[Senate Hearing 112-164]
[From the U.S. Government Publishing Office]
S. Hrg. 112-164
ARE OUR NATION'S PORTS SECURE?
EXAMINING THE TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL PROGRAM
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
MAY 10, 2011
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
_____
U.S. GOVERNMENT PRINTING OFFICE
71-433 PDF WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii KAY BAILEY HUTCHISON, Texas,
JOHN F. KERRY, Massachusetts Ranking
BARBARA BOXER, California OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida JIM DeMINT, South Carolina
MARIA CANTWELL, Washington JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri ROY BLUNT, Missouri
AMY KLOBUCHAR, Minnesota JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia MARCO RUBIO, Florida
MARK BEGICH, Alaska KELLY AYOTTE, New Hampshire
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
Bruce H. Andrews, General Counsel
Brian M. Hendricks, Republican Staff Director and General Counsel
Todd Bertoson, Republican Deputy Staff Director
Rebecca Seidel, Republican Chief Counsel
C O N T E N T S
----------
Page
Hearing held on May 10, 2011..................................... 1
Statement of Senator Lautenberg.................................. 1
Statement of Senator Ayotte...................................... 6
Statement of Senator Klobuchar................................... 7
Statement of Senator Boozman..................................... 7
Prepared statement........................................... 7
Statement of Senator Begich...................................... 55
Statement of Senator Wicker...................................... 57
Statement of Senator Snowe....................................... 59
Prepared statement........................................... 62
Witnesses
Hon. John L. Mica, Chairman, Committee on Transportation and
Infrastructure, U.S. House of Representatives.................. 1
Prepared statement........................................... 3
Hon. John S. Pistole, Administrator, Transportation Security
Administration, U.S. Department of Homeland Security........... 8
Prepared statement........................................... 10
Rear Admiral Kevin S. Cook, Director of Prevention Policy, U.S.
Coast Guard.................................................... 11
Prepared statement........................................... 13
Stephen M. Lord, Director, Homeland Security and Justice Issues,
U.S. Government Accountability Office.......................... 16
Prepared statement........................................... 17
Appendix
Response to written questions submitted to Hon. John S. Pistole
by:
Hon. Bill Nelson............................................. 71
Hon. Frank R. Lautenberg..................................... 73
Hon. Jim DeMint.............................................. 75
Hon. Roger F. Wicker......................................... 77
Response to written questions submitted by Hon. Frank R.
Lautenberg to Rear Admiral Kevin Cook.......................... 79
Letter dated July 6, 2011 to Hon. Frank R. Lautenberg and Hon.
Bill Nelson from Stephen M. Lord, Director, Homeland Security
and Justice Issues, U.S. Government Accountability Office...... 80
ARE OUR NATION'S PORTS SECURE?
EXAMINING THE TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL PROGRAM
----------
TUESDAY, MAY 10, 2011
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The committee met, pursuant to notice, at 2:30 p.m. in room
SR-253, Russell Senate Office Building, Hon. Frank R.
Lautenberg, presiding.
OPENING STATEMENT OF HON. FRANK R. LAUTENBERG,
U.S. SENATOR FROM NEW JERSEY
Senator Lautenberg. I'm pleased to open this hearing of the
Committee on Commerce, Science, and Transportation. We've got
important subjects at hand here.
And we are pleased to see our colleague from the House of
Representatives, The Honorable John Mica, who is the Chairman
of the Committee of Jurisdiction on the House side.
And, Mr. Mica, we welcome you. And we ask you to give your
testimony. It's customary to have a 5-minute period for
presentation, but if there is a need to extend it, please don't
be unwilling to ask for it. And we'll start the clock, please,
at the 5-minute level.
Thank you.
And, Mr. Mica, the table--the microphone is yours, sir.
STATEMENT OF HON. JOHN L. MICA, CHAIRMAN, COMMITTEE ON
TRANSPORTATION AND INFRASTRUCTURE, U.S. HOUSE OF
REPRESENTATIVES
Mr. Mica. Well, thank you. And I'm pleased to be on the
Senate side this afternoon, and also to work jointly with your
committee.
And actually, I'm here today because I think the subject
before you is--well, the title is, ``Are Our Nation's Ports
Secure? Examining the Transportation Worker Identification
Credential Program.'' And I think also you're going to focus on
a GAO report that I had the opportunity to be a co-requester
with members of this important Senate committee. So, I will try
to talk about both the GAO report and also the issue at hand of
credentialing our transportation workers.
I've submitted a full statement for the record, and I'll
just give some comments here.
As you know, Mr. Chairman and other members, for nearly a
decade now the federal government has struggled to produce a
transportation worker identification credential. We've tried to
produce a credential for airport and transportation workers.
We've attempted to produce a pilot's license. And we've also
attempted to produce a frequent airline traveler identification
card. After spending years and nearly half a billion dollars,
we have, unfortunately, missed the mark. We've spent nearly
half a billion dollars, and unfortunately, we do not have a
TWIC card that provides secure identification, as you'll hear
from GAO today, and also that your committee staff has revealed
in their report.
I read your committee report. Being a former Senate
staffer, I want to thank them. They did some excellent work.
The report--the key findings are summarized very clearly--it
says, ``GAO investigators were able to access secure
facilities''--this is using TWIC cards or fraudulent cards--
they ``were able to access secure facilities at U.S. ports
during covert tests in which they presented either counterfeit
TWIC cards, authentic TWIC cards obtained through fraudulent
means, or falsified reasons for requesting access to the
security.'' Then they also summarized and said, the--``DHS has
not adequately assessed the effectiveness of the TWIC Program,
nor has DHS demonstrated that the current TWIC Program enhances
port and facility security better than what we've had in the
past.''
One other key finding is the GAO--in the GAO report, that
you cite in your report, is that TSA does not have clear
criteria for applying discretionary authority to applicants who
have past criminal convictions.
These are just the highlights of some of the findings, not
that I came up with, but that your staff recited from the GAO
report.
As Chair of the House Aviation Subcommittee, I helped to
launch--work with many members on this side--the Transportation
Security Administration, some years ago, in 2001. Even in that
first measure, Congress recognized and requested development of
a secure ID for transportation workers. In 2004, I helped pass
legislation to require the FAA to replace a paper pilot
identification card. And we put in the law that we required a
durable, biometrically-enabled license that also had a
photograph of the pilot on the--this durable new identification
license.
After spending billions--I'm sorry--after--I get used to
billions today--but, after spending millions, FAA produced a
license that was durable. However, it didn't have a biometric
means. And I know there'll be a call today for having some
unification of these different licenses and IDs, and what
components they'd have. But, they finally produced, again, a
card, at millions of dollars, that does not have a biometric
measure and code--and coding capability. And the only pilots
that appear on the document, on the license, are Wilbur and
Orville Wright. I don't know if you've seen this, but this is--
turn the--show them Wilbur and Orville Wright, there. So,
there's--we spent millions of dollars, we produced this
license, and it actually is not acceptable with TSA, as an ID.
It doesn't have a--even a photo of the pilot on it.
When you talk to FAA about this, they point to Homeland
Security, and then they point to TSA, for trying to get
directions.
So, after spending hundreds of millions of dollars on a
TWIC card, now we find, this report says, that it can easily
fraudulently be used.
We still lack deployment of readers. We've issued about 1.7
million of these cards, but we don't have a reader. The TWIC
card does have biometric measures for fingerprint. Iris is on
its way, we're told. It has a photo. But, we don't have a
reader capable of confirming the identification of the person
using the card, and knowing that, in fact, is the same person
that's on the ID, or carrying the ID.
With--right now, the U.S. House and also your help in the
Senate--and this is a very important hearing because I'm hoping
this will help prod the agencies to soon have a TWIC card with
full biometric fingerprint and iris capability, and also
readers capable of a reliable confirmation. However, even with
that equipment and with that new capability, it will not
address some of the fraudulent issues that are uncovered by
GAO.
So, I'm pleased to come----
Senator Lautenberg. Mr. Mica, we will put your full
statement into the record. I made a slight error when I invited
you to go first without making my own statement. So, we listen
with interest, have heard your public comments about how you
saw things, in your testimony, here today. So, I am going to
make my statement. And if you need a minute more, I'm happy to
give it to you.
Mr. Mica. Thank you. I'd like to hear your statement. Thank
you.
[The prepared statement of Mr. Mica follows:]
Prepared Statement of Hon. John L. Mica, Chairman, Committee on
Transportation and Infrastructure, U.S. House of Representatives
Mr. Chairman, Ranking Member Hutchinson, and members of the
Committee, thank you for the opportunity to testify before you today on
the progress, or lack thereof, of the Transportation Worker
Identification Credential--or ``TWIC''--Program. It is a privilege to
appear before you, and I thank you for your continued and vigilant
oversight on this important issue.
As you may know, I am one of the co-requestors of the Government
Accountability Office (GAO) report that I believe this Committee will
release today on the weaknesses of the TWIC Program. As Chairman of the
Transportation and Infrastructure Committee in the House of
Representatives, I can attest that the Members of my Committee are
committed to ensuring the security of the transportation workers and
transportation infrastructure they oversee as part of their role on the
Committee. As an original author of the legislation that created the
Transportation Security Administration (TSA) after 9/11, I also feel a
personal sense of obligation to ensure that this important piece of our
nation's defense apparatus is operating as the efficient and effective
security agency it was intended to be.
Government Coordination on Transportation Security
In the wake of 9/11, the federal government realized how disastrous
storing information in government silos could be. Information-sharing
became a top priority and the administration directed departments and
agencies to work together to ensure all relevant information is on the
table at all times. During this time, the TSA was transferred from the
Department of Transportation (DOT) to the newly-created Department of
Homeland (DHS).
Homeland Security Presidential Directive-7 directed DHS and DOT to
``collaborate on all matters relating to transportation security and
transportation infrastructure protection.'' \1\ In 2004, the two
Departments entered into a Memorandum of Understanding and jointly
expressed a desire for a ``strong partnership in order to reduce the
vulnerability of transportation passengers, employees, and systems to
terrorism and other disruptions.'' \2\ Each department would have
regulatory responsibilities in the area of transportation security, and
would communicate and cooperate on funding for transportation security
projects.
---------------------------------------------------------------------------
\1\ ``Homeland Security Presidential Directive-7: Critical
Infrastructure Identification, Prioritization, and Protection,'' The
White House. December 17, 2003.
\2\ ``Memorandum of Understanding between the Department of
Homeland Security and the Department of Transportation on Roles and
Responsibilities.'' September 28, 2004.
---------------------------------------------------------------------------
As evidence of this partnership, TSA officials have appeared before
the Transportation and Infrastructure Committee more than a dozen times
since the agency was transferred to DHS at the end of 2002. In January
2008, former-TWIC Program Director Maurine Fanguy provided an update to
the Committee on the TWIC Program.
So you will understand my surprise when TSA Administrator Pistole
and TWIC Program Manager John Schwartz declined an invitation to
testify before the Transportation Committee on the same issue in April
of this year.
I don't understand what has changed, but I do want to impart to
Administrator Pistole, who I understand is testifying on the next
panel, that it is imperative that jurisdictional issues not interfere
with progress, particularly when money is being poured into flawed
security programs. As evidenced by my appearance before this Committee
today, Congress does indeed want to work together on these important
issues and it is not the role of any government agency to interpret
jurisdictional boundaries of Congressional Committees.
Transportation Worker Identification Credential (TWIC) Program
With that said, I did come here today to discuss the TWIC Program.
According to TSA, 1.86 million people have enrolled, 1.72 million cards
have been activated,\3\ and $420 million has been provided to the TWIC
Program. In 2007, DHS estimated that the combined cost to the federal
government and the private sector may reach $3.2 billion over a ten-
year period--not taking into account the full cost of ``implementing
and operating readers.''
---------------------------------------------------------------------------
\3\ ``Transportation Worker Identification Credential (TWIC)
Program Briefing'' to the House Committee on Oversight and Government
Reform, Transportation Security Administration. May 2, 2011.
---------------------------------------------------------------------------
TWIC is turning into a dangerous and expensive experiment in
security. Nearly half-a-billion dollars have been spent since the
Maritime Transportation Security Act of 2002 directed the Secretary of
DHS to issue biometric transportation security cards to maritime
workers. Yet today, 10 years later, TWIC cards are no more useful than
library cards. In fact, the only port that GAO investigators were NOT
able to gain access to using fraudulent means was the port that still
required port-specific identification for admittance to secure areas.
We have also learned from GAO that:
1. Individuals can obtain authentic TWICs using fraudulent
identification documentation;
2. Individuals can gain access to ports using counterfeit
TWICs; and that, among other things,
3. TSA is unable to confirm that TWIC holders maintain their
eligibility throughout the life of their TWIC.
This is a troubling scenario and counterintuitive to the purpose of
the program. GAO determined that an individual does not have to prove
who they say they are when enrolling in the program. In other words, an
individual can present a fraudulent identification document with
somebody else's name, but provide their own fingerprints to obtain an
authentic TWIC card. In this instance, the TWIC card transforms into a
biometric key that unlocks our nation's ports and facilities for any
individual with the intent and desire to do us harm.
GAO tells us that DHS has not assessed whether or not the TWIC
program enhances security or not. In fact, DHS cannot demonstrate that
TWIC--as implemented and planned--is more effective than the approach
used to secure ports and facilities before 9/11.
I believe we must begin to ask if these vulnerabilities in fact
make our nation less secure.
TSA Needs to Conduct Cost-Benefit and Risk Analyses of Programs Prior
to Funding
The root of this problem is evidenced in many other TSA programs as
well--this fledgling agency still does not conduct risk assessments and
cost-benefit analyses of its security programs as required by law.
TSA's Screening People by Observation Techniques--or ``SPOT''--
program, will require $1.2 billion over the next 5 years, but TSA has
yet to validate the underlying methodology of the program or to conduct
a cost-benefit analysis.\4\
---------------------------------------------------------------------------
\4\ ``Efforts to Validate TSA's Passenger Screening Behavior
Detection Program Underway, but Opportunities Exist to Strengthen
Validation and Address Operational Challenges.'' U.S. Government
Accountability Office, May 2010.
---------------------------------------------------------------------------
Likewise, GAO found in April of last year that TSA has not
conducted comprehensive risk assessments across the surface
transportation sector.\5\ This lack of analysis results in ill-informed
resource allocations and more importantly calls into question whether
the highest risk targets are being secured. In light of the plot
against the U.S. rail sector uncovered in the Bin Laden raid, it is
alarming that TSA still has not addressed recommendations to close
these gaps.
---------------------------------------------------------------------------
\5\ ``Surface Transportation Security: TSA Has Taken Actions to
Manage Risk, Improve Coordination, and Measure Performance, but
Additional Actions Would Enhance It's Efforts.'' U.S. Government
Accountability Office, April 2010.
---------------------------------------------------------------------------
Biometric Pilot Licenses
TSA is not the only agency that has struggled to develop a
biometric credential for transportation workers. In April, the Federal
Aviation Administration (FAA) testified before my Committee on the long
delayed development of biometric pilot license. Although Congress
mandated that pilot licenses include biometric identifiers in the
Intelligence Reform and Terrorism Prevention Act of 2004, FAA has yet
to produce them. FAA recently spent $2.7 million to issue 700,000 pilot
licenses that complied with one requirement of the 2004 legislation--
they are now plastic instead of paper and therefore tamper-resistant.
Unfortunately, the requirements to include a photograph and biometric
identifiers were not taken into consideration.
In closed door sessions with my Committee, FAA informed Members
that they believed TSA was going to produce a biometric standard for
them, perhaps in the form of a TWIC card.
Given the testimony that you will hear today, and the results of
this GAO report, I think it is safe to say that roping additional
transportation workers into the TWIC Program is an idea destined for
disaster. While the biometric standard for the TWIC Program, developed
by the National Institute of Standard and Technology (NISI), works well
and fulfilled a much-needed mandate, the program itself is poorly
managed.
NIST's Director of Information Technology recently informed me that
the agency is in the process of updating the current biometric standard
to include iris scanning, an effort which I applaud. I understand that
this standard will be complete by the end of this year and look forward
to its inclusion in future personal identify verification cards for the
federal workforce.
I want to thank the Committee again for the opportunity to testify
before you today, and for your important work on the issue of secure
credentials for transportation workers.
Senator Lautenberg. Thanks very much. And again, welcome.
And I'm pleased to have a chance to have this committee
hearing. We have serious concerns about the government's
record, and efforts to make America's ports more secure. Our
maritime facilities are global gateways, and they provide
American businesses and consumers access to the world
marketplace. The ports are a vital part of our economy, but
they've also been identified as special targets for terrorist
attacks.
Now, my state is home to--as said by the FBI--to the
country's most at-risk areas for a terrorist attack, a stretch
that includes major hubs like the Port of New York and New
Jersey, which handled more than $140 million in cargo last
year.
Now, to improve security at our ports, 9 years ago the
government created a worker identification program, known as
TWIC, to try to make sure that access to the nation's ports is
limited to people who belong there, such as dock workers and
cargo handlers and other professionals. Now, after several
delays, the program is now, as you said, up and running, and
the government has issued almost 2 million TWIC cards.
But, a recent Government Accountability Office
investigation raises a disturbing question. Are America's ports
actually safer now than they were a decade ago? The GAO has
identified serious problems with TWIC, including startling
evidence that this program might actually diminish the safety
of our ports.
At this committee's request, the GAO conducted covert
testing. Investigators were able to fraudulently obtain TWIC
cards and use the cards to access secure locations. Not only
were they able to access the port facilities, but they were
able to drive a vehicle with a simulated explosive into a
secure area. Fraudulent and counterfeit cards, like the ones
used by investigators, could also be used as identification at
airports or military facilities.
The problems don't stop with fraudulent cards. There are
also issues with criminal background checks, immigration
checks, and the lack of safeguards to determine if an applicant
even needs a TWIC card. So, despite these alarming findings,
the Transportation Security Administration has, so far, been
unable to close the gaping holes that plague this program.
Additionally, the Department of Homeland Security, which
heads the TSA, has not yet conducted a review to determine if
the card program helps or hinders security at our nation's
ports. And given the critical importance of our ports, it's
unacceptable that we're spending hundreds of millions of tax
dollars on a program that might actually be making the ports
less safe. So, according to estimates, it could cost as much as
$3 billion to deploy the cards over a 10-year period. And this
doesn't include the cost of the sophisticated biometric
equipment that's needed to read the card. So, we've got to
thoroughly examine and correct the TWIC Program, and make sure
we're focusing our resources where they're needed most, the
areas that present the highest risk.
So, I look forward, Mr. Mica, to hearing from you and our
other witnesses about how you see the status of the program and
how we can best implement changes to make sure our port
security programs are effective and the money we spent--spend
is improving at our ports.
Now, I've got Senators here that are waiting at a chance to
make their statements. And if you want to add a ex post facto
thing for just a couple of minutes, Mr. Mica, I'd be----
Mr. Mica. Sure, I'm here, waiting. Love to hear the other
Senators, too. Thank you, sir.
Senator Lautenberg. Thank you. In the order of their
appearance, Senator Ayotte is here. And we're pleased to see
you, and invite you to give your statement, please.
STATEMENT OF HON. KELLY AYOTTE,
U.S. SENATOR FROM NEW HAMPSHIRE
Senator Ayotte. Thank you, Mr. Chairman.
Thank you, Representative Mica. Thank you so much for
coming over to testify from the House.
Security at our nation's ports is critically important to
our safety and to our economy. Not only would an attack on our
nation's ports be devastating, in terms of the loss of human
life, but would also severely impact our national economy.
It is deeply troubling that the GAO investigators were able
to access secure facilities at U.S. ports during covert tests
by presenting counterfeit or fraudulent TWIC cards. This
represents a significant hole in our national security that
must be addressed. And we certainly don't want a security
program in place that gives the appearance of making us more
secure, but in reality does not, because that can cause people
to actually act less vigilantly than they should, given the
situation.
I look forward to discussing the reasons behind why this
was able to happen, ways we can prevent this from happening in
the future, and how this program can be corrected to ensure the
security of our ports. I also wanted to raise the issue that
transportation workers who are getting these IDs--they also are
pretty inconvenienced, in terms of having to make two trips to
a TWIC enrollment center to obtain their TWIC card, which can
be time-consuming and expensive for, particularly, workers in
rural areas that don't live close to an enrollment center,
which can place an additional financial burden, particularly on
a program which we have questions about the efficacy of it. I'm
also interested in discussing ways that this burden could be
alleviated so that workers don't have to make multiple, costly
trips in order to receive the TWIC card, while, at the same
time, ensuring the integrity of the card, which is very
important.
As millions of TWICs are going to be coming up for renewal
in 2012, now is the time for this committee to address this
issue. And it's critical that we solve these problems right
away.
And I look forward to your testimony today.
Thank you.
Senator Lautenberg. Senator Klobuchar.
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. I'm looking forward to hearing from the
witnesses. Thank you, Mr. Chairman.
Senator Lautenberg. Senator Boozman.
STATEMENT OF HON. JOHN BOOZMAN,
U.S. SENATOR FROM ARKANSAS
Senator Boozman. I think, in the interest of time, Mr.
Chairman, I will put my statement in the record, with your
permission.
[The prepared statement of Senator Boozman follows:]
Prepared Statement of Hon. John Boozman, U.S. Senator from Arkansas
Senator Lautenberg, thank you for presiding over this hearing
today. The results of this GAO study are troubling, including the
multiple breaches at facilities by investigators using fraudulent and/
or counterfeit TWIC cards. Perhaps the only thing that is positive to
see is that the Department of Homeland Security agrees with the
recommendations.
I look forward to listening to your testimony today, and working
with both DHS and the Coast Guard in the future to improve the TWIC
program.
Senator Lautenberg. We're making haste here, Mr. Mica.
We've got, if you want, a couple of minutes.
Mr. Mica. Thank you. I'll just conclude. And again, I
associate myself with your remarks, and Senators that are here.
You're looking at TWIC, you're looking at problems we've
uncovered. The last Senator who spoke indicated that, 2012,
we'll be renewing these cards. I think it's incumbent on both
the House and the Senate that we get our act together on these
IDs. If we've spent a half a billion dollars. We don't have a
reader. We're on the cusp of getting a second biometric
measure. And we have transportation workers in other fields--
aviation, for example--where I showed you a card that we have
for a license, that can't be used for an ID, that doesn't meet
the criteria that Congress intended. We can, and we must, do a
better job of getting our whole act together.
Now, this, folks, too, is not rocket science. There are
other agencies that already have identification cards. They
have them with biometrics, both iris and thumb. They have them
with readers that can confirm that that person is the person
that has the ID and can be identified. So, we go on spending
more and more money, and we don't have security at our ports,
our airports, or other transportation facilities.
So, I'll work with you. I know you're going to hear from
Mr. Pistole. He's fairly new at the gate. A lot of this didn't
happen under his watch. But, we do need to work with him, with
the administration, and others, to somehow call a halt to
spending hundreds of millions of dollars and still, 10 years
later, not having a secure ID.
Thank you. And I'm pleased to be here.
Senator Lautenberg. We appreciate your presence here.
Senator Begich, you've just come in. Can we proceed with
the witnesses, or----
Senator Begich. Let me think about it, if you could, Mr.
Chairman. I have lots of thoughts on my mind.
Senator Lautenberg. OK.
Senator Begich. No, go ahead.
[Laughter.]
Senator Lautenberg. All right. And I would call the second
panel to the table: Mr. John Pistole, the Administrator of the
Transportation Security Administration. You're not so new. And
we're glad that you've brought your experience and leadership
to the task. We'll hear from you on the administration's
efforts to implement the card program. Rear Admiral Kevin Cook,
Director of Prevention Policy for the United States Coast
Guard, to testify on the Coast Guard's role in the TWIC
Program. And Mr. Steve Lord, Director of Homeland Security and
Justice for the GAO, the Government Accountability Office. And
your testimony, I understand is going to be on the GAO's
oversight and investigation of this program.
So, I thank all of you for coming today.
And, Mr. Pistole, please begin. We have 5 minutes for your
testimony.
STATEMENT OF HON. JOHN S. PISTOLE, ADMINISTRATOR,
TRANSPORTATION SECURITY ADMINISTRATION,
U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Pistole. Thank you, Chairman Lautenberg. And good
afternoon, distinguished members of the Committee.
I appreciate the opportunity to testify today about
Transportation Security Administration's work with the United
States Coast Guard on the Transportation Worker Identification
Credential Program, or TWIC.
TWIC Program, of course, authorized by the Maritime
Transportation Security Act of 2002, MTSA, and the SAFE Port
Act, strengthens the security of our nation's port while
facilitating trade through the provision of a tamper-resistant
biometric credential to all port workers requiring unescorted
access to secure areas of these MTSA-regulated port facilities
and vessels.
The purpose of the TWIC Program is to provide a means of
positively verifying the identify of those seeking access to
secure areas, and to conduct Security Threat Assessments, or
STAs, to determine their eligibility, and to deny access to
unauthorized individuals.
Like all security procedures, use of TWIC cards help reduce
or mitigate risk, but do not eliminate risk, as detailed in the
GAO report. Not only do I agree with the findings and
conclusions of the GAO report, and have taken initial steps to
address the first two recommendations--the first three apply to
TSA, particularly--but, I've asked GAO to follow up with a
rigorous cost-benefit analysis of the entire TWIC Program, in
conjunction with DHS, Coast Guard, and TSA. I believe this type
of comprehensive assessment will help us all make judgments on
how well we, the U.S. Government and industry, are buying down
risk, and the best way forward with this program. In other
words, what's our return on investment?
To date, TSA has vetted and ruled more than 1.8 million
TWIC applicants. The majority of transportation workers who
have no criminal history receive their TWIC within 5 to 10
calendar days of submitting an application. Applicants with
criminal histories require a more stringent review, of course,
and generally receive either their TWIC or notification of a
potentially disqualifying offense within 30 calendar days of
submitting an application.
Now, in accordance with the SAFE Port Act of 2006, a TWIC
pilot is currently being conducted to evaluate the feasibility,
as well as technical and operational impact, of implementing a
transportation security card reader. Formal data collection
from the pilots is expected to be completed in 3 weeks--the end
of May. Thereafter, an independent test agent will develop
individual participant reports for review by TSA and Coast
Guard. And we also continue to analyze data already collected
in the pilot. And we'll analyze new data as it is required. We
have drafted a report required by section 104 of the SAFE Port
Act, and will continue to make further updates to this report
until its anticipated delivery to Congress this summer. These
reports, along with direct feedback from the participants, will
inform decisions regarding Coast Guard's rulemaking that will
establish TWIC-reader use requirements.
I don't believe this testimony would be complete without
mention of TSA's efforts to harmonize the Security Threat
Assessments across all modes of transportation. We share the
goal of Congress and stakeholders that STA programs be
harmonized to alleviate the burden and inconvenience placed on
individuals by the need to obtain multiple STAs. To this end,
we are working on a rulemaking that may further--may propose
further harmonization of the security threat assessments. To
achieve the optimal benefit of this rule, new legislation must
be enacted that would harmonize different statutorily required
procedures that prevent harmonization and cannot be changed
through rulemaking. TSA looks forward--I look forward to
working with this committee, and other committees, to develop
the needed legislation.
Mr. Chairman, members of the Committee, I thank you for the
opportunity to appear before you. I look forward to your
questions. Thank you.
[The prepared statement of Mr. Pistole follows:]
Prepared Statement of Hon. John S. Pistole, Administrator,
Transportation Security Administration, U.S. Department of Homeland
Security
Good morning, Chairman Lautenberg, Ranking Member Hutchison, and
distinguished members of the Committee. Thank you for the opportunity
to testify today about the Transportation Security Administration's
(TSA) work with the United States Coast Guard (USCG) on the
Transportation Worker Identification Credential (TWIC) program.
The TWIC program, authorized by the Maritime Transportation
Security Act of 2002 (MTSA) and the SAFE Port Act, strengthens the
security of our nation's ports while facilitating trade through the
provision of a tamper-resistant biometric credential to all port
workers requiring unescorted access to secure areas of MTSA-regulated
port facilities and vessels. The mission of the TWIC program is to
provide a means of positively verifying the identity of those seeking
access to secure areas, to conduct Security Threat Assessments (STA) to
determine their eligibility, and to deny access to unauthorized
individuals.
TSA began the national deployment of the TWIC program on October
16, 2007, with the enrollment of maritime workers at the Port of
Wilmington, DE. A nationwide requirement for individuals to hold a TWIC
in order to access MTSA-regulated facilities went into effect in April
2009, and TSA continues to operate approximately 134 enrollment centers
located in ports and concentrations of maritime activity throughout the
United States and its territories. These centers serve the diverse
population of maritime workers, including truckers, suppliers,
maintenance personnel and others who require a TWIC to allow them
unescorted access to secure areas of MTSA-regulated facilities and
vessels.
The process to obtain a TWIC requires two visits to an enrollment
center: an initial visit to provide biographic and biometric data, and
a subsequent visit to activate the credential upon successful
completion of the STA. While TSA understands that this process can pose
a burden on transportation workers who do not live within close
proximity of an enrollment center, the process is critical to verify
the identity of the individual to whom the credential is to be issued,
and TSA has made efforts to mitigate this potential burden by operating
135 enrollment centers nationwide centered around maritime populations.
In addition, TSA allows more remote area authorities or organizations
to conduct enrollment and activation operations on their own for their
defined population. TSA continues to actively engage all stakeholders
to address issues concerning proximity to enrollment centers as well as
other challenges faced by the maritime population relating to the TWIC
program.
To date, TSA has vetted more than 1.8 million TWIC applicants. The
majority of transportation workers who have no criminal history receive
their TWIC within 5 to 10 calendar days of submitting an application.
Applicants with criminal histories require a more stringent review and
generally receive either their TWIC or notification of a potentially
disqualifying offense within 30 calendar days of submitting an
application. Initially, transportation workers who requested redress
following an initial determination of ineligibility experienced delays
in the process necessary to reach a decision. TSA took this issue very
seriously and, through increased staff and adjudicative process
improvements, we have been able to significantly reduce the wait time
for individuals in these scenarios.
The national implementation of the TWIC as the common credential
verifying the identity and background suitability significantly
enhances national maritime security, which previously relied on a
patchwork of private and public identity verification and threat
assessment architectures to allow access to secure and restricted
areas.
The STA and associated TWIC must be renewed every 5 years and
preparations are being made in advance of the impending initial five-
year renewal cycle. TSA is in the process of developing policies and
procedures that will ensure a smooth renewal phase for the
transportation workers who rely on this card to do their jobs. These
procedures will both minimize the operational impact at TWIC enrollment
centers and ensure that individuals who have completed the redress
process are not required to repeat the process when no new criminal
information is found. This will help prevent adjudication backlogs that
the expected surge in renewal enrollments might otherwise cause.
Throughout this process, TSA will continue to engage the stakeholder
community in order to minimize the impact of the renewal cycle on
affected workers.
In addition to renewing the STA and TWIC every 5 years, TSA
conducts recurrent checks of TWIC holders against terrorist watchlists
and has the authority to revoke TWICs based on the results of this
recurrent vetting.
In accordance with the SAFE Port Act of 2006, a TWIC pilot is
currently being conducted to evaluate the feasibility as well as
technical and operational impact of implementing a transportation
security card reader system. Biometric identity verification would
require workers to present their card to a TWIC card reader and place
their finger on a biometric sensor. The reader would then verify the
worker's identity by matching the fingerprint presented to the
fingerprint templates on the TWIC. Based on stakeholder feedback to the
TWIC Notice of Proposed Rulemaking (NPRM) \1\ as well as its own
analysis, DHS determined that the maritime commercial environment would
benefit from an easy, rapid entrance process, not one that included
entering a Personal Identification Number (PIN) as is required with the
Federal Personal Identity Verification (PIV) smart card-based standard
for Federal employees and contractors.\2\ TSA and the Coast Guard
engaged maritime stakeholders, smart card industry experts, and
appropriate Federal agency representatives to develop TWIC
specifications that would meet maritime industry requirements for
biometric identity verification.
---------------------------------------------------------------------------
\1\ 71 FR 29396, May 22, 2006.
\2\ Federal Information Processing Standards Publication 201-1
March 2006.
---------------------------------------------------------------------------
Formal data collection from the pilots is expected to be completed
at the end of this month. Thereafter, an independent test agent will
develop individual participant reports for review by TSA and the Coast
Guard. TSA also continues to analyze data already collected in the
pilot and will analyze new data as it is acquired. TSA has drafted the
report required by Section 104 of the SAFE Port Act and will continue
to make further updates to this report until its anticipated delivery
to Congress this summer. These reports, along with the direct feedback
from the participants, will inform decisions regarding the Coast
Guard's rulemaking that will establish TWIC reader use requirements.
Notwithstanding several factors that contributed to a delay in
commencing the TWIC Pilot--including the fact that participation in the
pilot was voluntary, limiting DHS's ability to influence the overall
pace of the pilot--the pilot officially began with the start of the
first reader tests during the Initial Technical Testing (ITT) phase on
August 20, 2008. The Early Operational Assessment (EOA) phase began in
April 2009 with the installation of readers in the Port of Brownsville,
TX, and the System Test and Evaluation (ST&E) phase began in November
2009. Over the course of the pilot, approximately 156 portable and
fixed readers were in use at participating ports and facilities.
This testimony would not be complete without mention of TSA's
effort to harmonize STAs across all modes of transportation. We share
the goal of Congress and stakeholders that STA programs be harmonized
to alleviate the burden and inconvenience placed on individuals by the
need to obtain multiple STAs. To this end, TSA is working on a
rulemaking that may propose further harmonization of STAs. To achieve
the optimal benefit of this rule, new legislation must be enacted that
would harmonize differing statutorily required procedures that prevent
harmonization and cannot be changed through rulemaking. TSA will work
with Congress to develop the needed legislation.
Mr. Chairman, Ranking Member Hutchison, I thank you for the
opportunity to appear before you today and I look forward to answering
your questions about progress in the TWIC program.
Senator Lautenberg. Thanks very much.
Admiral your turn. And we look forward to your testimony.
STATEMENT OF REAR ADMIRAL KEVIN S. COOK, DIRECTOR,
OF PREVENTION POLICY, U.S. COAST GUARD
Admiral Cook. Well, good afternoon, Mr. Chairman and
distinguished members of the Committee.
With your permission, Mr. Chairman, I'd like to have my
written testimony entered into the record.
Senator Lautenberg. So it'll be done.
