This is the accessible text file for GAO report number GAO-11-657 
entitled 'Transportation Worker Identification Credential: Internal 
Control Weaknesses Need to Be Corrected to Help Achieve Security 
Objectives' which was released on May 10, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Requesters: 

May 2011: 

Transportation Worker Identification Credential: 

Internal Control Weaknesses Need to Be Corrected to Help Achieve 
Security Objectives: 

GAO-11-657: 

GAO Highlights: 

Highlights of GAO-11-657, a report to congressional requesters. 

Why GAO Did This Study: 

Within the Department of Homeland Security (DHS), the Transportation 
Security Administration (TSA) and the U.S. Coast Guard manage the 
Transportation Worker Identification Credential (TWIC) program, which 
requires maritime workers to complete background checks and obtain a 
biometric identification card to gain unescorted access to secure 
areas of regulated maritime facilities. As requested, GAO evaluated 
the extent to which (1) TWIC processes for enrollment, background 
checking, and use are designed to provide reasonable assurance that 
unescorted access to these facilities is limited to qualified 
individuals; and (2) the effectiveness of TWIC has been assessed. GAO 
reviewed program documentation, such as the concept of operations, and 
conducted site visits to four TWIC centers, conducted covert tests at 
several selected U.S. ports chosen for their size in terms of cargo 
volume, and interviewed agency officials. The results of these visits 
and tests are not generalizable but provide insights and perspective 
about the TWIC program. This is a public version of a sensitive 
report. Information DHS deemed sensitive has been redacted. 

What GAO Found: 

Internal control weaknesses governing the enrollment, background 
checking, and use of TWIC potentially limit the program’s ability to 
provide reasonable assurance that access to secure areas of Maritime 
Transportation Security Act (MTSA)-regulated facilities is restricted 
to qualified individuals. To meet the stated program purpose, TSA 
designed TWIC program processes to facilitate the issuance of TWICs to 
maritime workers. However, TSA did not assess the internal controls 
designed and in place to determine whether they provided reasonable 
assurance that the program could meet defined mission needs for 
limiting access to only qualified individuals. GAO found that internal 
controls in the enrollment and background checking processes are not 
designed to provide reasonable assurance that (1) only qualified 
individuals can acquire TWICs; (2) adjudicators follow a process with 
clear criteria for applying discretionary authority when applicants 
are found to have extensive criminal convictions; or (3) once issued a 
TWIC, TWIC-holders have maintained their eligibility. Further, 
internal control weaknesses in TWIC enrollment, background checking, 
and use could have contributed to the breach of MTSA-regulated 
facilities during covert tests conducted by GAO’s investigators. 
During covert tests of TWIC use at several selected ports, GAO’s 
investigators were successful in accessing ports using counterfeit 
TWICs, authentic TWICs acquired through fraudulent means, and false 
business cases (i.e., reasons for requesting access). Conducting a 
control assessment of the TWIC program’s processes to address existing 
weaknesses could better position DHS to achieve its objectives in 
controlling unescorted access to the secure areas of MTSA-regulated 
facilities and vessels. 

DHS has not assessed the TWIC program’s effectiveness at enhancing 
security or reducing risk for MTSA-regulated facilities and vessels. 
Further, DHS has not demonstrated that TWIC, as currently implemented 
and planned, is more effective than prior approaches used to limit 
access to ports and facilities, such as using facility specific 
identity credentials with business cases. Conducting an effectiveness 
assessment that further identifies and assesses TWIC program security 
risks and benefits could better position DHS and policymakers to 
determine the impact of TWIC on enhancing maritime security. Further, 
DHS did not conduct a risk-informed cost-benefit analysis that 
considered existing security risks, and it has not yet completed a 
regulatory analysis for the upcoming rule on using TWIC with card 
readers. Conducting a regulatory analysis using the information from 
the internal control and effectiveness assessments as the basis for 
evaluating the costs, benefits, security risks, and corrective actions 
needed to implement the TWIC program, could help DHS ensure that the 
TWIC program is more effective and cost-efficient than existing 
measures or alternatives at enhancing maritime security. 

What GAO Recommends: 

Among other things, GAO recommends that DHS assess TWIC program 
internal controls to identify needed corrective actions, assess TWIC’s 
effectiveness, and use the information to identify effective and cost-
efficient methods for meeting program objectives. DHS concurred with 
all of the recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-11-657] or key 
components. For more information, contact Stephen M. Lord at (202) 512-
4379 or lords@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Internal Control Weaknesses in DHS's Biometric Transportation ID 
Program Hinder Efforts to Ensure Security Objectives Are Fully 
Achieved: 

TWIC's Effectiveness at Enhancing Security Has Not Been Assessed, and 
the Coast Guard Lacks the Ability to Assess Trends in TWIC Compliance: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Key Steps in the TWIC Enrollment Process: 

Appendix II: TWIC Program Funding: 

Appendix III: List of Documents U.S.-Born Citizens or Nationals Must 
Select from to Present When Applying for a TWIC: 

Appendix IV: Criminal Offenses That May Disqualify Applicants from 
Acquiring a TWIC: 

Appendix V: Comparison of Authentic and Counterfeit TWICs: 

Appendix VI: Comments from the Department of Homeland Security: 

Appendix VII: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Examples of Disqualifying Offenses for TWIC Eligibility: 

Table 2: TWIC Enrollment Process Summary: 

Table 3: TWIC Program Funding from Fiscal Years 2002 through 2010: 

Figure: 

Figure 1: Comparison of Authentic and Counterfeit TWICs: 

Abbreviations: 

ATSA: Aviation and Transportation Security Act: 

CSOC: Colorado Springs Operations Center: 

DHS: Department of Homeland Security: 

FBI: Federal Bureau of Investigation: 

FEMA: Federal Emergency Management Agency: 

IAFIS: Integrated Automated Fingerprint Identification System: 

III: Interstate Identification Index: 

MISLE: Marine Information for Safety and Law Enforcement: 

MSRAM: Maritime Security Risk Analysis Model: 

MTSA: Maritime Transportation Security Act: 

NCIC: National Crime Information Center: 

NIPP: National Infrastructure Protection Plan: 

SAFE Port Act: Security and Accountability For Every Port Act: 

SAVE: Systematic Alien Verification for Entitlements: 

TSA: Transportation Security Administration: 

TWIC: Transportation Worker Identification Credential: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

May 10, 2011: 

Congressional Requesters: 

Securing transportation systems and facilities requires balancing 
security to address potential threats while facilitating the flow of 
people and goods that are critical to the United States economy and 
necessary for supporting international commerce. As we have previously 
reported, these systems and facilities are vulnerable and difficult to 
secure given their size, easy accessibility, large number of potential 
targets, and proximity to urban areas.[Footnote 1] 

The Maritime Transportation Security Act of 2002[Footnote 2] (MTSA) 
required the Secretary of Homeland Security to prescribe regulations 
preventing individuals from having unescorted access to secure areas 
of MTSA-regulated facilities and vessels unless they possess a 
biometric transportation security card and are authorized to be in 
such an area.[Footnote 3] MTSA further tasked the Secretary with the 
responsibility to issue biometric transportation security cards to 
eligible individuals unless the Secretary determines that an applicant 
poses a security risk warranting denial of the card. The 
Transportation Worker Identification Credential (TWIC) program is 
designed to implement these biometric maritime security card 
requirements. The program requires maritime workers to complete 
background checks to obtain a biometric identification card and be 
authorized to be in the secure area by the owner/operator in order to 
gain unescorted access to secure areas of MTSA-regulated facilities 
and vessels.[Footnote 4] According to the Coast Guard, as of December 
2010 and January 2011, there were 2,509 facilities and 12,908 vessels, 
respectively, which are subject to MTSA regulations and must implement 
TWIC provisions.[Footnote 5] 

Within the Department of Homeland Security (DHS), the Transportation 
Security Administration (TSA) and the U.S. Coast Guard are responsible 
for implementing and enforcing the TWIC program. TSA's 
responsibilities include enrolling TWIC applicants, conducting 
background checks to assess the individual's security threat, and 
issuing TWICs. The Coast Guard is responsible for developing TWIC-
related security regulations and ensuring that MTSA-regulated maritime 
facilities and vessels are in compliance with these regulations. In 
addition, DHS's Screening Coordination Office facilitates coordination 
among the various DHS components involved in TWIC, such as TSA and the 
Coast Guard, as well as the U.S. Citizenship and Immigration Services, 
which personalizes the credentials,[Footnote 6] and the Federal 
Emergency Management Agency, which administers grant funds in support 
of the TWIC program. 

In January 2007, a federal regulation (known as the TWIC credential 
rule) set a compliance deadline, subsequently extended to April 15, 
2009, whereby each maritime worker seeking unescorted access to secure 
areas of MTSA-regulated facilities and vessels must possess a TWIC. 
[Footnote 7] In September 2008, we reported that TSA, the Coast Guard, 
and maritime industry stakeholders (e.g., operators of MTSA-regulated 
facilities and vessels) had faced challenges in implementing the TWIC 
program, including enrolling and issuing TWICs to a larger population 
than was originally anticipated, ensuring that TWIC access control 
technologies perform effectively in the harsh maritime environment, 
and balancing security requirements with the flow of maritime 
commerce.[Footnote 8] In November 2009, we reported that progress had 
been made in enrolling workers and activating TWICs, and recommended 
that TSA develop an evaluation plan to guide pilot efforts and help 
inform the future implementation of TWIC with electronic card readers. 
[Footnote 9] DHS generally concurred and discussed actions to 
implement the recommendations, but these actions have not yet fully 
addressed the intent of all of the recommendations. Currently, TWICs 
are primarily used as visual identity cards--known as a flashpass-- 
where a card is to be visually inspected before a cardholder is 
allowed unescorted access to a secure area of a MTSA-regulated port or 
facility.[Footnote 10] As of January 6, 2011, TSA reported over 1.7 
million enrollments and 1.6 million cards issued and activated. 
[Footnote 11] 

In response to your request, we evaluated the extent to which TWIC 
program controls provide reasonable assurance that unescorted access 
to secure areas of MTSA-regulated facilities and vessels is limited to 
those possessing a legitimately issued TWIC and who are authorized to 
be in such an area. Specifically, this report addresses the following 
questions: 

1. To what extent are TWIC processes for enrollment, background 
checking, and use designed to provide reasonable assurance that 
unescorted access to secure areas of MTSA-regulated facilities and 
vessels is limited to qualified individuals? 

2. To what extent has DHS assessed the effectiveness of TWIC, and does 
the Coast Guard have effective systems in place to measure compliance? 

This report is a public version of a related sensitive report that we 
issued to you in May 2011. DHS and TSA deemed some of the information 
in the prior report as sensitive security information, which must be 
protected from public disclosure. Therefore, this report omits 
sensitive information about the TWIC program, including techniques 
used to enroll and conduct a background check on individuals and 
assess an individual's eligibility for a TWIC, and the technologies 
that support TWIC security threat assessment determinations and Coast 
Guard inspections. In addition, at TSA's request, we have redacted 
data on specific enrollment center(s) and maritime ports where our 
investigators conducted covert testing. Although the information 
provided in this report is more limited in scope, it addresses the 
same questions and includes the same recommendations as the sensitive 
report. Also, the overall methodology used for both reports is the 
same. 

To assess the extent to which TWIC program processes were designed to 
provide reasonable assurance that unescorted access to secure areas of 
MTSA-regulated facilities and vessels is limited to qualified 
individuals, we reviewed applicable laws, regulations, and policies. 
[Footnote 12] We also reviewed documentation provided by TSA on the 
TWIC program systems and processes, such as the TWIC User Manual for 
Trusted Agents, Statement of Objectives, and Concept of Operations. We 
further reviewed the processes and data sources with TWIC program 
management from TSA and Lockheed Martin (the contractor responsible 
for implementing the program).[Footnote 13] We also met with (1) the 
Director of Vetting Operations at TSA's Colorado Springs Operations 
Center (CSOC), where background checks for links to terrorism and 
continual vetting of TWIC holders is to take place; (2) the Operations 
Manager for the Adjudication Center, where secondary background checks 
are to be conducted for applicants with identified criminal or 
immigration issues; and (3) the Director at DHS's Screening 
Coordination Office responsible for overseeing credentialing programs 
across DHS. Additionally, we met with the Criminal Justice Information 
Services Division at the Federal Bureau of Investigation (FBI) to 
discuss criminal vetting processes and policies. We then evaluated the 
processes against the TWIC program's mission needs and Standards for 
Internal Control in the Federal Government.[Footnote 14] As part of 
our assessment of TWIC program controls, we also did the following. 

* We visited four TWIC enrollment and activation centers located in 
areas with high population density and near ports participating in the 
TWIC pilot to observe how TWIC enrollments are conducted.[Footnote 15] 
The results are not generalizable to all enrollment and activation 
centers; however, because all centers are to conduct the same 
operations following the same guidance, the locations we visited 
provided us with an overview of the TWIC enrollment and activation/ 
issuance processes. 

* We had our investigators conduct covert testing at enrollment 
center(s) operating at the time to identify whether individuals 
providing fraudulent information could acquire an authentic TWIC. The 
information we obtained from the covert testing at enrollment 
center(s) is not generalizable across all TWIC enrollment centers. 
However, because all enrollments are to be conducted following the 
same established processes, we believe that the information from our 
covert tests provided us with important perspective on TWIC program 
enrollment and background checking processes, as well as potential 
challenges in verifying an individual's identity. 

Further our investigators conducted covert testing at several selected 
maritime ports with MTSA-regulated facilities and vessels to identify 
security vulnerabilities and program control deficiencies. These 
locations were selected based on their geographic location across the 
country (east coast, gulf coast, and west coast) and port size in 
terms of cargo volume. We also visited or met with officials at each 
of the seven original pilot sites being used to test TWIC card 
readers,[Footnote 16] interviewed port security officials at two 
additional ports responsible for implementing TWIC at their port, 
[Footnote 17] and met with nine maritime or transportation industry 
associations[Footnote 18] to obtain information on (1) the use of TWIC 
as a flashpass and with biometric readers where they are in use, (2) 
experiences with TWIC card performance, and (3) any suspected or 
reported cases of TWIC card fraud. The information we obtained from 
the security officials at the 9 ports or pilot participants we visited 
is not generalizable across the maritime transportation industry as a 
whole, but collectively, the ports we visited accounted for 56 percent 
of maritime container trade in the United States, and the ports our 
investigators visited as part of our covert testing efforts accounted 
for 54 percent of maritime container trade in the United States in 
2009. As such, we believe that the information from these interviews, 
site visits, and covert tests provided us with important additional 
perspective and context on the TWIC program, as well as information 
about potential implementation challenges faced by MTSA-regulated 
facilities/vessels, transportation workers, and mariners. 

To assess the extent to which DHS has assessed the effectiveness of 
TWIC, and determine whether the Coast Guard has effective systems in 
place to measure compliance, we reviewed applicable laws, regulations, 
and policies.[Footnote 19] We also met with TWIC program officials 
from TSA and the Coast Guard, as well as Coast Guard officials 
responsible for assessing maritime security risk, and reviewed related 
documents, to identify how TWIC is to enhance maritime security. 
[Footnote 20] In addition, we met with Coast Guard TWIC program 
officials, data management staff, and Coast Guard officials stationed 
at four port areas across the United States with enforcement 
responsibilities to assess the agency's approach to enforcing 
compliance with TWIC regulations and measuring program effectiveness. 
[Footnote 21] As part of this effort, we reviewed the type and 
substance of management information available to the Coast Guard for 
assessing compliance with TWIC. In performing this work, we evaluated 
the Coast Guard's practices against TWIC program mission needs and 
Standards for Internal Control in the Federal Government. 

We conducted this performance audit from November 2009 through March 
2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. We 
conducted our related investigative work in accordance with standards 
prescribed by the Council of the Inspectors General on Integrity and 
Efficiency.[Footnote 22] 

Background: 

TWIC History and Purpose: 

In November 2001, the Aviation and Transportation Security Act (ATSA) 
[Footnote 23] was enacted, requiring TSA to, among other things, work 
with airport operators to strengthen access control points to secured 
areas and to consider using biometric access control systems, or 
similar technologies, to verify the identity of individuals who seek 
to enter a secure airport area. In response to ATSA, TSA established 
the TWIC program in December 2001.[Footnote 24] In November 2002, MTSA 
was enacted and required the Secretary of Homeland Security to issue a 
maritime worker identification card that uses biometrics to control 
access to secure areas of maritime transportation facilities and 
vessels.[Footnote 25] In addition, the Security and Accountability For 
Every Port Act (SAFE Port Act) of 2006 amended MTSA and directed the 
Secretary of Homeland Security to, among other things, implement the 
TWIC pilot project to test TWIC use with biometric card readers and 
inform a future regulation on the use of TWIC with electronic readers. 

In requiring the issuance of transportation security cards for entry 
into secure areas of a facility or vessel as part of MTSA, Congress 
noted in the "Findings" section of the legislation that ports in the 
United States are a major location for federal crime such as cargo 
theft and smuggling, and are susceptible to large-scale acts of 
terrorism.[Footnote 26] For example, according to the Coast Guard's 
January 2008 National Maritime Terrorism Threat Assessment, al Qaeda 
leaders and supporters have identified western maritime assets as 
legitimate targets[Footnote 27]. Moreover, according to the Coast 
Guard assessment, al Qaeda-inspired operatives are most likely to use 
vehicle bombs to strike U.S. cargo vessels, tankers, and fixed coastal 
facilities such as ports. Studies have demonstrated that attacks on 
ports could have serious consequences. For example, a study by the 
Center for Risk and Economic Analysis of Terrorist Events on the 
impact of a dirty bomb attack on the Ports of Los Angeles and Long 
Beach estimated that the economic consequences from a shutdown of the 
harbors due to the contamination could result in significant losses in 
the tens of billions of dollars, including the decontamination costs 
and the indirect economic impacts due to the port shutdown. [Footnote 
28] 

As defined by DHS, the purpose of the TWIC program is to design and 
field a common credential for all transportation workers across the 
United States who require unescorted access to secure areas at MTSA- 
regulated maritime facilities and vessels[Footnote 29]. As such, the 
TWIC program, once implemented, aims to meet the following stated 
mission needs: 

* Positively identify authorized individuals who require unescorted 
access to secure areas of the nation's transportation system. 

* Determine the eligibility of individuals to be authorized unescorted 
access to secure areas of the transportation system by conducting a 
security threat assessment. 

* Ensure that unauthorized individuals are not able to defeat or 
otherwise compromise the access system in order to be granted 
permissions that have been assigned to an authorized individual. 

* Identify individuals who fail to maintain their eligibility 
requirements subsequent to being permitted unescorted access to secure 
areas of the nation's transportation system and immediately revoke the 
individual's permissions. 

TWIC Program Processes for Ensuring TWIC-Holder Eligibility: 

TSA is responsible for enrolling TWIC applicants and conducting 
background checks to ensure that only eligible individuals are granted 
TWICs.[Footnote 30] In addition, pursuant to TWIC-related regulations, 
MTSA-regulated facility and vessel operators are responsible for 
reviewing each individual's TWIC as part of their decision to grant 
unescorted access to secure areas of their facilities. The Coast Guard 
is responsible for assessing and enforcing operator compliance with 
TWIC-related laws and regulations. Described below are key components 
of each process for ensuring TWIC-holder eligibility. 

Enrollment: Transportation workers are enrolled by providing 
biographic information, such as name, date of birth, and address, and 
proof of identity documents, and then being photographed and 
fingerprinted at enrollment centers by trusted agents. A trusted agent 
is a member of the TWIC team who has been authorized by the federal 
government to enroll transportation workers in the TWIC program and 
issue TWIC cards.[Footnote 31] Appendix I summarizes key steps in the 
enrollment process. 

Background checking: TSA conducts background checks on each worker who 
applies for a TWIC to ensure that individuals who enroll do not pose a 
security risk to the United States. A worker's potential link to 
terrorism, criminal history, immigration status, and mental capacity 
are considered as part of the security threat assessment. Workers have 
the opportunity to appeal negative results of the threat assessment or 
request a waiver of certain specified criminal offenses, and 
immigration or mental capacity standards. Specifically, the TWIC 
background checking process includes two levels of review. 

First-level review: Initial automated background checking. The initial 
automated background checking process is conducted to determine 
whether any derogatory information is associated with the name and 
fingerprints submitted by an applicant during the enrollment process. 
This check is conducted against the FBI's criminal history records. 
These records contain information from federal and state and local 
sources in the FBI's National Crime Information Center (NCIC) database 
and the FBI's Integrated Automated Fingerprint Identification System 
(IAFIS)/Interstate Identification Index (III), which maintain criminal 
records and related fingerprint submissions. Rather than positively 
confirming each individual's identity using the submitted 
fingerprints, the FBI's criminal history records check is a negative 
identification check, whereby the fingerprints are used to confirm 
that the associated individual is not on the FBI criminal history 
list. If an individual is identified as being on the FBI's criminal 
history list, relevant information is to be forwarded to TSA for 
adjudication.[Footnote 32] The check is also conducted against federal 
terrorism information from the Terrorist Screening Database, including 
the Selectee and No-Fly Lists.[Footnote 33] To determine an 
applicant's immigration/citizenship status and eligibility, TSA also 
runs applicant information against the Systematic Alien Verification 
for Entitlements (SAVE) system. If the applicant is identified as a 
U.S.-born citizen with no related derogatory information, the system 
can approve the issuance of a TWIC with no further review of the 
applicant or human intervention. 

Second-level review: TSA's Adjudication Center Review. A second-level 
review is conducted as part of an individual's background check if (1) 
the applicant has self-identified themselves to be a non-U.S. citizen 
or non-U.S.-born citizen or national, or (2) the first-level review 
uncovers any derogatory information. As such, not all TWIC applicants 
will be subjected to a second-level review. The second-level review 
consists of staff at TSA's adjudication center reviewing the 
applicant's enrollment file.[Footnote 34] 

Card use and compliance: Once a TWIC has been activated and issued, 
the worker may present his or her TWIC to security officials when he 
or she seeks unescorted access to a secure area. Currently, visual 
inspections of TWICs are required for controlling access to secure 
areas of MTSA-regulated facilities and vessels.[Footnote 35] 
Approaches for inspecting TWICs using biometric readers at individual 
facilities and vessels across the nation are being considered as part 
of a pilot but are not yet required. Pursuant to Coast Guard policy, 
[Footnote 36] Coast Guard inspectors are required to verify TWIC cards 
during annual compliance exams, security spot checks, and in the 
course of other Coast Guard duties as determined by the Captain of the 
Port[Footnote 37] based on risk and resource availability. The Coast 
Guard's primary means of verification is shifting toward the use of 
biometric handheld readers with the continued deployment of readers to 
each of its Sectors and Marine Safety Units.[Footnote 38] As of 
December 21, 2010, the Coast Guard reports to have deployed biometric 
handheld readers to all of its 35 Sectors and 16 Marine Safety Units. 

TWIC Regulations and Cost: 

In August 2006, DHS officials decided, based on industry comment, to 
implement TWIC through two separate regulations, or rules. The first 
rule, issued in January 2007, directs the use of the TWIC as an 
identification credential, or flashpass. The second rule, the card 
reader rule, is currently under development and is expected to address 
how the access control technologies, such as biometric card readers, 
are to be used for confirming the identity of the TWIC holder against 
the biometric information on the TWIC. On March 27, 2009, the Coast 
Guard issued an Advance Notice of Proposed Rule Making for the card 
reader rule.[Footnote 39] 

To inform the rulemaking process, TSA initiated a pilot in August 
2008, known as the TWIC reader pilot, to test TWIC-related access 
control technologies.[Footnote 40] This pilot is intended to test the 
technology, business processes, and operational impacts of deploying 
TWIC readers at secure areas of the marine transportation system. As 
such, the pilot is expected to test the feasibility and functionality 
of using TWICs with biometric card readers within the maritime 
environment. After the pilot has concluded, a report on the findings 
of the pilot is expected to inform the development of the card reader 
rule. DHS currently estimates that a notice of proposed rulemaking 
will be issued late in calendar year 2011 and that the final rule will 
be promulgated no earlier than the end of calendar year 2012. 

According to agency officials, from fiscal years 2002 through 2010, 
the TWIC program had funding authority totaling $420 million. In 
issuing the credential rule, DHS estimated that implementing the TWIC 
program could cost the federal government and the private sector a 
combined total of between $694.3 million and $3.2 billion over a 10-
year period. However, these figures did not include costs associated 
with implementing and operating readers.[Footnote 41] Appendix II 
contains additional program funding details. 

Standards for Internal Control: 

Standards for Internal Control in the Federal Government underscores 
the need for developing effective controls for meeting program 
objectives and complying with applicable regulations.[Footnote 42] 
Effective internal controls provide for an assessment of the risks the 
agency faces from both internal and external sources. Once risks have 
been identified, they should be analyzed for their possible effect. 
Management then has to decide upon the internal control activities 
required to mitigate those risks and achieve the objectives of 
efficient and effective operations. As part of this effort, management 
should design and implement internal controls based on the related 
cost and benefits. 

In addition, internal control standards highlight the need for the 
following: 

* capturing information needed to meet program objectives; 

* designing controls to assure that ongoing monitoring occurs in the 
course of normal operations; 

* determining that relevant, reliable, and timely information is 
available for management decision-making purposes; 

* conducting reviews and testing of development and modification 
activities before placing systems into operation; 

* recording and communicating information to management and others 
within the entity who need it and in a form and within a time frame 
that enables them to carry out their internal control and other 
responsibilities; and: 

* designing internal controls to provide reasonable assurance that 
compliance with applicable laws and regulations is being achieved, and 
provide appropriate supervisory review of activities to help provide 
oversight of operations. This includes designing and implementing 
appropriate supervisory review activities to help provide oversight 
and analyzing data to compare trends in actual performance to expected 
results to identify any areas that may require further inquiries or 
corrective action. 

Internal control also serves as the first line of defense in 
safeguarding assets and preventing and detecting errors and fraud. An 
internal control weakness is a condition within an internal control 
system worthy of attention. A weakness, therefore, may represent a 
perceived, potential, or real shortcoming, or an opportunity to 
strengthen internal controls to provide a greater likelihood that the 
entity's objectives will be achieved. 

Internal Control Weaknesses in DHS's Biometric Transportation ID 
Program Hinder Efforts to Ensure Security Objectives Are Fully 
Achieved: 

DHS has established a system of TWIC-related processes and controls. 
However, internal control weaknesses governing the enrollment, 
background checking, and use of TWIC potentially limit the program's 
ability to provide reasonable assurance that access to secure areas of 
MTSA-regulated facilities is restricted to qualified individuals. 
Specifically, internal controls[Footnote 43] in the enrollment and 
background checking processes are not designed to provide reasonable 
assurance that (1) only qualified individuals can acquire TWICs; (2) 
adjudicators follow a process with clear criteria for applying 
discretionary authority when applicants are found to have extensive 
criminal convictions; or (3) once issued a TWIC, TWIC holders have 
maintained their eligibility. To meet the stated program mission 
needs, TSA designed TWIC program processes to facilitate the issuance 
of TWICs to maritime workers. However, TSA did not assess the internal 
controls designed and in place to determine whether they provided 
reasonable assurance that the program could meet defined mission needs 
for limiting access to only qualified individuals. Further, internal 
control weaknesses in TWIC enrollment, background checking, and use 
could have contributed to the breach of selected MTSA-regulated 
facilities during covert tests conducted by our investigators. 

TWIC Program Controls Are Not Designed to Provide Reasonable Assurance 
That Only Qualified Applicants Can Acquire TWICs: 

DHS has established a system of TWIC-related processes and controls 
that as of April 2011 has resulted in TWICs being denied to 1,158 
applicants based on a criminal offense, criminal immigration offense, 
or invalid immigration status.[Footnote 44] However, the TWIC 
program's internal controls for positively identifying an applicant, 
arriving at a security threat determination for that individual, and 
approving the issuance of a TWIC, are not designed to provide 
reasonable assurance that only qualified applicants can acquire TWICs. 
[Footnote 45] Assuring the identity and qualifications of TWIC-holders 
are two of the primary benefits that the TWIC program is to provide 
MTSA-regulated facility and vessel operators making access control 
decisions. If an individual presents an authentic TWIC acquired 
through fraudulent means when requesting access to the secure areas of 
a MTSA-regulated facility or vessel, the cardholder is deemed not to 
be a security threat to the maritime environment because the 
cardholder is presumed to have met TWIC-related qualifications during 
a background check. In such cases, these individuals could better 
position themselves to inappropriately gain unescorted access to 
secure areas of a MTSA-regulated facility or vessel.[Footnote 46] 

As confirmed by TWIC program officials, there are ways for an 
unqualified individual to acquire an authentic TWIC. According to TWIC 
program officials, to meet the stated program purpose, TSA's focus in 
designing the TWIC program was on facilitating the issuance of TWICs 
to maritime workers. However, TSA did not assess internal controls 
prior to implementing the program. Further, prior to fielding the 
program, TSA did not conduct a risk assessment of the TWIC program to 
identify program risks and the need for controls to mitigate existing 
risks and weaknesses, as called for by internal control standards. 
Such an assessment could help provide reasonable assurance that 
control weaknesses in one area of the program do not undermine the 
reliability of other program areas or impede the program from meeting 
mission needs. TWIC program officials told us that control weaknesses 
were not addressed prior to initiating the TWIC program because they 
had not previously identified them, or because they would be too 
costly to address. However, officials did not provide documentation to 
support their cost concerns and told us that they did not complete an 
assessment that accounted for whether the program could achieve 
defined mission needs without implementing additional or compensating 
controls to mitigate existing risks, or the risks associated with not 
correcting for existing internal control weaknesses. 

Our investigators conducted covert tests at enrollment center(s) to 
help test the rigor of the TWIC enrollment and background checking 
processes. The investigators fully complied with the enrollment 
application process. They were photographed and fingerprinted, and 
asserted themselves to be U.S.-born citizens.[Footnote 47] The 
investigators were successful in obtaining authentic TWIC cards 
despite going through the background-checking process. Not having 
internal controls designed to provide reasonable assurance that the 
applicant has (1) been positively identified, and (2) met all TWIC 
eligibility requirements, including not posing a security threat to 
MTSA-regulated facilities and vessels, could have contributed to the 
investigators' successes. Specifically, we identified internal control 
weaknesses in the following three areas related to ensuring that only 
qualified applicants are able to obtain a TWIC. 

Controls to identify the use of potentially counterfeit identity 
documents are not used to inform background checking processes. As 
part of TWIC program enrollment, a trusted agent is to review identity 
documents for authenticity and use an electronic authentication device 
to assess the likelihood of the document being counterfeit.[Footnote 
48] According to TWIC program officials, the trusted agent's review of 
TWIC applicant identity documents and the assessment provided by the 
electronic authentication device are the two steps intended to serve 
as the primary controls for detecting whether an applicant is 
presenting counterfeit identity documents. Additionally, the 
electronic device used to assess the authenticity of identification 
credentials renders a score on the likelihood of the document being 
authentic and produces an assessment report in support of the score. 
Assessing whether the applicant's credential is authentic is one 
source of information for positively identifying an applicant. Our 
investigators provided counterfeit or fraudulently acquired documents, 
but they were not detected. 

However, the TWIC program's background checking processes are not 
designed to routinely consider the results of controls in place for 
assessing whether an applicant's identity documents are authentic. For 
example, assessments of document authenticity made by a trusted agent 
or the electronic document authentication device as part of the 
enrollment process are not considered as part of the first-level 
background check. Moreover, TWIC program officials agree that this is 
a program weakness. As of December 1, 2010, approximately 50 percent 
of TWICs were approved after the first-level background check without 
undergoing further review.[Footnote 49] As an initial step towards 
addressing this weakness, and in response to our review, TWIC program 
officials told us that since April 17, 2010, the comments provided at 
enrollment by trusted agents have been sent to the Screening Gateway-- 
a TSA system for aggregating threat assessment data. However, this 
change in procedure does not correct the internal control weaknesses 
we identified.[Footnote 50] Attempts to authenticate copies of 
documents are limited because it is not possible to capture all of the 
security features when copies of the identity documents are recorded, 
such as holograms or color-shifting ink. Using information on the 
authenticity of identity documents captured during enrollment to 
inform the background check could help TSA better assess the 
reliability and authenticity of such documents provided at enrollment. 

Controls related to the legal status of self-reported U.S.-born 
citizens or nationals.[Footnote 51] The TWIC program does not require 
that applicants claiming to be U.S.-born citizens or nationals provide 
identity documents that demonstrate proof of citizenship, or lawful 
status in the United States. See appendix III for the list of 
documents U.S.-born citizens or nationals must select from and present 
when applying for a TWIC.[Footnote 52] For example, an applicant could 
elect to provide one document, such a U.S. passport, which, according 
to TSA officials, serves as proof of U.S. citizenship or proof of 
nationality. However, an applicant could elect to submit documents 
that do not provide proof of citizenship. As of December 1, 2010, 
nearly 86 percent of approved TWIC enrollments were by self-identified 
United States citizens or nationals asserting that they were born in 
the United States or a United States territory.[Footnote 53] 

Verifying a U.S.-born citizen's identity and related lawful status can 
be costly and is a challenge faced by U.S. government programs such as 
passports.[Footnote 54] However, reaching an accurate determination of 
a TWIC applicant's potential security threat in meeting TWIC mission 
needs is dependent on positively identifying the applicant. Given such 
potential cost constraints, consistent with internal control 
standards, identifying alternative mechanisms to positively identify 
individuals to the extent that the benefits exceed the costs and TWIC 
program mission needs are met could enhance TSA's ability to 
positively identify individuals and reduce the likelihood that 
criminals or terrorists could acquire a TWIC fraudulently. 

Controls are not in place to determine whether an applicant has a need 
for a TWIC.[Footnote 55] Regulations governing the TWIC program 
security threat assessments require applicants to disclose their job 
description and location(s) where they will most likely require 
unescorted access, if known, and the name, telephone number, and 
address of the applicant's current employer(s) if the applicant works 
for an employer that requires a TWIC.[Footnote 56] However, TSA 
enrollment processes do not require that this information be provided 
by applicants. For example, when applying for a TWIC, applicants are 
to certify that they may need a TWIC as part of their employment 
duties. However, the enrollment process does not request information 
on the location where the applicant will most likely require 
unescorted access, and enrollment processes include asking the 
applicant if they would like to provide employment information, but 
informing the applicant that employer information is not required. 

While not a problem prior to implementing the TWIC program, according 
to TSA officials, a primary reason for not requiring employer 
information be captured by applicant processes is that many applicants 
do not have employers, and that many employers will not accept 
employment applications from workers who do not already have a TWIC. 
However, TSA could not provide statistics on (1) how many individuals 
applying for TWICs were unemployed at the time of their application; 
or (2) a reason why the TWIC-related regulation does not prohibit 
employers from denying employment to non-TWIC holders who did not 
previously have a need for a TWIC. Further, according to TSA and Coast 
Guard officials, industry was opposed to having employment information 
verified as part of the application process, as industry 
representatives believed such checks would be too invasive and time- 
consuming. TSA officials further told us that confirming this 
information would be too costly. 

We recognize that implementing mechanisms to capture this information 
could be time-consuming and involve additional costs. However, 
collecting information on present employers or operators of MTSA- 
regulated facilities and vessels to be accessed by the applicant, to 
the extent that the benefits exceed the costs and TWIC program mission 
needs are met, could help ensure TWIC program mission needs are being 
met, and serve as a barrier to individuals attempting to acquire an 
authentic TWIC through fraudulent means. Therefore, if TSA determines 
that implementing such mechanisms are, in fact, cost prohibitive, 
identifying and implementing appropriate compensating controls could 
better position TSA to positively identify the TWIC applicant. Not 
taking any action increases the risk that individuals could gain 
unescorted access to secure areas of MTSA-regulated facilities and 
vessels. 

As of September 2010, TSA's background checking process had identified 
no instances of nonimmigration-related document or identity fraud. 
This is in part because of previously discussed weaknesses in TWIC 
program controls for positively identifying applicants, and the 
systems and procedures the TWIC program relies on not being designed 
to effectively monitor for such occurrences, in accordance with 
internal control standards. Though not an exhaustive list, through a 
review of Coast Guard reports and publicly available court records, we 
identified five court cases where the court documents indicate that 
illegal immigrants acquired, or in one of the cases sought to acquire, 
an authentic TWIC through fraudulent activity such as providing 
fraudulent identity information and, in at least one of the cases and 
potentially up to four, used the TWIC to access secure areas of MTSA-
regulated facilities. Four of these cases were a result of, or 
involved, United States Immigration and Customs Enforcement efforts 
after individuals had acquired, or sought to acquire, a TWIC. As of 
September 2010, the program's background checking process identified 
18 instances of potential fraud out of the approximately 1,676,000 
TWIC enrollments. These instances all involved some type of fraud 
related to immigration.[Footnote 57] The 18 instances of potential 
fraud were identified because the 18 individuals asserted themselves 
to be non-U.S.-born applicants and, unlike processes in place for 
individuals asserting to be U.S.-born citizens, TSA's background 
checking process includes additional controls to validate such 
individuals' identities. For example, TSA requires that at least one 
of the documents provided by such individuals at enrollment show proof 
of their legal status and seeks to validate each non-U.S.-born 
applicant's identity with the U.S. Citizenship and Immigration 
Services. 

Internal control standards highlight the need for capturing 
information needed to meet program objectives; ensuring that relevant, 
reliable, and timely information is available for management decision-
making purposes; and providing reasonable assurance that compliance 
with applicable laws and regulations is being achieved.[Footnote 58] 
Conducting a control assessment of the TWIC program's processes to 
address existing weaknesses could enhance the TWIC program's ability 
to prevent and detect fraud and positively identify TWIC applicants. 
Such an assessment could better position DHS in strengthening the 
program to ensure it achieves its objectives in controlling access to 
MTSA-regulated facilities and vessels. 

TWIC Program Controls Are Not Designed to Require Adjudicators to 
Follow a Process with Clear Criteria for Applying Discretionary 
Authority When Applicants Are Found to Have Extensive Criminal 
Convictions: 

Being convicted of a felony does not automatically disqualify a person 
from being eligible to receive a TWIC; however, prior convictions for 
certain crimes are automatically disqualifying. Threat assessment 
processes for the TWIC program include conducting background checks to 
determine whether each TWIC applicant poses a security threat. 
[Footnote 59] Some of these offenses, such as espionage or treason, 
would permanently disqualify an individual from obtaining a TWIC. 
Other offenses, such as murder or the unlawful possession of an 
explosive device, while categorized as permanent disqualifiers, are 
also eligible for a waiver under TSA regulations and might not 
permanently disqualify an individual from obtaining a TWIC if TSA 
determines upon subsequent review that an applicant does not represent 
a security threat.[Footnote 60] Table 1 presents examples of 
disqualifying criminal offenses set out in statute and implementing 
regulations for consideration as part of the adjudication process. 

Table 1: Examples of Disqualifying Offenses for TWIC Eligibility: 

Permanent disqualifying offenses[A]: 
Espionage; 
Sedition; 
Treason; 
A federal crime of terrorism. 

Permanent disqualifying offenses that can be waived[B]: 
Murder; 
Unlawful possession, use, sale, distribution, manufacture, purchase, 
receipt, transfer, shipping, transporting, import, export, storage of, 
or dealing in an explosive or explosive device; 
A crime involving a transportation security incident; 
Making any threat concerning the deliverance, placement, or detonation 
of an explosive or other lethal device in or against a place of public 
use, a state or government facility, a public transportation system, 
or an infrastructure facility. 

Interim disqualifying offenses[C]: 
Bribery; 
Smuggling; 
Arson; 
Extortion; 
Robbery. 

Source: GAO analysis of regulations and TSA. 

Notes: See appendix IV for a list of all disqualifying offenses. 

[A] Permanent disqualifying offenses are offenses defined in 49 C.F.R. 
1572.103(a) for which no waiver can be granted under 49 C.F.R. 
1515.7(a)(i). 

[B] Permanent disqualifying offenses that can be waived are offenses 
defined in 49 C.F.R. 1572.103(a) for which a waiver can be granted in 
accordance with 49 C.F.R. 1515.7(a)(i). Applicants with certain 
permanent criminal offenses and all interim disqualifying criminal 
offenses may request a waiver of their disqualification. TSA 
regulations provide that in determining whether to grant a waiver, TSA 
will consider (1) the circumstances of the disqualifying act or 
offense; (2) restitution made by the applicant; (3) any federal or 
state mitigation remedies; (4) court records or official medical 
release documents indicating that the applicant no longer lacks mental 
capacity; and (5) other factors that indicate the applicant does not 
pose a security threat warranting denial of a hazardous materials 
endorsement or TWIC. 

[C] Interim disqualifying offenses are offenses defined in 49 C.F.R. 
1572.103(b) for which the applicant has either been (1) convicted, or 
found not guilty by reason of insanity, within a 7-year period 
preceding the TWIC application, or (2) incarcerated for within a 5-
year period preceding the TWIC application. 

[End of table] 

TSA also has the authority to add to or modify the list of interim 
disqualifying crimes. Further, in determining whether an applicant 
poses a security threat, TSA officials stated that adjudicators have 
the discretion to consider the totality of an individual's criminal 
record, including criminal offenses not defined as a permanent or 
interim disqualifying criminal offenses, such as theft or larceny. 
[Footnote 61] More specifically, TSA's implementing regulations 
provide, in part, that with respect to threat assessments, TSA may 
determine that an applicant poses a security threat if the search 
conducted reveals extensive foreign or domestic criminal convictions, 
a conviction for a serious crime not listed as a permanent or interim 
disqualifying offense, or a period of foreign or domestic imprisonment 
that exceeds 365 consecutive days. Thus, if a person was convicted of 
multiple crimes, even if each of the crimes were not in and of 
themselves disqualifying, the number and type of convictions could be 
disqualifying. 

Although TSA has the discretion and authority to consider criminal 
offenses not defined as a disqualifying offense, such as larceny and 
theft, and periods of imprisonment, TSA has not developed a definition 
for what extensive foreign or domestic criminal convictions means, or 
developed guidance to ensure that adjudicators apply this authority 
consistently in assessing the totality of an individual's criminal 
record. For example, TSA has not developed guidance or benchmarks for 
adjudicators to consistently apply when reviewing TWIC applicants with 
extensive criminal convictions but no disqualifying offense. This is 
particularly important given TSA's reasoning for including this 
authority in TWIC-related regulation. Specifically, TSA noted that it 
understands that the flexibility this language provides must be used 
cautiously and on the basis of compelling information that can 
withstand judicial review. They further noted that the decision to 
determine whether an applicant poses a threat under this authority is 
largely a subjective judgment based on many facts and circumstances. 

While TSA does not track metrics on the number of TWICs provided to 
applicants with specific criminal offenses not defined as 
disqualifying offenses, as of September 8, 2010, the agency reported 
460,786 cases where the applicant was approved, but had a criminal 
record based on the results from the FBI. This represents 
approximately 27 percent of individuals approved for a TWIC at the 
time. In each of these cases, the applicant had either a criminal 
offense not defined as a disqualifying offense or an interim 
disqualifying offense that was no longer a disqualification based on 
conviction date or the applicant's release date from incarceration. 
Consequently, based on TSA's background checking procedures, all of 
these cases would have been reviewed by an adjudicator for 
consideration as part of the second-level background check because 
derogatory information had been identified. As such, each of these 
cases had to be examined and a judgment had to be made as to whether 
to deny an applicant a TWIC based on the totality of the offenses 
contained in each applicant's criminal report. 

While there were 460,786 cases where the applicant was approved, but 
had a criminal record, TSA reports to have taken steps to deny 1 TWIC 
applicant under this authority. However, in the absence of guidance 
for the application of this authority, it is not clear how TSA applied 
this authority in approving the 460,786 applications and denying the 
1. Internal control standards call for controls and other significant 
events to be clearly documented in directives, policies, or manuals to 
help ensure operations are carried out as intended. 

According to TSA officials, the agency has not implemented guidance 
for adjudicators to follow on how to apply this discretion in a 
consistent manner because they are confident that the adjudicators 
would, based on their own judgment, identify all applicants where the 
authority to deny a TWIC based on the totality of all offenses should 
be applied. However, in the absence of criteria, we were unable to 
analyze or compare how the approximately 30 adjudicators who are 
assigned to the TWIC program at any given time made determinations 
about TWIC applicants with extensive criminal histories. Given that 27 
percent of TWIC holders have been convicted of at least one 
nondisqualifying offense, defining what extensive criminal convictions 
means and developing guidance or criteria for how adjudicators should 
apply this discretionary authority could help provide TSA with 
reasonable assurance that applications are consistently adjudicated. 
Defining terms and developing guidance is consistent with internal 
control standards. 

TWIC Program Controls Are Not Designed to Provide Reasonable Assurance 
That TWIC Holders Have Maintained Their Eligibility Once Issued TWICs: 

DHS's defined mission needs for TWIC include identifying individuals 
who fail to maintain their eligibility requirements once issued a 
TWIC, and immediately revoking the individual's card privileges. 
Pursuant to TWIC-related regulations, an individual may be 
disqualified from holding a TWIC and be required to surrender the TWIC 
to TSA for failing to meet certain eligibility criteria related to, 
for example, terrorism, crime, and immigration status. However, 
weaknesses exist in the design of the TWIC program's internal controls 
for identifying individuals who fail to maintain their eligibility 
that make it difficult for TSA to provide reasonable assurance that 
TWIC holders continue to meet all eligibility requirements. 

Controls are not designed to determine whether TWIC holders have 
committed disqualifying crimes at the federal or state level after 
being granted a TWIC. TSA conducts a name-based check of TWIC holders 
against federal wants[Footnote 62] and warrants on an ongoing basis. 
According to FBI and TSA officials, policy and statutory provisions 
hamper the program from running the broader FBI fingerprint-based 
check using the fingerprints collected at enrollment on an ongoing 
basis. More specifically, because the TWIC background check is 
considered to be for a noncriminal justice purpose,[Footnote 63] to 
conduct an additional fingerprint-based check as part of an ongoing 
TWIC background check, TSA would have to collect a new set of 
fingerprints from the TWIC-holder,[Footnote 64] if the prints are more 
than 1 year old, and submit those prints to the FBI each time they 
want to assess the TWIC-holder's criminal history. According to TSA 
officials, it would be cost prohibitive to run the fingerprint-based 
check on an ongoing basis, as TSA would have to pay the FBI $17.25 per 
check. 

Although existing policies may hamper TSA's ability to check FBI-held 
fingerprint-based criminal history records for the TWIC program, TSA 
has not explored alternatives for addressing this weakness, such as 
informing facility and port operators of this weakness and identifying 
solutions for leveraging existing state criminal history information, 
where available. For instance, state maritime organizations may have 
other mechanisms at their disposal for helping to identify TWIC-
holders who may no longer meet TWIC qualification requirements. 
Specifically, laws governing the maritime environment in New York and 
New Jersey provide for credentialing authorities being notified if 
licensed or registered longshoremen have been arrested. Further, other 
governing entities, such as the State of Florida and the Alabama State 
Port Authority, have access to state-based criminal records checks. 
While TSA may not have direct access to criminal history records, TSA 
could compensate for this control weakness, for example, by leveraging 
existing mechanisms available to maritime stakeholders across the 
country to better ensure that only qualified individuals retain TWICs. 

Controls are not designed to provide reasonable assurance that TWIC 
holders continue to meet immigration status eligibility requirements. 
If a TWIC holder's stated period of legal presence in the United 
States is about to expire or has expired, the TWIC program does not 
request or require proof from TWIC holders to show that they continue 
to maintain legal presence in the United States. Additionally, 
although they have the regulatory authority to do so, the program does 
not issue TWICs for a term less than 5 years to match the expiration 
of a visa. Instead, TSA relies on (1) TWIC holders to self-report if 
they no longer have legal presence in the country, and (2) employers 
to report if a worker is no longer legally present in the country. 
[Footnote 65] As we have previously reported, government programs 
for granting benefits to individuals face challenges in confirming 
an individual's immigration status.[Footnote 66] TWIC program 
officials stated that the program uses a United States Citizenship 
and Immigration Services system during the background checking 
process prior to issuing a TWIC as a method for confirming the 
legal status of non-U.S. citizens.[Footnote 67] TSA has not, however, 
consistent with internal control standards, implemented alternative 
controls to compensate for this limitation and provide reasonable 
assurance that TWIC holders remain eligible. For instance, the TWIC 
program has not compensated for this limitation by (1) using its 
authority to issue TWICs with shorter expiration dates to correspond 
with each individual's legal presence, or (2) updating the TWIC 
system to systematically suspend TWIC privileges for individuals who 
no longer meet immigration eligibility requirements until they can 
provide evidence of continued legal presence.[Footnote 68] 

TWIC program officials stated that implementing these compensating 
measures would be too costly, but they have not conducted an 
assessment to identify the costs of implementing these controls, or 
determined if the benefits of mitigating related security risks would 
outweigh those costs, consistent with internal control standards. Not 
implementing such measures could result in a continued risk of 
individuals no longer meeting TWIC legal presence requirements 
continuing to hold a federally issued identity document and gaining 
unescorted access to secure areas of MTSA-regulated facilities and 
vessels.[Footnote 69] Thus, implementing compensating measures, to the 
extent that the benefits outweigh the costs and meet the program's 
defined mission needs, could provide TSA, the Coast Guard, and MTSA-
regulated stakeholders with reasonable assurance that each TWIC holder 
continues to meet TWIC-related eligibility requirements. 

Internal Control Weaknesses in TWIC Enrollment, Background Checking, 
and Use Could Have Contributed to Breach of MTSA-Regulated Ports: 

As of January 7, 2011, the Coast Guard reports that it has identified 
11 known attempts to circumvent TWIC requirements for gaining 
unescorted access to MTSA-regulated areas by presenting counterfeit 
TWICs. The Coast Guard further reports to have identified 4 instances 
of individuals presenting another person's TWIC as their own in 
attempts to gain access. Further, our investigators conducted covert 
tests to assess the use of TWIC as a means for controlling access to 
secure areas of MTSA-regulated facilities. During covert tests of TWIC 
at several selected ports, our investigators were successful in 
accessing ports using counterfeit TWICs, authentic TWICs acquired 
through fraudulent means, and false business cases (i.e., reasons for 
requesting access).[Footnote 70] Our investigators did not gain 
unescorted access to a port where a secondary port specific 
identification was required in addition to the TWIC. 

In response to our covert tests, TSA and Coast Guard officials stated 
that, while a TWIC card is required for gaining unescorted access to 
secure areas of a MTSA-regulated facility, the card alone is not 
sufficient. These officials stated that the cardholder is also 
required to present a business case, which security officials at 
facilities must consider as part of granting the individual access. In 
addition, according to DHS's Screening Coordination Office, a 
credential is only one layer of a multilayer process to increase 
security. Other layers of security might include onsite law 
enforcement, security personnel, cameras, locked doors and windows, 
alarm systems, gates, and turnstiles. Thus, a weakness in the 
implementation of TWIC will not guarantee access to the secure areas 
of a MTSA-regulated port or facility. 

However, as our covert tests demonstrated, having an authentic TWIC 
and a legitimate business case were not always required in practice. 
The investigators' possession of TWIC cards provided them with the 
appearance of legitimacy and facilitated their unescorted entry into 
secure areas of MTSA-regulated facilities and ports at multiple 
locations across the country. If individuals are able to acquire 
authentic TWICs fraudulently, verifying the authenticity of these 
cards with a biometric reader will not reduce the risk of undesired 
individuals gaining unescorted access to the secure areas of MTSA- 
regulated facilities and vessels. 

Given existing internal control weaknesses, conducting a control 
assessment of the TWIC program's processes to address existing 
weaknesses could enhance the TWIC program's ability to prevent and 
detect fraud and positively identify TWIC applicants. Such an 
assessment could better position DHS in strengthening the program to 
ensure it achieves its objectives in controlling unescorted access to 
MTSA-regulated facilities and vessels. It could also help DHS identify 
and implement the minimum controls needed to (1) positively identify 
individuals, (2) provide reasonable assurance that control weaknesses 
in one area of the program would not undermine the reliability of 
other program areas or impede the program from meeting mission needs, 
and (3) provide reasonable assurance that the threat assessments are 
based on complete and accurate information. Such actions would be 
consistent with internal control standards, which highlight the need 
for capturing information needed to meet program objectives; 
determining that relevant, reliable, and timely information is 
available for management decision-making purposes; and designing 
internal controls to provide reasonable assurance that compliance with 
applicable laws and regulations is being achieved, as part of 
implementing effective controls. Moreover, our prior work on internal 
controls has shown that management should design and implement 
internal controls based on the related costs and benefits and 
continually assess and evaluate its internal controls to assure that 
the controls being used are effective and updated when necessary. 
[Footnote 71] 

TWIC's Effectiveness at Enhancing Security Has Not Been Assessed, and 
the Coast Guard Lacks the Ability to Assess Trends in TWIC Compliance: 

The TWIC program is intended to improve maritime security by using a 
federally sponsored credential to enhance access controls to secure 
areas at MTSA-regulated facilities and vessels, but DHS has not 
assessed the program's effectiveness at enhancing security. In 
addition, Coast Guard's approach for monitoring and enforcing TWIC 
compliance nationwide could be improved by enhancing its collection 
and assessment of related maritime security information. For example, 
the Coast Guard tracks TWIC program compliance, but the processes 
involved in the collection, cataloging, and querying of information 
cannot be relied on to produce the management information needed to 
assess trends in compliance with the TWIC program or associated 
vulnerabilities. 

TWIC Has Not Been Assessed to Measure Effectiveness at Enhancing 
Security: 

DHS asserted in its 2009 and 2010 budget submissions that the absence 
of the TWIC program would leave America's critical maritime port 
facilities vulnerable to terrorist activities.[Footnote 72] However, 
to date, DHS has not assessed the effectiveness of TWIC at enhancing 
security or reducing risk for MTSA-regulated facilities and vessels. 
Such assessments are consistent with DHS's National Infrastructure 
Protection Plan, which recognizes that metrics and other evaluation 
procedures should be used to measure progress and assess the 
effectiveness of programs designed to protect key assets.[Footnote 73] 
Further, DHS has not demonstrated that TWIC, as currently implemented 
and planned with readers, is more effective than prior approaches used 
to limit access to ports and facilities, such as using facility 
specific identity credentials with business cases. According to TSA 
and Coast Guard officials, because the program was mandated by 
Congress as part of MTSA, DHS did not conduct a risk assessment to 
identify and mitigate program risks prior to implementation. Further, 
according to these officials, neither the Coast Guard nor TSA analyzed 
the potential effectiveness of TWIC in reducing or mitigating security 
risk--either before or after implementation--because they were not 
required to do so by Congress. Rather, DHS assumed that the TWIC 
program's enrollment and background checking procedures were effective 
and would not allow unqualified individuals to acquire and retain 
authentic TWICs. 

The internal control weaknesses that we discuss earlier in the report, 
as well as the results of our covert tests of TWIC use, raise 
questions about the effectiveness of the TWIC program. According to 
the Coast Guard official responsible for conducting assessments of 
maritime risk, it may now be possible to assess TWIC effectiveness and 
the extent to which, or if, TWIC use could enhance security using 
current Maritime Security Risk Analysis Model (MSRAM) data. Since 
MSRAM's deployment in 2005, the Coast Guard has used its MSRAM to help 
inform decisions on how to best secure our nation's ports and how to 
best allocate limited resources to reduce terrorist risks in the 
maritime environment.[Footnote 74] Moreover, as we have previously 
reported, Congress also needs information on whether and in what 
respects a program is working well or poorly to support its oversight 
of agencies and their budgets, and agencies' stakeholders need 
performance information to accurately judge program effectiveness. 
[Footnote 75] Conducting an effectiveness assessment that evaluates 
whether use of TWIC in its present form and planned use with readers 
would enhance the posture of security beyond efforts already in place 
given costs and program risks could better position DHS and 
policymakers in determining the impact of TWIC on enhancing maritime 
security. 

Further, pursuant to executive branch requirements, prior to issuing a 
new regulation, agencies are to conduct a regulatory analysis, which 
is to include an assessment of costs, benefits, and associated risks. 
[Footnote 76] Prior to issuing the regulation on implementing the use 
of TWIC as a flashpass, DHS conducted a regulatory analysis, which 
asserted that TWIC would increase security. The analysis included an 
evaluation of the costs and benefits related to implementing TWIC. 
However, DHS did not conduct a risk-informed cost-benefit analysis 
that considered existing security risks. For example, the analysis did 
not account for the costs and security risks associated with designing 
program controls to prevent an individual from acquiring an authentic 
TWIC using a fraudulent identity and limiting access to secure areas 
of MTSA-regulated facilities and vessels to those with a legitimate 
need, in accordance with stated mission needs. As a proposed 
regulation on the use of TWIC with biometric card readers is under 
development, DHS is to issue a new regulatory analysis. Conducting a 
regulatory analysis using the information from the internal control 
and effectiveness assessments as the basis for evaluating the costs, 
benefits, security risks, and needed corrective actions could better 
inform and enhance the reliability of the new regulatory analysis. 
Moreover, these actions could help DHS identify and assess the full 
costs and benefits of implementing the TWIC program in a manner that 
will meet stated mission needs and mitigate existing security risks, 
and help ensure that the TWIC program is more effective and cost-
efficient than existing measures or alternatives at enhancing maritime 
security. 

Coast Guard's Approach for Monitoring and Enforcing TWIC Compliance 
Could Be Improved by Enhancing Its Collection and Assessment of 
Maritime Security Information: 

Internal control standards state that (1) internal controls should be 
designed to ensure that ongoing monitoring occurs in the course of 
normal operations, and (2) information should be communicated in a 
form and within a time frame that enables management to carry out its 
internal control responsibilities.[Footnote 77] Further, our prior 
work has stated that Congress also needs information on whether and in 
what respects a program is working well or poorly to support its 
oversight of agencies and their budgets, and agencies' stakeholders 
need performance information to accurately judge program 
effectiveness.[Footnote 78] The Coast Guard uses its Marine 
Information for Safety and Law Enforcement (MISLE) database to meet 
these needs by recording activities related to MTSA-regulated facility 
and vessel oversight, including observations of TWIC-related 
deficiencies.[Footnote 79] The purpose of MISLE is to provide the 
capability to collect, maintain, and retrieve information necessary 
for the administration, management, and documentation of Coast Guard 
activities. In February 2008, we reported that flaws in the data in 
MISLE limit the Coast Guard's ability to accurately portray and 
appropriately target oversight activities.[Footnote 80] 

In accordance with Coast Guard policy, Coast Guard inspectors are 
required to verify TWIC cards during annual compliance exams and 
security spot checks, and may do so in the course of other Coast Guard 
duties. As part of each inspection, Coast Guard inspectors are, among 
other things, to: (1) ensure that the card is authentic by examining 
it to visually verify that it has not been tampered with; (2) verify 
identity by comparing the photograph on the card with the TWIC holder 
to ensure a match; (3) check the card's physical security features; 
and (4) ensure the TWIC is valid--a check of the card's expiration 
date. Additionally, Coast Guard inspectors are to assess the 
proficiency of facility and vessel security personnel in complying 
with TWIC requirements through various means including oral 
examination, actual observation, and record review. Coast Guard 
inspectors randomly select workers to check their TWICs during 
inspections. The number of TWIC cards checked is left to the 
discretion of the inspectors. 

As of December 17, 2010, according to Coast Guard data, 2,135 
facilities have undergone at least 2 MTSA inspections as part of 
annual compliance exams and spot checks. In reviewing the Coast 
Guard's records of TWIC-related enforcement actions, we found that, in 
addition to verifying the number of inspections conducted, the Coast 
Guard is generally positioned to verify that TWIC cards are being 
checked by Coast Guard inspectors and, of the card checks that are 
recorded, the number of cardholders who are compliant and 
noncompliant. For instance, the Coast Guard reported inspecting 
129,464 TWIC holders' cards from May 2009 through January 6, 2011. The 
Coast Guard reported that 124,203 of the TWIC holders, or 96 percent, 
were found to be compliant--possessed a valid TWIC.[Footnote 81] 
However, according to Coast Guard officials, local Coast Guard 
inspectors may not always or consistently record all inspection 
attempts. Consequently, while Coast Guard officials told us that 
inspectors verify TWICs as part of all security inspections, the Coast 
Guard could not reliably provide the number of TWICs checked during 
each inspection. 

Since the national compliance deadline in April 2009 requiring TWIC 
use at MTSA-regulated facilities and vessels, the Coast Guard has not 
identified major concerns with TWIC implementation nationally. 
However, while the Coast Guard uses MISLE to track program compliance, 
because of limitations in the MISLE system design, the processes 
involved in the collection, cataloging, and querying of information 
cannot be relied upon to produce the management information needed to 
assess trends in compliance with the TWIC program or associated 
vulnerabilities. For instance, when inspectors document a TWIC card 
verification check, the system is set up to record the number of TWICs 
reviewed for different types of workers and whether the TWIC holders 
are compliant or noncompliant. However, other details on TWIC-related 
deficiencies, such as failure to ensure that all facility personnel 
with security duties are familiar with all relevant aspects of the 
TWIC program and how to carry them out, are not recorded in the system 
in a form that allows inspectors or other Coast Guard officials to 
easily and systematically identify that a deficiency was related to 
TWIC. For example, from January 2009 through December 2010, the Coast 
Guard reported issuing 145 enforcement actions as a result of annual 
compliance exams or security spot checks at the 2,135 facilities that 
have undergone the inspections.[Footnote 82] These included 57 letters 
of warning, 40 notices of violation, 32 civil penalties, and 16 
operations controls (suspension or restriction of operations). 
However, it would be labor-intensive for the Coast Guard to identify 
how many of the 57 letters of warning or 40 notices of violation were 
TWIC related, according to a Coast Guard official responsible for TWIC 
compliance, because there is not an existing query designed to extract 
this information from the system. Someone would have to manually 
review each of the 97 inspection reports in the database indicating 
either a letter of warning or a notice of violation to verify whether 
or not the deficiencies were TWIC related. As such, the MISLE system 
is not designed to readily provide information that could help 
management measure and assess the overall level of compliance with the 
TWIC program or existing vulnerabilities. 

According to a Coast Guard official responsible for TWIC compliance, 
Coast Guard headquarters staff has not conducted a trend analysis of 
the deficiencies found during reviews and inspections and there are no 
other analyses they planned to conduct regarding enforcement until 
after readers are required to be used. According to the Coast Guard, 
it can generally identify the number of TWICs checked and recorded in 
the MISLE system. However, it cannot perform trend analysis of the 
deficiencies as it would like to do, as it requires additional 
information. In the interim, as of January 7, 2011, the Coast Guard 
reported deploying 164 handheld biometric readers nationally to units 
responsible for conducting inspections.[Footnote 83] These handheld 
readers are intended to be the Coast Guard's primary means of TWIC 
verification. During inspections, Coast Guard inspectors use the card 
readers to electronically check TWICs in three ways: (1) verification--
a biometric one-to-one match of the fingerprint; (2) authentication-- 
electronically confirming that the certificates on the credential are 
authentic; and (3) validation--electronically check the card against 
the "hotlist" of invalid or revoked cards. The Coast Guard believes 
that the use of these readers during inspections will greatly improve 
the effectiveness of enforcement efforts and enhance record keeping 
through the use of the readers' logs. 

As a result of limitations in MISLE design and the collection and 
recording of inspection data, it will be difficult for the Coast Guard 
to identify trends nationwide in TWIC-related compliance, such as 
whether particular types of facilities or a particular region of the 
country have greater levels of noncompliance, on an ongoing basis. 
Coast Guard officials acknowledged these deficiencies and reported 
that they are in the process of making enhancements to the MISLE 
database and plan to distribute updated guidance on how to collect and 
input information into MISLE to the Captains of the Port. However, as 
of January 2011, the Coast Guard had not yet set a date for 
implementing these changes. Further, while this is a good first step, 
these enhancements do not address weaknesses related to the collection 
process and querying of MISLE information so as to facilitate the 
Coast Guard performing trend analysis of the deficiencies as part of 
its compliance reviews. By designing and implementing a cost-effective 
and practical method for collecting, cataloging, and querying TWIC-
related compliance information, the Coast Guard could be better 
positioned to identify and assess TWIC-related compliance and 
enforcement trends, and to obtain management information needed to 
assess and understand existing vulnerabilities with the use of TWIC. 

Conclusions: 

As the TWIC program continues on the path to full implementation--with 
potentially billions of dollars needed to install TWIC card readers in 
thousands of the nation's ports, facilities, and vessels at stake--it 
is important that Congress, program officials, and maritime industry 
stakeholders fully understand the program's potential benefits and 
vulnerabilities, as well as the likely costs of addressing these 
potential vulnerabilities. Identified internal control weaknesses and 
vulnerabilities include weaknesses in controls related to preventing 
and detecting identity fraud, assessing the security threat that 
individuals with extensive criminal histories pose prior to issuing a 
TWIC, and ensuring that TWIC holders continue to meet program 
eligibility requirements. Thus, conducting an internal control 
assessment of the program by analyzing controls, identifying related 
weaknesses and risks, and determining cost-effective actions to 
correct or compensate for these weaknesses could better position DHS 
to provide reasonable assurance that control weaknesses do not impede 
the program from meeting mission needs. 

In addition, conducting an effectiveness assessment could help provide 
reasonable assurance that the use of TWIC enhances the posture of 
security beyond efforts already in place or identify the extent to 
which TWIC may possibly introduce security vulnerabilities because of 
the way it has been designed and implemented. This assessment, along 
with the internal controls assessment, could be used to enhance the 
regulatory analysis to be conducted as part of implementing a 
regulation on the use of TWIC with readers. More specifically, 
considering identified security risks and needed corrective actions as 
part of the regulatory analysis could provide insights on the full 
costs and benefits of implementing the TWIC program in a manner that 
will meet stated mission needs and mitigate existing security risks. 
This is important because, unlike prior access control approaches 
which allowed access to a specific facility, the TWIC potentially 
facilitates access to thousands of facilities once the federal 
government attests that the TWIC holder has been positively identified 
and is deemed not to be a security threat. Further, doing so as part 
of the regulatory analysis could better assure DHS, Congress, and 
maritime stakeholders that TWIC program security objectives will be 
met. Finally, by designing and implementing a cost-effective and 
practical method for collecting, cataloging, and querying TWIC-related 
compliance information, the Coast Guard could be better positioned to 
identify trends and to obtain management information needed to assess 
and understand existing vulnerabilities with the use of TWIC. 

Recommendations for Executive Action: 

To identify effective and cost-efficient methods for meeting TWIC 
program objectives, and assist in determining whether the benefits of 
continuing to implement and operate the TWIC program in its present 
form and planned use with readers surpass the costs, we recommend that 
the Secretary of Homeland Security take the following four actions: 

* Perform an internal control assessment of the TWIC program by (1) 
analyzing existing controls, (2) identifying related weaknesses and 
risks, and (3) determining cost-effective actions needed to correct or 
compensate for those weaknesses so that reasonable assurance of 
meeting TWIC program objectives can be achieved. This assessment 
should consider weaknesses we identified in this report among other 
things, and include: 

- strengthening the TWIC program's controls for preventing and 
detecting identity fraud, such as requiring certain biographic 
information from applicants and confirming the information to the 
extent needed to positively identify the individual, or implementing 
alternative mechanisms to positively identify individuals; 

- defining the term extensive criminal history for use in the 
adjudication process and ensuring that adjudicators follow a clearly 
defined and consistently applied process, with clear criteria, in 
considering the approval or denial of a TWIC for individuals with 
extensive criminal convictions not defined as permanent or interim 
disqualifying offenses; and: 

- identifying mechanisms for detecting whether TWIC holders continue 
to meet TWIC disqualifying criminal offense and immigration-related 
eligibility requirements after TWIC issuance to prevent unqualified 
individuals from retaining and using authentic TWICs. 

* Conduct an effectiveness assessment that includes addressing 
internal control weaknesses and, at a minimum, evaluates whether use 
of TWIC in its present form and planned use with readers would enhance 
the posture of security beyond efforts already in place given costs 
and program risks. 

* Use the information from the internal control and effectiveness 
assessments as the basis for evaluating the costs, benefits, security 
risks, and corrective actions needed to implement the TWIC program in 
a manner that will meet stated mission needs and mitigate existing 
security risks as part of conducting the regulatory analysis on 
implementing a new regulation on the use of TWIC with biometric card 
readers. 

* Direct the Commandant of the Coast Guard to design effective methods 
for collecting, cataloging, and querying TWIC-related compliance 
issues to provide the Coast Guard with the enforcement information 
needed to assess trends in compliance with the TWIC program and 
identify associated vulnerabilities. 

Agency Comments and Our Evaluation: 

We provided a draft of the sensitive version of this report to the 
Secretary of Homeland Security for review and comment on March 18, 
2011. DHS provided written comments on behalf of the Department, the 
Transportation Security Administration, and the United States Coast 
Guard, which are reprinted in full in appendix IV. In commenting on 
our report, DHS stated that it concurred with our four recommendations 
and identified actions planned or under way to implement them. 

While DHS did not take issue with the results of our work, DHS did 
provide new details in its response that merit additional discussion. 
First, DHS noted that it is working to strengthen controls around 
applicant identity verification in TWIC, but that document fraud is a 
vulnerability to credential-issuance programs across the federal 
government, state and local governments, and the private sector. DHS 
further noted that a governmentwide infrastructure does not exist for 
information sharing across all entities that issue documents that 
other programs, such as TWIC, use to positively authenticate an 
individual's identity. We acknowledge that such a government-wide 
infrastructure does not exist, and, as discussed in our report, 
recognize that there are inherent weaknesses in relying on identity 
documents alone to confirm an individual's identity. However, 
positively identifying individuals--or confirming their identity--and 
determining their eligibility for a TWIC is a key stated program goal. 
Issuing TWICs to individuals without positively identifying them and 
subsequently assuring their eligibility could, counter to the 
program's intent, create a security vulnerability. While we recognize 
that additional costs could be imposed by requiring positive 
identification checks, taking actions to strengthen the existing 
identity authentication process, such as only accepting documents that 
TSA can and does confirm to be authentic with the issuing agency, and 
verifying an applicant's business need, could enhance TWIC program 
efforts to prevent and detect identity fraud and enhance maritime 
security. 

Second, DHS stated that it is working to continually verify TWIC-
holder eligibility after issuance but also noted the limitations in 
the current process. While TSA does receive some criminal history 
records information when it sends fingerprints to the FBI, the 
information is not provided recurrently, nor is the information 
necessarily complete. DHS stated that to provide the most robust 
recurrent vetting against criminal records, TSA would need access to 
additional state and federal systems, and have additional authority to 
do so. As we reported, FBI and TWIC officials stated that because the 
TWIC background check is considered to be for a noncriminal justice 
purpose, policy and statutory provisions hamper the program from 
running the broader FBI fingerprint-based check using the fingerprints 
collected at enrollment on an ongoing basis. However, we continue to 
believe that TSA could compensate for this weakness by leveraging 
existing mechanisms available to maritime stakeholders. For example, 
other governing entities--such as the Alabama State Port Authority--
that have an interest in ensuring the security of the maritime 
environment, might be willing to establish a mechanism for 
independently sharing relevant information when warranted. Absent 
efforts to leverage available information sources, TSA may not be 
successful in tempering existing limitations. 

Lastly, DHS sought clarification on the reporting of our 
investigators' success at breaching security at ports during covert 
testing. Specifically, in its comments, DHS noted that it believes 
that our report's focus on access to port areas rather than access to 
individual facilities can be misleading. DHS noted that we do not 
report on the number of facilities that our investigators attempted to 
gain access to within each port area. DHS stated that presenting the 
breaches in terms of the number of port areas breached rather than the 
number of facilities paints a more troublesome picture of the actual 
breaches that occurred. We understand DHS's concern but continue to 
believe that the results of our investigators' work, as reported, 
fairly and accurately represents the results and significance of the 
work conducted. The goal of the covert testing was to assess whether 
or not weaknesses exist at ports with varying characteristics across 
the nation, not to define the pervasiveness of existing weaknesses by 
type of facility, volume, or other characteristic. Given the numerous 
differences across facilities and the lack of publicly available 
information and related statistics for each of the approximately 2,509 
MTSA-regulated facilities, we identified covert testing at the port 
level to be the proper unit of analysis for our review and reporting 
purposes. Conducting a detailed assessment of the pervasiveness of 
existing weaknesses by type of facility, volume, or other 
characteristics as suggested by DHS would be a more appropriate 
tasking for the Coast Guard as part of its continuing effort to ensure 
compliance with TWIC-related regulations. 

In addition, with regard to covert testing, DHS further commented that 
the report does not distinguish among breaches in security using a 
counterfeit TWIC or an authentic TWIC card obtained with fraudulent 
documents. DHS noted that because there is no "granularity" with the 
report as to when a specific card was used, one can be left with the 
unsupported impression that individual facilities in all cases were 
failing to implement TWIC visual inspection requirements. For the 
above noted reason, we did not report on the results of covert testing 
at the facility level. However, our records show that use of 
counterfeit TWICs was successful for gaining access to more than one 
port where our investigators breached security. Our investigators 
further report that security officers never questioned the 
authenticity of TWICs presented for acquiring access. Our records show 
that operations at the locations our investigators breached included 
cargo, containers, and fuel, among others. 

In addition, TSA provided written technical comments, which we 
incorporated into the report, as appropriate. 

We are sending copies of this report to the Secretary of Homeland 
Security, the Assistant Secretary for the Transportation Security 
Administration, the Commandant of the United States Coast Guard, 
and appropriate congressional committees. In addition, this report 
is available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 


If you or your staff have any questions about this report, please 
contact me at (202) 512-4379 or lords@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. Key contributors to this report are 
listed in appendix VII. 

Signed by: 

Stephen M. Lord: 
Director, Homeland Security and Justice Issues: 

List of Requesters: 

The Honorable John D. Rockefeller, IV: 
Chairman: 
Committee on Commerce, Science, and Transportation: 
United States Senate: 

The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable John L. Mica: 
Chairman: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

The Honorable Bennie G. Thompson: 
Ranking Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Frank R. Lautenberg: 
Chairman: 
Subcommittee on Surface Transportation and Merchant Marine 
Infrastructure, Safety, and Security Committee on Commerce, Science, 
and Transportation: 
United States Senate: 

The Honorable Olympia J. Snowe: 
Ranking Member: 
Subcommittee on Oceans, Atmosphere, Fisheries, and Coast Guard: 
Committee on Commerce, Science, and Transportation: 
United States Senate: 

The Honorable Frank A. LoBiondo: 
Chairman: 
Subcommittee on Coast Guard and Maritime Transportation: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

The Honorable Mike Rogers: 
Chairman: 
Subcommittee on Transportation Security: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Candice S. Miller: 
Chairwoman: 
Subcommittee on Border and Maritime Security: 
Committee on Homeland Security: 
House of Representatives: 

[End of section] 

Appendix I: Key Steps in the TWIC Enrollment Process: 

Transportation workers are enrolled by providing biographic 
information, such as name, date of birth, and address, and proof of 
identity documents, and then photographed and fingerprinted at 1 of 
approximately 149 enrollment centers by trusted agents. A trusted 
agent is a member of the TWIC team who has been authorized by the 
federal government to enroll transportation workers in the TWIC 
program and issue TWIC cards. Trusted agents are subcontractor staff 
acquired by Lockheed Martin as part of its support contract with TSA 
for the TWIC program. Table 2 below summarizes key steps in the 
enrollment process. 

Table 2: TWIC Enrollment Process Summary: 

1. The TWIC applicant fills out a TWIC Application and Disclosure Form 
and affirms that the information he or she is providing to TSA is 
truthful. 

2. The applicant is required to present documentation to establish his 
or her identity to the trusted agent at the enrollment center. The 
documentation required is dependent upon the applicant's legal 
presence in the United States or whether the applicant was born in the 
United States. 

3. The trusted agent (government contractor) captures the applicant's 
biographic information, such as name and date of birth, in the TWIC 
system. This can be done in various ways, such as by scanning 
fingerprints and certain identity documents or by manually typing 
information into the system. 

4. The trusted agent reviews the identity documents to establish and 
confirm the applicant's identity and to confirm the documents' 
authenticity by reviewing the physical security features on the 
documents. 

5. The trusted agent scans the identity documents to record a digital 
image of the applicant's identity information. 

6. The trusted agent uses a machine-readable document scanning device 
to assess the risk of certain documents being fraudulent. Not all 
documents can be assessed using this device. 

7. The applicant's 10 fingerprints (where available) are captured in 
the system. The presence of nonsuitable fingerprints or lack of a 
finger for biometric use is documented in the system by the trusted 
agent. 

8. The applicant's digital picture is taken. 

9. The enrollment record is completed, encrypted, and is forwarded by 
the trusted agent to undergo the TWIC program's background checking 
procedures. 

Source: GAO analysis of the TWIC program enrollment process and 
documentation. 

[End of table] 

[End of section] 

Appendix II: TWIC Program Funding: 

According to TSA and Federal Emergency Management Agency (FEMA) 
program officials, from fiscal year 2002 through 2010, the TWIC 
program had funding authority totaling $420 million. Through fiscal 
year 2009, $111.5 million in appropriated funds, including 
reprogramming and adjustments, had been provided to TWIC (see table 3 
below). An additional $196.8 million in funding was authorized from 
fiscal years 2008 through 2010 through the collection of TWIC 
enrollment fees by TSA, and $111.7 million had been made available to 
maritime facilities implementing TWIC from FEMA grant programs--the 
Port Security Grant Program and the Transit Security Grant Program--
from fiscal years 2006 through 2010. In addition, industry has spent 
between approximately $185.7 million and $234 million to purchase 
1,765,110 TWICs as of January 6, 2011.[Footnote 84] The costs for 
implementing the TWIC program, as estimated by TSA for informing the 
regulation on requiring the use of TWIC as an identification 
credential, is from $694.3 million to $3.2 billion over a 10-year 
period. This estimate includes the costs related to purchasing TWICs 
and visually inspecting them. However, this estimate does not include 
the costs related to implementing TWIC with biometric card readers or 
related access control systems.[Footnote 85] 

Table 3: TWIC Program Funding from Fiscal Years 2002 through 2010: 

Fiscal year: 2002; 
Appropriated: 0; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: 0; 
Total funding authority: 0. 

Fiscal year: 2003; 
Appropriated: $5.0 million; 
Reprogramming: 0; 
Adjustments: $20 million; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: 0; 
Total funding authority: $25.0 million. 

Fiscal year: 2004; 
Appropriated: $49.7 million; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: 0; 
Total funding authority: $49.7 million. 

Fiscal year: 2005; 
Appropriated: $5.0 million; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: 0; 
Total funding authority: $5.0 million. 

Fiscal year: 2006; 
Appropriated: 0; 
Reprogramming: $15.0 million; 
Adjustments: 0; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: $24.3 million; 
Total funding authority: $39.3 million. 

Fiscal year: 2007; 
Appropriated: 0; 
Reprogramming: $4.0; 
Adjustments: $4.7 million; 
TWIC fee authority[A]: 0; 
Federal security grant awards related to TWIC[B]: $31.5 million[C]; 
Total funding authority: $40.2 million. 

Fiscal year: 2008; 
Appropriated: $8.1 million; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: $42.5 million; 
Federal security grant awards related to TWIC[B]: $18.0 million; 
Total funding authority: $68.6 million. 

Fiscal year: 2009; 
Appropriated: 0; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: $109.3 million; 
Federal security grant awards related to TWIC[B]: $22.2 million[D]; 
Total funding authority: $131.5 million. 

Fiscal year: 2010; 
Appropriated: 0; 
Reprogramming: 0; 
Adjustments: 0; 
TWIC fee authority[A]: $45.0 million; 
Federal security grant awards related to TWIC[B]: $15.7 million; 
Total funding authority: $60.7 million. 

Fiscal year: Total; 
Appropriated: $67.8 million; 
Reprogramming: $19.0 million; 
Adjustments: $24.7 million; 
TWIC fee authority[A]: $196.8 million; 
Federal security grant awards related to TWIC[B]: $111.7 million; 
Total funding authority: $420 million. 

Source: GAO analysis of TWIC program funding reported by TSA and FEMA. 

[A] Figures in the TWIC fee authority column represent the dollar 
amount TSA is authorized to collect from TWIC enrollment fees and not 
the actual dollars collected. TSA reports to have collected $41.7 
million for fiscal year 2008, $76.2 million for fiscal year 2009, and 
$30.6 million for fiscal year 2010. 

[B] According to FEMA, many of these awards are issued as cooperative 
agreements and, as such, the scope and amounts may change as the 
project(s) proceed. Also, FEMA has not received projects from all 
grant recipients so the total number of projects may increase slightly 
over time. 

[C] Federal security grant funding subtotal for fiscal year 2007 
includes $19.2 million in fiscal year Port Security Grant Program 
funding, $10.8 million in supplemental funding, and $1.5 million in 
Transit Security Grant Program funding. 

[D] Federal security grant funding subtotal for fiscal year 2009 
includes $3.9 million in fiscal year Port Security Grant Program 
funding and an additional $18.3 million in American Recovery and 
Reinvestment Act of 2009 (Pub. L. No. 111-5, 123 Stat. 115 (2009)) 
funding. 

[End of table] 

[End of section] 

Appendix III: List of Documents U.S.-Born Citizens or Nationals Must 
Select from to Present When Applying for a TWIC: 

TWIC applicants who are citizens of the United States (or its outlying 
possessions) and were born inside the United States (or its outlying 
possessions), must provide one document from list A or two documents 
from list B. If two documents from list B are presented, at least one 
of them must be a government-issued photo identification, such as a 
state-issued driver's license, military ID card, or state 
identification card. 

List A: 

* Unexpired United States passport book or passport card; 

* Unexpired Merchant Mariner Document; 

* Unexpired Free and Secure Trade Card;[Footnote 86] 

* Unexpired NEXUS Card;[Footnote 87] 

* Unexpired Secure Electronic Network for Travelers Rapid Inspection 
Card. 

List B: 

* Unexpired driver's license issued by a state or outlying possession 
of the United States; 

* Unexpired identification card issued by a state or outlying 
possession of the United States. Must include a state or state agency 
seal or logo (such as state port authority identification or state 
university identification); 

* Original or certified copy of birth certificate issued by a state, 
county, municipal authority, or outlying possession of the United 
States bearing an official seal; 

* Voter's registration card; 

* United States military identification card or United States retired 
military identification; 

* United States military dependent's card; 

* Expired United States passport (within 12 months of expiration); 

* Native American tribal document (with photo); 

* United States Social Security card; 

* United States military discharge papers (DD-214); 

* Department of Transportation medical card; 

* United States civil marriage certificate; 

* Unexpired Merchant Mariner License bearing an official raised seal, 
or a certified copy; 

* Unexpired Department of Homeland Security/Transportation Security 
Administration Transportation Worker Identification Credential Card; 

* Unexpired Merchant Mariner Credential. 

[End of section] 

Appendix IV: Criminal Offenses That May Disqualify Applicants from 
Acquiring a TWIC: 

Listed below are criminal offenses that can prevent TWIC applicants 
from being issued a TWIC. Pursuant to TSA implementing regulations, 
permanent disqualifying offenses are offenses defined in 49 C.F.R. 
1572.103(a). Permanent disqualifying offenses that can be waived are 
those offenses defined in 49 C.F.R. 1572.103(a) for which a waiver can 
be granted in accordance with 49 C.F.R. 1515.7(a)(i). Interim 
disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(b) 
for which the applicant has either been (1) convicted, or found not 
guilty by reason of insanity, within a 7-year period preceding the 
TWIC application, or (2) incarcerated for within a 5-year period 
preceding the TWIC application. Applicants with certain permanent 
criminal offenses and all interim disqualifying criminal offenses may 
request a waiver of their disqualification. In general, TSA may issue 
such a waiver and grant a TWIC if TSA determines that an applicant 
does not pose a security threat based upon the security threat 
assessment. 

Permanent disqualifying criminal offenses for which no waiver may be 
granted. 

1. Espionage, or conspiracy to commit espionage. 

2. Sedition, or conspiracy to commit sedition. 

3. Treason, or conspiracy to commit treason. 

4. A federal crime of terrorism as defined in 18 U.S.C. 2332b(g), or 
comparable state law, or conspiracy to commit such crime. 

Permanent disqualifying criminal offenses for which a waiver may be 
granted. 

1. A crime involving a transportation security incident. A 
transportation security incident is a security incident resulting in a 
significant loss of life, environmental damage, transportation system 
disruption, or economic disruption in a particular area, as defined in 
46 U.S.C. § 70101. The term economic disruption does not include a 
work stoppage or other employee-related action not related to 
terrorism and resulting from an employer-employee dispute. 

2. Improper transportation of a hazardous material under 49 U.S.C. § 
5124, or a state law that is comparable. 

3. Unlawful possession, use, sale, distribution, manufacture, 
purchase, receipt, transfer, shipping, transporting, import, export, 
storage of, or dealing in an explosive or explosive device. An 
explosive or explosive device includes, but is not limited to, an 
explosive or explosive material as defined in 18 U.S.C. §§ 232(5), 
841(c) through 841(f), and 844(j); and a destructive device, as 
defined in 18 U.S.C. § 921(a)(4) and 26 U.S.C. § 5845(f). 

4. Murder. 

5. Making any threat, or maliciously conveying false information 
knowing the same to be false, concerning the deliverance, placement, 
or detonation of an explosive or other lethal device in or against a 
place of public use, a state or government facility, a public 
transportations system, or an infrastructure facility. 

6. Violations of the Racketeer Influenced and Corrupt Organizations 
Act, 18 U.S.C. § 1961, et seq., or a comparable state law, where one 
of the predicate acts found by a jury or admitted by the defendant, 
consists of one of the crimes listed in paragraph 49 C.F.R. § 1572.103 
(a). 

7. Attempt to commit the crimes in paragraphs listed under 49 C.F.R. § 
1572.103 (a)(1) through (a)(4). 

8. Conspiracy or attempt to commit the crimes in 49 C.F.R. § 1572.103 
(a)(5) through (a)(10). 

The interim disqualifying felonies. 

1. Unlawful possession, use, sale, manufacture, purchase, 
distribution, receipt, transfer, shipping, transporting, delivery, 
import, export of, or dealing in a firearm or other weapon. A firearm 
or other weapon includes, but is not limited to, firearms as defined 
in 18 U.S.C. § 921(a)(3) or 26 U.S.C. § 5845(a), or items contained on 
the United States Munitions Import List at 27 CFR § 447.21. 

2. Extortion. 

3. Dishonesty, fraud, or misrepresentation, including identity fraud 
and money laundering where the money laundering is related to a crime 
described in 49 C.F.R. § 1572.103 (a) or (b). Welfare fraud and 
passing bad checks do not constitute dishonesty, fraud, or 
misrepresentation for purposes of this paragraph. 

4. Bribery. 

5. Smuggling. 

6. Immigration violations. 

7. Distribution of, possession with intent to distribute, or 
importation of a controlled substance. 

8. Arson. 

9. Kidnapping or hostage taking. 

10. Rape or aggravated sexual abuse. 

11. Assault with intent to kill. 

12. Robbery. 

13. Fraudulent entry into a seaport as described in 18 U.S.C. § 1036, 
or a comparable state law. 

14. Violations of the Racketeer Influenced and Corrupt Organizations 
Act, 18 U.S.C. § 1961, et seq., or a comparable state law, other than 
the violations listed in paragraph 49 C.F.R. § 1572.103 (a)(10). 

15. Conspiracy or attempt to commit the interim disqualifying felonies. 

[End of section] 

Appendix V: Comparison of Authentic and Counterfeit TWICs: 

Figure 1: Comparison of Authentic and Counterfeit TWICs: 

Details from this section were removed because the agency deemed them 
to be sensitive security information. 

[End of section] 

Appendix VI: Comments from the Department of Homeland Security: 

U.S. Department or Homeland Security: 
Washington, DC 20528: 

May 5, 2011: 

Mr. Stephen M. Lord: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Lord: 

Re: GAO-11-657, Draft Report, Transportation Worker Identification 
Credential: Internal Control Weaknesses Need to be Corrected to Help 
Achieve Security Objectives. 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

Transportation Worker Identification Credential (TWIC) is a vital 
security program that is jointly administered by the U.S. Coast Guard 
(USCG) and the Transportation Security Administration (TSA). TSA is 
responsible for enrollment, vetting, and card production, with the 
support of the U.S. Citizenship and Immigration Services, while the 
USCG governs access control requirements and has primary 
responsibility for enforcement. As of March 2011, TSA has enrolled and 
vetted more than 1.8 million maritime workers. As a result of DHS's 
rigorous vetting process, 35,661 individuals were denied from 
receiving a TWIC. DHS agrees that more work is needed to strengthen 
existing security controls and has begun efforts to address many of 
the GAO's findings. 

OHS Increasing Applicant Identity Verification Controls: 

OHS is working to strengthen controls around applicant identity 
verification in TWIC, knowing that document fraud is a vulnerability 
to credential-issuance programs across federal, state, and local 
governments, and the private sector. To establish identity and proof-
of-citizenship, TWIC leverages documents issued by multiple federal, 
state, and local entities. However, a government-wide infrastructure 
does not exist for information sharing across all entities that issue 
the breeder documents that relying parties use to positively 
authenticate an identity. TWIC follows best practices to mitigate the 
risks from not having visibility or control of the physical 
characteristics or the issuance process for these documents.
Specifically. TWIC uses document authentication readers and requires 
fraudulent document training of its Trusted Agents as safeguards 
against document fraud. 

TWIC will benefit from national efforts to strengthen identity 
documents. For example, DHS continues to work with the states to 
implement the requirements of the REAL ID Act for more secure driver's 
licenses, as well as the underlying issuance processes and procedures.
Furthermore, efforts are underway in the Federal Government, state 
vital records agencies, and departments of motor vehicles to enhance 
security related to core breeder documents. such as birth 
certificates, which would assist in positive authentication. 

TSA is also actively engaged with the DHS's United States Visitor and 
Immigrant Status Indicator Technology (US-VISIT) program to include 
TWIC applicant data into the US-VISIT database, referred to as IDENT. 
Biometrics placed in IDENT are linked to specific biographic 
information, enabling a person's identity to be established and then 
verified by the U.S. Government. 

TWIC is also strengthening safeguards against cards being misused 
after issuance. An upcoming USCG rulemaking will include a requirement 
for electronic verification of the TWIC card through use of card 
readers. The use of electronic readers will provide the port or 
facility authority in charge of access control decisions with a higher 
level of assurance that the TWIC presented is authentic, valid (not 
revoked), and unexpired. 

DHS Working to Continually Verify TWIC Holder Eligibility after 
Issuance: 

DHS strongly agrees on the value of recurrent vetting. DHS is making 
progress in the effort to reasonably assure that TWIC holders have 
maintained their eligibility once issued their TWICs. TSA conducts 
recurrent checks of TWIC holders against the Terrorist Screening
Database and other databases. TSA has the authority to revoke TWICs 
based on the results of recurrent vetting, and use of card readers for 
electronic verification will strengthen the effectiveness of these 
processes. 

In order to provide the most robust recurrent vetting against criminal 
history records, TSA needs full access to Criminal History Records 
Information (CHRI), similar to that of a criminal justice agency or 
law enforcement officer; this information is available at the state 
level and accessed via the Interstate Identification Index managed by 
the U.S. Department of Justice, Federal Bureau of Investigation (FBI). 
Although TSA receives some CHRI when it sends fingerprints to the FBI 
for initial vetting, the FBI does not perform recurrent vetting of
CHRI on behalf of TSA. The FBI has deemed that TSA's security threat 
assessments for TWIC are non-criminal justice activities. As a result, 
TSA is unable to request subsequent CHRI for recurrent vetting without 
a submission of new fingerprints from the individual. Additionally, 
TSA may not always receive all available information because of the 
FBI's designation as 'non-criminal justice' purposes for TSA security 
threat assessments. States may not upload all available information 
into the FBI biometric system and may not respond to CHRI requests for 
"non-criminal justice" activities. DHS has and will continue to work
with the FBI and states to try to expand access to the CHRI. 

While not a final solution to the challenge of recurrent criminal 
vetting, including TWIC data in IDENT would provide a framework to 
initiate more recurrent vetting on CURL, where available, for TWIC 
holders. In addition to supporting identity verification, biometric 
data from IDENT is used to conduct vetting against criminals and 
immigration violators. TSA and US-VISIT are working to include TWIC 
data in the IDENT database. 

DHS Clarification on GAO Breaches of MTSA-Regulated Ports: 

DHS would also like to address aspects of GAO's covert operation 
defined in the report that we believe warrant further clarification. 

DHS believes that the focus on access to port areas rather than access 
to individual facilities can be misleading. Specifically, the report 
states that GAO investigators successfully penetrated ports between 
August 2009 and February 2010. However, the report does not breakdown 
the number of facilities to which GAO attempted to gain access within 
each port area. Each port is unique in design and operation—-ranging 
from some ports housing hundreds of individual facilities spread over 
a large geographic area to other ports containing only a few 
facilities in a small geographic area with one main access control 
point. While GAO stated that it did not require its covert 
investigators to record the individual attempts to access facilities, 
investigators indicated during discussions with USCG that they were 
successful in gaining unauthorized access at some individual 
facilities within the port areas. The presentation of breaches at port 
versus individual facilities paints a more troublesome picture of the 
actual breaches that occurred. 

Third, the report does not distinguish among fraud committed with 
counterfeit TWIC cards, authentic TWIC cards obtained with fraudulent 
documents, and access control decisions made by facility personnel. 
Each type of fraud has a different mitigation technique. The fact that a
Facility Security Officer does not question what appears to be a valid 
card should not be intertwined with cases in which a counterfeit card 
was presented to gain access. Because there is no granularity within 
the report as to when a specific card was used, one can be left with 
the unsupported impression that individual facilities in all cases 
were failing to implement TWIC visual inspection requirements. Or, as 
written in this report, that ports failed to properly implement these 
requirements. 

Recent Developments: 

The GAO audit was beneficial in helping DHS identify immediate actions 
that could strengthen the effectiveness of the TWIC program. 

TSA has already taken steps to remedy some of the missing internal 
controls that GAO has identified. Starting in January 2011, the TWIC 
program initiated a 100-percent review of all fingerprint matches 
received in the system. These matches could highlight potential fraud 
in the TWIC enrollment process where one individual could be 
attempting to enroll under a different identity and possibly with 
fraudulent documents. During this process, the TWIC program has 
already referred numerous cases to our Law Enforcement Investigations 
Unit where investigations are under way. 

On February 14, 2011, USCG Headquarters published additional guidance 
to field units regarding the importance of TWIC inspections and 
verifications. The guidance directed Captains of the Port to place a 
higher priority on the review and validation of TWIC verification 
procedures during the required Maritime Transportation Security Act 
(MTSA) security inspections. Additionally, the guidance encouraged 
Captains of the Port and the Facility Security Officers to take 
advantage of training aids regarding the identification of fraudulent 
TWICs published on Homeport-—the USCG's Internet site for maritime 
information. 

As previously mentioned, the USCG is currently developing an upcoming 
rulemaking that will include a requirement for card readers at ports 
and facilities. The TWIC program has completed a pilot that evaluated 
using card readers for electronic verification of the TWIC card. DHS 
believes that electronic verification of TWIC cards will significantly 
enhance protection against counterfeit, tampered, or expired TWIC 
cards being used to gain access to secure facilities. 

TSA is in the initial phases of a modernization effort for its vetting 
infrastructure. This effort is aimed at consolidating systematic 
processes related to conducting background checks with the goal of 
improving the overall security and consistency of our enrollment and 
vetting processes. As the modernization effort moves forward, the TWIC 
program will continue to be heavily involved to ensure that any 
internal control gaps or risks are addressed or further mitigated. 

GAO Recommendations: 

DHS takes the findings of this review very seriously. DHS strongly 
believes that TWIC has an overall effect of strengthening the security 
of our Nation's ports. We also acknowledge and appreciate GAO's work 
to identify opportunities to enhance current program controls.
We recognize that breaches did occur and that the Department and port 
facility owners and operators need to take steps to enhance security. 
DHS appreciates the opportunity to provide GAO with comments to its 
audit recommendations. 

"To identify effective and cost efficient methods for meeting TWIC 
program objectives, and assist in determining whether the benefits of 
continuing to implement and operate the TWIC program in its present 
form and planned use with readers surpass the costs, we recommend that 
the Secretary of Homeland Security take the following four actions: 

Recommendation 1: Perform an internal control assessment of the TWIC 
program by (1) analyzing existing controls, (2) identifying related 
weaknesses and risks, and (3) determining cost-effective actions 
needed to correct or compensate for those weaknesses so that 
reasonable assurance of meeting TWIG program objectives can be 
achieved. This assessment should consider weaknesses we identified in 
this report, among other things, and include: 

* strengthening the TWIC program's controls for preventing and 
detecting identity fraud, such as requiring certain biographic 
information from applicants and confirming the information to the 
extent needed to positively identify the individual, or implementing 
alternative mechanisms to positively identify individuals; 

* defining the term extensive criminal history for use in the 
adjudication process and ensuring that adjudicators follow a clearly 
defined and consistently applied process, with clear criteria, in 
considering the approval and denial of a TWIC for individuals with 
extensive criminal convictions not defined as a permanent or interim 
disqualifying offense, and; 

* identifying mechanisms for detecting whether TWIC-holders continue 
to meet TWIC disqualifying criminal offense and immigration-related 
eligibility requirements after TWIC issuance to prevent unqualified 
individuals from retaining and using authentic TWICs." 

Response: Concur. DHS agrees that an internal control assessment 
should and will be performed. Once the final GAO report is issued, DHS 
will initiate a comprehensive review of current internal controls with 
a specific focus on the controls highlighted in this report. In the 
interim, TSA and USCG are evaluating and implementing new internal 
controls as discussed in this letter. 

Recommendation 2: "Conduct an effectiveness assessment that includes 
addressing internal control weaknesses and, at a minimum, evaluates 
whether use of TWIC in its present form and planned use with readers 
would enhance the posture of security beyond efforts already in place 
given costs and program risks." 

Response: Concur. DHS agrees that the results of the internal control 
assessment should be used to further evaluate the effectiveness of the 
TWIC program. 

Recommendation 3: "Use the information from the internal control and 
effectiveness assessments as the basis for the evaluating the costs, 
benefits, security risks, and corrective actions needed to implement 
the TWIC program in a manner that will meet stated mission needs and 
mitigate existing security risks as part of conducting the regulatory 
analysis on implementing a new regulation on the use of TWIC with 
biometric card readers." 

Response: Concur. As the internal control assessments progress, any 
applicable data or risks will be communicated to USCG for 
consideration during their regulatory analysis. 

Recommendation 4: "Direct the Commandant of the Coast Guard to design 
effective methods for collecting, cataloging, and querying TWIC-
related compliance issues to provide the Coast Guard with the 
enforcement information needed to assess trends in compliance with the 
TWIC program and identify associated vulnerabilities." 

Response: Concur. USCG has already incorporated changes to its current 
version of Marine Information for Safety and Law Enforcement (MISLE) 
to enhance data collection since the TWIC compliance date of April 15, 
2009. Incorporation of additional changes is planned in a future 
release of MISLE that will add to current capabilities to collect data 
and allow for more detailed trend analysis. 

Again, thank you for the opportunity to review and comment on this 
draft report. We look forward to working with you on future Homeland 
Security issues. 

Sincerely, 

Signed by: 

Jim H. Crumpacker: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix VII: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen M. Lord at (202) 512-4379 or at lords@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, David Bruno (Assistant 
Director), Joseph P. Cruz, Scott Fletcher, Geoffrey Hamilton, Richard 
Hung, Lemuel Jackson, Linda Miller, Jessica Orr, and Julie E. Silvers 
made key contributions to this report. 

[End of section] 

Footnotes: 

[1] See GAO, Transportation Worker Identification Credential: Progress 
Made in Enrolling Workers and Activating Credentials but Evaluation 
Plan Needed to Help Inform the Implementation of Card Readers, 
[hyperlink, http://www.gao.gov/products/GAO-10-43] (Washington, D.C.: 
Nov. 18, 2009); Transportation Security: DHS Should Address Key 
Challenges before Implementing the Transportation Worker 
Identification Credential Program, [hyperlink, 
http://www.gao.gov/products/GAO-06-982] (Washington, D.C.: Sept. 29, 
2006); and Port Security: Better Planning Needed to Develop and 
Operate Maritime Worker Identification Card Program, [hyperlink, 
http://www.gao.gov/products/GAO-05-106] (Washington, D.C.: Dec. 10, 
2004). 

[2] Pub. L. No. 107-295, 116 Stat. 2064 (2002). 

[3] Under Coast Guard regulations, a secure area, in general, is an 
area over which the owner/operator has implemented security measures 
for access control in accordance with a Coast Guard-approved security 
plan. For most maritime facilities, the secure area is generally any 
place inside the outer-most access control point. For a vessel or 
outer continental shelf facility, such as off-shore petroleum or gas 
production facilities, the secure area is generally the whole vessel 
or facility. 

[4] Biometrics refers to technologies that measure and analyze human 
body characteristics--such as fingerprints, eye retinas and irises, 
voice patterns, facial patterns, and hand measurements--for 
authentication purposes. 

[5] 33 C.F.R. Part 105, for example, governs maritime facility 
security and sets forth general security requirements along with 
requirements for facility security assessments and facility security 
plans, among other things. General maritime security requirements 
pertaining to vessels are set out in 33 C.F.R. Part 104. 

[6] A card is personalized when the card holder's personal 
information, such as photograph and name, are added to the card. 

[7] 72 Fed. Reg. 3492 (2007); Extension of deadline to April 15, 2009 
by 73 Fed. Reg. 25562 (2008). 

[8] GAO, Transportation Worker Identification Credential: A Status 
Update, [hyperlink, http://www.gao.gov/products/GAO-08-1151T] 
(Washington, D.C.: Sept. 17, 2008). 

[9] [hyperlink, http://www.gao.gov/products/GAO-10-43]. 

[10] TWIC guidance provides that possession of a TWIC is required for 
an individual to be eligible for unescorted access to secure areas of 
vessels and facilities. With the issuance of a TWIC, it is still the 
responsibility of facility and vessel owners to determine who should 
be granted access to their facilities or vessels. 

[11] Prior to issuing a TWIC, each TWIC is activated, or turned on, 
after the person being issued the TWIC provides a personal 
identification number. 

[12] See, for example, MTSA, Security and Accountability For Every 
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884 
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular 
Number 03-07: Guidance for the Implementation of the Transportation 
Worker Identification Credential Program in the Maritime Sector 
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council 
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard 
Transportation Worker Identification Credential Verification and 
Enforcement Guide (Washington, D.C.: Oct. 10, 2008). 

[13] To assess the reliability of data on the number of TWIC 
enrollments, the number of self-identified U.S. citizens or nationals 
asserting themselves to be born in the United States or in a U.S. 
territory, and the number of TWICs approved after the initial 
background check, we reviewed program systems documentation and 
interviewed knowledgeable agency officials about the source of the 
data and the controls the TWIC program and systems had in place to 
maintain the integrity of the data. We determined that the data were 
sufficiently reliable for the purposes of our report. The data we 
reviewed were collected between October 2007 and December 2010. 

[14] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[15] We visited the Howland Hook enrollment center in Staten Island, 
New York, the Whitehall Ferry Terminal enrollment center in New York, 
New York, the Terminal Island enrollment center in San Pedro, 
California, and the Long Beach enrollment center in Long Beach, 
California. 

[16] We visited pilot participants at the Ports of Los Angeles, Long 
Beach, and Brownsville, and the Port Authority of New York and New 
Jersey. We also interviewed and or met with officials at vessel 
operations participating in the TWIC pilot, including the Staten 
Island Ferry in Staten Island, New York; Magnolia Marine Transports in 
Vicksburg, Mississippi; and Watermark Cruises in Annapolis, Maryland. 

[17] We met with officials responsible for implementing TWIC at the 
Port of Baltimore and the Port of Houston. We selected the Port of 
Baltimore based on proximity to large population centers and we 
selected the Port of Houston because it was using TWICs with readers. 

[18] We interviewed representatives from the Association of the Bi- 
State Motor Carriers, the New Jersey Motor Truck Association, the 
Association of American Railroads, the American Public Transportation 
Association, the American Association of Port Authorities, the 
International Liquid Terminals Association, the International 
Longshore and Warehouse Union, the National Employment Law Project, 
and the Passenger Vessel Association. These organizations were 
selected because together they represent the key constituents of port 
operations. 

[19] See, for example, MTSA, Security and Accountability For Every 
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884 
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular 
Number 03-07: Guidance for the Implementation of the Transportation 
Worker Identification Credential Program in the Maritime Sector 
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council 
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard 
Transportation Worker Identification Credential Verification and 
Enforcement Guide (Washington, D.C.: Oct. 10, 2008). 

[20] See, for example, the Coast Guard's 2008 Analysis of 
Transportation Worker Identification Credential (TWIC) Electronic 
Reader Requirements in the Maritime Sector, and the Homeland Security 
Institute's 2008 Independent Verification and Validation of 
Development of Transportation Worker Identification Credential (TWIC) 
Reader Requirements. 

[21] We interviewed Coast Guard officials in New York and New Jersey; 
Los Angeles and Long Beach, California; Corpus Christi, Texas; and 
Baltimore, Maryland. We met with these Coast Guard officials because 
the facilities, vessels, and enrollment centers we visited are housed 
in these officials' area(s) of responsibility. 

[22] During the course of the audit, we provided briefings on the 
preliminary results of our work in May and October 2010. 

[23] Pub. L. No. 107-71, 115 Stat. 597 (2001). 

[24] TSA was transferred from the Department of Transportation to DHS 
pursuant to requirements in the Homeland Security Act, enacted on 
November 25, 2002 (Pub. L. No. 107-296, 116 Stat. 2135, 2178 (2002)). 

[25] Prior to TWIC, facilities and vessels administered their own 
approaches for controlling access based on the perceived risk at the 
facility. These approaches, among others, included requiring people 
seeking access to have a reason for entering, facility-specific 
identification, and in some cases, a background check. Some ports and 
port facilities still maintain their own credentials. 

[26] Maritime Transportation Security Act of 2002 (Pub. L. No. 107- 
295,116 Stat. 2064 (2002)). The FBI estimates that in the United 
States, cargo crime amounts to $12 billion annually and finds that 
most cargo theft occurs in or near seaports. 

[27] U.S. Coast Guard Intelligence Coordination Center, National 
Maritime Terrorism Threat Assessment (Washington, D.C.: Jan. 7, 2008). 

[28] H. Rosoff and D. von Winterfeldt, "A Risk and Economic Analysis 
of Dirty Bomb Attacks on the Ports of Los Angeles and Long Beach," 
Journal of Risk Analysis, vol. 27, no. 3 (2007). This research was 
supported by DHS through the Center for Risk and Economic Analysis of 
Terrorist Events by grant funding. 

[29] This is defined in the TWIC System Security Plan and the DHS 
Budget Justification to Congress for fiscal years 2009 and 2010. 

[30] TWIC program threat assessment processes include conducting a 
background check to determine whether each TWIC applicant is a 
security risk to the United States. These checks, in general, can 
include checks for criminal history records, immigration status, 
terrorism databases and watchlists, and records indicating an 
adjudication of lack of mental capacity, among other things. TSA 
security threat assessment-related regulations define the term 
security threat to mean an individual whom TSA determines or suspects 
of posing a threat to national security; to transportation security; 
or of terrorism. 

[31] Trusted agents are subcontractor staff acquired by Lockheed 
Martin as part of its support contract with TSA for the TWIC program. 

[32] Not all TWIC applicants will have readable fingerprints. As we 
have previously reported, it is estimated that about 2 percent to 5 
percent of people cannot be easily fingerprinted because their 
fingerprints have become dry or worn from age, extensive manual labor, 
or exposure to corrosive chemicals (See GAO, Technology Assessment: 
Using Biometrics for Border Security, [hyperlink, 
http://www.gao.gov/products/GAO-03-174] (Washington, D.C.: Nov. 15, 
2002). 

[33] Pursuant to Homeland Security Presidential Directive 6, dated 
September 16, 2003, the Terrorist Screening Center--under the 
administration of the FBI--was established to develop and maintain the 
U.S. government's consolidated terrorist screening database (the watch 
list) and to provide for the use of watch-list records during security-
related screening processes. The Selectee List contains information on 
individuals who should receive enhanced screening (e.g., additional 
physical screening or a hand-search of carry-on baggage) before 
proceeding through the security checkpoint at airports. The No Fly 
List contains information on individuals who should be precluded from 
boarding flights. The No Fly and Selectee lists contain applicable 
records from the FBI Terrorist Screening Center's consolidated 
database of known or appropriately suspected terrorists. 

[34] If an applicant has asserted him/herself to be a non-U.S. citizen 
or non-U.S.-born citizen, TSA staff at the adjudication center are to 
positively identify the individual by confirming aspects of the 
individual's biographic information, inclusive of their alien 
registration number and other physical descriptors, against available 
databases. For those individuals, TSA requires that at least one of 
the documents provided as proof of identity demonstrates immigration 
status or United States citizenship. According to TWIC officials, the 
program is able to validate immigration status and citizenship-related 
documents required of noncitizens and non-U.S.-born citizens--such as 
certificates of naturalization--with the originating source. For 
individuals with derogatory information, staff at the adjudication 
center reviews each applicant's file to determine if the derogatory 
information accurately applies to the individual or includes 
disqualifying information. 

[35] Coast Guard regulations require that such an inspection include 
(1) a match of the photo on the TWIC to the individual presenting the 
TWIC, (2) verification that the TWIC has not expired, and (3) a visual 
check of the various security features present on the card to 
determine whether the TWIC has been tampered with or forged. 

[36] See United States Coast Guard, Commandant Instruction Manual 
16601.1: Coast Guard Transportation Worker Identification Credential 
(TWIC) Verification and Enforcement Guide (Washington, D.C.: Oct. 10, 
2008). 

[37] The Captain of the Port is the Coast Guard officer designated by 
the Commandant to enforce within his or her respective areas port 
safety and security and marine environmental protection regulations, 
including, without limitation, regulations for the protection and 
security of vessels, harbors, and waterfront facilities. 

[38] Coast Guard Sectors run all Coast Guard missions at the local and 
port levels, such as search and rescue, port security, environmental 
protection, and law enforcement in ports and surrounding waters, and 
oversee a number of smaller Coast Guard units, including small cutters 
and small-boat stations. 

[39] 74 Fed. Reg. 13360 (2009). An advanced notice of proposed 
rulemaking is published in the Federal Register and contains notices 
to the public of the proposed issuance of rules and regulations. The 
purpose of this advanced notice of proposed rulemaking was to 
encourage the discussion of potential TWIC reader requirements prior 
to the rulemaking process. 

[40] The pilot initiation date is based on the first date of testing 
identified in the TWIC pilot schedule. This date is not inclusive of 
time taken for planning the pilot prior to the first test. The SAFE 
Port Act required the pilot to commence no later than 180 days after 
the date of enactment (Oct. 13, 2006) of the SAFE Port Act. See GAO-06-
982. 

[41] See Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492, 
3571 (2007). 

[42] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[43] In accordance with Standards for Internal Control in the Federal 
Government, the design of the internal controls is to be informed by 
identified risks the program faces from both internal and external 
sources; the possible effect of those risks; control activities 
required to mitigate those risks; and the cost and benefits of 
mitigating those risks. 

[44] TSA further reports that as of April 2011 there have been 34,503 
cases out of 1,841,122 enrollments, or 1.9 percent of TWIC 
enrollments, where enrollees have not been approved for a TWIC because 
TSA has identified that the enrollees have at least one potentially 
disqualifying criminal offense, criminal immigration offense, or 
invalid immigration status, and the enrollee did not respond to an 
initial determination of threat assessment. Under the TWIC vetting 
process, an applicant that receives an initial determination of threat 
assessment is permitted to provide additional information to respond 
to or challenge the determination, or to request a waiver for the 
disqualifying condition, and subsequently be granted a TWIC. 

[45] For the purposes of this report, routinely is defined as a 
process being consistently applied in accordance with established 
procedure so as to render consistent results. 

[46] The TWIC program requires individuals to both hold a TWIC and be 
authorized to be in the secure area by the owner/operator in order to 
gain unescorted access to secure areas of MTSA-regulated facilities 
and vessels. 

[47] The details related to the means used by the investors in the 
tests could not be detailed here because they were deemed sensitive 
security information by TSA. 

[48] As designed, the TWIC program's enrollment process relies on a 
trusted agent--a contract employee--to collect an applicant's 
identification information. The trusted agent is provided basic 
training on how to detect a fraudulent document. The training, for 
example, consists of checking documents for the presence of a laminate 
that is not peeling, typeset that looks legitimate, and seals on 
certain types of documents. 

[49] Of the 1,697,160 enrollments approved for a TWIC, 852,540 were 
approved using TSA's automated process as part of the first-level 
background check without undergoing further review. 

[50] Details from this section were removed because the agency deemed 
them sensitive security information. 

[51] National means a citizen of the United States or a noncitizen 
owing permanent allegiance to the United States. In general, U.S.-born 
nationals who are not U.S. citizens at birth are individuals born in 
an outlying possession of the United States. Details from this section 
were removed because the agency deemed them sensitive security 
information. 

[52] Various identity documents can be provided by U.S.-born citizens 
or nationals when applying for a TWIC. For certain documents, such as 
an unexpired U.S. passport, TSA requires one document as a proof of 
identity. For other documents, such as a Department of Transportation 
Medical Card or United States Military Dependents Identification Card, 
TSA requires that TWIC applicants provide two identity documents from 
a designated list, with one being a government-issued photo 
identification. 

[53] As of December 1, 2010, TSA reported that 1,697,160 TWIC 
enrollments have been approved, of which 1,457,337 were self-
identified United States citizens or nationals asserting that they 
were born in the United States or in a United States territory. 

[54] See GAO, State Department: Significant Vulnerabilities in the 
Passport Issuance Process, [hyperlink, 
http://www.gao.gov/products/GAO-09-681T] (Washington, D.C.: May 5, 
2009) and State Department: Improvements Needed to Strengthen U.S. 
Passport Fraud Detection Efforts, [hyperlink, 
http://www.gao.gov/products/GAO-05-477] (Washington, D.C.: May 20, 
2005). 

[55] TWIC is unlike other federally-sponsored access control 
credentials, such as the Department of Defense's Common Access Card-- 
the agencywide standard identification card--for which sponsorship by 
an employer is required. For these federal credentialing programs, 
employer sponsorship begins with the premise that an individual is 
known to need certain access as part of their employment. Further, the 
employing agency is to conduct a background investigation on the 
individual and has access to other personal information, such as prior 
employers, places of residency, and education, which they may confirm 
as part of the employment process and use to establish the 
individual's identity. 

[56] Implementing regulations at 49 C.F.R. § 1572.17 require that when 
applying for or renewing a TWIC, the applicant provide, among other 
information: (1) the reason that the applicant requires a TWIC, 
including, as applicable, the applicant's job description and the 
primary facility, vessel, or maritime port location(s) where the 
applicant will most likely require unescorted access, if known; (2) 
the name, telephone number, and address of the applicant's current 
employer(s) if the applicant works for an employer that requires a 
TWIC; and (3) if the applicant works for an employer that does not 
require possession of a TWIC, does not have a single employer, or is 
self-employed, the primary vessel or port location(s) where the 
applicant requires unescorted access, if known. The regulation states 
that this information is required to establish eligibility for a TWIC 
and that TSA is to review the applicant information as part of the 
intelligence-related check. 

[57] According to TSA, as of September 8, 2010, a total of 18 TWIC 
applicants were issued an Initial Determination of Threat Assessment 
for invalid immigration documents. Upon submission to the U.S. 
Citizenship and Immigration Services, the documentation was reported 
to be altered or counterfeit. Of these 18 instances, only 1 applicant 
submitted additional documentation following an Initial Determination 
of Threat Assessment to challenge TSA's determination. The single 
applicant was subsequently awarded a TWIC. 

[58] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[59] These checks, in general, can include checks for criminal history 
records, immigration status, terrorism databases and watchlists, and 
records indicating an adjudication of a lack of mental capacity, among 
other things. As defined in TSA implementing regulations, the term 
security threat means an individual whom TSA determines or suspects of 
posing a threat to national security; to transportation security; or 
of terrorism. 49 C.F.R. § 1570.3. 

[60] These permanent disqualifying offenses for which no waiver can be 
issued include espionage, sedition, treason, a federal crime of 
terrorism, or conspiracy to commit any of these offenses. 

[61] The U.S. government's Adjudicative Desk Reference, used in 
adjudicating security clearances, states that multiple criminal 
offenses indicate intentional continuing behavior that raises serious 
questions about a person's trustworthiness and judgment. 

[62] Federal wants generally consist of information on wanted persons, 
or individuals, for whom federal warrants are outstanding. 

[63] Under the National Crime Prevention and Privacy Compact Act of 
1998 (Pub. L. No. 105-251, 112 Stat. 1870, 1874 (1998) (codified as 
amended at 42 U.S.C. §§ 14601-14616)), which established an 
infrastructure by which states and other specified parties can 
exchange criminal records for noncriminal justice purposes authorized 
under federal or state law, the term noncriminal justice purposes 
means uses of criminal history records for purposes authorized by 
federal or state law other than purposes relating to criminal justice 
activities, including employment suitability, licensing 
determinations, immigration and naturalization matters, and national 
security clearances. 

[64] Under the 1998 Act, subject fingerprints or other approved forms 
of positive identification must be submitted with all requests for 
criminal history record checks for noncriminal justice purposes. 

[65] TWIC-related regulations provide, for example, that individuals 
disqualified from holding a TWIC for immigration status reasons must 
surrender the TWIC to TSA. In addition, the regulations provide that 
TWICs are deemed to have expired when the status of certain lawful 
nonimmigrants with a restricted authorization to work in the United 
States (e.g., H-1B1 Free Trade Agreement) expires, the employer 
terminates the employment relationship with such an applicant, or such 
applicant otherwise ceases working for the employer, regardless of the 
date on the face of the TWIC. Upon the expiration of such nonimmigrant 
status for an individual who has a restricted authorization to work in 
the United States, the employer and employee both have related 
responsibilities--the employee is required to surrender the TWIC to 
the employer, and the employer is required to retrieve the TWIC and 
provide it to TSA. According to TSA officials, the TWIC program could 
not provide a count of the total number of TWIC holders whose 
employers reported that the TWIC holders no longer have legal status, 
as they do not track this information. 

[66] See, for example, GAO, Employment Verification: Federal Agencies 
Have Taken Steps to Improve E-Verify, but Significant Challenges 
Remain, [hyperlink, http://www.gao.gov/products/GAO-11-146] 
(Washington, D.C.: Dec. 17, 2010), and Immigration Enforcement: 
Weaknesses Hinder Employment Verification and Worksite Enforcement 
Efforts, [hyperlink, http://www.gao.gov/products/GAO-05-813] 
(Washington, D.C.: Aug. 31, 2005). 

[67] Details from this section were removed because the agency deemed 
them sensitive security information. 

[68] The TWIC program accepts various documents, such as visas, 
Interim Employment Authorizations, and form I-94 Arrival and Departure 
Records, as evidence of legal presence in the United States. 

[69] TWIC is a federally issued identity document that can be used as 
proof of identity for nonmaritime activities, such as boarding 
airplanes at United States airports and certain Department of Defense 
facilities in accordance with Department of Defense policy, Directive- 
Type Memorandum (DTM) 09-012, "Interim Policy Guidance for DOD 
Physical Access Control," dated December 8, 2009. 

[70] Existing vulnerabilities with TWIC to date have included, for 
example, problems with deteriorating TWIC card security features. 
Cards fading and delaminating have been reported by stakeholders 
across the country from places such as New York, Virginia, Texas, and 
California, with a range of climate conditions. According to 
stakeholders, these problems make it difficult for security guards to 
distinguish an authentic TWIC that is faded from a fraudulent TWIC. 
TSA and the Coast Guard have also received reports of problems with 
the card's chip or antenna connection not working from locations where 
TWICs are being used with readers. The total number of damaged TWICs 
with a damaged chip or antenna is unknown because TWICs are not 
required to be used with readers. 

[71] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[72] See DHS, DHS Exhibit 300 Public Release BY10/TSA - Transportation 
Worker Identification Credentialing (TWIC) (Washington, D.C.: Apr. 17, 
2009) and DHS Exhibit 300 Public Release BY09/TSA - Transportation 
Worker Identification Credentialing (TWIC) (Washington, D.C.: July 27, 
2007). 

[73] DHS, National Infrastructure Protection Plan: Partnering to 
Enhance Protection and Resiliency (Washington, D.C.: 2009). The NIPP, 
first issued in June 2006 by DHS, established a six-step risk 
management framework to establish national priorities, goals, and 
requirements for Critical Infrastructure and Key Resources (CIKR) 
protection so that federal funding and resources are applied in the 
most effective manner to deter threats, reduce vulnerabilities, and 
minimize the consequences of attacks and other incidents. The NIPP 
states that comprehensive risk assessments are necessary for 
determining which assets or systems face the highest risk, for 
prioritizing risk mitigation efforts and the allocation of resources, 
and for effectively measuring how security programs reduce risks. 

[74] The Coast Guard uses MSRAM to assess risk for various types of 
vessels and port infrastructure in accordance with the guidance on 
assessing risk from DHS's National Infrastructure Protection Plan 
(NIPP). The Coast Guard uses the analysis tool to help implement its 
strategy and concentrate maritime security activities when and where 
relative risk is believed to be the greatest. The model assesses the 
risk--threats, vulnerabilities, and consequences--of a terrorist 
attack based on different scenarios; that is, it combines potential 
targets with different means of attack, as recommended by the risk 
assessment aspect of the NIPP. Also in accordance with the NIPP, the 
model is designed to support decision making for the Coast Guard. At 
the national level, the model's results are used, among other things, 
for identifying capabilities needed to combat future terrorist threats. 

[75] GAO, Executive Guide: Effectively Implementing the Government 
Performance and Results Act, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-96-118] (Washington, D.C.: June 
1996). 

[76] Office of Management and Budget, Circular A-4, Regulatory 
Analysis (Revised Sept. 17, 2003) provides guidance to federal 
agencies on the development of regulatory analysis as required by 
Executive Order 12866 of September 30, 1993, as amended by Executive 
Order 13258 of February 26, 2002, and Executive Order 13422 of January 
18, 2007, "Regulatory Planning and Review." According to Executive 
Order 12866, agencies should adhere to certain specified principles, 
such as (1) with respect to setting regulatory priorities, each agency 
shall consider, to the extent reasonable, the degree and nature of the 
risks posed by various substances or activities within its 
jurisdiction, and (2) each agency shall base its decisions on the best 
reasonably obtainable scientific, technical, economic, and other 
information concerning the need for, and consequences of, the intended 
regulation. According to Circular A-4, a regulatory analysis should 
include the following three basic elements: (1) a statement of the 
need for the proposed action, (2) an examination of alternative 
approaches, and (3) an evaluation of the benefits and costs--
quantitative and qualitative--of the proposed action and the main 
alternatives identified by the action. The evaluation of benefits and 
costs is to be informed by a risk assessment. 

[77] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[78] See [hyperlink, http://www.gao.gov/products/GAO/GGD-96-118]. 

[79] MISLE began operating in December 2001 and is the Coast Guard's 
primary data system for documenting facility oversight and other 
activities. 

[80] We recommended that, among other things, the Coast Guard assess 
MISLE compliance data, including the completeness of the data, data 
entry, consistency, and data field problems, and make any changes 
needed to more effectively use MISLE data. DHS concurred with this 
recommendation. The Coast Guard acknowledged the need for improvement 
in MISLE compliance data and has taken initial steps to reduce some of 
the database concerns identified in our previous work. However, as of 
January 2011, the recommendation has not been fully addressed. See 
GAO, Maritime Security: Coast Guard Inspections Identify and Correct 
Facility Deficiencies, but More Analysis Needed of Program's Staffing, 
Practices, and Data, [hyperlink, 
http://www.gao.gov/products/GAO-08-12] (Washington, D.C.: Feb. 14, 
2008). 

[81] These numbers represent a combination of visual and electronic 
verifications because the TWIC verification window in MISLE is not 
currently designed to capture whether cards are verified visually or 
electronically. According to Coast Guard officials, with the recent 
deployment of handheld readers to Coast Guard units, the Coast Guard 
is in the process of enhancing MISLE to include the ability to 
distinguish between the number of visual inspections of cards and the 
number of verifications conducted using the handheld readers. 

[82] According to the Coast Guard, 2,509 facilities are subject to 
MTSA and must actively implement TWIC provisions. 

[83] The Coast Guard estimated a need for 300 handheld biometric 
readers, based on an estimate of 5 readers for each of the Coast 
Guard's major field inspections units across the country. 

[84] Range based on a reduced fee of $105.25 per TWIC for workers with 
current, comparable background checks or a $132.50 fee per TWIC for 
those without. 

[85] See Transportation Worker Identification Credential (TWIC) 
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492, 
3571 (2007). 

[86] The Free and Secure Trade (FAST) Card is to be issued to approved 
commercial drivers to facilitate the travel of low-risk screened 
shipments across the borders between the U.S.-Canadian border and to 
the U.S. from Mexico. 

[87] The NEXUS card can be used as an alternative to the passport for 
air, land, and sea travel into the United States for U.S. and Canadian 
citizens. The NEXUS program allows prescreened travelers expedited 
processing by United States and Canadian officials at dedicated 
processing lanes at designated northern border ports of entry, at 
NEXUS kiosks at Canadian Preclearance airports, and at marine 
reporting locations. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: