This is the accessible text file for GAO report number GAO-11-140R 
entitled 'Maritime Security: Responses to Questions for the Record' 
which was released on November 22, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-11-140R: 

United States Government Accountability Office: 
Washington, DC 20548: 

October 22, 2010: 

The Honorable John D. Rockefeller IV:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate: 

Subject: Maritime Security: Responses to Questions for the Record: 

On July 21, 2010, we testified before your committee on the Department 
of Homeland Security's (DHS) progress and challenges in key areas of 
port security.[Footnote 1] Members of the committee requested that we 
provide additional comments to a number of post hearing questions. The 
questions and our answers are provided in the Enclosure 1. The 
responses are based on work associated with previously issued GAO 
products and also include selected updates--conducted in September 
2010--to the information provided in these products. We conducted this 
work in accordance with generally accepted government auditing 
standards. To ensure the technical accuracy of the updated information 
obtained in September 2010, we provided of copy of the information 
contained in this letter to DHS. DHS provided technical comments that 
we incorporated as appropriate. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the date of this letter. At that time, this letter will be 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions about this letter or need additional 
information, please contact me at (202) 512-9610 or caldwells@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this letter. Key contributors 
to this letter are listed in Enclosure 2. 

Signed by: 

Stephen L. Caldwell:
Director:
Homeland Security and Justice: 

Enclosures: 

[End of section] 

Enclosure 1: GAO Responses to Questions for the Record: 

Small Vessel Threats and Strategy: 

Question from Chairman Rockefeller: 

1. Pending the release of the implementation plan for the DHS Small 
Vessel Security Strategy, what are the potential options for 
mitigating threats from small vessels? To what extent would a new 
requirement that small vessels carry transponders--so they could be 
tracked--be a viable solution? How does this option compare to 
increased "neighborhood watch" type programs to encourage watermen and 
pleasure boaters to report suspicious activity? 

Please see question 2 below for a joint response. 

Question from Senator Hutchison: 

2. Since the terrorist attacks of September 11, 2001, maritime 
security efforts have focused primarily on large commercial vessels, 
cargoes, and crew. Efforts to address the small vessel environment 
have largely been limited to traditional safety and basic law 
enforcement concerns. Small vessels are, however, readily available 
for potential exploitation by terrorists, smugglers of weapons of mass 
destruction (WMDs), narcotics, aliens, other contraband, and other 
criminals. Small vessels have also been successfully employed overseas 
by terrorists to deliver Waterborne Improvised Explosive Devices 
(WBIEDs). GAO previously noted that technology systems used by the 
Coast Guard to track small vessels have not worked properly at night 
or during inclement weather. In your view, is it cost-effective to 
track small vessels? 

Governmental agencies, both in the United States and abroad, have 
exercised several options to address the risks presented by small 
vessels. As we previously reported in April 2010,[Footnote 2] the 
Department of Homeland Security (DHS)--including the U.S. Coast Guard 
and U.S. Customs and Border Protection (CBP)--and other entities are 
taking actions to reduce the risk from small vessels. These actions 
include the development of the Small Vessel Security Strategy, 
[Footnote 3] community outreach efforts through the America's Waterway 
Watch (AWW) program and Operation Focused Lens, port-level vessel 
tracking efforts with radars and cameras, port-scale nuclear detection 
pilot projects, establishment of security zones in U.S. ports and 
waterways, and escorts of possible targets of waterborne improvised 
explosive devices. CBP and the Coast Guard also have other efforts 
under way to prevent small vessels from transporting weapons of mass 
destruction, terrorists, or narcotics from foreign countries into the 
United States. CBP's Office of Air and Marine reports that it is using 
airborne assets such as four engine P3 Airborne Early Warning and Long 
Range Tracker aircraft and soon maritime reconnaissance versions of 
unmanned Predator drones, to detect smugglers' vessels, including 
semisubmersibles, sailing to the United States. The Coast Guard and 
CBP's Office of Air and Marine also report that they station patrol 
vessels along smuggling routes to intercept smugglers' vessels before 
they reach U.S. shores. At the request of Chairman Bennie Thompson and 
Ranking Member Peter King of the Committee on Homeland Security, House 
of Representatives, we are currently reviewing CBP's Office of Air and 
Marine program and examining the agency's use of its resources and 
expect to issue the results of this review next year. Outside of the 
United States, the government of Singapore began a program in 2007 
called Harbour Craft Transponder System where all vessels not covered 
by the International Maritime Organization's (IMO) International 
Convention for the Safety of Life at Sea (generally, this convention 
covers vessels 300 gross tons or more on an international voyage and 
cargo ships of 500 gross tons or more) were required to install and 
operate transponders that broadcast their position. The program was 
implemented jointly by the Maritime and Port Authority, the Police 
Coast Guard and the Republic of Singapore Navy, and an estimated 2,800 
small vessels were equipped when its operation commenced in 2007. User 
costs include the transponder device, which ranges in cost from 
approximately $700 to $730 plus applicable taxes, depending on whether 
the model is portable or fixed, and an annual operating cost of 
approximately $90. 

As we reported in March 2009, the expansion of vessel tracking to all 
small vessels--through transponders or other methods--may be of 
limited utility because of the large number of small vessels, the 
difficulty identifying threatening actions, the challenges associated 
with getting resources on scene in time to prevent an attack once it 
has been identified, and the limitations of certain equipment. 
[Footnote 4] For vessels not required to carry automatic 
identification system (AIS)[Footnote 5] equipment, cameras may be 
utilized, though not all ports have cameras suited to overcome 
challenges posed by low lighting during operation at night or in bad 
weather. Even when vessels carrying transponders are tracked in ports, 
recognizing hostile intent is very difficult. During our reviews of 
maritime security efforts, we were provided evidence of vessels 
intruding into security zones where unauthorized access was 
prohibited. While no attacks occurred, such vessels were able to 
travel freely near potential targets. Coast Guard officials have told 
us that their ability to enforce security zones is constrained by 
their limited resources. Moreover, the Coast Guard has not been able 
to meet its own internal standards for the frequency of escorts of 
potential target vessels. The difficulty in recognizing potentially 
threatening activity and the limited response capability indicates 
that expanding tracking to all small vessels would not necessarily 
diminish the risk posed by small vessels. While such tracking would 
likely lead to increased observation of prohibited activities, such as 
intrusion into security zones, it would not necessarily help to 
differentiate between vessels that entered security zones with hostile 
intent and vessels that entered for other reasons, such as better 
fishing. In addition, with the increased number of vessels to observe, 
watch standers could be overwhelmed by the amount of information they 
must track or monitor. While the Coast Guard has research underway to 
automate its ability to detect threatening behavior by vessels, even 
if these efforts are successful they would not improve the agency's 
ability to respond quickly. DHS's Small Vessel Security Strategy also 
states that small-vessel risk reduction efforts should not impede the 
lawful use of the maritime domain or the free flow of legitimate 
commerce--making the need to decipher vessel behavior essential. As 
the strategy states, given the size and complexity of the maritime 
domain, risk-based decision making is the only feasible approach to 
prevention, protection, response and recovery related to small-vessel 
threats. 

Much of the seaborne smuggling of narcotics and undocumented migrants 
into the United States currently makes use of small vessels, such as 
high-speed "go fast" boats and semisubmersibles. While CBP and the 
Coast Guard are also taking actions to intercept smugglers at sea, 
their ability to prevent this smuggling is mixed. In its fiscal year 
2009 performance report, the Coast Guard reported removing 15 percent 
of the cocaine being transported on noncommercial vessels bound for 
the United States in fiscal year 2009. Conversely, the Coast Guard 
reported that it interdicted approximately 84 percent of undocumented 
migrants who attempted to enter the United States via maritime routes 
in fiscal year 2009. CBP's performance report did not include similar 
measures for maritime narcotic or migrant interdiction. 

With the critical task of mitigating the risk posed by small vessels 
before the Coast Guard and CBP, we believe a risk management approach 
coupled with strong intelligence-gathering efforts would lead to the 
greatest benefit. Intelligence-gathering efforts at the port level, 
such as AWW, should help uncover potential threats before they develop 
into full-fledged attacks. The program's outreach to over 400 local 
watch group members in and around the Puget Sound region for the 
Vancouver 2010 Winter Olympics demonstrated its potential as means of 
increasing vigilance and communication. Moreover, targeted efforts 
aimed at protecting critical infrastructure and valuable vessels, 
along with random escorts and patrols, should help provide deterrence 
against a small vessel attack inside U.S. port areas. Offshore, 
intelligence efforts aimed at uncovering smuggling operations should 
also help to target patrols and interceptions. These efforts would 
include random patrols, which add uncertainty to where these assets 
will be at any one time. A risk management approach that focuses 
limited resources on the greatest risks is even more critical given 
the federal government's current budget climate. 

