive measures, which generally describe sector resources and activities, but do not reflect performance; output measures, which are used to measure whether specific activities are performed as planned, track the progression of a task, or report on the output of a process; and outcome measures, which track progress toward an intended goal by beneficial results rather than level of activity. [122] See S. Rep. No. 103-58 (1993) (accompanying the Government Performance and Results Act). [123] The Department of Transportation, Assessment of Performance Measures for Security of Maritime Transportation Network, Port Security Metrics: Proposed Measurement of Deterrence Capability (Washington, D.C., January 2007). [124] Brian A. Jackson, Assessing the Benefits of Homeland Security Efforts Deployed Against a Dynamic Terrorist Threat (Santa Monica, Calif.: Rand Corporation, February 2007). [125] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [126] See Chief Financial Officers Act of 1990, Pub. L. No. 101-576, 104 Stat. 2838 (1990); The Statement of Federal Financial Accounting Standards No. 4, Managerial Cost Accounting Concepts and Standards for the Federal Government; the Joint Financial Management Improvement Program, Framework for Federal Financial Management Systems; and the Federal Financial Management Improvement Act of 1996, Pub. L. No. 104- 208, Div. A., tit. VIII, 110 Stat. 3009, 3009-389 (1996). [127] In November 2008 TSA officials stated that the agency plans to hire a contractor in 2009 to develop relevant cost data for the background checks program. [128] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [129] See OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget (July 2007); OMB Circular No. A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs; and OMB Circular No. A-4, Regulatory Analysis (September 2003). According to federal guidance, cost-benefit analysis is a systematic method for assessing the desirability of alternative projects or policies by combining estimated costs with benefits. The goal of cost-benefit analysis is to promote efficient resource allocation through well- informed decision making, and it is considered a proven management tool that assists in planning a project and managing costs and risks. [130] Department of Homeland Security, Cost-Benefit Analysis Guidebook, Version 2.0 (Washington, D.C., February 2006). [131] In 2007, TSA worked with the United States Commercial Aviation Partnership to evaluate the cost and operational impacts of several proposed worker screening alternatives, including 100 percent worker screening. However, this evaluation focused solely upon the economic and operational impacts of these alternatives and did not evaluate benefits to security. TSA has also conducted a congressionally directed pilot program to help better identify the potential costs and benefits of 100 percent worker screening as an alternative to random worker screening. Based on the results of this pilot program, TSA concluded that random screening is a more cost-effective approach than 100 percent worker screening because it appeared "roughly" as effective in identifying contraband items at less cost. However, because of the significant limitations related to the design and evaluation of the pilot program, we believe that it is unclear based on the program results whether random worker screening is more or less cost-effective than 100 percent worker screening. [132] According to TSA officials, in the event of an immediate or imminent threat the agency uses security directives to impose requirements on airport operators, which does not require TSA to conduct cost-benefit analysis. However, officials told us that even in these circumstances they have considered relevant costs as well as benefits to proposed requirements, although they could not provide documentation or relevant examples. [133] For example, TSA officials said that they used professional judgment to determine that ADASP was the most appropriate security action to mitigate the insider risk, and did not study alternatives to random screening, such as 100 percent worker screening, or assess whether random screening was the most cost-effective option. Officials said that at the time they developed ADASP, staffing and budget options made 100 percent worker screening an unrealistic option. TSA officials also said that they used a similar approach to develop SPOT, in that they did not use cost-benefit analysis to compare the advantages and costs of other alternative programs. [134] See OMB Circular No. A-4. Examples of qualitative measures cited by OMB include the costs and benefits of privacy protection. [135] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [136] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [137] These programs--ADASP and VIPR--are discussed in more detail later in this report. [138] Pub. L. No. 107-71, 115 Stat. 597 (2001). [139] [hyperlink, http://www.gao.gov/products/GAO-06-91], [hyperlink, http://www.gao.gov/products/GAO-08-904T], and [hyperlink, http://www.gao.gov/products/GAO-09-492]. [140] Transportation Security Administration, Airport Employee Screening Pilot Program Study: Fiscal Year 2008 Report to Congress. [141] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-09-45]. [142] Department of Homeland Security, Office of the Inspector General, TSA's Security Screening Procedures for Employees at Orlando International Airport and the Feasibility of 100 Percent Employee Screening. [143] [hyperlink, http://www.gao.gov/products/GAO-04-728]. [144] Pub. L. No. 103-62, 107 Stat. 285 (1993). [145] According to the Airports Council International-North America, it represents over 400 aviation-related businesses and approximately 190 governing bodies of more than 400 commercial and general aviation airports in the United States and Canada; collectively, its members enplane about 95 percent of the domestic and nearly 100 percent of international airline passenger and cargo traffic in North America. According to the American Association of Airport Executives, it is the world's largest professional organization for airport executives, with members representing approximately 850 commercial and general aviation airports and the companies and organizations that support airports. [146] Pub. L. No. 107-71, 115 Stat. 597 (2001). [147] For example, pursuant to ATSA, TSA shall, on an ongoing basis, accept and test for compliance with access control requirements, report annually on the findings of the assessments, assess the effectiveness of penalties in ensuring compliance with security procedures, and take any other appropriate enforcement actions when noncompliance is found. See 49 U.S.C. § 44903(g)(2)(D). [148] See GAO, Transportation Security: TSA Has Developed a Risk-Based Covert Testing Program, but Could Better Mitigate Aviation Security Vulnerabilities Identified Through Covert Tests, [hyperlink, http://www.gao.gov/products/GAO-08-958] (Washington, D.C.: Aug. 8, 2008). TSA conducts national covert tests of three aspects of aviation security at a commercial airport: (1) passenger checkpoint, (2) checked baggage, and (3) access controls to secure areas and airport perimeters. [149] In addition to the costs in table 4, TSA officials identified a total of $49.2 million in estimated costs from fiscal years 2003 through 2008 related to pilot programs specific to airport security: $19.6 million to AACPP for fiscal years 2003 through 2005, $16.9 million for the Airport Terminal Security Grant Program for fiscal years 2004 and 2005, $5.0 million for the APS pilot program in fiscal year 2006, and $7.7 million for the worker screening pilot program in fiscal year 2008. [150] TSA assumed primary responsibility for aviation security from FAA in February 2002; FAA-administered Airport Improvement Program grants are available to airports for limited security purposes. According to TSA officials, TSA monitors $5 million of this funding awarded annually to the National Safe Skies Alliance (a nonprofit membership consortium that tests airport security equipment, systems, and processes at airports throughout the United States and abroad). FAA provides not less than $5 million each fiscal year for this grant. According to FAA and TSA officials, the National Safe Skies Alliance uses these funds to test innovative security systems and technology. [151] Airports Council International-North America, Airport Capital Development Cost Survey 2009-2013 (Washington, D.C., February 2009). [152] In 2007, for the period 2007 through 2011, the association reported that airport operator spending ranged from 6.6 percent (about $3 billion) for large hub airports to 4.8 percent (about $300 million) for small hub airports. The Airports Council International-North America used its own survey data and FAA National Plan Integrated Airport System data to develop these estimates. Past GAO work explains the differences between the association's survey estimates and FAA's data. See GAO, Airport Finance: Preliminary Analysis of Proposed Changes in the Airport Improvement Program May Not Resolve Funding Needs for Smaller Airports, [hyperlink, http://www.gao.gov/products/GAO-07-617T] (Washington, D.C.: Mar. 28, 2007). [153] TSA uses VIPR to augment security in transportation areas other than aviation. As discussed in our June 2009 report on mass transit and passenger rail security we found that opinions regarding VIPR's additional security value and effectiveness for that mode were varied among municipal transit agency officials (see GAO, Transportation Security: Key Actions Have Been Taken to Enhance Mass Transit and Passenger Rail Security, but Opportunities Exist to Strengthen Federal Strategy and Programs, [hyperlink, http://www.gao.gov/products/GAO-09-678] (Washington, D.C.: June 24, 2009)). For example, some officials told us that they welcomed the additional manpower of VIPR teams, while others reported that deploying VIPR for a single day did not significantly enhance security. While airport operators did not raise such issues to us, lessons learned from TSA's application of VIPR in other modes of transportation can inform its use in airport security. TSA officials agreed that VIPR has experienced challenges and said that they have taken steps to address these issues, such as providing information to help agencies customize VIPR operations to their needs. [154] For fiscal year 2008, TSA has allocated approximately $100 million to expand SPOT beyond fiscal year 2007 levels, resulting in a total program cost of approximately $140 million for fiscal year 2008. According to agency officials, as of April 2009 TSA had stationed approximately 2,836 behavior detection officers at all Category X, I, and II airports and one Category III airport; no SPOT teams had been assigned to Category IV airports. [155] [hyperlink, http://www.gao.gov/products/GAO-08-958]. [156] Analyzing trends over time allows agencies to establish a baseline for security activities. Examining trends can assist in identifying what specific security measures in place allowed for certain security breaches to occur or increase. [157] Office of Management and Budget, Performance Measure Challenges and Strategies (Washington, D.C., June 18, 2003). [158] Department of Transportation, Assessment of Performance Measures for Security of Maritime Transportation Network, Port Security Metrics: Proposed Measurement of Deterrence Capability. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: