This is the accessible text file for GAO report number GAO-10-887 
entitled 'Supply Chain Security: DHS Should Test and Evaluate 
Container Security Technologies Consistent with All Identified 
Operational Scenarios to Ensure the Technologies Will Function as 
Intended' which was released on September 29, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Committee on Homeland Security, House of 
Representatives: 

United States Government Accountability Office:
GAO: 

September 2010: 

Supply Chain Security: 

DHS Should Test and Evaluate Container Security Technologies 
Consistent with All Identified Operational Scenarios to Ensure the 
Technologies Will Function as Intended: 

GAO-10-887: 

GAO Highlights: 

Highlights of GAO-10-887, a report to the Chairman, Committee on 
Homeland Security, House of Representatives. 

Why GAO Did This Study: 

Cargo containers could be used to transport unlawful cargo, including 
weapons of mass destruction, illicit arms, stowaways, and illegal 
narcotics into the United States. Within the Department of Homeland 
Security (DHS), U.S. Customs and Border Protection (CBP) is 
responsible for container security. To enhance container security, CBP 
has partnered with DHS’s Science and Technology (S&T) Directorate to 
develop performance standards—requirements that must be met by 
products to ensure they will function as intended—for container 
security technologies. After successful completion of testing, S&T 
plans to deliver performance standards to DHS’s Office of Policy 
Development and CBP. As requested, this report addresses (1) the 
extent to which DHS has made progress in conducting research and 
development and defining performance standards for the technologies, 
and (2) the remaining steps and challenges, if any, DHS could face in 
implementing the technologies. GAO, among other things, reviewed 
master test plans for S&T’s four ongoing container security technology 
projects, and interviewed DHS officials. 

What GAO Found: 

DHS has conducted research and development for four container security 
technology projects, but has not yet developed performance standards 
for them. From 2004 through 2009, S&T spent approximately $60 million 
and made varying levels of progress in the research and development of 
its four container security technology projects. These projects 
include the Advanced Container Security Device (ACSD), to detect 
intrusion on all six sides of a container; the Container Security 
Device (CSD), to detect the opening or removal of container doors; the 
Hybrid Composite Container, a lightweight container with an embedded 
sensor grid to detect intrusion on all six sides of the container; and 
the Marine Asset Tag Tracking System (MATTS), to track containers. The 
ACSD and Hybrid Composite Container technologies have not yet 
completed laboratory testing, but the CSD and MATTS are proceeding to 
testing in an operational environment, which will determine if the 
technologies can operate in the global supply chain—the flow of goods 
from manufacturers to retailers. S&T’s master plans for conducting 
operational environment testing, however, do not reflect all of the 
operational scenarios the Office of Policy Development and CBP are 
considering for implementation. According to DHS guidance, before S&T 
can provide performance standards to the Office of Policy Development 
and CBP, the technologies are to have been proven to work in their 
final form and under expected operational conditions. Until the 
container security technologies are tested and evaluated consistent 
with all of the operational scenarios DHS identified for potential 
implementation, S&T cannot provide reasonable assurance that the 
technologies will effectively function as the Office of Policy 
Development and CBP intend to implement them. 

If S&T determines that the container security technologies are mature 
enough to provide performance standards for these technologies to the 
Office of Policy Development and CBP, key steps and challenges remain 
before implementation can occur. These key steps involve (1) obtaining 
support from the trade industry and international partners, (2) 
developing a concept of operations (CONOPS) detailing how the 
technologies are to be deployed, and (3) certifying the technologies 
for use. The Office of Policy Development and CBP plan to take these 
steps if and when S&T provides performance standards. 

Table: Description of DHS S&T’s Four Container Security Projects: 

Project name: ACSD; 
Project description and goal: Develop a device that can detect and 
report container intrusion on all six sides of a container. 

Project name: CSD; 
Project description and goal: Develop a device that can detect and 
report the opening or removal of container doors. 

Project name: Hybrid Composite Container; 
Project description and goal: Develop a composite container with 
embedded security sensors to detect intrusion on all six sides. 

Project name: MATTS; 
Project description and goal: Establish a system to track containers, 
and increase the range that CSDs and ACSDs can communicate. 

Source: GAO analysis of DHS S&T information. 

[End of table] 

What GAO Recommends: 

GAO recommends that DHS test and evaluate the container security 
technologies consistent with all the operational scenarios DHS 
identified for potential implementation. DHS concurred with our 
recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-10-887] or key 
components. For more information, contact Stephen Caldwell at (202) 
512-9610 or caldwells@gao.gov or Timothy Persons at (202) 512-6412 or 
personst@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

DHS Has Made Progress in Researching and Developing Container Security 
Technologies, but Needs to Conduct Testing Using Defined Operational 
Scenarios before Delivering Performance Standards: 

Key Steps and Challenges Remain before Implementation of Container 
Security Technologies Can Move Forward: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments: 

Appendix I: Vendors Selected to Participate in Container Security 
Technology Projects: 

Appendix II: Description of Container Security Technologies' 
Communications Systems: 

Appendix III: Comments from the Department of Homeland Security: 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

Glossary: 

Related GAO Products: 

Tables: 

Table 1: Description of CBP's Core Cargo Security Programs: 

Table 2: Description of DHS S&T's Four Container Security Projects: 

Table 3: Members of the Container Security Test and Evaluation (CSTE) 
Team and Their Respective Roles and Responsibilities on the Container 
Security Technology Projects: 

Table 4: Status of Container Security Technology Projects: 

Table 5: Description of CSTE's Testing of the ACSD Prototypes: 

Table 6: Description of CSTE's Testing of the CSD Prototypes: 

Table 7: Selection and Funding of Vendors for Development of Container 
Security Technologies: 

Figures: 

Figure 1: The Maritime Supply Chain Process: 

Figure 2: Drawings of a Typical Cargo Container, Its Parts, and 
Dimensions: 

Figure 3: A Container Sealed with a Bolt Seal: 

Figure 4: DHS S&T Testing Process: 

Figure 5: Photographs of GTRI's and SAIC's Container Security Devices: 

Figure 6: Photograph of iControl, Inc.'s MATTS Tag: 

Figure 7: Certification Testing Process: 

Figure 8: Security Device System Supporting Container Security 
Technology Communications: 

Abbreviations: 

9/11 Act: Implementing Recommendations of the 9/11 Commission Act of 
2007: 

ACSD: Advanced Container Security Device: 

BAA: broad agency announcement: 

C-TPAT: Customs-Trade Partnership Against Terrorism: 

CBP: Customs and Border Protection: 

CM: communications module: 

CONOPS: concept of operations: 

CSD: Container Security Device: 

CSI: Container Security Initiative: 

CSTE Team: Container Security Test and Evaluation Team: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

DOE: Department of Energy: 

GTRI: Georgia Tech Research Institute: 

ISO: International Organization for Standardization: 

MATTS: Marine Asset Tag Tracking System: 

MSC: Maine Secure Composites: 

MTSA: Maritime Transportation Security Act of 2002: 

NII: non-intrusive inspection: 

RF: radio frequency: 

S&T: Science and Technology: 

SAFE Port Act: Security and Accountability for Every Port Act: 

SAIC: Science Applications International Corporation: 

SBIR: Small Business Innovative Research: 

SFI: Secure Freight Initiative: 

TEU: twenty-foot equivalent unit: 

WCO: World Customs Organization: 

WMD: weapons of mass destruction: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 29, 2010: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

Dear Mr. Chairman: 

In addition to serving an important role in transporting legitimate 
cargo, cargo containers can also be used to transport unlawful cargo, 
including weapons of mass destruction (WMD), illicit arms, stowaways, 
and illegal narcotics, into the United States. In fiscal year 2009, 
9.8 million cargo containers arrived at U.S. ports. Within the federal 
government, the Department of Homeland Security's (DHS) U.S. Customs 
and Border Protection (CBP) is responsible for administering container 
security and reducing the vulnerabilities associated with the supply 
chain--the flow of goods from manufacturers to retailers. As it 
performs this mission, CBP maintains two overarching and sometimes 
conflicting goals--increasing security while efficiently facilitating 
legitimate trade. To address these goals, CBP has developed a layered 
security strategy.[Footnote 1] Core components of this strategy 
include analyzing information to identify cargo containers that may 
pose a security risk, working with host governments to examine high-
risk containers at foreign ports before they are loaded onto vessels 
bound for the United States, and providing benefits, such as reduced 
examination of cargo, to private-sector companies that comply with 
predetermined security measures. 

Recognizing that security can be further enhanced, CBP has partnered 
with DHS's Science and Technology (S&T) Directorate to develop 
performance standards--requirements that must be met by products to 
ensure they will function as intended--for container security 
technologies that can (1) detect and report container intrusion, (2) 
alert officials to possible security threats, and (3) track the 
movement of cargo containers through the supply chain. S&T is 
responsible for researching, developing, testing, and evaluating new 
technologies in order to develop performance standards.[Footnote 2] If 
S&T is able to demonstrate through testing and evaluation that 
container security technologies exist that can meet CBP's 
requirements, then it plans to provide performance standards to CBP 
and the Transportation, Cargo & Infrastructure Unit within DHS's 
Office of Policy Development to pursue for implementation.[Footnote 3] 
The Transportation, Cargo & Infrastructure Unit is responsible for, 
among other things, developing, implementing, and coordinating policy 
relating to the security of the global supply chain. 

You requested information on DHS's efforts to develop and implement 
container security technologies. In particular, this report addresses 
the following questions: 

* To what extent has DHS made progress in conducting research and 
development and defining performance standards for container security 
technologies? 

* What remaining steps and challenges, if any, does DHS face in 
implementing container security technologies? 

To address the first objective, we reviewed all four ongoing container 
security projects initiated by S&T to develop technologies that can 
detect cargo container intrusions and track the movement of cargo 
containers through the supply chain. For each of the four projects, we 
reviewed project requirements documents, test plans, technology 
transition agreements, and task orders to determine the projects' 
scope and requirements. We then evaluated DHS's plans against criteria 
for planning in DHS's Developing Operational Requirements guide. 
[Footnote 4] To assess DHS's progress in developing technologies, we 
reviewed the test reports outlining the performance of the 
technologies under evaluation to identify the capabilities of the 
technologies and performance deficiencies. We also reviewed each of 
the project schedules and compared them to the current status of each 
of the container security technology projects as of June 2010. We 
interviewed senior officials in S&T's Borders and Maritime Security 
Division in Washington, D.C., who are responsible for the four 
container security projects to discuss the status of the projects. We 
also interviewed officials representing the four members of the 
Container Security Test and Evaluation (CSTE) team created by S&T to 
test and evaluate the technologies--Lawrence Livermore National 
Laboratory, Pacific Northwest National Laboratory, Sandia National 
Laboratories, and the Space and Naval Warfare Systems Center Pacific--
to discuss the results of the four projects' test and evaluation 
processes. In addition to these interviews, we also conducted a site 
visit to Sandia National Laboratories in Albuquerque, New Mexico--the 
location for all laboratory testing of the container security 
technologies--to view technology prototypes, observe the test 
facilities, and to learn more about the specific laboratory tests that 
have been conducted on the container security technologies. We also 
met with officials representing the vendors whose technologies were 
under testing and evaluation at the time our audit began in October 
2009--Georgia Tech Research Institute (GTRI); iControl, Inc.; Maine 
Secure Composites (MSC); and Science Applications International 
Corporation (SAIC)--to discuss how they have developed and modified 
their technologies. Further, we reviewed the contracts and interagency 
agreements that provided funds to the CSTE team and vendors to 
determine the amount of money DHS has spent on testing, evaluating, 
and developing the technologies since funding for the container 
security technologies began, in April 2004, through 2009. 