Security in Overseas Ports: 

Questions from Chairman Rockefeller: 

3. Regarding security in foreign ports, your statement emphasized the 
importance of risk management and indicated that your work had shown 
potential to apply more risk management to the Coast Guard inspection 
of foreign ports. What did your work specifically show and how could 
the Coast Guard use risk management more effectively? Can the Coast 
Guard do this on its own, or would legislative changes be needed to 
implement changes in the frequency or intensity of visits to foreign 
ports? 

Since we issued our report on the Coast Guard's International Port 
Security Program in April 2008, the Coast Guard has adopted a new risk 
management program.[Footnote 6] In April 2008, the Coast Guard was 
just beginning the next phase of the program, revisiting countries to 
reassess the security measures of 138 trading partners. As part of 
this next phase, the Coast Guard planned to place greater emphasis on 
countries that were not in compliance or that were struggling to 
comply with International Ship and Port Facility Security (ISPS) Code 
requirements. To accomplish this with available resources, the Coast 
Guard planned to prioritize its country visits and capacity-building 
efforts using a risk-based approach that would allow Coast Guard 
officials to spend more time in countries not in compliance and whose 
lack of compliance poses a higher risk to the United States. At the 
time of our report, the Coast Guard was in the process of developing 
this risk-management approach and had created working groups to 
consider how to implement this approach. Since the issuance of our 
report, the Coast Guard reported that the program finalized its 
methodology which analyzes the risk a country potentially poses to the 
United States, how well a country is implementing the ISPS Code, and 
the likelihood that capacity-building efforts in the country would be 
effective considering a variety of political, economic, and social 
preconditions. According to the Coast Guard, the results of the 
methodology are used to manage risk and limited resources by helping 
establish assessment team size, determining countries and ports where 
capacity-building resources would be most effective, and finally 
identifying high-risk countries that need additional oversight. We 
have not conducted a detailed review of this methodology or the Coast 
Guard's implementation of it. 

Although we have not analyzed or directly reported on this issue as it 
relates to the Coast Guard, another approach the Coast Guard could 
consider to incorporate risk management into the program is to use 
mutual recognition arrangements with other countries, similar to that 
developed by CBP for international customs. We reported in August 2008 
that CBP worked with the international customs community to achieve a 
system of mutual recognition--an arrangement whereby the actions or 
decisions taken by one customs administration are recognized and 
accepted by another administration.[Footnote 7] For a system of mutual 
recognition to work, however, there must be an agreed-upon common set 
of standards that are applied uniformly so that a level of confidence 
exists between countries. As international standards exist for 
maritime security through the ISPS Code, the Coast Guard could 
consider developing a similar system of mutual recognition for 
international maritime security. For example, the European Union has 
developed detailed regulations for the consistent implementation of 
the ISPS Code by its member states and established a process for 
verifying the effectiveness of its member states' maritime security 
measures. This process includes an inspection of member states' ports 
that results in a report identifying any nonconformities with the 
regulations and making recommendations to address the nonconformities. 
Should the Coast Guard develop confidence in the European Union's 
regulatory and inspection approach to determine whether its members 
have fully implemented and maintain international maritime security 
standards, under a mutual recognition arrangement with the European 
Union the Coast Guard could agree to recognize and accept one 
another's security practices. The Coast Guard could then give 
countries with which it has such agreements lower priority for a 
country visit. During a meeting in September 2010 to follow-up on our 
report, Coast Guard officials told us that more flexibility to 
determine whether an assessment is necessary for countries with which 
there is confidence in the implementation of international maritime 
security standards would be helpful to the program in allocating 
program resources toward the highest-risk countries. Changes to 
increase the frequency of visits to foreign ports would not require a 
legislative change, whereas a decrease in frequency may require a 
legislative change. 

In regard to the Coast Guard's ability to spend more time in countries 
not in compliance to assist with capacity building, we reported in 
April 2008 that the International Port Security Program was subject to 
limitations on its ability to offer capacity-building assistance 
outside of assessment activities or to other countries that may comply 
with the ISPS Code standard, but struggle to maintain their 
compliance. Coast Guard officials stated that while authorities 
allowed for certain types of capacity-building activities, several of 
the authorities limited those activities to ports in foreign countries 
that have been found to lack effective antiterrorism measures. 
However, with the enactment of the Coast Guard Authorization Act of 
2010,[Footnote 8] the Coast Guard has new authorities to provide 
assistance to what the Coast Guard describes as a broader range of 
countries. For example, the act authorizes the Coast Guard to provide 
specified types of assistance to foreign ports based on risk 
assessments and comprehensive port security assessments rather than a 
finding of the lack of effective antiterrorism measures before 
providing assistance. In terms of changes to the frequency of visits 
to foreign ports, although the Security and Accountability For Every 
Port Act of 2006 (SAFE Port Act) currently requires that a minimum 
number of reassessments of the effectiveness of antiterrorism measures 
in foreign ports be conducted at a rate of not less than once every 3 
years,[Footnote 9] the International Port Security Program strives to 
conduct reassessments every 2 years to follow the direction contained 
in the conference report accompanying the fiscal year 2007 DHS 
Appropriations Act.[Footnote 10] The Coast Guard states that in 
addition to the reassessments, it visits all countries at least 
annually, with countries that have ports with nonconformance issues it 
has identified more frequently. Consequently, to decrease the 
frequency of visits to an amount less than the established frequencies 
in the SAFE Port Act would require legislative changes whereas an 
increase in frequency would not require legislative changes. 

$. S. 3639 authorizes the Coast Guard to provide assistance to foreign 
governments or ports to enhance their maritime security. Does GAO 
support this provision? 

The provisions in S. 3639 to authorize the Coast Guard to provide 
assistance to foreign governments or ports to enhance their maritime 
security are similar to provisions recently enacted in the Coast Guard 
Authorization Act of 2010. While we have not directly looked at this 
issue, based on our work, Coast Guard technical assistance to other 
countries could be another way to improve port security in certain 
circumstances with available Coast Guard resources. During our review 
of the International Port Security Program, Coast Guard officials told 
us that funding is a major challenge for most countries struggling to 
meet and sustain ISPS Code requirements.[Footnote 11] For example, 
Coast Guard officials stated that in several African countries, the 
designated authority within the government does not have the resources 
to provide security for ports or funds to provide grants for ports in 
need of improvements. However, according to Coast Guard officials, the 
Coast Guard also does not have resources to supply physical security 
assets, such as fences and guards, to those countries that cannot 
afford them. Program officials have sought to raise awareness about 
low-cost methods that can be used to meet certain international 
security requirements, such as the use of "tabletop" exercises rather 
than conducting full-scale drills and exercises. 

In addition to the budgetary limitations, Coast Guard officials stated 
that the program faced legal limitations in the capacity-building 
efforts they could provide under their previous legislative 
authorities. As discussed above, while previous authorities allowed 
for certain types of capacity-building activities, several of those 
authorities limited those activities to ports in foreign countries 
that had been found to lack effective antiterrorism measures. However, 
with the enactment of the Coast Guard Authorization Act of 2010, the 
Coast Guard has new authorities to provide assistance. For example, 
the act authorizes the Coast Guard to provide assistance based on risk 
assessments and comprehensive port security assessments rather than a 
finding of a lack of effective antiterrorism measures. Another 
capacity-building authority authorizes the provision of technical 
assistance when it is provided in conjunction with regular Coast Guard 
operations. The Coast Guard Authorization Act of 2010 amended this 
authority to expressly authorize the use of funds for certain purposes 
such as the activities of traveling contact teams, including any 
transportation expense, translation services, seminars, and 
conferences involving members of maritime authorities of foreign 
governments, and the distribution of publications pertinent to 
engagement with maritime authorities of foreign governments. 

5. Does the Coast Guard have an adequate workforce of inspectors who 
can operate in foreign environments to inspect foreign ports? To what 
extent would that workforce be affected by proposals to change the 
frequency or intensity of visits to foreign ports? How would it be 
affected by proposals to increase technical assistance to foreign 
governments and ports outside of the normal visit/inspection cycle? 

We reported in January 2010 that during this decade, the Coast Guard 
has been challenged with expanded mission responsibilities, and 
concerns have been raised about whether the Coast Guard has a 
sufficient workforce to fulfill these mission responsibilities. 
[Footnote 12] The impact of expanding missions underscored 
shortcomings in the Coast Guard's ability to effectively allocate 
resources, such as personnel; ensure readiness levels; and maintain 
mission competency. Similarly, when we concluded our review of the 
International Port Security Program in April 2008, we reported that 
the Coast Guard also faced challenges in ensuring that it had trained 
staff available to meet assessment and assistance needs. According to 
Coast Guard officials, personnel working in the program have unique 
demands placed on their skills since they must be proficient security 
inspectors and must also be culturally and diplomatically sensitive 
liaisons to foreign countries. The challenge was made more difficult 
by Coast Guard plans to compress its schedule for completing follow-up 
visits so that all were to be completed within a 2-year time frame and 
by the Coast Guard personnel rotation policy that moves personnel 
between different positions every 3 to 4 years. 

We also reported that the Coast Guard did not have a fully developed 
strategic workforce plan for the program. Coast Guard officials noted 
that the calculations for the number of program personnel required 
were straightforward as the number of countries to assess was limited 
to approximately 138 and the amount of time required to conduct 
assessments was known. When we asked Coast Guard officials about 
ensuring the availability of sufficient resources for the next phase 
of the program, Coast Guard officials stated that they believed they 
had sufficient resources to conduct assessments and provide capacity 
building within the current authorities provided to the program. 
However, we reported that they had not completed aspects of workforce 
planning, such as processes to regularly analyze staffing data and 
workforce demographics and develop strategies for identifying and 
filling gaps, as human capital management guidance provided by the 
Office of Personnel Management suggests. Without such planning, we 
reported that it may be difficult for the Coast Guard to meet its 
program goals. As a result, we recommended that the Coast Guard 
develop and incorporate a workforce plan as part of the risk 
management approach it was developing to prioritize the performance of 
program activities. DHS and the Coast Guard concurred in part with our 
recommendation. Specifically, they noted that the Coast Guard has 
analyzed its workforce needs to carry out the functions currently 
mandated and had begun to develop a methodology to determine where 
best to conduct capacity-building efforts. They stated that more 
analysis would be done when and if authorities are provided to expand 
the capacity-building activities of the program. While we agreed that 
the Coast Guard would need additional authorities to carry out certain 
capacity-building activities beyond countries not in compliance, the 
Coast Guard's workforce planning efforts were not consistent with 
those called for by human capital management guidance, even for the 
program's current authorities. 

While we do not have the data or information to determine how the 
Coast Guard's workforce would be affected by potential changes to the 
frequency or intensity of visits, or changes to increase the technical 
assistance to foreign governments and ports, since the issuance of our 
report the Coast Guard has reported taking additional actions to more 
fully develop a workforce plan for the program. Although the program 
does not envision a separate "stand-alone" plan, the Coast Guard 
reported reviewing human capital management guidance and is 
incorporating some of the principles in its program management. Among 
other things, the Coast Guard reported that the program continues to 
refine its human capital management including using an analysis to 
identify training needs for new personnel entering the program and 
promulgation of guidance on resources that should be devoted to 
conducting assessment visits for various categories of countries. The 
program also reported finalizing its methodology which looks at the 
risk a country potentially poses; how well it is implementing the 
international security standard, the ISPS Code; and the likelihood 
that the capacity-building efforts in the country would be effective. 
While we have not assessed these actions, we believe they contribute 
towards the implementation of our recommendation and thereby better 
position the Coast Guard to ensure that it has an adequate workforce. 
Should the program be given additional capacity-building authority, 
the Coast Guard stated that the program will use its methodology to 
identify additional personnel needs and where they should best be 
stationed. 

Question from Senator Klobuchar: 

6. As recently as this month, the U.S. Coast Guard estimated that as 
many as 15 countries are not maintaining effective antiterrorism 
measures at their port facilities. If foreign ports or facilities fail 
to maintain these measures, the Coast Guard has the authority to deny 
entry to vessels arriving from such ports or impose specific 
conditions on the vessels in order to be allowed entry to the U.S. Can 
you tell us more about this assessment and what the conditions on the 
ground are at these ports? How are we working with foreign governments 
to increase protective measures at their ports? What steps are we 
taking to address the national sovereignty concerns of nations whose 
ports are being examined under the International Port Security Program? 

There are a variety of reasons and circumstances whereby the Coast 
Guard deems a country and its ports as not in compliance with 
international port security standards. In regards to the conditions in 
countries currently considered not to be maintaining effective 
antiterrorism measures at their port facilities, the Coast Guard 
considers this information as sensitive and it therefore cannot be 
publicly released. However, the Coast Guard told us that its concerns 
about these countries generally center around the failure of the 
contracting government to audit the ISPS Code compliance of its port 
facilities and on the individual port facilities' failure to 
adequately control access of personnel and cargo. During the 
assessment the Coast Guard conducts of foreign ports[Footnote 13] 
through its International Port Security Program, Coast Guard officials 
visit and review the implementation of security measures in foreign 
ports, examining the physical security measures and access controls at 
the ports as well as the policies, procedures, and training related to 
the ISPS Code. Based on its visit and the information provided by the 
foreign country, the Coast Guard team determines the extent to which 
the country has substantially implemented the ISPS Code. The Coast 
Guard team makes a determination that a country has "substantially 
implemented" the ISPS Code if the team concludes that effective 
security measures are in place at the ports that meet the requirements 
of the ISPS Code and the government exercises effective oversight. If 
the team does not observe these items, the team makes a determination 
that the country "has not substantially implemented" the ISPS Code. In 
addition to being an outcome of a country visit, the Coast Guard may 
also find a country to not have substantially implemented the ISPS 
Code if it denies access to its ports, it fails to communicate 
information on its compliance to the Coast Guard or the IMO, or a 
credible report by another U.S. government agency or other source 
finds that substantial security concerns exist. 

In cases where a country has been found not to have substantially 
implemented the ISPS Code, the Coast Guard explains the identified 
deficiencies and makes recommendations to the country for addressing 
the deficiencies and provides possible points of contact for 
assistance to help the country improve. In addition, Coast Guard 
officials work with the appropriate American embassy to identify other 
capacity-building resources that might assist the country. As part of 
the program, the Coast Guard has been collecting and sharing best 
practices it has observed during its visits with a special emphasis on 
low-cost security practices or innovative applications that are easy 
to implement and do not require a significant financial investment. 
The Coast Guard shares these best practices with other countries and 
makes them publicly available through the program's Web site to assist 
foreign governments in making improvements in their port security. The 
Coast Guard team then revisits the country to observe whether 
identified deficiencies have been addressed. Depending on the progress 
observed and the cooperation received from the country, the team may 
decide to continue to work with the country and make a revisit or 
place conditions on vessels that try to enter U.S. ports after 
visiting the country's ports. During our review, Coast Guard officials 
cited their efforts in one Caribbean Basin country as an example of 
how the Coast Guard works with foreign governments to increase 
protective measures at their ports. In that case, the Coast Guard 
initially found that ports in the country were not substantially 
implementing the ISPS Code. After several rounds of sharing 
information on security training, discussions of best practices for 
security exercises, and suggestions for specific physical security 
improvements, the Coast Guard found that the country had made 
substantial progress toward implementing the ISPS Code. 

In regards to national sovereignty concerns, the Coast Guard is aware 
of such concerns and has considered ways to address them. The Coast 
Guard has stated that because of sovereignty concerns and "assessment 
fatigue," it is becoming increasingly difficult to gain access to 
countries such as China, Egypt, India, Libya, Russia, and Venezuela 
for reassessments. During our review, Coast Guard officials stated 
that an effort was underway to conduct joint visits when possible with 
other U.S. government agencies as well as increase the sharing of 
assessment data among various agencies to reduce the "footprint" of 
U.S. government activities in the countries. As another approach, 
Coast Guard officials stated that they have also considered partnering 
with other foreign governments and international organizations to 
complete assessments. However, the Coast Guard has not partnered with 
any international governments to conduct reassessments because the 
international community has not developed an approach or methodology 
as the Coast Guard has for inspecting ports. The Coast Guard has also 
reported that it works frequently with international organizations 
such as the Asia Pacific Economic Cooperation (APEC) and the 
Organization of American States on capacity-building projects and 
utilizes the information obtained when conducting such actions as part 
of the assessment process. For example, as part of APEC's 
Transportation Working Group's maritime expert group security 
subcommittee, the Coast Guard assisted in creating the Port Security 
Visit Program and has participated in several of the assessment visits 
to member economies. In addition, the Coast Guard has conducted joint 
visits with auditors from the Secretariat of the Pacific Community in 
Pacific island nations. In the short term, program officials stated 
that the best way to mitigate a possible lack of cooperation from 
sovereign nations is to continue to reach out and diplomatically work 
with countries. The recently enacted Coast Guard Authorization Act of 
2010 now mandates that unless the Coast Guard finds that a port in a 
foreign country maintains effective antiterrorism measures, that the 
Coast Guard notify appropriate governmental authorities of the foreign 
country and allows the imposition of conditions of entry (requiring 
vessels to take additional security measures) "unless the Coast Guard 
finds effective anti-terrorism measures in place in foreign ports." In 
cases where countries still deny the Coast Guard access to their 
ports, program officials will implement and utilize these provisions 
as required and work with other Coast Guard programs in the domestic 
arena--specifically, programs that examine foreign vessels to verify 
their compliance with ISPS Code requirement--and conduct offshore 
security boardings of vessels to help limit the access of high-risk 
vessels to U.S. ports. 

Port Security Grant Program: 

Question from Senator Lautenberg: 

7. The Port Authority of New York and New Jersey is unable to move 
forward on a number of projects to improve the security of the port 
because of the twenty-five percent cost share requirement for port 
security grants. It is my understanding that waiving this requirement 
is a long, arduous process that is rarely successful. What should be 
done about this cost-share requirement so that it does not impede the 
security of our ports? 

Matching contributions--also known as cost-share requirements--are a 
key factor for effective federal grants for two reasons. First, it is 
important that federal dollars are leveraged to ensure that federal 
grants supplement stakeholder (whether public or private) spending 
rather than serve as a substitute for stakeholder spending on grant- 
funded projects. If a grant program is not designed to encourage 
supplementation, other stakeholders may rely solely on federal funds 
and choose to use their own funds for other purposes, meaning that 
federal funds cannot be leveraged to the extent they otherwise could 
be. We reported in September 2003 that the inclusion of matching 
requirements is one method through which to encourage supplementation 
of federal grants.[Footnote 14] Second, matching requirements are 
reasonable given that grant benefits can be highly localized. For 
example, regarding port security grants, we reported in December 2005 
that, 

"Ports can produce benefits that are public in nature (such as general 
economic well-being) and distinctly private in nature (such as 
generating profits for a particular company). The public benefits they 
produce can also be distinctly local in nature, such as sustaining a 
high level of economic activity in a particular state or metropolitan 
area. Thus, state and local governments, like private companies, also 
have a vested interest in ensuring that their ports can act as 
efficient conduits of trade and economic activity. Given that homeland 
security threats can imperil this activity, it can be argued that all 
of these stakeholders should invest in the continued stability of the 
port."[Footnote 15] 

However, in the December 2005 report, we also recognized the 
differences of opinion among policymakers regarding the inclusion of 
matching requirements in federal grants. Some might see substitution 
of federal funds for local funds as reasonable given differences in 
fiscal capacity, while others may view homeland security as a shared 
responsibility. For policymakers who place greater value on reducing 
the substitution of federal funds for local funds, strengthening 
matching requirements offers one option in administering grants. One 
way to implement this requirement involves using a sliding scale for 
matching federal funds depending on the fiscal capacity of the grant 
applicant. Additionally, the matching requirement under the fiscal 
year 2009 Port Security Grant Program (PSGP) stated that the match may 
be in the form of cash or in-kind contributions, allowing grant 
recipients flexibility in meeting this requirement. However, the cost-
share requirement was waived for fiscal year 2010 port security grants. 

Aside from matching requirements, there are other key factors to 
consider in ensuring an effective grant process, such as efficiency, 
timeliness, and oversight. For example, the DHS Office of Inspector 
General reported in March 2010 that DHS has a variety of preparedness 
grant programs with similar purposes, redundant application processes, 
and differing program requirements.[Footnote 16] In our June 2009 
report on the Transit Security Grant Program (TSGP), we identified 
problems with grant management and made recommendations related to 
defining agency roles when more than one agency is involved in the 
grant program, developing a plan for measuring effectiveness, 
developing a process to systematically collect data and track grant 
activities, and communicating the availability of grant funding to 
transit agencies.[Footnote 17]Lacking these grant management 
characteristics, the TSGP experienced delays in approving projects and 
making funds available. As a result, about $21 million of the $755 
million in awarded funds for fiscal years 2006 through 2008 had been 
expended by transit agencies. At the request of Ranking Member Peter 
T. King of the House Committee on Homeland Security, and Senator 
George V. Voinovich of the Senate Committee on Homeland Security and 
Governmental Affairs, this month we are initiating a review of grant 
management processes of selected DHS preparedness grant programs. 

Question from Senator Hutchison: 

8. Various ports across the nation have indicated that the port 
security grant process is confusing, and that the distribution of 
funds is very slow, with FEMA and the USCG still working on delivering 
funds from 2007. What insights can GAO offer for a better, and more 
efficient, way to distribute port security grants, so that our 
nation's ports receive funds in a timely manner? GAO has made a number 
of recommendations to TSA and FEMA to improve the grant process for 
rail and transit security grants. Do any of those recommendations 
apply to port security grants? Is the Fiduciary Agent process an 
effective way to distribute port security grant funds? 

While we have not reviewed issues related to the distribution of 
funding under the PSGP since 2005, and thus cannot offer solutions to 
current PSGP problems, we reported in our June 2009 report on the TSGP 
that defining agency roles, tracking grant activity, and distributing 
funds in a timely manner are important principles of grant management. 
[Footnote 18] For example, given that the Federal Emergency Management 
Agency (FEMA) and Transportation Security Agency (TSA) share 
responsibility for the TSGP, we recommended that the two agencies 
define their respective roles and responsibilities for managing the 
TSGP. Similarly, FEMA and the Coast Guard should define their 
respective roles and responsibilities for managing the PSGP. We also 
reported that the systematic collection and tracking of grant 
activities under the TSGP is essential to effective grant management. 
At FEMA, the Grants Program Directorate (GPD)--which also oversees the 
PSGP--is responsible for this record keeping. However, GPD officials 
reported in March 2010 that the development of an updated grant 
management system--scheduled for completion in 2011--had been halted 
because of budget cuts. Lastly, because of delays that transit 
agencies experienced in receiving funding, we recommended that TSGP 
grant management officials establish time frames for making funds 
available to stakeholders that have had projects approved. 
Establishing such time frames could help grantees implement projects 
within the designated performance periods of the grants. 

In addition to negotiating, tracking, and distributing funds, the 
process must also include key internal controls. In its Guide to 
Opportunities for Improving Grant Accountability, the Domestic Working 
Group reported that internal controls are needed to ensure that funds 
are properly used and achieve intended results.[Footnote 19] It cites 
four areas where internal controls are important: (1) preparing 
policies and procedures before issuing grants, (2) consolidating 
information systems to assist in managing grants, (3) providing grant 
management training to staff and grantees, and (4) coordinating 
programs with similar goals and purposes. Establishing effective 
internal controls may slow the distribution of grants, as these 
systems should be in place prior to the grant award. However, the 
Domestic Working Group reported that inadequate internal controls make 
it difficult for grant managers to determine whether funds are 
properly used. 

In terms of using a fiduciary agent, until fiscal year 2009, TSGP 
grant funding was first processed through a state administrative 
agency (SAA). However, the DHS appropriations acts for fiscal years 
2009 and 2010 required funding to be provided directly to transit 
agencies.[Footnote 20] We expect to follow up with transit agencies to 
identify the impacts of this change and determine whether the removal 
of the fiduciary agent added any efficiencies to the grant process as 
part of our upcoming review of grant management processes of selected 
DHS preparedness grant programs, requested by Ranking Member Peter T. 
King of the House Committee on Homeland Security, and Senator George 
V. Voinovich of the Senate Committee on Homeland Security and 
Governmental Affairs. 

Transportation Worker Identification Credential: 

Question from Senator Lautenberg: 

9. Over a million maritime workers have gone through background checks 
and obtained TWIC cards, to gain access to secure areas of our ports. 
The Port Authority of New York/New Jersey is one of the sites testing 
these TWIC cards. However, this technology has been fraught with 
challenges and has not been working as intended. How do the challenges 
with the TWIC program affect the security of our ports? 

In November 2009, we identified several Transportation Worker 
Identification Credential (TWIC) program challenges.[Footnote 21] As 
noted in the report, the TWIC pilot is currently under way to test the 
use of TWIC cards with biometric card readers. Specifically, this 
pilot is intended to test the technology, business processes, and 
operational impacts of deploying TWIC readers at secure areas of the 
marine transportation system. As such, the pilot is expected to test 
the viability of selected biometric card readers for use in reading 
TWIC cards within the maritime environment. It is also to test the 
technical aspects of connecting TWIC readers to access control 
systems. After the pilot has concluded, the results of the pilot are 
expected to inform the development of the card reader rule requiring 
the deployment of TWIC readers for use in controlling unescorted 
access to the secure areas of Maritime Transportation Security Act of 
2002 (MTSA)--regulated vessels and facilities.[Footnote 22] However, 
as noted in our November 2009 report, shortfalls in TWIC pilot 
planning have hindered the TSA and the Coast Guard's efforts to ensure 
that the pilot is broadly representative of deployment conditions and 
will yield the information needed--such as information on the 
operational impacts of deploying biometric card readers and their 
costs--to accurately inform Congress and the card reader rule. For 
instance, because of schedule constraints, TSA did not conduct its 
more rigorous laboratory testing of readers to be used at pilot sites 
prior to testing them at pilot sites as initially planned. 

Since we issued our report in November 2009, TSA has received the 
results of the more rigorous laboratory-based reader durability 
testing. However, TSA has not shared the information on reader results 
with pilot participants. According to representatives of four of the 
seven pilot participants we met with, not sharing the results of 
reader testing has limited their ability to acquire the equipment that 
meets the environmental and durability needs of their port facilities 
and vessels and has resulted in their expending important port 
security funds without any assurance that their investment will be 
fruitful. Further, not all the approaches proposed in the Advanced 
Notice of Proposed Rule Making for using TWIC cards with readers will 
utilize the electronic security features on the TWIC card to confirm 
that the TWIC card is valid and authentic. 

We are currently conducting a review of the TWIC program's internal 
controls related to enrollment, background checks, card production, 
card activation and issuance, and use. The results of this work, 
including related covert testing at port facilities, will be published 
in February 2011. 

Question from Senator Nelson: 

10. Mr. Caldwell, does TSA share the information it gathers in its 
background investigations for Transportation Worker Identification 
Cards with state law enforcement entities? 

TSA reports that it does not share the information that it gathers 
during the background investigations of TWIC applicants with state and 
local law enforcement entities on a routine basis. Pursuant to MTSA 
provisions restricting the use of applicant information and the TWIC 
Privacy Impact Assessment, TSA and the Coast Guard limit their sharing 
of information on applicants and card holders. MTSA also provides, 
however, that such information may be shared with other federal law 
enforcement agencies. According to TSA officials, on a case-by-case 
basis, TSA can decide to share information if TSA determines that 
there is an imminent threat (terrorist or criminal) of loss of life or 
property. According to TSA officials, in such a situation, TSA would 
provide only basic information, such as the type of threat, location, 
and individuals involved, but would likely not provide other 
information from a person's TWIC application. Additionally, state and 
local law enforcement entities may contact TSA if they identify 
criminal use of a TWIC card (e.g., a TWIC card used in commission of a 
crime, or presentation of a fraudulent TWIC card for entry into the 
secure area of a MTSA-regulated facility) or to verify the 
authenticity of a TWIC card. 

Additionally, the Coast Guard and TSA have processes in place to share 
threat information with other federal law enforcement or terrorism 
centers. In the event that a TWIC applicant or TWIC cardholder is 
determined to pose a security threat, Coast Guard and TSA have 
developed a protocol to ensure effective interagency coordination and 
timely action to minimize the potential threat and risk to the 
maritime community associated with these individuals. 

Supply Chain Security: 

Questions from Chairman Rockefeller: 

11. Has GAO's work made a formal determination of whether the 100 
percent scanning requirement is consistent with risk management? 

The application of risk management for container security can be 
considered at the strategic level (e.g., assessing risks to the entire 
supply chain and designing appropriate security programs) or the 
tactical level (e.g., assessing risks to individual containers and 
applying extra scrutiny through existing layered security programs). 
At the strategic level, federal law and presidential directives call 
for the use of risk management in homeland security as a way to 
protect the nation against possible terrorist attacks, and CBP uses 
risk management in its processes for mitigating potential threats 
posed by U.S.-bound cargo containers. Risk management generally calls 
for establishing risk management priorities and allocating limited 
resources to those assets that face the highest risk. Risk management 
is necessary in the context of container security because CBP, like 
other DHS components, cannot afford to protect all commerce against 
all possible threats. According to risk management frameworks 
developed by GAO and DHS, key phases of risk management should include 
(1) assessing the risk posed by terrorists' use of cargo containers 
and (2) evaluating alternative measures to counter that risk based on 
factors such as the degree of risk reduction they afford and the cost 
and difficulty to implement them.[Footnote 23] This process includes a 
cost-benefit analysis of countermeasure options, which is useful in 
evaluating alternatives because it links the benefits from risk-
reducing countermeasures to the costs associated with them. While we 
have not conducted an assessment of whether the 100 percent scanning 
requirement is consistent with risk management, our prior work 
indicates that 100 percent scanning is not consistent because this 
strategic analytic process did not occur. Specifically, our work has 
shown that DHS has not evaluated the cost-effectiveness of 100 percent 
scanning as a countermeasure as part of a risk management framework 
for cargo container security.[Footnote 24] 

At the tactical level, opponents of 100 percent scanning have taken 
the position that it is better to assess the risk posed by each 
container and apply a countermeasure that is tailored to that 
container--as opposed to assessing the risk posed to supply chain 
security by cargo containers in general and then determining the most 
cost-effective countermeasure to reduce that risk (e.g., 100 percent 
scanning, CBP's layered security approach, or another alternative). 
From this perspective, the 100 percent scanning requirement is a 
departure from existing CBP container security programs because it 
requires CBP to scan all containers before performing analysis to 
determine their potential risk level. This position applies risk 
management principles--establishing strategic goals and priorities and 
allocating limited resources to those assets that face the highest 
risk--at the individual container level. According to this view, the 
100 percent scanning requirement is inconsistent with risk management 
principles because it does not distinguish among containers based on 
risk; rather, it assumes that all containers have an equal risk of 
carrying terrorist weapons and are to be subjected to the same level 
of scrutiny with the same amount of resources. Thus, resources are 
applied uniformly across all cargo containers rather than being 
allocated based on the potential risk they pose. Opponents of 100 
percent scanning who have generally taken this position include CBP, 
foreign governments, and industry. For example, the former Acting 
Commissioner and current Commissioner of CBP have said that the 100 
percent scanning requirement is not a risk-based approach. Similarly, 
foreign governments have expressed the view that 100 percent scanning 
is not consistent with risk management principles as contained in the 
World Customs Organization (WCO) Framework of Standards to Secure and 
Facilitate Global Trade (commonly referred to as the SAFE Framework). 
For example, European and Asian customs officials told us that the 100 
percent scanning requirement is in contrast to the risk-based 
strategy, that serves as the basis for other U.S. programs, such as 
the Container Security Initiative (CSI)[Footnote 25] and the Customs-
Trade Partnership Against Terrorism (C-TPAT).[Footnote 26] The WCO, 
representing customs agencies around the world, stated that the 
implementation of 100 percent scanning would be "tantamount to 
abandonment of risk management." In terms of industry, in 2008 the 
Association of German Seaport Operators released a position paper that 
stated that implementing the 100 percent scanning requirement would 
undermine mutual, already achieved security successes and deprive 
resources from areas that present a more significant threat and 
warrant closer scrutiny. Closer to home, the Commercial Operations 
Advisory Committee--an official industry group to CBP--has recently 
called for the repeal of the 100 percent scanning requirement and a 
move toward a more risk-based approach.[Footnote 27] 

Still at the tactical level, supporters of 100 percent scanning have 
expressed concerns about the effectiveness of existing CBP programs 
that attempt to assess the risks of individual containers and subject 
those deemed higher risk to closer scrutiny, including non-intrusive 
inspection (NII) scanning. Members of Congress who spoke in favor of 
the 100 percent scanning requirement noted that scanning all 
containers overseas could help detect weapons of mass destruction 
concealed in containers that are not identified as high risk because 
of weaknesses in CBP's layered security strategy. That is, 100 percent 
scanning would be a more effective way to counter the risks posed to 
cargo containers than existing initiatives intended to identify high-
risk containers. In making these arguments, certain members of 
Congress also cited GAO work that had identified potential weaknesses 
in programs that make up the layered security strategy. Our work 
identified weaknesses including a lack of validation of CBP's 
targeting practices through strategies like red-teaming; inadequate 
validation of C-TPAT members' security practices prior to granting 
them program benefits, such as a decreased likelihood of having their 
shipments scanned or physically examined; and not ensuring that 
containers identified as high risk but not scanned at CSI ports 
overseas are scanned upon arrival in the United States.[Footnote 28] 
The concerns we raised were open issues at the time Congress 
considered the 100 percent scanning requirement; however, since that 
time, these CBP programs have matured, and many of our recommendations 
have been implemented.[Footnote 29] 

As mentioned above, risk management includes not just assessing risks, 
but also evaluating alternative measures based on such factors as the 
degree of risk reduction they afford and the cost and difficulty to 
implement them. Our work has documented that there are operational 
challenges--such as logistics, technology, and infrastructure--to 
implementing 100 percent scanning.[Footnote 30] However, CBP has not 
done a detailed analysis to determine the feasibility of 100 percent 
scanning within the context of its risk-based layered security 
strategy. In this case, part of evaluating alternative measures is 
determining a concept of operations--a description of the operations 
that must be performed, who must perform them, and where and how the 
operations will be carried out--for how 100 percent scanning would 
work at foreign ports, which would include conducting studies and 
analyses at each port to determine locations where NII equipment would 
be able to scan 100 percent of containers going to the United States 
with a minimum of disruption to the flow of commerce at the port. For 
instance, transshipment--cargo containers from one port that are taken 
off a vessel at another port to be placed on another vessel bound for 
the United States--poses a particular challenge to 100 percent 
scanning. According to European customs officials, implementing the 
100 percent scanning requirement at large ports with complex 
operations would likely result in the need for a fundamental redesign 
of several ports, entailing substantial costs to terminal users. For 
other scanning options, the costs may not be as great. For example, as 
we describe in more detail in the next section, scanning with only 
radiation portal monitors (RPM) is less costly in terms of both 
equipment and impact on the flow of commerce. 

No homeland security program can guarantee complete success or freedom 
from risk, and CBP officials have acknowledged that they will likely 
not be able to achieve 100 percent scanning of U.S.-bound cargo 
containers by the statutory deadline.[Footnote 31] However, we believe 
additional analysis, done within a risk management framework, can help 
improve container security. In our October 2009 report on the Secure 
Freight Initiative (SFI) and 100 percent scanning, we recommended that 
among other things, CBP perform feasibility and cost-benefit analyses 
to (1) better position itself to determine the most effective way 
forward to enhance container security, (2) improve its container 
security programs, and (3) better inform Congress. DHS agreed in part 
with our recommendation that it develop a cost-benefit analysis of 100 
percent scanning, acknowledging that the recommended analyses would 
better inform Congress, but stated that the recommendation should be 
directed to the Congressional Budget Office. While the Congressional 
Budget Office does prepare cost estimates for pending legislation, we 
think the recommendation is appropriately directed to CBP. Given its 
daily interaction with foreign customs services and its direct 
knowledge of port operations, CBP is in a better position to conduct 
any cost-benefit analysis and bring results to Congress for 
consideration. We believe that such analyses could help to guide DHS, 
CBP, and Congress in their efforts to either implement the 100 percent 
scanning requirement or assess other approaches to enhancing container 
security. 

12. S. 3639 makes a technical amendment so that all U.S.-bound 
containers be scanned with either RPM or NII, but not both. It also 
extends the deadline for the requirement by three years from 2012 to 
2015. What are the advantages of this approach to 100 percent scanning? 

Based on our review of the 100 percent scanning requirement, scanning 
containers with RPMs instead of in combination with NII equipment may 
be more achievable from a technology, logistics, political, and cost 
standpoint.[Footnote 32] However, there are limitations to relying 
solely on RPMs for scanning cargo containers that should be taken into 
consideration. 

* Technology/logistics: Scanning containers with RPM equipment is 
generally less time-consuming than scanning with NII equipment. While 
the actual NII scanning time per container can take as little as 20 
seconds, depending on the system, the entire inspection time can take 
longer than 6 minutes. As part of the scanning process, customs 
officers need time to (1) stage the container to align it properly 
between the system's radiation source and detector array, (2) verify 
the container information with the manifest, (3) ensure that the 
system is set to receive scanned images, (4) interpret the scanned 
images and verify them using manifest information, (5) identify and 
document any anomalies, (6) save the scanned images, (7) check the 
integrity of the seal and verify the seal number, and (8) prepare the 
system for the next container. While scanning cargo containers with 
NII equipment involves several steps, in contrast it takes the driver 
of a standard tractor trailer from 4 to 7 seconds to pass through a 
RPM.[Footnote 33] 

* Political: Although 173 members of the WCO expressed their 
opposition to the 100 percent scanning requirement, in a letter to 
members of Congress in September 2008, the WCO noted that it did not 
object to the requirement that all cargo containers be subjected to 
radiation detection processes (i.e., RPM scanning) prior to shipment 
to the United States. In addition, foreign government officials we 
spoke with stated that they are generally not opposed to the use of 
radiation detection equipment--such as the RPMs that are used as part 
of the Megaports Initiative[Footnote 34]--but they are opposed to the 
use of NII equipment because of the likelihood that it may hinder 
trade and reduce security by consuming a large amount of scarce 
resources (i.e., key dock space and increased time needed for cargo 
container inspections) for comparatively little benefit. 

* Cost: RPM equipment is less expensive than NII equipment. The price 
for polyvinyl toluene monitors--the type of RPMs most commonly used at 
U.S. seaports--is $425,000 per unit (including deployment costs). In 
contrast, the purchase price for large-scale NII systems used by CBP 
at U.S. seaports is approximately $3 million per system (including 
deployment costs). 

* Limitations of RPMs: Scanning containers with RPMs alone introduces 
the vulnerability of not detecting shielded nuclear material. However, 
if customs officials believe based on targeting data that further 
inspections are necessary, they can have a container scanned by NII 
equipment. 

In addition to the factors listed above, the Department of Energy's 
National Nuclear Security Administration (NNSA) has a goal through the 
Megaports Initiative of scanning as much global cargo container 
traffic as possible with RPMs. Since the start of the Megaports 
Initiative in fiscal year 2003, NNSA has completed installations of 
RPM equipment at 27 foreign ports, and implementation is under way at 
an additional 16 foreign ports. The Megaports Initiative seeks to 
equip 100 ports with radiation detection systems by 2015, scanning 
approximately 50 percent of global maritime containerized cargo. 

13. DHS and CBP have cited the Strategic Trade Corridor and the 
Importer Security Filing (10+2) as alternative ways to enhance supply 
chain security. They have also stated that new technology for 
containers themselves, and the equipment used to scan them, is another 
path forward to improve supply chain security. What work does GAO have 
on these programs and what is the status of these DHS efforts? 

Strategic Trade Corridor Strategy: 

The Secretary of Homeland Security has endorsed the concept of a 
strategic trade corridor strategy as the path forward for implementing 
the SFI program, but DHS and CBP have not yet selected the ports or 
funded the expansion of SFI. In particular, in April 2009, the 
Secretary of Homeland Security was presented with three options for 
implementing the SFI program, ranging from implementing SFI at 70 
ports that account for shipping over 90 percent of U.S.-bound 
containers to seeking repeal of the 100 percent scanning requirement. 
The strategic trade corridor strategy option selected by the Secretary 
focuses cargo container scanning efforts on a limited number of ports 
where CBP has determined that SFI will help mitigate the greatest risk 
of potential weapons of mass destruction entering the United States. 
According to CBP's report, Risk-Based, Layered Approach to Supply 
Chain Security, sent to Congress in April 2010, the data gathered from 
SFI operations will help to inform future deployments to strategic 
locations.[Footnote 35] The report further added that CBP plans to 
evaluate the usefulness of these deployments and consider whether the 
continuation of scanning operations adds value in each of these 
locations and in potential additional locations that would 
strategically enhance CBP efforts. However, in DHS's Congressional 
Budget Justification for FY 2011, CBP requested a decrease in the SFI 
program's $19.9 million budget by $16.6 million and did not request 
any funds to implement the strategic trade corridor strategy. 
According to the budget justification, in fiscal year 2011, SFI 
operations will be discontinued at three SFI ports--Puerto Cortes, 
Honduras; Southampton, United Kingdom; and Busan, South Korea--and the 
SFI program is to be established at the Port of Karachi, Pakistan. We 
issued a report in October 2009 that provides further details about 
the implementation of the SFI program.[Footnote 36] 

Importer Security Filing Program: 

While CBP has implemented the Importer Security Filing and Additional 
Carrier Requirements,[Footnote 37] collectively known as the 10+2 
rule, and is using the information to identify high-risk unmanifested 
containers, CBP has not yet fully incorporated the collected data into 
its targeting process. In January 2009, CBP implemented the 10+2 rule, 
which mandates that importers and vessel carriers submit additional 
cargo information, such as country of origin, to CBP before the cargo 
is loaded onto a U.S.-bound vessel.[Footnote 38] Collection of the 
additional cargo information (10 data elements for importers and 2 
data elements for vessel carriers) and their incorporation into CBP's 
Automated Targeting System (ATS)[Footnote 39] are intended to enhance 
CBP's ability to identify high-risk shipments and prevent the 
transportation of potential terrorist weapons into the United States 
via cargo containers. CBP has assessed the submitted 10+2 data 
elements for risk factors, and according to CBP officials, access to 
information on stow plans[Footnote 40] has enabled CBP to identify 
more than 1,000 unmanifested containers--containers that are 
inherently high risk because their contents are not listed on a ship's 
manifest. However, although CBP has conducted a preliminary analysis 
that indicates that the collection of the additional 10+2 data 
elements could help determine risk earlier in the supply chain, CBP 
has not yet finalized its national security targeting weight set for 
identifying high-risk cargo containers or established project time 
frames and milestones--best practices in project management--for doing 
so. We recommended that CBP establish milestones and time frames for 
updating its national security weight set to use 10+2 data in its 
identification of shipments that could pose a threat to national 
security. DHS concurred with this recommendation and said it plans to 
complete its updates to the national security weight set by November 
2010. More information on the results of our review can be found in 
our September 2010 report.[Footnote 41] 

Container Security Technologies: 

DHS is testing and evaluating technologies for detecting and reporting 
intrusions into and tracking the location of cargo containers as they 
pass through the global supply chain, but it will take time before the 
evaluations are complete and the technology and implementation 
challenges are overcome for some of these technologies. In particular, 
CBP has partnered with DHS's Science and Technology Directorate (S&T) 
to develop performance standards--requirements that must be met by 
products to ensure that they will function as intended--for four 
container security technologies with the goal of having the ability to 
detect and report intrusion into, and track the movement of cargo 
containers through the global supply chain. If S&T is able to 
demonstrate through testing and evaluation that container security 
technologies exist that can meet CBP's requirements, then it plans to 
provide performance standards to CBP and DHS's Office of Policy 
Development to pursue for implementation. From 2004 through 2009, S&T 
spent over $60 million and made varying levels of progress on its four 
container security technology projects. Each of these projects has 
undergone laboratory testing, but S&T has not yet conducted 
operational environment testing to ensure that the prototypes will 
satisfy the requirements so that S&T can provide performance standards 
to the Office of Policy Development and CBP. Performance standards are 
expected to be completed for two of the technologies by the end of 
2010, but it could take time before they are complete for the other 
two technologies. More information on the results of our review of 
container security technologies may be found in our September 2010 
report.[Footnote 42] 

Cargo Advanced Automated Radiography System: 

We also reviewed DHS efforts to improve NII scanning through the cargo 
advanced automated radiography system (CAARS) program. DHS intended 
for CAARS to be used by CBP to automatically detect and identify 
highly shielded nuclear material in vehicles and cargo containers at 
U.S. ports of entry. However, DHS's Domestic Nuclear Detection Office 
(DNDO) pursued the acquisition and deployment of CAARS machines 
without fully understanding that they would not fit within existing 
primary inspection lanes at CBP ports of entry. This occurred because 
during the first year or more of the program DNDO and CBP had few 
discussions about operating requirements at ports of entry. Further, 
the development of the CAARS algorithms (software)--a key part of the 
machine needed to identify shielded nuclear materials automatically-- 
did not mature at a rapid enough pace to warrant acquisition and 
deployment. These factors contributed to DNDO's December 2007 decision 
to make a "course correction" in the program resulting in cancellation 
of the acquisition and deployment plans for CAARS. Through this 
action, DNDO significantly reduced the scope of CAARS to a research 
and development effort designed to demonstrate the potential 
capability of the technology. While the development of CAARS-type or 
other advanced radiography equipment capable of automatic detection of 
highly shielded nuclear material in cargo containers has been ongoing 
since 2005, one senior CBP official acknowledged that it is not known 
when the technology will be sufficiently mature for agencies within 
DHS, such as CBP, to justify acquiring and deploying it in large 
numbers. On September 30, 2010, the Director of DNDO announced that 
DNDO is terminating the CAARS program. However, the technology 
developed under the CAARS program may be utilized by other programs. 
More information on the results of our review of CAARS may be found in 
our September 2010 statement for the record for the Senate Committee 
on Homeland Security and Governmental Affairs.[Footnote 43] 

[End of section] 

Enclosure 2: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen L. Caldwell, (202) 512-9610, or caldwells@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Dawn Hoff, Assistant Director; 
Jonathan Bachman; Chuck Bausell; Lisa Canini; Christopher Conrad; 
Frances Cook; Tracey Cross; Alana Finley; Geoff Hamilton; Christine 
Hanson; Mike Harmond; Christopher Hatscher; Dawn Hoff; Richard Hung; 
Tracey King; Daniel Klabunde; Lara Miklozek; Julie Silvers; and Katy 
Trenholme were key contributors to this letter. 

[End of section] 

Footnotes: 

[1] GAO, Maritime Security: DHS Progress and Challenges in Key Areas 
of Port Security, [hyperlink, 
http://www.gao.gov/products/GAO-10-940T], (Washington, D.C.: July 21, 
2010). 

[2] GAO, Maritime Security: Varied Actions Taken to Enhance Cruise 
Ship Security, but Some Concerns Remain, [hyperlink, 
http://www.gao.gov/products/GAO-10-400], (Washington, D.C.: Apr. 9, 
2010). 

[3] The goals of DHS's Small Vessel Security Strategy are consistent 
with the critical infrastructure protection maritime sub-sector goal 
to enhance the resiliency of the maritime transportation system. 
According to the strategy, reducing the risk from small vessels will 
contribute to the security of our ports and help prevent the 
disruption of commerce and the negative impact of a vessel security 
incident by reducing the potential consequences of such an incident. 
The primary consequence of a terrorist incident (as well as other 
transportation security incidents) arising from the use of a small 
vessel could be devastating for the U.S. economy if it damaged 
critical infrastructure or resulted in closure of a port. By reducing 
the risk and the associated consequences from small-vessel risks, the 
strategy contributes to the resilience of the maritime sector and 
associated critical infrastructure. 

[4] As we reported in March of 2009, some cameras have the ability to 
operate in low light or use infrared images that distinguish objects 
by the heat they emanate. These capabilities allow them to be 
effective when cameras using visible light prove ineffective, such as 
at night or in bad weather. However, these cameras can still be 
affected by high surf conditions, which can hide vessels smaller than 
the height of the waves. For additional information, see GAO, Maritime 
Security: Vessel Tracking Systems Provide Key Information, but the 
Need for Duplicate Data Should Be Reviewed, GAO-09-337 (Washington, 
D.C.: Mar. 17, 2009). 

[5] AIS is a technology that uses global navigation satellite data and 
radios to transmit and receive information about a vessel's voyage, 
including its name, position, course, and speed. 

[6] Our April 2008 report is restricted and not available to the 
public. 

[7] GAO, Supply Chain Security: CBP Works with International Entities 
to Promote Global Customs Security Standard and Initiatives, but 
Challenges Remain, [hyperlink, http://www.gao.gov/products/GAO-08-538] 
(Washington, D.C.: Aug. 15, 2008). 

[8] Pub. L. No. 111-281, ___ Stat. ___ (2010). 

[9] Pub. L. No. 109-347, 120 Stat. 1884, 1918 (2006). 

[10] H.R. Conf. Rep. No. 109-699, at 142 (2006). 

[11] Our April 2008 report is restricted and not available to the 
public. 

[12] GAO, Coast Guard: Service Has Taken Steps to Address Historic 
Personnel Problems, but It Is too Soon to Assess the Impact of These 
Efforts, [hyperlink, http://www.gao.gov/products/GAO-10-268R], 
(Washington, D.C.: Jan. 29, 2010). 

[13] While the focus of the program is country based, the 
implementation status of specific ports or port facilities is 
considered on a case-by-case basis if the country has not 
substantially implemented the ISPS Code. In certain cases, a port 
facility that has implemented the ISPS Code in a country that has not 
may request that it be considered separately from the country. 
Requests are handled on a case-by-case basis and are generally limited 
to only those port facilities critical to maritime trade with the 
United States based on factors such as the volume and importance of 
the cargo imported from or exported to that port or port facility. 

[14] GAO, Homeland Security: Reforming Federal Grants to Better Meet 
Outstanding Needs, [hyperlink, 
http://www.gao.gov/products/GAO-03-1146T] (Washington, D.C.: Sept. 3, 
2003). 

[15] GAO, Risk Management: Further Refinements Needed to Assess Risks 
and Prioritize Protective Measures at Ports and Other Critical 
Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91] 
(Washington, D.C.: Dec. 15, 2005). 

[16] Department of Homeland Security, Office of Inspector General, 
Efficacy of DHS Grant Programs, OIG-10-69 (Washington, D.C., Mar. 22, 
2010). 

[17] GAO, Transit Security Grant Program: DHS Allocates Grants Based 
on Risk, but Its Risk Methodology, Management Controls, and Grant 
Oversight Can Be Strengthened, [hyperlink, 
http://www.gao.gov/products/GAO-09-491] (Washington, D.C.: June 8, 
2009). 

[18] [hyperlink, http://www.gao.gov/products/GAO-09-491]. 

[19] The Domestic Working Group, consisting of 19 federal, state, and 
local audit organizations, was formed to identify current and emerging 
challenges and explore opportunities for greater collaboration within 
the intergovernmental audit community. The group identified grant 
accountability as a concern and created a project team to address this 
concern. The results are presented in the following report: Domestic 
Working Group Grant Accountability Project: Guide to Opportunities for 
Improving Grant Accountability (Washington, D.C., October 2005). 

[20] Pub. L No. 110-329, 122 Stat. 3574, 3671 (2008); Pub. L. No. 111- 
83, 123 Stat. 2142, 2159 (2009). 

[21] GAO, Transportation Worker Identification Credential: Progress 
Made in Enrolling Workers and Activating Credentials but Evaluation 
Plan Needed to Help Inform the Implementation of Card Readers, 
[hyperlink, http://www.gao.gov/products/GAO-10-43] (Washington, D.C.: 
Nov. 18, 2009). 

[22] Pub. L. No. 107-295, 116 Stat. 2064. 

[23] [hyperlink, http://www.gao.gov/products/GAO-06-91] and DHS, 
National Infrastructure Protection Plan, Partnering to Enhance 
Protection and Resiliency (Washington, D.C.: January 2009). 

[24] GAO, Supply Chain Security: Feasibility and Cost-Benefit Analysis 
Would Assist DHS and Congress in Assessing and Implementing the 
Requirement to Scan 100 Percent of U.S.-Bound Containers, [hyperlink, 
http://www.gao.gov/products/GAO-10-12] (Washington, D.C.: Oct. 30, 
2009). 

[25] CBP places staff at participating foreign ports to work with host 
country customs officials to target and examine high-risk container 
cargo for weapons of mass destruction before they are shipped to the 
United States. 

[26] Through the C-TPAT program, CBP develops voluntary partnerships 
with members of the international trade community comprised of 
importers; manufacturers; customs brokers; forwarders; air, sea, and 
land carriers; and contract logistics providers. Private companies 
agree to improve the security of their supply chains in return for 
various benefits, such as reduced examination of their cargo. 

[27] The Commercial Operations Advisory Committee advises the 
Secretaries of the Treasury and Homeland Security on the commercial 
operations of CBP and related DHS and Department of the Treasury 
functions. 

[28] See for example, GAO, Cargo Security: Partnership Program Grants 
Importers Reduced Scrutiny with 

Limited Assurance of Improved Security, [hyperlink, 
http://www.gao.gov/products/GAO-05-404] (Washington, D.C.: Mar. 11, 
2005), and 

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing 
Cargo Containers for Inspection, [hyperlink, 
http://www.gao.gov/products/GAO-04-557T] (Washington, D.C.: Mar. 31, 
2004). 

[29] We previously reported on the maturing of these programs and the 
implementation of our recommendations in GAO, Maritime Security: The 
SAFE Port Act: Status and Implementation One Year Later, [hyperlink, 
http://www.gao.gov/products/GAO-08-126T] (Washington, D.C.: Oct. 30, 
2007). 

[30] GAO, Supply Chain Security: Challenges to Scanning 100 Percent of 
U.S.-Bound Cargo Containers, [hyperlink, 
http://www.gao.gov/products/GAO-08-533T] (Washington, D.C.: June 12, 
2008). 

[31] The statute provides that containers loaded at foreign ports on 
or after July 1, 2012 shall not enter the United States unless they 
were scanned by NII equipment and radiation detection equipment prior 
to loading. It also provides for renewable, two-year extensions if DHS 
certifies to Congress that certain conditions exist at a port or 
ports, such as equipment not being available for purchase and 
installation, physical constraints, or a significant impact on trade 
capacity and flow of cargo. See 6 U.S.C. § 982(b). 

[32] [hyperlink, http://www.gao.gov/products/GAO-10-12]. 

[33] Containers that trigger a radiation alarm at the RPM undergo a 
second exam with a handheld radiation detection device to help ensure 
that the source of the alarm is identified and resolved. The exam with 
the handheld radiation detection device typically requires 5 to 10 
minutes to perform. 

[34] Through the Megaports Initiative, the Department of Energy 
installs radiation detection equipment at key foreign ports, enabling 
foreign government personnel to use radiation detection equipment to 
scan shipping containers entering and leaving these ports, regardless 
of the containers' destination, for nuclear and other radioactive 
material that could be used against the United States and its allies. 

[35] U.S. Customs and Border Protection, Risk-Based, Layered Approach 
Supply Chain Security, Fiscal Year 2010 Report to Congress (Washington 
D.C., Apr. 13, 2010). 

[36] [hyperlink, http://www.gao.gov/products/GAO-10-12]. 

[37] Importer Security Filing and Additional Carrier Requirements, 73 
Fed. Reg. 71,730 (Nov. 25, 2008) (to be codified at 19 C.F.R. pts. 4, 
12, 18, 101, 103, 113, 122, 123, 141, 143, 149, 178, and 192). 

[38] Under other requirements that preceded the 10+2 rule, importers 
are also required to provide customs entry information, and carriers 
are required to provide cargo manifest information under the 24-hour 
rule. 

[39] ATS is a computer model that CBP uses to analyze shipment data 
for risk factors and target potentially high-risk oceangoing cargo 
containers for inspection. For more information on ATS, see GAO, Cargo 
Container Inspections: Preliminary Observations on the Status of 
Efforts to Improve the Automated Targeting System, [hyperlink, 
http://www.gao.gov/products/GAO-06-591T] (Washington, D.C.: Mar. 30, 
2006), and [hyperlink, http://www.gao.gov/products/GAO-04-557T]. 

[40] Stow plans depict the position of each cargo container on a 
vessel. 

[41] GAO, Supply Chain Security: CBP Has Made Progress in Assisting 
the Trade Industry in Implementing the New Importer Security Filing 
Requirements, but Some Challenges Remain, [hyperlink, 
http://www.gao.gov/products/GAO-10-841] (Washington, D.C.: Sept. 10, 
2010). 

[42] GAO, Supply Chain Security: DHS Should Test and Evaluate 
Container Security Technologies Consistent with All Identified 
Operational Scenarios to Ensure the Technologies Will Function as 
Intended, [hyperlink, http://www.gao.gov/products/GAO-10-877] 
(Washington, D.C.: Sept. 29, 2010). 

[43] GAO, Combating Nuclear Smuggling: Inadequate Communication and 
Oversight Hampered DHS Efforts to Develop an Advanced Radiography 
System to Detect Nuclear Materials, [hyperlink, 
http://www.gao.gov/products/GAO-10-1041T] (Washington, D.C.: Sept. 15, 
2010). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: