Transportation Security: TSA Has Developed a Risk-Based Covert Testing Program, but Could Better Mitigate Aviation Security Vulnerabilities Identified Through Covert Tests
Highlights
The Transportation Security Administration (TSA) uses undercover, or covert, testing to approximate techniques that terrorists may use to identify vulnerabilities in and measure the performance of airport security systems. During these tests, undercover inspectors attempt to pass threat objects through passenger and baggage screening systems, and access secure airport areas. In response to a congressional request, GAO examined (1) TSA's strategy for conducting covert testing of the transportation system and the extent to which the agency has designed and implemented its covert tests to achieve identified goals; and (2) the results of TSA's national aviation covert tests conducted from September 2002 to June 2007, and the extent to which TSA uses the results of these tests to mitigate security vulnerabilities. To conduct this work, GAO analyzed covert testing documents and data and interviewed TSA and transportation industry officials.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Transportation Security Administration | To help ensure that the results of covert tests are more fully used to mitigate vulnerabilities identified in the transportation security system, the Assistant Secretary of Homeland Security for TSA should require OI inspectors to document the specific causes of all national covert testing failures--including documenting failures related to TSOs, screening procedures, and equipment--in the covert testing database to help TSA better identify areas for improvement, such as additional TSO training or revisions to screening procedures. |
In October and November 2010, Transportation Security Administration officials provided a response on what actions the agency has taken to address this recommendation. The Office of Inspection (OI) has modified its database to include a drop-down field to record reasons for success or failure. Further, the data collection forms used by OI inspection teams have been modified to require the Team Leader to assess and indicate the primary reason for success or failure. OI analysts then input this information into the database and include this information in their analysis as part of briefing and report generation. As a result, this recommendation is closed as implemented.
|
Transportation Security Administration | To help ensure that the results of covert tests are more fully used to mitigate vulnerabilities identified in the transportation security system, the Assistant Secretary of Homeland Security for TSA should develop a process for collecting, analyzing, and disseminating information on practices in place at those airports that perform well during national and local covert tests in order to assist TSA managers in improving the effectiveness of checkpoint screening operations. |
In October and November 2010, Transportation Security Administration Officials (TSA) officials provided a response on what actions the agency has taken to address this recommendation. The Office of Inspection (OI) is now collecting reasons for success and inputting that information directly into the database in addition to the practice of putting such information into the remarks field of the database. In addition to its periodic reports on covert testing, OI is also preparing briefings on significant best practices for the Assistant Administrator for Security Operations and his staff. OI will also continue the practice of briefing the affected Federal Security Director and staff at each covert testing out brief on areas of superior performance as OI has done since the inception of covert testing. In addition, TSA's Office of Security Operations (OSO) has established a process for collecting, analyzing, and disseminating recommendations for improving screening performance. Screening performance data is collected through the Aviation Screening Assessment Program (ASAP) through covert testing conducted locally and entered into a national database. At the completion of each cycle, test results are analyzed to uncover points of failure, identify their root causes, and determine recommendations to improve aviation security. The findings, root causes and recommendations are then shared with the Assistant Administrator of OSO for review and approval. Once recommendations are approved, the information is shared with various TSA offices for implementation. Four full cycles of ASAP data (6 months each) have already been completed. Twenty nine recommendations have been approved by OSO senior leadership. Some of these recommendations have either been implemented or are planned to be implemented. As a result, this recommendation is closed as implemented.
|
Transportation Security Administration | To help ensure that the results of covert tests are more fully used to mitigate vulnerabilities identified in the transportation security system, the Assistant Secretary of Homeland Security for TSA should, as TSA explores the use of covert testing in non-aviation modes of transportation, develop a process to systematically coordinate with domestic and foreign transportation organizations that already conduct these tests to learn from their experiences. |
In October and November 2010, Transportation Security Administration (TSA) officials provided a response on what actions the agency has taken to address this recommendation. According to TSA, the agency has addressed this recommendation through the efforts of its International Working Group on Land Transportation Security (IWGLTS). Through the IWGLTS, TSA has a process in place that encourages the sharing of information about any international covert testing program that may be in place with various foreign partners. The results so far have indicated there is little activity in this area. In addition, Transportation Security Inspectors were also queried regarding any knowledge of active domestic covert testing programs, and the results were the same. Similarly, TSA collects smart security practices from the domestic transit/passenger rail agencies through the use of our Baseline Assessment for Security Enhancement security assessment program. The TSA Transportation Surface Inspectors report any smart security practice in their final reports of the assessments they have conducted of the largest 100 transit agencies. To date, there have been no smart practices identified in the covert testing category. As a result, this recommendation is closed as implemented.
|
Transportation Security Administration | To help ensure that the results of covert tests are more fully used to mitigate vulnerabilities identified in the transportation security system, the Assistant Secretary of Homeland Security for TSA should develop a systematic process to ensure that the Office of Security Operations (OSO) considers all recommendations made by OI in a timely manner as a result of covert tests, and document its rationale for either taking or not taking action to address these recommendations. |
According to the Transportation Security Administration (TSA), the Office of Inspections (OI) has developed an Access database for the Office of Security Operations (OSO), to track and respond to OI's recommendations. In addition to current recommendations, OSO plans to enter future OI recommendations into the database. In addition, OSO issued an Operations Directive establishing a process for addressing OI recommendations. These actions, as described by TSA, address the intent of our recommendation
|
Transportation Security Administration | To help ensure that the results of covert tests are more fully used to mitigate vulnerabilities identified in the transportation security system, the Assistant Secretary of Homeland Security for TSA should require OSO to develop a process for evaluating whether the action taken to implement OI's recommendations mitigated the vulnerability identified during covert tests, such as using follow-up national or local covert tests to determine if these actions were effective. |
According to the Transportation Security Administration (TSA), the Office of Security Operations (OSO) was reorganized in December 2008, and responsibility for addressing Office on Inspections (OI), Aviation Assessment Screening Program (ASAPP, and other recommendations will be addressed using an Integrated Process Team (IPT) approach. The IPT is known as CROSSING-Continuous Reinforcement of Operational Security Skills with Intelligently Networked Guidance. Within the CROSSING framework, recommendations derived from covert testing will continue to be gathered and evaluated (e.g., study, pilot, experiment). CROSSING IPT members will analyze and evaluate resulting data to determine whether a recommendation effectively mitigates vulnerabilities identified during covert testing. The first study, (step 1), focused on evaluating the effectiveness of the Improvised Explosive (IED) drills, a nationally implemented program originating from an OI recommendation. The results from this study have been analyzed and the final report of recommendations was routed to TSA leadership in July/August 2008. Where appropriate, OSO will continue to use this process to initiate studies to determine the success of actions implemented to address security gaps identified by OI covert testing. The IED drill study final report was briefed to OSO, and associated recommendations were provided to Operations and Technical Training (OTT) for implementation. OTT is in the process of expanding the scope if the IED drills from carry-on baggage only to all procedures and technology at the checkpoint to include IEDs on person and pat-down as has been identified by OI. OTT completed the update to the Operations Directive, OD-400-50-1-12, IED Checkpoint Drills. These actions, when taken together, address the intent of our recommendation.
|