To address the second objective, we discussed container security 
technology implementation plans with officials from DHS's Office of 
Policy Development Transportation, Cargo & Infrastructure Unit, and 
with CBP officials from its Office of Field Operations and its Customs-
Trade Partnership Against Terrorism (C-TPAT) Office.[Footnote 5]We 
also spoke with Department of Defense (DOD) entities, including the 
U.S. Army and the U.S. Transportation Command, to identify any lessons 
learned from DOD's implementation of container security devices in 
transporting supplies and equipment to support war efforts in 
Afghanistan. With representatives of the International Organization 
for Standardization (ISO)[Footnote 6] and World Customs Organization 
(WCO),[Footnote 7] we discussed the process for obtaining 
international adoption of container security technology standards, and 
the imposition of duties and taxes on container security technologies, 
respectively. Further, we spoke with trade industry representatives to 
understand the trade industry's perspective on how container security 
technologies could be implemented in the global supply chain, and to 
identify any potential challenges to implementation. Specifically, we 
spoke with officials from the World Shipping Council, which represents 
vessel carriers that transport cargo containers, as well as with two 
individual vessel carriers and one non-vessel operating common 
carrier.[Footnote 8] We also spoke with representatives from two trade 
industry associations--the American Association of Exporters and 
Importers and the National Association of Manufacturers--as well as 22 
individual U.S. importers the trade association members identified for 
us among their membership. We conducted interviews with these 
importers in group settings. This interview format allowed us to 
determine consensus and also identify and examine instances where 
viewpoints differed among importers. As a result of the group 
settings, we do not explicitly identify the number of importers who 
expressed particular views. Rather, we express these views as those of 
some of the importers we interviewed. Further, we met with an official 
from the Institute of International Container Lessors, which 
represents companies that lease containers to members of the trade 
industry, including vessel carriers and importers. Our interviews with 
these trade industry representatives were based on a nonprobability 
sample, so they are not generalizable to the entire maritime trade 
industry, but they did provide us with insights into the willingness 
of members of the maritime trade industry to partner with DHS and CBP 
to implement container security technologies, and identify potential 
challenges to implementation. 

We conducted this performance audit from October 2009 through 
September 2010 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

Background: 

Global Supply Chain: 

Given the complexity of the supply chain and the vast number of cargo 
containers that are shipped to the United States, the supply chain is 
vulnerable to threats. The typical supply chain process for 
transporting cargo containers to the United States involves many steps 
and participants. The cargo container, and material in it, can be 
affected not only by the manufacturer or supplier of the material 
being shipped, but also by vessel carriers who are responsible for 
transporting the material to a port, as well as by personnel who load 
and unload cargo containers onto vessels. Others who may interact with 
the cargo or have access to the records of the goods being shipped 
include exporters who make arrangements for shipping and loading, 
freight consolidators who package disparate cargo into containers, and 
forwarders who manage and process the information about what is being 
loaded onto a vessel. Figure 1 depicts the key participants and points 
of transfer involved in the supply chain--from the time that a 
container is packed with cargo in a foreign location to its arrival at 
a U.S. port. 

Figure 1: The Maritime Supply Chain Process: 

[Refer to PDF for image: 7 photographs] 

Foreign factory: 
Packing and sealing container; 
Entry to foreign port of embarkation; 
Loading on vessel; 
In transit; 
Unloading; 
Dwelling on terminal; 
Exiting terminal. 

Source: GAO (analysis); GAO and DHS S&T (photos). 

[End of figure] 

Containers serve, in essence, as packing crates and portable 
warehouses for virtually every type of general cargo moving in the 
supply chain. The ISO recommends the standard size of containers. The 
recommended lengths for cargo containers, according to ISO, are 10 
feet, 20 feet, 30 feet, and 40 feet. However, the most common 
containers are the 20-foot and the 40-foot models.[Footnote 9] 
Container sizes are standardized so that containers can be stacked, 
and so that loading and unloading equipment can be designed to those 
standards. Figure 2 shows a typical cargo container and parts of the 
container door, and summarizes the standard dimensions of 20-foot and 
40-foot containers. The basic parts of a typical cargo container are 
the floor, roof, sides and doors. The floor may be hard or soft 
laminated wood, planks, or plywood. Modern steel containers have 
corrugated or flat steel sheet roofs welded to the frame. The sides of 
steel containers have corrugated steel panels. The hinged doors have 
plastic-or rubber-lined door gaskets as seals to protect against 
moisture. 

Figure 2: Drawings of a Typical Cargo Container, Its Parts, and 
Dimensions: 

[Refer to PDF for image: 2 illustrations] 

Container box: 

Dimensions: Length; 
Standard 20 feet: Outside: 20 feet; Inside: 19 feet, 4 inches; 
Standard 40 feet: Outside: 40 feet; Inside: 39 feet, 5 inches. 

Dimensions: Width; 
Standard 20 feet: Outside: 8 feet; Inside: 7 feet, 8 inches; 
Standard 40 feet: Outside: 8 feet; Inside: 7 feet, 8 inches. 

Dimensions: Height; 
Standard 20 feet: Outside: 8 feet, 6 inches; Inside: 7 feet, 10 inches; 
Standard 40 feet: Outside: 8 feet, 6 inches; Inside: 7 feet, 10 inches. 

Dimensions: Door; 
Standard 20 feet: Outside: 7 feet, 8 inches; Inside: 7 feet, 6 inches; 
Standard 40 feet: Outside: 7 feet, 8 inches; Inside: 7 feet, 6 inches. 

Source: GAO. 

[End of figure] 

CBP Has Developed a Layered Strategy to Secure Cargo Containers: 

CBP has developed a layered security strategy to mitigate the risk of 
an attack using cargo containers. CBP's strategy is based on a layered 
approach of related programs that attempt to focus resources on 
potentially risky cargo shipped in containers while allowing other 
cargo containers to proceed without unduly disrupting commerce into 
the United States. The strategy is based on obtaining advanced cargo 
information to identify high-risk containers, utilizing technology to 
inspect containers, and partnering with foreign governments and the 
trade industry. A brief description of the core programs that comprise 
CBP's layered security strategy for cargo containers is provided in 
table 1. 

Table 1: Description of CBP's Core Cargo Security Programs: 

Obtaining advanced information to identify high-risk containers: 

Program and year introduced: Automated Targeting System (ATS), 1999; 
Description: CBP uses ATS--a mathematical model that uses weighted 
rules to assign a risk score to arriving cargo shipments based on 
shipping information--to help identify and prevent potential 
terrorists and terrorist weapons from entering the United States. ATS 
is used by CBP to review documentation, including cargo manifest 
information[A] submitted by the vessel carriers on all U.S.-bound 
shipments, and entry data (more detailed information about the cargo) 
submitted by brokers, to develop risk scores that help identify 
containers for additional examination. 

Program and year introduced: 24-hour Rule, 2002; 
Description: CBP generally requires vessel carriers to electronically 
transmit cargo manifests to CBP's Automated Manifest System 24 hours 
before U.S.-bound cargo is loaded onto a vessel at a foreign port. The 
information is used by ATS in its calculation of risk scores. The 
cargo manifest information is submitted by vessel carriers for all 
arriving cargo shipments. 

Program and year introduced: Importer Security Filing and Additional 
Carrier Requirements (also known as 10+2), 2009; 
Description: CBP requires importers and vessel carriers to provide 
data elements for improved identification of containers that may pose 
a risk for terrorism. The importer is responsible for supplying CBP 
with 10 shipping data elements, such as country of origin, 24 hours 
prior to loading, while the vessel carrier is required to provide 2 
data elements, container status messages and stow plans, not required 
by the 24-hour Rule. 

Domestic scanning technology deployments: 

Program and year introduced: Non-intrusive inspection (NII) equipment, 
2001; 
Description: CBP uses NII equipment to actively scan both randomly 
selected containers and those identified by ATS as high-risk. NII uses 
X-rays or gamma rays to scan a container and create images of the 
container's contents without opening it. According to CBP, as of 
August 2010, it had deployed 92 NII systems to U.S. seaports to scan 
containers. In fiscal year 2009, 4.6 percent of containers arriving at 
U.S. seaports were scanned. 

Program and year introduced: Radiation Portal Monitors, 2007; 
Description: CBP program to passively scan 100 percent of containers 
arriving in the United States with radiation detection equipment prior 
to leaving a domestic port. According to CBP, as of August 2010, it 
had deployed 453 radiation portal monitors at U.S. seaports, through 
which approximately 99 percent of all containers arriving by sea 
passed. 

Partnerships with foreign governments: 

Program and year introduced: Container Security Initiative (CSI), 2002; 
Description: CBP places staff at participating foreign ports to work 
with host country customs officials to target and examine high-risk 
container cargo for weapons of mass destruction before they are 
shipped to the United States. CBP officials identify the containers 
that may pose a risk for terrorism and request that their foreign 
counterparts examine the contents of the containers. 

Program and year introduced: Secure Freight Initiative (SFI), 2006; 
Description: CBP and Department of Energy program at selected ports to 
actively and passively scan 100 percent of U.S.-bound container cargo 
for nuclear and radiological materials overseas using integrated 
examination systems that couple NII and radiation detection equipment. 

Partnership with trade industry: 

Program and year introduced: Customs-Trade Partnership Against 
Terrorism (C-TPAT), 2001; 
Description: CBP develops voluntary partnerships with members of the 
international trade community comprised of importers; manufacturers; 
customs brokers; forwarders; air, sea, and land carriers; and contract 
logistics providers. Private companies agree to improve the security 
of their supply chains in return for various benefits, such as a 
reduced examination of their cargo. 

Source: GAO summary of information provided by DHS. 

[A] Cargo manifests are prepared by the vessel carrier for each 
shipment of cargo loaded on a vessel to describe the contents of the 
shipment. 

[End of table] 

Legislation Enacted to Improve Cargo Container Security: 

Several U.S. laws and regulations govern the security of cargo 
containers and the supply chain within which they are transported. In 
2006, Congress passed, and the President signed, the Security and 
Accountability for Every (SAFE) Port Act.[Footnote 10] The SAFE Port 
Act established a statutory framework for some of the programs 
comprising CBP's layered security strategy, including CSI and C-TPAT, 
which previously had been agency programs not required by law. The 
SAFE Port Act also required that DHS initiate a rulemaking process and 
subsequently issue an interim final rule to establish minimum 
standards and procedures for securing containers in transit to the 
United States. In August 2007, the Implementing Recommendations of the 
9/11 Commission Act of 2007 (9/11 Act) was enacted, amending this SAFE 
Port Act requirement.[Footnote 11] Specifically, the 9/11 Act required 
that if the interim final rule was not issued by April 1, 2008, then 
effective no later than October 15, 2008, all containers in transit to 
the United States would be required to use an ISO 17712 compliant 
seal.[Footnote 12] DHS did not establish standards by the set 
deadline, so all maritime containers in transit to the United States 
are now required to be sealed with an ISO 17712 compliant seal. 
According to DHS, it did not establish minimum standards for securing 
cargo containers in transit because there were no available technology 
solutions at the time that would adequately improve container security 
without significantly disrupting the flow of commerce. Although the 
9/11 Act default standard is now in effect, the act provides that this 
standard will cease to be effective upon the effective date of a rule 
issued in the future pursuant to the original SAFE Port Act 
requirement. 

In addition to the possibility of a future rulemaking in this area, 
DHS remains responsible for implementing an earlier provision enacted 
by the Maritime Transportation Security Act of 2002 (MTSA).[Footnote 
13] This provision requires DHS to establish a program to evaluate and 
certify secure systems of international, intermodal transportation. 
This program is to include standards and procedures for securing cargo 
and monitoring security while in transit, as well as performance 
standards to enhance the physical security of shipping containers, 
including standards for seals and locks. This provision continues to 
govern DHS efforts to establish standards for new technology in the 
cargo container security area. 

