Surface Transportation Security: TSA Has Taken Steps Designed to Develop Processes for Sharing and Analyzing Information and to Improve Rail Security Incident Reporting
Highlights
What GAO Found
In June 2014, GAO found that the Transportation Security Administration (TSA) did not have a systematic process for incorporating stakeholder feedback to improve security-related information sharing and recommended that TSA systematically document and incorporate stakeholder feedback. TSA concurred with this recommendation and, in April 2015, TSA developed a standard operating procedure to help ensure proper evaluation and consideration of all feedback TSA receives. In December 2012, GAO found TSA had made limited use of the rail security incident information it had collected from rail agencies, in part because it did not have a systematic process for conducting trend analysis. TSA's purpose for collecting this information was to allow TSA to "connect the dots" through trend analysis. However, the incident information provided to rail agencies by TSA was generally limited to descriptions of specific incidents. As a result, officials from passenger rail agencies GAO spoke with reported that they generally found little value in TSA's incident reporting requirement. On the basis of these findings, GAO recommended that TSA establish a systematic process for regularly conducting trend analysis of the rail security incident data. Although GAO has not assessed the effectiveness of TSA's efforts, by August 2013, TSA had developed a new analysis capability that, among other things, produces Trend Analysis Reports from the incident data.
In December 2012, GAO found that TSA had not provided consistent oversight of its rail security reporting requirement, which led to variation in the types and number of passenger rail security incidents reported. Specifically, GAO found that TSA headquarters had not provided guidance to local TSA inspection officials, the primary TSA points of contact for rail agencies, about the types of rail security incidents that must be reported, which contributed to inconsistent interpretation of the regulation. The variation in reporting was compounded by inconsistencies in compliance inspections and enforcement actions, in part because of limited utilization of oversight mechanisms at the headquarters level. GAO also found that TSA's incident management data system, WebEOC, had incomplete information, was prone to data entry errors, and had other limitations that inhibited TSA's ability to search and extract basic information. On the basis of these findings, GAO recommended that TSA (1) develop and disseminate written guidance on the types of incidents that should be reported, (2) enhance existing oversight mechanisms for compliance inspections and enforcement actions, (3) establish a process for updating WebEOC with previously unreported incidents, and (4) develop guidance to reduce data entry errors. TSA concurred with these recommendations and has taken actions to implement them. Specifically, in September 2013, TSA disseminated written guidance to local TSA inspection officials and passenger and freight rail agencies that provides clarification about the rail security incident reporting requirement. In August 2013, TSA enhanced existing oversight mechanisms by creating an inspection review mechanism, among other things. TSA also established a process for updating WebEOC in March 2013, and in October 2014, officials reported that they have updated the guidance used by officials responsible for entering incident data to reduce data entry errors associated with incident types. Although GAO has not assessed the effectiveness of these efforts, they address the intent of the recommendations.
Why GAO Did This Study
The U.S. surface transportation system's size and importance to the country's safety, security, and economic well-being make it an attractive target for terrorists. Within the federal government, TSA–a component of the Department of Homeland Security–is the primary federal agency responsible for overseeing and enhancing the security of the surface transportation system. A key component of this responsibility is ensuring that security-related information is collected, analyzed, and shared effectively across all modes, including rail. In 2008, TSA issued a regulation requiring U.S. passenger rail agencies to report all potential threats and significant security concerns to TSA, among other things.
This testimony addresses the extent to which TSA has (1) developed systematic processes for integrating stakeholder feedback about security-related information it provides and analyzing trends in reported rail security incidents and (2) ensured consistent implementation of rail security incident reporting requirements. This statement is based on related GAO reports issued in June 2014 and December 2012, including selected updates on TSA's efforts to implement GAO's prior recommendations related to rail security and information sharing. For the selected updates, GAO reviewed related documentation, including tools TSA developed to provide oversight. GAO also interviewed TSA officials.
Recommendations
GAO is making no new recommendations in this statement.