Admiral Cook. Thank you for the opportunity to speak with
you today about the progress the Coast Guard, working together
with the Transportation Security Administration, has made in
implementation of the TWIC Program, the ongoing TWIC compliance
efforts for facilities and vessels regulated under the Maritime
Transportation Security Act, or MTSA, and future plans for card
readers.
The Coast Guard remains cognizant of how implementation and
enforcement of TWIC impacts individuals and their livelihoods
while balancing security needs with the economic vitality of
port operations. The TWIC Program, as envisioned under MTSA and
strengthened by the subsequent requirements of the SAFE Port
Act, provides an additional layer of security. This is
accomplished by ensuring all transportation workers and
credentialed merchant mariners who seek unescorted access to
secure areas in approximately 2,700 regulated facilities,
12,000 regulated vessels, and 50 regulated Outer Continental
Shelf facilities have been vetted and do not pose a security
risk to our marine transportation system.
As of April 15, 2009, applicable Coast Guard-credentialed
mariners, MTSA-regulated facilities and vessels were required
to be in compliance with the TWIC Program. The Coast Guard,
through the captain of the port and the area maritime security
committees, continue to monitor and enforce TWIC regulations by
working closely with owners and operators.
Internal guidance documents for training, compliance, and
enforcement for Coast Guard personnel have been developed and
shared with our DHS partners, including TSA and CBP, and state
and local agencies to promote a unified approach to enforcement
protocols.
The SAFE Port Act mandates that the Coast Guard conduct two
security inspections annually at all MTSA-regulated facilities,
with one inspection being unannounced. During each of these,
TWICs are checked by Coast Guard personnel either visually or
using biometric hand-held readers.
As originally planned with the TWIC rule in 2006, the final
step of implementation of the TWIC Program is to utilize the
full security benefits of the card through the use of readers.
Although the implementation and reader requirements were
originally combined in one rulemaking, the Coast Guard and TSA
heard loud and clear from the industry that further research
and a different approach for readers was necessary, especially
as it applies to incorporating contactless reader technology.
Our stakeholders spoke, and we listened, and agreed to split
the rule so that the first phase of the TWIC Program, that
we're using now, is based on visual verification. Based on
industry recommendations, a working specification for the use
of contactless readers was developed. It is subsequently being
tested through the reader pilot test that Administrator Pistole
just mentioned.
In parallel with the pilot testing, the Coast Guard has
been working on a proposed rulemaking that will address
potential requirements for MTSA vessels and facilities to
utilize electronic card readers. A key component in this will
be informing with the operational, environmental, and technical
data from--the TWIC reader pilot program brings to our
rulemaking. Based on the current status of the pilot program,
we hope to be able to publish a notice of proposed rulemaking
toward the end of calendar year 2011 or early in 2012.
In the meantime, to maximize the security benefits of the
TWIC, the Coast Guard procured and deployed over 200 hand-held
readers for use during routine and unscheduled inspections. The
Coast Guard and TSA developed several supplementary documents
to help those who are required to comply with the TWIC
regulations. The latest Policy Advisory Council decision, 01-
11, on the voluntary use of TWIC readers was published in the
Federal Register on the 15th of March, 2011, to assist the
marine industry with consistency in the voluntary use of TWIC
readers.
Also, we recently directed that our captains of the port
place a higher priority on review and validation of TWIC
verification procedures that are conducted during MTSA
inspections. This is being done through a direct engagement
with facility security officers to highlight the importance of
properly trained guards, and remind them of the training aids
that are available on the Coast Guard's Homeport website.
In conclusion, Mr. Chairman, the TWIC implementation marked
a major milestone in the MTSA to protect our maritime
transportation system. Card readers are a key step in
maximizing the security benefit. And the Coast Guard is
anxiously awaiting the pilot test results to help us draft
effective regulations, minimizing the potential adverse impacts
of the reader. While we have accomplished a great deal thus
far, we acknowledge that the process has not been free from
challenges. We will continue to keep the public interest in
mind and also keep you informed on our progress.
Thank you for the opportunity to speak with you today. And
I would be pleased to take any of your questions.
[The prepared statement of Admiral Cook follows:]
Prepared Statement of Rear Admiral Kevin S. Cook,
Director of Prevention Policy, U.S. Coast Guard
Good morning, Chairman Rockefeller, Ranking Member Hutchison and
distinguished members of the Committee. I am Rear Admiral Kevin Cook,
U.S. Coast Guard Director of Prevention Policy. It is a pleasure to be
here today to update you on how the Coast Guard, in partnership with
the Transportation Security Administration (TSA), continues to
implement the Transportation Worker Identification Credential (TWIC)
program, which strengthens the security of our nation's ports while
facilitating trade by adding a layer of security which allows vetted
employees with a biometric credential to have unescorted access to
secure areas.
TWIC enrollment began in 2007 and today, maritime vessels and
facilities within all 42 Coast Guard Captain of the Port (COTP) Zones
are in compliance with the TWIC program. In April of this year, we
reached more than 1.8 million enrollments for TWIC with no significant
impact to commerce and the maritime transportation system. Since the
Coast Guard and TSA published the TWIC requirements on January 25, 2007
in a Final Rule, we have been developing regulations, policies, systems
and capabilities to serve as a solid foundation for enrollment and
compliance. The deliberate process and careful steps taken to lay this
foundation ensure that we gain the full security benefit from TWIC.
Background
The TWIC program builds on the security framework established by
Congress in the Maritime Transportation Security Act (MTSA) of 2002.
Coast Guard regulations stemming from MTSA established security
requirements for maritime vessels and facilities posing a high risk of
being involved in a transportation security incident. The MTSA also
required the Secretary of Homeland Security to issue a biometric
transportation security card to all licensed and documented U.S.
mariners, as well as those individuals granted unescorted access to
secure areas of MTSA-regulated vessels and facilities. TSA was assigned
this requirement, and because of our overlapping responsibilities, the
Coast Guard and TSA formally joined efforts to carry out the TWIC
program in November 2004. In this partnership, TSA is responsible for
TWIC enrollment, security threat assessment and adjudication, card
production, technology, TWIC issuance, conduct of the TWIC appeal and
waiver process as it pertains to credential issuance, and management of
government support systems. The Coast Guard is responsible for
establishing and enforcing TWIC access control requirements for MTSA-
regulated vessels and facilities.
TSA and the Coast Guard published a joint TWIC Notice of Proposed
Rulemaking (NPRM) on May 22, 2006. Following the publication of the
NPRM and the subsequent comment period, Congress enacted the Security
and Accountability for Every Port Act of 2006 (the SAFE Port Act). The
SAFE Port Act created new statutory requirements for the TWIC Program,
including: the commencement of a pilot program to test the viability of
TWIC cards and readers in the maritime environment; deployment of the
program in priority ports by set deadlines; inclusion of a provision to
allow newly hired employees to work while their TWIC application is
being processed; and concurrent processing of the TWIC and merchant
mariner applications.
TSA and the Coast Guard published the TWIC Final Rule on January
25, 2007, in which the Coast Guard's MTSA regulations and TSA's
Hazardous Material Endorsement regulations were amended to incorporate
the TWIC requirements. After receiving many comments regarding
technology issues of the reader requirements as proposed in the NPRM,
we removed from the final rule the requirement to install TWIC readers
at vessels and facilities. This requirement is currently being
addressed in a second rulemaking, which I will discuss later.
Policy
The Coast Guard and TSA developed several supplementary documents
to help those who are required to comply with the TWIC regulation. To
explain in detail how the Coast Guard intends to apply TWIC
regulations, we established policy guidance in the form of a Navigation
and Vessel Inspection Circular (NVIC) and provided answers in 16 Policy
Advisory Council documents that have been published since November 21,
2007.
The Policy Advisory Council was established during the original
implementation of the MTSA regulations. It is made up of Coast Guard
representatives from headquarters and field level commands that are
charged with considering questions from stakeholders and/or field
offices to ensure consistent interpretation of regulation. The latest
Policy Advisory Council Decision 01-11 on the voluntary use of TWIC
readers was published in the Federal Register on March 15, 2011. This
guidance document will assist the maritime industry and general public
with TWIC reader requirements and is designed to ensure consistent
installation for the voluntary use of TWIC readers for electronic
identity verification across MTSA-regulated facilities and vessels.
Stakeholder Engagement and Outreach
Engagement with affected stakeholders continues to be crucial to
successful implementation, and the regulatory process is one of the
most important vehicles for the public to voice concerns and provide
comment on the TWIC program. For example, responses received during the
TWIC NPRM comment period provided valuable insight into the unique
operational issues facing labor, maritime facilities and vessels
required to comply with TWIC requirements. Comments regarding the
technological and economic feasibility of employing the TWIC cards and
card readers in the maritime environment led to splitting the rule,
with the card reader requirements forming a separate, pending
rulemaking. The Coast Guard published the TWIC Reader Requirements
Advanced Notice of Proposed Rulemaking (ANPRM) on March 27, 2009, which
again afforded the public and maritime community an opportunity to
shape future TWIC requirements.
Since publication of the TWIC Final Rule and TWIC Reader
Requirements ANPRM, the Coast Guard and TSA have conducted numerous
outreach events at national venues such as: the American Trucking
Association; Association of American Railroads; American Short Line and
Regional Railroad Association; Passenger Vessel Association; American
Waterways Operators; National Association of Charter Boat Operators;
National Association of Waterfront Employers; National Petrochemical
Refiners Association meetings; smart card and biometric industry
conferences; maritime union meetings; American Association of Port
Authorities conferences; and many others. In addition, quarterly TWIC
Stakeholder Communication Committee meetings are being held and remain
an important avenue for keeping the public informed and creating the
opportunity for open dialogue.
The Coast Guard, through COTP and Area Maritime Security
Committees, continues to closely monitor and encourage enrollment for
TWIC and work collaboratively with owners and operators of regulated
facilities and vessels to ensure compliance and enforcement of the TWIC
program.
Reader Pilot Testing
In accordance with the SAFE Port Act of 2006, a TWIC pilot is
currently being conducted to evaluate the feasibility as well as
technical and operational impact of implementing a transportation
security card reader system. TSA and the Coast Guard have begun
operational testing of the TWIC card readers at geographically and
operationally diverse port and vessel locations and formal data
collection should be completed on May 31, 2011. Thereafter, individual
participant reports will be developed by an independent test agent and
then reviewed by TSA and the Coast Guard. These individual participant-
level reports, along with the direct feedback from the participants,
will be the primary data source for the Coast Guard to move forward in
the next phase of the TWIC reader rulemaking.
Reader Requirements
Per the SAFE Port Act, the Coast Guard is required to use the pilot
report to inform a final reader rulemaking. The Coast Guard, with the
support of TSA, is developing a second TWIC reader requirements rule
that will serve to meet the requirement for electronic TWIC readers in
the maritime environment. This rulemaking will apply requirements in a
risk-based fashion to leverage security benefits and capabilities. The
Coast Guard solicited and received valuable input and recommendations
from the Towing Safety Advisory Committee, Merchant Marine Personnel
Advisory Committee, and the National Maritime Security Advisory
Committee on specific aspects of potential applications of readers for
vessels and facilities. As in all aspects of the TWIC program, our goal
is to enhance maritime security while balancing impacts on the
stakeholders, who are at the forefront of providing that security. As
we evaluate the economic and operational impact on the maritime
industry we will continue to seek input and recommendations to develop
and issue regulations requiring industry compliance.
Compliance
The Coast Guard has the primary responsibility for ensuring
compliance with the TWIC regulations. We continue to work extensively
with our DHS partners, including TSA and U.S. Customs and Border
Protection, as well as state and local agencies to enhance partnerships
and develop enforcement assistance protocols.
All of the approximately 2,700 maritime facilities impacted by the
TWIC regulations are--and have been--in compliance as of the April 15,
2009 implementation date. The Coast Guard continues to conduct both
announced and unannounced spot checks to ensure compliance with the
TWIC regulations.
To fully leverage the security benefits of the TWIC and other
credentials, the Coast Guard has deployed 218 multi-use biometric
handheld readers nationwide. The use of these readers serves as the
primary means of TWIC verification during Coast Guard compliance
activities. Over the past 2 years since the national compliance date,
the Coast Guard has verified more than 150,000 TWICs through a
combination of visual and electronic verification methods.
The use of readers by the Coast Guard and industry alike reduces
the risk of successful counterfeit attempts and further adds to the
ability to identify authentic credentials that have been revoked at
some point after activation and delivery.
The Way Ahead
The Coast Guard continues to focus on the enforcement of the TWIC
regulations and deployment of handheld readers will continue to enhance
these efforts. Approximately 130 additional readers are scheduled for
deployment in 2011.
We recently directed our COTPs to place higher priority on review
and validation of TWIC verification procedures during required MTSA
inspections. This review and validation is being done through direct
engagement with Facility Security Officers to highlight the importance
of properly trained guards and remind them of the training aids
available.
Our ongoing compliance efforts in combination with the future
reader requirements on commercial vessels and facilities through
rulemaking are critical in ensuring the security of America's maritime
transportation system.
Conclusion
We continue to work closely with TSA to facilitate outreach to the
maritime industry in an effort to enhance the overall TWIC experience
for workers and maritime operators--from improving the enrollment and
activation processes to ensuring the necessary guidance and support is
in place for maritime operator enforcement. We have accomplished
important milestones, strengthened working relationships with public
and industry stakeholders, and held a steadfast commitment to securing
the maritime transportation system while facilitating commerce. As we
continue to make improvements regarding compliance, enforcement, and
continued industry engagement, we will ensure Congress remains informed
of our progress.
Thank you for the opportunity to testify today. I look forward to
your questions.
Senator Lautenberg. Thank you, Admiral Cook.
And Mr. Steve Lord, we invite you to give your testimony.
STATEMENT OF STEPHEN M. LORD, DIRECTOR,
HOMELAND SECURITY AND JUSTICE ISSUES,
U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Lord. Thank you, Mr. Chairman and distinguished members
of the Committee.
I'm really pleased to be here today to discuss the findings
of our TWIC report, which is being publicly released today. As
you know, TSA and the Coast Guard jointly manage the TWIC
Program, which requires maritime workers to obtain a biometric
ID card to access secure areas of MTSA-regulated facilities and
vessels.
Today, I would like to discuss two issues: the internal
controls governing TWIC enrollment, background checking, and
use, as well as DHS assessments of the effectiveness of this
program.
The main point that I'd like to convey today is that
internal control weaknesses in the TWIC Program's enrollment
and background checking process do not provide what we deem as
reasonable assurance in meeting key security goals; in other
words, that only qualified individuals are acquiring TWICs. And
second, once issued a TWIC, TWIC holders maintain their
eligibility for holding the card. For example, we found that
the flags raised by enrollment personnel or electronic document
scanners were not being systematically used during the
background checking process to verify an applicant's
identification. This helps explain why our special
investigators were not detected when using counterfeit or
fraudulent application documents to acquire TWICs. TSA also
does not verify that applicants need a TWIC for employment-
related reasons. In other words, there's not employee
sponsorship, unlike other government credentials. We also found
that program adjudicators do not use clear criteria when
reviewing TWIC applicants with extensive, nondisqualifying
criminal convictions, such as larceny and theft. This is an
important issue, as about 461,000 TWIC holders have a criminal
record, based on the results from the FBI. And this is about 27
percent of the total TWIC-holder population.
Finally, we also found that program controls did not
provide reasonable assurance that TWIC holders continue to meet
immigration eligibility requirements once they acquire TWIC.
For example, the program does not issue TWICs for a term less
than 5 years, to match the expiration of a visa. Instead, TSA
relies on TWIC holders and employers to report if a worker is
no longer legally present in the country.
The weaknesses I've discussed may have contributed to the
breach of MTSA-regulated ports and facilities during the covert
tests we ran. During these tests, our investigators were
successful in accessing ports using either counterfeit TWICs or
real TWICs acquired through fraudulent means, paired with a
false business case for entering a facility.
And regarding our second key research objective, in seeking
to determine the impact of the program, we found that DHS has
not assessed the program's effectiveness in enhancing port
security, a key program goal. Thus, it's unclear, at this
point, whether the program is more effective or less effective
than prior approaches used to enhance port and vessel security.
Our report findings would question the other witness' statement
that the program significantly enhances national maritime
security.
Today's report makes several important recommendations to
address the internal control weaknesses we identified. For
example, our report is recommending that DHS complete an
internal control assessment to identify other potential holes
in the system, as well as identifying cost-effective fixes. We
also recommended that DHS conduct a formal assessment to
clarify how the program will improve security, beyond the port
efforts already in place. We also recommended that the Coast
Guard improve the quality of the information used to monitor
and enforce TWIC compliance. The good news I'd like to report
today, Mr. Chairman, is that the DHS, TSA, and the Coast Guard
all agreed to implement all our report recommendations.
In closing, before proceeding on the path to full
implementation, with potentially billions of dollars at stake,
it's important that Congress and industry stakeholders fully
understand the program's current strengths, current weaknesses,
and the likely cost of mitigating the risks we've identified in
the report we're releasing today.
Mr. Chairman, this concludes my prepared testimony. I look
forward to answering any questions that you or other members of
the Committee may have.
Thank you.
[The prepared statement of Mr. Lord follows:]
Prepared Statement of Stephen M. Lord, Director, Homeland Security and
Justice Issues, U.S. Government Accountability Office
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee:
I am pleased to be here today to discuss credentialing issues
associated with the security of U.S. transportation systems and
facilities. Securing these systems requires balancing security to
address potential threats while facilitating the flow of people and
goods that are critical to the U.S. economy and international commerce.
As we have previously reported, these systems and facilities are
vulnerable and difficult to secure given their size, easy
accessibility, large number of potential targets, and proximity to
urban areas.\1\ The Maritime Transportation Security Act of 2002 (MTSA)
required regulations preventing individuals from having unescorted
access to secure areas of MTSA-regulated facilities and vessels unless
they possess a biometric transportation security card and are
authorized to be in such an area. MTSA further required that biometric
transportation security cards be issued to eligible individuals unless
determined that an applicant poses a security risk warranting denial of
the card. The Transportation Worker Identification Credential (TWIC)
program is designed to implement these biometric maritime security card
requirements.\2\
---------------------------------------------------------------------------
\1\ See GAO, Transportation Worker Identification Credential:
Progress Made in Enrolling Workers and Activating Credentials but
Evaluation Plan Needed to Help Inform the Implementation of Card
Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009).
\2\ The program requires maritime workers to complete background
checks to obtain a biometric identification card and be authorized to
be in the secure area by the owner/operator in order to gain unescorted
access to secure areas of MTSA-regulated facilities and vessels. Under
Coast Guard regulations, a secure area, in general, is an area over
which the owner/operator has implemented security measures for access
control in accordance with a Coast Guard-approved security plan. For
most maritime facilities, the secure area is generally any place inside
the outer-most access control point. For a vessel or outer continental
shelf facility, such as off-shore petroleum or gas production
facilities, the secure area is generally the whole vessel or facility.
Biometrics refers to technologies that measure and analyze human body
characteristics for authentication purposes. The Department of Homeland
Security (DHS) has estimated that implementing the TWIC program could
cost the Federal Government and the private sector a combined total of
between $694.3 million and $3.2 billion over a ten-year period.
However, these figures do not include costs associated with
implementing and operating readers. A pilot on the use of TWIC with
card readers is currently underway and will inform a proposed TWIC
regulation, and these figures are to be updated as part of this
process.
---------------------------------------------------------------------------
The TWIC program, once implemented, aims to meet the following
stated mission needs:
Positively identify authorized individuals who require
unescorted access to secure areas of the nation's
transportation system.
Determine the eligibility of individuals to be authorized
unescorted access to secure areas of the transportation system
by conducting a security threat assessment.
Ensure that unauthorized individuals are not able to defeat or
otherwise compromise the access system in order to be granted
permissions that have been assigned to an authorized
individual.
Identify individuals who fail to maintain their eligibility
requirements subsequent to being permitted unescorted access to
secure areas of the Nation's transportation system and
immediately revoke the individual's permissions.
Within the Department of Homeland Security (DHS), the
Transportation Security Administration (TSA) and the U.S. Coast Guard
are responsible for implementing and enforcing the TWIC program. In
addition, DHS's Screening Coordination Office facilitates coordination
among the various DHS components involved in TWIC.
My statement is based on a report we are releasing publicly today
on the TWIC program.\3\ Like the report, it will discuss the extent to
which: (1) TWIC processes for enrollment, background checking, and use
are designed to provide reasonable assurance that unescorted access to
secure areas of MTSA-regulated facilities and vessels is limited to
qualified individuals, and (2) DHS has assessed the effectiveness of
TWIC, and whether the Coast Guard has effective systems in place to
measure compliance.
---------------------------------------------------------------------------
\3\ See GAO, Transportation Worker Identification Credential:
Internal Control Weaknesses Need to be Corrected to Help Achieve
Security Objectives, GAO-11-657 (Washington, D.C.: May 10, 2011).
---------------------------------------------------------------------------
For the report, we reviewed applicable laws, regulations, and
policies, as well as documentation provided by TSA on the TWIC program
systems and processes. We also reviewed the processes and data sources
with TWIC program management from TSA and Lockheed Martin (the
contractor responsible for implementing the program) and met with
officials from TSA and the Coast Guard, as well as the Criminal Justice
Information Services Division at the Federal Bureau of Investigation
(FBI). We then evaluated the processes against the TWIC program's
mission needs and Standards for Internal Control in the Federal
Government.\4\ Further, our investigators conducted covert testing at
enrollment center(s) to identify whether individuals providing
fraudulent information could acquire an authentic TWIC, and at maritime
ports with MTSA-regulated facilities and vessels to identify security
vulnerabilities and program control deficiencies. In addition, we
reviewed the type and substance of management information available to
the Coast Guard and compared them to Standards for Internal Control in
the Federal Government. We conducted this work in accordance with
generally accepted government auditing standards. We conducted our
related investigative work in accordance with standards prescribed by
the Council of the Inspectors General on Integrity and Efficiency.
---------------------------------------------------------------------------
\4\ GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
---------------------------------------------------------------------------
Internal Control Weaknesses in DHS's Biometric Transportation ID
Program Hinder Efforts to Ensure Security Objectives Are Fully
Achieved
DHS has established a system of TWIC-related processes and
controls. However, internal control weaknesses governing the
enrollment, background checking, and use of TWIC potentially limit the
program's ability to meet the program's stated mission needs or provide
reasonable assurance that access to secure areas of MTSA-regulated
facilities is restricted to qualified individuals. Specifically,
internal controls \5\ in the enrollment and background checking
processes are not designed to provide reasonable assurance that: (1)
only qualified individuals can acquire TWICs; (2) adjudicators follow a
process with clear criteria for applying discretionary authority when
applicants are found to have extensive criminal convictions; or (3)
once issued a TWIC, TWIC holders have maintained their eligibility.
---------------------------------------------------------------------------
\5\ In accordance with Standards for Internal Control in the
Federal Government, the design of the internal controls is to be
informed by identified risks the program faces from both internal and
external sources; the possible effect of those risks; control
activities required to mitigate those risks; and the cost and benefits
of mitigating those risks.
---------------------------------------------------------------------------
To meet the stated program purpose, TSA's focus in designing the
TWIC program was on facilitating the issuance of TWICs to maritime
workers. However, TSA did not assess the internal controls in place to
determine whether they provided reasonable assurance that the program
could meet defined mission needs for limiting access to only qualified
individuals. For example, controls that the TWIC program has in place
to identify the use of potentially counterfeit identity documents are
not used to routinely inform background checking processes.
Additionally, controls are not in place to determine whether an
applicant has a need for a TWIC. For example, regulations governing the
TWIC program security threat assessments require applicants to disclose
their job description and location(s) where they will most likely
require unescorted access, if known, among other things. However, TSA
enrollment processes do not require that this information be provided
by applicants.
In addition, TWIC program controls are not designed to require that
adjudicators follow a process with clear criteria for applying
discretionary authority when applicants are found to have extensive
criminal convictions. Being convicted of a felony does not
automatically disqualify a person from being eligible to receive a
TWIC; however, prior convictions for certain crimes are automatically
disqualifying.\6\ For example, offenses such as espionage or treason
would permanently disqualify an individual from obtaining a TWIC. Other
offenses, such as murder or the unlawful possession of an explosive
device, while categorized as permanent disqualifiers, are also eligible
for a waiver under TSA regulations. These offenses might not
permanently disqualify an individual from obtaining a TWIC if TSA
determines that an applicant does not represent a security threat. As
of September 8, 2010, the agency reported 460,786 cases where the
applicant was approved, but had a criminal record based on the results
from the FBI. This represents approximately 27 percent of individuals
approved for a TWIC at the time. Although TSA has the discretion and
authority to consider the totality of an individual's criminal record,
including the existence of: (1) extensive criminal convictions, (2)
criminal offenses not defined as a permanent or interim disqualifying
criminal offense, such as theft or larceny, and (3) certain periods of
imprisonment, TSA has not developed a definition for what extensive
foreign or domestic criminal convictions means, or developed guidance
to ensure that adjudicators apply this authority consistently. In
commenting on our report, DHS concurred with our related
recommendation, and consequently may address this weakness as part of
its efforts to correct internal control weaknesses in the TWIC program.
---------------------------------------------------------------------------
\6\ Threat assessment processes for the TWIC program include
conducting background checks to determine whether each TWIC applicant
poses a security threat. These checks, in general, can include checks
for criminal history records, immigration status, terrorism databases
and watchlists, and records indicating an adjudication of a lack of
mental capacity, among other things. As defined in TSA implementing
regulations, the term security threat means an individual who TSA
determines or suspects of posing a threat to national security, to
transportation security, or of terrorism.
---------------------------------------------------------------------------
Further, TWIC program controls are not designed to provide
reasonable assurance that TWIC holders have maintained their
eligibility once issued TWICs. For example, controls are not designed
to determine whether TWIC holders have committed disqualifying crimes
at the Federal or state level after being granted a TWIC. Although
existing policies may hamper TSA's ability to check FBI-held
fingerprint-based criminal history records for the TWIC program on an
ongoing basis after TWIC issuance, TSA has not explored alternatives
for addressing this weakness, such as informing facility and port
operators of this weakness and identifying solutions for leveraging
existing state criminal history information, where available. In
addition, controls are not designed to provide reasonable assurance
that TWIC holders continue to meet immigration status eligibility
requirements. For example, if a TWIC holder's stated period of legal
presence in the United States is about to expire or has expired, the
TWIC program does not request or require proof from TWIC holders to
show that they continue to maintain legal presence in the United
States. Additionally, although it has regulatory authority to do so,
the program does not issue TWICs for a term less than 5 years to match
the expiration of a visa.\7\
---------------------------------------------------------------------------
\7\ Instead, TSA relies on: (1) TWIC holders to self-report if they
no longer have legal presence in the country, and (2) employers to
report if a worker is no longer legally present in the country. TWIC-
related regulations provide, for example, that individuals disqualified
from holding a TWIC for immigration status reasons must surrender the
TWIC to TSA. In addition, the regulations provide that TWICs are deemed
to have expired when the status of certain lawful nonimmigrants with a
restricted authorization to work in the United States (e.g., H-1B1 Free
Trade Agreement) expires, the employer terminates the employment
relationship with such an applicant, or such applicant otherwise ceases
working for the employer, regardless of the date on the face of the
TWIC. Upon the expiration of such nonimmigrant status for an individual
who has a restricted authorization to work in the United States, the
employer and employee both have related responsibilities--the employee
is required to surrender the TWIC to the employer, and the employer is
required to retrieve the TWIC and provide it to TSA.
---------------------------------------------------------------------------
Internal control weaknesses in TWIC enrollment, background
checking, and use could have contributed to the breach of selected
MTSA-regulated facilities during covert tests conducted by our
investigators. During these tests at several selected ports, our
investigators were successful in accessing ports using counterfeit
TWICs, authentic TWICs acquired through fraudulent means, and false
business cases (i.e., reasons for requesting access). Our investigators
did not gain unescorted access to a port where a secondary port-
specific identification was required in addition to the TWIC. TSA and
Coast Guard officials stated that the TWIC card alone is not sufficient
and that the cardholder is also required to present a business case.
However, our covert tests demonstrated that having an authentic TWIC
and a legitimate business case were not always required in practice.
Prior to fielding the program, TSA did not conduct a risk
assessment of the TWIC program to identify program risks and the need
for controls to mitigate existing risks and weaknesses, as called for
by internal control standards. Such an assessment could help provide
reasonable assurance that control weaknesses in one area of the program
do not undermine the reliability of other program areas or impede the
program from meeting mission needs. TWIC program officials told us that
control weaknesses were not addressed prior to initiating the TWIC
program because they had not previously identified them, or because
they would be too costly to address. However, as we noted in our
report, officials did not provide: (1) documentation to support their
cost concerns and (2) did not complete an assessment of whether they
needed to implement additional compensating controls or of the risks
associated with not correcting for existing internal control
weaknesses. In our May 2011 report, we recommended that the Secretary
of Homeland Security perform an internal control assessment of the TWIC
program by: (1) analyzing existing controls, (2) identifying related
weaknesses and risks, and (3) determining cost-effective actions needed
to correct or compensate for those weaknesses so that reasonable
assurance of meeting TWIC program objectives can be achieved. This
assessment should consider weaknesses we identified in this report
among other things. DHS officials concurred with our recommendation.
TWIC's Effectiveness at Enhancing Security Has Not Been Assessed, and
the Coast Guard Lacks the Ability to Assess Trends in TWIC
Compliance
DHS asserted in its 2009 and 2010 budget submissions that the
absence of the TWIC program would leave America's critical maritime
port facilities vulnerable to terrorist activities.\8\ However, to
date, DHS has not assessed the effectiveness of TWIC at enhancing
security or reducing risk for MTSA-regulated facilities and vessels.
Further, DHS has not demonstrated that TWIC, as currently implemented
and planned with card readers, is more effective than prior approaches
used to limit access to ports and facilities, such as using facility-
specific identity credentials with business cases.
---------------------------------------------------------------------------
\8\ See DHS, DHS Exhibit 300 Public Release BY10/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington,
D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Release BY09/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington,
D.C.: July 27, 2007).
---------------------------------------------------------------------------
According to TSA and Coast Guard officials, because the program was
mandated by Congress as part of MTSA, DHS did not conduct a risk
assessment to identify and mitigate program risks prior to
implementation. Further, according to these officials, neither the
Coast Guard nor TSA analyzed the potential effectiveness of TWIC in
reducing or mitigating security risk--either before or after
implementation--because they were not required to do so by Congress.
However, internal control weaknesses raise questions about the
effectiveness of the TWIC program. Moreover, as we have previously
reported, Congress also needs information on whether and in what
respects a program is working well or poorly to support its oversight
of agencies and their budgets, and agencies' stakeholders need
performance information to accurately judge program effectiveness.
Therefore, we recommended in our May 2011 report that the Secretary of
Homeland Security conduct an effectiveness assessment that includes
addressing internal control weaknesses and, at a minimum, evaluates
whether use of TWIC in its present form and planned use with readers
would enhance the posture of security beyond efforts already in place
given costs and program risks. DHS concurred with our recommendation.
Further, Executive Branch requirements provide that prior to
issuing a new regulation, agencies are to conduct a regulatory
analysis, which is to include an assessment of costs, benefits, and
risks. Therefore, DHS is required to issue a new regulatory analysis
for its proposed regulation on the use of TWIC with biometric card
readers. Conducting a regulatory analysis using the information from
the internal control and effectiveness assessments could better inform
the new regulatory analysis and could help DHS identify and assess the
full costs and benefits of implementing the TWIC program. Therefore, in
our May 2011 report, we recommended that the Secretary of Homeland
Security use the information from the internal control and
effectiveness assessments as the basis for evaluating the costs,
benefits, security risks, and corrective actions needed to implement
the TWIC program. This should be done in a manner that will meet stated
mission needs and mitigate existing security risks as part of the
regulatory analysis being completed for the new TWIC biometric card
reader regulation. DHS concurred with our recommendation.
Finally, the Coast Guard's approach for monitoring and enforcing
TWIC compliance nationwide could be improved by enhancing its
collection and assessment of related maritime security information. For
example, the Coast Guard tracks TWIC program compliance, but the
processes involved in the collection, cataloguing, and querying of
information cannot be relied on to produce the management information
needed to assess trends in compliance with the TWIC program or
associated vulnerabilities. The Coast Guard uses its Marine Information
for Safety and Law Enforcement (MISLE) database to monitor activities
related to MTSA-regulated facility and vessel oversight, including
observations of TWIC-related deficiencies. Coast Guard officials
reported that they are making enhancements to the MISLE database and
plan to distribute updated guidance on how to collect and input
information. However, as of May 2011, the Coast Guard had not yet set a
date for implementing these changes. Further, these enhancements do not
address all weaknesses identified in our report that hamper the Coast
Guard's efforts to conduct trend analysis of the deficiencies as part
of its compliance reviews. Therefore, in our May 2011 report, we
recommended that the Secretary of Homeland Security direct the
Commandant of the Coast Guard to design effective methods for
collecting, cataloguing, and querying TWIC-related compliance issues to
provide the Coast Guard with the enforcement information needed to
assess trends in compliance with the TWIC program and identify
associated vulnerabilities. DHS concurred with our recommendation.
As the TWIC program continues on the path to full implementation--
with potentially billions of dollars needed to install TWIC card
readers in thousands of the nation's ports, facilities, and vessels at
stake--it is important that Congress, program officials, and maritime
industry stakeholders fully understand the program's potential benefits
and vulnerabilities, as well as the likely costs of addressing these
potential vulnerabilities. The report we are releasing today aims to
help inform stakeholder views on these issues.
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee, this concludes my prepared testimony. I look forward to
answering any questions that you may have.