Past CBP Efforts Identified Need for Container Security Technologies: 

In response to a July 2002 memo from the then-CBP Commissioner, CBP 
undertook a study to identify and evaluate available technologies to 
improve container security. The study demonstrated that existing 
container seals provided inadequate security against physical 
intrusions. We reported in January 2006 that despite the widespread 
use of container seals, they are not effective in preventing 
tampering.[Footnote 14] For example, entry into a container through 
the roof or sides will not be indicated by a container seal affixed to 
the doors. Further, various methods to circumvent seals installed on 
container door hasps (see figure 3) have been demonstrated by the 
Department of Defense and the Vulnerability Assessment Team at Los 
Alamos National Laboratory. Seals installed through the door hasp can 
be bypassed and left intact by simply removing an entire container 
door. Recognizing the limitations of existing container technology, 
CBP desired a technology with the ability to monitor and record door 
openings and eventually detect and report intrusions on all six sides 
of a container. Figure 3 shows a container with a bolt seal affixed to 
the door hasp. 

Figure 3: A Container Sealed with a Bolt Seal: 

[Refer to PDF for image: photograph] 

Identified on the photo: 
Door handle; 
Locking rod; 
Door hasp; 
Bolt seal. 

Source: CBP (photo), GAO (presentation). 

[End of figure] 

CBP initiated the Smart Box program in 2004 in order to develop 
technologies with the ability to monitor the physical integrity of a 
container, among other things. In September 2005, CBP, in consultation 
with Johns Hopkins University Applied Physics Laboratory, determined 
through operational testing that there was no existing container 
security device that could meet its requirements. CBP made a second 
attempt, in December 2007, to find a commercially available container 
security device with the ability to monitor container doors for 
intrusion. According to CBP officials, only one security device-- 
offered by General Electric--demonstrated the potential to meet CBP's 
requirements. However, according to CBP, subsequent operational 
testing revealed that the device had a relatively high false alarm 
rate, which, according to CBP officials, would have resulted in an 
unmanageable workload for CBP staff at ports given the number of 
containers they would have to examine because of the alarms. According 
to CBP officials, before they could schedule another round of testing 
to determine if a revised prototype of the device would meet CBP's 
requirements, General Electric decided to stop producing the device. 

DHS S&T Initiated Four Projects to Develop Container Security 
Technologies: 

S&T is developing four container security technologies, which are 
described in table 2, in response to MTSA requirements and CBP's need 
for container security technologies with the ability to detect 
intrusion and track the movement of containers through the supply 
chain. In May 2004, S&T issued a broad agency announcement for the 
Advanced Container Security Device (ACSD) project seeking industry 
submissions for technologies that could be developed to provide six- 
sided intrusion detection for cargo containers. The initial results of 
ACSD testing demonstrated that a solution would require years of 
additional investment and development. As a result of the challenges, 
DHS created the Hybrid Composite Container to embed six-sided 
detection in a container made of composite material, and the Container 
Security Device (CSD) project to provide the capability to detect 
container door intrusion as an interim solution until six-sided 
detection is available. In November 2003, S&T issued a small business 
innovative research (SBIR)[Footnote 15] solicitation seeking a Marine 
Asset Tag Tracking System (MATTS) with the capability to provide both 
worldwide container tracking, and communicate the security status of 
the CSD and ACSD in the supply chain. Table 2 provides a description 
of each of the four container security technology projects, including 
the projects' goals, key vendors, and time frames. 

Table 2: Description of DHS S&T's Four Container Security Technology 
Projects: 

Project name: Advanced Container Security Device; 
Project description and goal: Develop a device that can detect and 
report container intrusion on all six sides of a container; 
Key vendors[A]: 
* L-3 Communications; 
* SAIC; 
Project start[B]: 2005; 
Project completion[C]: 2012. 

Project name: Container Security Device; 
Project description and goal: Develop a device that can detect and 
report the opening and removal of container doors; 
Key vendors[A]: 
* GTRI; 
* SAIC; 
Project start[B]: 2007; 
Project completion[C]: 2011. 

Project name: Hybrid Composite Container; 
Project description and goal: Develop an ISO certified container using 
a steel frame and fiber reinforced polymer composite material for the 
walls, floor, and doors, with embedded security sensors to detect 
intrusion on all six sides of a container; 
Key vendors[A]: 
* Maine Secure Composites (container); 
* GTRI (sensor grid); 
Project start[B]: 2005; 
Project completion[C]: 2012. 

Project name: Marine Asset Tag Tracking System; 
Project description and goal: Establish a system to track containers, 
and increase the range that CSD and ACSD status information can be 
transmitted; 
Key vendors[A]: 
* iControl, Inc.; 
Project start[B]: 2004; 
Project completion[C]: 2010. 

Source: GAO analysis of DHS S&T information. 

[A] Key vendors are those selected in the most recent round of vendor 
selection for each project. Appendix I provides additional details on 
the vendor selection process. 

[B] The project start date is the fiscal year in which a vendor award 
was first made. 

[C] The project completion date is the anticipated fiscal year in 
which the performance standards are to be provided to the Office of 
Policy Development and CBP, as stated in S&T's Five-Year Research and 
Development Plan: Fiscal Years 2008-2013. 

[End of table] 

S&T's overall objective for each of these container security 
technology projects is the development and delivery of performance 
standards for the technologies to DHS's Office of Policy Development 
and CBP. Performance standards define a set of requirements that must 
be met by products to ensure they will function as intended. Before 
S&T can provide performance standards to the Office of Policy 
Development and CBP, the capability of the technologies to meet stated 
requirements must be demonstrated through the successful completion of 
testing and evaluation activities, as described in the technology 
transition agreements.[Footnote 16] S&T has defined two phases of 
testing and evaluation for these projects: 

* Phase I--Laboratory Testing: The purpose of Phase I is to identify 
capabilities and deficiencies in prototypes in a controlled 
environment to determine the likelihood of a prototype functioning 
under a variety of anticipated environmental and usage conditions. At 
least 10 prototypes are used for Phase I testing of a technology. 

* Phase II--Trade Lane Testing: Phase II is designed to determine 
whether a prototype can enhance supply chain security while minimizing 
the effect on cargo operations. Phase II includes testing in an 
operational trade lane--the route a container travels--using 100 trips 
from the container packing location to arrival at a U.S. port. 

After successful completion of both phases of testing, S&T is to 
deliver performance standards--including system requirements and test 
plans--to the Office of Policy Development and CBP. Figure 4 shows how 
the testing process leads to the development of performance standards. 

Figure 4: DHS S&T Testing Process: 

[Refer to PDF for image: illustration] 

DHS S&T roles: 

Phase I: Laboratory Testing; 
Phase II: Trade Lane Testing; 
Delivery of Performance Standards to DHS Office of Policy Development 
and CBP. 

Source: GAO analysis of DHS S&T information. 

[End of figure] 

DHS Has Made Progress in Researching and Developing Container Security 
Technologies, but Needs to Conduct Testing Using Defined Operational 
Scenarios before Delivering Performance Standards: 

From 2004 through 2009, S&T spent over $60 million and made varying 
levels of progress in the research and development of its four 
container security technology projects--ACSD, CSD, Hybrid Composite 
Container, and MATTS--to support the development of performance 
standards for these container security projects. Each of these 
projects has undergone Phase I laboratory testing, but S&T has not yet 
conducted Phase II trade lane testing in an operational environment to 
ensure that the prototypes will satisfy the requirements so that S&T 
can provide performance standards to the Office of Policy Development 
and CBP. Prior to the development of performance standards by S&T, 
each of the technology prototypes will need to undergo Phase II trade 
lane testing consistent with the operational scenarios that have been 
identified for potential implementation. According to S&T, the master 
test plans do not reflect all operational scenarios being considered 
because DHS is currently focused on using the technologies in the 
maritime environment. 

DHS S&T Has Identified and Funded Vendors' Container Security 
Technologies for Development: 

S&T used a multiple-round process to select vendors' technologies for 
development. Several vendors responded to S&T's 2004 broad agency 
announcement for the ACSD project and 2003 SBIR solicitation for 
MATTS. The vendors' technology proposals were evaluated on their 
ability to meet the project requirements, and those technologies 
considered to be viable were funded by S&T to develop prototypes for 
test and evaluation. Because of the challenges in developing an ACSD 
solution, S&T created the CSD project and selected vendors for the 
project based on the performance of vendors' prototypes during ACSD 
project testing. Similarly, selection for the Hybrid Composite 
Container project was based on performance in the ACSD project. From 
2004 through 2009, S&T has provided a total of about $24 million in 
funding to vendors to develop container security technologies. 
Appendix I provides additional details on the vendor selection process. 

S&T created the Container Security Test and Evaluation (CSTE) team to 
develop requirements and independently monitor and evaluate the 
performance of container security technologies. CSTE membership is 
composed of three Department of Energy national laboratories--Lawrence 
Livermore National Laboratory, Pacific Northwest National Laboratory, 
and Sandia National Laboratories--and the Navy's Space and Naval 
Warfare Systems Center Pacific. As described in table 3, these 
organizations were each selected for participation based on their 
areas of applicable technical expertise in fields such as sensor 
systems, wireless communications, and maritime environment product 
testing. From 2004 through 2009, S&T obligated nearly $36 million to 
the CSTE team to develop requirements and conduct testing and 
evaluation of container security technologies. 

Table 3: Members of the Container Security Test and Evaluation (CSTE) 
Team and Their Respective Roles and Responsibilities on the Container 
Security Technology Projects: 

CSTE team member: Lawrence Livermore National Laboratory; 
Key responsibility/Field of expertise: Determine maritime 
environmental conditions to establish laboratory tests to determine 
the ability of container security technology prototypes to function in 
the maritime environment. 

CSTE team member: Pacific Northwest National Laboratory; 
Key responsibility/Field of expertise: Contribute expertise in sensor 
development, wireless technologies, electronics management, and 
embedded systems. 

CSTE team member: Sandia National Laboratories; 
Key responsibility/Field of expertise: Perform all container security 
technology prototype testing at their facilities in New Mexico. 
Provide red teaming--the capability to identify and exploit weaknesses 
in a technology--and general systems engineering support. 

CSTE team member: Space and Naval Warfare Systems Center Pacific; 
Key responsibility/Field of expertise: Serve as the contracting 
office--create vendor contracts, issue work orders, and distribute 
funding. Develop wireless communications requirements and device 
readers. 

Source: GAO summary of Department of Energy and DOD information. 

[End of table] 

One of the responsibilities of the CSTE team was to develop test plans 
that specify the testing activities that technologies need to 
successfully undergo in order to move on to later phases of testing 
and eventually the development of performance standards. These test 
plans require that technologies be evaluated on their installation and 
usability, functionality, performance (including under adverse 
environmental conditions), and vulnerability to attack by an adversary. 

S&T Has Identified Deficiencies That Could Delay or Prevent the 
Development of Standards for Some Container Security Technologies: 

The CSD project is expected to be completed on time, and MATTS is 
slightly behind schedule, as performance standards are expected to be 
delivered in December 2010 rather than fiscal year 2010. The ACSD 
project is not currently being funded due to the deficiencies 
identified during Phase I laboratory testing, although funding may 
resume if one of the vendors demonstrates progress. The Hybrid 
Composite Container project is undergoing contract negotiations to 
resume work on the composite container after challenges were 
encountered with the vendor. Table 4 summarizes the status and 
expected completion date for each of S&T's container security 
technology projects. 

Table 4: Status of Container Security Technology Projects: 

Project name: Advanced Container Security Device (ACSD); 
Key project requirements: 
* Detect container door opening, door closing, and door removal; 
* Detect a 3-inch diameter hole in the container on any six sides; 
* Detect human presence within the container; 
* Provide a 95 percent probability of intrusion detection; 
* Provide a combined probability of false alarm and critical failure 
of 0.2 percent; 
* Possess a power source to operate for one trip (1,680 hours); 
* Cost less than $175 per container trip; 
Project status: Stopped in Phase I laboratory testing. Because of 
deficiencies in satisfying ACSD requirements during laboratory 
testing, no ACSD prototypes are currently being funded for 
development. S&T may resume funding of one vendor's prototype if the 
vendor demonstrates progress in improving performance of its CSD; 
Expected completion (fiscal year): 2012. 

Project name: Container Security Device (CSD); 
Key project requirements: 
* Detect container door opening, door closing, and door removal; 
* Monitor the status of any seals or locks; 
* Provide a 95 percent probability of intrusion detection; 
* Provide a combined probability of false alarm and critical failure 
of 0.2 percent; 
* Possess a power source to operate for one trip (1,680 hours); 
Project status: Progressing to Phase II trade lane testing. CSDs have 
shown promise in laboratory testing, and S&T anticipates beginning 
Phase II trade lane tests for one CSD prototype in September 2010; 
Expected completion (fiscal year): 2011. 

Project name: Hybrid Composite Container; 
Key project requirements: Composite container; 
* Meet or exceed ISO requirements; 
Sensor grid: 
* Detect a 3-inch diameter hole in any six sides of a container; 
* Provide a 95 percent probability of intrusion detection; 
* Provide a combined probability of false alarm and critical failure 
of 0.2 percent; 
* Possess a power source to operate for one trip (1,680 hours); 
Project status: Stopped in Phase I laboratory testing. S&T terminated 
the contract with the vendor because of internal management issues the 
vendor was having. S&T plans to initiate a new contract to continue 
the work before the end of September 2010; 
Expected completion (fiscal year): 2012. 

Project name: Marine Asset Tag Tracking System (MATTS); 
Key project requirements: 
* Communicate a container intrusion alarm within 5 minutes of the 
alarm occurring; 
* Provide operational availability at least 95 percent of the time; 
* Possess a power source to operate for 30,000 hours; 
* Cost less than $175 per container trip; 
Project status: Progressing to Phase II trade lane testing. MATTS is 
scheduled to participate in Phase II trade lane tests with the CSD in 
September 2010; 
Expected completion (fiscal year): 2011. 

Source: GAO analysis of DHS S&T information. 

[End of table] 

In order for these container security technologies to provide the 
functionality that DHS desires, they must interface with readers--both 
handheld and fixed in place--that can use wireless communications to 
send commands to or gather operational or intrusion alarm status 
information from the technologies for CBP's use. Readers also serve as 
a means to arm and disarm ACSDs (including the sensor grid embedded in 
the Hybrid Composite Container) and CSDs. Because ACSDs and CSDs are 
mounted on the interior of a container in a manner that protects them 
from being physically accessed from outside of a container, a remote, 
wireless device such as a reader is needed to turn on the devices' 
intrusion detection functionality upon sealing the container (arming 
the device) and to turn off the devices' intrusion detection 
functionality when the container is opened by authorized parties 
(disarming the device). A handheld reader would also allow an official 
in close proximity to the container to detect and read the ACSD or CSD 
to determine if the container had been opened after it was sealed. In 
contrast, a fixed reader has a longer range and would be designed to 
automatically relay such status information to a centralized data 
center. ACSDs and CSDs must also support an encryption scheme for two 
reasons. First, commands to disarm a device must be encrypted to 
prevent unauthorized parties from circumventing the device by 
disarming it. Second, status information that a device sends may 
contain sensitive information, so status messages must be encrypted to 
protect the information during wireless transmission. Devices, such as 
handheld readers, would then be "trusted," in that they would have the 
ability to handle encrypted communications with ACSDs and CSDs. 
Appendix II provides further information on the planned communications 
system supporting ACSDs and CSDs. 

S&T Halted ACSD Funding during Phase I Laboratory Testing Because of 
Performance Deficiencies: 

According to S&T, because of deficiencies observed in Phase I 
laboratory testing, it is not currently funding the development of any 
vendor's ACSD prototype beyond Phase I laboratory testing. S&T 
officials added that L-3 Communications (L-3) and SAIC, the two 
vendors selected to participate in Phase I laboratory testing, did not 
demonstrate enough progress meeting the requirements. According to S&T 
and CSTE team officials, meeting the requirements of the ACSD program, 
including detecting intrusion on all six sides of a container, has 
proven to be very challenging. According to S&T, it may resume funding 
for the development of the SAIC ACSD if SAIC demonstrates sufficient 
improvement in its CSD, which uses similar technology. If no ACSD is 
found to demonstrate enough progress in meeting the requirements, 
performance standards will not be delivered for this project. Table 5 
summarizes the test results for the ACSDs. 

Table 5: Description of CSTE's Testing of the ACSD Prototypes: 

Vendor: L-3[A]; Testing status: Phase I laboratory testing was 
conducted from April to September 2008, and resulted in the CSTE team 
recommendation that no further testing be conducted; 
Test summary: 
* Installation was difficult and could potentially injure the 
installing personnel; 
* Device confounded by environmental noise; 
* Detected 10 percent of wall penetration events, but near 0 percent 
when the container was loaded with cargo near the device; 
* Detected 96 percent of door openings; 
* No specific environmental testing, but observed to possibly be 
vulnerable to damage from dropping and condensation. 

Vendor: SAIC[B]; Testing status: Phase I laboratory testing was 
conducted from April to June 2008, and resulted in the CSTE team 
recommendation that no further testing be conducted. Testing may 
resume if progress is made on SAIC's CSD; 
Test summary: 
* Installation was reasonable and safe, but includes a complicated 
calibration step; 
* Operation was inconsistent and unpredictable; 
* It could not reliably detect a 3-inch diameter hole in the 
container, but could more easily detect when an object is inserted 
into or removed from the container through such a hole; 
* Extensive false alarms occurred, so no specific environmental 
testing was done. 

Source: GAO analysis of DHS S&T information. 

[A] The L-3 ACSD is a large, 50-pound device that is to be mounted 
inside the container, above the door, and run the full width of the 
interior of the container. It relies on a suite of light, acoustic, 
carbon dioxide, and other sensors to detect intrusion and human 
presence inside a container. 

[B] The SAIC ACSD consists of a single unit mounted inside the 
container, over the door. It uses radio frequency resonance to detect 
intrusion attempts. The device emits radio frequency signals and 
monitors the characteristics of the reflected signal to infer any 
changes in the structure of the container. Changes in the radio 
frequency reflections may indicate an opening in the container. This 
technique may not be as effective on Hybrid Composite Containers. 

[End of table] 

During Phase I laboratory testing, conducted from April 2008 to 
September 2008, the L-3 ACSD prototype successfully detected container 
door openings. However, it failed to identify preexisting holes in 
containers, was unable to consistently detect wall intrusions in ideal 
(empty container) conditions, and was largely unable to detect wall 
intrusions in a loaded container. Consequently, the L-3 ACSD prototype 
failed the project requirement that a device detect a hole in a 
container. According to S&T, based on the conclusions of the CSTE 
Team, in October 2008, S&T decided not to fund the L-3 ACSD for 
additional testing and evaluation. 

During Phase I laboratory testing, conducted from April 2008 to June 
2008, the SAIC ACSD prototype detected door openings and closings, but 
it generated a false alarm rate higher than that permitted by the ACSD 
project requirements. Similar to the L-3 ACSD, in September 2008, the 
CSTE team concluded the SAIC ACSD was deficient. S&T decided that no 
further funding be provided to SAIC for the ACSD project. However, 
according to S&T officials, SAIC's ACSD prototype is closely related 
to that of its CSD (see below), and therefore, if SAIC's CSD 
demonstrates improvement, S&T will consider funding SAIC's ACSD for 
further tests and evaluations. 

CSD Performance Has Varied and S&T Anticipates One Vendor's CSD 
Prototype Will Begin Phase II Trade Lane Testing: 

Performance of the two CSD prototypes varied during Phase I laboratory 
testing and, according to the S&T program manager, Phase II trade lane 
testing is expected to begin for one of the prototypes in late 2010. 
S&T anticipates that Phase II trade lane testing will begin for the 
GTRI CSD in September 2010. According to S&T officials, the SAIC CSD 
began another round of Phase I laboratory testing in May 2010, but 
testing has since ceased due to the high false alarm rate the device 
exhibited. The S&T program manager expects to meet a November1, 2010, 
due date for completion of CSD performance standards for the Office of 
Policy Development and CBP. Table 6 summarizes the test results for 
the CSDs. 

Table 6: Description of CSTE's Testing of the CSD Prototypes: 

Vendor: GTRI[A]; 
Testing status: Phase I laboratory testing was conducted in 2007, and 
another round in 2009. A new version addressing the identified 
deficiencies was delivered to DHS in 2010. Phase II trade lane tests 
are anticipated to begin in September 2010; 
Test summary: 
* Installation was reasonable; 
* Detected 100 percent of door openings during valid tests; 
* CSTE noted false alarms or failures, or both, during temperature 
shock, humidity, and vibration tests; 
* Communications system required improved reliability and consistency; 
* Vulnerability testing revealed some weaknesses, such as a lack of 
built-in tamper resistance. 

Vendor: SAIC[B]; 
Testing status: Phase I laboratory testing was conducted from April to 
November 2008. A new version addressing the identified deficiencies 
was delivered to DHS in May 2010 and is being evaluated by the CSTE; 
Test summary: 
* Installation was reasonable and safe, but includes a complicated 
calibration step; 
* Detected 98 percent of door openings in empty containers and 96 
percent in loaded containers; 
* False alarm rates ranging from 0 to 100 percent occurred when the 
test team shifted the location of cargo in the container; 
* False alarms occurred during container stacking tests and during 
humidity, saltwater mist, static discharge, and vibration tests. 

Source: GAO analysis of DHS S&T information. 

[A] The GTRI CSD consists of three components--two door-mounted units, 
and a header-beam-mounted controller unit. The GTRI CSD uses light- 
emitting diodes and light sensors to measure the position of the 
container doors. The infrared light-emitting diodes in each of the two 
door units emit light pulses, which the controller unit authenticates 
as having come from a CSD door unit. The device alarms when it detects 
a door opening of 1 inch or greater, or a decrease in signal strength 
past a set threshold. 

[B] The SAIC CSD is identical in appearance and general function to 
the company's ACSD. The primary difference between the two devices is 
in the sensing algorithm. The ACSD attempts to monitor all six sides 
of the container, whereas the CSD is focused on detecting the opening 
or removal of the container doors. 

[End of table] 

While the GTRI CSD reliably and consistently detected container door 
openings, minor deficiencies in environmental durability and physical 
security were identified in the first set of Phase I laboratory 
testing. GTRI responded to the identified deficiencies and submitted a 
revised prototype for additional Phase I laboratory testing. According 
to the S&T program manager, S&T determined that GTRI appropriately 
modified its prototype to resolve the deficiencies identified in the 
last round of Phase I laboratory testing, and S&T plans to include 
this device in Phase II trade lane testing scheduled to begin in 
September 2010. The S&T program manager added that during Phase II 
trade lane testing, the CSD will be installed on containers that will 
travel from the Port of Shanghai, China, to Savannah, Georgia. Figure 
5 shows photographs of GTRI's and SAIC's CSDs, which are mounted on 
the interior of cargo containers. 

Figure 5: Photographs of GTRI's and SAIC's Container Security Devices: 

[Refer to PDF for image: 2 photographs] 

GTRI CSD mounted inside a container; 
SAIC CSD mounted inside a container, above container doors. 

Source: DHS. 

[End of figure] 

The SAIC CSD reliably and consistently detected door openings, but 
frequent false alarms, deficiencies in the connections of electrical 
components, and deficiencies in the device's installation and mounting 
system were identified during Phase I laboratory testing. According to 
SAIC, it is adjusting the detection algorithms, which is expected to 
reduce the device's sensitivity to normal cargo shifting during 
transit in an effort to reduce the device's false alarm rate, and it 
expects to simplify the installation procedure to address S&T's 
concerns. According to the S&T program manager, the new version of 
SAIC's CSD was delivered to S&T in May 2010 and during Phase I testing 
and evaluation it exhibited a high false alarm rate. 

The Hybrid Composite Container Project Has Demonstrated Potential, but 
S&T Terminated the Vendor's Contract during Phase I Laboratory Testing 
Because of Internal Management Issues: 

According to S&T, it terminated MSC's contract to build the composite 
container for the Hybrid Composite Container Project in June 2010 
because MSC was experiencing internal management issues that were 
preventing the project from progressing. MSC had been building an ISO- 
compliant 20-foot shipping container made out of a composite fiber 
material instead of steel. The container consists of 4-foot by 8-foot 
corrugated, fiber-reinforced polymer panels welded to a steel frame. 
Five of the panels are welded together to form a 20-foot container 
wall. The container is 15 percent lighter than a steel container of 
the same size, and according to an official at the University of Maine 
(a subcontractor to MSC), it is expected to exhibit three to five 
times greater resistance to corrosion than a steel container. Damaged 
panels must be replaced, however, rather than repaired with a patch as 
can be done on a steel container. The container incorporates an 
embedded sensor grid to provide six-sided intrusion detection. In 
addition to the sensor grid, the composite container is to use a CSD 
for door-opening detection. Finally, a communications chip is 
integrated into the sensor grid to allow for wireless communications 
with readers. 

Previous test results of the composite container indicate that the 
container would likely meet or exceed ISO standards and, therefore, be 
suitable for use in international trade. S&T selected GTRI to develop 
a sensor grid that could be embedded within the walls of the composite 
container to provide intrusion detection capability. The sensor grid 
provides ACSD-like security for the container in that a hole in the 
container wall would be detected by the sensor grid triggering an 
alarm. However, one of the composite panels with the embedded sensor 
grid failed durability testing conducted by the vendor. Although 
development of the composite container has been halted, S&T has 
directed GTRI to continue developing its sensor grid to address this 
deficiency because S&T is exploring other contracting options to 
continue the development of the composite container. According to S&T, 
it anticipates that work on the composite container will resume in 
September 2010. 

Marine Asset Tag Tracking System Is Progressing to Phase II Trade Lane 
Testing: 

One vendor, iControl, Inc., is currently being supported by S&T to 
develop MATTS, which includes the iTAG, a communications tag mounted 
on the exterior of containers, and the iGATE, a remote reader used to 
communicate with the iTAG. MATTS will participate in Phase II trade 
lane testing with the GTRI CSD in September 2010. MATTS provides the 
capability to globally track the location of containers. In addition, 
the MATTS iTag provides a long-range wireless communications system 
for CSD and ACSD devices.[Footnote 17] A CSD or ACSD device mounted on 
the interior of a container has a short-range wireless communications 
system, but the iTAG, when mounted outside of a container, can act as 
a relay to pass messages from the CSD or ACSD to centralized locations 
at a designated read point, such as a port of departure.[Footnote 18] 
The CSTE team conducted limited Phase I laboratory testing of the 
iTAG, but it did not conduct all needed laboratory testing because 
changes were still being made to the iTAG. According to the S&T 
program manager, the iTAG will undergo all required testing when it is 
produced in its final form. 

While MATTS has not undergone DHS's Phase II trade lane tests, 
iControl, Inc., conducted two trade lane tests of MATTS beginning in 
2007 and 2008. During each of these trade lane tests, iControl, Inc., 
placed 100 iTAGs on 100 cargo containers and shipped them from the 
Port of Yokohama, Japan, to the Port of Los Angeles. At the conclusion 
of these tests, 199 of the 200 MATTS iTAGs arrived at their 
destinations. However, the trade lane testing identified deficiencies 
with iControl, Inc.'s MATTS iTAG. Specifically, 13 to 15 percent of 
the iTAGs sustained damage during the tests, including loose 
connectors that affected the performance of the MATTS tags. In one 
test, power management features did not function as intended, 
resulting in battery usage in excess of that allowed by the project 
requirements. During the trade lane tests, iControl, Inc., did not 
test MATTS in conjunction with any ACSD or CSD prototypes. However, 
iControl, Inc., did test the environmental durability of the iTAG, as 
well as its power management and container tracking capabilities. 
According to the S&T program manager, the deficiencies identified in 
MATTS are being addressed by iControl, Inc., and a new version of the 
iTAG, in conjunction with the GTRI CSD device, will undergo Phase II 
trade lane testing from the Port of Shanghai, China, to Savannah, 
Georgia, in September 2010. The S&T program manager anticipates 
providing MATTS performance standards to the Office of Policy 
Development and CBP in December 2010. Figure 6 shows the MATTS tag 
mounted on a cargo container. 

Figure 6: Photograph of iControl, Inc.'s MATTS Tag: 

[Refer to PDF for image: photograph] 

iControl's MATTS tag mounted on the outside of a container, above 
container doors. 

Source: DHS. 

[End of figure] 

Testing All Operational Scenarios Would Enable S&T to Better Determine 
the Performance of Container Security Technologies in Their Intended 
Operational Environments: 

Before S&T can provide container security technology performance 
standards to the Office of Policy Development and CBP, all technology 
prototypes have to undergo Phase II trade lane testing, according to 
the master test plans. According to S&T, the MATTS tag and GTRI's CSD 
are expected to undergo Phase II trade lane testing in September 2010. 
However, S&T's plans for conducting Phase II trade lane testing of 
these container security technologies do not reflect all the 
operational scenarios agreed upon within DHS for how the technologies 
could be implemented. S&T's master test plans define Phase II trade 
lane testing as 100 maritime moves to a U.S. port. However, some of 
the operational scenarios being considered for implementation by the 
Office of Policy Development and CBP involve using technologies on 
cargo containers that would either not be placed on a vessel, or only 
applied during overland shipping after their arrival in the United 
States.[Footnote 19] Before S&T can provide performance standards, per 
the technology transition agreements signed by S&T, the Office of 
Policy Development, and CBP, the technologies are to have been proven 
to work in their final form and under expected operational conditions. 
DHS acknowledged that the testing is limited and that future testing 
should reflect all the operational scenarios. Unless the container 
security technologies are tested in all operational scenarios, the 
performance standards that are delivered by S&T to the Office of 
Policy Development and CBP may not fully meet DHS's or CBP's needs. 
Our prior work has shown that when operational requirements are not 
established prior to acquisition, it can negatively affect program 
performance.[Footnote 20] Conducting Phase II trade lane testing for 
the container security technologies consistent with all operational 
scenarios would better position S&T to determine if the technologies 
will be suitable for use in their intended operational environments. 

Key Steps and Challenges Remain before Implementation of Container 
Security Technologies Can Move Forward: 

If S&T determines that the container security technologies are mature 
enough to provide performance standards for these technologies to the 
Office of Policy Development and CBP, key steps and associated 
challenges remain before DHS and CBP can implement the container 
security technologies in the supply chain that meet those performance 
standards. Based on our discussions with Office of Policy Development 
and CBP officials, we identified three key steps that remain before 
implementation can occur: (1) obtaining support from trade industry 
and international partners, (2) developing a concept of operations 
(CONOPS)[Footnote 21] that describes how the technologies are to be 
deployed, and (3) certifying the technologies for use in the supply 
chain. According to Office of Policy Development and CBP officials, 
they will take these steps if and when S&T is able to provide 
performance standards. Our work indicates that the Office of Policy 
Development and CBP could face challenges when executing some of these 
steps. 

Obtaining Trade Industry and International Partners' Support to 
Implement Container Security Technologies Could Be Challenging: 

DHS could face challenges in obtaining support from the trade industry 
and international partners as it pursues implementation of the 
container security technologies. According to an Office of Policy 
Development director, there are two approaches DHS could likely pursue 
to implement container security technologies--mandatory or voluntary 
participation by the trade industry. The director added that if DHS 
determines that the universal use of container technologies would 
provide a worthwhile security benefit, DHS would likely pursue a 
rulemaking approach to mandate the use of the technologies on all U.S.-
bound containers. If DHS determines that the technologies would be 
primarily beneficial in a more limited portion of the supply chain, 
though, it would work with the trade industry to encourage voluntary 
use of the technologies. Some members of the trade industry we spoke 
with were resistant to purchasing and using the technologies given the 
number of container security programs they already have to comply 
with.[Footnote 22] Representatives of the World Shipping Council and 
both vessel carriers we spoke with questioned the role of vessel 
carriers in implementation because of the uncertainties that presently 
exist concerning how the technologies could be implemented and which 
parties are to be involved. The representatives of the two vessel 
carriers we spoke with expressed interest in purchasing the Hybrid 
Composite Container because of the commercial benefit that could be 
provided by its reduced weight, but they added that they are not 
interested in spending additional money on the embedded sensor grid 
that is to provide the security benefit. Further, the importers we 
spoke with questioned their role and whether they have the authority 
to affix technologies on containers they do not own, as the containers 
they use are typically leased. 

If CBP adopts a voluntary approach, it may also have challenges 
getting support from C-TPAT members--its trusted private sector 
partners. Container security technologies could provide security 
benefits in the supply chain, but using technology that detects 
intrusion into a cargo container when there is no assurance illicit 
materials or contraband were not earlier introduced could give the 
false impression that the container is secure or could have the effect 
of potentially locking dangerous or illicit cargo in a container. 
Since C-TPAT members are committed to a comprehensive security 
process, including procedures for securing containers at the point of 
packing, they provide such assurance. According to DHS's 2007 Strategy 
to Enhance International Supply Chain Security,[Footnote 23] the 
department intended to use C- TPAT Tier III[Footnote 24] members to 
implement commercially available container security devices that CBP 
previously tested. However, C-TPAT Tier III members we spoke with were 
resistant to the idea of having to purchase and use technologies, such 
as the CSD and ACSD, on their containers to maintain their Tier III 
status. In particular, some of the members stated that from a 
financial standpoint, the additional benefit of reduced number of 
container inspections that CBP provided to Tier III members over Tier 
II[Footnote 25] members, would not outweigh the costs of using the 
technologies. As a result, they stated that they would likely 
downgrade to Tier II status rather than have to purchase the 
technologies. The C-TPAT Tier III members, as well as other trade 
industry representatives we spoke with, said DHS should demonstrate, 
through a risk-benefit analysis, that using the technologies would 
provide a clear security benefit before making the use of such 
technologies a requirement. CBP officials told us that they are aware 
that the trade industry is generally not willing to spend money on 
container security technologies and that C-TPAT members question 
whether the cost is worth the benefit. 

In addition to obtaining trade industry support, DHS will also need to 
obtain support from international organizations and WCO to implement 
the new container security technologies. In order for the container 
security technologies to be admitted into foreign countries without 
being subject to import duties and taxes, as well as import 
prohibitions and restrictions, the technologies first have to be 
recognized as accessories and equipment of the containers under the 
Customs Convention on Containers. The convention essentially provides 
for the temporary admission and reexportation of containers and their 
accessories and equipment that meet certain requirements without the 
imposition of duties or taxes by any customs authority. According to a 
WCO director, while an individual device attached to a container most 
likely would be viewed as an accessory to the container, if multiple 
devices are shipped in bulk for reuse on other containers, the 
question of how to treat them for import duty purposes would be more 
difficult. He also noted that, if requested by a member country, WCO 
could provide an advisory opinion as to whether the technologies 
should be treated as container accessories and equipment pursuant to 
the Customs Convention on Containers, but the ultimate decision as to 
whether to classify the technologies as exempt from import duties and 
taxes resides with each individual foreign government. 

Other options under consideration for how the container security 
technologies are to be implemented would also require support from 
foreign governments. CBP officials told us that they are considering 
implementing the use of container security technologies in high-risk 
trade lanes--trade routes that have been determined to pose the 
highest risk of transporting threats to the United States. S&T 
officials stated that another option would be to use the technologies 
on cargo containers departing from ports participating in the 
Container Security Initiative.[Footnote 26] CBP officials recognize 
that they will need to work with international partners, and plan to 
do so when S&T provides performance standards. 

Developing a Feasible Concept of Operations Could Prove Difficult: 

The successful implementation of container security technologies 
depends on the security procedures throughout the supply chain as well 
as the people engaged in those procedures. These procedures are 
typically documented in a concept of operations (CONOPS)---a user- 
oriented document that describes how an asset is to be employed and 
supported from the users' viewpoint. A CONOPS also describes the 
operations that must be performed, who must perform them, and where 
and how the operations will be carried out. DHS and CBP could face 
challenges developing a feasible CONOPS that addresses the necessary 
technology infrastructure needs and protocols. Container security 
technologies require a supporting technology infrastructure, including 
readers to communicate to customs officials whether a technology has 
identified an unauthorized intrusion, and a means to capture and store 
the data. CBP will be faced with determining who will have access to 
the container security technologies through readers, where to place 
these readers, and obtaining permission to install fixed readers at 
both domestic and foreign ports. Prior work we conducted on container 
scanning technologies identified challenges in obtaining permission 
and space from terminal operators at both domestic and foreign ports 
to install equipment.[Footnote 27] Further, several pilots previously 
conducted to test the feasibility of using container security 
technologies have also noted challenges with establishing the reader 
infrastructure at ports. For example, during Operation Safe Commerce, 
difficulties were encountered with the installation and maintenance of 
fixed readers at both foreign and domestic ports.[Footnote 28] 
Furthermore, several foreign ports did not allow installation of the 
fixed readers, and problems were also encountered in installing and 
maintaining power to fixed readers at domestic port facilities. In 
addition, databases are needed to collect the data obtained by the 
readers from the container security technologies. Pilots have also 
demonstrated the challenges with establishing information systems to 
collect the data provided by the technologies. 

Establishing protocols regarding which supply chain participants will 
be involved in arming and disarming the technologies, reading the 
status messages generated by the technologies, responding to alarms, 
and accessing data will also be important. For example, if the CONOPS 
calls for technologies to first be affixed to a container at the point 
of packing, it will require the packers to have the ability to first 
install and arm the technologies. The packing of goods into cargo 
containers can be handled by a number of different parties, including 
the shipper (i.e., seller), a third-party consolidator, or the buyer. 
Regardless of which party is packing the container, these participants 
have the last visual check of the goods before they are sealed for 
transport. At any point during the transfer of the container from its 
packing point to the port of embarkation, foreign customs may need to 
stop and open a container for inspection. In these instances, it will 
be important to ensure foreign customs officials have the ability to 
arm and disarm the technologies so they can open a container without 
triggering the alarm. Response protocols will need to be developed 
that include information on which parties are to respond to an alarm 
and the associated processes for responding. While CBP would likely 
respond to a container alarm by first scanning the container with NII 
equipment to mitigate any potential danger to a CBP officer entering 
the container to conduct a physical examination, CBP officers may not 
be nearby when an alarm occurs, particularly if it occurs during a 
container's transport to a foreign port, at a non-Container Security 
Initiative port, or while on a vessel in-transit. Furthermore, CBP 
will also need to consider whether foreign governments' customs 
agencies will be allowed access to the data generated by the 
technologies on containers departing their respective ports. 

CBP Plans to Certify Technologies before They Can Be Used in the 
Supply Chain: 

Once a CONOPS is developed, certification testing can take place to 
determine the suitability of technologies consistent with the CONOPS. 
According to CBP officials, CBP plans to conduct certification testing 
to demonstrate whether technology products meet the performance 
standards issued by S&T and are suitable for implementation consistent 
with its operational concept. CBP officials stated they would begin 
the certification process by issuing a request for information seeking 
vendors to submit technologies for certification testing. Interested 
container security technology vendors would submit their products to 
CBP for certification testing, which consists of a mix of laboratory 
and trade lane testing to demonstrate whether the products meet the 
performance standards. According to CBP officials, they would 
determine a means to select vendor products for testing and then 
establish detailed methods to test and evaluate the technology 
products submitted by the vendors. 

Office of Policy Development and CBP officials we spoke with 
anticipate certification testing would take approximately 3 to 4 
months. The officials added that in advance of the testing, 
preparation time is needed to solicit participants from the trade 
industry and select trade lanes for testing. After conducting the 
tests, additional time will be needed to analyze the results to 
determine if the vendor's technology product will function as intended 
in the supply chain. If a technology product successfully completes 
certification testing, DHS will certify it as meeting its standards 
and the trade industry would be able to purchase it for use in the 
supply chain. Technologies that are successful during certification 
testing are expected to be implemented in the supply chain, according 
to an Office of Policy Development director. Figure 7 shows the 
process of developing an approved products list. 

Figure 7: Certification Testing Process: 

[Refer to PDF for image: illustration] 

DHS S&T roles: 

Phase I: Laboratory Testing; 
Phase II: Trade Lane Testing; 
Delivery of Performance Standards to DHS Office of Policy Development 
and CBP. 

CBP roles: 

Certification Testing; 
Approval Product List. 

Source: GAO analysis of DHS S&T information. 

[End of figure] 

Conclusions: 

Container security technologies have the potential to contribute to 
CBP's layered security strategy by tracking containers, and detecting 
and reporting intrusions, while containers move through the supply 
chain. S&T has made progress in testing and evaluating certain 
container security technologies, and continues to work with vendors to 
develop these technologies, but challenges continue in finding 
technologies that can provide intrusion detection through any of the 
six sides of a container. The ACSD project is not currently being 
funded due to the deficiencies identified during Phase I laboratory 
testing and the Hybrid Composite Container project is undergoing 
contract negotiations to resume work on the composite container after 
challenges were encountered with the vendor. In contrast, the CSD and 
MATTS projects--which will provide intrusion detection through 
container doors and a communications system, respectively--are nearing 
their completion and S&T expects to deliver performance standards to 
the Office of Policy Development and CBP by the end of 2010. Before 
delivering the performance standards, S&T must demonstrate that these 
container security technologies can work in the operational 
environments in which they are intended to be used. However, the 
operational environment testing that S&T plans to conduct is limited 
to the maritime environment and does not fully address the operational 
scenarios being considered by the Office of Policy Development and 
CBP. Until all intended operational scenarios are tested, S&T cannot 
provide reasonable assurance that the container security technologies 
would effectively function in all the operational scenarios identified 
by the Office of Policy Development and CBP for potential 
implementation. Conducting Phase II trade lane testing for the 
container security technologies in all intended operational scenarios 
would better position S&T to determine if the technologies will be 
suitable for use in their intended operational environments. 

Recommendation for Executive Action: 

To ensure that the container security technologies being developed 
will function in their intended operational environments, we recommend 
that the Secretary of Homeland Security instruct the Assistant 
Secretary of the Office of Policy, the Commissioner of U.S. Customs 
and Border Protection, and the Under Secretary of the Science and 
Technology Directorate, to test and evaluate the container security 
technologies consistent with all of the operational scenarios DHS 
identified for potential implementation, before S&T provides 
performance standards to the Office of Policy Development and CBP. 

Agency Comments: 

We provided draft copies of this report to the Secretaries of Homeland 
Security, Energy, and Defense for review and comments. DOE and DOD did 
not provide official written comments to include in the report. DHS 
provided official written comments, which are reprinted in appendix 
III. DHS concurred with our recommendation. In addition, DHS and CBP 
provided technical comments, which we incorporated as appropriate. In 
response to DHS's technical comments and subsequent discussion with 
agency officials, we modified our recommendation to clarify its intent 
that DHS test and evaluate container security technologies consistent 
with all of the operational scenarios it has identified for potential 
implementation. 

We are sending copies of this report to the Secretaries of Homeland 
Security, Energy, and Defense; and interested congressional 
committees. In addition, the report will be available on GAO's Web 
site at [hyperlink, http://www.gao.gov]. 

If you or your staff members have any questions about this report, 
please contact Stephen L. Caldwell at (202) 512-9610 or Timothy M. 
Persons at (202) 512-6412, or by e-mail at caldwells@gao.gov or 
personst@gao.gov, respectively. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. Key contributors to this report are listed in 
appendix IV. 

Sincerely yours, 

Signed by: 

Stephen L. Caldwell: 
Director, Homeland Security and Justice: 

Signed by: 

Timothy M. Persons, Ph.D.
Chief Scientist:
Director, Center for Science, Technology, and Engineering: 

[End of section] 

Appendix I: Vendors Selected to Participate in Container Security 
Technology Projects: 

This appendix provides information on how the Department of Homeland 
Security's (DHS) Science and Technology (S&T) Directorate selected 
vendors to participate in the four container security technology 
projects. S&T used a multiple-round process to select vendors' 
technologies for development. Several vendors responded to S&T's 2004 
broad agency announcement (BAA) for the Advanced Container Security 
Device (ACSD) project and 2003 small business innovative research 
(SBIR) solicitation for the Marine Asset Tag Tracking System (MATTS). 
Respondents' technology proposals were evaluated on their ability to 
meet the project requirements, and those considered to be viable were 
selected by S&T to participate in Round I. S&T selected vendors for 
subsequent rounds of development based on vendor performance and 
proposals. Vendor selection for the Container Security Device (CSD) 
project was based on the performance of prototypes during Round I of 
the ACSD project. Similarly, selection for the Hybrid Composite 
Container project was based on performance in the ACSD project. Table 
7 provides information on the vendors selected to participate in each 
of the projects and the funds provided to the vendors. 

Table 7: Selection and Funding of Vendors for Development of Container 
Security Technologies: 

Project name: Advanced Container Security Device (ACSD); 
Timeline of vendor selection: 2004--BAA published; 
Funds provided to vendors (dollars in millions): not applicable; 
Number of vendor awards: 30 respondents. 

Project name: Advanced Container Security Device (ACSD); 
Timeline of vendor selection: 2005--Round I; 
Funds provided to vendors (dollars in millions): $3.4; 
Number of vendor awards: 5 awardees. 

Project name: Advanced Container Security Device (ACSD); 
Timeline of vendor selection: 2006--Round II; 
Funds provided to vendors (dollars in millions): $6.1; 
Number of vendor awards: 2 awardees: L-3 Communications and SAIC. 

Project name: Container Security Device (CSD); 
Timeline of vendor selection: 2006--Project initiated during Round II 
of ACSD project to provide interim door sensor capabilities while ACSD 
progressed; 
Funds provided to vendors (dollars in millions): $2.7; 
Number of vendor awards: 2 awardees: GTRI and SAIC (selected from the 
ACSD project). 

Project name: Hybrid Composite Container; 
Timeline of vendor selection: 2005--Project initiated during ACSD 
project to provide ACSD capability in a composite container; 
Funds provided to vendors (dollars in millions): 5.8; 
Number of vendor awards: 2 awardees: Maine Secure Composites 
(composite container) and GTRI (sensor grid). 

Project name: Marine Asset Tag Tracking System (MATTS); 
Timeline of vendor selection: 2003--SBIR solicitation; 
Funds provided to vendors (dollars in millions): not applicable; 
[Empty]; Number of vendor awards: 85 respondents. 

Project name: Marine Asset Tag Tracking System (MATTS); 
Timeline of vendor selection: 2004--Round I; 
Funds provided to vendors (dollars in millions): $1.4; 
Number of vendor awards: 14 awardees. 

Project name: Marine Asset Tag Tracking System (MATTS); 
Timeline of vendor selection: 2005--Round II; 
Funds provided to vendors (dollars in millions): $2.4; 
Number of vendor awards: 3 awardees. 

Project name: Marine Asset Tag Tracking System (MATTS); 
Timeline of vendor selection: 2006--Round III; 
Funds provided to vendors (dollars in millions): $2.3; 
Number of vendor awards: 1 awardee: iControl, Inc. 

Source: GAO analysis of DHS S&T information. 

[End of table] 

[End of section] 

Appendix II: Description of Container Security Technologies' 
Communications Systems: 

Appendix II provides information on the communications system used to 
support container security technologies. Because ACSDs (including the 
sensor grid embedded in the Hybrid Composite Container) and CSDs are 
mounted inside of a container without a physical connection accessible 
from the outside of a closed container, a wireless communications 
system is to facilitate the remote arming (activating the intrusion 
detection capabilities) and disarming (deactivating the intrusion 
detection) of the ACSDs or CSDs. Furthermore, the communications 
system is to allow U.S. Customs and Border Protection (CBP) remote 
access to status information from an ACSD or CSD, including 
information about the health of the device and whether the device had 
detected an intrusion. 

ACSDs and CSDs are intended to be a single component of a larger 
Security Device System, which may also include the following 
components (see figure 8): 

* Communications Modules (CM): These devices are mounted on the 
exterior of a container. A CM is to relay status information from an 
ACSD or CSD to a fixed status reader using radio frequency (RF) at 2.4 
GHz or cellular communications. iControl, Inc. is developing a device 
known as the iTAG under the MATTS project to serve as a CM. 

* Fixed status readers: These devices are to receive status 
information from ACSDs or CSDs located within 100 feet of the reader 
(or status updates relayed by a CM) and relay that status information 
using a variety of methods, such as RF, cellular, or Ethernet access, 
to a centralized data center. iControl, Inc., is developing a device 
known as the iGATE under the MATTS project to serve as a fixed status 
reader. 

* Handheld readers: These are to be used by CBP or other authorized 
parties to receive status information from ACSDs or CSDs located 
within 10 feet of the reader. 

* Centralized data centers: These centers are to receive status 
information from CMs and readers and allow CBP or other authorized 
parties to remotely monitor status information from all ACSDs and CSDs 
in the area served by the data center. 

Figure 8: Security Device System Supporting Container Security 
Technology Communications: 

[Refer to PDF for image: illustration] 

Depicted on the illustration: 

Container: CSD/ACSD; 
Container: CSD/ACSD (Trusted); 
Communication module; 
Communication module (Trusted); 
Handheld reader (Trusted); 
Fixed reader; 
Connection (RF); 
Connection (RF/cellular/other); 
Data Center (Trusted); CBP database. 

Source: GAO analysis of DHS S&T information. 

[End of figure] 

ACSDs and CSDs should be able to communicate to a reader with or 
without the use of a CM. If no CM is mounted with an ACSD or CSD, the 
ACSD or CSD can communicate--by means of short-range RF at 2.4 GHz 
using communications capabilities on the ACSD or CSD itself--intrusion 
alerts and periodic general status updates to a fixed status reader 
located within 100 feet of the monitored container or to a handheld 
reader located within 10 feet of the monitored container. If a CM is 
associated with an ACSD or CSD, the ACSD or CSD can use short-range RF 
communications to relay messages through its CM to a more remote 
reader. If an ACSD or CSD needs to send status information to the data 
center while out of range of a reader, the external CM can attempt to 
relay the information through other CMs mounted on nearby containers 
until a reader is in range. This relayed communications process is 
known as "meshing." Similarly, if a reader is unable to communicate to 
the data center, it may attempt to pass messages to other nearby 
readers until communication with the data center is achieved. 

Secure data generated by the ACSDs and CSDs are to be protected by 
translating the data into an unreadable form using a code 
(encryption). This encryption is to occur directly on the ACSDs and 
CSDs to avoid possible interception of confidential information 
transmitted during normal operation. Transmitted information includes 
security-related information used by CBP to determine the status of a 
container, but it may also include proprietary shipping information 
used by carriers or shippers (although such information must be 
encrypted separately). The encryption scheme also allows remote 
disarming of the devices (arming need not be done with an encrypted 
command), as only those devices with the encryption key will be 
capable of sending commands that the ACSDs or CSDs will recognize. The 
ACSDs, CSDs, handheld readers, and data centers (but not the fixed 
readers, as they are unattended and insecure) will be provided with 
the encryption key, allowing these components of the Security Device 
System to exchange information in a secure manner. 

Communication of status information to remote readers for transfer to 
a data center is to occur, at minimum, at all points where reading is 
specified by DHS. These read points include the point of packing, the 
entrance gate at the port of departure, the exit gate at the port of 
arrival, and the entrance gate at the point of deconsolidation (where 
a container is unpacked). Communications should be designed in a 
nonproprietary format designed specifically for this application. This 
standard ensures that a Security Device System is permissible under 
all necessary international communications standards. 

[End of section] 

Appendix III: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

September 21, 2010: 

Stephen L. Caldwell: 
Director, Homeland Security and Justice: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Caldwell: 

RE: Response to Draft Report GAO-10-887SU, Supply Chain Security: To 
Ensure Effective Testing of Container Security Technologies, DHS 
Components Should Agree on How They Will Be Used (GAO 440824). 

Thank you for the opportunity to review and comment on the Government 
Accountability Office's (GAO) draft report referenced above. 

The Department of Homeland Security (DHS), including the Office of 
Policy (Policy), U.S. Customs and Border Protection (CBP) and Science 
and Technology (S&T), appreciates the investigative team's review of 
ongoing efforts to develop conveyance security technologies that can 
enhance the security of goods moving across our borders and traveling 
within our Nation. We appreciate the professionalism and subject 
matter expertise demonstrated by GAO's team members in conducting this 
review. 

DHS concurs with the sole recommendation in this report that container 
security technologies should be tested and evaluated consistent with 
each of the intended operational scenarios before S&T provides 
performance standards to Policy and CBP. DHS agrees that 
identification of operational scenarios is a necessary prerequisite to 
the research and development process and the creation of performance 
standards; as discussed in the report, CBP. Policy, and S&T have 
identified a number of scenarios where technologies have the potential 
to be implemented in the future and therefore should be tested. 

However, as a matter of additional clarification, DHS does not 
anticipate completion of testing in all possible operational scenarios 
prior to delivery of any container security technology performance 
standards to CBP and Policy. For example, the performance standards 
currently under development by S&T for a Container Security Device 
(CSD) reflect the first generation of such a device and are focused 
exclusively on maritime container routes. Phase II trade lane testing 
master plans, and any resulting performance standards, therefore will 
reflect only one of the many operational scenarios previously agreed 
upon within DHS. This 'phased approach' for delivery of performance 
standards to CBP and Policy will permit additional time and 
opportunity for consideration of potential implementation of these 
devices in specific, limited trade routes. 

DHS remains committed to also pursing technologies that will work 
within different types of routes in the air and sea environments, as 
well as inter-modally (for example, within or between a sea and land 
route). While a technology that works within a single mode of 
transport is a start, DHS acknowledges that the complexity and inter-
connectedness of global supply chains and transportation systems 
necessitate more comprehensive solutions. 

That said, DHS anticipates future work on CSD technologies for non-
maritime routes or on devices that can be used even as goods 
transition between transportation systems in the coming years. The 
development, testing, and resulting performance standards will be 
based on the operational scenarios that have been identified to-date, 
as well as scenarios that may be proposed as our knowledge of supply 
chains continues to evolve. In fact, DHS is considering a pilot in 
Fiscal Year 2011 to evaluate potential applications for different 
types of container security technologies, including a CSD for non-
maritime environments and the Marine Asset Tag Tracking System (MATTS) 
for several cross-border surface routes. 

Once again, thank you for the opportunity to comment on this draft 
report. We look forward to working with you on future homeland 
security issues. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Stephen L. Caldwell, (202) 512-9610 or caldwells@gao.gov: 

Timothy M. Persons, (202) 512-6412 or personst@gao.gov: 

Staff Acknowledgments: 

In addition to the contacts named above, Christopher Conrad and 
Richard Hung, Assistant Directors, and Lisa Canini, Analyst-in-Charge, 
managed this review. Leah Anderson, Alana Finley, Scott Fletcher, Adam 
Mirvis, and Matthew Tabbert made significant contributions to the 
work. In addition, Stanley Kostyla assisted with design and 
methodology; Frances Cook provided legal support; Katherine Davis and 
Lara Miklozek provided assistance in report preparation; and Pille 
Anvelt and Avy Ashery helped develop the report's graphics. 

[End of section] 

Glossary: 

The terms below are defined for the purposes of this GAO report. 

Cargo: 

The freight (goods or products) carried by a vessel, barge, train, 
truck, or plane. 

Concept of Operations (CONOPS): 

A CONOPS is a user-oriented document that describes how an asset, 
system, or capability will be employed and supported from the users' 
viewpoint. A CONOPS also describes the operations that must be 
performed, who must perform them, and where and how the operations 
will be carried out. 

Consolidator: 

The party who packs the container or arranges for the packing of the 
container. 

Container: 

A box made of aluminum, steel, or fiberglass used to transport cargo 
by ship, rail, truck, or barge. Common dimensions are about 20 feet x 
8 feet x 8 feet (called a TEU, or 20-foot-equivalent unit) or about 40 
feet x 8 feet x 8 feet. 

Customs: 

Government agency charged with enforcing the laws and rules passed to 
enforce the country's import and export revenues. In the United States 
these responsibilities are handled by U.S. Customs and Border 
Protection. 

Customs Broker: 

The person who prepares the needed documentation for importing goods 
(just as a freight forwarder does for exports). In the United States, 
the broker is licensed under federal regulations to act on behalf of 
others in conducting transactions related to federal import and export 
requirements. 

Exporter: 

A person or company that is responsible for the sending of goods out 
of one country to another. 

Freight Forwarder: 

An individual or company that prepares the documentation and 
coordinates the movement and storage of export cargoes. See also 
customs broker. 

Importer: 

A person or company that brings in goods from a foreign country. 

Maritime Move: 

A one-way trip through the supply chain from stuffing to U.S. port of 
arrival on an ocean-going vessel. 

Nonintrusive Inspection: 

Using technologies to scan the contents of a container without opening 
the container. 

Non-vessel operating common carrier: 

A non-vessel operating common carrier buys space aboard a ship to get 
a lower volume rate and then sells that space to various small 
shippers, consolidates their freight, issues bills of lading, and 
books space aboard a ship. 

Performance Standards: 

Requirements that must be met by products to ensure they will function 
as intended. 

Physical Inspection: 

The opening of a container and removal of its contents for inspection. 

Probability of Detection: 

The likelihood that a device will properly alarm when in the armed 
mode. 

Probability of False Alarm: 

The likelihood that a device will improperly alarm, when in the armed 
mode, due to environmental conditions or conditions other than opening 
or removing the door(s). 

Prototype: 

A functional preproduction version of a new type of product. 

Red Teaming: 

Red teaming is performed from the perspective of an attacker with 
malevolent intentions, to identify and exploit weaknesses in a 
technology. The results of these tests allow for a better 
understanding of the risk associated with the corresponding device or 
system. 

Scanning: 

Nonintrusively inspecting the contents of a container using 
technologies. 

Screening: 

Assessing the security risk posed by a container based on available 
information. 

Shipper: 

The person or company that is usually the supplier or owner of 
commodities shipped. 

Supply Chain: 

The international network of retailers, distributors, transporters, 
storage facilities and suppliers that participate in the sale, 
delivery, and production of goods. 

Trade Lane: 

A sea route ordinarily used by vessels. 

Twenty-Foot Equivalent Unit (TEU): 

A unit of measurement equal to the space occupied by a standard 20-
foot container. Used in stating the capacity of container vessel or 
storage area. One 40-foot container is equal to 2 TEUs. 

Vendor: 

An entity that develops container security technology prototypes. 

Vessel: 

A ship or large boat. 

Vessel Carrier: 

Any person or entity who, in a contract of carriage, undertakes to 
perform or to procure the performance of carriage by sea. 

Vessel Manifest: 

Includes, among other things, a list of cargo being carried by the 
vessel. 

[End of section] 

Related GAO Products: 

Maritime Security: DHS Progress and Challenges in Key Areas of Port 
Security. [hyperlink, http://www.gao.gov/products/GAO-10-940T]. 
Washington, D.C.: July 21, 2010. 

Combating Nuclear Smuggling: DHS Has Made Some Progress but Not Yet 
Completed a Strategic Plan for Its Global Nuclear Detection Efforts or 
Closed Identified Gaps. [hyperlink, 
http://www.gao.gov/products/GAO-10-883T]. Washington, D.C.: June 30, 
2010. 

Supply Chain Security: Feasibility and Cost-Benefit Analysis Would 
Assist DHS and Congress in Assessing and Implementing the Requirement 
to Scan 100 Percent of U.S.-Bound Containers. [hyperlink, 
http://www.gao.gov/products/GAO-10-12]. Washington, D.C.: October 30, 
2009. 

Combating Nuclear Smuggling: DHS Improved Testing of Advanced 
Radiation Detection Portal Monitors, but Preliminary Results Show 
Limits of the New Technology. [hyperlink, 
http://www.gao.gov/products/GAO-09-655]. Washington, D.C.: May 21, 
2009. 

Combating Nuclear Smuggling: DHS's Phase 3 Test Report on Advanced 
Portal Monitors Does Not Fully Disclose the Limitations of the Test 
Results. [hyperlink, http://www.gao.gov/products/GAO-08-979]. 
Washington, D.C.: September 20, 2008. 

Supply Chain Security: CBP Works with International Entities to 
Promote Global Customs Security Standards and Initiatives, but 
Challenges Remain. [hyperlink, 
http://www.gao.gov/products/GAO-08-538]. Washington, D.C.: August 15, 
2008: 

Supply Chain Security: Challenges to Scanning 100 Percent of U.S.-
Bound Cargo Containers. [hyperlink, 
http://www.gao.gov/products/GAO-08-533T]. Washington, D.C.: June 12, 
2008. 

Supply Chain Security: Examinations of High-Risk Cargo at Foreign 
Seaports Have Increased, but Improved Data Collection and Performance 
Measures Are Needed. [hyperlink, 
http://www.gao.gov/products/GAO-08-187]. Washington, D.C.: January 25, 
2008. 

Maritime Security: The SAFE Port Act: Status and Implementation One 
Year Later. [hyperlink, http://www.gao.gov/products/GAO-08-126T]. 
Washington, D.C.: October 30, 2007. 

Maritime Security: One Year Later: A Progress Report on the SAFE Port 
Act. [hyperlink, http://www.gao.gov/products/GAO-08-171T]. Washington, 
D.C.: October 16, 2007. 

Maritime Security: The SAFE Port Act and Efforts to Secure Our 
Nation's Seaports. [hyperlink, 
http://www.gao.gov/products/GAO-08-86T]. Washington, D.C.: October 4, 
2007. 

International Trade: Persistent Weaknesses in the In-Bond Cargo System 
Impede Customs and Border Protection's Ability to Address Revenue, 
Trade, and Security Concerns. [hyperlink, 
http://www.gao.gov/products/GAO-07-561]. Washington, D.C.: April 17, 
2007. 

Cargo Container Inspections: Preliminary Observations on the Status of 
Efforts to Improve the Automated Targeting System. [hyperlink, 
http://www.gao.gov/products/GAO-06-591T]. Washington, D.C.: March 30, 
2006. 

Homeland Security: Key Cargo Security Programs Can Be Improved. 
[hyperlink, http://www.gao.gov/products/GAO-05-466T]. Washington, 
D.C.: May 26, 2005. 

Container Security: A Flexible Staffing Model and Minimum Equipment 
Requirements Would Improve Overseas Targeting and Inspection Efforts. 
[hyperlink, http://www.gao.gov/products/GAO-05-557]. Washington, D.C.: 
April 26, 2005. 

Preventing Nuclear Smuggling: DOE Has Made Limited Progress in 
Installing Radiation Detection Equipment at Highest Priority Foreign 
Seaports. [hyperlink, http://www.gao.gov/products/GAO-05-375]. 
Washington, D.C.: March 31, 2005. 

[End of section] 

Footnotes: 

[1] We have previously reviewed components of CBP's layered security 
strategy. See, for example, GAO, Supply Chain Security: Feasibility 
and Cost-Benefit Analysis Would Assist DHS and Congress in Assessing 
and Implementing the Requirement to Scan 100 Percent of U.S.-Bound 
Containers, [hyperlink, http://www.gao.gov/products/GAO-10-12] 
(Washington, D.C.: Oct. 30, 2009); Supply Chain Security: Examinations 
of High-Risk Cargo at Foreign Seaports Have Increased, but Improved 
Data Collection and Performance Measures Are Needed, [hyperlink, 
http://www.gao.gov/products/GAO-08-187] (Washington, D.C.: Jan. 25, 
2008); and Supply Chain Security: U.S. Customs and Border Protection 
Has Enhanced Its Partnership with Import Trade Sectors, but Challenges 
Remain in Verifying Security Practices, [hyperlink, 
http://www.gao.gov/products/GAO-08-240] (Washington, D.C.: Apr. 25, 
2008). 

[2] The container security technology projects will not directly lead 
to a DHS acquisition program, as it is envisioned that the trade 
industry will purchase the technologies, but rather are intended to 
demonstrate the ability of the technologies to meet DHS's technical 
requirements. 

[3] The Office of Policy Development is located within DHS's Office of 
Policy. 

[4] DHS, Developing Operational Requirements: A Guide to the Cost 
Effective and Efficient Communication of Needs, Version 2.0 (November 
2008). 

[5] Through the C-TPAT program, CBP develops voluntary partnerships 
with members of the international trade community comprised of 
importers; manufacturers; customs brokers; forwarders; air, sea, and 
land carriers; and contract logistics providers. Private companies 
agree to improve the security of their supply chains in return for 
various benefits, such as reduced examination of their cargo. See 
[hyperlink, http://www.gao.gov/products/GAO-08-240] for our previous 
work reviewing the C-TPAT program. 

[6] ISO is a nongovernmental organization that develops and publishes 
international standards for which there is a market requirement. ISO 
standards are voluntary, as ISO has no authority to enforce the 
implementation of its standards. 

[7] The WCO is an independent intergovernmental body whose mission is 
to enhance the effectiveness and efficiency of customs administrations. 

[8] A non-vessel operating common carrier buys space aboard a vessel 
and then sells the space to small shippers. 

[9] The standard measure of the volume of containerized cargo is a 
twenty-foot equivalent unit (TEU). For example, one 40-foot cargo 
container, the most common size in U.S. trade, would be counted as 2 
TEUs of cargo. 

[10] Pub. L. No. 109-347, 120 Stat. 1884. 

[11] Pub. L. No. 110-53, § 1701(b), 121 Stat. 266, 491 (amending 6 
U.S.C. § 944(a)(4)). 

[12] Generally, ISO 17712 requires that container seals meet or exceed 
standards for strength and durability so as to prevent accidental 
breakage, early deterioration (due to weather conditions, chemical 
action, etc.) or undetectable tampering under normal usage. ISO 17712 
also requires that each seal be clearly and legibly marked with a 
unique identification number. 

[13] 46 U.S.C. § 70116. 

[14] This report is restricted and not available to the public. 

[15] The goal of a small business innovative research (SBIR) program 
is to incentivize increased participation of innovative and creative 
small businesses in federal research/federal research and development 
programs and to challenge industry to bring innovative homeland 
security solutions to reality. 

[16] Technology transition agreements are agreements signed by S&T and 
its customers that describe the capability gap that the S&T project 
will fill, the project deliverable, the technical requirements and 
parameters, and the project plan. 

[17] During testing, the performance of the iTAG's long-range 
communications system varied from 341 meters to 3,699 meters. 

[18] ACSDs and CSDs are required to communicate with handheld readers 
within 10 feet and fixed readers within 100 feet. 

[19] Three of the four operational scenarios consist of affixing 
container security devices on containers after their arrival by vessel 
or for overland shipping and include: (1) C-TPAT members' containers 
transiting from Mexico to the United States by truck; (2) containers 
arriving at the Port of Los Angeles and transiting by truck to Texas 
for immediate export into Mexico; and (3) containers transiting by 
truck from Mexico to Canada carrying agricultural products potentially 
containing pests. 

[20] GAO, Department of Homeland Security: Assessments of Selected 
Complex Acquisitions, [hyperlink, 
http://www.gao.gov/products/GAO-10-588SP] (Washington, D.C.: June 30, 
2010); and Defense Acquisitions: DOD Must Prioritize Its Weapon System 
Acquisitions and Balance Them with Available Resources, GAO-09-501T 
(Washington, D.C.: Mar. 25, 2009). 

[21] A CONOPS is a user-oriented document that describes how an asset, 
system, or capability will be employed and supported from the users' 
viewpoint. 

[22] As noted earlier, we conducted interviews with importers in group 
settings. As a result of the group settings, we do not explicitly 
identify the number of importers who expressed particular views. 
Rather, we express these views as those of some of the importers we 
interviewed. 

[23] DHS, Strategy to Enhance International Supply Chain Security 
(July 2007). 

[24] Tier III is for those C-TPAT members that exceed minimum security 
criteria and demonstrate a commitment to the highest levels of supply 
chain security. 

[25] While Tier II members must meet minimum security requirements set 
by the C-TPAT program, Tier III membership is achieved by exceeding 
minimum requirements. In addition, Tier III members are required to 
maintain a record that is clear of security breaches or incidents. 

[26] Through the Container Security Initiative, CBP places staff at 58 
participating foreign ports through which 86 percent of U.S.-bound 
cargo containers pass, to work with host country customs officials to 
target and examine high-risk container cargo for weapons of mass 
destruction before they are shipped to the United States. See 
[hyperlink, http://www.gao.gov/products/GAO-08-187]. 

[27] [hyperlink, http://www.gao.gov/products/GAO-10-12]. 

[28] Operation Safe Commerce was a public/private partnership 
developed after September 11, 2001, to improve supply chain security 
by testing security practices and commercially available technologies 
in an operational environment, including technologies for tracking and 
tracing containers, and sealing containers. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: