This is the accessible text file for GAO report number GAO-10-887 entitled 'Supply Chain Security: DHS Should Test and Evaluate Container Security Technologies Consistent with All Identified Operational Scenarios to Ensure the Technologies Will Function as Intended' which was released on September 29, 2010.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to the Chairman, Committee on Homeland Security, House of Representatives:

United States Government Accountability Office:
GAO:

September 2010:

Supply Chain Security:

DHS Should Test and Evaluate Container Security Technologies Consistent with All Identified Operational Scenarios to Ensure the Technologies Will Function as Intended:

GAO-10-887:

GAO Highlights:

Highlights of GAO-10-887, a report to the Chairman, Committee on Homeland Security, House of Representatives.

Why GAO Did This Study:

Cargo containers could be used to transport unlawful cargo, including weapons of mass destruction, illicit arms, stowaways, and illegal narcotics into the United States. Within the Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP) is responsible for container security. To enhance container security, CBP has partnered with DHS’s Science and Technology (S&T) Directorate to develop performance standards—requirements that must be met by products to ensure they will function as intended—for container security technologies. After successful completion of testing, S&T plans to deliver performance standards to DHS’s Office of Policy Development and CBP. As requested, this report addresses (1) the extent to which DHS has made progress in conducting research and development and defining performance standards for the technologies, and (2) the remaining steps and challenges, if any, DHS could face in implementing the technologies. GAO, among other things, reviewed master test plans for S&T’s four ongoing container security technology projects, and interviewed DHS officials.

What GAO Found:

DHS has conducted research and development for four container security technology projects, but has not yet developed performance standards for them. From 2004 through 2009, S&T spent approximately $60 million and made varying levels of progress in the research and development of its four container security technology projects. These projects include the Advanced Container Security Device (ACSD), to detect intrusion on all six sides of a container; the Container Security Device (CSD), to detect the opening or removal of container doors; the Hybrid Composite Container, a lightweight container with an embedded sensor grid to detect intrusion on all six sides of the container; and the Marine Asset Tag Tracking System (MATTS), to track containers.
The ACSD and Hybrid Composite Container technologies have not yet completed laboratory testing, but the CSD and MATTS are proceeding to testing in an operational environment, which will determine if the technologies can operate in the global supply chain—the flow of goods from manufacturers to retailers. S&T’s master plans for conducting operational environment testing, however, do not reflect all of the operational scenarios the Office of Policy Development and CBP are considering for implementation. According to DHS guidance, before S&T can provide performance standards to the Office of Policy Development and CBP, the technologies are to have been proven to work in their final form and under expected operational conditions. Until the container security technologies are tested and evaluated consistent with all of the operational scenarios DHS identified for potential implementation, S&T cannot provide reasonable assurance that the technologies will effectively function as the Office of Policy Development and CBP intend to implement them.

If S&T determines that the container security technologies are mature enough to provide performance standards for these technologies to the Office of Policy Development and CBP, key steps and challenges remain before implementation can occur. These key steps involve (1) obtaining support from the trade industry and international partners, (2) developing a concept of operations (CONOPS) detailing how the technologies are to be deployed, and (3) certifying the technologies for use. The Office of Policy Development and CBP plan to take these steps if and when S&T provides performance standards.

Table: Description of DHS S&T’s Four Container Security Projects:

Project name: ACSD;
Project description and goal: Develop a device that can detect and report container intrusion on all six sides of a container.

Project name: CSD;
Project description and goal: Develop a device that can detect and report the opening or removal of container doors.

Project name: Hybrid Composite Container;
Project description and goal: Develop a composite container with embedded security sensors to detect intrusion on all six sides.

Project name: MATTS;
Project description and goal: Establish a system to track containers, and increase the range that CSDs and ACSDs can communicate.

Source: GAO analysis of DHS S&T information.

[End of table]

What GAO Recommends:

GAO recommends that DHS test and evaluate the container security technologies consistent with all the operational scenarios DHS identified for potential implementation. DHS concurred with our recommendation.

View [hyperlink, http://www.gao.gov/products/GAO-10-887] or key components. For more information, contact Stephen Caldwell at (202) 512-9610 or caldwells@gao.gov or Timothy Persons at (202) 512-6412 or personst@gao.gov.

[End of section]

Contents:

Letter:

Background:

DHS Has Made Progress in Researching and Developing Container Security Technologies, but Needs to Conduct Testing Using Defined Operational Scenarios before Delivering Performance Standards:

Key Steps and Challenges Remain before Implementation of Container Security Technologies Can Move Forward:

Conclusions:

Recommendation for Executive Action:

Agency Comments:

Appendix I: Vendors Selected to Participate in Container Security Technology Projects:

Appendix II: Description of Container Security Technologies' Communications Systems:

Appendix III: Comments from the Department of Homeland Security:

Appendix IV: GAO Contacts and Staff Acknowledgments:

Glossary:

Related GAO Products:

Tables:

Table 1: Description of CBP's Core Cargo Security Programs:

Table 2: Description of DHS S&T's Four Container Security Projects:

Table 3: Members of the Container Security Test and Evaluation (CSTE) Team and Their Respective Roles and Responsibilities on the Container Security Technology Projects:

Table 4: Status of Container Security Technology Projects:

Table 5: Description of CSTE's Testing of the ACSD Prototypes:

Table 6: Description of CSTE's Testing of the CSD Prototypes:

Table 7: Selection and Funding of Vendors for Development of Container Security Technologies:

Figures:

Figure 1: The Maritime Supply Chain Process:

Figure 2: Drawings of a Typical Cargo Container, Its Parts, and Dimensions:

Figure 3: A Container Sealed with a Bolt Seal:

Figure 4: DHS S&T Testing Process:

Figure 5: Photographs of GTRI's and SAIC's Container Security Devices:

Figure 6: Photograph of iControl, Inc.'s MATTS Tag:

Figure 7: Certification Testing Process:

Figure 8: Security Device System Supporting Container Security Technology Communications:

Abbreviations:

9/11 Act: Implementing Recommendations of the 9/11 Commission Act of 2007:
ACSD: Advanced Container Security Device:
BAA: broad agency announcement:
C-TPAT: Customs-Trade Partnership Against Terrorism:
CBP: Customs and Border Protection:
CM: communications module:
CONOPS: concept of operations:
CSD: Container Security Device:
CSI: Container Security Initiative:
CSTE Team: Container Security Test and Evaluation Team:
DHS: Department of Homeland Security:
DOD: Department of Defense:
DOE: Department of Energy:
GTRI: Georgia Tech Research Institute:
ISO: International Organization for Standardization:
MATTS: Marine Asset Tag Tracking System:
MSC: Maine Secure Composites:
MTSA: Maritime Transportation Security Act of 2002:
NII: non-intrusive inspection:
RF: radio frequency:
S&T: Science and Technology:
SAFE Port Act: Security and Accountability for Every Port Act:
SAIC: Science Applications International Corporation:
SBIR: Small Business Innovative Research:
SFI: Secure Freight Initiative:
TEU: twenty-foot equivalent unit:
WCO: World Customs Organization:
WMD: weapons of mass destruction:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

September 29, 2010:

The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:

Dear Mr. Chairman:

In addition to serving an important role in transporting legitimate cargo, cargo containers can also be used to transport unlawful cargo, including weapons of mass destruction (WMD), illicit arms, stowaways, and illegal narcotics, into the United States. In fiscal year 2009, 9.8 million cargo containers arrived at U.S. ports.

Within the federal government, the Department of Homeland Security's (DHS) U.S. Customs and Border Protection (CBP) is responsible for administering container security and reducing the vulnerabilities associated with the supply chain--the flow of goods from manufacturers to retailers. As it performs this mission, CBP maintains two overarching and sometimes conflicting goals--increasing security while efficiently facilitating legitimate trade. To address these goals, CBP has developed a layered security strategy.[Footnote 1] Core components of this strategy include analyzing information to identify cargo containers that may pose a security risk, working with host governments to examine high-risk containers at foreign ports before they are loaded onto vessels bound for the United States, and providing benefits, such as reduced examination of cargo, to private-sector companies that comply with predetermined security measures.

Recognizing that security can be further enhanced, CBP has partnered with DHS's Science and Technology (S&T) Directorate to develop performance standards--requirements that must be met by products to ensure they will function as intended--for container security technologies that can (1) detect and report container intrusion, (2) alert officials to possible security threats, and (3) track the movement of cargo containers through the supply chain.
S&T is responsible for researching, developing, testing, and evaluating new technologies in order to develop performance standards.[Footnote 2] If S&T is able to demonstrate through testing and evaluation that container security technologies exist that can meet CBP's requirements, then it plans to provide performance standards to CBP and the Transportation, Cargo & Infrastructure Unit within DHS's Office of Policy Development to pursue for implementation.[Footnote 3] The Transportation, Cargo & Infrastructure Unit is responsible for, among other things, developing, implementing, and coordinating policy relating to the security of the global supply chain.

You requested information on DHS's efforts to develop and implement container security technologies. In particular, this report addresses the following questions:

* To what extent has DHS made progress in conducting research and development and defining performance standards for container security technologies?

* What remaining steps and challenges, if any, does DHS face in implementing container security technologies?

To address the first objective, we reviewed all four ongoing container security projects initiated by S&T to develop technologies that can detect cargo container intrusions and track the movement of cargo containers through the supply chain. For each of the four projects, we reviewed project requirements documents, test plans, technology transition agreements, and task orders to determine the projects' scope and requirements. We then evaluated DHS's plans against criteria for planning in DHS's Developing Operational Requirements guide.[Footnote 4] To assess DHS's progress in developing technologies, we reviewed the test reports outlining the performance of the technologies under evaluation to identify the capabilities of the technologies and performance deficiencies.
We also reviewed each of the project schedules and compared them to the current status of each of the container security technology projects as of June 2010. We interviewed senior officials in S&T's Borders and Maritime Security Division in Washington, D.C., who are responsible for the four container security projects to discuss the status of the projects. We also interviewed officials representing the four members of the Container Security Test and Evaluation (CSTE) team created by S&T to test and evaluate the technologies--Lawrence Livermore National Laboratory, Pacific Northwest National Laboratory, Sandia National Laboratories, and the Space and Naval Warfare Systems Center Pacific--to discuss the results of the four projects' test and evaluation processes. In addition to these interviews, we also conducted a site visit to Sandia National Laboratories in Albuquerque, New Mexico--the location for all laboratory testing of the container security technologies--to view technology prototypes, observe the test facilities, and to learn more about the specific laboratory tests that have been conducted on the container security technologies. We also met with officials representing the vendors whose technologies were under testing and evaluation at the time our audit began in October 2009--Georgia Tech Research Institute (GTRI); iControl, Inc.; Maine Secure Composites (MSC); and Science Applications International Corporation (SAIC)--to discuss how they have developed and modified their technologies. Further, we reviewed the contracts and interagency agreements that provided funds to the CSTE team and vendors to determine the amount of money DHS has spent on testing, evaluating, and developing the technologies since funding for the container security technologies began, in April 2004, through 2009.

To address the second objective, we discussed container security technology implementation plans with officials from DHS's Office of Policy Development Transportation, Cargo & Infrastructure Unit, and with CBP officials from its Office of Field Operations and its Customs-Trade Partnership Against Terrorism (C-TPAT) Office.[Footnote 5] We also spoke with Department of Defense (DOD) entities, including the U.S. Army and the U.S. Transportation Command, to identify any lessons learned from DOD's implementation of container security devices in transporting supplies and equipment to support war efforts in Afghanistan. With representatives of the International Organization for Standardization (ISO)[Footnote 6] and World Customs Organization (WCO),[Footnote 7] we discussed the process for obtaining international adoption of container security technology standards, and the imposition of duties and taxes on container security technologies, respectively.

Further, we spoke with trade industry representatives to understand the trade industry's perspective on how container security technologies could be implemented in the global supply chain, and to identify any potential challenges to implementation. Specifically, we spoke with officials from the World Shipping Council, which represents vessel carriers that transport cargo containers, as well as with two individual vessel carriers and one non-vessel operating common carrier.[Footnote 8] We also spoke with representatives from two trade industry associations--the American Association of Exporters and Importers and the National Association of Manufacturers--as well as 22 individual U.S. importers the trade association members identified for us among their membership. We conducted interviews with these importers in group settings. This interview format allowed us to determine consensus and also identify and examine instances where viewpoints differed among importers.
As a result of the group settings, we do not explicitly identify the number of importers who expressed particular views. Rather, we express these views as those of some of the importers we interviewed. Further, we met with an official from the Institute of International Container Lessors, which represents companies that lease containers to members of the trade industry, including vessel carriers and importers. Our interviews with these trade industry representatives were based on a nonprobability sample, so they are not generalizable to the entire maritime trade industry, but they did provide us with insights into the willingness of members of the maritime trade industry to partner with DHS and CBP to implement container security technologies, and identify potential challenges to implementation.

We conducted this performance audit from October 2009 through September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Global Supply Chain:

Given the complexity of the supply chain and the vast number of cargo containers that are shipped to the United States, the supply chain is vulnerable to threats. The typical supply chain process for transporting cargo containers to the United States involves many steps and participants. The cargo container, and material in it, can be affected not only by the manufacturer or supplier of the material being shipped, but also by vessel carriers who are responsible for transporting the material to a port, as well as by personnel who load and unload cargo containers onto vessels.
Others who may interact with the cargo or have access to the records of the goods being shipped include exporters who make arrangements for shipping and loading, freight consolidators who package disparate cargo into containers, and forwarders who manage and process the information about what is being loaded onto a vessel. Figure 1 depicts the key participants and points of transfer involved in the supply chain--from the time that a container is packed with cargo in a foreign location to its arrival at a U.S. port.

Figure 1: The Maritime Supply Chain Process:

[Refer to PDF for image: 7 photographs]

Foreign factory: Packing and sealing container;
Entry to foreign port of embarkation;
Loading on vessel;
In transit;
Unloading;
Dwelling on terminal;
Exiting terminal.

Source: GAO (analysis); GAO and DHS S&T (photos).

[End of figure]

Containers serve, in essence, as packing crates and portable warehouses for virtually every type of general cargo moving in the supply chain. The ISO recommends the standard size of containers. The recommended lengths for cargo containers, according to ISO, are 10 feet, 20 feet, 30 feet, and 40 feet. However, the most common containers are the 20-foot and the 40-foot models.[Footnote 9] Container sizes are standardized so that containers can be stacked, and so that loading and unloading equipment can be designed to those standards. Figure 2 shows a typical cargo container and parts of the container door, and summarizes the standard dimensions of 20-foot and 40-foot containers.

The basic parts of a typical cargo container are the floor, roof, sides and doors. The floor may be hard or soft laminated wood, planks, or plywood. Modern steel containers have corrugated or flat steel sheet roofs welded to the frame. The sides of steel containers have corrugated steel panels. The hinged doors have plastic- or rubber-lined door gaskets as seals to protect against moisture.

Figure 2: Drawings of a Typical Cargo Container, Its Parts, and Dimensions:

[Refer to PDF for image: 2 illustrations]

Container box:

Dimensions: Length;
Standard 20 feet: Outside: 20 feet; Inside: 19 feet, 4 inches;
Standard 40 feet: Outside: 40 feet; Inside: 39 feet, 5 inches.

Dimensions: Width;
Standard 20 feet: Outside: 8 feet; Inside: 7 feet, 8 inches;
Standard 40 feet: Outside: 8 feet; Inside: 7 feet, 8 inches.

Dimensions: Height;
Standard 20 feet: Outside: 8 feet, 6 inches; Inside: 7 feet, 10 inches;
Standard 40 feet: Outside: 8 feet, 6 inches; Inside: 7 feet, 10 inches.

Dimensions: Door;
Standard 20 feet: Outside: 7 feet, 8 inches; Inside: 7 feet, 6 inches;
Standard 40 feet: Outside: 7 feet, 8 inches; Inside: 7 feet, 6 inches.

Source: GAO.

[End of figure]

CBP Has Developed a Layered Strategy to Secure Cargo Containers:

CBP has developed a layered security strategy to mitigate the risk of an attack using cargo containers. CBP's strategy is based on a layered approach of related programs that attempt to focus resources on potentially risky cargo shipped in containers while allowing other cargo containers to proceed without unduly disrupting commerce into the United States. The strategy is based on obtaining advanced cargo information to identify high-risk containers, utilizing technology to inspect containers, and partnering with foreign governments and the trade industry. A brief description of the core programs that comprise CBP's layered security strategy for cargo containers is provided in table 1.

Table 1: Description of CBP's Core Cargo Security Programs:

Obtaining advanced information to identify high-risk containers:

Program and year introduced: Automated Targeting System (ATS), 1999;
Description: CBP uses ATS--a mathematical model that uses weighted rules to assign a risk score to arriving cargo shipments based on shipping information--to help identify and prevent potential terrorists and terrorist weapons from entering the United States.
ATS is used by CBP to review documentation, including cargo manifest information[A] submitted by the vessel carriers on all U.S.-bound shipments, and entry data (more detailed information about the cargo) submitted by brokers, to develop risk scores that help identify containers for additional examination.

Program and year introduced: 24-hour Rule, 2002;
Description: CBP generally requires vessel carriers to electronically transmit cargo manifests to CBP's Automated Manifest System 24 hours before U.S.-bound cargo is loaded onto a vessel at a foreign port. The information is used by ATS in its calculation of risk scores. The cargo manifest information is submitted by vessel carriers for all arriving cargo shipments.

Program and year introduced: Importer Security Filing and Additional Carrier Requirements (also known as 10+2), 2009;
Description: CBP requires importers and vessel carriers to provide data elements for improved identification of containers that may pose a risk for terrorism. The importer is responsible for supplying CBP with 10 shipping data elements, such as country of origin, 24 hours prior to loading, while the vessel carrier is required to provide 2 data elements, container status messages and stow plans, not required by the 24-hour Rule.

Domestic scanning technology deployments:

Program and year introduced: Non-intrusive inspection (NII) equipment, 2001;
Description: CBP uses NII equipment to actively scan both randomly selected containers and those identified by ATS as high-risk. NII uses X-rays or gamma rays to scan a container and create images of the container's contents without opening it. According to CBP, as of August 2010, it had deployed 92 NII systems to U.S. seaports to scan containers. In fiscal year 2009, 4.6 percent of containers arriving at U.S. seaports were scanned.

Program and year introduced: Radiation Portal Monitors, 2007;
Description: CBP program to passively scan 100 percent of containers arriving in the United States with radiation detection equipment prior to leaving a domestic port. According to CBP, as of August 2010, it had deployed 453 radiation portal monitors at U.S. seaports, through which approximately 99 percent of all containers arriving by sea passed.

Partnerships with foreign governments:

Program and year introduced: Container Security Initiative (CSI), 2002;
Description: CBP places staff at participating foreign ports to work with host country customs officials to target and examine high-risk container cargo for weapons of mass destruction before they are shipped to the United States. CBP officials identify the containers that may pose a risk for terrorism and request that their foreign counterparts examine the contents of the containers.

Program and year introduced: Secure Freight Initiative (SFI), 2006;
Description: CBP and Department of Energy program at selected ports to actively and passively scan 100 percent of U.S.-bound container cargo for nuclear and radiological materials overseas using integrated examination systems that couple NII and radiation detection equipment.

Partnership with trade industry:

Program and year introduced: Customs-Trade Partnership Against Terrorism (C-TPAT), 2001;
Description: CBP develops voluntary partnerships with members of the international trade community comprised of importers; manufacturers; customs brokers; forwarders; air, sea, and land carriers; and contract logistics providers. Private companies agree to improve the security of their supply chains in return for various benefits, such as a reduced examination of their cargo.

Source: GAO summary of information provided by DHS.

[A] Cargo manifests are prepared by the vessel carrier for each shipment of cargo loaded on a vessel to describe the contents of the shipment.

[End of table]

Legislation Enacted to Improve Cargo Container Security:

Several U.S. laws and regulations govern the security of cargo containers and the supply chain within which they are transported. In 2006, Congress passed, and the President signed, the Security and Accountability for Every (SAFE) Port Act.[Footnote 10] The SAFE Port Act established a statutory framework for some of the programs comprising CBP's layered security strategy, including CSI and C-TPAT, which previously had been agency programs not required by law. The SAFE Port Act also required that DHS initiate a rulemaking process and subsequently issue an interim final rule to establish minimum standards and procedures for securing containers in transit to the United States.

In August 2007, the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) was enacted, amending this SAFE Port Act requirement.[Footnote 11] Specifically, the 9/11 Act required that if the interim final rule was not issued by April 1, 2008, then effective no later than October 15, 2008, all containers in transit to the United States would be required to use an ISO 17712 compliant seal.[Footnote 12] DHS did not establish standards by the set deadline, so all maritime containers in transit to the United States are now required to be sealed with an ISO 17712 compliant seal. According to DHS, it did not establish minimum standards for securing cargo containers in transit because there were no available technology solutions at the time that would adequately improve container security without significantly disrupting the flow of commerce. Although the 9/11 Act default standard is now in effect, the act provides that this standard will cease to be effective upon the effective date of a rule issued in the future pursuant to the original SAFE Port Act requirement.

In addition to the possibility of a future rulemaking in this area, DHS remains responsible for implementing an earlier provision enacted by the Maritime Transportation Security Act of 2002 (MTSA).[Footnote 13] This provision requires DHS to establish a program to evaluate and certify secure systems of international, intermodal transportation. This program is to include standards and procedures for securing cargo and monitoring security while in transit, as well as performance standards to enhance the physical security of shipping containers, including standards for seals and locks. This provision continues to govern DHS efforts to establish standards for new technology in the cargo container security area.

Past CBP Efforts Identified Need for Container Security Technologies:

In response to a July 2002 memo from the then-CBP Commissioner, CBP undertook a study to identify and evaluate available technologies to improve container security. The study demonstrated that existing container seals provided inadequate security against physical intrusions. We reported in January 2006 that despite the widespread use of container seals, they are not effective in preventing tampering.[Footnote 14] For example, entry into a container through the roof or sides will not be indicated by a container seal affixed to the doors. Further, various methods to circumvent seals installed on container door hasps (see figure 3) have been demonstrated by the Department of Defense and the Vulnerability Assessment Team at Los Alamos National Laboratory. Seals installed through the door hasp can be bypassed and left intact by simply removing an entire container door. Recognizing the limitations of existing container technology, CBP desired a technology with the ability to monitor and record door openings and eventually detect and report intrusions on all six sides of a container. Figure 3 shows a container with a bolt seal affixed to the door hasp.

Figure 3: A Container Sealed with a Bolt Seal:

[Refer to PDF for image: photograph]

Identified on the photo:
Door handle;
Locking rod;
Door hasp;
Bolt seal.

Source: CBP (photo), GAO (presentation).

[End of figure]

CBP initiated the Smart Box program in 2004 in order to develop technologies with the ability to monitor the physical integrity of a container, among other things. In September 2005, CBP, in consultation with Johns Hopkins University Applied Physics Laboratory, determined through operational testing that there was no existing container security device that could meet its requirements. CBP made a second attempt, in December 2007, to find a commercially available container security device with the ability to monitor container doors for intrusion. According to CBP officials, only one security device--offered by General Electric--demonstrated the potential to meet CBP's requirements. However, according to CBP, subsequent operational testing revealed that the device had a relatively high false alarm rate, which, according to CBP officials, would have resulted in an unmanageable workload for CBP staff at ports given the number of containers they would have to examine because of the alarms. According to CBP officials, before they could schedule another round of testing to determine if a revised prototype of the device would meet CBP's requirements, General Electric decided to stop producing the device.

DHS S&T Initiated Four Projects to Develop Container Security Technologies:

S&T is developing four container security technologies, which are described in table 2, in response to MTSA requirements and CBP's need for container security technologies with the ability to detect intrusion and track the movement of containers through the supply chain.
In May 2004, S&T issued a broad agency announcement for the Advanced Container Security Device (ACSD) project seeking industry submissions for technologies that could be developed to provide six-sided intrusion detection for cargo containers. The initial results of ACSD testing demonstrated that a solution would require years of additional investment and development. As a result of the challenges, DHS created the Hybrid Composite Container to embed six-sided detection in a container made of composite material, and the Container Security Device (CSD) project to provide the capability to detect container door intrusion as an interim solution until six-sided detection is available. In November 2003, S&T issued a small business innovative research (SBIR)[Footnote 15] solicitation seeking a Marine Asset Tag Tracking System (MATTS) with the capability to provide both worldwide container tracking, and communicate the security status of the CSD and ACSD in the supply chain. Table 2 provides a description of each of the four container security technology projects, including the projects' goals, key vendors, and time frames.

Table 2: Description of DHS S&T's Four Container Security Technology Projects:

Project name: Advanced Container Security Device;
Project description and goal: Develop a device that can detect and report container intrusion on all six sides of a container;
Key vendors[A]:
* L-3 Communications;
* SAIC;
Project start[B]: 2005;
Project completion[C]: 2012.

Project name: Container Security Device;
Project description and goal: Develop a device that can detect and report the opening and removal of container doors;
Key vendors[A]:
* GTRI;
* SAIC;
Project start[B]: 2007;
Project completion[C]: 2011.

Project name: Hybrid Composite Container;
Project description and goal: Develop an ISO certified container using a steel frame and fiber reinforced polymer composite material for the walls, floor, and doors, with embedded security sensors to detect intrusion on all six sides of a container;
Key vendors[A]:
* Maine Secure Composites (container);
* GTRI (sensor grid);
Project start[B]: 2005;
Project completion[C]: 2012.

Project name: Marine Asset Tag Tracking System;
Project description and goal: Establish a system to track containers, and increase the range that CSD and ACSD status information can be transmitted;
Key vendors[A]:
* iControl, Inc.;
Project start[B]: 2004;
Project completion[C]: 2010.

Source: GAO analysis of DHS S&T information.

[A] Key vendors are those selected in the most recent round of vendor selection for each project. Appendix I provides additional details on the vendor selection process.

[B] The project start date is the fiscal year in which a vendor award was first made.

[C] The project completion date is the anticipated fiscal year in which the performance standards are to be provided to the Office of Policy Development and CBP, as stated in S&T's Five-Year Research and Development Plan: Fiscal Years 2008-2013.

[End of table]

S&T's overall objective for each of these container security technology projects is the development and delivery of performance standards for the technologies to DHS's Office of Policy Development and CBP. Performance standards define a set of requirements that must be met by products to ensure they will function as intended.
Before S&T can provide performance standards to the Office of Policy Development and CBP, the capability of the technologies to meet stated requirements must be demonstrated through the successful completion of testing and evaluation activities, as described in the technology transition agreements.[Footnote 16] S&T has defined two phases of testing and evaluation for these projects:

* Phase I--Laboratory Testing: The purpose of Phase I is to identify capabilities and deficiencies in prototypes in a controlled environment to determine the likelihood of a prototype functioning under a variety of anticipated environmental and usage conditions. At least 10 prototypes are used for Phase I testing of a technology.

* Phase II--Trade Lane Testing: Phase II is designed to determine whether a prototype can enhance supply chain security while minimizing the effect on cargo operations. Phase II includes testing in an operational trade lane--the route a container travels--using 100 trips from the container packing location to arrival at a U.S. port.

After successful completion of both phases of testing, S&T is to deliver performance standards--including system requirements and test plans--to the Office of Policy Development and CBP. Figure 4 shows how the testing process leads to the development of performance standards.

Figure 4: DHS S&T Testing Process:

[Refer to PDF for image: illustration]

DHS S&T roles:
Phase I: Laboratory Testing;
Phase II: Trade Lane Testing;
Delivery of Performance Standards to DHS Office of Policy Development and CBP.

Source: GAO analysis of DHS S&T information.
[End of figure]

DHS Has Made Progress in Researching and Developing Container Security Technologies, but Needs to Conduct Testing Using Defined Operational Scenarios before Delivering Performance Standards:

From 2004 through 2009, S&T spent over $60 million and made varying levels of progress in the research and development of its four container security technology projects--ACSD, CSD, Hybrid Composite Container, and MATTS--to support the development of performance standards for these container security projects. Each of these projects has undergone Phase I laboratory testing, but S&T has not yet conducted Phase II trade lane testing in an operational environment to ensure that the prototypes will satisfy the requirements so that S&T can provide performance standards to the Office of Policy Development and CBP. Prior to the development of performance standards by S&T, each of the technology prototypes will need to undergo Phase II trade lane testing consistent with the operational scenarios that have been identified for potential implementation. According to S&T, the master test plans do not reflect all operational scenarios being considered because DHS is currently focused on using the technologies in the maritime environment.

DHS S&T Has Identified and Funded Vendors' Container Security Technologies for Development:

S&T used a multiple-round process to select vendors' technologies for development. Several vendors responded to S&T's 2004 broad agency announcement for the ACSD project and 2003 SBIR solicitation for MATTS. The vendors' technology proposals were evaluated on their ability to meet the project requirements, and those technologies considered to be viable were funded by S&T to develop prototypes for test and evaluation. Because of the challenges in developing an ACSD solution, S&T created the CSD project and selected vendors for the project based on the performance of vendors' prototypes during ACSD project testing.
Similarly, selection for the Hybrid Composite Container project was based on performance in the ACSD project. From 2004 through 2009, S&T has provided a total of about $24 million in funding to vendors to develop container security technologies. Appendix I provides additional details on the vendor selection process.

S&T created the Container Security Test and Evaluation (CSTE) team to develop requirements and independently monitor and evaluate the performance of container security technologies. CSTE membership is composed of three Department of Energy national laboratories--Lawrence Livermore National Laboratory, Pacific Northwest National Laboratory, and Sandia National Laboratories--and the Navy's Space and Naval Warfare Systems Center Pacific. As described in table 3, these organizations were each selected for participation based on their areas of applicable technical expertise in fields such as sensor systems, wireless communications, and maritime environment product testing. From 2004 through 2009, S&T obligated nearly $36 million to the CSTE team to develop requirements and conduct testing and evaluation of container security technologies.

Table 3: Members of the Container Security Test and Evaluation (CSTE) Team and Their Respective Roles and Responsibilities on the Container Security Technology Projects:

CSTE team member: Lawrence Livermore National Laboratory;
Key responsibility/Field of expertise: Determine maritime environmental conditions to establish laboratory tests to determine the ability of container security technology prototypes to function in the maritime environment.

CSTE team member: Pacific Northwest National Laboratory;
Key responsibility/Field of expertise: Contribute expertise in sensor development, wireless technologies, electronics management, and embedded systems.

CSTE team member: Sandia National Laboratories;
Key responsibility/Field of expertise: Perform all container security technology prototype testing at their facilities in New Mexico. Provide red teaming--the capability to identify and exploit weaknesses in a technology--and general systems engineering support.

CSTE team member: Space and Naval Warfare Systems Center Pacific;
Key responsibility/Field of expertise: Serve as the contracting office--create vendor contracts, issue work orders, and distribute funding. Develop wireless communications requirements and device readers.

Source: GAO summary of Department of Energy and DOD information.

[End of table]

One of the responsibilities of the CSTE team was to develop test plans that specify the testing activities that technologies need to successfully undergo in order to move on to later phases of testing and eventually the development of performance standards. These test plans require that technologies be evaluated on their installation and usability, functionality, performance (including under adverse environmental conditions), and vulnerability to attack by an adversary.

S&T Has Identified Deficiencies That Could Delay or Prevent the Development of Standards for Some Container Security Technologies:

The CSD project is expected to be completed on time, and MATTS is slightly behind schedule, as performance standards are expected to be delivered in December 2010 rather than fiscal year 2010. The ACSD project is not currently being funded due to the deficiencies identified during Phase I laboratory testing, although funding may resume if one of the vendors demonstrates progress. The Hybrid Composite Container project is undergoing contract negotiations to resume work on the composite container after challenges were encountered with the vendor. Table 4 summarizes the status and expected completion date for each of S&T's container security technology projects.
Table 4: Status of Container Security Technology Projects:

Project name: Advanced Container Security Device (ACSD);
Key project requirements:
* Detect container door opening, door closing, and door removal;
* Detect a 3-inch diameter hole in the container on any six sides;
* Detect human presence within the container;
* Provide a 95 percent probability of intrusion detection;
* Provide a combined probability of false alarm and critical failure of 0.2 percent;
* Possess a power source to operate for one trip (1,680 hours);
* Cost less than $175 per container trip;
Project status: Stopped in Phase I laboratory testing. Because of deficiencies in satisfying ACSD requirements during laboratory testing, no ACSD prototypes are currently being funded for development. S&T may resume funding of one vendor's prototype if the vendor demonstrates progress in improving performance of its CSD;
Expected completion (fiscal year): 2012.

Project name: Container Security Device (CSD);
Key project requirements:
* Detect container door opening, door closing, and door removal;
* Monitor the status of any seals or locks;
* Provide a 95 percent probability of intrusion detection;
* Provide a combined probability of false alarm and critical failure of 0.2 percent;
* Possess a power source to operate for one trip (1,680 hours);
Project status: Progressing to Phase II trade lane testing. CSDs have shown promise in laboratory testing, and S&T anticipates beginning Phase II trade lane tests for one CSD prototype in September 2010;
Expected completion (fiscal year): 2011.

Project name: Hybrid Composite Container;
Key project requirements:
Composite container;
* Meet or exceed ISO requirements;
Sensor grid:
* Detect a 3-inch diameter hole in any six sides of a container;
* Provide a 95 percent probability of intrusion detection;
* Provide a combined probability of false alarm and critical failure of 0.2 percent;
* Possess a power source to operate for one trip (1,680 hours);
Project status: Stopped in Phase I laboratory testing. S&T terminated the contract with the vendor because of internal management issues the vendor was having. S&T plans to initiate a new contract to continue the work before the end of September 2010;
Expected completion (fiscal year): 2012.

Project name: Marine Asset Tag Tracking System (MATTS);
Key project requirements:
* Communicate a container intrusion alarm within 5 minutes of the alarm occurring;
* Provide operational availability at least 95 percent of the time;
* Possess a power source to operate for 30,000 hours;
* Cost less than $175 per container trip;
Project status: Progressing to Phase II trade lane testing. MATTS is scheduled to participate in Phase II trade lane tests with the CSD in September 2010;
Expected completion (fiscal year): 2011.

Source: GAO analysis of DHS S&T information.

[End of table]

In order for these container security technologies to provide the functionality that DHS desires, they must interface with readers--both handheld and fixed in place--that can use wireless communications to send commands to or gather operational or intrusion alarm status information from the technologies for CBP's use. Readers also serve as a means to arm and disarm ACSDs (including the sensor grid embedded in the Hybrid Composite Container) and CSDs.
Because ACSDs and CSDs are mounted on the interior of a container in a manner that protects them from being physically accessed from outside of a container, a remote, wireless device such as a reader is needed to turn on the devices' intrusion detection functionality upon sealing the container (arming the device) and to turn off the devices' intrusion detection functionality when the container is opened by authorized parties (disarming the device). A handheld reader would also allow an official in close proximity to the container to detect and read the ACSD or CSD to determine if the container had been opened after it was sealed. In contrast, a fixed reader has a longer range and would be designed to automatically relay such status information to a centralized data center.

ACSDs and CSDs must also support an encryption scheme for two reasons. First, commands to disarm a device must be encrypted to prevent unauthorized parties from circumventing the device by disarming it. Second, status information that a device sends may contain sensitive information, so status messages must be encrypted to protect the information during wireless transmission. Devices, such as handheld readers, would then be "trusted," in that they would have the ability to handle encrypted communications with ACSDs and CSDs. Appendix II provides further information on the planned communications system supporting ACSDs and CSDs.

S&T Halted ACSD Funding during Phase I Laboratory Testing Because of Performance Deficiencies:

According to S&T, because of deficiencies observed in Phase I laboratory testing, it is not currently funding the development of any vendor's ACSD prototype beyond Phase I laboratory testing. S&T officials added that L-3 Communications (L-3) and SAIC, the two vendors selected to participate in Phase I laboratory testing, did not demonstrate enough progress meeting the requirements.
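The requirement stated above that disarm commands sent to ACSDs and CSDs be encrypted can be sketched as follows; this is an added example, not code from the report, DHS, or any vendor. A trusted reader seals arm and disarm commands with AES-GCM, and the device applies a command only if it authenticates and carries a fresh counter, which goes one step beyond the report's encryption requirement by also rejecting replayed frames. The frame layout, command codes, reader and device IDs, and the all-zero demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	CmdArm    byte = 0x01 // hypothetical codes; the report defines no message format
	CmdDisarm byte = 0x02
)

var (
	ErrAuth   = errors.New("rejected: frame failed authentication")
	ErrReplay = errors.New("rejected: counter not newer than last accepted")
	ErrFormat = errors.New("rejected: malformed frame")
)

// Assumed frame: readerID(4) || counter(8) || AES-GCM(command byte) || tag(16).
// The header is the GCM nonce (never reuse a pair under one key); device ID is associated data.
const headerLen = 12

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func idBytes(id uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, id)
	return b
}

// Reader models a "trusted" handheld or fixed reader that holds the key.
type Reader struct {
	aead    cipher.AEAD
	id      uint32
	counter uint64 // a real reader must persist this across power cycles
}

// Seal returns an encrypted, authenticated command frame for one device.
func (r *Reader) Seal(deviceID uint32, cmd byte) []byte {
	r.counter++
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint32(hdr[0:4], r.id)
	binary.BigEndian.PutUint64(hdr[4:12], r.counter)
	ct := r.aead.Seal(nil, hdr, []byte{cmd}, idBytes(deviceID))
	return append(hdr, ct...)
}

// Device models the CSD or ACSD mounted inside the container.
type Device struct {
	aead  cipher.AEAD
	id    uint32
	last  map[uint32]uint64 // highest counter accepted, per reader ID
	Armed bool
}

func NewDevice(aead cipher.AEAD, id uint32) *Device {
	return &Device{aead: aead, id: id, last: map[uint32]uint64{}}
}

// Handle applies a frame only if it decrypts, authenticates and is fresh.
func (d *Device) Handle(frame []byte) error {
	if len(frame) != headerLen+1+d.aead.Overhead() {
		return ErrFormat
	}
	hdr, ct := frame[:headerLen], frame[headerLen:]
	pt, err := d.aead.Open(nil, hdr, ct, idBytes(d.id))
	if err != nil {
		return ErrAuth // wrong key, wrong device, or modified in transit
	}
	readerID, ctr := binary.BigEndian.Uint32(hdr[0:4]), binary.BigEndian.Uint64(hdr[4:12])
	if ctr <= d.last[readerID] {
		return ErrReplay // a recorded disarm frame cannot be re-sent later
	}
	if pt[0] != CmdArm && pt[0] != CmdDisarm {
		return ErrFormat
	}
	d.Armed = pt[0] == CmdArm
	d.last[readerID] = ctr
	return nil
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	rd, dev := &Reader{aead: aead, id: 7}, NewDevice(aead, 1001)
	arm1, disarm, arm2 := rd.Seal(1001, CmdArm), rd.Seal(1001, CmdDisarm), rd.Seal(1001, CmdArm)
	for _, f := range [][]byte{arm1, disarm, arm2, disarm} { // last frame is a replay
		err := dev.Handle(f)
		fmt.Println("armed:", dev.Armed, "error:", err)
	}
}
```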
According to S&T and CSTE team officials, meeting the requirements of the ACSD program, including detecting intrusion on all six sides of a container, has proven to be very challenging. According to S&T, it may resume funding for the development of the SAIC ACSD if SAIC demonstrates sufficient improvement in its CSD, which uses similar technology. If no ACSD is found to demonstrate enough progress in meeting the requirements, performance standards will not be delivered for this project. Table 5 summarizes the test results for the ACSDs.

Table 5: Description of CSTE's Testing of the ACSD Prototypes:

Vendor: L-3[A];
Testing status: Phase I laboratory testing was conducted from April to September 2008, and resulted in the CSTE team recommendation that no further testing be conducted;
Test summary:
* Installation was difficult and could potentially injure the installing personnel;
* Device confounded by environmental noise;
* Detected 10 percent of wall penetration events, but near 0 percent when the container was loaded with cargo near the device;
* Detected 96 percent of door openings;
* No specific environmental testing, but observed to possibly be vulnerable to damage from dropping and condensation.

Vendor: SAIC[B];
Testing status: Phase I laboratory testing was conducted from April to June 2008, and resulted in the CSTE team recommendation that no further testing be conducted. Testing may resume if progress is made on SAIC's CSD;
Test summary:
* Installation was reasonable and safe, but includes a complicated calibration step;
* Operation was inconsistent and unpredictable;
* It could not reliably detect a 3-inch diameter hole in the container, but could more easily detect when an object is inserted into or removed from the container through such a hole;
* Extensive false alarms occurred, so no specific environmental testing was done.

Source: GAO analysis of DHS S&T information.

[A] The L-3 ACSD is a large, 50-pound device that is to be mounted inside the container, above the door, and run the full width of the interior of the container. It relies on a suite of light, acoustic, carbon dioxide, and other sensors to detect intrusion and human presence inside a container.

[B] The SAIC ACSD consists of a single unit mounted inside the container, over the door. It uses radio frequency resonance to detect intrusion attempts. The device emits radio frequency signals and monitors the characteristics of the reflected signal to infer any changes in the structure of the container. Changes in the radio frequency reflections may indicate an opening in the container. This technique may not be as effective on Hybrid Composite Containers.

[End of table]

During Phase I laboratory testing, conducted from April 2008 to September 2008, the L-3 ACSD prototype successfully detected container door openings. However, it failed to identify preexisting holes in containers, was unable to consistently detect wall intrusions in ideal (empty container) conditions, and was largely unable to detect wall intrusions in a loaded container. Consequently, the L-3 ACSD prototype failed the project requirement that a device detect a hole in a container. According to S&T, based on the conclusions of the CSTE Team, in October 2008, S&T decided not to fund the L-3 ACSD for additional testing and evaluation.

During Phase I laboratory testing, conducted from April 2008 to June 2008, the SAIC ACSD prototype detected door openings and closings, but it generated a false alarm rate higher than that permitted by the ACSD project requirements. Similar to the L-3 ACSD, in September 2008, the CSTE team concluded the SAIC ACSD was deficient. S&T decided that no further funding be provided to SAIC for the ACSD project.
However, according to S&T officials, SAIC's ACSD prototype is closely related to that of its CSD (see below), and therefore, if SAIC's CSD demonstrates improvement, S&T will consider funding SAIC's ACSD for further tests and evaluations.

CSD Performance Has Varied and S&T Anticipates One Vendor's CSD Prototype Will Begin Phase II Trade Lane Testing:

Performance of the two CSD prototypes varied during Phase I laboratory testing and, according to the S&T program manager, Phase II trade lane testing is expected to begin for one of the prototypes in late 2010. S&T anticipates that Phase II trade lane testing will begin for the GTRI CSD in September 2010. According to S&T officials, the SAIC CSD began another round of Phase I laboratory testing in May 2010, but testing has since ceased due to the high false alarm rate the device exhibited. The S&T program manager expects to meet a November 1, 2010, due date for completion of CSD performance standards for the Office of Policy Development and CBP. Table 6 summarizes the test results for the CSDs.

Table 6: Description of CSTE's Testing of the CSD Prototypes:

Vendor: GTRI[A];
Testing status: Phase I laboratory testing was conducted in 2007, and another round in 2009. A new version addressing the identified deficiencies was delivered to DHS in 2010. Phase II trade lane tests are anticipated to begin in September 2010;
Test summary:
* Installation was reasonable;
* Detected 100 percent of door openings during valid tests;
* CSTE noted false alarms or failures, or both, during temperature shock, humidity, and vibration tests;
* Communications system required improved reliability and consistency;
* Vulnerability testing revealed some weaknesses, such as a lack of built-in tamper resistance.

Vendor: SAIC[B];
Testing status: Phase I laboratory testing was conducted from April to November 2008. A new version addressing the identified deficiencies was delivered to DHS in May 2010 and is being evaluated by the CSTE;
Test summary:
* Installation was reasonable and safe, but includes a complicated calibration step;
* Detected 98 percent of door openings in empty containers and 96 percent in loaded containers;
* False alarm rates ranging from 0 to 100 percent occurred when the test team shifted the location of cargo in the container;
* False alarms occurred during container stacking tests and during humidity, saltwater mist, static discharge, and vibration tests.

Source: GAO analysis of DHS S&T information.

[A] The GTRI CSD consists of three components--two door-mounted units, and a header-beam-mounted controller unit. The GTRI CSD uses light-emitting diodes and light sensors to measure the position of the container doors. The infrared light-emitting diodes in each of the two door units emit light pulses, which the controller unit authenticates as having come from a CSD door unit. The device alarms when it detects a door opening of 1 inch or greater, or a decrease in signal strength past a set threshold.

[B] The SAIC CSD is identical in appearance and general function to the company's ACSD. The primary difference between the two devices is in the sensing algorithm. The ACSD attempts to monitor all six sides of the container, whereas the CSD is focused on detecting the opening or removal of the container doors.

[End of table]

While the GTRI CSD reliably and consistently detected container door openings, minor deficiencies in environmental durability and physical security were identified in the first set of Phase I laboratory testing. GTRI responded to the identified deficiencies and submitted a revised prototype for additional Phase I laboratory testing.
According to the S&T program manager, S&T determined that GTRI appropriately modified its prototype to resolve the deficiencies identified in the last round of Phase I laboratory testing, and S&T plans to include this device in Phase II trade lane testing scheduled to begin in September 2010. The S&T program manager added that during Phase II trade lane testing, the CSD will be installed on containers that will travel from the Port of Shanghai, China, to Savannah, Georgia. Figure 5 shows photographs of GTRI's and SAIC's CSDs, which are mounted on the interior of cargo containers.

Figure 5: Photographs of GTRI's and SAIC's Container Security Devices:

[Refer to PDF for image: 2 photographs]

GTRI CSD mounted inside a container;
SAIC CSD mounted inside a container, above container doors.

Source: DHS.

[End of figure]

The SAIC CSD reliably and consistently detected door openings, but frequent false alarms, deficiencies in the connections of electrical components, and deficiencies in the device's installation and mounting system were identified during Phase I laboratory testing. According to SAIC, it is adjusting the detection algorithms, which is expected to reduce the device's sensitivity to normal cargo shifting during transit in an effort to reduce the device's false alarm rate, and it expects to simplify the installation procedure to address S&T's concerns. According to the S&T program manager, the new version of SAIC's CSD was delivered to S&T in May 2010 and during Phase I testing and evaluation it exhibited a high false alarm rate.

The Hybrid Composite Container Project Has Demonstrated Potential, but S&T Terminated the Vendor's Contract during Phase I Laboratory Testing Because of Internal Management Issues:

According to S&T, it terminated MSC's contract to build the composite container for the Hybrid Composite Container Project in June 2010 because MSC was experiencing internal management issues that were preventing the project from progressing.
MSC had been building an ISO-compliant 20-foot shipping container made out of a composite fiber material instead of steel. The container consists of 4-foot by 8-foot corrugated, fiber-reinforced polymer panels welded to a steel frame. Five of the panels are welded together to form a 20-foot container wall. The container is 15 percent lighter than a steel container of the same size, and according to an official at the University of Maine (a subcontractor to MSC), it is expected to exhibit three to five times greater resistance to corrosion than a steel container. Damaged panels must be replaced, however, rather than repaired with a patch as can be done on a steel container. The container incorporates an embedded sensor grid to provide six-sided intrusion detection. In addition to the sensor grid, the composite container is to use a CSD for door-opening detection. Finally, a communications chip is integrated into the sensor grid to allow for wireless communications with readers. Previous test results of the composite container indicate that the container would likely meet or exceed ISO standards and, therefore, be suitable for use in international trade.

S&T selected GTRI to develop a sensor grid that could be embedded within the walls of the composite container to provide intrusion detection capability. The sensor grid provides ACSD-like security for the container in that a hole in the container wall would be detected by the sensor grid triggering an alarm. However, one of the composite panels with the embedded sensor grid failed durability testing conducted by the vendor. Although development of the composite container has been halted, S&T has directed GTRI to continue developing its sensor grid to address this deficiency because S&T is exploring other contracting options to continue the development of the composite container. According to S&T, it anticipates that work on the composite container will resume in September 2010.
Marine Asset Tag Tracking System Is Progressing to Phase II Trade Lane Testing:

One vendor, iControl, Inc., is currently being supported by S&T to develop MATTS, which includes the iTAG, a communications tag mounted on the exterior of containers, and the iGATE, a remote reader used to communicate with the iTAG. MATTS will participate in Phase II trade lane testing with the GTRI CSD in September 2010. MATTS provides the capability to globally track the location of containers. In addition, the MATTS iTAG provides a long-range wireless communications system for CSD and ACSD devices.[Footnote 17] A CSD or ACSD device mounted on the interior of a container has a short-range wireless communications system, but the iTAG, when mounted outside of a container, can act as a relay to pass messages from the CSD or ACSD to centralized locations at a designated read point, such as a port of departure.[Footnote 18]

The CSTE team conducted limited Phase I laboratory testing of the iTAG, but it did not conduct all needed laboratory testing because changes were still being made to the iTAG. According to the S&T program manager, the iTAG will undergo all required testing when it is produced in its final form.

While MATTS has not undergone DHS's Phase II trade lane tests, iControl, Inc., conducted two trade lane tests of MATTS beginning in 2007 and 2008. During each of these trade lane tests, iControl, Inc., placed 100 iTAGs on 100 cargo containers and shipped them from the Port of Yokohama, Japan, to the Port of Los Angeles. At the conclusion of these tests, 199 of the 200 MATTS iTAGs arrived at their destinations. However, the trade lane testing identified deficiencies with iControl, Inc.'s MATTS iTAG. Specifically, 13 to 15 percent of the iTAGs sustained damage during the tests, including loose connectors that affected the performance of the MATTS tags.
In one test, power management features did not function as intended, resulting in battery usage in excess of that allowed by the project requirements. During the trade lane tests, iControl, Inc., did not test MATTS in conjunction with any ACSD or CSD prototypes. However, iControl, Inc., did test the environmental durability of the iTAG, as well as its power management and container tracking capabilities. According to the S&T program manager, the deficiencies identified in MATTS are being addressed by iControl, Inc., and a new version of the iTAG, in conjunction with the GTRI CSD device, will undergo Phase II trade lane testing from the Port of Shanghai, China, to Savannah, Georgia, in September 2010. The S&T program manager anticipates providing MATTS performance standards to the Office of Policy Development and CBP in December 2010. Figure 6 shows the MATTS tag mounted on a cargo container.

Figure 6: Photograph of iControl, Inc.'s MATTS Tag:

[Refer to PDF for image: photograph]

iControl's MATTS tag mounted on the outside of a container, above container doors.

Source: DHS.

[End of figure]

Testing All Operational Scenarios Would Enable S&T to Better Determine the Performance of Container Security Technologies in Their Intended Operational Environments:

Before S&T can provide container security technology performance standards to the Office of Policy Development and CBP, all technology prototypes have to undergo Phase II trade lane testing, according to the master test plans. According to S&T, the MATTS tag and GTRI's CSD are expected to undergo Phase II trade lane testing in September 2010. However, S&T's plans for conducting Phase II trade lane testing of these container security technologies do not reflect all the operational scenarios agreed upon within DHS for how the technologies could be implemented. S&T's master test plans define Phase II trade lane testing as 100 maritime moves to a U.S. port.
However, some of the operational scenarios being considered for implementation by the Office of Policy Development and CBP involve using technologies on cargo containers that would either not be placed on a vessel, or only applied during overland shipping after their arrival in the United States.[Footnote 19] Before S&T can provide performance standards, per the technology transition agreements signed by S&T, the Office of Policy Development, and CBP, the technologies are to have been proven to work in their final form and under expected operational conditions. DHS acknowledged that the testing is limited and that future testing should reflect all the operational scenarios. Unless the container security technologies are tested in all operational scenarios, the performance standards that are delivered by S&T to the Office of Policy Development and CBP may not fully meet DHS's or CBP's needs. Our prior work has shown that when operational requirements are not established prior to acquisition, it can negatively affect program performance.[Footnote 20] Conducting Phase II trade lane testing for the container security technologies consistent with all operational scenarios would better position S&T to determine if the technologies will be suitable for use in their intended operational environments.

Key Steps and Challenges Remain before Implementation of Container Security Technologies Can Move Forward:

If S&T determines that the container security technologies are mature enough to provide performance standards for these technologies to the Office of Policy Development and CBP, key steps and associated challenges remain before DHS and CBP can implement the container security technologies in the supply chain that meet those performance standards.
Based on our discussions with Office of Policy Development and CBP officials, we identified three key steps that remain before implementation can occur: (1) obtaining support from trade industry and international partners, (2) developing a concept of operations (CONOPS)[Footnote 21] that describes how the technologies are to be deployed, and (3) certifying the technologies for use in the supply chain. According to Office of Policy Development and CBP officials, they will take these steps if and when S&T is able to provide performance standards. Our work indicates that the Office of Policy Development and CBP could face challenges when executing some of these steps.

Obtaining Trade Industry and International Partners' Support to Implement Container Security Technologies Could Be Challenging:

DHS could face challenges in obtaining support from the trade industry and international partners as it pursues implementation of the container security technologies. According to an Office of Policy Development director, there are two approaches DHS could likely pursue to implement container security technologies--mandatory or voluntary participation by the trade industry. The director added that if DHS determines that the universal use of container technologies would provide a worthwhile security benefit, DHS would likely pursue a rulemaking approach to mandate the use of the technologies on all U.S.-bound containers. If DHS determines that the technologies would be primarily beneficial in a more limited portion of the supply chain, though, it would work with the trade industry to encourage voluntary use of the technologies.
Some members of the trade industry we spoke with were resistant to purchasing and using the technologies given the number of container security programs they already have to comply with.[Footnote 22] Representatives of the World Shipping Council and both vessel carriers we spoke with questioned the role of vessel carriers in implementation because of the uncertainties that presently exist concerning how the technologies could be implemented and which parties are to be involved. The representatives of the two vessel carriers we spoke with expressed interest in purchasing the Hybrid Composite Container because of the commercial benefit that could be provided by its reduced weight, but they added that they are not interested in spending additional money on the embedded sensor grid that is to provide the security benefit. Further, the importers we spoke with questioned their role and whether they have the authority to affix technologies on containers they do not own, as the containers they use are typically leased. If CBP adopts a voluntary approach, it may also have challenges getting support from C-TPAT members--its trusted private sector partners. Container security technologies could provide security benefits in the supply chain, but using technology that detects intrusion into a cargo container when there is no assurance illicit materials or contraband were not earlier introduced could give the false impression that the container is secure or could have the effect of potentially locking dangerous or illicit cargo in a container. Since C-TPAT members are committed to a comprehensive security process, including procedures for securing containers at the point of packing, they provide such assurance. According to DHS's 2007 Strategy to Enhance International Supply Chain Security,[Footnote 23] the department intended to use C-TPAT Tier III[Footnote 24] members to implement commercially available container security devices that CBP previously tested.
However, C-TPAT Tier III members we spoke with were resistant to the idea of having to purchase and use technologies, such as the CSD and ACSD, on their containers to maintain their Tier III status. In particular, some of the members stated that from a financial standpoint, the additional benefit of reduced number of container inspections that CBP provided to Tier III members over Tier II[Footnote 25] members, would not outweigh the costs of using the technologies. As a result, they stated that they would likely downgrade to Tier II status rather than have to purchase the technologies. The C-TPAT Tier III members, as well as other trade industry representatives we spoke with, said DHS should demonstrate, through a risk-benefit analysis, that using the technologies would provide a clear security benefit before making the use of such technologies a requirement. CBP officials told us that they are aware that the trade industry is generally not willing to spend money on container security technologies and that C-TPAT members question whether the cost is worth the benefit. In addition to obtaining trade industry support, DHS will also need to obtain support from international organizations and WCO to implement the new container security technologies. In order for the container security technologies to be admitted into foreign countries without being subject to import duties and taxes, as well as import prohibitions and restrictions, the technologies first have to be recognized as accessories and equipment of the containers under the Customs Convention on Containers. The convention essentially provides for the temporary admission and reexportation of containers and their accessories and equipment that meet certain requirements without the imposition of duties or taxes by any customs authority. 
According to a WCO director, while an individual device attached to a container most likely would be viewed as an accessory to the container, if multiple devices are shipped in bulk for reuse on other containers, the question of how to treat them for import duty purposes would be more difficult. He also noted that, if requested by a member country, WCO could provide an advisory opinion as to whether the technologies should be treated as container accessories and equipment pursuant to the Customs Convention on Containers, but the ultimate decision as to whether to classify the technologies as exempt from import duties and taxes resides with each individual foreign government. Other options under consideration for how the container security technologies are to be implemented would also require support from foreign governments. CBP officials told us that they are considering implementing the use of container security technologies in high-risk trade lanes--trade routes that have been determined to pose the highest risk of transporting threats to the United States. S&T officials stated that another option would be to use the technologies on cargo containers departing from ports participating in the Container Security Initiative.[Footnote 26] CBP officials recognize that they will need to work with international partners, and plan to do so when S&T provides performance standards.

Developing a Feasible Concept of Operations Could Prove Difficult:

The successful implementation of container security technologies depends on the security procedures throughout the supply chain as well as the people engaged in those procedures. These procedures are typically documented in a concept of operations (CONOPS)--a user-oriented document that describes how an asset is to be employed and supported from the users' viewpoint. A CONOPS also describes the operations that must be performed, who must perform them, and where and how the operations will be carried out.
DHS and CBP could face challenges developing a feasible CONOPS that addresses the necessary technology infrastructure needs and protocols. Container security technologies require a supporting technology infrastructure, including readers to communicate to customs officials whether a technology has identified an unauthorized intrusion, and a means to capture and store the data. CBP will be faced with determining who will have access to the container security technologies through readers, where to place these readers, and obtaining permission to install fixed readers at both domestic and foreign ports. Prior work we conducted on container scanning technologies identified challenges in obtaining permission and space from terminal operators at both domestic and foreign ports to install equipment.[Footnote 27] Further, several pilots previously conducted to test the feasibility of using container security technologies have also noted challenges with establishing the reader infrastructure at ports. For example, during Operation Safe Commerce, difficulties were encountered with the installation and maintenance of fixed readers at both foreign and domestic ports.[Footnote 28] Furthermore, several foreign ports did not allow installation of the fixed readers, and problems were also encountered in installing and maintaining power to fixed readers at domestic port facilities. In addition, databases are needed to collect the data obtained by the readers from the container security technologies. Pilots have also demonstrated the challenges with establishing information systems to collect the data provided by the technologies. Establishing protocols regarding which supply chain participants will be involved in arming and disarming the technologies, reading the status messages generated by the technologies, responding to alarms, and accessing data will also be important. 
For example, if the CONOPS calls for technologies to first be affixed to a container at the point of packing, it will require the packers to have the ability to first install and arm the technologies. The packing of goods into cargo containers can be handled by a number of different parties, including the shipper (i.e., seller), a third-party consolidator, or the buyer. Regardless of which party is packing the container, these participants have the last visual check of the goods before they are sealed for transport. At any point during the transfer of the container from its packing point to the port of embarkation, foreign customs may need to stop and open a container for inspection. In these instances, it will be important to ensure foreign customs officials have the ability to arm and disarm the technologies so they can open a container without triggering the alarm. Response protocols will need to be developed that include information on which parties are to respond to an alarm and the associated processes for responding. While CBP would likely respond to a container alarm by first scanning the container with NII equipment to mitigate any potential danger to a CBP officer entering the container to conduct a physical examination, CBP officers may not be nearby when an alarm occurs, particularly if it occurs during a container's transport to a foreign port, at a non-Container Security Initiative port, or while on a vessel in-transit. Furthermore, CBP will also need to consider whether foreign governments' customs agencies will be allowed access to the data generated by the technologies on containers departing their respective ports.

CBP Plans to Certify Technologies before They Can Be Used in the Supply Chain:

Once a CONOPS is developed, certification testing can take place to determine the suitability of technologies consistent with the CONOPS.
According to CBP officials, CBP plans to conduct certification testing to demonstrate whether technology products meet the performance standards issued by S&T and are suitable for implementation consistent with its operational concept. CBP officials stated they would begin the certification process by issuing a request for information seeking vendors to submit technologies for certification testing. Interested container security technology vendors would submit their products to CBP for certification testing, which consists of a mix of laboratory and trade lane testing to demonstrate whether the products meet the performance standards. According to CBP officials, they would determine a means to select vendor products for testing and then establish detailed methods to test and evaluate the technology products submitted by the vendors. Office of Policy Development and CBP officials we spoke with anticipate certification testing would take approximately 3 to 4 months. The officials added that in advance of the testing, preparation time is needed to solicit participants from the trade industry and select trade lanes for testing. After conducting the tests, additional time will be needed to analyze the results to determine if the vendor's technology product will function as intended in the supply chain. If a technology product successfully completes certification testing, DHS will certify it as meeting its standards and the trade industry would be able to purchase it for use in the supply chain. Technologies that are successful during certification testing are expected to be implemented in the supply chain, according to an Office of Policy Development director. Figure 7 shows the process of developing an approved products list.

Figure 7: Certification Testing Process:

[Refer to PDF for image: illustration]

DHS S&T roles: Phase I: Laboratory Testing; Phase II: Trade Lane Testing; Delivery of Performance Standards to DHS Office of Policy Development and CBP.
CBP roles: Certification Testing; Approval Product List.

Source: GAO analysis of DHS S&T information.

[End of figure]

Conclusions:

Container security technologies have the potential to contribute to CBP's layered security strategy by tracking containers, and detecting and reporting intrusions, while containers move through the supply chain. S&T has made progress in testing and evaluating certain container security technologies, and continues to work with vendors to develop these technologies, but challenges continue in finding technologies that can provide intrusion detection through any of the six sides of a container. The ACSD project is not currently being funded due to the deficiencies identified during Phase I laboratory testing and the Hybrid Composite Container project is undergoing contract negotiations to resume work on the composite container after challenges were encountered with the vendor. In contrast, the CSD and MATTS projects--which will provide intrusion detection through container doors and a communications system, respectively--are nearing their completion and S&T expects to deliver performance standards to the Office of Policy Development and CBP by the end of 2010. Before delivering the performance standards, S&T must demonstrate that these container security technologies can work in the operational environments in which they are intended to be used. However, the operational environment testing that S&T plans to conduct is limited to the maritime environment and does not fully address the operational scenarios being considered by the Office of Policy Development and CBP. Until all intended operational scenarios are tested, S&T cannot provide reasonable assurance that the container security technologies would effectively function in all the operational scenarios identified by the Office of Policy Development and CBP for potential implementation.
Conducting Phase II trade lane testing for the container security technologies in all intended operational scenarios would better position S&T to determine if the technologies will be suitable for use in their intended operational environments.

Recommendation for Executive Action:

To ensure that the container security technologies being developed will function in their intended operational environments, we recommend that the Secretary of Homeland Security instruct the Assistant Secretary of the Office of Policy, the Commissioner of U.S. Customs and Border Protection, and the Under Secretary of the Science and Technology Directorate, to test and evaluate the container security technologies consistent with all of the operational scenarios DHS identified for potential implementation, before S&T provides performance standards to the Office of Policy Development and CBP.

Agency Comments:

We provided draft copies of this report to the Secretaries of Homeland Security, Energy, and Defense for review and comments. DOE and DOD did not provide official written comments to include in the report. DHS provided official written comments, which are reprinted in appendix III. DHS concurred with our recommendation. In addition, DHS and CBP provided technical comments, which we incorporated as appropriate. In response to DHS's technical comments and subsequent discussion with agency officials, we modified our recommendation to clarify its intent that DHS test and evaluate container security technologies consistent with all of the operational scenarios it has identified for potential implementation.

We are sending copies of this report to the Secretaries of Homeland Security, Energy, and Defense; and interested congressional committees. In addition, the report will be available on GAO's Web site at [hyperlink, http://www.gao.gov].

If you or your staff members have any questions about this report, please contact Stephen L. Caldwell at (202) 512-9610 or Timothy M.
Persons at (202) 512-6412, or by e-mail at caldwells@gao.gov or personst@gao.gov, respectively. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IV.

Sincerely yours,

Signed by:

Stephen L. Caldwell:
Director, Homeland Security and Justice:

Signed by:

Timothy M. Persons, Ph.D.
Chief Scientist:
Director, Center for Science, Technology, and Engineering:

[End of section]

Appendix I: Vendors Selected to Participate in Container Security Technology Projects:

This appendix provides information on how the Department of Homeland Security's (DHS) Science and Technology (S&T) Directorate selected vendors to participate in the four container security technology projects. S&T used a multiple-round process to select vendors' technologies for development. Several vendors responded to S&T's 2004 broad agency announcement (BAA) for the Advanced Container Security Device (ACSD) project and 2003 small business innovative research (SBIR) solicitation for the Marine Asset Tag Tracking System (MATTS). Respondents' technology proposals were evaluated on their ability to meet the project requirements, and those considered to be viable were selected by S&T to participate in Round I. S&T selected vendors for subsequent rounds of development based on vendor performance and proposals. Vendor selection for the Container Security Device (CSD) project was based on the performance of prototypes during Round I of the ACSD project. Similarly, selection for the Hybrid Composite Container project was based on performance in the ACSD project. Table 7 provides information on the vendors selected to participate in each of the projects and the funds provided to the vendors.
Table 7: Selection and Funding of Vendors for Development of Container Security Technologies:

Project name: Advanced Container Security Device (ACSD);
Timeline of vendor selection: 2004--BAA published;
Funds provided to vendors (dollars in millions): not applicable;
Number of vendor awards: 30 respondents.

Project name: Advanced Container Security Device (ACSD);
Timeline of vendor selection: 2005--Round I;
Funds provided to vendors (dollars in millions): $3.4;
Number of vendor awards: 5 awardees.

Project name: Advanced Container Security Device (ACSD);
Timeline of vendor selection: 2006--Round II;
Funds provided to vendors (dollars in millions): $6.1;
Number of vendor awards: 2 awardees: L-3 Communications and SAIC.

Project name: Container Security Device (CSD);
Timeline of vendor selection: 2006--Project initiated during Round II of ACSD project to provide interim door sensor capabilities while ACSD progressed;
Funds provided to vendors (dollars in millions): $2.7;
Number of vendor awards: 2 awardees: GTRI and SAIC (selected from the ACSD project).

Project name: Hybrid Composite Container;
Timeline of vendor selection: 2005--Project initiated during ACSD project to provide ACSD capability in a composite container;
Funds provided to vendors (dollars in millions): 5.8;
Number of vendor awards: 2 awardees: Maine Secure Composites (composite container) and GTRI (sensor grid).

Project name: Marine Asset Tag Tracking System (MATTS);
Timeline of vendor selection: 2003--SBIR solicitation;
Funds provided to vendors (dollars in millions): not applicable;
Number of vendor awards: 85 respondents.

Project name: Marine Asset Tag Tracking System (MATTS);
Timeline of vendor selection: 2004--Round I;
Funds provided to vendors (dollars in millions): $1.4;
Number of vendor awards: 14 awardees.

Project name: Marine Asset Tag Tracking System (MATTS);
Timeline of vendor selection: 2005--Round II;
Funds provided to vendors (dollars in millions): $2.4;
Number of vendor awards: 3 awardees.

Project name: Marine Asset Tag Tracking System (MATTS);
Timeline of vendor selection: 2006--Round III;
Funds provided to vendors (dollars in millions): $2.3;
Number of vendor awards: 1 awardee: iControl, Inc.

Source: GAO analysis of DHS S&T information.

[End of table]

[End of section]

Appendix II: Description of Container Security Technologies' Communications Systems:

Appendix II provides information on the communications system used to support container security technologies. Because ACSDs (including the sensor grid embedded in the Hybrid Composite Container) and CSDs are mounted inside of a container without a physical connection accessible from the outside of a closed container, a wireless communications system is to facilitate the remote arming (activating the intrusion detection capabilities) and disarming (deactivating the intrusion detection) of the ACSDs or CSDs. Furthermore, the communications system is to allow U.S. Customs and Border Protection (CBP) remote access to status information from an ACSD or CSD, including information about the health of the device and whether the device had detected an intrusion. ACSDs and CSDs are intended to be a single component of a larger Security Device System, which may also include the following components (see figure 8):

* Communications Modules (CM): These devices are mounted on the exterior of a container. A CM is to relay status information from an ACSD or CSD to a fixed status reader using radio frequency (RF) at 2.4 GHz or cellular communications. iControl, Inc. is developing a device known as the iTAG under the MATTS project to serve as a CM.
* Fixed status readers: These devices are to receive status information from ACSDs or CSDs located within 100 feet of the reader (or status updates relayed by a CM) and relay that status information using a variety of methods, such as RF, cellular, or Ethernet access, to a centralized data center. iControl, Inc., is developing a device known as the iGATE under the MATTS project to serve as a fixed status reader.

* Handheld readers: These are to be used by CBP or other authorized parties to receive status information from ACSDs or CSDs located within 10 feet of the reader.

* Centralized data centers: These centers are to receive status information from CMs and readers and allow CBP or other authorized parties to remotely monitor status information from all ACSDs and CSDs in the area served by the data center.

Figure 8: Security Device System Supporting Container Security Technology Communications:

[Refer to PDF for image: illustration]

Depicted on the illustration: Container: CSD/ACSD; Container: CSD/ACSD (Trusted); Communication module; Communication module (Trusted); Handheld reader (Trusted); Fixed reader; Connection (RF); Connection (RF/cellular/other); Data Center (Trusted); CBP database.

Source: GAO analysis of DHS S&T information.

[End of figure]

ACSDs and CSDs should be able to communicate to a reader with or without the use of a CM. If no CM is mounted with an ACSD or CSD, the ACSD or CSD can communicate--by means of short-range RF at 2.4 GHz using communications capabilities on the ACSD or CSD itself--intrusion alerts and periodic general status updates to a fixed status reader located within 100 feet of the monitored container or to a handheld reader located within 10 feet of the monitored container. If a CM is associated with an ACSD or CSD, the ACSD or CSD can use short-range RF communications to relay messages through its CM to a more remote reader.
If an ACSD or CSD needs to send status information to the data center while out of range of a reader, the external CM can attempt to relay the information through other CMs mounted on nearby containers until a reader is in range. This relayed communications process is known as "meshing." Similarly, if a reader is unable to communicate to the data center, it may attempt to pass messages to other nearby readers until communication with the data center is achieved. Secure data generated by the ACSDs and CSDs are to be protected by translating the data into an unreadable form using a code (encryption). This encryption is to occur directly on the ACSDs and CSDs to avoid possible interception of confidential information transmitted during normal operation. Transmitted information includes security-related information used by CBP to determine the status of a container, but it may also include proprietary shipping information used by carriers or shippers (although such information must be encrypted separately). The encryption scheme also allows remote disarming of the devices (arming need not be done with an encrypted command), as only those devices with the encryption key will be capable of sending commands that the ACSDs or CSDs will recognize. The ACSDs, CSDs, handheld readers, and data centers (but not the fixed readers, as they are unattended and insecure) will be provided with the encryption key, allowing these components of the Security Device System to exchange information in a secure manner. Communication of status information to remote readers for transfer to a data center is to occur, at minimum, at all points where reading is specified by DHS. These read points include the point of packing, the entrance gate at the port of departure, the exit gate at the port of arrival, and the entrance gate at the point of deconsolidation (where a container is unpacked). Communications should be designed in a nonproprietary format designed specifically for this application. 
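The key-distribution rule described above (devices, handheld readers, and data centers hold the key; unattended fixed readers do not) is illustrated by the following added example, which is not part of the GAO report or of any DHS or vendor design. It uses HMAC-SHA256 message authentication from the Python standard library in place of the report's unspecified encryption scheme, and the message fields, sequence counters, device identifier, and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def seal(key, payload):
    """Serialize a message and prepend an HMAC-SHA256 tag over it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key, frame):
    """Return the payload if the tag verifies under `key`, else None."""
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class SecurityDevice:
    """ACSD/CSD side: holds the key, reports status, obeys keyed disarm."""

    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key
        self.armed = self.intrusion = False
        self._status_seq = 0    # incremented for every status frame sent
        self._last_cmd_seq = 0  # highest disarm sequence accepted so far

    def arm(self):
        self.armed = True       # per the report, arming needs no keyed command

    def door_opened(self):
        self.intrusion = self.intrusion or self.armed

    def status_frame(self):
        self._status_seq += 1
        return seal(self._key, {"type": "status", "device": self.device_id,
                                "seq": self._status_seq, "armed": self.armed,
                                "intrusion": self.intrusion})

    def handle_disarm(self, frame):
        msg = unseal(self._key, frame)
        if not msg or msg.get("type") != "disarm":
            return False        # bad tag, or a status frame reused as a command
        if msg.get("device") != self.device_id or msg["seq"] <= self._last_cmd_seq:
            return False        # wrong container, or replay of an old command
        self._last_cmd_seq = msg["seq"]
        self.armed = False
        return True


class KeyHolder:
    """Handheld reader or data center: the parties that are given the key."""

    def __init__(self, key):
        self._key, self._cmd_seq = key, 0
        self._last_status = {}  # device id -> highest status sequence seen

    def disarm_frame(self, device_id):
        self._cmd_seq += 1
        return seal(self._key, {"type": "disarm", "device": device_id,
                                "seq": self._cmd_seq})

    def read_status(self, frame):
        msg = unseal(self._key, frame)
        if not msg or msg.get("type") != "status":
            return None
        if msg["seq"] <= self._last_status.get(msg["device"], 0):
            return None         # stale or replayed report
        self._last_status[msg["device"]] = msg["seq"]
        return msg


def demo():
    key = os.urandom(32)                   # constructed shared key
    csd = SecurityDevice("CSD-0001", key)  # constructed device id
    reader = KeyHolder(key)                # handheld reader or data center
    csd.arm()
    csd.door_opened()
    frame = csd.status_frame()  # what a keyless fixed reader would forward
    # A relay that rewrites the alarm bit cannot recompute the tag.
    altered = frame.replace(b'"intrusion":true', b'"intrusion":false')
    command = reader.disarm_frame("CSD-0001")
    rogue = KeyHolder(os.urandom(32)).disarm_frame("CSD-0001")
    out = {"altered_status": reader.read_status(altered),
           "relayed_status": reader.read_status(frame),
           "replayed_status": reader.read_status(frame),
           "rogue_disarm": csd.handle_disarm(rogue),
           "status_as_disarm": csd.handle_disarm(frame),
           "keyed_disarm": csd.handle_disarm(command)}
    csd.arm()
    out["replayed_disarm"] = csd.handle_disarm(command)
    out["armed_after_replay"] = csd.armed
    return out
```

With more than one handheld reader or data center issuing commands, the single counter kept by the device would need to become per-issuer state or a device-supplied nonce.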
This standard ensures that a Security Device System is permissible under all necessary international communications standards.

[End of section]

Appendix III: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security:
Washington, DC 20528:

September 21, 2010:

Stephen L. Caldwell:
Director, Homeland Security and Justice:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Caldwell:

RE: Response to Draft Report GAO-10-887SU, Supply Chain Security: To Ensure Effective Testing of Container Security Technologies, DHS Components Should Agree on How They Will Be Used (GAO 440824).

Thank you for the opportunity to review and comment on the Government Accountability Office's (GAO) draft report referenced above. The Department of Homeland Security (DHS), including the Office of Policy (Policy), U.S. Customs and Border Protection (CBP) and Science and Technology (S&T), appreciates the investigative team's review of ongoing efforts to develop conveyance security technologies that can enhance the security of goods moving across our borders and traveling within our Nation. We appreciate the professionalism and subject matter expertise demonstrated by GAO's team members in conducting this review.

DHS concurs with the sole recommendation in this report that container security technologies should be tested and evaluated consistent with each of the intended operational scenarios before S&T provides performance standards to Policy and CBP. DHS agrees that identification of operational scenarios is a necessary prerequisite to the research and development process and the creation of performance standards; as discussed in the report, CBP, Policy, and S&T have identified a number of scenarios where technologies have the potential to be implemented in the future and therefore should be tested.
However, as a matter of additional clarification, DHS does not anticipate completion of testing in all possible operational scenarios prior to delivery of any container security technology performance standards to CBP and Policy. For example, the performance standards currently under development by S&T for a Container Security Device (CSD) reflect the first generation of such a device and are focused exclusively on maritime container routes. Phase II trade lane testing master plans, and any resulting performance standards, therefore will reflect only one of the many operational scenarios previously agreed upon within DHS. This 'phased approach' for delivery of performance standards to CBP and Policy will permit additional time and opportunity for consideration of potential implementation of these devices in specific, limited trade routes. DHS remains committed to also pursuing technologies that will work within different types of routes in the air and sea environments, as well as inter-modally (for example, within or between a sea and land route). While a technology that works within a single mode of transport is a start, DHS acknowledges that the complexity and inter-connectedness of global supply chains and transportation systems necessitate more comprehensive solutions. That said, DHS anticipates future work on CSD technologies for non-maritime routes or on devices that can be used even as goods transition between transportation systems in the coming years. The development, testing, and resulting performance standards will be based on the operational scenarios that have been identified to-date, as well as scenarios that may be proposed as our knowledge of supply chains continues to evolve.
In fact, DHS is considering a pilot in Fiscal Year 2011 to evaluate potential applications for different types of container security technologies, including a CSD for non-maritime environments and the Marine Asset Tag Tracking System (MATTS) for several cross-border surface routes.

Once again, thank you for the opportunity to comment on this draft report. We look forward to working with you on future homeland security issues.

Sincerely,

Signed by:

Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:

[End of section]

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Stephen L. Caldwell, (202) 512-9610 or caldwells@gao.gov:
Timothy M. Persons, (202) 512-6412 or personst@gao.gov:

Staff Acknowledgments:

In addition to the contacts named above, Christopher Conrad and Richard Hung, Assistant Directors, and Lisa Canini, Analyst-in-Charge, managed this review. Leah Anderson, Alana Finley, Scott Fletcher, Adam Mirvis, and Matthew Tabbert made significant contributions to the work. In addition, Stanley Kostyla assisted with design and methodology; Frances Cook provided legal support; Katherine Davis and Lara Miklozek provided assistance in report preparation; and Pille Anvelt and Avy Ashery helped develop the report's graphics.

[End of section]

Glossary:

The terms below are defined for the purposes of this GAO report.

Cargo: The freight (goods or products) carried by a vessel, barge, train, truck, or plane.

Concept of Operations (CONOPS): A CONOPS is a user-oriented document that describes how an asset, system, or capability will be employed and supported from the users' viewpoint. A CONOPS also describes the operations that must be performed, who must perform them, and where and how the operations will be carried out.

Consolidator: The party who packs the container or arranges for the packing of the container.

Container: A box made of aluminum, steel, or fiberglass used to transport cargo by ship, rail, truck, or barge.
Common dimensions are about 20 feet x 8 feet x 8 feet (called a TEU, or 20-foot-equivalent unit) or about 40 feet x 8 feet x 8 feet.

Customs: Government agency charged with enforcing the laws and rules passed to enforce the country's import and export revenues. In the United States these responsibilities are handled by U.S. Customs and Border Protection.

Customs Broker: The person who prepares the needed documentation for importing goods (just as a freight forwarder does for exports). In the United States, the broker is licensed under federal regulations to act on behalf of others in conducting transactions related to federal import and export requirements.

Exporter: A person or company that is responsible for the sending of goods out of one country to another.

Freight Forwarder: An individual or company that prepares the documentation and coordinates the movement and storage of export cargoes. See also customs broker.

Importer: A person or company that brings in goods from a foreign country.

Maritime Move: A one-way trip through the supply chain from stuffing to U.S. port of arrival on an ocean-going vessel.

Nonintrusive Inspection: Using technologies to scan the contents of a container without opening the container.

Non-vessel operating common carrier: A non-vessel operating common carrier buys space aboard a ship to get a lower volume rate and then sells that space to various small shippers, consolidates their freight, issues bills of lading, and books space aboard a ship.

Performance Standards: Requirements that must be met by products to ensure they will function as intended.

Physical Inspection: The opening of a container and removal of its contents for inspection.

Probability of Detection: The likelihood that a device will properly alarm when in the armed mode.

Probability of False Alarm: The likelihood that a device will improperly alarm, when in the armed mode, due to environmental conditions or conditions other than opening or removing the door(s).
Prototype: A functional preproduction version of a new type of product.

Red Teaming: Red teaming is performed from the perspective of an attacker with malevolent intentions, to identify and exploit weaknesses in a technology. The results of these tests allow for a better understanding of the risk associated with the corresponding device or system.

Scanning: Nonintrusively inspecting the contents of a container using technologies.

Screening: Assessing the security risk posed by a container based on available information.

Shipper: The person or company that is usually the supplier or owner of commodities shipped.

Supply Chain: The international network of retailers, distributors, transporters, storage facilities and suppliers that participate in the sale, delivery, and production of goods.

Trade Lane: A sea route ordinarily used by vessels.

Twenty-Foot Equivalent Unit (TEU): A unit of measurement equal to the space occupied by a standard 20-foot container. Used in stating the capacity of container vessel or storage area. One 40-foot container is equal to 2 TEUs.

Vendor: An entity that develops container security technology prototypes.

Vessel: A ship or large boat.

Vessel Carrier: Any person or entity who, in a contract of carriage, undertakes to perform or to procure the performance of carriage by sea.

Vessel Manifest: Includes, among other things, a list of cargo being carried by the vessel.

[End of section]

Related GAO Products:

Maritime Security: DHS Progress and Challenges in Key Areas of Port Security. [hyperlink, http://www.gao.gov/products/GAO-10-940T]. Washington, D.C.: July 21, 2010.

Combating Nuclear Smuggling: DHS Has Made Some Progress but Not Yet Completed a Strategic Plan for Its Global Nuclear Detection Efforts or Closed Identified Gaps. [hyperlink, http://www.gao.gov/products/GAO-10-883T]. Washington, D.C.: June 30, 2010.
Supply Chain Security: Feasibility and Cost-Benefit Analysis Would Assist DHS and Congress in Assessing and Implementing the Requirement to Scan 100 Percent of U.S.-Bound Containers. [hyperlink, http://www.gao.gov/products/GAO-10-12]. Washington, D.C.: October 30, 2009.

Combating Nuclear Smuggling: DHS Improved Testing of Advanced Radiation Detection Portal Monitors, but Preliminary Results Show Limits of the New Technology. [hyperlink, http://www.gao.gov/products/GAO-09-655]. Washington, D.C.: May 21, 2009.

Combating Nuclear Smuggling: DHS's Phase 3 Test Report on Advanced Portal Monitors Does Not Fully Disclose the Limitations of the Test Results. [hyperlink, http://www.gao.gov/products/GAO-08-979]. Washington, D.C.: September 20, 2008.

Supply Chain Security: CBP Works with International Entities to Promote Global Customs Security Standards and Initiatives, but Challenges Remain. [hyperlink, http://www.gao.gov/products/GAO-08-538]. Washington, D.C.: August 15, 2008.

Supply Chain Security: Challenges to Scanning 100 Percent of U.S.-Bound Cargo Containers. [hyperlink, http://www.gao.gov/products/GAO-08-533T]. Washington, D.C.: June 12, 2008.

Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed. [hyperlink, http://www.gao.gov/products/GAO-08-187]. Washington, D.C.: January 25, 2008.

Maritime Security: The SAFE Port Act: Status and Implementation One Year Later. [hyperlink, http://www.gao.gov/products/GAO-08-126T]. Washington, D.C.: October 30, 2007.

Maritime Security: One Year Later: A Progress Report on the SAFE Port Act. [hyperlink, http://www.gao.gov/products/GAO-08-171T]. Washington, D.C.: October 16, 2007.

Maritime Security: The SAFE Port Act and Efforts to Secure Our Nation's Seaports. [hyperlink, http://www.gao.gov/products/GAO-08-86T]. Washington, D.C.: October 4, 2007.
International Trade: Persistent Weaknesses in the In-Bond Cargo System Impede Customs and Border Protection's Ability to Address Revenue, Trade, and Security Concerns. [hyperlink, http://www.gao.gov/products/GAO-07-561]. Washington, D.C.: April 17, 2007.

Cargo Container Inspections: Preliminary Observations on the Status of Efforts to Improve the Automated Targeting System. [hyperlink, http://www.gao.gov/products/GAO-06-591T]. Washington, D.C.: March 30, 2006.

Homeland Security: Key Cargo Security Programs Can Be Improved. [hyperlink, http://www.gao.gov/products/GAO-05-466T]. Washington, D.C.: May 26, 2005.

Container Security: A Flexible Staffing Model and Minimum Equipment Requirements Would Improve Overseas Targeting and Inspection Efforts. [hyperlink, http://www.gao.gov/products/GAO-05-557]. Washington, D.C.: April 26, 2005.

Preventing Nuclear Smuggling: DOE Has Made Limited Progress in Installing Radiation Detection Equipment at Highest Priority Foreign Seaports. [hyperlink, http://www.gao.gov/products/GAO-05-375]. Washington, D.C.: March 31, 2005.

[End of section]

Footnotes:

[1] We have previously reviewed components of CBP's layered security strategy. See, for example, GAO, Supply Chain Security: Feasibility and Cost-Benefit Analysis Would Assist DHS and Congress in Assessing and Implementing the Requirement to Scan 100 Percent of U.S.-Bound Containers, [hyperlink, http://www.gao.gov/products/GAO-10-12] (Washington, D.C.: Oct. 30, 2009); Supply Chain Security: Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but Improved Data Collection and Performance Measures Are Needed, [hyperlink, http://www.gao.gov/products/GAO-08-187] (Washington, D.C.: Jan. 25, 2008); and Supply Chain Security: U.S. Customs and Border Protection Has Enhanced Its Partnership with Import Trade Sectors, but Challenges Remain in Verifying Security Practices, [hyperlink, http://www.gao.gov/products/GAO-08-240] (Washington, D.C.: Apr. 25, 2008).
[2] The container security technology projects will not directly lead to a DHS acquisition program, as it is envisioned that the trade industry will purchase the technologies, but rather are intended to demonstrate the ability of the technologies to meet DHS's technical requirements.

[3] The Office of Policy Development is located within DHS's Office of Policy.

[4] DHS, Developing Operational Requirements: A Guide to the Cost Effective and Efficient Communication of Needs, Version 2.0 (November 2008).

[5] Through the C-TPAT program, CBP develops voluntary partnerships with members of the international trade community comprised of importers; manufacturers; customs brokers; forwarders; air, sea, and land carriers; and contract logistics providers. Private companies agree to improve the security of their supply chains in return for various benefits, such as reduced examination of their cargo. See [hyperlink, http://www.gao.gov/products/GAO-08-240] for our previous work reviewing the C-TPAT program.

[6] ISO is a nongovernmental organization that develops and publishes international standards for which there is a market requirement. ISO standards are voluntary, as ISO has no authority to enforce the implementation of its standards.

[7] The WCO is an independent intergovernmental body whose mission is to enhance the effectiveness and efficiency of customs administrations.

[8] A non-vessel operating common carrier buys space aboard a vessel and then sells the space to small shippers.

[9] The standard measure of the volume of containerized cargo is a twenty-foot equivalent unit (TEU). For example, one 40-foot cargo container, the most common size in U.S. trade, would be counted as 2 TEUs of cargo.

[10] Pub. L. No. 109-347, 120 Stat. 1884.

[11] Pub. L. No. 110-53, § 1701(b), 121 Stat. 266, 491 (amending 6 U.S.C. § 944(a)(4)).
[12] Generally, ISO 17712 requires that container seals meet or exceed standards for strength and durability so as to prevent accidental breakage, early deterioration (due to weather conditions, chemical action, etc.) or undetectable tampering under normal usage. ISO 17712 also requires that each seal be clearly and legibly marked with a unique identification number.

[13] 46 U.S.C. § 70116.

[14] This report is restricted and not available to the public.

[15] The goal of a small business innovative research (SBIR) program is to incentivize increased participation of innovative and creative small businesses in federal research/federal research and development programs and to challenge industry to bring innovative homeland security solutions to reality.

[16] Technology transition agreements are agreements signed by S&T and its customers that describe the capability gap that the S&T project will fill, the project deliverable, the technical requirements and parameters, and the project plan.

[17] During testing, the performance of the iTAG's long-range communications system varied from 341 meters to 3,699 meters.

[18] ACSDs and CSDs are required to communicate with handheld readers within 10 feet and fixed readers within 100 feet.

[19] Three of the four operational scenarios consist of affixing container security devices on containers after their arrival by vessel or for overland shipping and include: (1) C-TPAT members' containers transiting from Mexico to the United States by truck; (2) containers arriving at the Port of Los Angeles and transiting by truck to Texas for immediate export into Mexico; and (3) containers transiting by truck from Mexico to Canada carrying agricultural products potentially containing pests.
[20] GAO, Department of Homeland Security: Assessments of Selected Complex Acquisitions, [hyperlink, http://www.gao.gov/products/GAO-10-588SP] (Washington, D.C.: June 30, 2010); and Defense Acquisitions: DOD Must Prioritize Its Weapon System Acquisitions and Balance Them with Available Resources, GAO-09-501T (Washington, D.C.: Mar. 25, 2009).

[21] A CONOPS is a user-oriented document that describes how an asset, system, or capability will be employed and supported from the users' viewpoint.

[22] As noted earlier, we conducted interviews with importers in group settings. As a result of the group settings, we do not explicitly identify the number of importers who expressed particular views. Rather, we express these views as those of some of the importers we interviewed.

[23] DHS, Strategy to Enhance International Supply Chain Security (July 2007).

[24] Tier III is for those C-TPAT members that exceed minimum security criteria and demonstrate a commitment to the highest levels of supply chain security.

[25] While Tier II members must meet minimum security requirements set by the C-TPAT program, Tier III membership is achieved by exceeding minimum requirements. In addition, Tier III members are required to maintain a record that is clear of security breaches or incidents.

[26] Through the Container Security Initiative, CBP places staff at 58 participating foreign ports through which 86 percent of U.S.-bound cargo containers pass, to work with host country customs officials to target and examine high-risk container cargo for weapons of mass destruction before they are shipped to the United States. See [hyperlink, http://www.gao.gov/products/GAO-08-187].

[27] [hyperlink, http://www.gao.gov/products/GAO-10-12].
[28] Operation Safe Commerce was a public/private partnership developed after September 11, 2001, to improve supply chain security by testing security practices and commercially available technologies in an operational environment, including technologies for tracking and tracing containers, and sealing containers.

[End of section]