______
Attachment
U.S. Government Accountability Office (GAO)--Report to Congressional
Requesters--May 2011--Transportation Worker Identification Credential
Internal Control Weaknesses Need to Be Corrected to Help Achieve
Security Objectives
Abbreviations
ATSA--Aviation and Transportation Security Act
CSOC--Colorado Springs Operations Center
DHS--Department of Homeland Security
FBI--Federal Bureau of Investigation
FEMA--Federal Emergency Management Agency
IAFIS--Integrated Automated Fingerprint Identification System
III--Interstate Identification Index
MISLE--Marine Information for Safety and Law Enforcement
MSRAM--Maritime Security Risk Analysis Model
MTSA--Maritime Transportation Security Act
NCIC--National Crime Information Center
NIPP--National Infrastructure Protection Plan
SAFE Port Act--Security and Accountability For Every Port Act
SAVE--Systematic Alien Verification for Entitlements
TSA--Transportation Security Administration
TWIC--Transportation Worker Identification Credential
______
May 10, 2011
Congressional Requesters
Securing transportation systems and facilities requires balancing
security to address potential threats while facilitating the flow of
people and goods that are critical to the United States economy and
necessary for supporting international commerce. As we have previously
reported, these systems and facilities are vulnerable and difficult to
secure given their size, easy accessibility, large number of potential
targets, and proximity to urban areas.\1\
---------------------------------------------------------------------------
\1\ See GAO, Transportation Worker Identification Credential:
Progress Made in Enrolling Workers and Activating Credentials but
Evaluation Plan Needed to Help Inform the Implementation of Card
Readers, GAO-10-43 (Washington, D.C.: Nov. 18, 2009); Transportation
Security: DHS Should Address Key Challenges before Implementing the
Transportation Worker Identification Credential Program, GAO-06-982
(Washington, D.C.: Sept. 29, 2006); and Port Security: Better Planning
Needed to Develop and Operate Maritime Worker Identification Card
Program, GAO-05-106 (Washington, D.C.: Dec. 10, 2004).
---------------------------------------------------------------------------
The Maritime Transportation Security Act of 2002 \2\ (MTSA)
required the Secretary of Homeland Security to prescribe regulations
preventing individuals from having unescorted access to secure areas of
MTSAregulated facilities and vessels unless they possess a biometric
transportation security card and are authorized to be in such an
area.\3\ MTSA further tasked the Secretary with the responsibility to
issue biometric transportation security cards to eligible individuals
unless the Secretary determines that an applicant poses a security risk
warranting denial of the card. The Transportation Worker Identification
Credential (TWIC) program is designed to implement these biometric
maritime security card requirements. The program requires maritime
workers to complete background checks to obtain a biometric
identification card and be authorized to be in the secure area by the
owner/operator in order to gain unescorted access to secure areas of
MTSA-regulated facilities and vessels.\4\ According to the Coast Guard,
as of December 2010 and January 2011, there were 2,509 facilities and
12,908 vessels, respectively, which are subject to MTSA regulations and
must implement TWIC provisions.\5\
---------------------------------------------------------------------------
\2\ Pub. L. No. 107-295, 116 Stat. 2064 (2002).
\3\ Under Coast Guard regulations, a secure area, in general, is an
area over which the owner/operator has implemented security measures
for access control in accordance with a Coast Guard-approved security
plan. For most maritime facilities, the secure area is generally any
place inside the outer-most access control point. For a vessel or outer
continental shelf facility, such as off-shore petroleum or gas
production facilities, the secure area is generally the whole vessel or
facility.
\4\ Biometrics refers to technologies that measure and analyze
human body characteristics--such as fingerprints, eye retinas and
irises, voice patterns, facial patterns, and hand measurements--for
authentication purposes.
\5\ 33 C.F.R. Part 105, for example, governs maritime facility
security and sets forth general security requirements along with
requirements for facility security assessments and facility security
plans, among other things. General maritime security requirements
pertaining to vessels are set out in 33 C.F.R. Part 104.
---------------------------------------------------------------------------
Within the Department of Homeland Security (DHS), the
Transportation Security Administration (TSA) and the U.S. Coast Guard
are responsible for implementing and enforcing the TWIC program. TSA's
responsibilities include enrolling TWIC applicants, conducting
background checks to assess the individual's security threat, and
issuing TWICs. The Coast Guard is responsible for developing TWIC-
related security regulations and ensuring that MTSA-regulated maritime
facilities and vessels are in compliance with these regulations. In
addition, DHS's Screening Coordination Office facilitates coordination
among the various DHS components involved in TWIC, such as TSA and the
Coast Guard, as well as the U.S. Citizenship and Immigration Services,
which personalizes the credentials,\6\ and the Federal Emergency
Management Agency, which administers grant funds in support of the TWIC
program.
---------------------------------------------------------------------------
\6\ A card is personalized when the card holder's personal
information, such as photograph and name, are added to the card.
---------------------------------------------------------------------------
In January 2007, a federal regulation (known as the TWIC credential
rule) set a compliance deadline, subsequently extended to April 15,
2009, whereby each maritime worker seeking unescorted access to secure
areas of MTSA-regulated facilities and vessels must possess a TWIC.\7\
In September 2008, we reported that TSA, the Coast Guard, and maritime
industry stakeholders (e.g., operators of MTSA-regulated facilities and
vessels) had faced challenges in implementing the TWIC program,
including enrolling and issuing TWICs to a larger population than was
originally anticipated, ensuring that TWIC access control technologies
perform effectively in the harsh maritime environment, and balancing
security requirements with the flow of maritime commerce.\8\ In
November 2009, we reported that progress had been made in enrolling
workers and activating TWICs, and recommended that TSA develop an
evaluation plan to guide pilot efforts and help inform the future
implementation of TWIC with electronic card readers.\9\ DHS generally
concurred and discussed actions to implement the recommendations, but
these actions have not yet fully addressed the intent of all of the
recommendations. Currently, TWICs are primarily used as visual identity
cards--known as a flashpass--where a card is to be visually inspected
before a cardholder is allowed unescorted access to a secure area of a
MTSA-regulated port or facility.\10\ As of January 6, 2011, TSA
reported over 1.7 million enrollments and 1.6 million cards issued and
activated.\11\
---------------------------------------------------------------------------
\7\ 72 Fed. Reg. 3492 (2007); Extension of deadline to April 15,
2009 by 73 Fed. Reg. 25562 (2008).
\8\ GAO, Transportation Worker Identification Credential: A Status
Update, GAO-08-1151T (Washington, D.C.: Sept. 17, 2008).
\9\ GAO-10-43.
\10\ TWIC guidance provides that possession of a TWIC is required
for an individual to be eligible for unescorted access to secure areas
of vessels and facilities. With the issuance of a TWIC, it is still the
responsibility of facility and vessel owners to determine who should be
granted access to their facilities or vessels.
\11\ Prior to issuing a TWIC, each TWIC is activated, or turned on,
after the person being issued the TWIC provides a personal
identification number.
---------------------------------------------------------------------------
In response to your request, we evaluated the extent to which TWIC
program controls provide reasonable assurance that unescorted access to
secure areas of MTSA-regulated facilities and vessels is limited to
those possessing a legitimately issued TWIC and who are authorized to
be in such an area. Specifically, this report addresses the following
questions:
1. To what extent are TWIC processes for enrollment, background
checking, and use designed to provide reasonable assurance that
unescorted access to secure areas of MTSA-regulated facilities
and vessels is limited to qualified individuals?
2. To what extent has DHS assessed the effectiveness of TWIC,
and does the Coast Guard have effective systems in place to
measure compliance?
This report is a public version of a related sensitive report that
we issued to you in May 2011. DHS and TSA deemed some of the
information in the prior report as sensitive security information,
which must be protected from public disclosure. Therefore, this report
omits sensitive information about the TWIC program, including
techniques used to enroll and conduct a background check on individuals
and assess an individual's eligibility for a TWIC, and the technologies
that support TWIC security threat assessment determinations and Coast
Guard inspections. In addition, at TSA's request, we have redacted data
on specific enrollment center(s) and maritime ports where our
investigators conducted covert testing. Although the information
provided in this report is more limited in scope, it addresses the same
questions and includes the same recommendations as the sensitive
report. Also, the overall methodology used for both reports is the
same.
To assess the extent to which TWIC program processes were designed
to provide reasonable assurance that unescorted access to secure areas
of MTSA-regulated facilities and vessels is limited to qualified
individuals, we reviewed applicable laws, regulations, and
policies.\12\ We also reviewed documentation provided by TSA on the
TWIC program systems and processes, such as the TWIC User Manual for
Trusted Agents, Statement of Objectives, and Concept of Operations. We
further reviewed the processes and data sources with TWIC program
management from TSA and Lockheed Martin (the contractor responsible for
implementing the program).\13\ We also met with: (1) the Director of
Vetting Operations at TSA's Colorado Springs Operations Center (CSOC),
where background checks for links to terrorism and continual vetting of
TWIC holders is to take place; (2) the Operations Manager for the
Adjudication Center, where secondary background checks are to be
conducted for applicants with identified criminal or immigration
issues; and (3) the Director at DHS's Screening Coordination Office
responsible for overseeing credentialing programs across DHS.
Additionally, we met with the Criminal Justice Information Services
Division at the Federal Bureau of Investigation (FBI) to discuss
criminal vetting processes and policies. We then evaluated the
processes against the TWIC program's mission needs and Standards for
Internal Control in the Federal Government.\14\ As part of our
assessment of TWIC program controls, we also did the following:
---------------------------------------------------------------------------
\12\ See, for example, MTSA, Security and Accountability For Every
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular
Number 03-07: Guidance for the Implementation of the Transportation
Worker Identification Credential Program in the Maritime Sector
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard
Transportation Worker Identification Credential Verification and
Enforcement Guide (Washington, D.C.: Oct. 10, 2008).
\13\ To assess the reliability of data on the number of TWIC
enrollments, the number of self-identified U.S. citizens or nationals
asserting themselves to be born in the United States or in a U.S.
territory, and the number of TWICs approved after the initial
background check, we reviewed program systems documentation and
interviewed knowledgeable agency officials about the source of the data
and the controls the TWIC program and systems had in place to maintain
the integrity of the data. We determined that the data were
sufficiently reliable for the purposes of our report. The data we
reviewed were collected between October 2007 and December 2010.
\14\ GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
We visited four TWIC enrollment and activation centers
located in areas with high population density and near ports
participating in the TWIC pilot to observe how TWIC enrollments
are conducted.\15\ The results are not generalizable to all
enrollment and activation centers; however, because all centers
are to conduct the same operations following the same guidance,
the locations we visited provided us with an overview of the
TWIC enrollment and activation/issuance processes.
---------------------------------------------------------------------------
\15\ We visited the Howland Hook enrollment center in Staten
Island, New York, the Whitehall Ferry Terminal enrollment center in New
York, New York, the Terminal Island enrollment center in San Pedro,
California, and the Long Beach enrollment center in Long Beach,
California.
We had our investigators conduct covert testing at
enrollment center(s) operating at the time to identify whether
individuals providing fraudulent information could acquire an
authentic TWIC. The information we obtained from the covert
testing at enrollment center(s) is not generalizable across all
TWIC enrollment centers. However, because all enrollments are
to be conducted following the same established processes, we
believe that the information from our covert tests provided us
with important perspective on TWIC program enrollment and
background checking processes, as well as potential challenges
---------------------------------------------------------------------------
in verifying an individual's identity.
Further our investigators conducted covert testing at several
selected maritime ports with MTSA-regulated facilities and vessels to
identify security vulnerabilities and program control deficiencies.
These locations were selected based on their geographic location across
the country (east coast, gulf coast, and west coast) and port size in
terms of cargo volume. We also visited or met with officials at each of
the seven original pilot sites being used to test TWIC card
readers,\16\ interviewed port security officials at two additional
ports responsible for implementing TWIC at their port,\17\ and met with
nine maritime or transportation industry associations \18\ to obtain
information on: (1) the use of TWIC as a flashpass and with biometric
readers where they are in use, (2) experiences with TWIC card
performance, and (3) any suspected or reported cases of TWIC card
fraud. The information we obtained from the security officials at the 9
ports or pilot participants we visited is not generalizable across the
maritime transportation industry as a whole, but collectively, the
ports we visited accounted for 56 percent of maritime container trade
in the United States, and the ports our investigators visited as part
of our covert testing efforts accounted for 54 percent of maritime
container trade in the United States in 2009. As such, we believe that
the information from these interviews, site visits, and covert tests
provided us with important additional perspective and context on the
TWIC program, as well as information about potential implementation
challenges faced by MTSA-regulated facilities/vessels, transportation
workers, and mariners.
---------------------------------------------------------------------------
\16\ We visited pilot participants at the Ports of Los Angeles,
Long Beach, and Brownsville, and the Port Authority of New York and New
Jersey. We also interviewed and or met with officials at vessel
operations participating in the TWIC pilot, including the Staten Island
Ferry in Staten Island, New York; Magnolia Marine Transports in
Vicksburg, Mississippi; and Watermark Cruises in Annapolis, Maryland.
\17\ We met with officials responsible for implementing TWIC at the
Port of Baltimore and the Port of Houston. We selected the Port of
Baltimore based on proximity to large population centers and we
selected the Port of Houston because it was using TWICs with readers.
\18\ We interviewed representatives from the Association of the Bi-
State Motor Carriers, the New Jersey Motor Truck Association, the
Association of American Railroads, the American Public Transportation
Association, the American Association of Port Authorities, the
International Liquid Terminals Association, the International Longshore
and Warehouse Union, the National Employment Law Project, and the
Passenger Vessel Association. These organizations were selected because
together they represent the key constituents of port operations.
---------------------------------------------------------------------------
To assess the extent to which DHS has assessed the effectiveness of
TWIC, and determine whether the Coast Guard has effective systems in
place to measure compliance, we reviewed applicable laws, regulations,
and policies.\19\ We also met with TWIC program officials from TSA and
the Coast Guard, as well as Coast Guard officials responsible for
assessing maritime security risk, and reviewed related documents, to
identify how TWIC is to enhance maritime security.\20\ In addition, we
met with Coast Guard TWIC program officials, data management staff, and
Coast Guard officials stationed at four port areas across the United
States with enforcement responsibilities to assess the agency's
approach to enforcing compliance with TWIC regulations and measuring
program effectiveness.\21\ As part of this effort, we reviewed the type
and substance of management information available to the Coast Guard
for assessing compliance with TWIC. In performing this work, we
evaluated the Coast Guard's practices against TWIC program mission
needs and Standards for Internal Control in the Federal Government.
---------------------------------------------------------------------------
\19\ See, for example, MTSA, Security and Accountability For Every
Port Act (SAFE Port Act) of 2006 (Pub. L. No. 109-347, 120 Stat. 1884
(2006)) amendments to MTSA, Navigation and Vessel Inspection Circular
Number 03-07: Guidance for the Implementation of the Transportation
Worker Identification Credential Program in the Maritime Sector
(Washington, D.C.: July 2, 2007), Coast Guard Policy Advisory Council
(PAC) decisions, and Commandant Instruction M16601.01: Coast Guard
Transportation Worker Identification Credential Verification and
Enforcement Guide (Washington, D.C.: Oct. 10, 2008).
\20\ See, for example, the Coast Guard's 2008 Analysis of
Transportation Worker Identification Credential (TWIC) Electronic
Reader Requirements in the Maritime Sector, and the Homeland Security
Institute's 2008 Independent Verification and Validation of Development
of Transportation Worker Identification Credential (TWIC) Reader
Requirements.
\21\ We interviewed Coast Guard officials in New York and New
Jersey; Los Angeles and Long Beach, California; Corpus Christi, Texas;
and Baltimore, Maryland. We met with these Coast Guard officials
because the facilities, vessels, and enrollment centers we visited are
housed in these officials' area(s) of responsibility.
---------------------------------------------------------------------------
We conducted this performance audit from November 2009 through
March 2011 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. We
conducted our related investigative work in accordance with standards
prescribed by the Council of the Inspectors General on Integrity and
Efficiency.\22\
---------------------------------------------------------------------------
\22\ During the course of the audit, we provided briefings on the
preliminary results of our work in May and October 2010.
---------------------------------------------------------------------------
Background
TWIC History and Purpose
In November 2001, the Aviation and Transportation Security Act
(ATSA) \23\ was enacted, requiring TSA to, among other things, work
with airport operators to strengthen access control points to secured
areas and to consider using biometric access control systems, or
similar technologies, to verify the identity of individuals who seek to
enter a secure airport area. In response to ATSA, TSA established the
TWIC program in December 2001.\24\ In November 2002, MTSA was enacted
and required the Secretary of Homeland Security to issue a maritime
worker identification card that uses biometrics to control access to
secure areas of maritime transportation facilities and vessels.\25\ In
addition, the Security and Accountability For Every Port Act (SAFE Port
Act) of 2006 amended MTSA and directed the Secretary of Homeland
Security to, among other things, implement the TWIC pilot project to
test TWIC use with biometric card readers and inform a future
regulation on the use of TWIC with electronic readers.
---------------------------------------------------------------------------
\23\ Pub. L. No. 107-71, 115 Stat. 597 (2001).
\24\ TSA was transferred from the Department of Transportation to
DHS pursuant to requirements in the Homeland Security Act, enacted on
November 25, 2002 (Pub. L. No. 107-296, 116 Stat. 2135, 2178 (2002)).
\25\ Prior to TWIC, facilities and vessels administered their own
approaches for controlling access based on the perceived risk at the
facility. These approaches, among others, included requiring people
seeking access to have a reason for entering, facility-specific
identification, and in some cases, a background check. Some ports and
port facilities still maintain their own credentials.
---------------------------------------------------------------------------
In requiring the issuance of transportation security cards for
entry into secure areas of a facility or vessel as part of MTSA,
Congress noted in the ``Findings'' section of the legislation that
ports in the United States are a major location for Federal crime such
as cargo theft and smuggling, and are susceptible to large-scale acts
of terrorism.\26\ For example, according to the Coast Guard's January
2008 National Maritime Terrorism Threat Assessment, al Qaeda leaders
and supporters have identified western maritime assets as legitimate
targets.\27\ Moreover, according to the Coast Guard assessment, al
Qaeda-inspired operatives are most likely to use vehicle bombs to
strike U.S. cargo vessels, tankers, and fixed coastal facilities such
as ports. Studies have demonstrated that attacks on ports could have
serious consequences. For example, a study by the Center for Risk and
Economic Analysis of Terrorist Events on the impact of a dirty bomb
attack on the Ports of Los Angeles and Long Beach estimated that the
economic consequences from a shutdown of the harbors due to the
contamination could result in significant losses in the tens of
billions of dollars, including the decontamination costs and the
indirect economic impacts due to the port shutdown.\28\
---------------------------------------------------------------------------
\26\ Maritime Transportation Security Act of 2002 (Pub. L. No. 107-
295,116 Stat. 2064 (2002)). The FBI estimates that in the United
States, cargo crime amounts to $12 billion annually and finds that most
cargo theft occurs in or near seaports.
\27\ U.S. Coast Guard Intelligence Coordination Center, National
Maritime Terrorism Threat Assessment (Washington, D.C.: Jan. 7, 2008).
\28\ H. Rosoff and D. von Winterfeldt, ``A Risk and Economic
Analysis of Dirty Bomb Attacks on the Ports of Los Angeles and Long
Beach,'' Journal of Risk Analysis, vol. 27, no. 3 (2007). This research
was supported by DHS through the Center for Risk and Economic Analysis
of Terrorist Events by grant funding.
---------------------------------------------------------------------------
As defined by DHS, the purpose of the TWIC program is to design and
field a common credential for all transportation workers across the
United States who require unescorted access to secure areas at MTSA-
regulated maritime facilities and vessels.\29\ As such, the TWIC
program, once implemented, aims to meet the following stated mission
needs:
---------------------------------------------------------------------------
\29\ This is defined in the TWIC System Security Plan and the DHS
Budget Justification to Congress for Fiscal Years 2009 and 2010.
Positively identify authorized individuals who require
unescorted access to secure areas of the Nation's
---------------------------------------------------------------------------
transportation system.
Determine the eligibility of individuals to be authorized
unescorted access to secure areas of the transportation system
by conducting a security threat assessment.
Ensure that unauthorized individuals are not able to defeat
or otherwise compromise the access system in order to be
granted permissions that have been assigned to an authorized
individual.
Identify individuals who fail to maintain their eligibility
requirements subsequent to being permitted unescorted access to
secure areas of the Nation's transportation system and
immediately revoke the individual's permissions.
TWIC Program Processes for Ensuring TWIC-Holder Eligibility
TSA is responsible for enrolling TWIC applicants and conducting
background checks to ensure that only eligible individuals are granted
TWICs.\30\ In addition, pursuant to TWIC-related regulations,
MTSAregulated facility and vessel operators are responsible for
reviewing each individual's TWIC as part of their decision to grant
unescorted access to secure areas of their facilities. The Coast Guard
is responsible for assessing and enforcing operator compliance with
TWIC-related laws and regulations. Described below are key components
of each process for ensuring TWIC-holder eligibility.
---------------------------------------------------------------------------
\30\ TWIC program threat assessment processes include conducting a
background check to determine whether each TWIC applicant is a security
risk to the United States. These checks, in general, can include checks
for criminal history records, immigration status, terrorism databases
and watchlists, and records indicating an adjudication of lack of
mental capacity, among other things. TSA security threat assessment-
related regulations define the term security threat to mean an
individual whom TSA determines or suspects of posing a threat to
national security; to transportation security; or of terrorism.
---------------------------------------------------------------------------
Enrollment: Transportation workers are enrolled by providing
biographic information, such as name, date of birth, and address, and
proof of identity documents, and then being photographed and
fingerprinted at enrollment centers by trusted agents. A trusted agent
is a member of the TWIC team who has been authorized by the Federal
Government to enroll transportation workers in the TWIC program and
issue TWIC cards.\31\ Appendix I summarizes key steps in the enrollment
process.
---------------------------------------------------------------------------
\31\ Trusted agents are subcontractor staff acquired by Lockheed
Martin as part of its support contract with TSA for the TWIC program.
---------------------------------------------------------------------------
Background checking: TSA conducts background checks on each worker
who applies for a TWIC to ensure that individuals who enroll do not
pose a security risk to the United States. A worker's potential link to
terrorism, criminal history, immigration status, and mental capacity
are considered as part of the security threat assessment. Workers have
the opportunity to appeal negative results of the threat assessment or
request a waiver of certain specified criminal offenses, and
immigration or mental capacity standards. Specifically, the TWIC
background checking process includes two levels of review.
First-level review: Initial automated background checking. The
initial automated background checking process is conducted to
determine whether any derogatory information is associated with
the name and fingerprints submitted by an applicant during the
enrollment process. This check is conducted against the FBI's
criminal history records. These records contain information
from Federal and state and local sources in the FBI's National
Crime Information Center (NCIC) database and the FBI's
Integrated Automated Fingerprint Identification System (IAFIS)/
Interstate Identification Index (III), which maintain criminal
records and related fingerprint submissions. Rather than
positively confirming each individual's identity using the
submitted fingerprints, the FBI's criminal history records
check is a negative identification check, whereby the
fingerprints are used to confirm that the associated individual
is not on the FBI criminal history list. If an individual is
identified as being on the FBI's criminal history list,
relevant information is to be forwarded to TSA for
adjudication.\32\ The check is also conducted against Federal
terrorism information from the Terrorist Screening Data base,
including the Selectee and No-Fly Lists.\33\ To determine an
applicant's immigration/citizenship status and eligibility, TSA
also runs applicant information against the Systematic Alien
Verification for Entitlements (SAVE) system. If the applicant
is identified as a U.S.-born citizen with no related derogatory
information, the system can approve the issuance of a TWIC with
no further review of the applicant or human intervention.
---------------------------------------------------------------------------
\32\ Not all TWIC applicants will have readable fingerprints. As we
have previously reported, it is estimated that about 2 percent to 5
percent of people cannot be easily fingerprinted because their
fingerprints have become dry or worn from age, extensive manual labor,
or exposure to corrosive chemicals (See GAO, Technology Assessment:
Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.:
Nov. 15, 2002).
\33\ Pursuant to Homeland Security Presidential Directive 6, dated
September 16, 2003, the Terrorist Screening Center--under the
administration of the FBI--was established to develop and maintain the
U.S. government's consolidated terrorist screening database (the watch
list) and to provide for the use of watch-list records during security-
related screening processes. The Selectee List contains information on
individuals who should receive enhanced screening (e.g., additional
physical screening or a hand-search of carryon baggage) before
proceeding through the security checkpoint at airports. The No Fly List
contains information on individuals who should be precluded from
boarding flights. The No Fly and Selectee lists contain applicable
records from the FBI Terrorist Screening Center's consolidated database
of known or appropriately suspected terrorists.
Second-level review: TSA's Adjudication Center Review. A
second-level review is conducted as part of an individual's
background check if: (1) the applicant has self-identified
themselves to be a non-U.S. citizen or non-U.S.-born citizen or
national, or (2) the first-level review uncovers any derogatory
information. As such, not all TWIC applicants will be subjected
to a second-level review. The second-level review consists of
staff at TSA's adjudication center reviewing the applicant's
enrollment file.\34\
---------------------------------------------------------------------------
\34\ If an applicant has asserted him/herself to be a non-U.S.
citizen or non-U.S.-born citizen, TSA staff at the adjudication center
are to positively identify the individual by confirming aspects of the
individual's biographic information, inclusive of their alien
registration number and other physical descriptors, against available
databases. For those individuals, TSA requires that at least one of the
documents provided as proof of identity demonstrates immigration status
or United States citizenship. According to TWIC officials, the program
is able to validate immigration status and citizenship-related
documents required of noncitizens and non-U.S.-born citizens--such as
certificates of naturalization--with the originating source. For
individuals with derogatory information, staff at the adjudication
center reviews each applicant's file to determine if the derogatory
information accurately applies to the individual or includes
disqualifying information.
Card use and compliance: Once a TWIC has been activated and issued,
the worker may present his or her TWIC to security officials when he or
she seeks unescorted access to a secure area. Currently, visual
inspections of TWICs are required for controlling access to secure
areas of MTSAregulated facilities and vessels.\35\ Approaches for
inspecting TWICs using biometric readers at individual facilities and
vessels across the nation are being considered as part of a pilot but
are not yet required. Pursuant to Coast Guard policy,\36\ Coast Guard
inspectors are required to verify TWIC cards during annual compliance
exams, security spot checks, and in the course of other Coast Guard
duties as determined by the Captain of the Port \37\ based on risk and
resource availability. The Coast Guard's primary means of verification
is shifting toward the use of biometric handheld readers with the
continued deployment of readers to each of its Sectors and Marine
Safety Units.\38\ As of December 21, 2010, the Coast Guard reports to
have deployed biometric handheld readers to all of its 35 Sectors and
16 Marine Safety Units.
---------------------------------------------------------------------------
\35\ Coast Guard regulations require that such an inspection
include: (1) a match of the photo on the TWIC to the individual
presenting the TWIC, (2) verification that the TWIC has not expired,
and (3) a visual check of the various security features present on the
card to determine whether the TWIC has been tampered with or forged.
\36\ See United States Coast Guard, Commandant Instruction Manual
16601.1: Coast Guard Transportation Worker Identification Credential
(TWIC) Verification and Enforcement Guide (Washington, D.C.: Oct. 10,
2008).
\37\ The Captain of the Port is the Coast Guard officer designated
by the Commandant to enforce within his or her respective areas port
safety and security and marine environmental protection regulations,
including, without limitation, regulations for the protection and
security of vessels, harbors, and waterfront facilities.
\38\ Coast Guard Sectors run all Coast Guard missions at the local
and port levels, such as search and rescue, port security,
environmental protection, and law enforcement in ports and surrounding
waters, and oversee a number of smaller Coast Guard units, including
small cutters and small-boat stations.
---------------------------------------------------------------------------
TWIC Regulations and Cost
In August 2006, DHS officials decided, based on industry comment,
to implement TWIC through two separate regulations, or rules. The first
rule, issued in January 2007, directs the use of the TWIC as an
identification credential, or flashpass. The second rule, the card
reader rule, is currently under development and is expected to address
how the access control technologies, such as biometric card readers,
are to be used for confirming the identity of the TWIC holder against
the biometric information on the TWIC. On March 27, 2009, the Coast
Guard issued an Advance Notice of Proposed Rule Making for the card
reader rule.\39\
---------------------------------------------------------------------------
\39\ 74 Fed. Reg. 13360 (2009). An advanced notice of proposed
rulemaking is published in the Federal Register and contains notices to
the public of the proposed issuance of rules and regulations. The
purpose of this advanced notice of proposed rulemaking was to encourage
the discussion of potential TWIC reader requirements prior to the
rulemaking process.
---------------------------------------------------------------------------
To inform the rulemaking process, TSA initiated a pilot in August
2008, known as the TWIC reader pilot, to test TWIC-related access
control technologies.\40\ This pilot is intended to test the
technology, business processes, and operational impacts of deploying
TWIC readers at secure areas of the marine transportation system. As
such, the pilot is expected to test the feasibility and functionality
of using TWICs with biometric card readers within the maritime
environment. After the pilot has concluded, a report on the findings of
the pilot is expected to inform the development of the card reader
rule. DHS currently estimates that a notice of proposed rulemaking will
be issued late in calendar year 2011 and that the final rule will be
promulgated no earlier than the end of calendar year 2012.
---------------------------------------------------------------------------
\40\ The pilot initiation date is based on the first date of
testing identified in the TWIC pilot schedule. This date is not
inclusive of time taken for planning the pilot prior to the first test.
The SAFE Port Act required the pilot to commence no later than 180 days
after the date of enactment (Oct. 13, 2006) of the SAFE Port Act. See
GAO-06-982.
---------------------------------------------------------------------------
According to agency officials, from Fiscal Years 2002 through 2010,
the TWIC program had funding authority totaling $420 million. In
issuing the credential rule, DHS estimated that implementing the TWIC
program could cost the Federal Government and the private sector a
combined total of between $694.3 million and $3.2 billion over a 10-
year period. However, these figures did not include costs associated
with implementing and operating readers.\41\ Appendix II contains
additional program funding details.
---------------------------------------------------------------------------
\41\ See Transportation Worker Identification Credential (TWIC)
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492,
3571 (2007).
---------------------------------------------------------------------------
Standards for Internal Control
Standards for Internal Control in the Federal Government
underscores the need for developing effective controls for meeting
program objectives and complying with applicable regulations.\42\
Effective internal controls provide for an assessment of the risks the
agency faces from both internal and external sources. Once risks have
been identified, they should be analyzed for their possible effect.
Management then has to decide upon the internal control activities
required to mitigate those risks and achieve the objectives of
efficient and effective operations. As part of this effort, management
should design and implement internal controls based on the related cost
and benefits.
---------------------------------------------------------------------------
\42\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
In addition, internal control standards highlight the need for the
following:
capturing information needed to meet program objectives;
designing controls to assure that ongoing monitoring occurs
in the course of normal operations;
determining that relevant, reliable, and timely information
is available for management decisionmaking purposes;
conducting reviews and testing of development and
modification activities before placing systems into operation;
recording and communicating information to management and
others within the entity who need it and in a form and within a
time-frame that enables them to carry out their internal
control and other responsibilities; and
designing internal controls to provide reasonable assurance
that compliance with applicable laws and regulations is being
achieved, and provide appropriate supervisory review of
activities to help provide oversight of operations. This
includes designing and implementing appropriate supervisory
review activities to help provide oversight and analyzing data
to compare trends in actual performance to expected results to
identify any areas that may require further inquiries or
corrective action.
Internal control also serves as the first line of defense in
safeguarding assets and preventing and detecting errors and fraud. An
internal control weakness is a condition within an internal control
system worthy of attention. A weakness, therefore, may represent a
perceived, potential, or real shortcoming, or an opportunity to
strengthen internal controls to provide a greater likelihood that the
entity's objectives will be achieved.
Internal Control Weaknesses in DHS's Biometric Transportation ID
Program Hinder Efforts to Ensure Security Objectives Are Fully
Achieved
DHS has established a system of TWIC-related processes and
controls. However, internal control weaknesses governing the
enrollment, background checking, and use of TWIC potentially limit the
program's ability to provide reasonable assurance that access to secure
areas of MTSA-regulated facilities is restricted to qualified
individuals. Specifically, internal controls \43\ in the enrollment and
background checking processes are not designed to provide reasonable
assurance that: (1) only qualified individuals can acquire TWICs; (2)
adjudicators follow a process with clear criteria for applying
discretionary authority when applicants are found to have extensive
criminal convictions; or (3) once issued a TWIC, TWIC holders have
maintained their eligibility. To meet the stated program mission needs,
TSA designed TWIC program processes to facilitate the issuance of TWICs
to maritime workers. However, TSA did not assess the internal controls
designed and in place to determine whether they provided reasonable
assurance that the program could meet defined mission needs for
limiting access to only qualified individuals. Further, internal
control weaknesses in TWIC enrollment, background checking, and use
could have contributed to the breach of selected MTSA-regulated
facilities during covert tests conducted by our investigators.
---------------------------------------------------------------------------
\43\ In accordance with Standards for Internal Control in the
Federal Government, the design of the internal controls is to be
informed by identified risks the program faces from both internal and
external sources; the possible effect of those risks; control
activities required to mitigate those risks; and the cost and benefits
of mitigating those risks.
---------------------------------------------------------------------------
TWIC Program Controls Are Not Designed to Provide Reasonable Assurance
That Only Qualified Applicants Can Acquire TWICs
DHS has established a system of TWIC-related processes and controls
that as of April 2011 has resulted in TWICs being denied to 1,158
applicants based on a criminal offense, criminal immigration offense,
or invalid immigration status.\44\ However, the TWIC program's internal
controls for positively identifying an applicant, arriving at a
security threat determination for that individual, and approving the
issuance of a TWIC, are not designed to provide reasonable assurance
that only qualified applicants can acquire TWICs.\45\ Assuring the
identity and qualifications of TWIC-holders are two of the primary
benefits that the TWIC program is to provide MTSA-regulated facility
and vessel operators making access control decisions. If an individual
presents an authentic TWIC acquired through fraudulent means when
requesting access to the secure areas of a MTSA-regulated facility or
vessel, the cardholder is deemed not to be a security threat to the
maritime environment because the cardholder is presumed to have met
TWIC-related qualifications during a background check. In such cases,
these individuals could better position themselves to inappropriately
gain unescorted access to secure areas of a MTSAregulated facility or
vessel.\46\
---------------------------------------------------------------------------
\44\ TSA further reports that as of April 2011 there have been
34,503 cases out of 1,841,122 enrollments, or 1.9 percent of TWIC
enrollments, where enrollees have not been approved for a TWIC because
TSA has identified that the enrollees have at least one potentially
disqualifying criminal offense, criminal immigration offense, or
invalid immigration status, and the enrollee did not respond to an
initial determination of threat assessment. Under the TWIC vetting
process, an applicant that receives an initial determination of threat
assessment is permitted to provide additional information to respond to
or challenge the determination, or to request a waiver for the
disqualifying condition, and subsequently be granted a TWIC.
\45\ For the purposes of this report, routinely is defined as a
process being consistently applied in accordance with established
procedure so as to render consistent results.
\46\ The TWIC program requires individuals to both hold a TWIC and
be authorized to be in the secure area by the owner/operator in order
to gain unescorted access to secure areas of MTSA-regulated facilities
and vessels.
---------------------------------------------------------------------------
As confirmed by TWIC program officials, there are ways for an
unqualified individual to acquire an authentic TWIC. According to TWIC
program officials, to meet the stated program purpose, TSA's focus in
designing the TWIC program was on facilitating the issuance of TWICs to
maritime workers. However, TSA did not assess internal controls prior
to implementing the program. Further, prior to fielding the program,
TSA did not conduct a risk assessment of the TWIC program to identify
program risks and the need for controls to mitigate existing risks and
weaknesses, as called for by internal control standards. Such an
assessment could help provide reasonable assurance that control
weaknesses in one area of the program do not undermine the reliability
of other program areas or impede the program from meeting mission
needs. TWIC program officials told us that control weaknesses were not
addressed prior to initiating the TWIC program because they had not
previously identified them, or because they would be too costly to
address. However, officials did not provide documentation to support
their cost concerns and told us that they did not complete an
assessment that accounted for whether the program could achieve defined
mission needs without implementing additional or compensating controls
to mitigate existing risks, or the risks associated with not correcting
for existing internal control weaknesses.
Our investigators conducted covert tests at enrollment center(s) to
help test the rigor of the TWIC enrollment and background checking
processes. The investigators fully complied with the enrollment
application process. They were photographed and fingerprinted, and
asserted themselves to be U.S.-born citizens.\47\ The investigators
were successful in obtaining authentic TWIC cards despite going through
the background-checking process. Not having internal controls designed
to provide reasonable assurance that the applicant has: (1) been
positively identified, and (2) met all TWIC eligibility requirements,
including not posing a security threat to MTSA-regulated facilities and
vessels, could have contributed to the investigators' successes.
Specifically, we identified internal control weaknesses in the
following three areas related to ensuring that only qualified
applicants are able to obtain a TWIC.
---------------------------------------------------------------------------
\47\ The details related to the means used by the investors in the
tests could not be detailed here because they were deemed sensitive
security information by TSA.
---------------------------------------------------------------------------
Controls to identify the use of potentially counterfeit identity
documents are not used to inform background checking processes. As part
of TWIC program enrollment, a trusted agent is to review identity
documents for authenticity and use an electronic authentication device
to assess the likelihood of the document being counterfeit.\48\
According to TWIC program officials, the trusted agent's review of TWIC
applicant identity documents and the assessment provided by the
electronic authentication device are the two steps intended to serve as
the primary controls for detecting whether an applicant is presenting
counterfeit identity documents. Additionally, the electronic device
used to assess the authenticity of identification credentials renders a
score on the likelihood of the document being authentic and produces an
assessment report in support of the score. Assessing whether the
applicant's credential is authentic is one source of information for
positively identifying an applicant. Our investigators provided
counterfeit or fraudulently acquired documents, but they were not
detected.
---------------------------------------------------------------------------
\48\ As designed, the TWIC program's enrollment process relies on a
trusted agent--a contract employee--to collect an applicant's
identification information. The trusted agent is provided basic
training on how to detect a fraudulent document. The training, for
example, consists of checking documents for the presence of a laminate
that is not peeling, typeset that looks legitimate, and seals on
certain types of documents.
---------------------------------------------------------------------------
However, the TWIC program's background checking processes are not
designed to routinely consider the results of controls in place for
assessing whether an applicant's identity documents are authentic. For
example, assessments of document authenticity made by a trusted agent
or the electronic document authentication device as part of the
enrollment process are not considered as part of the first-level
background check. Moreover, TWIC program officials agree that this is a
program weakness. As of December 1, 2010, approximately 50 percent of
TWICs were approved after the first-level background check without
undergoing further review.\49\ As an initial step toward addressing
this weakness, and in response to our review, TWIC program officials
told us that since April 17, 2010, the comments provided at enrollment
by trusted agents have been sent to the Screening Gateway--a TSA system
for aggregating threat assessment data. However, this change in
procedure does not correct the internal control weaknesses we
identified.\50\ Attempts to authenticate copies of documents are
limited because it is not possible to capture all of the security
features when copies of the identity documents are recorded, such as
holograms or color-shifting ink. Using information on the authenticity
of identity documents captured during enrollment to inform the
background check could help TSA better assess the reliability and
authenticity of such documents provided at enrollment.
---------------------------------------------------------------------------
\49\ Of the 1,697,160 enrollments approved for a TWIC, 852,540 were
approved using TSA's automated process as part of the first-level
background check without undergoing further review.
\50\ Details from this section were removed because the agency
deemed them sensitive security information.
---------------------------------------------------------------------------
Controls related to the legal status of self-reported U.S.-born
citizens or nationals.\51\ The TWIC program does not require that
applicants claiming to be U.S.-born citizens or nationals provide
identity documents that demonstrate proof of citizenship, or lawful
status in the United States. See appendix III for the list of documents
U.S.-born citizens or nationals must select from and present when
applying for a TWIC.\52\ For example, an applicant could elect to
provide one document, such a U.S. passport, which, according to TSA
officials, serves as proof of U.S. citizenship or proof of nationality.
However, an applicant could elect to submit documents that do not
provide proof of citizenship. As of December 1, 2010, nearly 86 percent
of approved TWIC enrollments were by self-identified United States
citizens or nationals asserting that they were born in the United
States or a United States territory.\53\
---------------------------------------------------------------------------
\51\ National means a citizen of the United States or a noncitizen
owing permanent allegiance to the United States. In general, U.S.-born
nationals who are not U.S. citizens at birth are individuals born in an
outlying possession of the United States. Details from this section
were removed because the agency deemed them sensitive security
information.
\52\ Various identity documents can be provided by U.S.-born
citizens or nationals when applying for a TWIC. For certain documents,
such as an unexpired U.S. passport, TSA requires one document as a
proof of identity. For other documents, such as a Department of
Transportation Medical Card or United States Military Dependents
Identification Card, TSA requires that TWIC applicants provide two
identity documents from a designated list, with one being a government-
issued photo identification.
\53\ As of December 1, 2010, TSA reported that 1,697,160 TWIC
enrollments have been approved, of which 1,457,337 were self-identified
United States citizens or nationals asserting that they were born in
the United States or in a United States territory.
---------------------------------------------------------------------------
Verifying a U.S.-born citizen's identity and related lawful status
can be costly and is a challenge faced by U.S. Government programs such
as passports.\54\ However, reaching an accurate determination of a TWIC
applicant's potential security threat in meeting TWIC mission needs is
dependant on positively identifying the applicant. Given such potential
cost constraints, consistent with internal control standards,
identifying alternative mechanisms to positively identify individuals
to the extent that the benefits exceed the costs and TWIC program
mission needs are met could enhance TSA's ability to positively
identify individuals and reduce the likelihood that criminals or
terrorists could acquire a TWIC fraudulently.
---------------------------------------------------------------------------
\54\ See GAO, State Department: Significant Vulnerabilities in the
Passport Issuance Process, GAO-09-681T (Washington, D.C.: May 5, 2009)
and State Department: Improvements Needed to Strengthen U.S. Passport
Fraud Detection Efforts, GAO-05-477 (Washington, D.C.: May 20, 2005).
---------------------------------------------------------------------------
Controls are not in place to determine whether an applicant has a
need for a TWIC.\55\ Regulations governing the TWIC program security
threat assessments require applicants to disclose their job description
and location(s) where they will most likely require unescorted access,
if known, and the name, telephone number, and address of the
applicant's current employer(s) if the applicant works for an employer
that requires a TWIC.\56\ However, TSA enrollment processes do not
require that this information be provided by applicants. For example,
when applying for a TWIC, applicants are to certify that they may need
a TWIC as part of their employment duties. However, the enrollment
process does not request information on the location where the
applicant will most likely require unescorted access, and enrollment
processes include asking the applicant if they would like to provide
employment information, but informing the applicant that employer
information is not required.
---------------------------------------------------------------------------
\55\ TWIC is unlike other federally-sponsored access control
credentials, such as the Department of Defense's Common Access Card--
the agencywide standard identification card--for which sponsorship by
an employer is required. For these Federal credentialing programs,
employer sponsorship begins with the premise that an individual is
known to need certain access as part of their employment. Further, the
employing agency is to conduct a background investigation on the
individual and has access to other personal information, such as prior
employers, places of residency, and education, which they may confirm
as part of the employment process and use to establish the individual's
identity.
\56\ Implementing regulations at 49 C.F.R. � 1572.17 require that
when applying for or renewing a TWIC, the applicant provide, among
other information: (1) the reason that the applicant requires a TWIC,
including, as applicable, the applicant's job description and the
primary facility, vessel, or maritime port location(s) where the
applicant will most likely require unescorted access, if known; (2) the
name, telephone number, and address of the applicant's current
employer(s) if the applicant works for an employer that requires a
TWIC; and (3) if the applicant works for an employer that does not
require possession of a TWIC, does not have a single employer, or is
self-employed, the primary vessel or port location(s) where the
applicant requires unescorted access, if known. The regulation states
that this information is required to establish eligibility for a TWIC
and that TSA is to review the applicant information as part of the
intelligence-related check.
---------------------------------------------------------------------------
While not a problem prior to implementing the TWIC program,
according to TSA officials, a primary reason for not requiring employer
information be captured by applicant processes is that many applicants
do not have employers, and that many employers will not accept
employment applications from workers who do not already have a TWIC.
However, TSA could not provide statistics on: (1) how many individuals
applying for TWICs were unemployed at the time of their application; or
(2) a reason why the TWIC-related regulation does not prohibit
employers from denying employment to non-TWIC holders who did not
previously have a need for a TWIC. Further, according to TSA and Coast
Guard officials, industry was opposed to having employment information
verified as part of the application process, as industry
representatives believed such checks would be too invasive and time-
consuming. TSA officials further told us that confirming this
information would be too costly.
We recognize that implementing mechanisms to capture this
information could be time-consuming and involve additional costs.
However, collecting information on present employers or operators of
MTSA-regulated facilities and vessels to be accessed by the applicant,
to the extent that the benefits exceed the costs and TWIC program
mission needs are met, could help ensure TWIC program mission needs are
being met, and serve as a barrier to individuals attempting to acquire
an authentic TWIC through fraudulent means. Therefore, if TSA
determines that implementing such mechanisms are, in fact, cost
prohibitive, identifying and implementing appropriate compensating
controls could better position TSA to positively identify the TWIC
applicant. Not taking any action increases the risk that individuals
could gain unescorted access to secure areas of MTSAregulated
facilities and vessels.
As of September 2010, TSA's background checking process had
identified no instances of nonimmigration-related document or identity
fraud. This is in part because of previously discussed weaknesses in
TWIC program controls for positively identifying applicants, and the
systems and procedures the TWIC program relies on not being designed to
effectively monitor for such occurrences, in accordance with internal
control standards. Though not an exhaustive list, through a review of
Coast Guard reports and publicly available court records, we identified
five court cases where the court documents indicate that illegal
immigrants acquired, or in one of the cases sought to acquire, an
authentic TWIC through fraudulent activity such as providing fraudulent
identity information and, in at least one of the cases and potentially
up to four, used the TWIC to access secure areas of MTSA-regulated
facilities. Four of these cases were a result of, or involved, United
States Immigration and Customs Enforcement efforts after individuals
had acquired, or sought to acquire, a TWIC. As of September 2010, the
program's background checking process identified 18 instances of
potential fraud out of the approximately 1,676,000 TWIC enrollments.
These instances all involved some type of fraud related to
immigration.\57\ The 18 instances of potential fraud were identified
because the 18 individuals asserted themselves to be non-U.S.- born
applicants and, unlike processes in place for individuals asserting to
be U.S.-born citizens, TSA's background checking process includes
additional controls to validate such individuals' identities. For
example, TSA requires that at least one of the documents provided by
such individuals at enrollment show proof of their legal status and
seeks to validate each non-U.S.-born applicant's identity with the U.S.
Citizenship and Immigration Services.
---------------------------------------------------------------------------
\57\ According to TSA, as of September 8, 2010, a total of 18 TWIC
applicants were issued an Initial Determination of Threat Assessment
for invalid immigration documents. Upon submission to the U.S.
Citizenship and Immigration Services, the documentation was reported to
be altered or counterfeit. Of these 18 instances, only 1 applicant
submitted additional documentation following an Initial Determination
of Threat Assessment to challenge TSA's determination. The single
applicant was subsequently awarded a TWIC.
---------------------------------------------------------------------------
Internal control standards highlight the need for capturing
information needed to meet program objectives; ensuring that relevant,
reliable, and timely information is available for management
decisionmaking purposes; and providing reasonable assurance that
compliance with applicable laws and regulations is being achieved.\58\
Conducting a control assessment of the TWIC program's processes to
address existing weaknesses could enhance the TWIC program's ability to
prevent and detect fraud and positively identify TWIC applicants. Such
an assessment could better position DHS in strengthening the program to
ensure it achieves its objectives in controlling access to MTSA-
regulated facilities and vessels.
---------------------------------------------------------------------------
\58\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
TWIC Program Controls Are Not Designed to Require Adjudicators to
Follow a
Process with Clear Criteria for Applying Discretionary
Authority When
Applicants Are Found to Have Extensive Criminal Convictions
Being convicted of a felony does not automatically disqualify a
person from being eligible to receive a TWIC; however, prior
convictions for certain crimes are automatically disqualifying. Threat
assessment processes for the TWIC program include conducting background
checks to determine whether each TWIC applicant poses a security
threat.\59\ Some of these offenses, such as espionage or treason, would
permanently disqualify an individual from obtaining a TWIC. Other
offenses, such as murder or the unlawful possession of an explosive
device, while categorized as permanent disqualifiers, are also eligible
for a waiver under TSA regulations and might not permanently disqualify
an individual from obtaining a TWIC if TSA determines upon subsequent
review that an applicant does not represent a security threat.\60\
Table 1 presents examples of disqualifying criminal offenses set out in
statute and implementing regulations for consideration as part of the
adjudication process.
---------------------------------------------------------------------------
\59\ These checks, in general, can include checks for criminal
history records, immigration status, terrorism databases and
watchlists, and records indicating an adjudication of a lack of mental
capacity, among other things. As defined in TSA implementing
regulations, the term security threat means an individual whom TSA
determines or suspects of posing a threat to national security; to
transportation security; or of terrorism. 49 C.F.R. � 1570.3.
\60\ These permanent disqualifying offenses for which no waiver can
be issued include espionage, sedition, treason, a Federal crime of
terrorism, or conspiracy to commit any of these offenses.
------------------------------------------------------------------------
Table 1.--Examples of Disqualifying Offenses for TWIC Eligibility
------------------------------------------------------------------------
Permanent Permanent disqualifying Interim disqualifying
disqualifying offenses offenses that can be offenses c
a waived b
------------------------------------------------------------------------
Espionage Murder Bribery
Sedition Unlawful possession, use, Smuggling
Treason sale, distribution, Arson
A federal crime of manufacture, purchase, Extortion
terrorism receipt, transfer, Robbery
shipping, transporting,
import, export, storage
of, or dealing in an
explosive or explosive
device
A crime involving a
transportation security
incident
Making any threat
concerning the
deliverance, placement,
or detonation of an
explosive or other
lethal device in or
against a place of
public use, a state or
government facility, a
public transportation
system, or an
infrastructure facility
------------------------------------------------------------------------
Source: GAO analysis of regulations and TSA.
Notes: See appendix IV for a list of all disqualifying offenses.
a Permanent disqualifying offenses are offenses defined in 49 C.F.R.
1572.103(a) for which no waiver can be granted under 49 C.F.R.
1515.7(a)(i).
b Permanent disqualifying offenses that can be waived are offenses
defined in 49 C.F.R. 1572.103(a) for which a waiver can be granted in
accordance with 49 C.F.R. 1515.7(a)(i). Applicants with certain
permanent criminal offenses and all interim disqualifying criminal
offenses may request a waiver of their disqualification. TSA
regulations provide that in determining whether to grant a waiver, TSA
will consider: (1) the circumstances of the disqualifying act or
offense; (2) restitution made by the applicant; (3) any Federal or
state mitigation remedies; (4) court records or official medical
release documents indicating that the applicant no longer lacks mental
capacity; and (5) other factors that indicate the applicant does not
pose a security threat warranting denial of a hazardous materials
endorsement or TWIC.
c Interim disqualifying offenses are offenses defined in 49 C.F.R.
1572.103(b) for which the applicant has either been: (1) convicted, or
found not guilty by reason of insanity, within a 7-year period
preceding the TWIC application, or (2) incarcerated for within a 5-
year period preceding the TWIC application.
TSA also has the authority to add to or modify the list of interim
disqualifying crimes. Further, in determining whether an applicant
poses a security threat, TSA officials stated that adjudicators have
the discretion to consider the totality of an individual's criminal
record, including criminal offenses not defined as a permanent or
interim disqualifying criminal offenses, such as theft or larceny.\61\
More specifically, TSA's implementing regulations provide, in part,
that with respect to threat assessments, TSA may determine that an
applicant poses a security threat if the search conducted reveals
extensive foreign or domestic criminal convictions, a conviction for a
serious crime not listed as a permanent or interim disqualifying
offense, or a period of foreign or domestic imprisonment that exceeds
365 consecutive days. Thus, if a person was convicted of multiple
crimes, even if each of the crimes were not in and of themselves
disqualifying, the number and type of convictions could be
disqualifying.
---------------------------------------------------------------------------
\61\ The U.S. government's Adjudicative Desk Reference, used in
adjudicating security clearances, states that multiple criminal
offenses indicate intentional continuing behavior that raises serious
questions about a person's trustworthiness and judgment.
---------------------------------------------------------------------------
Although TSA has the discretion and authority to consider criminal
offenses not defined as a disqualifying offense, such as larceny and
theft, and periods of imprisonment, TSA has not developed a definition
for what extensive foreign or domestic criminal convictions means, or
developed guidance to ensure that adjudicators apply this authority
consistently in assessing the totality of an individual's criminal
record. For example, TSA has not developed guidance or benchmarks for
adjudicators to consistently apply when reviewing TWIC applicants with
extensive criminal convictions but no disqualifying offense. This is
particularly important given TSA's reasoning for including this
authority in TWICrelated regulation. Specifically, TSA noted that it
understands that the flexibility this language provides must be used
cautiously and on the basis of compelling information that can
withstand judicial review. They further noted that the decision to
determine whether an applicant poses a threat under this authority is
largely a subjective judgment based on many facts and circumstances.
While TSA does not track metrics on the number of TWICs provided to
applicants with specific criminal offenses not defined as disqualifying
offenses, as of September 8, 2010, the agency reported 460,786 cases
where the applicant was approved, but had a criminal record based on
the results from the FBI. This represents approximately 27 percent of
individuals approved for a TWIC at the time. In each of these cases,
the applicant had either a criminal offense not defined as a
disqualifying offense or an interim disqualifying offense that was no
longer a disqualification based on conviction date or the applicant's
release date from incarceration. Consequently, based on TSA's
background checking procedures, all of these cases would have been
reviewed by an adjudicator for consideration as part of the second-
level background check because derogatory information had been
identified. As such, each of these cases had to be examined and a
judgment had to be made as to whether to deny an applicant a TWIC based
on the totality of the offenses contained in each applicant's criminal
report.
While there were 460,786 cases where the applicant was approved,
but had a criminal record, TSA reports to have taken steps to deny 1
TWIC applicant under this authority. However, in the absence of
guidance for the application of this authority, it is not clear how TSA
applied this authority in approving the 460,786 applications and
denying the 1. Internal control standards call for controls and other
significant events to be clearly documented in directives, policies, or
manuals to help ensure operations are carried out as intended.
According to TSA officials, the agency has not implemented guidance
for adjudicators to follow on how to apply this discretion in a
consistent manner because they are confident that the adjudicators
would, based on their own judgment, identify all applicants where the
authority to deny a TWIC based on the totality of all offenses should
be applied. However, in the absence of criteria, we were unable to
analyze or compare how the approximately 30 adjudicators who are
assigned to the TWIC program at any given time made determinations
about TWIC applicants with extensive criminal histories. Given that 27
percent of TWIC holders have been convicted of at least one
nondisqualifying offense, defining what extensive criminal convictions
means and developing guidance or criteria for how adjudicators should
apply this discretionary authority could help provide TSA with
reasonable assurance that applications are consistently adjudicated.
Defining terms and developing guidance is consistent with internal
control standards.
TWIC Program Controls Are Not Designed to Provide Reasonable Assurance
That TWIC Holders Have Maintained Their Eligibility Once Issued
TWICs
DHS's defined mission needs for TWIC include identifying
individuals who fail to maintain their eligibility requirements once
issued a TWIC, and immediately revoking the individual's card
privileges. Pursuant to TWICrelated regulations, an individual may be
disqualified from holding a TWIC and be required to surrender the TWIC
to TSA for failing to meet certain eligibility criteria related to, for
example, terrorism, crime, and immigration status. However, weaknesses
exist in the design of the TWIC program's internal controls for
identifying individuals who fail to maintain their eligibility that
make it difficult for TSA to provide reasonable assurance that TWIC
holders continue to meet all eligibility requirements.
Controls are not designed to determine whether TWIC holders have
committed disqualifying crimes at the Federal or state level after
being granted a TWIC. TSA conducts a name-based check of TWIC holders
against Federal wants \62\ and warrants on an ongoing basis. According
to FBI and TSA officials, policy and statutory provisions hamper the
program from running the broader FBI fingerprint-based check using the
fingerprints collected at enrollment on an ongoing basis. More
specifically, because the TWIC background check is considered to be for
a noncriminal justice purpose,\63\ to conduct an additional
fingerprint-based check as part of an ongoing TWIC background check,
TSA would have to collect a new set of fingerprints from the TWIC-
holder,\64\ if the prints are more than 1 year old, and submit those
prints to the FBI each time they want to assess the TWIC-holder's
criminal history. According to TSA officials, it would be cost
prohibitive to run the fingerprint-based check on an ongoing basis, as
TSA would have to pay the FBI $17.25 per check.
---------------------------------------------------------------------------
\62\ Federal wants generally consist of information on wanted
persons, or individuals, for whom Federal warrants are outstanding.
\63\ Under the National Crime Prevention and Privacy Compact Act of
1998 (Pub. L. No. 105- 251, 112 Stat. 1870, 1874 (1998) (codified as
amended at 42 U.S.C. �� 14601-14616)), which established an
infrastructure by which states and other specified parties can exchange
criminal records for noncriminal justice purposes authorized under
Federal or state law, the term noncriminal justice purposes means uses
of criminal history records for purposes authorized by Federal or state
law other than purposes relating to criminal justice activities,
including employment suitability, licensing determinations, immigration
and naturalization matters, and national security clearances.
\64\ Under the 1998 Act, subject fingerprints or other approved
forms of positive identification must be submitted with all requests
for criminal history record checks for noncriminal justice purposes.
---------------------------------------------------------------------------
Although existing policies may hamper TSA's ability to check FBI-
held fingerprint-based criminal history records for the TWIC program,
TSA has not explored alternatives for addressing this weakness, such as
informing facility and port operators of this weakness and identifying
solutions for leveraging existing state criminal history information,
where available. For instance, state maritime organizations may have
other mechanisms at their disposal for helping to identify TWIC-holders
who may no longer meet TWIC qualification requirements. Specifically,
laws governing the maritime environment in New York and New Jersey
provide for credentialing authorities being notified if licensed or
registered longshoremen have been arrested. Further, other governing
entities, such as the State of Florida and the Alabama State Port
Authority, have access to state-based criminal records checks. While
TSA may not have direct access to criminal history records, TSA could
compensate for this control weakness, for example, by leveraging
existing mechanisms available to maritime stakeholders across the
country to better ensure that only qualified individuals retain TWICs.
Controls are not designed to provide reasonable assurance that TWIC
holders continue to meet immigration status eligibility requirements.
If a TWIC holder's stated period of legal presence in the United States
is about to expire or has expired, the TWIC program does not request or
require proof from TWIC holders to show that they continue to maintain
legal presence in the United States. Additionally, although they have
the regulatory authority to do so, the program does not issue TWICs for
a term less than 5 years to match the expiration of a visa. Instead,
TSA relies on: (1) TWIC holders to self-report if they no longer have
legal presence in the country, and (2) employers to report if a worker
is no longer legally present in the country.\65\ As we have previously
reported, government programs for granting benefits to individuals face
challenges in confirming an individual's immigration status.\66\ TWIC
program officials stated that the program uses a United States
Citizenship and Immigration Services system during the background
checking process prior to issuing a TWIC as a method for confirming the
legal status of non-U.S. citizens.\67\ TSA has not, however, consistent
with internal control standards, implemented alternative controls to
compensate for this limitation and provide reasonable assurance that
TWIC holders remain eligible. For instance, the TWIC program has not
compensated for this limitation by: (1) using its authority to issue
TWICs with shorter expiration dates to correspond with each
individual's legal presence, or (2) updating the TWIC system to
systematically suspend TWIC privileges for individuals who no longer
meet immigration eligibility requirements until they can provide
evidence of continued legal presence.\68\
---------------------------------------------------------------------------
\65\ TWIC-related regulations provide, for example, that
individuals disqualified from holding a TWIC for immigration status
reasons must surrender the TWIC to TSA. In addition, the regulations
provide that TWICs are deemed to have expired when the status of
certain lawful nonimmigrants with a restricted authorization to work in
the United States (e.g., H-1B1 Free Trade Agreement) expires, the
employer terminates the employment relationship with such an applicant,
or such applicant otherwise ceases working for the employer, regardless
of the date on the face of the TWIC. Upon the expiration of such
nonimmigrant status for an individual who has a restricted
authorization to work in the United States, the employer and employee
both have related responsibilities--the employee is required to
surrender the TWIC to the employer, and the employer is required to
retrieve the TWIC and provide it to TSA. According to TSA officials,
the TWIC program could not provide a count of the total number of TWIC
holders whose employers reported that the TWIC holders no longer have
legal status, as they do not track this information.
\66\ See, for example, GAO, EmploymentVerification: Federal
Agencies Have Taken Steps to Improve E-Verify, but Significant
Challenges Remain, GAO-11-146 (Washington, D.C.: Dec. 17, 2010), and
Immigration Enforcement: Weaknesses Hinder Employment Verification and
Worksite Enforcement Efforts, GAO-05-813 (Washington, D.C.: Aug. 31,
2005).
\67\ Details from this section were removed because the agency
deemed them sensitive security information.
\68\ The TWIC program accepts various documents, such as visas,
Interim Employment Authorizations, and form I-94 Arrival and Departure
Records, as evidence of legal presence in the United States.
---------------------------------------------------------------------------
TWIC program officials stated that implementing these compensating
measures would be too costly, but they have not conducted an assessment
to identify the costs of implementing these controls, or determined if
the benefits of mitigating related security risks would outweigh those
costs, consistent with internal control standards. Not implementing
such measures could result in a continued risk of individuals no longer
meeting TWIC legal presence requirements continuing to hold a federally
issued identity document and gaining unescorted access to secure areas
of MTSAregulated facilities and vessels.\69\ Thus, implementing
compensating measures, to the extent that the benefits outweigh the
costs and meet the program's defined mission needs, could provide TSA,
the Coast Guard, and MTSA-regulated stakeholders with reasonable
assurance that each TWIC holder continues to meet TWIC-related
eligibility requirements.
---------------------------------------------------------------------------
\69\ TWIC is a federally issued identity document that can be used
as proof of identity for nonmaritime activities, such as boarding
airplanes at United States airports and certain Department of Defense
facilities in accordance with Department of Defense policy, Directive-
Type Memorandum (DTM) 09-012, ``Interim Policy Guidance for DOD
Physical Access Control,'' dated December 8, 2009.
---------------------------------------------------------------------------
Internal Control Weaknesses in TWIC Enrollment, Background Checking,
and Use Could Have Contributed to Breach of MTSA-Regulated
Ports
As of January 7, 2011, the Coast Guard reports that it has
identified 11 known attempts to circumvent TWIC requirements for
gaining unescorted access to MTSA-regulated areas by presenting
counterfeit TWICs. The Coast Guard further reports to have identified 4
instances of individuals presenting another person's TWIC as their own
in attempts to gain access. Further, our investigators conducted covert
tests to assess the use of TWIC as a means for controlling access to
secure areas of MTSA-regulated facilities. During covert tests of TWIC
at several selected ports, our investigators were successful in
accessing ports using counterfeit TWICs, authentic TWICs acquired
through fraudulent means, and false business cases (i.e., reasons for
requesting access).\70\ Our investigators did not gain unescorted
access to a port where a secondary port specific identification was
required in addition to the TWIC.
---------------------------------------------------------------------------
\70\ Existing vulnerabilities with TWIC to date have included, for
example, problems with deteriorating TWIC card security features. Cards
fading and delaminating have been reported by stakeholders across the
country from places such as New York, Virginia, Texas, and California,
with a range of climate conditions. According to stakeholders, these
problems make it difficult for security guards to distinguish an
authentic TWIC that is faded from a fraudulent TWIC. TSA and the Coast
Guard have also received reports of problems with the card's chip or
antenna connection not working from locations where TWICs are being
used with readers. The total number of damaged TWICs with a damaged
chip or antenna is unknown because TWICs are not required to be used
with readers.
---------------------------------------------------------------------------
In response to our covert tests, TSA and Coast Guard officials
stated that, while a TWIC card is required for gaining unescorted
access to secure areas of a MTSA-regulated facility, the card alone is
not sufficient. These officials stated that the cardholder is also
required to present a business case, which security officials at
facilities must consider as part of granting the individual access. In
addition, according to DHS's Screening Coordination Office, a
credential is only one layer of a multilayer process to increase
security. Other layers of security might include onsite law
enforcement, security personnel, cameras, locked doors and windows,
alarm systems, gates, and turnstiles. Thus, a weakness in the
implementation of TWIC will not guarantee access to the secure areas of
a MTSA-regulated port or facility.
However, as our covert tests demonstrated, having an authentic TWIC
and a legitimate business case were not always required in practice.
The investigators' possession of TWIC cards provided them with the
appearance of legitimacy and facilitated their unescorted entry into
secure areas of MTSA-regulated facilities and ports at multiple
locations across the country. If individuals are able to acquire
authentic TWICs fraudulently, verifying the authenticity of these cards
with a biometric reader will not reduce the risk of undesired
individuals gaining unescorted access to the secure areas of MTSA-
regulated facilities and vessels.
Given existing internal control weaknesses, conducting a control
assessment of the TWIC program's processes to address existing
weaknesses could enhance the TWIC program's ability to prevent and
detect fraud and positively identify TWIC applicants. Such an
assessment could better position DHS in strengthening the program to
ensure it achieves its objectives in controlling unescorted access to
MTSA-regulated facilities and vessels. It could also help DHS identify
and implement the minimum controls needed to: (1) positively identify
individuals, (2) provide reasonable assurance that control weaknesses
in one area of the program would not undermine the reliability of other
program areas or impede the program from meeting mission needs, and (3)
provide reasonable assurance that the threat assessments are based on
complete and accurate information. Such actions would be consistent
with internal control standards, which highlight the need for capturing
information needed to meet program objectives; determining that
relevant, reliable, and timely information is available for management
decision-making purposes; and designing internal controls to provide
reasonable assurance that compliance with applicable laws and
regulations is being achieved, as part of implementing effective
controls. Moreover, our prior work on internal controls has shown that
management should design and implement internal controls based on the
related costs and benefits and continually assess and evaluate its
internal controls to assure that the controls being used are effective
and updated when necessary.\71\
---------------------------------------------------------------------------
\71\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------
TWIC's Effectiveness at Enhancing Security Has Not BeenAssessed, and
the Coast Guard Lacks the Ability to Assess Trends in TWIC
Compliance
The TWIC program is intended to improve maritime security by using
a federally sponsored credential to enhance access controls to secure
areas at MTSA-regulated facilities and vessels, but DHS has not
assessed the program's effectiveness at enhancing security. In
addition, Coast Guard's approach for monitoring and enforcing TWIC
compliance nationwide could be improved by enhancing its collection and
assessment of related maritime security information. For example, the
Coast Guard tracks TWIC program compliance, but the processes involved
in the collection, cataloguing, and querying of information cannot be
relied on to produce the management information needed to assess trends
in compliance with the TWIC program or associated vulnerabilities.
TWIC Has Not Been Assessed to Measure Effectiveness at Enhancing
Security
DHS asserted in its 2009 and 2010 budget submissions that the
absence of the TWIC program would leave America's critical maritime
port facilities vulnerable to terrorist activities.\72\ However, to
date, DHS has not assessed the effectiveness of TWIC at enhancing
security or reducing risk for MTSA-regulated facilities and vessels.
Such assessments are consistent with DHS's National Infrastructure
Protection Plan, which recognizes that metrics and other evaluation
procedures should be used to measure progress and assess the
effectiveness of programs designed to protect key assets.\73\ Further,
DHS has not demonstrated that TWIC, as currently implemented and
planned with readers, is more effective than prior approaches used to
limit access to ports and facilities, such as using facility specific
identity credentials with business cases. According to TSA and Coast
Guard officials, because the program was mandated by Congress as part
of MTSA, DHS did not conduct a risk assessment to identify and mitigate
program risks prior to implementation. Further, according to these
officials, neither the Coast Guard nor TSA analyzed the potential
effectiveness of TWIC in reducing or mitigating security risk--either
before or after implementation--because they were not required to do so
by Congress. Rather, DHS assumed that the TWIC program's enrollment and
background checking procedures were effective and would not allow
unqualified individuals to acquire and retain authentic TWICs.
---------------------------------------------------------------------------
\72\ See DHS, DHS Exhibit 300 Public Release BY10/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington,
D.C.: Apr. 17, 2009) and DHS Exhibit 300 Public Release BY09/TSA--
Transportation Worker Identification Credentialing (TWIC) (Washington,
D.C.: July 27, 2007).
\73\ DHS, National Infrastructure Protection Plan: Partnering to
Enhance Protection and Resiliency (Washington, D.C.: 2009). The NIPP,
first issued in June 2006 by DHS, established a six-step risk
management framework to establish national priorities, goals, and
requirements for Critical Infrastructure and Key Resources (CIKR)
protection so that Federal funding and resources are applied in the
most effective manner to deter threats, reduce vulnerabilities, and
minimize the consequences of attacks and other incidents. The NIPP
states that comprehensive risk assessments are necessary for
determining which assets or systems face the highest risk, for
prioritizing risk mitigation efforts and the allocation of resources,
and for effectively measuring how security programs reduce risks.
---------------------------------------------------------------------------
The internal control weaknesses that we discuss earlier in the
report, as well as the results of our covert tests of TWIC use, raise
questions about the effectiveness of the TWIC program. According to the
Coast Guard official responsible for conducting assessments of maritime
risk, it may now be possible to assess TWIC effectiveness and the
extent to which, or if, TWIC use could enhance security using current
Maritime Security Risk Analysis Model (MSRAM) data. Since MSRAM's
deployment in 2005, the Coast Guard has used its MSRAM to help inform
decisions on how to best secure our nation's ports and how to best
allocate limited resources to reduce terrorist risks in the maritime
environment.\74\ Moreover, as we have previously reported, Congress
also needs information on whether and in what respects a program is
working well or poorly to support its oversight of agencies and their
budgets, and agencies' stakeholders need performance information to
accurately judge program effectiveness.\75\ Conducting an effectiveness
assessment that evaluates whether use of TWIC in its present form and
planned use with readers would enhance the posture of security beyond
efforts already in place given costs and program risks could better
position DHS and policymakers in determining the impact of TWIC on
enhancing maritime security.
---------------------------------------------------------------------------
\74\ The Coast Guard uses MSRAM to assess risk for various types of
vessels and port infrastructure in accordance with the guidance on
assessing risk from DHS's National Infrastructure Protection Plan
(NIPP). The Coast Guard uses the analysis tool to help implement its
strategy and concentrate maritime security activities when and where
relative risk is believed to be the greatest. The model assesses the
risk--threats, vulnerabilities, and consequences--of a terrorist attack
based on different scenarios; that is, it combines potential targets
with different means of attack, as recommended by the risk assessment
aspect of the NIPP. Also in accordance with the NIPP, the model is
designed to support decisionmaking for the Coast Guard. At the national
level, the model's results are used, among other things, for
identifying capabilities needed to combat future terrorist threats.
\75\ GAO, Executive Guide: Effectively Implementing the Government
Performance and Results Act, GAO/GGD-96-118 (Washington, D.C.: June
1996).
---------------------------------------------------------------------------
Further, pursuant to Executive Branch requirements, prior to
issuing a new regulation, agencies are to conduct a regulatory
analysis, which is to include an assessment of costs, benefits, and
associated risks.\76\ Prior to issuing the regulation on implementing
the use of TWIC as a flashpass, DHS conducted a regulatory analysis,
which asserted that TWIC would increase security. The analysis included
an evaluation of the costs and benefits related to implementing TWIC.
However, DHS did not conduct a risk-informed cost-benefit analysis that
considered existing security risks. For example, the analysis did not
account for the costs and security risks associated with designing
program controls to prevent an individual from acquiring an authentic
TWIC using a fraudulent identity and limiting access to secure areas of
MTSA-regulated facilities and vessels to those with a legitimate need,
in accordance with stated mission needs. As a proposed regulation on
the use of TWIC with biometric card readers is under development, DHS
is to issue a new regulatory analysis. Conducting a regulatory analysis
using the information from the internal control and effectiveness
assessments as the basis for evaluating the costs, benefits, security
risks, and needed corrective actions could better inform and enhance
the reliability of the new regulatory analysis. Moreover, these actions
could help DHS identify and assess the full costs and benefits of
implementing the TWIC program in a manner that will meet stated mission
needs and mitigate existing security risks, and help ensure that the
TWIC program is more effective and cost-efficient than existing
measures or alternatives at enhancing maritime security.
---------------------------------------------------------------------------
\76\ Office of Management and Budget, Circular A-4, Regulatory
Analysis (Revised Sept. 17, 2003) provides guidance to Federal agencies
on the development of regulatory analysis as required by Executive
Order 12866 of September 30, 1993, as amended by Executive Order 13258
of February 26, 2002, and Executive Order 13422 of January 18, 2007,
``Regulatory Planning and Review.'' According to Executive Order 12866,
agencies should adhere to certain specified principles, such as: (1)
with respect to setting regulatory priorities, each agency shall
consider, to the extent reasonable, the degree and nature of the risks
posed by various substances or activities within its jurisdiction, and
(2) each agency shall base its decisions on the best reasonably
obtainable scientific, technical, economic, and other information
concerning the need for, and consequences of, the intended regulation.
According to Circular A-4, a regulatory analysis should include the
following three basic elements: (1) a statement of the need for the
proposed action, (2) an examination of alternative approaches, and (3)
an evaluation of the benefits and costs--quantitative and qualitative--
of the proposed action and the main alternatives identified by the
action. The evaluation of benefits and costs is to be informed by a
risk assessment.
---------------------------------------------------------------------------
Coast Guard's Approach for Monitoring and Enforcing TWIC Compliance
Could Be Improved by Enhancing Its Collection and Assessment of
Maritime Security
Information
Internal control standards state that: (1) internal controls should
be designed to ensure that ongoing monitoring occurs in the course of
normal operations, and (2) information should be communicated in a form
and within a time-frame that enables management to carry out its
internal control responsibilities.\77\ Further, our prior work has
stated that Congress also needs information on whether and in what
respects a program is working well or poorly to support its oversight
of agencies and their budgets, and agencies' stakeholders need
performance information to accurately judge program effectiveness.\78\
The Coast Guard uses its Marine Information for Safety and Law
Enforcement (MISLE) database to meet these needs by recording
activities related to MTSA-regulated facility and vessel oversight,
including observations of TWIC-related deficiencies.\79\ The purpose of
MISLE is to provide the capability to collect, maintain, and retrieve
information necessary for the administration, management, and
documentation of Coast Guard activities. In February 2008, we reported
that flaws in the data in MISLE limit the Coast Guard's ability to
accurately portray and appropriately target oversight activities.\80\
---------------------------------------------------------------------------
\77\ See GAO/AIMD-00-21.3.1.
\78\ See GAO/GGD-96-118.
\79\ MISLE began operating in December 2001 and is the Coast
Guard's primary data system for documenting facility oversight and
other activities.
\80\ We recommended that, among other things, the Coast Guard
assess MISLE compliance data, including the completeness of the data,
data entry, consistency, and data field problems, and make any changes
needed to more effectively use MISLE data. DHS concurred with this
recommendation. The Coast Guard acknowledged the need for improvement
in MISLE compliance data and has taken initial steps to reduce some of
the database concerns identified in our previous work. However, as of
January 2011, the recommendation has not been fully addressed. See GAO,
Maritime Security: Coast Guard Inspections Identify and Correct
Facility Deficiencies, but More Analysis Needed of Program's Staffing,
Practices, and Data, GAO-08-12 (Washington, D.C.: Feb. 14, 2008).
---------------------------------------------------------------------------
In accordance with Coast Guard policy, Coast Guard inspectors are
required to verify TWIC cards during annual compliance exams and
security spot checks, and may do so in the course of other Coast Guard
duties. As part of each inspection, Coast Guard inspectors are, among
other things, to: (1) ensure that the card is authentic by examining it
to visually verify that it has not been tampered with; (2) verify
identity by comparing the photograph on the card with the TWIC holder
to ensure a match; (3) check the card's physical security features; and
(4) ensure the TWIC is valid--a check of the card's expiration date.
Additionally, Coast Guard inspectors are to assess the proficiency of
facility and vessel security personnel in complying with TWIC
requirements through various means including oral examination, actual
observation, and record review. Coast Guard inspectors randomly select
workers to check their TWICs during inspections. The number of TWIC
cards checked is left to the discretion of the inspectors.
As of December 17, 2010, according to Coast Guard data, 2,135
facilities have undergone at least 2 MTSA inspections as part of annual
compliance exams and spot checks. In reviewing the Coast Guard's
records of TWICrelated enforcement actions, we found that, in addition
to verifying the number of inspections conducted, the Coast Guard is
generally positioned to verify that TWIC cards are being checked by
Coast Guard inspectors and, of the card checks that are recorded, the
number of cardholders who are compliant and noncompliant. For instance,
the Coast Guard reported inspecting 129,464 TWIC holders' cards from
May 2009 through January 6, 2011. The Coast Guard reported that 124,203
of the TWIC holders, or 96 percent, were found to be compliant--
possessed a valid TWIC.\81\ However, according to Coast Guard
officials, local Coast Guard inspectors may not always or consistently
record all inspection attempts. Consequently, while Coast Guard
officials told us that inspectors verify TWICs as part of all security
inspections, the Coast Guard could not reliably provide the number of
TWICs checked during each inspection.
---------------------------------------------------------------------------
\81\ These numbers represent a combination of visual and electronic
verifications because the TWIC verification window in MISLE is not
currently designed to capture whether cards are verified visually or
electronically. According to Coast Guard officials, with the recent
deployment of handheld readers to Coast Guard units, the Coast Guard is
in the process of enhancing MISLE to include the ability to distinguish
between the number of visual inspections of cards and the number of
verifications conducted using the handheld readers.
---------------------------------------------------------------------------
Since the national compliance deadline in April 2009 requiring TWIC
use at MTSA-regulated facilities and vessels, the Coast Guard has not
identified major concerns with TWIC implementation nationally. However,
while the Coast Guard uses MISLE to track program compliance, because
of limitations in the MISLE system design, the processes involved in
the collection, cataloguing, and querying of information cannot be
relied upon to produce the management information needed to assess
trends in compliance with the TWIC program or associated
vulnerabilities. For instance, when inspectors document a TWIC card
verification check, the system is set up to record the number of TWICs
reviewed for different types of workers and whether the TWIC holders
are compliant or noncompliant. However, other details on TWIC-related
deficiencies, such as failure to ensure that all facility personnel
with security duties are familiar with all relevant aspects of the TWIC
program and how to carry them out, are not recorded in the system in a
form that allows inspectors or other Coast Guard officials to easily
and systematically identify that a deficiency was related to TWIC. For
example, from January 2009 through December 2010, the Coast Guard
reported issuing 145 enforcement actions as a result of annual
compliance exams or security spot checks at the 2,135 facilities that
have undergone the inspections.\82\ These included 57 letters of
warning, 40 notices of violation, 32 civil penalties, and 16 operations
controls (suspension or restriction of operations). However, it would
be labor-intensive for the Coast Guard to identify how many of the 57
letters of warning or 40 notices of violation were TWIC related,
according to a Coast Guard official responsible for TWIC compliance,
because there is not an existing query designed to extract this
information from the system. Someone would have to manually review each
of the 97 inspection reports in the database indicating either a letter
of warning or a notice of violation to verify whether or not the
deficiencies were TWIC related. As such, the MISLE system is not
designed to readily provide information that could help management
measure and assess the overall level of compliance with the TWIC
program or existing vulnerabilities.
---------------------------------------------------------------------------
\82\ According to the Coast Guard, 2,509 facilities are subject to
MTSA and must actively implement TWIC provisions.
---------------------------------------------------------------------------
According to a Coast Guard official responsible for TWIC
compliance, Coast Guard headquarters staff has not conducted a trend
analysis of the deficiencies found during reviews and inspections and
there are no other analyses they planned to conduct regarding
enforcement until after readers are required to be used. According to
the Coast Guard, it can generally identify the number of TWICs checked
and recorded in the MISLE system. However, it cannot perform trend
analysis of the deficiencies as it would like to do, as it requires
additional information. In the interim, as of January 7, 2011, the
Coast Guard reported deploying 164 handheld biometric readers
nationally to units responsible for conducting inspections.\83\ These
handheld readers are intended to be the Coast Guard's primary means of
TWIC verification. During inspections, Coast Guard inspectors use the
card readers to electronically check TWICs in three ways: (1)
verification--a biometric one-to-one match of the fingerprint; (2)
authentication--electronically confirming that the certificates on the
credential are authentic; and (3) validation--electronically check the
card against the ``hotlist'' of invalid or revoked cards. The Coast
Guard believes that the use of these readers during inspections will
greatly improve the effectiveness of enforcement efforts and enhance
record keeping through the use of the readers' logs.
---------------------------------------------------------------------------
\83\ The Coast Guard estimated a need for 300 handheld biometric
readers, based on an estimate of 5 readers for each of the Coast
Guard's major field inspections units across the country.
---------------------------------------------------------------------------
As a result of limitations in MISLE design and the collection and
recording of inspection data, it will be difficult for the Coast Guard
to identify trends nationwide in TWIC-related compliance, such as
whether particular types of facilities or a particular region of the
country have greater levels of noncompliance, on an ongoing basis.
Coast Guard officials acknowledged these deficiencies and reported that
they are in the process of making enhancements to the MISLE database
and plan to distribute updated guidance on how to collect and input
information into MISLE to the Captains of the Port. However, as of
January 2011, the Coast Guard had not yet set a date for implementing
these changes. Further, while this is a good first step, these
enhancements do not address weaknesses related to the collection
process and querying of MISLE information so as to facilitate the Coast
Guard performing trend analysis of the deficiencies as part of its
compliance reviews. By designing and implementing a cost-effective and
practical method for collecting, cataloging, and querying TWIC-related
compliance information, the Coast Guard could be better positioned to
identify and assess TWIC-related compliance and enforcement trends, and
to obtain management information needed to assess and understand
existing vulnerabilities with the use of TWIC.
Conclusions
As the TWIC program continues on the path to full implementation--
with potentially billions of dollars needed to install TWIC card
readers in thousands of the Nation's ports, facilities, and vessels at
stake--it is important that Congress, program officials, and maritime
industry stakeholders fully understand the program's potential benefits
and vulnerabilities, as well as the likely costs of addressing these
potential vulnerabilities. Identified internal control weaknesses and
vulnerabilities include weaknesses in controls related to preventing
and detecting identity fraud, assessing the security threat that
individuals with extensive criminal histories pose prior to issuing a
TWIC, and ensuring that TWIC holders continue to meet program
eligibility requirements. Thus, conducting an internal control
assessment of the program by analyzing controls, identifying related
weaknesses and risks, and determining cost-effective actions to correct
or compensate for these weaknesses could better position DHS to provide
reasonable assurance that control weaknesses do not impede the program
from meeting mission needs.
In addition, conducting an effectiveness assessment could help
provide reasonable assurance that the use of TWIC enhances the posture
of security beyond efforts already in place or identify the extent to
which TWIC may possibly introduce security vulnerabilities because of
the way it has been designed and implemented. This assessment, along
with the internal controls assessment, could be used to enhance the
regulatory analysis to be conducted as part of implementing a
regulation on the use of TWIC with readers. More specifically,
considering identified security risks and needed corrective actions as
part of the regulatory analysis could provide insights on the full
costs and benefits of implementing the TWIC program in a manner that
will meet stated mission needs and mitigate existing security risks.
This is important because, unlike prior access control approaches which
allowed access to a specific facility, the TWIC potentially facilitates
access to thousands of facilities once the Federal Government attests
that the TWIC holder has been positively identified and is deemed not
to be a security threat. Further, doing so as part of the regulatory
analysis could better assure DHS, Congress, and maritime stakeholders
that TWIC program security objectives will be met. Finally, by
designing and implementing a cost-effective and practical method for
collecting, cataloging, and querying TWIC-related compliance
information, the Coast Guard could be better positioned to identify
trends and to obtain management information needed to assess and
understand existing vulnerabilities with the use of TWIC.
Recommendations for Executive Action
To identify effective and cost-efficient methods for meeting TWIC
program objectives, and assist in determining whether the benefits of
continuing to implement and operate the TWIC program in its present
form and planned use with readers surpass the costs, we recommend that
the Secretary of Homeland Security take the following four actions:
Perform an internal control assessment of the TWIC program
by: (1) analyzing existing controls, (2) identifying related
weaknesses and risks, and (3) determining cost-effective
actions needed to correct or compensate for those weaknesses so
that reasonable assurance of meeting TWIC program objectives
can be achieved. This assessment should consider weaknesses we
identified in this report among other things, and include:
strengthening the TWIC program's controls for preventing
and detecting identity fraud, such as requiring certain
biographic information from applicants and confirming the
information to the extent needed to positively identify the
individual, or implementing alternative mechanisms to
positively identify individuals;
defining the term extensive criminal history for use in
the adjudication process and ensuring that adjudicators
follow a clearly defined and consistently applied process,
with clear criteria, in considering the approval or denial
of a TWIC for individuals with extensive criminal
convictions not defined as permanent or interim
disqualifying offenses; and
identifying mechanisms for detecting whether TWIC holders
continue to meet TWIC disqualifying criminal offense and
immigration-related eligibility requirements after TWIC
issuance to prevent unqualified individuals from retaining
and using authentic TWICs.
Conduct an effectiveness assessment that includes addressing
internal control weaknesses and, at a minimum, evaluates
whether use of TWIC in its present form and planned use with
readers would enhance the posture of security beyond efforts
already in place given costs and program risks.
Use the information from the internal control and
effectiveness assessments as the basis for evaluating the
costs, benefits, security risks, and corrective actions needed
to implement the TWIC program in a manner that will meet stated
mission needs and mitigate existing security risks as part of
conducting the regulatory analysis on implementing a new
regulation on the use of TWIC with biometric card readers.
Direct the Commandant of the Coast Guard to design effective
methods for collecting, cataloguing, and querying TWIC-related
compliance issues to provide the Coast Guard with the
enforcement information needed to assess trends in compliance
with the TWIC program and identify associated vulnerabilities.
Agency Comments and Our Evaluation
We provided a draft of the sensitive version of this report to the
Secretary of Homeland Security for review and comment on March 18,
2011. DHS provided written comments on behalf of the Department, the
Transportation Security Administration, and the United States Coast
Guard, which are reprinted in full in appendix IV. In commenting on our
report, DHS stated that it concurred with our four recommendations and
identified actions planned or under way to implement them.
While DHS did not take issue with the results of our work, DHS did
provide new details in its response that merit additional discussion.
First, DHS noted that it is working to strengthen controls around
applicant identity verification in TWIC, but that document fraud is a
vulnerability to credential-issuance programs across the Federal
Government, state and local governments, and the private sector. DHS
further noted that a governmentwide infrastructure does not exist for
information sharing across all entities that issue documents that other
programs, such as TWIC, use to positively authenticate an individual's
identity. We acknowledge that such a government-wide infrastructure
does not exist, and, as discussed in our report, recognize that there
are inherent weaknesses in relying on identity documents alone to
confirm an individual's identity. However, positively identifying
individuals--or confirming their identity--and determining their
eligibility for a TWIC is a key stated program goal. Issuing TWICs to
individuals without positively identifying them and subsequently
assuring their eligibility could, counter to the program's intent,
create a security vulnerability. While we recognize that additional
costs could be imposed by requiring positive identification checks,
taking actions to strengthen the existing identity authentication
process, such as only accepting documents that TSA can and does confirm
to be authentic with the issuing agency, and verifying an applicant's
business need, could enhance TWIC program efforts to prevent and detect
identity fraud and enhance maritime security.
Second, DHS stated that it is working to continually verify TWIC-
holder eligibility after issuance but also noted the limitations in the
current process. While TSA does receive some criminal history records
information when it sends fingerprints to the FBI, the information is
not provided recurrently, nor is the information necessarily complete.
DHS stated that to provide the most robust recurrent vetting against
criminal records, TSA would need access to additional state and Federal
systems, and have additional authority to do so. As we reported, FBI
and TWIC officials stated that because the TWIC background check is
considered to be for a noncriminal justice purpose, policy and
statutory provisions hamper the program from running the broader FBI
fingerprint-based check using the fingerprints collected at enrollment
on an ongoing basis. However, we continue to believe that TSA could
compensate for this weakness by leveraging existing mechanisms
available to maritime stakeholders. For example, other governing
entities--such as the Alabama State Port Authority--that have an
interest in ensuring the security of the maritime environment, might be
willing to establish a mechanism for independently sharing relevant
information when warranted. Absent efforts to leverage available
information sources, TSA may not be successful in tempering existing
limitations.
Lastly, DHS sought clarification on the reporting of our
investigators' success at breaching security at ports during covert
testing. Specifically, in its comments, DHS noted that it believes that
our report's focus on access to port areas rather than access to
individual facilities can be misleading. DHS noted that we do not
report on the number of facilities that our investigators attempted to
gain access to within each port area. DHS stated that presenting the
breaches in terms of the number of port areas breached rather than the
number of facilities paints a more troublesome picture of the actual
breaches that occurred. We understand DHS's concern but continue to
believe that the results of our investigators' work, as reported,
fairly and accurately represents the results and significance of the
work conducted. The goal of the covert testing was to assess whether or
not weaknesses exist at ports with varying characteristics across the
nation, not to define the pervasiveness of existing weaknesses by type
of facility, volume, or other characteristic. Given the numerous
differences across facilities and the lack of publicly available
information and related statistics for each of the approximately 2,509
MTSA-regulated facilities, we identified covert testing at the port
level to be the proper unit of analysis for our review and reporting
purposes. Conducting a detailed assessment of the pervasiveness of
existing weaknesses by type of facility, volume, or other
characteristics as suggested by DHS would be a more appropriate tasking
for the Coast Guard as part of its continuing effort to ensure
compliance with TWIC-related regulations.
In addition, with regard to covert testing, DHS further commented
that the report does not distinguish among breaches in security using a
counterfeit TWIC or an authentic TWIC card obtained with fraudulent
documents. DHS noted that because there is no ``granularity'' with the
report as to when a specific card was used, one can be left with the
unsupported impression that individual facilities in all cases were
failing to implement TWIC visual inspection requirements. For the above
noted reason, we did not report on the results of covert testing at the
facility level. However, our records show that use of counterfeit TWICs
was successful for gaining access to more than one port where our
investigators breached security. Our investigators further report that
security officers never questioned the authenticity of TWICs presented
for acquiring access. Our records show that operations at the locations
our investigators breached included cargo, containers, and fuel, among
others.
In addition, TSA provided written technical comments, which we
incorporated into the report, as appropriate.
We are sending copies of this report to the Secretary of Homeland
Security, the Assistant Secretary for the Transportation Security
Administration, the Commandant of the United States Coast Guard, and
appropriate congressional committees. In addition, this report is
available at no charge on the GAO website at http://www.gao.gov.
If you or your staff have any questions about this report, please
contact me.
Stephen M. Lord
Director, Homeland Security and Justice Issues
List of Requesters
The Honorable John D. Rockefeller, IV
Chairman
Committee on Commerce, Science, and Transportation
U.S. Senate
The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
U.S. Senate
The Honorable John L. Mica
Chairman
Committee on Transportation and Infrastructure
House of Representatives
The Honorable Bennie G. Thompson
Ranking Member
Committee on Homeland Security
House of Representatives
The Honorable Frank R. Lautenberg
Chairman
Subcommittee on Surface Transportation and Merchant Marine
Infrastructure, Safety, and Security
Committee on Commerce, Science, and Transportation
U.S. Senate
The Honorable Olympia J. Snowe
Ranking Member
Subcommittee on Oceans, Atmosphere, Fisheries, and Coast Guard
Committee on Commerce, Science, and Transportation
U.S. Senate
The Honorable Frank A. LoBiondo
Chairman
Subcommittee on Coast Guard and Maritime Transportation
Committee on Transportation and Infrastructure
House of Representatives
The Honorable Mike Rogers
Chairman
Subcommittee on Transportation Security
Committee on Homeland Security
House of Representatives
The Honorable Candice S. Miller
Chairwoman
Subcommittee on Border and Maritime Security
Committee on Homeland Security
House of Representatives
______
Appendix I: Key Steps in the TWIC Enrollment Process
Transportation workers are enrolled by providing biographic
information, such as name, date of birth, and address, and proof of
identity documents, and then photographed and fingerprinted at 1 of
approximately 149 enrollment centers by trusted agents. A trusted agent
is a member of the TWIC team who has been authorized by the Federal
Government to enroll transportation workers in the TWIC program and
issue TWIC cards. Trusted agents are subcontractor staff acquired by
Lockheed Martin as part of its support contract with TSA for the TWIC
program. Table 2 below summarizes key steps in the enrollment process.
------------------------------------------------------------------------
Table 2.--TWIC Enrollment Process Summary
------------------------------------------------------------------------
------------------------------------------------------------------------
1. The TWIC applicant fills out a TWIC
Application and Disclosure Form and
affirms that the information he or
she is providing to TSA is truthful.
2. The applicant is required to present
documentation to establish his or
her identity to the trusted agent at
the enrollment center. The
documentation required is dependant
upon the applicant's legal presence
in the United States or whether the
applicant was born in the United
States.
3. The trusted agent (government
contractor) captures the applicant's
biographic information, such as name
and date of birth, in the TWIC
system. This can be done in various
ways, such as by scanning
fingerprints and certain identity
documents or by manually typing
information into the system.
4. The trusted agent reviews the
identity documents to establish and
confirm the applicant's identity and
to confirm the documents'
authenticity by reviewing the
physical security features on the
documents.
5. The trusted agent scans the identity
documents to record a digital image
of the applicant's identity
information.
6. The trusted agent uses a machine-
readable document scanning device to
assess the risk of certain documents
being fraudulent. Not all documents
can be assessed using this device.
7. The applicant's 10 fingerprints
(where available) are captured in
the system. The presence of
nonsuitable fingerprints or lack of
a finger for biometric use is
documented in the system by the
trusted agent.
8. The applicant's digital picture is
taken.
9. The enrollment record is completed,
encrypted, and is forwarded by the
trusted agent to undergo the TWIC
program's background checking
procedures.
------------------------------------------------------------------------
Source: GAO analysis of the TWIC program enrollment process and
documentation.
______
Appendix II: TWIC Program Funding
According to TSA and Federal Emergency Management Agency (FEMA)
program officials, from Fiscal Year 2002 through 2010, the TWIC program
had funding authority totaling $420 million. Through Fiscal Year 2009,
$111.5 million in appropriated funds, including reprogramming and
adjustments, had been provided to TWIC (see table 3 below). An
additional $196.8 million in funding was authorized from Fiscal Years
2008 through 2010 through the collection of TWIC enrollment fees by
TSA, and $111.7 million had been made available to maritime facilities
implementing TWIC from FEMA grant programs--the Port Security Grant
Program and the Transit Security Grant Program--from Fiscal Years 2006
through 2010. In addition, industry has spent between approximately
$185.7 million and $234 million to purchase 1,765,110 TWICs as of
January 6, 2011.\1\ The costs for implementing the TWIC program, as
estimated by TSA for informing the regulation on requiring the use of
TWIC as an identification credential, is from $694.3 million to $3.2
billion over a 10-year period. This estimate includes the costs related
to purchasing TWICs and visually inspecting them. However, this
estimate does not include the costs related to implementing TWIC with
biometric card readers or related access control systems.\2\
---------------------------------------------------------------------------
\1\ Range based on a reduced fee of $105.25 per TWIC for workers
with current, comparable background checks or a $132.50 fee per TWIC
for those without.
\2\ See Transportation Worker Identification Credential (TWIC)
Implementation in the Maritime Sector; Final Rule, 72 Fed. Reg. 3492,
3571 (2007).
----------------------------------------------------------------------------------------------------------------
Table 3.--TWIC Program Funding from Fiscal Years 2002 through 2010
Dollars in millions
----------------------------------------------------------------------------------------------------------------
Federal security
Fiscal year Appropriated Reprogramming Adjustments TWIC fee grant awards Total funding
authority a related to TWIC b authority
----------------------------------------------------------------------------------------------------------------
2002 0 0 0 0 0 0
----------------------------------------------------------------------------------------------------------------
2003 $5.0 0 $20 0 0 $25.0
----------------------------------------------------------------------------------------------------------------
2004 $49.7 0 0 0 0 $49.7
----------------------------------------------------------------------------------------------------------------
2005 $5.0 0 0 0 0 $5.0
----------------------------------------------------------------------------------------------------------------
2006 0 $15.0 0 0 $24.3 $39.3
----------------------------------------------------------------------------------------------------------------
2007 0 $4.0 $4.7 0 $31.5 c $40.2
----------------------------------------------------------------------------------------------------------------
2008 $8.1 0 0 $42.5 $18.0 $68.6
----------------------------------------------------------------------------------------------------------------
2009 0 0 0 $109.3 $22.2 d $131.5
----------------------------------------------------------------------------------------------------------------
2010 0 0 0 $45.0 $15.7 $60.7
----------------------------------------------------------------------------------------------------------------
Total $67.8 $19.0 $24.7 $196.8 $111.7 $420
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of TWIC program funding reported by TSA and FEMA.
a Figures in the TWIC fee authority column represent the dollar amount TSA is authorized to collect from TWIC
enrollment fees and not the actual dollars collected. TSA reports to have collected $41.7 million for Fiscal
Year 2008, $76.2 million for Fiscal Year 2009, and $30.6 million for Fiscal Year 2010.
b According to FEMA, many of these awards are issued as cooperative agreements and, as such, the scope and
amounts may change as the project(s) proceed. Also, FEMA has not received projects from all grant recipients
so the total number of projects may increase slightly over time.
c Federal security grant funding subtotal for Fiscal Year 2007 includes $19.2 million in Fiscal Year Port
Security Grant Program funding, $10.8 million in supplemental funding, and $1.5 million in Transit Security
Grant Program funding.
d Federal security grant funding subtotal for Fiscal Year 2009 includes $3.9 million in Fiscal Year Port
Security Grant Program funding and an additional $18.3 million in American Recovery and Reinvestment Act of
2009 (Pub. L. No. 111-5, 123 Stat. 115 (2009)) funding.
______
Appendix III: List of Documents U.S.-Born Citizens or Nationals Must
Select from to Present When Applying for a TWIC
TWIC applicants who are citizens of the United States (or its
outlying possessions) and were born inside the United States (or its
outlying possessions), must provide one document from list A or two
documents from list B. If two documents from list B are presented, at
least one of them must be a government-issued photo identification,
such as a state-issued driver's license, military ID card, or state
identification card.
List A
Unexpired United States passport book or passport card
Unexpired Merchant Mariner Document
Unexpired Free and Secure Trade Card \1\
---------------------------------------------------------------------------
\1\ The Free and Secure Trade (FAST) Card is to be issued to
approved commercial drivers to facilitate the travel of low-risk
screened shipments across the borders between the U.S.-Canadian border
and to the U.S. from Mexico.
Unexpired NEXUS Card \2\
---------------------------------------------------------------------------
\2\ The NEXUS card can be used as an alternative to the passport
for air, land, and sea travel into the United States for U.S. and
Canadian citizens. The NEXUS program allows prescreened travelers
expedited processing by United States and Canadian officials at
dedicated processing lanes at designated northern border ports of
entry, at NEXUS kiosks at Canadian Preclearance airports, and at marine
reporting locations.
Unexpired Secure Electronic Network for Travelers Rapid
Inspection Card
List B
Unexpired driver's license issued by a state or outlying
possession of the United States
Unexpired identification card issued by a state or outlying
possession of the United States. Must include a state or state
agency seal or logo (such as state port authority
identification or state university identification)
Original or certified copy of birth certificate issued by a
state, county, municipal authority, or outlying possession of
the United States bearing an official seal
Voter's registration card
United States military identification card or United States
retired military identification
United States military dependent's card
Expired United States passport (within 12 months of
expiration)
Native American tribal document (with photo)
United States Social Security card
United States military discharge papers (DD-214)
Department of Transportation medical card
United States civil marriage certificate
Unexpired Merchant Mariner License bearing an official
raised seal, or a certified copy
Unexpired Department of Homeland Security/Transportation
Security Administration Transportation Worker Identification
Credential Card
Unexpired Merchant Mariner Credential
______
Appendix IV: Criminal Offenses That May Disqualify Applicants from
Acquiring a TWIC
Listed below are criminal offenses that can prevent TWIC applicants
from being issued a TWIC. Pursuant to TSA implementing regulations,
permanent disqualifying offenses are offenses defined in 49 C.F.R.
1572.103(a). Permanent disqualifying offenses that can be waived are
those offenses defined in 49 C.F.R. 1572.103(a) for which a waiver can
be granted in accordance with 49 C.F.R. 1515.7(a)(i). Interim
disqualifying offenses are offenses defined in 49 C.F.R. 1572.103(b)
for which the applicant has either been: (1) convicted, or found not
guilty by reason of insanity, within a 7-year period preceding the TWIC
application, or (2) incarcerated for within a 5-year period preceding
the TWIC application. Applicants with certain permanent criminal
offenses and all interim disqualifying criminal offenses may request a
waiver of their disqualification. In general, TSA may issue such a
waiver and grant a TWIC if TSA determines that an applicant does not
pose a security threat based upon the security threat assessment.
Permanent disqualifying criminal offenses for which no waiver may
be granted.
1. Espionage, or conspiracy to commit espionage.
2. Sedition, or conspiracy to commit sedition.
3. Treason, or conspiracy to commit treason.
4. A Federal crime of terrorism as defined in 18 U.S.C.
2332b(g), or comparable state law, or conspiracy to commit such
crime.
Permanent disqualifying criminal offenses for which a waiver may be
granted.
1. A crime involving a transportation security incident. A
transportation security incident is a security incident
resulting in a significant loss of life, environmental damage,
transportation system disruption, or economic disruption in a
particular area, as defined in 46 U.S.C. � 70101. The term
economic disruption does not include a work stoppage or other
employee-related action not related to terrorism and resulting
from an employer-employee dispute.
2. Improper transportation of a hazardous material under 49
U.S.C. � 5124, or a state law that is comparable.
3. Unlawful possession, use, sale, distribution, manufacture,
purchase, receipt, transfer, shipping, transporting, import,
export, storage of, or dealing in an explosive or explosive
device. An explosive or explosive device includes, but is not
limited to, an explosive or explosive material as defined in 18
U.S.C. �� 232(5), 841(c) through 841(f), and 844(j); and a
destructive device, as defined in 18 U.S.C. � 921(a)(4) and 26
U.S.C. � 5845(f).
4. Murder.
5. Making any threat, or maliciously conveying false
information knowing the same to be false, concerning the
deliverance, placement, or detonation of an explosive or other
lethal device in or against a place of public use, a state or
government facility, a public transportations system, or an
infrastructure facility.
6. Violations of the Racketeer Influenced and Corrupt
Organizations Act, 18 U.S.C. �1961, et seq. , or a comparable
state law, where one of the predicate acts found by a jury or
admitted by the defendant, consists of one of the crimes listed
in paragraph 49 C.F.R. � 1572.103(a).
7. Attempt to commit the crimes in paragraphs listed under 49
C.F.R. � 1572.103(a)(1) through (a)(4).
8. Conspiracy or attempt to commit the crimes in 49 C.F.R. �
1572.103(a)(5) through (a)(10).
The interim disqualifying felonies.
1. Unlawful possession, use, sale, manufacture, purchase,
distribution, receipt, transfer, shipping, transporting,
delivery, import, export of, or dealing in a firearm or other
weapon. A firearm or other weapon includes, but is not limited
to, firearms as defined in 18 U.S.C. � 921(a)(3) or 26 U.S.C. �
5845(a), or items contained on the United States Munitions
Import List at 27 CFR � 447.21.
2. Extortion.
3. Dishonesty, fraud, or misrepresentation, including identity
fraud and money laundering where the money laundering is
related to a crime described in 49 C.F.R. � 1572.103(a) or (b).
Welfare fraud and passing bad checks do not constitute
dishonesty, fraud, or misrepresentation for purposes of this
paragraph.
4. Bribery.
5. Smuggling.
6. Immigration violations.
7. Distribution of, possession with intent to distribute, or
importation of a controlled substance.
8. Arson.
9. Kidnapping or hostage taking.
10. Rape or aggravated sexual abuse.
11. Assault with intent to kill.
12. Robbery.
13. Fraudulent entry into a seaport as described in 18 U.S.C. �
1036, or a comparable state law.
14. Violations of the Racketeer Influenced and Corrupt
Organizations Act, 18 U.S.C. � 1961, et seq., or a comparable
state law, other than the violations listed in paragraph 49
C.F.R. � 1572.103(a)(10).
15. Conspiracy or attempt to commit the interim disqualifying
felonies.
______
Appendix V: Comparison of Authentic and Counterfeit TWICs
Figure 1: Comparison of Authentic and Counterfeit TWICs
Details from this section were removed because the agency deemed
them to be sensitive security information.
______
Appendix VI: Comments from the Department of Homeland Security
U.S. Department or Homeland Security
Washington, DC, May 5, 2011
Mr. Stephen M. Lord,
Director, Homeland Security and Justice Issues,
U.S. Government Accountability Office,
Washington, DC.
Dear Mr. Lord:
Re: GAO-11-657, Draft Report, Transportation Worker Identification
Credential: Internal Control Weaknesses Need to be
Corrected to Help Achieve Security Objectives
Thank you for the opportunity to review and comment on this draft
report. The U.S. Department of Homeland Security (DHS) appreciates the
U.S. Government Accountability Office's (GAO's) work in planning and
conducting its review and issuing this report.
Transportation Worker Identification Credential (TWIC) is a vital
security program that is jointly administered by the U.S. Coast Guard
(USCG) and the Transportation Security Administration (TSA). TSA is
responsible for enrollment, vetting, and card production, with the
support of the U.S. Citizenship and Immigration Services, while the
USCG governs access control requirements and has primary responsibility
for enforcement. As of March 2011, TSA has enrolled and vetted more
than 1.8 million maritime workers. As a result of DHS's rigorous
vetting process, 35,661 individuals were denied from receiving a TWIC.
DHS agrees that more work is needed to strengthen existing security
controls and has begun efforts to address many of the GAO's findings.
DHS Increasing Applicant Identity Verification Controls
DHS is working to strengthen controls around applicant identity
verification in TWIC, knowing that document fraud is a vulnerability to
credential-issuance programs across Federal, state, and local
governments, and the private sector. To establish identity and proof-
of-citizenship, TWIC leverages documents issued by multiple Federal,
state, and local entities. However, a government-wide infrastructure
does not exist for information sharing across all entities that issue
the breeder documents that relying parties use to positively
authenticate an identity. TWIC follows best practices to mitigate the
risks from not having visibility or control of the physical
characteristics or the issuance process for these documents.
Specifically. TWIC uses document authentication readers and requires
fraudulent document training of its Trusted Agents as safeguards
against document fraud.
TWIC will benefit from national efforts to strengthen identity
documents. For example, DHS continues to work with the states to
implement the requirements of the REAL ID Act for more secure driver's
licenses, as well as the underlying issuance processes and procedures.
Furthermore, efforts are underway in the Federal Government, state
vital records agencies, and departments of motor vehicles to enhance
security related to core breeder documents. such as birth certificates,
which would assist in positive authentication.
TSA is also actively engaged with the DHS's United States Visitor
and Immigrant Status Indicator Technology (US-VISIT) program to include
TWIC applicant data into the US-VISIT database, referred to as IDENT.
Biometrics placed in IDENT are linked to specific biographic
information, enabling a person's identity to be established and then
verified by the U.S. Government.
TWIC is also strengthening safeguards against cards being misused
after issuance. An upcoming USCG rulemaking will include a requirement
for electronic verification of the TWIC card through use of card
readers. The use of electronic readers will provide the port or
facility authority in charge of access control decisions with a higher
level of assurance that the TWIC presented is authentic, valid (not
revoked), and unexpired.
DHS Working to Continually Verify TWIC Holder Eligibility after
Issuance
DHS strongly agrees on the value of recurrent vetting. DHS is
making progress in the effort to reasonably assure that TWIC holders
have maintained their eligibility once issued their TWICs. TSA conducts
recurrent checks of TWIC holders against the Terrorist Screening
Database and other databases. TSA has the authority to revoke TWICs
based on the results of recurrent vetting, and use of card readers for
electronic verification will strengthen the effectiveness of these
processes.
In order to provide the most robust recurrent vetting against
criminal history records, TSA needs full access to Criminal History
Records Information (CHRI), similar to that of a criminal justice
agency or law enforcement officer; this information is available at the
state level and accessed via the Interstate Identification Index
managed by the U.S. Department of Justice, Federal Bureau of
Investigation (FBI). Although TSA receives some CHRI when it sends
fingerprints to the FBI for initial vetting, the FBI does not perform
recurrent vetting of CHRI on behalf of TSA. The FBI has deemed that
TSA's security threat assessments for TWIC are non-criminal justice
activities. As a result, TSA is unable to request subsequent CHRI for
recurrent vetting without a submission of new fingerprints from the
individual. Additionally, TSA may not always receive all available
information because of the FBI's designation as ``non-criminal
justice'' purposes for TSA security threat assessments. States may not
upload all available information into the FBI biometric system and may
not respond to CHRI requests for ``non-criminal justice'' activities.
DHS has and will continue to work with the FBI and states to try to
expand access to the CHRI.
While not a final solution to the challenge of recurrent criminal
vetting, including TWIC data in IDENT would provide a framework to
initiate more recurrent vetting on CURL, where available, for TWIC
holders. In addition to supporting identity verification, biometric
data from IDENT is used to conduct vetting against criminals and
immigration violators. TSA and US-VISIT are working to include TWIC
data in the IDENT database.
DHS Clarification on GAO Breaches of MTSA-Regulated Ports
DHS would also like to address aspects of GAO's covert operation
defined in the report that we believe warrant further clarification.
DHS believes that the focus on access to port areas rather than
access to individual facilities can be misleading. Specifically, the
report states that GAO investigators successfully penetrated ports
between August 2009 and February 2010. However, the report does not
breakdown the number of facilities to which GAO attempted to gain
access within each port area. Each port is unique in design and
operation--ranging from some ports housing hundreds of individual
facilities spread over a large geographic area to other ports
containing only a few facilities in a small geographic area with one
main access control point. While GAO stated that it did not require its
covert investigators to record the individual attempts to access
facilities, investigators indicated during discussions with USCG that
they were successful in gaining unauthorized access at some individual
facilities within the port areas. The presentation of breaches at port
versus individual facilities paints a more troublesome picture of the
actual breaches that occurred.
Third, the report does not distinguish among fraud committed with
counterfeit TWIC cards, authentic TWIC cards obtained with fraudulent
documents, and access control decisions made by facility personnel.
Each type of fraud has a different mitigation technique. The fact that
a Facility Security Officer does not question what appears to be a
valid card should not be intertwined with cases in which a counterfeit
card was presented to gain access. Because there is no granularity
within the report as to when a specific card was used, one can be left
with the unsupported impression that individual facilities in all cases
were failing to implement TWIC visual inspection requirements. Or, as
written in this report, that ports failed to properly implement these
requirements.
Recent Developments
The GAO audit was beneficial in helping DHS identify immediate
actions that could strengthen the effectiveness of the TWIC program.
TSA has already taken steps to remedy some of the missing internal
controls that GAO has identified. Starting in January 2011, the TWIC
program initiated a 100-percent review of all fingerprint matches
received in the system. These matches could highlight potential fraud
in the TWIC enrollment process where one individual could be attempting
to enroll under a different identity and possibly with fraudulent
documents. During this process, the TWIC program has already referred
numerous cases to our Law Enforcement Investigations Unit where
investigations are under way.
On February 14, 2011, USCG Headquarters published additional
guidance to field units regarding the importance of TWIC inspections
and verifications. The guidance directed Captains of the Port to place
a higher priority on the review and validation of TWIC verification
procedures during the required Maritime Transportation Security Act
(MTSA) security inspections. Additionally, the guidance encouraged
Captains of the Port and the Facility Security Officers to take
advantage of training aids regarding the identification of fraudulent
TWICs published on Homeport-the USCG's Internet site for maritime
information.
As previously mentioned, the USCG is currently developing an
upcoming rulemaking that will include a requirement for card readers at
ports and facilities. The TWIC program has completed a pilot that
evaluated using card readers for electronic verification of the TWIC
card. DHS believes that electronic verification of TWIC cards will
significantly enhance protection against counterfeit, tampered, or
expired TWIC cards being used to gain access to secure facilities.
TSA is in the initial phases of a modernization effort for its
vetting infrastructure. This effort is aimed at consolidating
systematic processes related to conducting background checks with the
goal of improving the overall security and consistency of our
enrollment and vetting processes. As the modernization effort moves
forward, the TWIC program will continue to be heavily involved to
ensure that any internal control gaps or risks are addressed or further
mitigated.
GAO Recommendations
DHS takes the findings of this review very seriously. DHS strongly
believes that TWIC has an overall effect of strengthening the security
of our nation's ports. We also acknowledge and appreciate GAO's work to
identify opportunities to enhance current program controls. We
recognize that breaches did occur and that the Department and port
facility owners and operators need to take steps to enhance security.
DHS appreciates the opportunity to provide GAO with comments to its
audit recommendations.
``To identify effective and cost efficient methods for meeting TWIC
program objectives, and assist in determining whether the benefits of
continuing to implement and operate the TWIC program in its present
form and planned use with readers surpass the costs, we recommend that
the Secretary of Homeland Security take the following four actions:
Recommendation 1: Perform an internal control assessment of the
TWIC program by: (1) analyzing existing controls, (2) identifying
related weaknesses and risks, and (3) determining cost-effective
actions needed to correct or compensate for those weaknesses so that
reasonable assurance of meeting TWIG program objectives can be
achieved. This assessment should consider weaknesses we identified in
this report, among other things, and include:
strengthening the TWIC program's controls for preventing and
detecting identity fraud, such as requiring certain biographic
information from applicants and confirming the information to
the extent needed to positively identify the individual, or
implementing alternative mechanisms to positively identify
individuals;
defining the term extensive criminal history for use in the
adjudication process and ensuring that adjudicators follow a
clearly defined and consistently applied process, with clear
criteria, in considering the approval and denial of a TWIC for
individuals with extensive criminal convictions not defined as
a permanent or interim disqualifying offense, and;
identifying mechanisms for detecting whether TWIC-holders
continue to meet TWIC disqualifying criminal offense and
immigration-related eligibility requirements after TWIC
issuance to prevent unqualified individuals from retaining and
using authentic TWICs.''
Response: Concur. DHS agrees that an internal control assessment
should and will be performed. Once the final GAO report is issued, DHS
will initiate a comprehensive review of current internal controls with
a specific focus on the controls highlighted in this report. In the
interim, TSA and USCG are evaluating and implementing new internal
controls as discussed in this letter.
Recommendation 2: ``Conduct an effectiveness assessment that
includes addressing internal control weaknesses and, at a minimum,
evaluates whether use of TWIC in its present form and planned use with
readers would enhance the posture of security beyond efforts already in
place given costs and program risks.''
Response: Concur. DHS agrees that the results of the internal
control assessment should be used to further evaluate the effectiveness
of the TWIC program.
Recommendation 3: ``Use the information from the internal control
and effectiveness assessments as the basis for the evaluating the
costs, benefits, security risks, and corrective actions needed to
implement the TWIC program in a manner that will meet stated mission
needs and mitigate existing security risks as part of conducting the
regulatory analysis on implementing a new regulation on the use of TWIC
with biometric card readers.''
Response: Concur. As the internal control assessments progress, any
applicable data or risks will be communicated to USCG for consideration
during their regulatory analysis.
Recommendation 4: ``Direct the Commandant of the Coast Guard to
design effective methods for collecting, cataloging, and querying TWIC-
related compliance issues to provide the Coast Guard with the
enforcement information needed to assess trends in compliance with the
TWIC program and identify associated vulnerabilities.''
Response: Concur. USCG has already incorporated changes to its
current version of Marine Information for Safety and Law Enforcement
(MISLE) to enhance data collection since the TWIC compliance date of
April 15, 2009. Incorporation of additional changes is planned in a
future release of MISLE that will add to current capabilities to
collect data and allow for more detailed trend analysis.
Again, thank you for the opportunity to review and comment on this
draft report. We look forward to working with you on future Homeland
Security issues.
Sincerely,
Jim H. Crumpacker,
Director, Departmental GAO/OIG Liaison Office.
______
Appendix VII: GAO Contact and Staff
Stephen M. Lord at (202) 512-4379 or at [email protected]
Staff Acknowledgments
In addition to the contact named above, David Bruno (Assistant
Director), Joseph P. Cruz, Scott Fletcher, Geoffrey Hamilton, Richard
Hung, Lemuel Jackson, Linda Miller, Jessica Orr, and Julie E. Silvers
made key contributions to this report.
Senator Lautenberg. Thank you very much, Mr. Lord.
It's astounding to hear your testimony and see the large
percentage of those really not qualified to receive the card.
And then you said, being convicted of a felony does not
automatically disqualify a person from being eligible. And it
goes on to detail what kind of offenses: espionage, treason,
other offenses, such as murder or the unlawful possession of
explosive device. It sounds like we're not attracting, always,
the kinds of applicants that would qualify to get a card. And
that's a tough outcome for something that ought to be done much
differently.
Through your covert testing, you said you were able to
obtain fraudulent TWIC cards, and access secure facilities
using these cards. Now, what kind of threats are these to our
ports and our other secure facilities?
Mr. Lord. Well, in our report today, we reference a 2008
Coast Guard assessment, in which it states, very clearly, al
Qaeda considers U.S. ports and facilities to be legitimate
targets. Perhaps the Coast Guard witness could expound on that.
But, that to us, that's why this issue is important.
Senator Lautenberg. The fact of the matter is that there's
a question that invites a view of the magnitude of the problems
that are involved in having something that can be stabilized
and relied upon. And I wonder what other kinds of approaches
there might be in order to get this to be an easier program to
manage--one that's more reliable. Anyone want to make a quick
suggestion here on that regard?
Mr. Pistole?
Admiral Cook. Mr. Chairman, I would just go back a little
bit in history. I happen to have been the Captain of Port for
the Houston-Galveston area during 9/11. And at that time, when
we tried to bring into account--actually, before the MTSA, but
certainly recognizing that access control was very, very
important--that we tried to find a document that could be
universally recognized from facility to facility which,
typically, would have their own card. Sometimes they would
recognize driver's license. Sometimes they would recognize
other Federal ID cards. That was a very important thing for us
to address early on. So, as we move from that initial, you
know, implementation, and realizing that we needed to have more
secure ports in the future, looking forward to one card that
could be universally recognized, that guards could be trained
to recognize, security features could be built in. And I think
that that has been viewed as a very good thing. The Coast Guard
actually looks forward to the opportunity to maximize that card
through the use of card readers, which will then provide an
additional level of verification, authentication, and
validation. But--so, I--from my point of view, I would say that
the card has introduced a significant amount of security, and
certainly with my past experience----
Senator Lautenberg. Well, but there is--Admiral, there is a
suggestion that, in some ways, we might have not gained on it,
and exposed ourselves to more difficult problems in the future.
So, Mr. Pistole, before we discuss TSA's effort to address
port security, it was discovered that al Qaeda was planning an
attack on a U.S. rail line. To date, TSA's efforts on rail
security have been delayed and nearly nonexistent, compared to
aviation security. In light of this information, what immediate
steps are we taking to increase rail security measures?
Mr. Pistole. Thank you, Mr. Chairman. Well, obviously, as
soon as we got the word from the document exploitation from the
bin Laden raid and the killing of bin Laden, we engaged,
particularly, with our partners in the rail security,
particularly Amtrak for the Northeast Corridor, but all
passenger and freight rail, noting the context for this
information, coming from February of last year, and talking
about an attack on passenger rail for the 10th anniversary of
9/11. So, it's still months away. But, we passed that
information immediately and then worked with, particularly,
Amtrak Police, and others, in terms of what they were doing, in
terms of additional random, unpredictable patrols, both
uniformed officers, canines, explosive trace detection--all
those things that would serve as a deterrent, knowing that the
three things the terrorists are looking for, in terms of
deterrent, are additional police patrols, additional canines,
or closed-circuit television cameras, as long as they're not
suicide bombers, as we saw in London, on July 5 and 21 of 2005.
So, that's what we have done. We're obviously very much
interested in the Transportation Security Grant Program and the
outcome of Congress's decision on that, in terms of where that
will be--how much money we'll have to support both the training
efforts and the additional efforts that I've mentioned, in
terms of things such as infrastructure protection, whether it's
the Port Authority, Trans-Hudson, the PATH tunnels that you're
so familiar with, shoring up those vulnerabilities, and other
issues. So, those are some of the things we've done since that
announcement.
Senator Lautenberg. Senator Boozman.
Senator Boozman. Thank you, Mr. Chairman.
Mr. Lord, how much money has been spent on the project?
Mr. Lord. Since the inception of the program, it's
approximately $420 million. And that includes $111 million in
direct appropriations, $112 million in grants, including port
security grants and transit security grants, and approximately
$198 million raised in fees. Once you apply for a TWIC, you're
to pay $132.50. So, that represents a significant share of the
program proceeds.
Senator Boozman. After looking, the ability to essentially
very easily obtain a TWIC fraudulently, the fact that it looks
like--am I reading it right?--of the 1,676,000, 460,000--over
460,000 criminals, only one has been denied?
Mr. Lord. Actually, we didn't have full visibility over
that, but that's our understanding. Most--virtually all were
approved, and the one was denied, as part of that adjudication
process; once derogatory information is identified in the
application process. That's our understanding, which we include
in our report.
Senator Boozman. Based on your investigation, would a
normal driver's license from the states, now, that are required
to do the--you know, much more background check than they used
to, as far as who you are--would that be more secure identity
than the TWIC card? Or, is it at least as secure?
Mr. Lord. It's at least as secure, probably, in many cases,
more secure. That's our point.
Senator Boozman. We've spent all this money, and right
now--up to now, what we have is less secure than a driver's
license.
Mr. Lord. Yes. And that was the purpose of our report,
quite frankly. We identified some design flaws in the system--
some holes. We think they can be patched. And we also raised an
issue of facility training. The security guards play a key role
in the process, and they, perhaps, need to be provided some
additional training. They'll need to be a little more rigorous
in scrutinizing the credentials, which are currently being used
as a flash pass only. The biometric reader, that's the next
stage of the program.
Senator Boozman. And I guess, Admiral Cook, I would take
exception to your remark about the TWIC card making us--you
know, that we've had improvement by having it. And you can
comment on this, too, Mr. Lord, and you, Mr. Pistole. But, the
fact that we have this card that means nothing, or very little,
because Mr. Lord's group has demonstrated it's very easy to get
around it--to me, it makes us less secure than ever, because
when your guys check this card, they, in good faith, feel like
they're dealing--you know, this system--they have no idea that
the card wasn't valid--then it gives them a false sense that
they really shouldn't have at this point. Is that true or
false?
Admiral Cook. Senator--and this is not to be argumentative
in any way--the--I pretty--I'm starting, pre-9/11, in my mind.
But, then one of the things that--as I said, we're looking
forward to being able to move to the electronic reader. And
what the Coast Guard has done to try to move ahead on that is,
we deployed over 200 portable readers so that we can take
advantage of that biometrics. It still does not account for
someone that had a TWIC obtained based on fraudulent documents,
because then the--biometric in the card.
Senator Boozman. The point is, it's so easy to obtain these
things fraudulently.
Admiral Cook. Well, the--as the mariners and workers----
Senator Boozman. And this is not your problem. You're just
the guy that's checking. I don't----
Admiral Cook. Right.
Senator Boozman. But, again, I think it puts--you're all at
a disadvantage.
Mr. Lord, who initiated the GAO study?
Mr. Lord. It was this committee and eight other
Congressional committees.
Senator Boozman. Did you find any evidence, as you were
investigating, that anybody--the Coast Guard, TSA--were
concerned about this prior to your investigating the--was
this--did this seem something that was at the top of their
radar, as far as concerns about safety and security in this
area?
Mr. Lord. Oh, I think, absolutely, it was on their agenda;
it was on their radar. But just contextually, we have completed
a large body of work on TWIC-related issues over the last 5
years. We've worked very closely with TSA and the Coast Guard
on this. We have a good, collaborative relationship, and they
have taken steps to address some of the issues we identified in
our report.
Senator Boozman. Mr. Pistole, who in your agency--I find it
remarkable--you know, if you talk to the truckers and people
like that, you know checking records--and just employers, in
general, you know, with drug screenings and--this doesn't have
anything to do with drug screenings--but, just in general,
checking people out, whether or not they're going to drive a
schoolbus or whatever--it's remarkable that, of your people
with a criminal record, there's such a low, low, low percentage
of people that were flagged. Who in your agency--who's
responsible for that? What entity within TSA is responsible for
making that decision?
Mr. Pistole. Well, of course, I'm responsible, overall, but
the----
Senator Boozman. No, but you don't check----
Mr. Pistole. Yes.
Senator Boozman.--these things off.
Mr. Pistole. Right. But----
Senator Boozman. Who does that?
Mr. Pistole.--TTAC, which is our credentialing group, is
responsible for that.
And just, if I could, Senator----
Senator Boozman. So, what is the name of that group?
Mr. Pistole. TTAC. It's T-T-A-C, the credentialing group.
And just for context, I think--so, I would say--I agree
with a number of your comments--I would say we are more secure
from the standpoint of, prior to any of these cards, somebody
could use a driver's license, a union card, whatever it may be,
that they just used to get access to the ports, with no----
Senator Boozman. Mr. Lord has just testified that a
driver's license is more secure than the card.
Mr. Pistole. So, if I could just finish, there--without any
background check, necessarily--and so, at least, we're doing
background checks now. Obviously, there are statutory
provisions for people with criminal histories. And just by the
nature of the workforce, a number of dockworkers may have had
some criminal history. So----
Senator Boozman. Right.
Thank you, Mr. Chairman.
Senator Lautenberg. Thank you very much.
Senator Begich?
STATEMENT OF HON. MARK BEGICH,
U.S. SENATOR FROM ALASKA
Senator Begich. Thank you very much, Mr. Chairman.
First, I want to thank you, Administrator Pistole, for one
program called ``Enroll Your Own,'' which is very important in
our rural parts of Alaska, as you know. In order to have people
to get the TWIC card is very expensive, complex for--and the
travel in some of our fishing communities. And so, first I want
to say thank you for that. We do have some suggestions we want
to share with you--we'll do it for the record--from our police
departments, who you work with.
Mr. Pistole. Good.
Senator Begich. And I think they have some very positive
suggestions that I would hope you would consider as you
continue to roll this program out.
Mr. Pistole. Sure.
Senator Begich. And I just want to issue a cautionary note,
on the discussion here on criminal records and so forth--you
hinted to it--in some of these industries, not everyone's going
to have a stellar background, but are working in jobs that pay
sometimes very low wages, and a variety of other things. So, I
know that's a careful balance that you have to have.
My concern--and I don't know who wants to answer this. Let
me, first, start with one example. And I may be a little off,
here, but I'm using an example from my own--one of my own staff
people, a loaner from one of the agencies, NOAA. Because he
works on a ship and works on a dock, he goes through a whole
process to get his card, his common access card--
fingerprinting, all the 9 yards. Then he has to get a TWIC
card, go through the same process. That seems such a simple
fix, that if you've got a Coast Guard person that's required to
go through and get their card, or a NOAA person, or any of
these Federal agencies or government agencies, like a police
department or maritime enforcement office, depending on if
you're a coastal area, that, once they've done that, they
shouldn't have to repeat that. Is that an easy fix that you can
do?
Mr. Pistole. I will take that, Senator. It's not easy,
unfortunately, but you've identified a key issue which is
really overriding all these individual issues that we're
talking about here today, and that's not only for the whole
U.S. Government, in terms of having a universal access card,
whatever that may be--of course every state has different
standards. The National Institute of Standards Technology, of
course, sets some standards that we abide by. But, that's the
challenge that we deal with, that this goes--even in my last
job, at the FBI, where there were all types of fraudulent
documents because of differing standards by state and the
federal government.
Senator Begich. But, you'll probably never get to the
unified card of any kind. So, we have to take that as a given,
even though I know, from a law-enforcement--as someone who was
a mayor that managed a police department, you know, they would
love to have one card, one place, one location. But, that will
never happen, because of states' rights, and many other things.
But, it seems, even in the Federal agencies--I think if a NOAA
person or a Coast Guard person or--pick the agency--that goes
through this already, that they shouldn't have to go through it
again.
Mr. Pistole. So, there's----
Senator Begich. First, let me ask, does that make sense,
that logic?
Mr. Pistole. Yes.
Senator Begich. OK.
Mr. Pistole. Absolutely.
Senator Begich. So, why not figure out--I know what we'd
like to do, it seems, in the federal government, as I've
learned now, is always get the big pitch, try to do it all at
once, and do everything, which is disastrous. Example A, $300
million. You know, maybe we'll learn a little bit out of this.
But, it seems like--why don't we just take one piece of the pie
and try to deal with it and get it to work, rather than this
holistic, which--you know, it sounds like another contractor
making a lot of money on a system that doesn't work, that we'll
probably never recoup anything from, and then they'll charge us
more to do some more work.
Mr. Pistole. So, I agree, completely.
Senator Begich. It's the----
Mr. Pistole. You would think, Senator----
Senator Begich.--the federal M.O.
Mr. Pistole. Right. So, we are working on some proposed
rulemaking that would help in that regard. Obviously, industry
has a lot of interest and input into that. And so, as we work
through this, unfortunately I believe it's a longer-term rather
than a short-term fix. But, I agree completely with your
philosophical approach of trying to consolidate and make it
more efficient and effective for those who need these access
cards.
Senator Begich. And then--but, I just give you a cautionary
note. The standard thought is, ``Well, let's try to figure out
all the Federal--just take the Coast Guard, get them cleared
up. Get the NOAA, get them cleared up.'' In other words,
piecemeal it out so, each one, you're just trying to
incrementally do. Is that a realistic approach, rather than
this--it just makes me very nervous that we're going to try to
do all of it at once and then, maybe a year and a half or 2
years from now, we'll have the same conversation, maybe with
different people, maybe the same people, talking about more
expense. Is that----
Admiral I don't know who. Mr. Lord? Whoever.
Mr. Lord. No, it makes perfect sense. I believe you're
referring to consolidating the so-called security threat
assessment process. Typically, when you go in for a credential
now, they'll run a STA on you. To complete an STA, you may need
another credential. They'll do it again. What they're doing is
accessing the same--essentially, the same databases. So, they
have an effort. They just started. They're trying to
consolidate that. So, they, the Department of Homeland
Security, wholeheartedly would agree with your position. And
they're already taking steps to do that. Initial steps. But,
that's the vision. You want to consolidate----
Senator Begich. Right.
Mr. Lord.--all that so-called background-checking process,
and just have one person, one check----
Senator Begich. Right.
Mr. Lord.--rather than having one person, multiple checks.
It's currently----
Senator Begich. Doesn't make sense, that latter part.
Mr. Lord.--inefficient, and it costs the consumer, the
person applying for the card, more money.
Senator Begich. Let me just end with one question. The
people that initiated this process--I know it wasn't under some
of you folks, because some of you are new, obviously--but, the
people below you who deal with all this, are they the same
people that initiated this process, or are they new people? And
the reason I ask that, sometimes--you know, there's my
question. Because, I just heard a little knock on--to the left.
[Laughter.]
Senator Begich. Yes or no?
Mr. Pistole. Yes, mostly the same people.
Senator Begich. That's a problem. I'll leave it at that.
Senator Lautenberg. Thank you very much.
Senator Wicker.
STATEMENT OF HON. ROGER F. WICKER,
U.S. SENATOR FROM MISSISSIPPI
Senator Wicker. Thank you.
Gentleman, the results of the GAO report, I must say, are
absolutely breathtaking. TSA has failed to implement and
evaluate the TWIC Program in a way that provides reasonable
assurance that only qualified individuals have access. GAO
investigators were able to access secure facilities at U.S.
ports during covert tests in which they presented either
counterfeit TWIC cards, authentic TWIC cards, or cards obtained
through fraud. GAO found that controls to identify the use of
potentially counterfeit identity documents were not used to
inform the background- checking process. TSA does not have
clear criteria for applying discretionary authority to
applicants who have past criminal convictions. And controls are
not designed to determine whether cardholders have committed
disqualifying crimes at the federal and state level after being
granted a TWIC.
It seems to me that a decade of work has resulted in a
system that would put Rube Goldberg to shame, and it almost
argues for starting over from scratch and trying to design
something that would work. I would mention again what Senator
Boozman has pointed out, that of 460,000 TWIC applicants with a
criminal record, TSA was able to deny access to one of those
460,000-plus applicants. I mean, it is absolutely astounding.
But, the requirement has succeeded in making things harder on
the applicants. And I have a report here from a constituent
group, regarding TWIC card applications and the two-trip
requirement. And I'll quote from this business, ``The
requirement that applicants make two trips to a TWIC enrollment
center that may be hundreds of miles from their workplace or
home represents a substantial burden on transportation workers
across the country. A resident living in West Plains, Missouri,
for example, must make, at minimum, two 350-mile round-trips to
apply for and activate their card at the nearest enrollment
center located in Memphis. Another worker in Meridian,
Mississippi, must make, at minimum, two 267-mile round-trips to
apply for and activate their card at the nearest enrollment
center in Mobile.''
So, for the honest worker who doesn't have a criminal
background, he's got to make two trips. Mr. Lord, is there some
way, in your judgment, that we could devise a system that does
not require the two trips? I have confidence in the mail
system. And it seems to me that receiving a card in the mail,
then calling with secure information to verify that that card
has been received, and then activated at that point, much like
the credit cards are done, that something of that nature should
be used to apply some common sense to the honest people that
are being inconvenienced, to the tune of hundreds of miles.
Mr. Lord. No, that's an excellent question, sir. We
recently looked at that, whether you could simply mail a TWIC
card to an applicant's place of residence. It sounds easy. But,
like many things, once you start looking into it, it's a little
more complicated. And what we found was, the current policy of
the Department is to remain aligned with the so-called FIPS 201
standard. This is a biometric security standard that pertains
to all government credentials. As long as the policy is to
remain aligned with that standard, it would preclude you from
mailing it to an applicant's place of residence. Why? Because
you have to do a biometric match, in person, to ensure
security. That helps limit potential fraud. And it's a key
security enhancement. We had discussions with the NIST
officials who crafted the standard--TSA, DHS; they agreed with
our assessment. So, as long as that's their policy, the current
policy is to remain aligned with that standard. Obviously, they
could change the policy and have to reengineer their business
processes, but as long as that policy remains unchanged, they
cannot mail the TWIC to a person's place of residence.
To TSA's credit, they did add some flexibility to the
program. In February 2009, they allowed the applicant to
designate what enrollment center they'd like to pick it up.
Sometimes people move. You apply for a TWIC in Seattle, say,
and move to Memphis. You can now say, ``I'd like to pick up my
card in Memphis,'' without having to drive all the way back to
Seattle. So, there has been some effort to respond to the needs
of applicants. But, I cannot criticize them for requiring the
in-person biometric match. That's a key part of the process.
Senator Wicker. Well, I would just simply suggest, as I
yield back, that there are so many aspects of this program that
are obviously going to have to be rethought, that we ought to
put up the best minds in the country on some way to make this
less burdensome on the honest folks that actually do comply.
Thank you.
Mr. Pistole. Mr. Chairman----
Senator Lautenberg. Yes.
Mr. Pistole. I'm sorry.
Senator Lautenberg. I'm sorry. Yes.
Mr. Pistole. If I may just respond on the one part to the
Senator's question----
Senator Lautenberg. Sure.
Mr. Pistole.--just briefly.
Senator on the one denial, the overall numbers--we've
actually denied over 35,000 people, for various disqualifying
criteria. The one you're referring to is one who is an
individual who had several criminal convictions, none of which
was individually disqualifying, but, taken in totality, was
disqualifying. So, it has actually been over 35,000. So, that's
the whole purpose of that. We've also had several people who,
it turned out, are on the terrorist watch list, who've applied
for TWIC card, that have also been denied. And I could go into
more detail in a closed setting on that.
Senator Lautenberg. Thank you.
Senator Snowe.
STATEMENT OF HON. OLYMPIA J. SNOWE,
U.S. SENATOR FROM MAINE
Senator Snowe. Thank you, Mr. Chairman.
And just to follow up on the question on the enrollment
centers which is obviously a problem in a state like Maine,
where we only have two enrollment centers, one in Bangor and
one in Portland. So, I'm going to explore with you the issue of
distance. Do have you have any information regarding the impact
it has on these workers to go long distances in order to secure
the card and then have to go back and get it approved, and so
on, and requiring two different trips for these identity cards?
And so, do you have any information on that? Who's----
Mr. Lord. Just to clarify, we audited the program, but we
did speak to many applicants. And that was a persistent pain
point, having to make two trips to get your credential. And I
know there has been various discussions about how to mitigate
that. They have portable enrollment centers. You can move
certain enrollment centers around the country. But, again, I'm
from GAO, not TSA. So, that's probably a better question for
TSA.
Senator Snowe. Mr. Pistole?
Mr. Pistole. So, Senator, yes, it's clearly less than ideal
for most persons who are not located close. I have a map of
where the permanent enrollment centers are. And, of course,
they're located where most of these workers that would need
them. We've also done several dozen of the mobile centers. And
if there's a need in Maine that you've identified that would
need one of these mobile centers, I'd be glad to take a look at
that to try to facilitate that. So, we're--and also, by
allowing the applicants to pick up their card at a different
location, as noted, because they do move around and are--work
in different places, it is a challenge, in trying to comply
with the NIST standards, in terms of the best security, while
also providing for the best convenience. So, that's the dynamic
we deal with.
Senator Snowe. Well, there is obviously a gap between the
enrolled and the activated. So, is it your surmisal that they
travel from one place to another--activate at one--enroll in
one area and activate it in another location?
Mr. Pistole. Some of the applicants request that, because
they're jobs have changed----
Senator Snowe. Do they have to get prior approval for doing
that?
Mr. Pistole. You know, I don't know that. I'll have to
check on that.
Senator Snowe. Well, somehow, we're going to just have to
make this simpler. I just think it's cumbersome and
bureaucratic. I mean, only 167 centers nationwide. So, it
just--there must be a better way. I mean, I think about the
amount of money that has already been spent on this program.
Frankly, I think--the Chairman and I are probably one of the
few members that were here on the Committee post-9/11, working
on this very issue, and this was one of the issues that was
identified as a priority. And that was back in the aftermath of
9/11. In 2002, we began this process. I think it was then
former President Bush identified as, you know, having the
identity of these workers established, and developing a system.
And we will have spent $3.2 billion, and we've yet to clear all
the hurdles to say that it's fully implemented and satisfied.
And so, I think it's--it--presenting enormous difficulties
and complexity and failing to uphold the major standard, which
is to confirm the identity of a cardholder. I mean, ultimately,
that is not something that's been achieved at this point, it
seems to me. And so, now we're going to spend all this money on
biometric reading and digital devices, which are going to cost,
as I understand it, up to $8,000 apiece. Is that correct?
Admiral Cook. That is correct, yes.
Senator Snowe. It is. So--I mean, so there's another
monumental cost. And next year, we're supposed to have--mandate
the use of these cards. Are we going to be prepared for that?
Mr. Pistole. So, that is one of our challenges. And that's
exactly why I've asked, along with Coast Guard and the
Department, to--asking GAO to look the cost-benefit analysis of
this whole program, because we do have hundreds of millions
invested in it, between us, the U.S. Government, taxpayers, and
industry. The question is, what's our return on investment? Are
we clearly safer? Yes, we are. But, at what cost? And so,
that's why we've asked for GAO to follow up on this.
Senator Snowe. Well, I guess it's a red flag for all of us
in Congress. I mean, I think if it takes so long to get a
program up and running, something must be truly wrong, and
we've got to decide differently, because it has been the better
part of the decade, obviously, and we still haven't completed
it. And yet, it's going to cost a great deal. I mean, it has
been practically, what, from 2002 to 2012, essentially, and
we're still not that much further ahead, in terms of where we
need to be, and all the other problems that have been exposed.
In 2006, I introduced an amendment to the SAFE Port Acts
that required a GAO report to review the various background
checks among various agencies. Now, is there any way that we
can sort of synchronize these background checks, you know, so
that we can have one unified background check, in credentials,
for workers, instead of, you know, multiplicity?
Mr. Pistole. So, that's what----
Senator Snowe. Admiral Cook, and Mr. Pistole?
Admiral Cook. Well, Senator----
Senator Snowe. Who's in charge on this one?
Admiral Cook. I'll go ahead and----
Senator Snowe. OK.
Admiral Cook.--step up, Senator. But, I think the--you
know, to answer your question, we're kind of at a pivotal time
right now in the program, because the pilot reader program is
being concluded. I don't know if you were in here when we
mentioned it would--the Administrator mentioned that that data
for the final report will be closed out at the end of this
month. And then that report will come over to the Coast Guard,
and that will be part of the background for our notice of
proposed rulemaking to establish the readers.
So, I think, you know, in terms of the GAO audit, the work
that has already been put into the TWIC, we are on the verge of
being able to exploit the fundamental biometric data that we
all wanted to achieve. And I know that the industry, who has
been--you know, used to having the TWIC cards just flash passed
us for the last few years, is anxious to move to that phase.
They understand there'll be some costs. They're anxious to
participate and help us get it right. And I think that's what I
can offer at this time.
Senator Snowe. Well, is it going to be interoperable in any
way? I mean, are you--talking about this, you know, electronic
reader--is that all going to be interoperable with other
systems within government, or is it going to be stove-pipe?
Admiral Cook. The standards are--should be set, such that
they were--have the ability to read several different kinds of
cards. And that's the--that will be a plus, right there. The--
but, they'll be focused back to databases which relate to the
TWIC, from what I understand right now. But, as I say, as a
pivotal point, we can start integrating different aspects that
the GAO has brought to our attention and that we already have
some internal programs for.
Senator Snowe. Well, is it--can we understand, then, that
there's going to be harmonization of these security
credentials, among agencies, or not? I guess that's the
question.
Mr. Pistole?
Mr. Pistole. So, that's--Senator, that's one of the things,
at least within the Department of Homeland Security, the
Secretary is focused on, to ensure that, for example, just
within TSA, we do vetting and credentialing for up to 15
million people in 28 different categories. So, there's a lot of
that just within what we're doing. And that's what the
Secretary is focused on.
Senator Snowe. Thank you.
I ask unanimous consent to include my statement in the
record, Mr. Chairman. Thank you.
Senator Lautenberg. Without any objection, certainly.
[The prepared statement of Senator Snowe follows:]
Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine
Thank you, Mr. Chairman for holding this hearing. As an original
requestor of the GAO report presented today, I have great concerns
about the Transportation Worker Identification Credential, or TWIC
card, and the security of our nation's ports. For nearly a decade we
have been grappling with many port security questions, and I think the
report we see today identifies a need for review of current security
practices. When we joined several of our colleagues to request this
critical review of the TWIC, I believe you and I shared the view that
when it comes to maritime security, we can, and must do better to
protect our country's 360 ports and maritime facilities.
Biometric identification cards for transportation workers were one
of the first security challenges addressed by Congress following
September 11 in the Aviation and Transportation Security Act of 2001.
In subsequent years, the mandate for identification for port workers
was amended several times to define the ID we now call the TWIC. Since
2007, more than 1.7 million truckers, merchant mariners, longshoreman,
and port workers have been issued these cards. Even the students at the
Maine Maritime Academy have these $132 Federal security credentials to
access the secure port facility on campus.
Secure ID cards like the TWIC are vital in insuring that access to
critical port facilities is restricted to known-persons. In 2004,
President Bush issued Homeland Security Presidential Directive Number
12, which among other things, required the Federal Government to
establish a standard for ``secure and reliable forms of
identification'' that must: (1) reliably identify an employee's
identity, (2) be resistant to tampering or counterfeiting, (3) be
rapidly authenticated electronically, and (4) be issued by providers
whose reliability has been established. Unfortunately, we can see from
today's report that the TWIC credential has failed on all counts.
The truth of the matter is, the implementation of the TWIC card has
not increased the level of security at our ports as designed, and has
become another example of bureaucracy at its worst. Not only do the
cards fail to accurately establish that transportation workers are who
they say they are, they fail to work as designed, require an unwieldy
process to obtain, and add yet another redundant credential to the list
of federal security cards.
Today's report indicates that the TWIC card may fail the first
fundamental challenge of a security credential- accurately confirming
the identity of the cardholder. GAO investigators were able to obtain
TWIC cards by misrepresenting themselves as natural born U.S. citizens
and by presenting forged birth certificates and drivers licenses. We're
told that the documents presented can even be noted in the system as
forgeries, but that these red flags are not accessible by the final
adjudicator! Even if the TWIC processing center indicates a probable
forgery, there is no path for review of the original documents
presented.
Even worse, the production of a false card does not seem to be
beyond the capability of a common criminal. Since the cards are often
used as ``flash passes'' where card holders simply wave the card at a
gate agent, the cards only need a passing resemblance to the true card.
GAO inspectors were able to enter port facilities with false cards,
unchallenged on a number of occasions! The lack of digital verification
of TWIC cards is a critical failure in ensuring the effective use of
the credential, and we must move forward quickly in deploying cost
effective, equipment designed for a marine environment.
The TWIC cards have also so far failed to be rapidly authenticated
electronically--most are worn as another badge, or presented for visual
inspection, often from a distance of several feet. And the deployment
of mobile readers suitable for ports has been slow at best. The
substantial Federal investment of more than $400 million in the past 8
years, combined with the industry investment of approximately $200
million was designed to enhance and protect our nations ports, but I
question if the program has been administered to provide the greatest
security benefit.
In the next year, a mandate for the use of TWIC card readers will
begin to roll out, and we must ensure that we invest wisely in
technology that will add to our security, and not just our bottom line.
I would like additional information from our witnesses on the costs
associated with the technology requirements, and how to best utilize
the readers to maximize their security impact.
The GAO report which we receive today also highlights significant
concerns with the process used to vet applicants and reliably confirm
the identity of individuals granted these security credentials. From
asking workers to self identify a need for access to ports, and their
place of birth, to incomplete verification of identity documents, it is
clear that the security process for reviewing TWIC applicants has
significant loopholes. I look forward to hearing from Administrator
Pistole how TSA plans to address the concerns noted in the report.
Frustratingly, this is not only a security problem; the two
separate visits needed to process TWIC credentials has a impact on
trucking, shipping, and port workers and managers. Workers must first
take the time to visit the enrollment center nearest them, which in
some cases may be many miles away. At this time, Maine has only two
TWIC enrollment centers of 167 nationwide. Students from the Maine
Maritime Academy must travel the 50 miles from Castine, where the
Academy is located, to Bangor, where the nearest TWIC processing center
is located to begin the application, and back to the center again
several weeks later to activate and pick up their TWIC card. While most
of these locations are at, or near busy ports, with a highly mobile
work force, this is a poorly thought out process that does not mirror
the distribution of other Federal documents like passports which can be
mailed to applicants.
Port workers, truckers, and other maritime professionals find
themselves forced to obtain this additional security, often in addition
to several other Federal issue identifications or endorsements. The
TWIC is often carried in addition to Merchant Mariner Licenses,
Merchant Mariner Credentials, and Commercial Drivers Licenses with
Hazardous Materials Endorsements. How many times must the Federal
Government screen and provide access credentials to a single
individual? Can the departments of the Federal Government not work
together to grant a single document to port and maritime workers to
access and secure their workplace?
In 2006, I offered an amendment to the SAFE Ports Act, which
required GAO to look into these Federal background checks for
credentials like these. While GAO and DHS identified several
credentials which can use the same background check information, I
believe we must take additional steps to reduce duplication of effort
and the unnecessary repetition of these background checks. We must
implement common sense reform to ensure efficiency and maximize cost
savings--credentialing operations should be streamlined by reducing the
number of redundant offices and procedures.
I look forward to the testimony of today's witnesses, and I will be
looking for information on how we can improve the credentialing
process, the use of the card, and how we can adapt the use of the
document to ensure the security of our nation's ports.
Thank you, Mr. Chairman.
Senator Lautenberg. And thank you, Senator Snowe, for your
diligence in matters of security for our country, and
particularly because the state of Maine has so much water
access and ports that mean a lot. We thank you for your
efforts.
The questions that have arisen here are obviously a small
number of the questions that actually exist. And we kind of
feel like we're looking at a Rubik's Cube here. You know, you
don't know where to start and quite where to stop. And we're
talking about somewhat safer, but I wonder if that can be--if
that sentence can end--or, that expression can end with
``somewhat safer,'' because I think there's also larger risk
accompanying this because of the fraudulent nature of things.
And I ask, Mr. Pistole, when we know that GAO investigators
were able to fraudulently obtain TWIC cards, use them for
access to secure facilities--and these cards can be used to
access literally thousands of facilities nationwide--so, what's
being done to prevent fraudulently obtained cards from being
used to access the airports, military bases? I think Senator
Snowe was going there, as well. And can we do something that
says, ``OK, these cards are good for limited use, limited time
periods--reenrollment is the question that you raised--
biometric--I don't know--things that are visually protected.
When I hear of the number of ineligibles that wanted to sign up
for a card, it tells me that there is something really amiss in
the basic structure.
And I ask you, any one of you, what--has there been an
assessment of the program of any significance since its
origination, some years ago?
Mr. Lord. Sure. We've, again, done a large body of work on
this. I'd like to think we contributed to some better
understanding of what some of the program's successes and
weaknesses are. And when I think about this holistically, we're
trying to apply this program, on a very large scale, in a so-
called one-size-fits-all manner. I think that when you do
something of this magnitude, it's really important to design it
very carefully, number one, and, two, make sure your staff are
well trained in implementing it. In our report, that's
essentially what we found wrong, that we found some design
imperfections; some of the information they collect at the
front end isn't acted upon; and some of the security guards and
trusted agents, which are delegated a large responsibility for
making this thing successful, they had some lapses. Some of our
covert investigators used fraudulent documents and the trusted
agents should have flagged them. I can't really discuss any of
the details, because it's sensitive security information. But,
you know, we found some holes at the front end and at the back
end, when the security guards are looking at these things and
letting people on their facilities.
Senator Lautenberg. I'd almost like to ask that you--on a
scale of 1 to 10, how comfortable we are with the progress that
we've made, and this is not intended to be accusatory; it's
intended to understand better where the problems are. I mean,
the problems--we keep on, I think, discovering new problems as
we move along here. And is the design an impossible one to make
sense from? Or, what--anybody--I--you want to volunteer a quick
opinion, Mr. Pistole?
Mr. Pistole. Sure, Chairman.
Senator Lautenberg. Admiral Cook?
Mr. Pistole. No, I think this hearing has identified a lot
of the challenges in trying to deploy a biometric card to a
civilian population in--on a large-scale basis. And I think,
although some progress has been made, it is clearly not what
anybody intended, especially those going back to post-9/11. So,
I have my own concerns. And that's why I've asked for the GAO
to do, basically, a--just a top-to-bottom review to assess what
that return on investment is.
The thing that I do have some comfort in is that we largely
know about those who are working in ports now, and docks. The
fact that they have access to a dock doesn't mean they have
access to the ship or anything else. I mean, there are
obviously multiple layers of security, here. What I'm concerned
about is the ease of using a fraudulent document. We know
there's, you know, tens of thousands, perhaps 35,000 places in
the country you can get a birth certificate, hopefully
legitimate, but perhaps not. And if that's a breeder document,
that's a document you're using to establish your bona fides;
that makes it very difficult. The social engineering, which Mr.
Lord referred to, simply having one of his folks--undercover
officers go in and, you know, say, ''I have an appointment
here,`` even though the card doesn't work, or, ''I need to use
the restroom.`` So, that gets to this--to the training of the
guards. And so, there--it is a complex issue.
In answer to your question about 1-to-10, I would put it at
a 3 right now.
Senator Lautenberg. Either one of you--I'm going to go to
my colleagues for a second round of questions--in response to
my question--it sounds like what we've got--we've got a new
idea: we'll make prisons without bars, and maybe that will help
control behavior. I don't think we're quite getting there.
Admiral Cook, do you----
Admiral Cook. Senator, I would say that I'm anxious to move
to a phase where I believe we'll provide--we'll wring out some
of the uncertainty when we go to more biometrics. And the
reason I would say I'm anxious is, we have anecdotal evidence,
because we have a strong network, through our area maritime
security committees, where we're in constant contact with the
facility security officers, the actual people paid, on the
waterfront facilities, by their companies, to maintain
security. And we have feedback that things like pilferage and
other small crimes have been reduced. I don't have statistical
evidence. I'm just saying it's all anecdotal. So, I would like
to move past the anecdotes, past the feeling of the area
maritime security.
Senator Lautenberg. Well, we agree.
Admiral Cook. And that--so, that's where I am.
Senator Lautenberg. Past the anecdotes. But, I'd like to
move past the difficulties and the experiences that we've had.
Mr. Lord, before I call on Senator Ayotte, do you have
anything you want to volunteer, here?
Mr. Lord. Again, a key program goal--I always like to go
back to the program goals--there are four key program goals.
One of them was to positively identify individuals applying for
a TWIC. It's difficult to positively identify someone. What
they do now is negatively identify. And all that means is, they
run your fingerprints past the FBI criminal records checks, and
if there's not derogatory information that comes back on that
or the other database checks, you're given a TWIC card. You
could say you're Joe Blow, essentially have your fingerprints
run, name checked; as long as no derogatory information comes
back, you could be provided a card. And that's not positively
identifying; that's a negative ID. So, it costs more, up front.
It's more rigorous. They have to make a judgment whether there
are additional steps they can take, up front, to positively
identify someone, like you do with a driver's license; you have
to show them your electric bill, show them some proof of
documentation that you're a resident in the state with that
name. There's more rigor, up front, involved. But, it makes for
a better system.
Senator Lautenberg. Senator Ayotte.
Senator Ayotte. Thank you, Chairman.
I wanted to ask, as I understand it--and whoever's most
appropriate to answer this question--that part of the screening
process would be to match it up against the terrorist watch
list. And this, of course, makes sense, in terms of making sure
that those individuals on the list don't receive cards. So,
that is part of the screening process. Is that right?
Mr. Pistole. That's correct, Senator.
Senator Ayotte. And have you ever had a situation where a
TWIC applicant has actually been on the list--a known or
suspected terrorist?
Mr. Pistole. Yes.
Senator Ayotte. Can you give us a sense on how frequently
that has occurred?
Mr. Pistole. So--infrequently, fortunately. And the actual
number is sensitive security information. But----
Senator Ayotte. Right.
Mr. Pistole.--it's a small number, out of the 1.8 million.
But, yes, we do have--and I can give you the exact number--but,
we do have a small number of people who are on the watch list
who have applied and been denied.
Senator Ayotte. And if that occurs, is the process denial?
Mr. Pistole. So, it would probably be denial. But, there
may be an instance, because of the reason the person's on the
watch list; and so we have to go back to the FBI or the
intelligence community to see why they're on the watch list. Is
there something--because, there are all different levels of
reasons, whether it's material support, fund raisers, as
opposed to bomb throwers. So, there may be something in there
that would be mitigating.
Senator Ayotte. So, is there a procedure in place to
coordinate with other agencies--for example, the FBI--in terms
of how you deal with someone on the watch list that applies for
the TWIC?
Mr. Pistole. Yes. So, there is. But, in the process of
preparing for this hearing, I've found something that we can
improve that I don't want to go into in an open hearing. But,
yes, there is a vulnerability there that we need to address,
both between us and with the FBI.
Senator Ayotte. Is that something that we could learn about
in a more appropriate----
Mr. Pistole. Yes, absolutely.
Senator Ayotte.--classified setting?
Mr. Pistole. Sure.
Senator Ayotte. Because, I think it's very important.
Because, obviously, one of the issues we wanted to address,
post-9/11, was the coordination among agencies----
Mr. Pistole. Right.
Senator Ayotte.--and making sure that, if we have that
situation, that, if we need to create a situation where further
intelligence-gathering has to occur, we're all working from the
same page. So, I would really appreciate that answer in a more
appropriate setting.
Mr. Pistole. Absolutely. I'd be glad to do it after this,
if you have time. But, yes.
Senator Ayotte. Great. Thank you. I appreciate that.
I also just wanted to share the concerns, as I understand,
that have already been raised by my colleagues, and I raised in
my opening statement, about figuring out a way where the
multiple trips by the transportation workers to the enrollment
centers, particularly those that live in areas that aren't so
close to some of those centers. Is there a better way to do it?
Can we do it in a more efficient way? And I know that many of
my colleagues asked you about that, so I won't repeat that.
But, I would echo their concerns.
Mr. Pistole. Noted.
Senator Ayotte. And finally, to the extent you haven't
answered this, but if you can help me with it--when you're in a
position where DHS is doing multiple screening processes--and
you mentioned it in your opening statement--so, one facility,
for example, could be going through one type of process, and
that same facility may have to get a screening from you in
another process. What is it that you are doing to eliminate
those redundancies that--you know, one of the concerns--it's
not just a cost issue of how much the redundancies cost on both
the applicant and the government cost, but also, when you've
got the right hand and the left hand, you can end up in
confusion. So, if you could address that, I'd appreciate it.
Mr. Pistole. Sure, Senator. So, there are a couple aspects
to this. One is what we're doing, in terms of trying to limit
the number of security threat assessments, the STAs, that would
be done for somebody who has any type of government-issued ID
that gives them access to something. So, we--15 million people,
that I've mentioned, in the private sector, that we do some
type of background and credentialing for them--so, do they--if
they have, for example, a TWIC card, a hazardous material
endorsement card, if they're an aviation worker--have access,
or something--any number of things--and, of course, different
things for other components--can we use that STA, that security
threat assessment, that would apply to all of those? So, that's
something that we're working through, just to streamline, make
more efficient.
In terms of the enrollment, I know, between Coast Guard and
TSA, we have consolidated some centers. So--and I would defer
to the Coast Guard, in terms of the details of that--where a
person would be able to go into a TWIC enrollment center and
apply for something that would be a Coast Guard card. And so--
--
Senator Ayotte. Can you help me, also, in thinking about
this--is there one universal standard, or are there multiple
standards that--and can we move, in appropriate settings, to
one universal standard for, obviously, similarly situated
settings for threat?
Mr. Pistole. So, there's not----
Senator Ayotte. That would seem simpler, from----
Mr. Pistole. Right.
Senator Ayotte.--a government perspective.
Mr. Pistole. Yes. And that would be--and it would be good
for industry in many respects. But, for example, the criteria
and standards that would be used--that we use on a national
level for TWIC cards is a different standard than individual--
450 airports, for the--what they call the SIDA, the S-I-D-A,
access--so--which are issued locally by each airport--and so,
there--there's not constituency there. And then--so, there are
a number of issues that we could peel back on that that would
be helpful, that we are moving to try to address. There are a
number of challenges there.
Senator Ayotte. Well, you know, I appreciate that this is
challenging. And I hope that, to the extent we can, we do move
to a universal screening process for those that are in the same
category. I can recognize that there may be additional
screening for those in different categories, depending on the
amount of risk that could be incurred, based on the activity.
Mr. Pistole. Exactly.
Senator Ayotte. But, it seems to me that that would be a
better way to rank it and rate it, based on risk of activity,
with screening, so that we could use our resources more
efficiently in a universal standard.
Mr. Pistole. Agreed. Agreed.
Senator Ayotte. So----
Senator Lautenberg. The record will be open for further
submissions.
Senator Ayotte. Great.
Thank you very much.
Senator Lautenberg. I would ask a question, here, related
to something Senator Ayotte was talking about, about trying to
define risks regarding the individual who's applying for the
card. But, I go further, and it's said, and I'm sure you're all
aware, that New Jersey is home to the most at-risk area for a
terrorist attack in the United States. The FBI said, the
distance from the Newark Airport to the harbor is the most
dangerous 2 miles in the country for a terrorist attack. There
are 12 million people within a short radius of that area. So,
shouldn't the TSA, Mr. Pistole--and either one of you, as
well--prioritize these high-risk areas for TWIC funding and
implementation, and move on these things in some kind of
priority basis?
Mr. Pistole. Chairman, I think it--yes, exactly. And the--
part of this fits in with what we are doing with what we're
describing as a risk-based security initiative, and it applies
as much to aviation as anything. But, that--this fits within
that--that we expedite those in those high-risk areas,
recognizing, similar to the Transportation Security Grant
Program, that there are a lot of different opinions about how
those funds should be allocated. There's also different
priorities, depending on what outcome you're trying to achieve.
So, clearly, those who have access to the most sensitive high-
risk areas should be expedited, and we'll take that back.
Senator Lautenberg. Thank you.
This hearing is to be adjourned. And we will keep the
record open. And I ask that, within some degree of promptness,
that responses be given in writing.
And I thank you, Senator Ayotte, for being here and for
your questions.
Thank all of you.
[Whereupon, at 4 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Questions Submitted by Hon. Bill Nelson to
Hon. John S. Pistole
Question 1. What specific efforts have been made to partner with
the states to ensure that TSA is granted access to states' criminal
records, and guarantee that important information is not being
neglected from background checks?
Answer. The Department of Homeland Security, including the
Transportation Security Administration (TSA), recognizes that there is
additional information at the state level not available currently via
the criminal history records information provided from the Department
of Justice, Federal Bureau of Investigation (FBI).
TSA has worked with the states, FBI and the National Crime
Prevention and Privacy Compact Council to convene working groups to
identify possible solutions to receive data directly from other states
and to identify a standard, automated, cost efficient and effective
solution. TSA discovered multiple problems with obtaining information
directly from the states:
a. The states have varying data systems, legal and practical
constraints, and TSA would likely be required to develop and
build a unique solution for each state in order to request data
directly for each Security Threat Assessment (STA) case. To
minimize these problems, TSA has discussed with the states an
option of defining one common technical solution through which
states could send their data directly to TSA. TSA is pursuing
this effort as part of the Transportation Threat Assessment and
Credentialing (TTAC) Infrastructure Modernization (TIM)
program, which was established to standardize and consolidate
TSA's security threat assessment systems.
b. Because many transportation workers have resided in and
continually travel across multiple states, requesting and
receiving state level data from only an applicant's state of
residence or enrollment may miss criminal history in other
states.
c. Some states may require additional fees to request and
receive information directly, rather than using the FBI's
system. Most TSA STA programs are primarily funded via user
fees and this additional cost could dramatically increase the
fees charged to workers.
For all these reasons, TSA has determined that using the
established FBI Interstate Identification Index (III) system to request
and receive data from all states would be the most effective and
efficient solution. State level criminal history data may be accessed
via the III system managed by the FBI. The extent of access to state
level data is based on the purpose for the data request; however, a
program must be deemed to have a criminal justice purpose in order to
receive the full breadth of Criminal History Records Information (CHRI)
available from all 50 states and the District of Columbia. Many states
may not upload all available information into the FBI biometric system
made available to TSA today, and many states do not provide their III
records for ``non-criminal justice'' activities.
The Department of Justice has deemed that TSA's security threat
assessments for TWIC and other similar programs are non-criminal
justice activities. As a result, TSA is effectively provided the same
access as an employer, and does not receive all available information.
Additionally, TSA is not authorized to request subsequent CHRI for the
purpose of conducting recurrent criminal background checks without a
submission of new fingerprints from the individual.
To provide the most robust recurrent vetting against criminal
history records, TSA needs full access to CHRI similar to the access
granted to criminal justice agencies and law enforcement officers. TSA,
in coordination with the Department of Homeland Security (DHS), has and
will continue to work with the FBI, the National Crime Prevention and
Privacy Compact Council, and states to expand access to the CHRI.
Question 2. The TWIC program currently does not make an effort to
ensure that its holders are legally permitted to work under our
immigration laws. Our immigration system is largely administered by the
same department in which TSA is contained, the Department of Homeland
Security, and it's no secret that individuals are permitted to work for
different lengths of time, and that visas expire. Why doesn't the TWIC
program reflect the reality of our immigration laws?
Answer. The design of the Transportation Worker Identification
Credential (TWIC) vetting program seeks to ensure consistency with
current immigration laws, including the need to accommodate visa
holders who receive an extension to their stay.
TWIC leverages the capabilities of the Department of Homeland
Security (DHS) as related to immigration. TWIC applicants who are not
U.S. citizens undergo an immigration check using the U.S. Citizenship
and Immigration Services (USCIS) Systematic Alien Verification for
Entitlements (SAVE) data base. This check reviews an applicant's
immigration status using TWIC-eligible immigration categories,
developed as part of the rulemaking effort, that include visa
categories that relate to working in the maritime industry. If the
immigration check reveals information demonstrating that the individual
is not in a TWIC-eligible immigration category, the individual is
determined to be ineligible. If the check indicates that the individual
may be in the U.S. illegally or improperly, the individual is
determined ineligible and the Transportation Security Administration
(TSA) coordinates with immigration authorities to take appropriate
action.
Input from industry and stakeholders strongly suggested that
linking the TWIC expiration date to a non-U.S. citizen's visa
expiration date would be problematic. Industry feedback focused on
minimizing the disruption to ports and the flow of commerce when a non-
U.S. citizen's visa date was extended, as frequently happens.
Electronic security features on the current TWIC make it impossible to
extend the expiration date to reflect the extension of the visa.
Furthermore, the TWIC expiration date is printed on the card. If the
TWIC expiration was tied to the original visa expiration, the TWIC
holder would have to assume the cost and process to get a new TWIC each
time the visa was extended, or each time the individual came to the
U.S. to conduct business. The ports would incur the economic cost of
the individual's inability to access secure areas.
As an alternative, the determination was made that individual
employers--at the local level--should track the visa information on
their non-immigrant employees, as they are required to do by law
already, independent of TWIC. Per the TWIC regulation, individual TWIC
holders are responsible for returning their TWICs if they no longer
meet eligibility requirements and employers are responsible for
collecting an individual's TWIC upon the expiration of his/her work
visa.
TSA believes believe the current process strikes a reasonable
balance between ensuring only those who are in lawful status to work in
the U.S. have access to regulated facilities and the need to
accommodate business needs when visa holders receive an extension to
their stay. Changing the requirement for the TWIC expiration date would
entail significant changes to the current system and processes,
including close integration with other DHS components and the
Department of State, as well as oblige the TWIC holder to incur
additional costs to obtain new credentials correlated with the duration
of the individual's visa.
Question 3. The contractors running the TWIC program have only
denied one application that came under their discretionary review
authority. What sort of oversight is there for the 460,786 other
applicants who were flagged by the first check, but ultimately granted
TWICs? Is there any follow up to insure that the proper judgment was
made about those individuals?
Answer. The Transportation Worker Identification Credential (TWIC)
program employs contractors for the TWIC enrollment and operations, and
separate contractors to assist with the high volume of TWIC
applications to review background check information. The Transportation
Threat Assessment and Credentialing (TTAC) staff makes the vast
majority of initial denial decisions and all final denial decisions.
The majority of the 460,786 approvals listed were made by the
contractor after review of the background check information. TTAC
provides a four-phased training program to all new adjudicators, both
contractors and Federal employees, during which time the trainees are
constantly evaluated. In order for a trainee to obtain status as a
self-approver, he/she must pass a test administered by the government.
After a trainee has been approved to be a self-approver, the government
maintains a quality assurance process, where 5 to 10 percent of each
self-approver's decisions are randomly reviewed each day to identify
potential errors.
It is important to note that the statement from GAO concerning the
adjudicator's denial of ``one application that came under their
discretionary review authority'' relates to a sentence in the TWIC
regulations (49 CFR 1572.107(b)) that permits the Transportation
Security Administration (TSA) to disqualify an applicant for
``extensive foreign or domestic criminal convictions; a conviction for
a crime not listed in 1572.103; or a period of foreign or domestic
imprisonment that exceeds 365 consecutive days.'' TSA created this
provision to cover the unusual circumstance of an applicant who
appeared to pose a distinct ``terrorism security risk'' called for by
the statute (46 U.S.C. 70105), but did not have serious criminal
convictions listed on the specific list of disqualifying offenses. TSA
never intended this provision to cover petty or frequent violators of
the criminal code who, while perhaps untrustworthy and deceitful, did
not pose a ``terrorism security risk.'' TSA intended for the list of
criminal disqualifiers and periods for disqualification that are set
forth by statute and regulation to be the primary list we would use to
evaluate an applicant as to criminal history. (In fact, as of March
2011 TSA has denied TWICs to 35,661 out of 1.8 million applicants.
______
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to
Hon. John S. Pistole
Question 1. It was discovered last week that Al Qaeda was planning
an attack on a U.S. rail line. To date, TSA's efforts on rail security
have been delayed, incomplete and nearly nonexistent compared to
aviation security. In light of this new plot, what immediate steps are
you taking to increase rail security measures?
Answer.
Mass Transit and Passenger Railroad Security
In response to the news that Al Qaeda was planning an attack on a
U.S. rail line, the Transportation Security Administration (TSA) held
teleconference calls with the Transit Policing and Security Peer
Advisory Group (PAG) on Monday, May 2, 2011, and Friday, May 6, 2011.
The PAG was established under the Sector Coordinating Council structure
and serves as a vital component for the mass transit industry.
On the May 2 call, TSA encouraged all public transportation
agencies to ramp up visible deterrence measures, and promoted the value
of conducting unscheduled Regional Alliances including Local, State,
and Federal Effort (RAILSAFE) operations.
During the May 6 call, the PAG members discussed increased rail
security measures that their respective public transportation systems
were implementing. Such measures include:
Maintaining high levels of K9 units deployed, including
vapor-wake teams on Amtrak trains
Special briefings of engineers/track employees to emphasize
reporting of suspicious activity along Right of Way
Implementing special operations deployments
Participating in Visible Intermodal Prevention and Response
(VIPR) Team missions in critical locations
Deploying Anti-Terrorism Teams
Sending out awareness notices urging vigilance to transit
police and employees
Emphasizing the ``See Something, Say Something'' campaign
Adding extra police patrols over the weekend
In addition to the independent security actions taken above, the
public transportation agencies across the United States conducted a
RAILSAFE exercise on Tuesday, May 5, 2011, which was stood-up in less
than 24 hours, and involved over 90 agencies across 29 states and the
District of Columbia, incorporating over 1,000 officers.
Going forward, TSA will continue Security Awareness messages and
Operational Deterrence Programs, which include training, public
awareness, K9 units, and VIPR Teams. The focus will shift from extended
periods of time to shorter periods, such as months or weeks. TSA
encourages continuing RAILSAFE operations on a random basis to prepare
for various security threats.
Freight Rail
For nearly a decade, the freight rail industry, with guidance and
assistance from TSA, has taken steps to reduce vulnerabilities within
the freight rail network, specifically, the vulnerability of
potentially dangerous cargoes. The industry has sought to raise the
baseline of security by emphasizing employee training and awareness,
and by instituting fundamental changes to daily processes that
emphasize deterrence and increase the likelihood of detection of
potential acts of terrorism.
Regarding the most recent intelligence that Al Qaeda had plans to
attack trains or railroad infrastructure, the information garnered was
non-specific and general in nature. As such, TSA immediately
communicated with the freight railroad industry and advised them to
continue a state of vigilance and awareness. The success of this
increased vigilance was evidenced by the increase in reporting of
suspicious incidents detected throughout the railroad industry.
In summary, TSA will continue to work closely with the freight
railroad industry to ensure appropriate processes are in place that
will enable them to meet emerging threats and continue to improve the
baseline of security in the industry.
Question 2. The TWIC program has more than one point eight (1.8)
million people enrolled across the country, from crane operators to
Alaskan fishermen. All of these applicants have access to secure
facilities throughout the United States with their TWIC cards. Plus,
the current enrollment process doesn't even check to see if these
applicants legitimately need access to secure facilities. Are you
confident that the TWIC program is making our ports more secure?
Answer. The Transportation Security Administration (TSA) is
confident that the Transportation Worker Identification Credential
(TWIC) program has made the United States' ports more secure. Although
the 1.8 million workers who have been issued TWICs are eligible to be
granted unescorted access to secure areas of regulated facilities and
vessels, they are not entitled or allowed to enter secure areas of
facilities and vessels without the permission of the owners or
operators of those facilities.
Prior to the implementation of TWIC, the identity document
requirements for access to secure areas of ports and vessels were
dependent on each facility's Facility Security Plan. Facilities often
accepted a number of documents such as a driver's license, passport,
state ID, port/facility specific security card, or a Z-card (now
Merchant Mariner Credential). Without uniform credential issuance
processes, most facilities were unable to positively authenticate the
identity of an individual or determine the authenticity of the identity
documents presented. There also were no universal methods for
determining if a once-valid credential holder were no longer eligible
for access privileges, or to effectively revoke an individual's access
permissions or credentials. TWIC enhances maritime security by
providing one standardized biometric credential, removing the need to
have security personnel discern the authenticity of multiple identity
documents. In addition, TWIC standardized the security threat
assessment (STA) conducted on workers in these secure areas to include
comprehensive terrorism, criminal history, and immigration checks.
In advance of a rule requiring reader use, ports are now made more
secure by readers installed and in use through the recently completed
TWIC reader pilot; the voluntary installation and use of readers at
many facilities; and the more than 200 portable readers used by Coast
Guard personnel to check TWICs during routine facility inspections. The
use of these readers confirms that a valid TWIC is present, that it has
not expired, and that it has not been revoked. In the biometric mode,
the worker's identity is confirmed. Port security will continue to be
enhanced as more electronic readers are put into use at secure
facilities and vessels around the country.
Question 3. When the TWIC program expanded nationwide, most cards
were issued within a short period of time--and most of those cards are
set to expire in 2012. What is TSA doing to work with labor and
industry to prepare for the expiration of the current credentials?
Answer. The Transportation Worker Identification Credential (TWIC)
enrollments began in October 2007 when enrollment centers were phased
in nationwide. Over the eighteen month period from October 2007 until
the national compliance date of April 15, 2009, 1.1 million people
applied for a TWIC. The Security Threat Assessment and associated TWIC
for each applicant must be renewed every 5 years, for the credential to
remain valid. Therefore, the expiration dates for the initial
population of TWIC holders is spread out from October 2012 to April
2014 (5 years after the national compliance date). Preparations are
being made in advance of the impending initial five-year renewal cycle.
The Transportation Security Administration (TSA) is in the process of
developing policies and procedures that will ensure a smooth renewal
phase for the transportation workers who rely on this card to do their
jobs. TSA's enrollment services contract provides for increased hours
and days of operation, and additional equipment and personnel to meet
fluctuating demands for service. These procedures both minimize the
operational impact at TWIC enrollment centers, and ensure that
individuals who have completed the redress process are not required to
repeat the process when no new criminal information is found. This
approach will help expedite adjudication during the expected surge in
renewal enrollments. Throughout this process, TSA will continue to
engage the stakeholder community in order to minimize the impact of the
renewal cycle on affected workers.
______
Response to Written Questions Submitted by Hon. Jim DeMint to
Hon. John S. Pistole
Question 1. From GAO's ``TWIC Security Review'' (GAO-11-657):
``While TSA does not track metrics on the number of TWICs provided
to applicants with specific criminal offenses not defined as
disqualifying offenses, as of September 8, 2010, the agency reported
460,786 cases where the applicant was approved, but had a criminal
record based on the results from the FBI. This represents approximately
27 percent of individuals approved for a TWIC at the time. In each of
these cases, the applicant had either a criminal offense not defined as
a disqualifying offense or an interim disqualifying offense that was no
longer a disqualification based on conviction date or the applicant's
release date from incarceration. Consequently, based on TSA's
background checking procedures, all of these cases would have been
reviewed by an adjudicator for consideration as part of the second-
level background check because derogatory information had been
identified. As such, each of these cases had to be examined and a
judgment had to be made as to whether to deny an applicant a TWIC based
on the totality of the offenses contained in each applicant's criminal
report.
While there were 460,786 cases where the applicant was approved,
but had a criminal record, TSA reports to have taken steps to deny 1
TWIC applicant under this authority.''
Does the TSA track metrics on the number of TWICs provided to
applicants with specific offenses defined as disqualifying offenses? If
so, how many TWICs have been provided to such applicants? Is it
accurate to conclude that an applicant with specific offenses defined
as disqualifying offenses may only be provided a TWIC after receiving a
waiver?
Answer. As of March 2011, TSA has enrolled and vetted over 1.8
million maritime workers. As a result of DHS's rigorous vetting
process, 35,661 individuals were denied from receiving a TWIC. To
clarify the quoted statement from the GAO report in the second
paragraph of the question, that only 1 applicant has been denied a TWIC
``under this authority'', the authority is the 49 CFR 1572.107(b)
provision of the TWIC regulation. This provision permits the
Transportation Security Administration (TSA) to disqualify an applicant
for ``extensive foreign or domestic criminal convictions; a conviction
for a crime not listed in 1572.103; or a period of foreign or domestic
imprisonment that exceeds 365 consecutive days.'' TSA created this
provision to cover the unusual circumstance of an applicant who
appeared to pose a distinct ``terrorism security risk'' called for by
the statute (46 U.S.C. 70105), but did not have serious criminal
convictions listed on the specific list of disqualifying offenses. TSA
never intended this provision to cover petty or frequent violators of
the criminal code who, while perhaps untrustworthy and deceitful, did
not pose a ``terrorism security risk.'' TSA intended for the list of
criminal disqualifiers and periods for disqualification that are set
forth by statute and regulation to be the primary list we would use to
evaluate an applicant as to criminal history.
TSA tracks metrics on the number of Transportation Worker
Identification Credentials (TWICs) provided to applicants, with
specific offenses defined as disqualifying, who apply for an appeal or
waiver. TSA approved 44,444 appeal requests and 7,962 waiver requests
as of June 5, 2011, that involve disqualifying criminal offenses.
An applicant, with specific offenses defined as disqualifying may
also be provided a TWIC after approval of his/her request for an appeal
where the applicant is able to prove that the disqualifying offense is
out of scope (conviction is greater than 7 years old and release from
incarceration on that disqualifying offense is greater than 5 years
old), the conviction was later reversed on appeal, the applicant is not
the person who committed the offense, or other fact that shows that the
disqualifying offense standards have not been met.
Question 2. How many applicants with the following criminal
offenses as part of their backgrounds have been issued TWICs through a
waiver process?
a. A crime involving a transportation security incident. A
transportation security incident is a security incident resulting in a
significant loss of life, environmental damage, transportation system
disruption, or economic disruption in a particular area, as defined in
46 U.S.C. � 70101. The term economic disruption does not include a work
stoppage or other employee-related action not related to terrorism and
resulting from an employer-employee dispute.
Answer. 4 waivers approved
Question 2b. Improper transportation of a hazardous material under
49 U.S.C. �5124, or a state law that is comparable.
Answer. 22 waivers approved
Question 2c. Unlawful possession, use, sale, distribution,
manufacture, purchase, receipt, transfer, shipping, transporting,
import, export, storage of, or dealing in an explosive or explosive
device. An explosive or explosive device includes, but is not limited
to, an explosive or explosive material as defined in 18 U.S.C. ��
232(5), 841(c) through 841(f), and 844(j); and a destructive device, as
defined in 18 U.S.C. � 921(a)(4) and 26 U.S.C. � 5845(f).
Answer. All crimes involving explosives, explosives devices, and/
or other lethal devices are classified in the same manner. 89 waivers
approved
Question 2d. Murder.
Answer. 564 waivers approved
Question 2e. Making any threat, or maliciously conveying false
information knowing the same to be false, concerning the deliverance,
placement, or detonation of an explosive or other lethal device in or
against a place of public use, a state or government facility, a public
transportations system, or an infrastructure facility.
Answer. All crimes involving explosives, explosives devices, and/
or other lethal devices are classified in the same manner. Question c.
and e. are tracked as one metric with a total of 89 waivers approved
for all explosive crimes.
Question 2f. Violations of the Racketeer Influenced and Corrupt
Organizations Act, 18 U.S.C. � 1961, et seq., or a comparable state
law, where one of the predicate acts found by a jury or admitted by the
defendant, consists of one of the crimes listed in paragraph 49 C.F.R.
� 1572.103(a).
Answer. All crimes involving Violations of the Racketeer Influenced
and Corrupt Organizations Act are classified in the same manner. 26
waivers approved
Question 2g. Attempt to commit the crimes in paragraphs listed
under 49 C.F.R. � 1572.103(a)(1) through (a)(4).
Answer. Attempts to commit the crimes in paragraphs listed under 49
C.F.R. � 1572.103(a)(1) through (a)(4) are not tracked separately.
Question 2h. Conspiracy or attempt to commit the crimes in 49
C.F.R. � 1572.103(a)(5) through (a)(10).
Answer. Conspiracy or attempt to commit the crimes in 49 C.F.R. �
1572.103(a)(5) through (a)(10) are not tracked separately.
Question 2i. Unlawful possession, use, sale, manufacture, purchase,
distribution, receipt, transfer, shipping, transporting, delivery,
import, export of, or dealing in a firearm or other weapon. A firearm
or other weapon includes, but is not limited to, firearms as defined in
18 U.S.C. � 921(a)(3) or 26 U.S.C. � 5845(a), or items contained on the
United States Munitions Import List at 27 C.F.R. � 447.21.
Answer. 942 waivers approved
Question 2j. Extortion.
Answer. 6 waivers approved
Question 2k. Dishonesty, fraud, or misrepresentation, including
identity fraud and money laundering where the money laundering is
related to a crime described in 49 C.F.R. � 1572.103(a) or (b). Welfare
fraud and passing bad checks do not constitute dishonesty, fraud, or
misrepresentation for purposes of this paragraph.
Answer. 922 waivers approved
Question 2l. Bribery.
Answer. 12 waivers approved
Question 2m. Smuggling.
Answer. 9 waivers approved
Question 2m. Immigration violations.
Answer. 0
Question 2o. Distribution of, possession with intent to distribute,
or importation of a controlled substance.
Answer. 2,968 waivers approved
Question 2p. Arson.
Answer. 61 waivers approved
Question 2q. Kidnapping or hostage taking.
Answer. 24 waivers approved
Question 2r. Rape or aggravated sexual abuse.
Answer. 281 waivers approved
Question 2s. Assault with intent to kill.
Answer. 4 waivers approved
Question 2t. Robbery.
Answer. 552 waivers approved
Question 2u. Fraudulent entry into a seaport as described in 18
U.S.C. � 1036, or a comparable state law.
Answer. 0 waivers approved
Question 2v. Violations of the Racketeer Influenced and Corrupt
Organizations Act, 18 U.S.C. � 1961, et seq., or a comparable state
law, other than the violations listed in paragraph 49 C.F.R. �
1572.103(a)(10).
Answer. All crimes involving Violations of the Racketeer Influenced
and Corrupt Organizations Act are classified in the same manner.
Question f. and v. are tracked as one metric with a total of 26 waivers
approved for all RICO crimes.
Question 2w. Conspiracy or attempt to commit the interim
disqualifying felonies.
Answer. Conspiracy or attempt to commit interim disqualifying
felonies are not tracked separately.
Question 3. From GAO's ``TWIC Security Review'' (GAO-11-657):
``TSA regulations provide that in determining whether to grant a
waiver, TSA will consider: (1) the circumstances of the disqualifying
act or offense; (2) restitution made by the applicant; (3) any Federal
or state mitigation remedies; (4) court records or official medical
release documents indicating that the applicant no longer lacks mental
capacity; and (5) other factors that indicate the applicant does not
pose a security threat warranting denial of a hazardous materials
endorsement or TWIC.''
These criteria generally, and (5) in particular, seem to grant
broad latitude to TSA to grant TWICs to convicted felons. Please detail
for the committee the guidance you have provided to your staff
regarding the granting of waivers for disqualified individuals.
Answer. The waiver review regulation is designed to provide a
framework, for subjective assessment of whether the Transportation
Worker Identification Credential (TWIC) applicant has overcome the
presumption that he/she poses a security risk, for reviewing the
totality of the TWIC applicant's criminal background and circumstances.
The Transportation Security Administration (TSA) has maintained
extensive communication between TSA's Office of Chief Counsel (OCC) and
Office of Transportation Threat Assessment and Credentialing (TTAC) to
develop guidelines and training materials to accomplish waiver reviews
and make waiver determinations. Each waiver request is assessed by
obtaining and reviewing information from the applicant as well as
pertinent law enforcement, legal, business, and community officials.
Once sufficient material has been obtained and reviewed, a
recommendation to grant or deny the waiver is made to the appropriate
TTAC decisionmaking official, and the TTAC official makes the waiver
decision.
According to 46 U.S.C. 70105(c)(2), TSA must develop a waiver
program and give ``consideration to the circumstances of any
disqualifying act or offense, restitution made by the individual,
Federal and State mitigation remedies, and other factors.''
TSA proposed a list of disqualifying offenses and did not limit the
crimes that are eligible for a waiver in its initial notice of proposed
rulemaking, which was subject to broad public comment, and included
consultation with the Department of Justice as part of the rulemaking
process. Many comments asserted that criminal history generally does
not give rise to the ``terrorism security risk,'' as called for by the
statute, and the list of disqualifying offenses should be much shorter
than TSA's proposed list. Many feared that too many workers would be
disqualified, and commerce and small businesses would suffer
significantly as a result. Thus, TSA balanced a variety of important
legal and policy issues in arriving at the current policy.
______
Response to Written Questions Submitted by Hon. Roger F. Wicker to
Hon. John S. Pistole
Question 1. What steps were taken to identify security
vulnerabilities in the TWIC program before it was implemented?
Answer. The Transportation Worker Identification Credential (TWIC)
program followed the principle of establishing a chain-of-trust from
the initial enrollment of an applicant to delivery of their TWIC. Best
practices from other credentialing programs were reviewed and adopted
as appropriate. Integrating document authenticating scanner technology
to assist in identifying counterfeit documents, such as driver licenses
and passports, and comparing a new applicant's fingerprints to those of
previous applicants, to catch an attempt to enroll more than once, are
two examples of adopting best practices from other programs.
The secure card technology and issuance procedures for a TWIC are
very similar to the standards developed for government workers and
contractors, specified for the Personal Identity Verification (PIV)
card. The physical security features on the card meet the highest
levels of counterfeit resistance specified by the Government. The
procedures for issuing the TWIC ensure that the card is only delivered
to its rightful holder.
Question 2. The information encoded in the TWIC cards includes
sensitive information about the cardholders, including information that
could be used to profile cardholders. What steps are taken to protect
this information from being leaked to third parties?
Answer. Protecting personal privacy is a key component of the
Transportation Worker Identification Credential (TWIC) program's
mission statement. TWIC includes limited personal information contained
on the card. The TWIC contains only three elements of personal
information: name, facial photograph, and fingerprint templates for two
fingerprints. The cardholder's name is printed on the card and encoded
on the Integrated Circuit Chip (ICC) so that it may be freely read by a
card reader. The facial photograph is also printed on the card and
encoded on the ICC. However, it is encoded on the ICC such that it is
protected from being viewed by a card reader without a Personal
Identification Number (PIN)--selected by, and known only to, the
cardholder. The fingerprint templates are stored in two locations on
the card to facilitate use by either a TWIC reader or a Personal
Identity Verification card reader. In the first case, the algorithm is
encrypted to prevent disclosure of the template if an attempt is made
to ``skim'' (i.e., the practice of intercepting information from a
smart card using a device without the knowledge of the card holder) the
card using radio-frequency technology. To decrypt the algorithm, a
cardholder must physically ``swipe'' or insert his/her card into a
reader. Thus, an un-encrypted fingerprint template cannot be obtained
without the cardholder's action. In the second case, the algorithm is
available only after entering a PIN.
Note: A fingerprint template is a compact digital representation of
distinct characteristics derived from a fingerprint image. Fingerprint
templates are used as the basis for comparison during biometric
authentication.
Question 3. After the Agency addresses the problems cited by the
GAO report, how will it evaluate those remediation steps to determine
that they close the gaps the GAO identified?
Answer. The Transportation Security Administration (TSA) is
currently working to initiate the recommended controls assessment of
the Transportation Worker Identification Credential (TWIC) program. As
part of this assessment, a method will be established for each control
enhancement that defines how TSA will monitor the effectiveness of the
change. While the evaluation technique will depend on the remediation
method, TSA plans to continue unannounced system and operational audits
regarding key security areas. In addition, reporting mechanisms will be
created that will assist TSA in ensuring that any new security
procedures are being followed.
Question 4. Robust and effective cybersecurity and the protection
of freight information systems are important elements in port security
for the United States. Among other important goals of port security are
the ability to reliably and economically detect weapons of mass
destruction that may be hidden in containers and cargo. Additionally it
is important to verify the trustworthiness of foreign shippers. The
compromise of data and information systems that relate to these
vulnerabilities would represent critical risks to national security.
Has the cybersecurity of port security systems, and related freight
information, been addressed?
Answer. Yes. All U.S. Customs and Border Protection (CBP) systems,
including port security systems, abide by the Federal Information
Security Management Act (FISMA) of 2002. FISMA requires each Federal
agency to develop, document, and implement an agency-wide program to
provide information security for the information and information
systems that support the operations and assets of the agency. CBP has
developed a robust Certification and Accreditation program to align
with the goals and objectives of FISMA. Additionally, the Security and
Technology Policy Branch ensures that port security systems align with
DHS Sensitive Systems Policy Directive 4300A and CBP Information
Systems Security Policies and Procedures Handbook 1400-05D.
The National Cyber Security Division (NCSD), within the National
Protection and Program Directorate's Office of Cybersecurity and
Communications, is working with its public and private sector partners
to address industrial control systems security and general
cybersecurity at port and shipping facilities. Its Control Systems
Security Program (CSSP) provided resources to conduct high-level
assessments in Boston, Houston, and Norfolk. The assessment reports are
still in development. Using the Cyber Security Evaluation Tool, CSSP
will be conducting evaluations at ports and terminals located at the
top ten facilities, based on a ranking by the Department of
Transportation's Bureau of Transportation Statistics, as well as Maersk
Shipping. In 2009, CSSP conducted several evaluations of freight rail
facilities, as well as a port facility in Saipan, Commonwealth of the
Northern Mariana Islands.
Question 5. What evaluations, assessments, and tests have been
performed to determine whether other port security systems under the
agency's purview, such as freight information systems, can be
compromised as readily as the GAO was able to with the TWIC program?
Answer. CBP employs a defense-in-depth approach to security. As a
component of FISMA, a detailed and thorough Security Test and
Evaluation (ST&E) of port security systems is conducted. Testing
includes personal interviews, scans of workstations, websites and data
bases, and a physical site assessment to find and mitigate potential
vulnerabilities. Additionally, CBP site risk assessments are performed
to evaluate the site's security posture. Risk assessments are performed
continuously throughout the calendar year. Each port security system
also has a dedicated Information Systems Security Officer (ISSO) who
handles day-to-day security for the system. ISSO duties include daily/
weekly log file examination, review of the CBP Security Operations
Center monthly enterprise vulnerability scans, and oversight of
configuration management.
NCSD's Critical Infrastructure Protection--Cyber Security (CIP-CS)
program is in discussions with the Maritime Sector Specific Agency
(U.S. Coast Guard) to scope a Maritime Sector-wide cybersecurity risk
assessment. This assessment would focus on identifying and assessing
risks to categories of cyber critical infrastructure that support
Maritime Sector critical functions. CIP-CS is conducting this work in
support of the critical infrastructure and key resources cross-sector
community to identify cyber critical infrastructure and support sector-
wide approaches to cybersecurity risk management.
______
Response to Written Questions Submitted by Hon. Frank R. Lautenberg to
Rear Admiral Kevin Cook
Question 1. The Coast Guard uses a risk analysis model to inform
decisions on how best to secure our nation's ports and allocate limited
resources. Could the Coast Guard model be applied to TWIC to assess its
effectiveness and to enhance security?
Answer. The Coast Guard Maritime Security Risk Analysis Model
(MSRAM) is a terrorism risk analysis tool and process used by Coast
Guard analysts across the nation to perform detailed risk analysis for
their areas of responsibility. The results of this process are used to
support a variety of risk management decisions at the strategic,
operational, and tactical levels.
During the initial rollout of TWIC, MSRAM data was used as part of
a risk analysis approach in developing TWIC reader requirements in the
maritime sector, and MSRAM will continue to provide risk analysis
support to TWIC. However, since MSRAM is a risk analysis tool and not
designed or capable of being used as a measure of effectiveness, it is
not an appropriate model to assess the effectiveness of TWIC.
Question 2. It has been more than 9 years since the TWIC program
was created, but ports still do not have readers for the cards.
Instead, they rely on visual verification, which can be more
susceptible to fraud. How much will it cost to install readers at ports
across the country and who is expected to pay for it?
Answer. The Department of Homeland Security managed the TWIC pilot
through the joint participation of TSA and the Coast Guard. The Coast
Guard plans on using data from the TWIC Pilot Program, along with other
studies and reader vendor data, to estimate the costs to fully
implement the final card reader phase of the TWIC program. The Coast
Guard is working on publishing a Notice of Proposed Rulemaking in the
Federal Register that will present estimates of the costs to install
readers at affected port facilities and present the number and types of
affected facilities that will need to install readers. The cost of
readers, as well as any necessary installation, will be incurred by the
affected facilities. The ports may apply for grants to fund
installation.
TWIC Projects are eligible for funding under the FEMA Port Security
Grant Program (PSGP). TWIC related projects have been specifically
funded since FY06 or earlier and identified as a PSGP priority since
FY07. TWIC Readers and associated equipment have been specifically
identified as the major component of over $88M of PSGP funded projects
since FY06. Project size, scope, and costs vary greatly among ports,
and TWIC projects may typically include readers, cameras, fencing,
gates, lighting, and associated installation costs as part of the
overall project.
Question 3. According to the FBI, New Jersey is home to the most
at-risk area for a terrorist Answer. attack in the U.S. This area has
targets ranging from the port to airports to chlorine gas plants. An
attack in this area could impact 12 million people who live nearby.
Shouldn't TSA prioritize these high-risk areas for TWIC funding and
implementation?
Answer. It is essential that the prioritization for TWIC funding
and reader implementation be consistent across the Nation. Those
facilities and vessels that present the highest risk, or are in high-
risk areas, will be prioritized accordingly, as they were in the
initial TWIC implementation.
Question 4. GAO investigators were able to fraudulently obtain TWIC
cards and then use them to access secure facilities. TWIC cards can be
used to access literally thousands of facilities nationwide. What is
being done to prevent fraudulently obtained cards from being used to
access airports, military bases, and other secure facilities?
Answer. Each port establishes the requirements for access to its
secure facilities. Possession of a TWIC, while a necessary element for
access, does not guarantee its holder the right of access absent
meeting the business case that individual port authorities establish
for entering their secure facilities. The Coast Guard works with the
ports to ensure the enforcement of security practices for access to
secure facilities.
Another important enhancement will be the use of card readers to
verify TWICs electronically and ensure that the cards have not been
revoked. The Coast Guard is currently developing an upcoming rulemaking
that will include requirements for TWIC readers at Maritime
Transportation Security Act (MTSA) regulated facilities and vessels.
Once the final card reader phase of the program is implemented for
electronic verification of TWICs, it will significantly enhance
protection against counterfeit, tampered, or expired TWICs being used
to gain access to MTSA-regulated facilities and vessels.
Finally, TSA is conducting a review of internal controls for TWIC
enrollment to identify ways to enhance the program's ability to prevent
people from obtaining a TWIC using fraudulent identity documents.
Almost all credentialing programs at all levels of government and the
private sector face this challenge. TSA follows best practices by
requiring the use of document authentication technology as a safeguard
against TWIC applicants using counterfeit or altered identity documents
at enrollment. DHS will continue to seek out best practices and new
technologies to ensure that TWIC takes every reasonable precaution
against fraud.
______
United States Government Accountability Office
Washington, DC, July 6, 2011
Hon. Frank R. Lautenberg,
Hon. Bill Nelson,
Committee on Commerce, Science, and Transportation,
U.S. Senate.
Subject: Transportation Worker Identification Credential: Responses to
Posthearing Questions for the Record
On May 10, 2011, I testified before the Committee on Commerce,
Science, and Transportation on the Department of Homeland Security's
(DHS) credentialing program known as the Transportation Worker
Identification Credential (TWIC). This letter responds to the three
questions for the record that you posed. The responses are based on
work associated with previously issued GAO products.\1\ Your questions
and my responses follow.
---------------------------------------------------------------------------
\1\ See GAO, Transportation Worker Identification Credential:
Internal Control Weaknesses Need to Be Corrected to Help Achieve
Security Objectives, GAO-11-657 (Washington, D.C.: May 10, 2011);
Transportation Worker Identification Credential: Internal Control
Weaknesses Need to Be Corrected to Help Achieve Security Objectives,
GAO-11-648T (Washington, D.C.: May 10, 2011); and Transportation Worker
Identification Credential: Progress Made in Enrolling Workers and
Activating Credentials but Evaluation Plan Needed to Help Inform the
Implementation of Card Readers, GAO-10-43 (Washington, D.C.: Nov. 18,
2009).
---------------------------------------------------------------------------
Question 1. Through your covert testing, you were able to obtain
fraudulent TWIC cards and access secure facilities using fraudulent and
counterfeit cards. What potential security threats are our ports and
other secure facilities exposed to because of the problems with the
TWIC program?
Answer. We reported in May 2011 that internal control weaknesses in
TWIC enrollment, background checking, and use could have contributed to
the breach of Maritime Transportation Security Act (MTSA)-regulated
ports during covert tests conducted by our investigators.\2\ We had our
investigators conduct covert testing at TWIC enrollment center(s) to
identify whether individuals providing fraudulent information could
acquire an authentic TWIC. Further, during covert tests of TWIC use at
several selected ports, our investigators were successful in accessing
ports using counterfeit TWICs, authentic TWICs acquired through
fraudulent means, and false business cases (i.e., reasons for
requesting access). Our records show that operations at the ports our
investigators breached included cargo, containers, and fuel, among
others.\3\ Our investigators reported that throughout the testing,
security officers did not question the authenticity of TWICs presented
for acquiring access.
---------------------------------------------------------------------------
\2\ GAO-11-657.
\3\ The details related to the means used by the investigators in
the tests could not be described here because they were deemed
sensitive security information by TSA.
---------------------------------------------------------------------------
According to the Coast Guard's January 2008 National Maritime
Terrorism Threat Assessment, al Qaeda leaders and supporters have
identified western maritime assets as legitimate targets.\4\ Moreover,
according to the Coast Guard assessment, al Qaeda-inspired operatives
are most likely to use vehicle bombs to strike U.S. cargo vessels,
tankers, and fixed coastal facilities such as ports. If an individual
presents an authentic TWIC acquired through fraudulent means when
requesting unescorted access to the secure areas of a MTSA-regulated
facility or vessel, the cardholder is deemed not to be a security
threat to the maritime environment because the cardholder is presumed
to have met TWIC-related qualifications during a background check. In
such cases, individuals who wish to do harm to the maritime
transportation system could better position themselves to
inappropriately gain unescorted access to secure areas of a MTSA-
regulated facility or vessel.\5\
---------------------------------------------------------------------------
\4\ U.S. Coast Guard Intelligence Coordination Center, National
Maritime Terrorism Threat Assessment (Washington, D.C.: Jan. 7, 2008).
\5\ The TWIC program requires individuals to both hold a TWIC and
be authorized to be in the secure area by the owner/operator to gain
unescorted access to secure areas of MTSA-regulated facilities and
vessels. A regulation on the use of TWICs with card readers is
currently under development and expected to address how the access
control technologies, such as biometric card readers, are to be used
for confirming the identity of the TWIC holder against the biometric
information on the TWIC.
---------------------------------------------------------------------------
As we recently reported in May 2011, while one of the goals of the
TWIC program was to improve security by reducing risks associated with
fraudulent or altered credentials by using biometrics to positively
match an individual to the credential, as our covert tests
demonstrated, an authentic TWIC and a legitimate business case were not
always required in practice.\6\ As detailed in our report, inspection
of TWICs with biometric readers is not currently required. Rather,
TWICs are primarily used as visual identity cards--known as a
flashpass--where a card is to be visually inspected before a cardholder
is allowed unescorted access to a secure area of a MTSAregulated port
or facility. The investigators' possession of TWICs provided them with
the appearance of legitimacy and facilitated their unescorted entry
into secure areas of MTSA-regulated ports at multiple locations across
the country. If individuals are able to acquire authentic TWICs
fraudulently, verifying the authenticity of these cards with a
biometric reader will not necessarily reduce the risk of undesired
individuals gaining unescorted access to the secure areas of MTSA-
regulated facilities and vessels. Our report noted that, unlike prior
access control approaches, which allowed access to a specific facility,
the TWIC potentially facilitates access to thousands of facilities once
the Federal Government attests that the TWIC holder has been positively
identified and is deemed not to be a security threat.
---------------------------------------------------------------------------
\6\ GAO-11-657.
Question 2. According to the FBI, New Jersey is home to the most
at-risk area for a terrorist attack in the U.S. This area has targets
ranging from the port to airports to chlorine gas plants. An attack in
this area could impact 12 million people who live nearby. Shouldn't TSA
prioritize these high-risk areas for TWIC funding and implementation?
Answer. Funding for the TWIC program is a shared responsibility
between the Federal Government and the private sector. TSA's efforts to
issue the TWIC are to be funded by enrollment fees collected from TWIC
applicants.\7\ Additional resources, however, would be required if TWIC
is to be implemented with biometric card readers. For instance, MTSA-
regulated facility operators could be required to expend resources on
TWIC readers and infrastructure to support TWIC-related operations,
such as installing fiber optic cables and investing in computing
system(s) capable of managing and recording TWIC-related access control
efforts. While funding for such efforts is anticipated to be the
responsibility of facility operators, limited Federal funding is
expected to be available through Federal grant programs, such as the
Federal Emergency Management Agency's (FEMA) Port Security Grant
Program and the Transit Security Grant Program.\8\ As we previously
reported, issuance of such grants is, in part, based on available risk
information.\9\
---------------------------------------------------------------------------
\7\ TSA was authorized to fund the program's operations by
collecting $196.8 million in enrollment fees from TWIC applicants from
Fiscal Years 2008 through 2010.
\8\ From Fiscal Years 2006 through 2010, $111.7 million had been
made available to maritime facilities implementing TWIC from FEMA grant
programs--the Port Security Grant Program and the Transit Security
Grant Program.
\9\ See GAO, Transit Security Grant Program: DHS Allocates Grants
Based on Risk, but Its Risk Methodology, Management Controls, and Grant
Oversight Can Be Strengthened, GAO-09-491 (Washington, D.C.: June 8,
2009); and Risk Management: Further Refinements Needed to Assess Risks
and Prioritize Protective Measures at Ports and Other Critical
Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
---------------------------------------------------------------------------
Funding and implementing TWIC in a risk-informed manner would be
consistent with our prior work.\10\ The purported benefit of making
risk-informed investments is that Federal funds are to be directed at
those programs that are most effective at reducing risk given available
resources. However, as we reported in May 2011, DHS had not assessed
the effectiveness of TWIC at enhancing security or reducing risk for
MTSAregulated facilities and vessels.\11\ Further, DHS had not
demonstrated that TWIC, as currently implemented and planned with
readers, is more effective than prior approaches used to limit access
to ports and facilities, such as using facility-specific identity
credentials with business cases. Moreover, our May 2011 report found
that enrollment and background checking processes were not designed to
provide reasonable assurance that only qualified individuals could
acquire TWICs, or that once issued a TWIC, TWIC-holders had maintained
their eligibility. These weaknesses, coupled with the results of our
covert tests on TWIC use, raise questions about the effectiveness of
the TWIC program. As such, we recommended that the Secretary of
Homeland Security evaluate the costs, benefits, security risks, and
corrective actions needed to implement the TWIC program in a manner
that will mitigate existing security risks. Completing these steps will
facilitate efforts to identify high-risk areas for TWIC funding and
implementation.
---------------------------------------------------------------------------
\10\ See GAO, Homeland Security: Applying Risk Management
Principles to Guide Federal Investments, GAO-07-386T (Washington, D.C.:
Feb. 7, 2007); and GAO-06-91.
\11\ GAO-11-657.
Question 3. We have four of the highest volume U.S. ports in
Florida, which are involved in tens of billions of dollars in trade
each year. Did your investigators turn anything up unique about the
efforts made by the folks running the TWIC program in Florida?
Answer. Prior to being amended, previous Florida state law required
workers accessing the state's 12 active deepwater public ports to
undergo a state criminal history records check, and Florida's ports
required workers to obtain a local port identification card. In doing
so, Florida had implemented background check and identification
requirements that extended beyond those of the TWIC program. First,
prior to being repealed on May 24, 2011, a Florida statutory provision
required that all applicants undergo a State of Florida fingerprint-
based criminal history records check to identify certain specified
state criminal offenses, such as theft and burglary, separately from
those specifically required to be identified or considered by the
criminal history records check conducted by the TWIC program. Second,
Florida denied access to individuals who had obtained their TWIC
through the TWIC-waiver process, whereby individuals with disqualifying
offenses could be granted a TWIC. Third, Florida maintained a database
that retained the fingerprints and eligibility status of all seaport
workers accessing its ports, and provided ports with an ongoing
notification of the workers' criminal histories. While Florida has
repealed its background check requirements, various Florida ports still
require that individuals attempting to gain access to a port or
facility provide a port-specific identification card in addition to the
TWIC to gain access to ports in Florida.
As we reported in May 2011, our investigators were successful in
accessing ports using counterfeit TWICs, authentic TWICs acquired
through fraudulent means, and false business cases (i.e., reasons for
requesting access) during covert tests of TWIC use at several selected
ports.\12\ Information on the specific ports and locations that our
investigators were unable to access during covert testing was deemed
sensitive security information by TSA. However, our report states that
our investigators did not gain unescorted access to a port where a
secondary port specific identification was required in addition to the
TWIC.
---------------------------------------------------------------------------
\12\ GAO-11-657.
---------------------------------------------------------------------------
If you have any questions about this letter or need additional
information, please contact me at (202) 512-4379 or [email protected].
Stephen M. Lord,
Director, Homeland Security and Justice Issues.
