[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS? ======================================================================= HEARING before the SUBCOMMITTEE ON TRANSPORTATION SECURITY of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ JUNE 19, 2012 __________ Serial No. 112-99 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC] [TIFF OMITTED] CONGRESS.#13 Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PRINTING OFFICE 79-506 WASHINGTON : 2013 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Peter T. King, New York, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Daniel E. Lungren, California Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Michael T. McCaul, Texas Henry Cuellar, Texas Gus M. Bilirakis, Florida Yvette D. Clarke, New York Paul C. Broun, Georgia Laura Richardson, California Candice S. Miller, Michigan Danny K. Davis, Illinois Tim Walberg, Michigan Brian Higgins, New York Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois Hansen Clarke, Michigan Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Ben Quayle, Arizona Kathleen C. Hochul, New York Scott Rigell, Virginia Janice Hahn, California Billy Long, Missouri Vacancy Jeff Duncan, South Carolina Tom Marino, Pennsylvania Blake Farenthold, Texas Robert L. Turner, New York Michael J. Russell, Staff Director/Chief Counsel Kerry Ann Watkins, Senior Policy Director Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON TRANSPORTATION SECURITY Mike Rogers, Alabama, Chairman Daniel E. Lungren, California Sheila Jackson Lee, Texas Tim Walberg, Michigan Danny K. Davis, Illinois Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois, Vice Chair Vacancy Robert L. Turner, New York Bennie G. Thompson, Mississippi Peter T. King, New York (Ex (Ex Officio) Officio) Amanda Parikh, Staff Director Natalie Nixon, Deputy Chief Clerk Vacant, Minority Subcommittee Lead C O N T E N T S ---------- Page Statements The Honorable Mike Rogers, a Representative in Congress From the State of Alabama, and Chairman, Subcommittee on Transportation Security....................................................... 1 The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Ranking Member, Subcommittee on Transportation Security........................................ 15 Witnesses Mr. Kelly Hoggan, Assistant Administrator, Office Of Security Capabilities, Transportation Security Administration: Oral Statement................................................. 4 Prepared Statement............................................. 6 Mr. Stephen M. Lord, Director, Homeland Security and Justice Issues, Government Accountability Office: Oral Statement................................................. 9 Prepared Statement............................................. 11 For the Record The Honorable Mike Rogers, a Representative in Congress From the State of Alabama, and Chairman, Subcommittee on Transportation Security: Letter to John S. Pistole...................................... 2 IS TSA'S PLANNED PURCHASE OF CAT/BPSS A WISE USE OF TAXPAYER DOLLARS? ---------- Tuesday, June 19, 2012 U.S. House of Representatives, Subcommittee on Transportation Security, Committee on Homeland Security, Washington, DC. The subcommittee met, pursuant to call, at 2:17 p.m., in Room 311, Cannon House Office Building, Hon. Mike Rogers [Chairman of the subcommittee] presiding. Present: Representatives Rogers, Walberg, Cravaack, and Jackson Lee. Mr. Rogers. This Committee on Homeland Security, Subcommittee on Transportation Security will come to order. The subcommittee is meeting today to examine whether TSA's Credential Authentication Technology Boarding Pass Screening-- or Scanning System, commonly referred to as CAT/BPSS, is a smart use of taxpayer's funds. I want to thank our witnesses for being here today, and I appreciate your time and energy in preparing for today's hearing. I know it takes a lot of time and commitment, and I appreciate that. We look forward to your testimony. TSA has plans to purchase Credential Authentication Technology Boarding Pass Scanning Systems, commonly referred to as CAT/BPSS. You will hear me refer to it as the new technology because it is easier to say than CAT/BPSS. Eventually, the idea is to have this technology replace today's manual travel document checking process with an automated process. While the technology may assist screeners in detecting fake IDs and boarding passes, TSA has not addressed several fundamental weaknesses in the technology that could render it ineffective. As TSA attempts to rebrand itself as a threat-driven agency, CAT/BPSS sticks out like a sore thumb. Here are three of the problems we have identified with this looming purchase: CAT/BPSS is not integrated into TSA's other security layers, such as the terrorist watch list. No. 2, the costs of CAT/BPSS have grown exponentially since TSA first started looking at this. According to TSA figures, acquisition went from $35 million to $115 million, and projected life-cycle costs went from $83 million to $150 million. Finally, TSA plans to purchase over 1,000 of these units over a span of a few months. That does not appear to be a risk-based approach. For those who don't know, TSA already has a lot of extra equipment sitting in storage. Mr. Hoggan, we don't need any more. This hearing will provide an important opportunity to hear more about TSA's plans for CAT/BPSS and examine whether the technology makes us more secure and is a wise use of taxpayer's dollars. Last week, I sent Administrator Pistole a letter expressing my concerns with the technology. If there is no objection, I want to insert that into the record at this time. So ordered. [The information follows:] Letter From Chairman Mike Rogers to John S. Pistole June 11, 2012. Honorable John S. Pistole, Administrator, Transportation Security Administration, 601 South 12th Street, Arlington, VA 20598. Dear Administrator Pistole: I am writing to express my concerns regarding the TSA's plans to purchase and deploy Credential Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS). While CAT/BPSS may assist Transportation Security Officers in detecting fraudulent or invalid IDs and boarding passes, there are a number of weaknesses with this technology that call into question the benefit of deploying up to 1,400 units. On May 30, 2012, I appreciated the opportunity for my staff and I to receive a briefing and demonstration of CAT/BPSS at the TSA's Systems Integration Facility (TSIF). However, our discussion with the CAT/BPSS program team further reinforced our concerns, as outlined below. As you know, the Subcommittee on Transportation Security has held a number of hearings on technology procurement reform at TSA. While we are beginning to see some improvements, including greater transparency with industry, I am concerned that CAT/BPSS falls short in the area of requirements generation and collaboration with the Science and Technology (S&T) Directorate. It appears that the development and deployment of CAT/BPSS technology lacks two critical considerations: (1) A thorough risk analysis of the threat scenarios that the technology addresses and its associated cost-benefit, and (2) the necessary system requirements to achieve risk-based operational success. I commend TSA's emphasis to move towards a more risk-based approach to airport security, so I am puzzled by the apparent lack of risk and cost-benefit analyses for the CAT/BPSS technology. My staff and I have requested several times that TSA provide us an analysis of the projected costs for the CAT/BPSS units, especially given that there is a planned large-scale acquisition as early as 5 months from now. TSA has provided neither cost projections nor cost threshold requirements for the technology. Secondly, while the technology is claimed to be part of a layered approach to airport security screening, we have not seen any risk analysis that supports the role of this technology in the overall security architecture. Specifically, the technology only detects potentially fraudulent documents, and does little or nothing to link these potentially fraudulent documents to terrorist-related threats. CAT/BPSS provides no interconnectivity to other Government threat databases, provides no protection against falsification of IDs at the issuing source, and provides limited assurance that damaged or misprinted, but valid IDs (or boarding passes) can be correctly processed by the system. I also commend TSA for its use of systems engineering principles in developing a set of operational requirements for the CAT/BPSS technology. However, I remain deeply concerned, due to the lack of risk-based analyses, that some key requirements have been excluded. Examples of missing requirements that have been observed include:No requirement for interconnectivity to other security systems within or external to the TSA system architecture. No requirement for false alarm rates. Since only detection rates and throughput rates are specified, the ``threshold settings'' will likely be set to such a low rate that potential threats will pass through undetected. No requirement for human factors. How do we avoid false confidence by the TSOs as they see repeated readings of ``PASS'' by the automated screens? How do we ensure that the technology does not distract from the TSOs' ability to observe passengers for behavioral cues? No requirement for phasing in the technology, based on risk and effectiveness. The acquisition plans call for a bulk procurement of 1,400 CAT/BPSS units for deployment at 50% of all lanes at all airports. Based on prior TSA technology experiences, it would seem that a more phased, risk-based procurement and implementation would be prudent. As you are aware, I intend to hold a hearing on CAT/BP8S next week. This hearing will provide TSA the opportunity to clarify the issues and offer solutions for a path forward. In preparation for this hearing, I request that TSA provide the following information by June 15, 2012: Projected costs of CAT/BPSS, including per-limit costs and projected life-cycle costs. Requirements documents for CAT/BPSS. Risk analyses conducted on CAT/BPSS, including quantitative assessments of the terrorist-based threats that CAT/BPSS will address, and its role in the overall TSA security system architecture. Delineation of the ways in which the S&T Directorate has been engaged and what its expert feedback has been. At my visit to the TSIF on May 30, 2012, the CAT/BPSS program team affirmed there was some level of collaboration with S&T. Since that time, the S&T Directorate has denied having a role in CAT/BPSS development. Thank you for your prompt and personal attention to this matter. I appreciate your continuing efforts to secure the Nation's transportation systems and look forward to working with you to improve TSA's performance in carrying out its critical mission. Sincerely, Mike Rogers, Chairman, Subcommittee on Transportation Security. Mr. Rogers. Mr. Hoggan, while you are very new to this position, this subcommittee has held a number of hearings on technology procurement reform at TSA in which we identified a long list of procurement problems and heard testimony from your predecessor on the subject. While we are beginning to see some general improvements, I am concerned that CAT/BPSS falls into the same familiar pattern of TSA procurement and completely misses the mark. At this point, I think CAT/BPSS is a Band-aid measure to solving a complex problem. The travel document checker can't perform the way we want it to--want him or her to do, so instead of revising training standards, the management protocols and operational procedures, TSA is looking for a quick fix. While an automated process makes sense, TSA has not addressed flaws that plague the technology, and more importantly, TSA checkpoints operation-- checkpoint operations as a whole. Today, I expect concrete answers about the benefits and gaps associated with CAT/BPSS and exactly what changed your mind about it. Based on the information the committee received late on Friday, you have decide to postpone procurement of this technology until next year. I am encouraged by that news, but I can assure that our oversight of this program and other acquisitions will continue to be robust. With that, I would ordinarily now turn to my Ranking Member, Sheila Jackson Lee of Texas. She is involved in another committee and will be here shortly, and we will pause when she arrives to recognize her for an opening statement. Now we are pleased to recognize our witnesses. By the way, the other committee Members are reminded they can submit their statements for the record. We are pleased to have two distinguished witnesses before us today on this important topic. Let me remind each of the witnesses that their entire written statements will be submitted for the record. Our first witness, Mr. Kelly Hoggan, currently serves as an assistant administrator for the Office of Security Capabilities at TSA, a position he assumed this past March. I think it was April, wasn't it? April? Mr. Hoggan. April 8. Mr. Rogers. April 8. In this position, Mr. Hoggan is responsible for the implementation and development of security technologies across multiple modes of transportation. Mr. Hoggan joined TSA in 2004 and has served in numerous leadership positions, most recently as the regional director for the Office of Global Strategies based in Singapore, where he was responsible for overseeing TSA's regional tactical operations. Mr. Hoggan is also served as the deputy administrative-- assistant administrator for the Office of Global Strategies and a deputy assistant administrator for the Office of Security Operations. The Chairman now recognizes Mr. Hoggan for 5 minutes for your own opening statement. STATEMENT OF KELLY HOGGAN, ASSISTANT ADMINISTRATOR, OFFICE OF SECURITY CAPABILITIES, TRANSPORTATION SECURITY ADMINISTRATION Mr. Hoggan. Thank you, Chairman Rogers and distinguished Members of the subcommittee. Thank you for the opportunity to testify about the Transportation Security Administration's use of technology to support a layered approach to securing the Nation's transportation system, while ensuring freedom of movement for people and commerce. TSA's workforce responsibilities include security screening of passengers and baggage at more than 450 airports in the United States, facilitating air travel for 1.8 million people per day. We also vet more than 14 million passenger reservations, 13 million transportation workers against a terrorist watch list every week. One way in which our security approach continues evolving is by investing in innovative technologies and pursuing initiatives that further standardize and integrate equipment. I appreciate the opportunity to discuss with the subcommittee TSA's efforts to strengthen our multi-layered security system through technology innovation. As you know, last fall TSA began developing a strategy for enhanced use of intelligence to help implement a risk-based approach to transportation security. Our objective is to mitigate risk in a way that effectively balances security measures with privacy, civil rights, and civil liberty concerns. Through various risk-based security, or RBS, initiatives, TSA is moving away from a one-size-fits-all security model and close to its goal of providing the most effective transportation security in the most efficient way possible. Perhaps the most widely-known enhancement we are putting in place is TSA PreCheck, which, like other RBS initiatives, leverages our advancements in technology. For example, we are able to leverage our secure-flight technology in a manner that identifies lower risk passengers and distinguishing them in a checkpoint through barcodes on their boarding passes. Another initiative we are currently testing in a handful of airports is a credential authentication technology boarding pass scanning system, or CAT/BPSS, to provide TSO's with an effective tool to quickly detect fraudulent and altered documents. This equipment automatically and currently verifies passenger boarding passes and IDs as they are presented to TSA during the security checkpoint screening process. Using CAT/BPSS, TSA can verify the authenticity of a passenger's ID by comparing the format and security features of a passenger's against a known set of security features for that particular identity credential type. Most legitimate forms of identification issued today includes some forms of encoded data that is written into the credential by the issuing authority in one or more widely- accepted formats. The most common form of formats include one- and two-dimensional bar codes, magnetic strips, embedded circuits, machine readable text. The formatted security features set for each credential type were provided to the TSA by the credential issuers so that TSA can compare the security features on the passenger ID with the security features provided by the credential issuer. TSA is currently conducting CAT/BPSS technology pilots in San Juan, Houston Air Continental and Dulles Washington Airports. During the process, TSA is evaluating the throughput as well as determining the overall operational availability of the various solutions. If testing proves successful, CAT/BPSS units could replace Travel Document Checker podiums in the entrance of airport security checkpoints and the current manual lights and loupes process for boarding pass authentication. TSA is also in the process of upgrading currently deployed AT X-ray systems as well as deploying next generation AT2 systems. This technology is used to screen carry-on luggage at security checkpoints in addition to other upgrades to streamline the baggage check process. Next generation A2X-Ray units featured enhanced explosive detection capabilities to help our officers detect new threats. There are currently more than 1,400 AT units at 125 airports with additional deployments for the remainder of the calendar year 2012. We are working close with DHS S&T and our qualified vendor list to assess the AT2 system's capability to detect liquid, aerosols, and gels, commonly known as LAGs, which could expedite the secondary bag search process. Bottle liquid scanners, or BLS, security screening systems are used to detect potential liquids or gels threats while differentiating between liquid explosives and common benign liquids such as baby formula and insulin. Next-generation BLS systems have the ability to detect a wider range of explosive material and use light waves to screen sealed containers for explosive liquids. TSA recently deployed an additional 500 next-generation BLS units to airports Nation-wide and now is a total of 1,200 at 350 airports. Going forward, TSA will continue its efforts to strengthen this multi-layer security system through technological advances. Chairman Rogers, thank you, once again, for the opportunity for today. [The statement of Mr. Hoggan follows:] Prepared Statement of Kelly Hoggan June 19, 2012 Good afternoon Chairman Rogers, Ranking Member Jackson Lee, and distinguished Members of the subcommittee. Thank you for the opportunity to testify today about the Transportation Security Administration's (TSA) use of technology to support our layered approach to securing the Nation's transportation systems while ensuring freedom of movement for people and commerce. TSA employs risk-based, intelligence-driven measures to deter and prevent terrorist attacks and to reduce vulnerabilities in the Nation's transportation systems. In partnership with airport operators, airlines, and local law enforcement agencies, TSA secures our Nation's commercial airports through a variety of programs that create a multi-layered system of transportation security to mitigate risk. The TSA workforce operates on the front line, executing the agency's transportation security responsibilities in support of the Nation's counterterrorism efforts. These responsibilities include security screening of passengers and baggage at over 450 airports in the United States that facilitate air travel for 1.8 million people per day; recurrently vetting over 13 million transportation workers against the terrorist watch list each day; and conducting security regulation compliance inspections and enforcement activities at airports, for domestic and foreign air carriers, and for air cargo screening operations throughout the United States and at last point of departure locations internationally. In 2011, Transportation Security Officers (TSOs) stopped more than 125,000 prohibited items at airport checkpoints. Of those items, more than 1,300 were firearms. Since our creation in the wake of the September 11 terrorist attacks, TSA has evolved our security approach based on intelligence and by examining how specific security procedures are carried out, improving workforce efficiencies, investing in innovative technologies and pursuing initiatives to further standardize and integrate equipment. Following our Congressional mandate to keep the millions of Americans who travel each day safe and secure across numerous modes of transportation, TSA has strengthened security by creating successful programs and deploying technologies that were not in place prior to September 11, while also taking steps whenever possible to enhance the passenger experience. I am pleased to have an opportunity today to discuss with the subcommittee TSA's technological innovations, which have strengthened our multi-layered security system. risk-based security (rbs) and tsa precheck Last fall, TSA began developing a strategy for enhanced use of intelligence and other information to support a more risk-based approach in all facets of transportation, including passenger screening, air cargo, and surface transportation. At its core, the concept of RBS builds upon the work TSA has been doing throughout its first decade of service to the Nation. Our objective is to mitigate the risk of an attack against our transportation systems in a way that effectively balances security measures with privacy, civil rights, and civil liberties concerns while promoting the safe movement of people and commerce. Through various RBS initiatives, TSA is moving away from a one- size-fits-all security model and closer to its goal of providing the most effective transportation security in the most efficient way possible. In the passenger screening context, RBS allows our dedicated TSOs to focus more attention on those travelers we believe are more likely to pose a risk to our transportation network while providing the opportunity for expedited screening to those we consider pose less risk. The most widely known risk-based security enhancement we are putting in place is TSA PreCheckTM, which, like other RBS initiatives, leverages our advancements in technology. Since first implementing this idea last fall, TSA PreCheckTM has been expanded to 15 airports, making it possible for eligible passengers flying from these airports to experience expedited security screening through TSA PreCheckTM. The feedback we've been receiving is consistently positive. TSA pre-screens TSA PreCheckTM passengers each time they fly through participating airports. Currently, U.S. citizens flying domestically who are qualified frequent fliers of American Airlines, Delta Air Lines, and Alaska Airlines, or members of U.S. Customs and Border Protection's trusted traveler programs such as Global Entry, may be eligible for expedited screening at select checkpoints. TSA is actively working with other major air carriers such as United Airlines, US Airways, and Jet Blue to expand both the number of participating airlines and the number of airports where expedited screening through TSA PreCheckTM is provided. By the end of 2012, TSA plans to have TSA PreCheckTM operating at over 30 of the Nation's busiest airports. TSA PreCheckTM travelers are able to divest fewer items, which may include leaving on their shoes, jacket, and light outerwear as well as other modifications to the standard screening process. As always, TSA will continue to incorporate random and unpredictable security measures throughout the security process. At no point are TSA PreCheckTM travelers guaranteed expedited screening. credential authentication technology/boarding pass scanning systems TSA is currently evaluating a new technology to improve the effectiveness of verifying and validating passengers' travel and identity credentials (ID). This Credential Authentication Technology/ Boarding Pass Scanning System (CAT/BPSS), provides TSOs with an effective tool to quickly detect fraudulent or altered IDs or boarding passes, ensure that the identity information on the ID and boarding pass match, and automatically identify passengers that have been selected, under the RBS concept, for differentiated screening. CAT/BPSS provides TSA with a greater ability to identify fraudulent ID documents and can verify the authenticity of boarding passes. CAT/ BPSS compares the format and security features of the passenger ID against a known set of security features for that particular identity credential type. The most common security features are one and two dimensional (1D, 2D) barcodes, magnetic stripes, embedded circuits, and machine readable text. TSA is currently concluding CAT/BPSS technology pilots at San Juan, Houston, and Washington Dulles airports. During this technical evaluation process, TSA is determining the overall operational suitability of different vendor solutions. Prior to proceeding to the field pilots each CAT/BPSS system were required to go through two rounds of qualification testing plus two additional rounds of regression testing, to remediate issues identified during qualification testing, at the TSA Systems Integration Facility (TSIF). If testing proves successful, CAT/BPSS units could replace the Travel Document Checker podium at the entrance of airport security checkpoints as well as the current manual method of ID and boarding pass authentication with a more effective security measure. advanced imaging technology Advanced Imaging Technology (AIT) helps TSOs screen passengers for metallic and non-metallic threats including weapons, explosives, and other objects concealed under layers of clothing without physical contact. Currently, there are more than 700 AIT units at nearly 190 airports. AIT is a critical component of TSA's risk-based security approach. Consistent with recent U.S. Department of Homeland Security (DHS), Office of Inspector General (OIG), and Government Accountability Office (GAO) recommendations, TSA is implementing an action plan to increase the level of available AIT screening capacity across the Nation's aviation system. Where AIT is deployed and relied upon, TSA has established a utilization target consistent with the recommendation by OIG, and is meeting or exceeding that target. TSA has developed and implemented an AIT instructor certification curriculum for Security Training Instructors (STI) assigned at the airports. These STIs are responsible for delivering AIT training as airports receive the technology. A full training curriculum package, including training kits and training aids, has been distributed to all AIT airports and allows each airport to train as many operators as required. Airports that have not received AIT units will receive the training kit and aids when the equipment is installed. In addition, introduction of Automated Target Recognition (ATR) functionality eliminates the need for a remote Image Operator in all new machines. ATR capability is being retrofitted on all existing machines using millimeter-wave technology, and TSA is currently completing the evaluation of ATR on Backscatter AIT systems. The ATR software provides the same high level of detection and it allows for more targeted pat-downs, because of the manner in which anomalies are displayed. The introduction of ATR reduced the amount of time required for initial operator training and certification. By using local airport STIs to conduct this training, TSA has eliminated concerns about training being a constraint in achieving our AIT utilization goal. The availability of AIT equipment supports long-term needs while increasing efficiencies at checkpoints with even more effective ATR software and a reduced footprint, which will inform future deployment strategies. In support of the increasing number of AIT units deployed with ATR, TSA is developing a new training kit specifically designed to support AIT ATR training and testing. Working with the Johns Hopkins University Applied Physics Laboratory, TSA is also working to increase the number of AIT testing scenarios under our Aviation Screening Assessment Program (ASAP). TSA has been conducting a preliminary assessment to develop and validate additional testing stimulants and scenarios for use with the AIT ATR equipment. The intent is to incorporate new scenarios and stimulants appropriate for use with AIT ATR into ASAP's National-level testing framework. TSA is also working with industry in order to enhance ATR and AIT hardware for greater detection effectiveness. automated wait time Automated Wait Time (AWT) systems utilize technology to monitor and track queuing traffic at the security checkpoint, enabling TSA to reallocate resources to areas of higher congestion and priority as needed. The AWT system includes the ability to display wait times to the traveling public on monitors within airport checkpoints. TSA preliminarily tested an AWT system at the TSIF and anticipates testing it in airports in the coming months. next generation advanced technology x-ray TSA is in the process of upgrading currently deployed Advanced Technology (AT) X-ray systems, as well as deploying next generation, or AT-2 systems. This technology is used to screen carry-on luggage at the security checkpoint. In addition to other upgrades that streamline the bag check process, next generation AT X-ray units feature enhanced explosive detection capabilities that enable TSA to detect additional threats. There are currently more than 1,400 AT units at over 125 airports. These systems enhance security effectiveness and efficiency, and deployments will continue through calendar year 2012. We are working closely with the DHS Science and Technology Directorate (S&T) and our qualified vendors to assess the AT-2 system's capability to detect liquids, aerosols, and gels (LAG), which would provide the TSOs more efficient tools to perform a targeted bag search. shoe-scanning detection technology Shoe-Scanning Detection (SSD) technology is an advanced technology which would be capable of detecting both metallic and non-metallic threats concealed in passenger footwear without requiring that passengers to remove their footwear at the checkpoint. S&T recently issued a Broad Agency Announcement that allows it to support private- sector R&D research and development efforts to develop shoe-scanner detection systems that meet TSA detection requirements. bottled liquids scanners Bottled Liquids Scanner (BLS) screening systems are used to detect potential liquid or gel threats, which may be contained in a passenger's property while differentiating between liquid explosives and common, benign liquid such as baby formula and insulin. Next- generation BLS screening systems have the ability to detect a wider range of explosive materials and use light waves to screen sealed containers for explosive liquids. TSA recently deployed an additional 500 next-generation BLS units to airports Nation-wide. These recent deployments bring the total number of BLS units Nation-wide to over 1,200 at nearly 350 airports. explosives trace detection Explosives Trace Detection (ETD) technology is used at security checkpoints around the country to screen passengers and their carry-on baggage for traces of explosives. Officers may swab a piece of luggage or passenger hands and place the swab inside the ETD unit to analyze the content for the presence of potential explosive residue. TSA is focusing on recapitalization efforts to perform life-cycle replacements with more effective next-generation solutions. In addition, TSA is expanding its use of ETD technology in airports as part of its layered approach to aviation security. TSA is currently conducting pilot testing on portable trace solutions to support more widespread usage of this technology and working with S&T on the development of next- generation ETDs. explosives detection systems recapitalization and optimization Over the next 5 years, a large number of Explosives Detection Systems (EDS) will approach the end of their useful life and replacing these aging units is a top priority. TSA will fund recapitalization projects, which include the work required to remove the existing EDS as well as minimal modifications to the Baggage Handling System infrastructure associated with the replacement of the EDS and the associated purchase and installation of the new EDS. TSA's plan to replace the aging EDS fleet of equipment will be prioritized based on a combination of age and maintenance data. conclusion TSA will continue to enhance its layered security approach through state-of-the-art technologies, expanded use of existing and proven technology, passenger pre-screening and other developments that will continue to strengthen aviation security. Thank you for the opportunity to appear before you today, and I look forward to answering your questions. Mr. Rogers. Thanks, Mr. Hoggan. Our next witness is Mr. Steve Lord. Mr. Lord is a GAO executive responsible for directing numerous engagements on aviation and surface transportation issues and regularly discusses these issues before Congress and at industry forums. He has recently conducted in-depth reviews of the TSA's passenger checked baggage and air-cargo screening operations. Before his appointment to the Senior Executive Service in 2007, he led GAO's work on a number of key international security, finance, and trade issues. Mr. Lord, we appreciate you appearing before this committee on many occasions and look forward to your testimony today. The Chairman now recognizes Mr. Lord for his statement. STATEMENT OF STEPHEN M. LORD, DIRECTOR, HOMELAND SECURITY AND JUSTICE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE Mr. Lord. Thank you, Mr. Chairman. Chairman Rogers and other distinguished Members of the committee, I am pleased to be here today to discuss TSA's efforts to acquire this new technology. I don't use the acronym either. Some of our past work on TSA acquisitions which could inform the deliberations over TSA's progress in procuring this: This is an important issue as TSA acquisitions represent billions of dollars in life-cycle costs and support a wide range of missions. As you know, TSA started testing some of this new technology to help verify passenger IDs and boarding passes. They plan to use this technology to eventually replace the current process, the manual process, for inspecting and detecting fraudulent or altered documents. Today, I would like to discuss two specific issues. No. 1, the status of the actual acquisition for this technology and some broader challenges we have previously identified in TSA's acquisition process that may be relevant for today's discussion. First, regarding the acquisition status, TSA is now preparing to start a really important phase of the acquisitions referred to an operational test and evaluation and that is the one going to occur at three airports, Houston, Dulles, and San Juan. During the operational testing, TSA plans to assess the system's performance in terms of three performance criteria, detection capabilities, passenger throughput, and availability. Those are referred to as key performance parameters. According to the acquisition documents we reviewed, the estimated life-cycle cost of the program is about $130 million based on a procurement of 4,000 units over 20 years. You have to understand 4,000 includes replacement costs. Out of 1,400 referred to earlier, that is the planned buy, but since they are only expected to last 7 or 8 years, you, ultimately, have to replace them. We reviewed the life-cycle cost estimate of the passenger screening program and found the estimate to be reasonably comprehensive and documented. We have clear criteria for evaluating these life-cycle cost estimates. However, we could not determine the credibility because the current version does not include a risk analysis or independent cost estimate as deemed by best practice. We also noted that the assumed deflation rate over the life of the program is 1 percent rather than the historical rate of 3 to 4 percent. So, thus, if a higher assumed inflation rate was used, estimated program costs would definitely be higher. More broadly, our prior work has identified three consistent challenges that are worth noting as this TSA acquisition unfolds. Our prior work emphasizes the importance of establishing and meeting clear program requirements, No. 2, properly overseeing and testing the technologies you are procuring. No. 3, developing sound acquisition program baselines to benchmark progress and meeting initial costs, schedule, and performance targets. We previously reported that DHS and TSA have faced challenges in developing requirements when acquiring new screening technologies. For example, in June 2010, we reported that more than half of the 15 DHS reviewed, awarded contracts to initiate acquisitions without required approval of key acquisition documents. The good news for CAT/BPSS is it does have some of these key documents. On the other hand, as I noted earlier, we have some concerns about the credibility of the life-cycle cost estimate. In closing, this hearing provides an excellent opportunity to ask some broader questions about the TSA procurement. First, how will TSA ensure that this new system addresses the security of vulnerabilities it previously identified with the fraudulent IDs? Second, what confidence does TSA have in its unit cost estimate? Third, how does the screening technology fit into TSA's broader acquisition--I am sorry, aviation security strategy? Finally, what cost-benefit analysis, if any, is being used to guide TSA decision-makers? Mr. Chairman, this concludes my remarks. I look forward to responding to any questions you may have. Thank you. [The statement of Mr. Lord follows:] Prepared Statement of Stephen M. Lord June 19, 2012 aviation security.--status of tsa's acquisition of technology for screening passenger identification and boarding passes Chairman Rogers, Ranking Member Jackson Lee, and Members of the committee: I am pleased to be here today to discuss our past work examining the Transportation Security Administration's (TSA) progress and challenges in developing and acquiring technologies to address aviation security needs. TSA's acquisition programs represent billions of dollars in life-cycle costs and support a wide range of aviation security missions and investments. Within the Department of Homeland Security (DHS), the Science and Technology Directorate (S&T) and TSA have responsibilities for researching, developing, and testing and evaluating new technologies, including airport checkpoint screening technologies. Specifically, S&T is responsible for the basic and applied research and advanced development of new technologies, while TSA, through its Passenger Screening Program, identifies the need for new checkpoint screening technologies and provides input to S&T during the research and development of new technologies, which TSA then procures and deploys. TSA screens more than 600 million air passengers per year through approximately 2,300 security checkpoint lanes at about 450 airports Nation-wide, and must attempt to balance its aviation security mission with concerns about efficiency and the privacy of the traveling public. The agency relies upon multiple layers of security to deter, detect, and disrupt persons posing a potential risk to aviation security. Part of its checkpoint security controls include a manual review and comparison by a travel document checker of each person's boarding pass and identification, such as passports or State-issued driver's licenses. However, concerns have been raised about security vulnerabilities in this process. For example, in 2006, a university student created a website that enabled individuals to create fake boarding passes. In addition, in 2011, a man was convicted of stowing away aboard an aircraft after using an expired boarding pass with someone else's name on it to fly from New York to Los Angeles. Recent news reports have also highlighted the apparent ease of ordering high- quality counterfeit driver's licenses from China. We have previously reported on significant fraud vulnerabilities in the passport issuance process and on difficulties in detecting fraudulent identity documentation, such as driver's licenses.\1\ --------------------------------------------------------------------------- \1\ GAO, State Department: Significant Vulnerabilities in the Passport Issuance Process, GAO-09-681T (Washington, DC: May 5, 2009), and Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington, DC: May 10, 2011). We also have on-going classified work looking at the effectiveness of the travel document checker at detecting fraudulent documents, which we expect to finalize later this summer. --------------------------------------------------------------------------- In response to these vulnerabilities, and as part of its broader effort to improve security and increase efficiency, TSA began developing technology designed to automatically verify boarding passes and to better identify altered or fraudulent passenger identification documents. TSA plans for this technology, known as Credential Authentication Technology/Boarding Pass Scanning Systems (CAT/BPSS), to eventually replace the current procedure used by travel document checkers to detect fraudulent or altered documents. However, we have previously reported that DHS and TSA have experienced challenges in managing their acquisition efforts, including implementing technologies that did not meet intended requirements and were not appropriately tested and evaluated, and have not consistently included completed analyses of costs and benefits before technologies were implemented.\2\ --------------------------------------------------------------------------- \2\ For example, see GAO, Homeland Security: DHS and TSA Face Challenges Overseeing Acquisition of Screening Technologies, GAO-12- 644T (Washington, DC: May 9, 2012). --------------------------------------------------------------------------- Since DHS's inception in 2003, we have designated implementing and transforming DHS as high-risk because DHS had to transform 22 agencies--several with major management challenges--into one department.\3\ This high-risk area includes challenges in strengthening DHS's management functions, including acquisitions; the effect of those challenges on DHS's mission implementation; and challenges in integrating management functions within and across the department and its components. DHS currently has several plans and efforts under way to address the high-risk designation as well as the more specific challenges related to acquisition and program implementation that we have previously identified. For example, DHS provided us with its Integrated Strategy for High-Risk Management in June 2012, which includes management initiatives and corrective actions to address acquisition management challenges, among other management areas. We will continue to monitor and assess DHS's implementation and transformation efforts through our on-going and planned work, including the 2013 high-risk update that we expect to issue in early 2013. --------------------------------------------------------------------------- \3\ GAO, High-Risk Series: An Update, GAO-11-278 (Washington, DC: Feb. 16, 2011). --------------------------------------------------------------------------- My statement today focuses on: (1) The status of TSA's CAT/BPSS acquisition and the extent to which the related life-cycle cost estimate is consistent with best practices, and (2) challenges we have previously identified in TSA's acquisition process to manage, test, acquire, and deploy screening technologies. This statement also provides information on issues for possible Congressional oversight related to CAT/BPSS. This statement is based on reports and testimonies we issued from October 2009 through May 2012 related to TSA's efforts to manage, test, acquire, and deploy various technology programs.\4\ In addition, we obtained updated information in June 2012 from TSA on the status of its efforts to implement our recommendations from these reports. For our past work, we reviewed program schedules, planning documents, testing reports, and other acquisition documentation. For some of the programs we discuss in this testimony, we conducted site visits to a range of facilities, such as National laboratories, airports, and other locations to observe research, development, and testing efforts. We also conducted interviews with DHS component program managers and DHS Science and Technology Directorate officials to discuss issues related to individual programs. More detailed information on the scope and methodology from our previous work can be found within each specific report. In addition, this statement contains new information we obtained from TSA in June 2012 on the status of its CAT/BPSS acquisition. We reviewed key acquisition documents--including the mission needs statement (September 2008), request for proposal (April 2011), operational requirements document (August 2011), life-cycle cost estimate (November 2011), and acquisition program baseline (November 2011)--interviewed officials from TSA's Office of Security Capabilities, and viewed a demonstration of the CAT/BPSS test units. We compared the life-cycle cost estimate with best practices from our Cost Estimating and Assessment Guide to determine whether the official cost estimates were comprehensive (i.e., include all costs), accurate, well- documented, and credible.\5\ We conducted all of our work in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. We discussed new information in this statement with TSA officials and incorporated their comments as appropriate. --------------------------------------------------------------------------- \4\ See the related products list at the end of this statement. Examples of these technology programs include advanced imaging technology (AIT)--commonly referred to as a full-body scanner--that screens passengers for metallic and non-metallic threats including weapons, explosives, and other objects concealed under layers of clothing; explosives detection systems, which use X-rays with computer- aided imaging to automatically recognize the characteristic signatures of threat explosives; and explosives trace detection machines, in which a human operator (e.g., a baggage screener) uses chemical analysis to manually detect traces of explosive materials' vapors and residue. \5\ GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, GAO-09-3SP (Washington, DC: March 2009). --------------------------------------------------------------------------- In summary, TSA has completed its initial testing of the CAT/BPSS technology and has begun operational testing at three airports. We found the project's associated life-cycle cost estimate to be reasonably comprehensive and well-documented, although we are less confident in its accuracy due to questions about the assumed inflation rate. In addition, we could not evaluate its credibility because the current version does not include an independent cost estimate or an assessment of how changing key assumptions and other factors would affect the estimate. Our past work has identified three key challenges related to TSA's efforts to acquire and deploy technologies to address homeland security needs: (1) Developing and meeting technology program requirements, (2) overseeing and conducting testing of new screening technologies, and (3) developing acquisition program baselines to establish initial cost, schedule, and performance parameters. cat/bpss is in the operational testing and evaluation phase, and the life-cycle cost estimate is not fully consistent with best practices CAT/BPSS, which is part of TSA's Passenger Screening Program, has undergone initial testing and is in the operational testing and evaluation phase of acquisition, according to TSA. The goal of CAT/BPSS is to deploy a computerized system that will read and analyze data and embedded security features on every passenger's identification and some boarding passes, and to identify fraudulent credentials and boarding passes. In 2011, TSA conducted qualification testing of this system at its System Integration Facility at Washington Reagan National Airport, including testing the systems against more than 530 genuine and fraudulent documents, such as State-issued driver's licenses, passports, and military identification cards, according to TSA. The technology is designed to automatically compare a passenger's identification with a set of embedded security features to seek to identify indicators of fraud and concurrently ensure that the information on the identification and boarding pass matches. This system is intended to help ensure that identity credentials and boarding passes presented at the checkpoint have not been tampered with or fraudulently produced, and that the information on the boarding pass matches that of the identity credential. According to TSA, CAT/BPSS is to compare identity credentials with an internal database of more than 2,400 templates for various types of credentials and to check for certain embedded security features, then alert the operator of any discrepancies. In September 2011, TSA awarded contracts for approximately $3.2 million, which included the purchase of 30 units from three different vendors.\6\ In April 2012, TSA began deploying units to three airports--George Bush Intercontinental in Houston, Luis Munoz Marin International in San Juan, and Washington Dulles International--in preparation for initial operational testing. TSA officials said that those airports were selected, in part, because of their high passenger volume and experience with detecting fraudulent documents. In preparation for initial testing, TSA tested the performance of its current process for comparison purposes. TSA is also training personnel on the CAT/BPSS systems, collecting preliminary data on system performance and availability, and assessing the adequacy of the concept of operations and standard operating procedures. According to TSA officials, these efforts will allow travel document checkers at the three airports to test the three systems in an operational environment and provide feedback on the systems' performance. During operational testing, TSA plans to assess the systems' performance against key performance parameters for detection, passenger throughput, and availability. Once operational testing is complete, TSA plans to produce a system evaluation report and recommend whether to move forward with the acquisition or make modifications. Vendors that successfully exit the operational testing phase will be eligible to compete for a contract to produce 1,400 units, according to TSA. --------------------------------------------------------------------------- \6\ According to TSA, the $3.2 million included costs for maintenance, database updates, and training, among other things. --------------------------------------------------------------------------- According to the life-cycle cost estimate for the Passenger Screening Program, of which CAT/BPSS is a part, the estimated 20-year life-cycle cost of CAT/BPSS is approximately $130 million based on a procurement of 4,000 units.\7\ As highlighted in our Cost Estimating and Assessment Guide, a reliable cost estimate has four characteristics--it is comprehensive, well-documented, accurate, and credible.\8\ We reviewed TSA's November 2011 life-cycle cost estimate for the Passenger Screening Program and compared it with the four characteristics. Based on our assessment, the life-cycle cost estimate is reasonably comprehensive and well-documented. Regarding accuracy, the cost estimate assumes a 1 percent inflation rate from fiscal years 2015 through 2029, as compared with the historic inflation rates calculated for fiscal years 2009 through 2014, which ranged from 3.3 to 4.5 percent. If a larger inflation rate were used, costs would be much higher than what are currently estimated. In addition, we cannot make a determination as to the credibility of the life-cycle cost estimate as it does not include a risk and uncertainty analysis or an independent cost estimate. The risk assessment would quantify risks and identify effects of changing key cost driver assumptions and factors.\9\ In the cost estimate, TSA indicates that it is pursuing the acquisition of risk analysis capability and plans on having such capabilities in time for the next life-cycle cost estimate. Likewise, there is no evidence that an independent cost estimate was conducted by a group outside the acquiring organization to determine whether other estimating methods would produce similar results. TSA officials indicated that the agency is updating its life-cycle cost estimate to include a risk and uncertainty analysis and independent cost estimate, but the document has not yet been approved. --------------------------------------------------------------------------- \7\ This includes an initial procurement of 1,400 units in fiscal year 2013, and an additional 2,600 replacement units by fiscal year 2029. \8\ GAO-09-3SP. The DHS Cost Analysis Division has implemented our Cost Estimating and Assessment Guide as the standard for cost estimating at DHS. \9\ DHS did not approve the life-cycle cost estimate due to the lack of risk and sensitivity analysis, according to TSA. --------------------------------------------------------------------------- The agency plans to expand the CAT/BPSS deployment schedule following successful implementation and testing in the selected airport environments. As of June 2012, TSA officials estimated that this could occur as soon as the end of this calendar year, depending on the results of the operational testing and evaluation phase. previously identified challenges tsa faces in overseeing acquisition of screening technologies Our past work has identified three key challenges related to TSA's efforts to acquire and deploy technologies to address homeland security needs: (1) Developing and meeting technology program requirements, (2) overseeing and conducting testing of new screening technologies, and (3) developing acquisition program baselines to establish initial cost, schedule, and performance parameters. We have previously reported that DHS and TSA have faced challenges in developing and meeting program requirements when acquiring screening technologies, and that program performance cannot be accurately assessed without valid baseline requirements established at the program start. In June 2010, for example, we reported that more than half of the 15 DHS programs we reviewed awarded contracts to initiate acquisition activities without component or Department approval of documents essential to planning acquisitions, setting operational requirements, or establishing acquisition program baselines.\10\ We made a number of recommendations to help address issues related to these procurements. DHS generally agreed with these recommendations and, to varying degrees, has begun taking actions to address them. We currently have on-going work related to this area and we plan to report the results later this fall.\11\ At the program level, in May 2012, we reported that TSA did not fully follow DHS acquisition policies when acquiring advanced imaging technology (AIT), or body scanners, which resulted in DHS approving full AIT deployment without full knowledge of TSA's revised specifications.\12\ --------------------------------------------------------------------------- \10\ GAO, Department of Homeland Security: Assessments of Selected Complex Acquisitions, GAO-10-588SP (Washington, DC: June 30, 2010). Three of 15 were TSA programs. \11\ We are conducting this work at the request of the Senate Committee on Homeland Security and Governmental Affairs and the Subcommittee on Oversight, Investigations, and Management of the House Committee on Homeland Security. \12\ See GAO-12-644T, in which we publicly reported some of the findings and recommendations from our January 2012 classified report on TSA's procurement and deployment of AIT, commonly referred to as full- body scanners, at airport checkpoints. --------------------------------------------------------------------------- We have also reported on DHS and TSA challenges in overseeing and testing new screening technologies, which can lead to costly redesign and rework at a later date. Addressing such problems before moving to the acquisition phase can help agencies better manage costs. For example, in October 2009, we reported that TSA had deployed explosives trace portals, a technology for detecting traces of explosives on passengers at airport checkpoints, in January 2006 even though TSA officials were aware that tests conducted during 2004 and 2005 on earlier models of the portals suggested the portals did not demonstrate reliable performance in an airport environment. As a result, we found that TSA procured and deployed a technology that met evolving requirements, but not the initial requirements included in its key acquisition requirements document that the agency initially determined were necessary to enhance the aviation system. We recommended that TSA develop a road map that outlines vendors' progress in meeting all key performance parameters. DHS agreed with our recommendation and has begun taking action to address it.\13\ In June 2006, TSA halted deployment of the explosives trace portals because of performance problems and high installation costs. In our 2009 report, we recommended that, to the extent feasible, TSA ensure that tests are completed before deploying new checkpoint screening technologies to airports. DHS concurred with the recommendation and has taken action to address it, such as requiring more recent technologies to complete both laboratory and operational tests prior to deployment. --------------------------------------------------------------------------- \13\ GAO, Aviation Security: DHS and TSA Have Researched, Developed, and Begun Deploying Passenger Checkpoint Screening Technologies, but Continue to Face Challenges, GAO-10-128 (Washington, DC: Oct. 7, 2009). --------------------------------------------------------------------------- DHS and TSA have also experienced challenges identifying acquisition program baselines, which include program schedules and costs. Our prior work has found that realistic acquisition program baselines with stable requirements for cost, schedule, and performance are among the factors that are important to successful acquisitions delivering capabilities within cost and schedule. We also found that program performance metrics for cost and schedule can provide useful indicators of the health of acquisition programs. For example, we reported in April 2012 that TSA has not had a DHS-approved acquisition program baseline since the inception of the Electronic Baggage Screening Program (EBSP) more than 8 years ago.\14\ Further, DHS did not require TSA to complete an acquisition program baseline until November 2008. According to TSA officials, they have twice submitted an acquisition program baseline to DHS for approval--first in November 2009 and again in February 2011. An approved baseline would provide DHS with additional assurances that TSA's approach is appropriate and that the capabilities being pursued are worth the expected costs. In November 2011, because TSA did not have a fully-developed life-cycle cost estimate as part of its acquisition program baseline for the EBSP, DHS instructed TSA to revise the life-cycle cost estimates as well as its procurement and deployment schedules to reflect budget constraints. DHS officials told us that they could not approve the acquisition program baseline as written because TSA's estimates were significantly over budget. TSA officials stated that TSA is currently working with DHS to amend the draft program baseline and plans to resubmit the revised acquisition program baseline before the next Acquisition Review Board meeting, which is planned for July or August 2012. Establishing and approving a program baseline, as DHS and TSA plan to do for the EBSP, could help DHS assess the program's progress in meeting its goals and achieve better program outcomes. --------------------------------------------------------------------------- \14\ GAO, Checked Baggage Screening: TSA Has Deployed Optimal Systems at the Majority of TSA-Regulated Airports, but Could Strengthen Cost Estimates, GAO-12-266 (Washington, DC: Apr. 27, 2012). --------------------------------------------------------------------------- Our prior work on TSA acquisition management identified oversight problems that have led to cost increases, delivery delays, and other operational challenges for certain assets, such as EBSP, but TSA has also taken several steps to improve its acquisition management. For example, while we continue to find that some TSA acquisition programs do not have key documents needed for properly managing acquisitions, CAT/BPSS has a DHS-approved mission needs statement, operational requirements document, and acquisition program baseline.\15\ --------------------------------------------------------------------------- \15\ The life-cycle cost estimate was approved by TSA but not by DHS. --------------------------------------------------------------------------- congressional oversight issues This hearing provides an opportunity for Congressional stakeholders to focus a dialogue on how to continue a sufficient level of oversight of the CAT/BPSS acquisition and implementation and other key components of the Passenger Screening Program. For example, relevant questions that could be raised include the following: To what extent, if any, have key performance parameters changed during the course of the acquisition, and how will these changes affect security and efficiency at the checkpoint? What would be TSA's strategy if vendors have difficulty meeting the key performance parameters? How will TSA ensure that implementation of the system addresses the security vulnerabilities previously identified? What confidence does TSA have in its cost estimates and how is the agency mitigating the risk of cost escalation or schedule delays? In managing limited resources to mitigate a potentially unlimited range of security threats, how does CAT/BPSS fit into TSA's broader aviation security strategy? What cost-benefit and related analyses, if any, are being used to guide TSA decision makers? These types of questions and related issues warrant on-going consideration by TSA management and continued oversight by Congressional stakeholders. Chairman Rogers, Ranking Member Jackson Lee, and Members of the committee, this concludes my prepared statement. I look forward to responding to any questions that you may have. Mr. Rogers. I thank the gentleman. The Chairman now recognizes the Ranking Member for her opening statement. Ms. Jackson Lee. Chairman, thank you for hosting this hearing and, as I indicated to you, two committees that I love the most, Judiciary and Homeland Security and, particularly these subcommittees seem to have an uncanny ability to overlap their committee meetings, particularly mark-ups. So let me thank the two witnesses and the Chairman for holding this hearing and I would like to have a rhetorical response back to the rhetorical question which is the title of this hearing that indicates whether it is a wise use and I think, to Mr. Hoggan and Mr. Lord, the chief responsibility of the hearing today is for you to answer that question. I have an answer, I think it is wise, but I think the Chairman's inquiry is appropriate, in terms of the procurement or the utilization of funds or the technology and contractor, whether or not we are at the best level of efficiencies to ensure that we get the job done. I hope that I will be able to secure some answers on that very point. So I thank the Chairman for holding today's hearing and I know, from our discussions, that we share the same commitment to securing our Nation's transportation systems. We also share the same commitment to ensuring that technologies procured by the Department are acquired after a robust testing and evaluation process. Today marks the fourth hearing the subcommittee is holding regarding the procurement practices at the Department and transportation and security technologies. I might add that I have often said that I am interested in small, minority, women-owned businesses. I don't know if they have a chance to be engaged in this procurement process and the question is would they have been better? Is this a small business or a large business? I would be interested in knowing that. Although I welcome the delivered oversight of procurement practices carried by this committee, I respectfully reassert my request that we hold a hearing evaluating TSA's in-cabin security efforts and I look forward to working with the Chairman on determining that. That is an assessment of TSA's work if they have that ability and as well, airlines and what they are doing for in- cabin security. As we learned on September 11, if all else fails, the cabin of an airplane may become our last line of defense. Today, we will hear from the Transportation Security Commission Government Accountability Office regarding the procurement goals by TSA on CAT/BPSS. This system has been deployed for testing at three major airports since last April. As of today, TSA is still working on reviewing the data it gathered from testing and evaluating this technology in real- life conditions. This is a critical step in assessing the effectiveness of any piece of technology. As we learned from the puffer machines, what works in the lab may not work in real-life and this is a large and looming question. I look forward to hearing from TSA about its preliminary findings on the performance of this technology and what you will do next. I also look forward to hearing about the risk analysis TSA conducted on the use of fraudulent documents by potential terrorists. Last year the media exposed an incident in which a 24-year-old man was arrested after attempting to board a flight from a Los Angeles airport to Atlanta using outdated boarding passes. What was even more alarming was the fact that this same individual had already navigated layers of security at JFK and boarded a flight using an outdated boarding pass to fly to Los Angeles International Airport. This incident underscored the need for additional training and technology to enable TSOs to detect fraudulent documents. This is a learning and growing process. We want it to be a learning and growing process by saving the lives of Americans. I think TSA is committed to that, and I think this technology is one aspect of making good on that promise of securing the homeland. Since that incident, TSA has been working to identify technological solutions to resolve the problem of detecting fraudulent documents. The system we will hear about today, CAT/ BPSS, may be one possible technological solution. Science is not perfect. Testing a new technology is part of the TAFF--test, test, test, improve the technology, test, test, test, improve the technology and save lives. There is nothing wrong with that. I look forward to today's testimony from GAO and TSA that we have already heard, and I thank you for your testimony. I hope each will shed light and has shed light on the procurement process and--identify the type of technology needed to address the vulnerability. As we know, this subcommittee has been particularly interested in ensuring that the procurement goals set forth by the Department are administered by the under secretary of management and those at TSA. Last fall, Mr. Chairman, you held three hearings that examined the practices used to evaluate, procure, and deploy technology across our transportation system. During these hearings we heard from former homeland security officials. They testified about the need for greater cooperation between the business and Government in developing contract requirements for major research projects. While this is an interesting thought, as you know, the Federal Acquisition Regulations have strict rules about the depth and breadth of permissible discussions between Government and industry prior to the announcement of a contracting opportunity. I think those hearings also made clear that this administration has taken action on how TSA and S&T can improve this collaboration. Congress needs to support and encourage efforts to ensure that Government is more efficient, genuinely meets the needs of its customers, the American taxpayers, and use our dollars in a fiscally responsible way. Unfortunately, under our budgetary constraints, we may lose the opportunity to get the best technology. Mr. Chairman, we cannot use money to fill every security gap, but we cannot ignore money in terms of what the needs are for new technology. So I look forward to assessing the procurement problem and as well to solving the problem if there is one, but to make sure that everything we do is to secure the homeland and to save lives. With that, Mr. Chairman, I yield back. Mr. Rogers. I thank the gentlelady. Now we will turn to questions. Before I start my questions I wanted to share something with Mr. Hoggan, which is not your fault, but it is something you should be aware of that your staff has done. If you will look up on the screens, you will see written testimony that was strikingly similar to testimony we got from your predecessor a year ago. That testimony was from a different hearing on a different topic. All of the highlighted content on this page up on the screen was recycled from that hearing. So they basically took your predecessor's testimony from a hearing a year ago and gave it to you to regurgitate again this year. Slide 2, if they can get that up there--guess not--there it is. This slide shows that 7 pages of the testimony TSA was-- dedicated less than a paragraph to the specific topic of this hearing, and of that, some of the material was also recycled. This testimony also does not address any of the questions this committee has raised in the past month, including questions I specifically raised in a letter to Mr. Pistole. I try not to waste your time, and I hope you will have your committee make sure they don't waste our time, because it is disrespectful. With that, as you know, we talked briefly yesterday and I am pleased about the turn of events with your postponement. About 5 or 6 weeks ago, I along with a number of staff members from both sides of the aisle went out to the TSIF to be briefed by your staff on this new technology. As a result, we found what it could do, but also had real questions about what it couldn't do and couldn't get our questions answered satisfactorily. We are concerned about the cost. So we wrote the letter to Administrator Pistole and it is my understanding that you all have now postponed it for the third time. I want to know if you agree with the statement that if it had not been postponed and we had gone ahead with the procurement, with its limitations, it would have been a waste of money to do that. Mr. Hoggan. Sir, I wouldn't have proposed going forward with procurement as it exists today with the information I know from OT&E. Mr. Rogers. That is what I thought. Well, I am glad. I am glad you came in and recognized that we don't need to be wasting any money. The fact is that, as you know, and I have talked with Administrator Pistole about this on numerous occasions, the public is just outraged by what they see with TSA and a lot of the wasteful money that has been spent in the past. They are looking for us to be better stewards and also to be a little bit more threat-based in our approach and not treat everybody like terrorists. So it has got a lot of problems, but one of them has been the money. In these new, more austere times, we are going to have to be good stewards of our Federal tax dollars. With that in mind, the cost of this technology skyrocketed, as you heard me say earlier. It went from $35 million projected cost in 2008 to $115 million in 2011. It is a 200 percent increase. Can you tell me how that developed? Mr. Hoggan. Sir, I will have to get back on you for that. I know the original procurement for the 1,400 units could cost anywhere from $35 million to $45 million and the life-cycle cost estimate over a 20-year time frame would be an additional upwards of $130 million over that time, as Mr. Lord had talked about, that has to do with the life cycle being anywhere from 7 to 8 years and a replenishment factor for 2,600 units to manage it to 1,400 across that 20-year time frame. The specifics of the reasons why the changes had happened I will have to research that and I will provide that back to you, sir. Mr. Rogers. What about this? In 2011, TSA said the cost of each machine was going to be roughly $25,000. More recently TSA said the cost of each machine is now going to be $100,000. It is a pretty big jump. Mr. Hoggan. That is incorrect, sir. This is a procurement- sensitive issue right now, and I could talk to you specifically off-line about the individual cost because we are still in the middle of the process. However, it is not $100,000 per machine. I can assure you that. Mr. Rogers. Good, I am glad to hear that. It took this committee 3 weeks to share--or it took TSA 3 weeks to share with this committee the cost of this program, those numbers which you now point out are incorrect. Given these huge cost increases, it is easy to understand why. Were you aware it took 3 weeks for your office to get that information to us in the time we requested it? Mr. Hoggan. No, sir, I am not. Mr. Rogers. Okay. Do you find that acceptable? Mr. Hoggan. No, sir, I do not. Mr. Rogers. Great. Tell me what you see is the purpose of the CAT/BPSS. Mr. Hoggan. In 2007 TSA, as a layered approach to security, took over the boarding pass ID authentication and review at the check point from airline employees or individuals as were subcontracted by airlines at the departure gates. At that time we employed transportation security officers to do the review of the documents and the boarding passes. What we have found over time--and I will give you the example and the numbers--with the 50 States and eight different territories we have approximately 600 different permeations of IDs that could be presented at checkpoints. If you take that into consideration with TWIC cards or CAC cards or TESLA cards from the DOD, as well as passports, we have upwards of 2,470 different variations of ID's that could be presented at a checkpoint alone for travel, you know, on the air. That being said, a TSO who is deployed at Washington Dulles might have a very good understanding of driver's license from District of Columbia, State of Maryland, State of Virginia, maybe State of Pennsylvania or West Virginia, but they don't have a fundamental pure understanding of IDs from other parts of the country. Notwithstanding, 2,470 different permeations of ID is hard for anybody to get a perspective on. So the technology allows us to have good authentication of the different travel documents that are presented, whether it is the ID and the boarding pass. The boarding pass also allows us to have the name matches, as well as other fields, not least of which is departure date, flight, and so forth to ensure that it matches the data. So for a human factors component it is very difficult for a TSO over time to have a continued high level of proficiency for that many variables, but the technology does provide it. Mr. Rogers. Thank you. My time is expired. The Chairman now recognizes the Ranking Member for any questions she may have. Ms. Jackson Lee. I thank the Chairman very much. I thank the witnesses again. Mr. Hoggan, what is the name of the contractor? Are there many contractors or just one? Mr. Hoggan. Madam, right now there are three contractors that have provided BAE Systems. I would have to look at my notes for the exact full names of them, but we have three contractors now--presented. There were four original contractors that came in the procurement, but only three of them cleared the process. Ms. Jackson Lee. Okay. I don't want to be unfair, but I think you have got staff sitting behind you and they are not-- we need to be helpful to the witness. Maybe they can find it for you, Mr. Hoggan, so you won't have to look. I think they can better look for it. Are these small companies or medium-sized companies or what? Mr. Hoggan. Madam, originally one of them was a small business during the procurement life cycle. Subsequently, my understanding is, it had been purchased by a larger business in the interim and---- Ms. Jackson Lee. Why don't you read the names into the record, please? Mr. Hoggan. Names of record are Trans Digital Technologies, BAE Systems, NCR Government Solutions. Ms. Jackson Lee. Each are offering their type of technology or they are collaborating? Mr. Hoggan. Each are offering their own type of technology. Ms. Jackson Lee. They are involved in the pilot. Mr. Hoggan. Yes, madam, they are, in the OT&E. Ms. Jackson Lee. Do you find one technology better than the other? Mr. Hoggan. Not right now. They are very similar. There are unique differences. It is preliminary, as we talked about before. We are still in the OT&E process. It just completed last week. We are in the process of gathering the data. We had all the machines at Dulles for 6 weeks and at San Juan and George Bush Intercontinental for 4 weeks. So we are pulling the data right now. But the preliminary information that I have been privy to is that they are very similar, but there are some unique differences--minor unique differences. One of them might have a harder time reading a BlackBerry or---- Ms. Jackson Lee. So you are not going to at this point in time say that of the three, two are out and one is in? Mr. Hoggan. No, madam, I am not. Ms. Jackson Lee. All right. Let me rapidly move forward on my questions, so I can get as many in as possible. You are not--so therefore the assessment that we have to go back to the drawing board comes from where? Mr. Hoggan. The assessment comes from the OT&E review as it relates to the technology in detection and most importantly as well as reliability and speed for the processing. They are not at the levels they need to be, and we found these issues as it relates to the IDs, the boarding passes. So we want to go back to the manufacturers and update some database entries as well as some software---- Ms. Jackson Lee. So the incident that I recited in my statement about a gentleman getting on the plane with a false boarding pass generated the interest in trying to enhance technology to determine about these false documents? Mr. Hoggan. No, madam, we actually started this in 2007 with integrated product team back when we took over---- Ms. Jackson Lee. What was the purpose of starting this? Mr. Hoggan. It was a travel document checking process that we took over with the TSOs. This is the fourth procurement event for this type activity. We had an RFP go out in March 2009 and we had no vendors that qualified with our---- Ms. Jackson Lee. So then you came back? Mr. Hoggan. Yes, madam. Ms. Jackson Lee. Do you see a value in the utilization of this technology if it can be perfected? Mr. Hoggan. Yes, madam, I do. Ms. Jackson Lee. How does that value translate to securing the homeland? Mr. Hoggan. It allows us the opportunity to ensure that the people who are traveling, as they present themselves, are who they say they are; their ID is authenticated; it matches the boarding passes for travel on that day, which then ensures, because there are encrypted data that comes through, that all those boarding passes have---- Ms. Jackson Lee. So if someone is leaving West Virginia, going to Montana, and they have Montana documents, and you are having TSOs who are unfamiliar with Montana documents, can this technology enhance that TSO's ability to protect the homeland by knowing whether those are false documents, through that technology? Mr. Hoggan. Yes, madam. Ms. Jackson Lee. So there is a value to it? Mr. Hoggan. Yes, madam. Ms. Jackson Lee. Let me ask you, Mr. Lord. In your assessment, is this a valuable technology if it is perfected and if it has the efficiencies of scale? Mr. Lord. Well, with all due respect, madam, those are major ``ifs.'' That is the purpose of the operational test and evaluation. Ms. Jackson Lee. Do you view the operational test as valuable? Mr. Lord. Yes. Ms. Jackson Lee. Is this what we should be doing? Mr. Lord. That is something we have identified in our prior work. In the past, TSA's tended to either not do that or truncated the testing. So we think it is very important to take as much time as needed in operational tests and evaluation to ensure the technology you are procuring meets the original requirements. Ms. Jackson Lee. So how many more tests would you suggest they have? Mr. Lord. Well, it is the length of the testing period. What they are doing is they bought two each, as Mr. Hoggan indicated. There are three vendors. They are testing two units of each vendors' technology in the three airports. So they purchased. The initial buy was 30 for $3 million, so that is how he derived the $100,000 per unit cost. That is the original up-front cost, but if you are going to purchase 1,400, obviously, the unit costs are going to come way down. But again---- Ms. Jackson Lee [continuing]. Not asking for that right now. Mr. Lord. Yes. Ms. Jackson Lee. Go ahead. Mr. Lord. Again, but the major lesson learned here is slow to train down if you have to. There is an old saying in procurement circles, ``If you want it bad, you get it bad.'' So that just underscores---- Ms. Jackson Lee. So, from your perspective, when you are dealing with these agencies--and you have just given us a review--do you see the validity in this technology, but what you are bringing to us as a committee, in terms of our oversight, is to slow this process down; be deliberative; ensure that the technology will do what it is supposed to do? Mr. Lord. Before going with your plan, you know, the full buy, yes. Ms. Jackson Lee. Full steam ahead. Mr. Lord. Yes. Ms. Jackson Lee. This is my last--do you have any concern that these machines, this technology cannot stand by a checkpoint and operate themselves; it requires a TSO personnel? Mr. Lord. Yes, it definitely requires--in fact, if you looked at the total life-cycle costs of the program, by and large, the biggest component is cost of the TSOs to operate the machines. Ms. Jackson Lee. But if the TSOs are already there, so the cost is just the TSOs there now working the equipment. Is that correct? Mr. Lord. Well, it is going to require some training. That is another concern I have. TSA indicated earlier they are planning to roll this out in December, but you not only have to complete the operational tests and evaluation; you have to train new staff. So I am encouraged to here today they are thinking of moving that date to the right. Ms. Jackson Lee. So you would be comfortable if, No. 1, we had a more deliberative--when I say we, the oversight of TSA, had a more deliberative approach--and I am glad for your report, to be very honest with you--and that you would certainly want TSOs to be trained? Mr. Lord. Properly trained. Ms. Jackson Lee. But in your looking at the technology, since you have that expertise, do you see it as having some ultimate value if done right? Mr. Lord. Well, it is--the technology is designed to address a real vulnerability, and that is the use of fraudulent IDs and boarding passes. So assuming you can get the technology to work properly and it meets requirements, there obviously would be some value in addressing that vulnerability. Ms. Jackson Lee. Mr. Chairman, I thank you. Mr. Lord, thank you for affirming the value of saving lives through adequate and efficient technology, and how we can work through this is, I think, an important point going forward. Mr. Chairman, thank you. I yield back. Mr. Rogers. I thank the gentlelady. The Chairman now recognizes the gentleman from Minnesota, Mr. Cravaack, for 5 minutes. Mr. Cravaack. Thank you, Mr. Chairman. Mr. Hoggan, you having fun so far? Mr. Hoggan. Yes, sir, I am. Mr. Cravaack. Good to hear. Good to hear. Well, anyway, thank you for being here today. Just some quick questions. In studying for today's committee hearing, I just had some questions in regards to the system itself. As I understand it, this system is not linked to any no-fly lists or any type of State or Federal database. Is that correct? Mr. Hoggan. That is correct. Right now, it is not linked. There is an interoperability requirement in the operation requirements document. I believe it is in Section 3.2, Mr. Rogers, as we provided. It says it allows the opportunity, going forward in time, to do that. It is not in our original requirements this time, but if we find, going forward, that we need to hook to either something internal or external, there is an opportunity to do that, depending on what it is as well as taking into concerns, privacy concerns---- Mr. Cravaack. Well, taking into account your answer, sir, my question would be, technically, if a person were able to, you know, fabricate a pretty good fake ID, you could have the same person at the same address flying on the same day, practically at the same time, without interoperability of the machines themselves. Would that be a correct statement? Mr. Hoggan. Not necessarily because, the--ID, we have confidence that the equipment could get it. The no-fly list, sir, may I remind you, is connected through the airlines reservation systems. So that check will be done behind the scenes before the boarding pass is actually generated. So that check should already have been done. Mr. Cravaack. Okay. But in regards to just the ID themselves, wherever there is an offensive measure, there is always a countermeasure that will happen later on. We have seen that through the years. As a military person, I understand that completely. But the bottom line is this system does not track travel patterns. It doesn't track who is flying on a certain day or anything of that nature; it just takes a look at the idea itself and goes from there. Is that correct? Mr. Hoggan. That is correct, sir. Mr. Cravaack. Okay. The other questions I have--how are identifications of an ID--become--there is a question about the ID itself. How is that situation then handled? Mr. Hoggan. If an ID has some type of warning or notice through the process, the TSO then takes a manual review of the ID, depending on what the different criteria was that caused the error. There is also opportunity in the SOP that a supervisory TSO actually does another review on top of that as well. Keep in mind we also still have a layered approach based on the behaviors and whether it is the TSO watching or behavior detection officers. But it is run through a next-level, second- tier, third-tier review. Mr. Cravaack. Well, my question is the technology could be such that there is such a high rate of passengers subject to additional screening because of the false alarm rate being set at a high level that people could be going through security and, really through no fault of their own, because they have a valid ID, could also be subject to more intense scrutiny. So I am a little concerned about that and what I have been reading so far on the technology. Mr. Hoggan. You are absolutely correct. Some of the preliminary information we are finding during the testing phase, and we want to go back and address those specific areas of concern and go back with the vendors as relates to the database as well as the algorithms and make those modifications and changes. It is currently performing very near the standard it is supposed to be at in some areas. In others, it is not, and we need to address that. So that is the intent of extending the test and evaluation. Mr. Cravaack. Has the TSA worked in conjunction with S&T Directorate or the DOD? Mr. Hoggan. Yes, sir. We work with S&T as it relates to our operational test and evaluation. We are a DHS-approved testing facility for this type of technology. Mr. Cravaack. Okay, that is good to hear. Mr. Lord, can you tell me that TSA--and, kind of, jumping on what Ms. Jackson was saying, the TSA has said in the past, at least in my readings, that this technology, the purchase of this technology, would help reduce workforce needs? Is that a true or incorrect statement? Mr. Lord. I am not sure at this point, sir. I would have to go back and look at the workforce projections. But, again, this is not a piece of technology that works--I mean, it works in conjunction with the transportation screen officer. He is still standing at the platform and he is on--the technology gives you read, essentially red light/green light, and he is the one that has to interpret that and then make the judgment, in some cases referred a person to secondary screening or another person for review. So it does not eliminate the need for a TSO, just to be clear. Mr. Cravaack. So it would not necessarily reduce workforce. I have just been handed a note from our staff that S&T is saying that they didn't play any role in your study, sir. So seeing that time is over, will there be a second round, sir? Okay. With that, sir, I will yield back. Mr. Rogers. Thank you. The Chairman now recognizes Mr. Walberg for any questions he may have. Mr. Walberg. Thank you, Mr. Chairman. Mr. Hoggan, currently this technology doesn't connect to any other State or Federal database, as I understand. Mr. Hoggan. That is correct, sir. Mr. Walberg. To me, that seems like an obvious vulnerability for coordination that generally you think would be important. What plans does TSA have to link this technology to other databases in the future? Mr. Hoggan. It is something that we need to review once we get the original requirements moving forward. That is in the second phase, to make that determination. Originally, this program was set to do ID authentication and then boarding pass matching with the names. As we go forward in time, that is definitely something we will review. Mr. Walberg. Speaking of review, could you describe the initial results from the operational testing and evaluation of the technology at Dulles, at George Bush International--or Intercontinental Airport, basically those airports, what were the results of the operational testing? Mr. Hoggan. Well, the operational testing just completed last week, so they are providing the reports to me now. But the anecdotal information I have been giving is that there are some issues as it relates to boarding pass authentication, whether it is encrypted with--you need to have 2D bar codes to have it encrypted; 1D doesn't necessarily do that. There are some issues when name matches, presentation of names--first, last and changes. There are also some issues as it relates to IDs. You know, some States, like I said, with the 50 States and the eight territories, there are 600 permeations. I have in my pocket right now a Virginia State ID that is well over 5 years old, but there are a lot of individuals who have different IDs. So you also have problems with wear on the IDs, and different security features on there that are causing problems, as well. So these are the little things we are looking at. There is a slight problem with one of the vendors as it relates to reading mobile boarding passes. There are some changes that have to be done on that. But the exact specifics, I don't have a full document. This is just anecdotal information I have from talking with individuals. Like I said, we just completed that. We are still in the process. We haven't finished it. So if you would like, as soon as I have that preliminary report I would be more than happy to share it to the committee. Mr. Walberg. I think we would appreciate that. Mr. Hoggan. Okay, sir. Mr. Walberg. In your view, how does the technology propel TSA forward in a more economical threat-based--as a more economical threat-based agency? Mr. Hoggan. Economical in meaning the saving--the TSOs in the process? Mr. Walberg. Savings across the board. Mr. Hoggan. Well, as Mr. Lord had said, the original requirements document showed a processing rate of 240 passengers an hour, which is comparable to the planning, staffing levels that we have today. So I will have to research and find the documentation that, Chairman Rogers, you had referred to, as well as you, sir, that it would be a savings. Right now I don't project it to be a savings of staff. I project it to be an increased opportunity to cover a vulnerability that we have and have a better detection capability as it relates to fraudulent IDs as well as ensuring that the passenger is the one that has gone through the Secure Flight engine. But as it relates to the economics of saving FTE or TSOs, I don't see that being the case right now. So I will have to research the documents that you refer to. Mr. Walberg. Thank you. Mr. Lord, given TSA's track record of having a continuously expanding workforce, do you think that this technology realistically could lead to a reduction in the TSA workforce needs? Mr. Lord. I am not sure at this point. We will have to wait and see how the tests and evaluation phase goes. Again, that is still being tested. So they anticipated some reductions initially. But I always like to see how the testing goes before finalizing my judgment. The good news is they are conducting a separate operational test and evaluation phase for the technology. As Mr. Hoggan indicated, they are already identifying some issues with throughput and character recognition, et cetera. So that is--I mean, that is good. They are trying to fix the bugs, so to speak. Mr. Walberg. In your experience, Mr. Lord, when a Government agency is planning procurement, do they generally have a sense of what the cost will be? Mr. Lord. Oh, yes. The DHS acquisition guidance requires before you start purchasing, before--it is called--at the end of the so-called analyze phase you are supposed to have a validated life-cycle cost estimate. So you are supposed to have a pretty good idea what your costs are going to be. It is not sufficient to just generate a life-cycle cost estimate. You have to have a review by an outside party to help ensure there is no bias in their projections. We note, at least with this program, as part of this passenger screening program, the life-cycle costs for the larger program is yet to be validated by an outside entity, so that is something I raise in my statement today, a concern. So, you know, we are not sure what the costs are gonna be at this point. Mr. Walberg. Thank you. I yield back. Mr. Rogers. I thank the gentleman. I want to pick back up where my questioning left off when I had asked Mr. Hoggan the purpose of the CAT/BPSS. I would ask Mr. Lord, do you believe the CAT/BPSS would identify terrorist threat? Mr. Lord. Well, that is a really important question. It is oriented to detect the use of fraudulent IDs. There have been some instances where--in the past where terrorists have been exposed and--have used fraudulent IDs. But, again, you have to make the overall judgment. The system is gonna cost over $100 million. Is it--it is gonna provide some incremental benefit. Is it justifiable? I have not seen the cost-benefit analysis that clearly lays that out. But there have been instances in the past--terrorists have used fraudulent documents. So it potentially could help address that vulnerability. But---- Mr. Rogers. I would ask either one of you if you are aware if TSA's done a cost-benefit analysis of the potential costs against the benefit that we would incur. Mr. Hoggan or Mr. Lord, either one. Mr. Lord. I haven't seen one. Mr. Hoggan could correct me if needed. But part of the problem is that a key component of that is the life-cycle cost assessment, and that is not completed yet because it hasn't been fully validated. So I am not sure how they could do one because that is a big piece of it, having a validated cost---- Mr. Rogers. Do you know, Mr. Hoggan? Mr. Hoggan. Mr. Lord is correct, we actually submitted our life-cycle cost estimate to DHS in November 2011. It came back in the spring of 2012 for review and adjustment, as well as an introduction of the risk analysis that is in review. We expect to have it back to DHS inside of 30 days, sir. Mr. Rogers. Do you know, Mr. Hoggan if the CAT/BPSS is in any way based upon or pulling from intelligence about a known terrorist threat? You know, one of my concerns when we were out there was the no-fly list was not pegged against what it was scanning for. Mr. Hoggan. The no-fly list right now as I was talking to the gentleman comes through the air carriers as it relates to the issuance of the boarding passes. So that is how it is tied into the system. Now, if you are asking whether the system---- Mr. Rogers. So you are saying the boarding pass---- Mr. Rogers [continuing]. Pinged off the no-fly list? Mr. Hoggan. Yes, sir, to be able to get the boarding pass generated by the air carrier it must go through the Secure Flight process. Mr. Rogers. You know, the biggest threat that we are facing right now when it comes to air security is the non-metallic explosive device. Do you know if there is anything about this other than detecting somebody is not who they pretend to be that would detect an explosive device on the person? Mr. Hoggan. No, sir. This is a credential authentication and boarding pass authentication. It has got nothing to do with screening of the passengers. Mr. Rogers. Okay. I want to go back to Mr. Walberg's questions. One of the things I was wondering when they were demonstrating the devices to our group was why would we still need TSOs--if they can develop this technology so it has a higher degree of proficiency and we feel comfortable that it will add benefit, why would we need a TSO to put the driver's license or the boarding pass in the machine? Why couldn't we let the passenger do that and then if the green light goes off a little gate open and they can walk on through? All you need is one TSO to watch each of the gates to make sure people only going through on a green light, or if somebody got a red light then go over and interdict. You know, why do we have to have just as many people--you know, you go to McDonald's now and you pour your own Coca-Cola, you know. Why can't we just take some of that approach? Mr. Hoggan. Because we are--the technology is not there, yet, sir, to be honest with you. As I said, this is the fourth time we have gone through. The first time we put an RFP out we had zero vendors that actually met our requirements. The second time we had one, and we couldn't have a procurement with just one vendor. This was in March, if I am not mistaken. I have it written down, if--I can tell you the exact months if you want-- but it would have been in March 2009. Then again it would have been--I am sorry--July 2009. Then a third time there were no vendors that met the requirements, the minimum requirements--in October 2010. This is the fourth time they came through, which is April 2011. In a perfect world, going forward in time, is that technology matures, and part of our spiral development and getting technology that meets our baselines, I could foresee that happening. But as it exists today with the technology you still have to have the TSO there to do a couple things. The first thing that is most important is a visual check to make sure that the picture on the ID matches the person---- Mr. Rogers. Right, right. Mr. Hoggan [continuing]. That presents themselves, as well as ensuring that the compliance of the boarding passes are actually compliant in ensuring all the information is in there as it relates to---- Mr. Rogers. See, the machine ought to do that, though. Before you ever purchase that machine, the second---- I agree first item is a point that is valid. The second item, that machine ought to tag that base. Mr. Hoggan. You are absolutely correct. The machine does that. But if the information is not provided accurately from the carriers as they present the information on the boarding pass, the machine can't read what is not there. So that is why we continue to have outreach with the carriers to ensure that we have the encryption and we have the information in the specific fields in the boarding pass that we want in the bar code---- Mr. Rogers. Right. Mr. Hoggan. Provided we have that and we have a good representation and a consistent representation of that information of the passenger, I could accept your comment. But right now it is not there. Mr. Rogers. Well, you know, as I told you yesterday, one of the things I would invite you all to do--and I have done this with department heads across the entire Department--is to have more of an open dialogue with the private sector about what you are trying to do. I think you may find these goals are achievable, including the self-service approach, if we think about it and we talk about the subject matter with the private sector before we do the RFP. But thank you very much. We will now go to Mr. Cravaack for a second round of questions. Mr. Cravaack. Thank you, Mr. Chairman. Thank you, again. I wanted to just say thank you for the prescreening for our troops. Appreciate that. I mean, we are going to the risk-based analysis, so thank you. It gives me a nice smile when I see a trooper that is coming back from Afghanistan able to not be strip-searched and able to get through. So thank you very much. With that said, in regard to the risk-based analysis, the deployment of the machines themselves, I have read, is going to be evenly distributed throughout the system. Would that be a correct statement? Mr. Hoggan. The original deployment plan as listed in the operations requirement document would be the purchase of 1,400 units, which simple math says if we have 2,800 lanes it is one for every two, and that was what was in there. As it relates to which ones go where and which sequence, if in fact that we did purchase all 1,400 based on the requirements, there would be threat-based and risk-based. Mr. Cravaack. Okay. Mr. Hoggan. It would be deployed at our higher-risk airports---- Mr. Cravaack. Good. Mr. Hoggan. I am sure JFK would get it before a much smaller airport that only handles 10 passengers a day, sir. Mr. Cravaack. Yes, as I understand it they were supposed to be all deployed at one time, so that is---- Mr. Hoggan. Yes, that couldn't happen. We would never deploy anything at one time. Mr. Cravaack. Yes, okay. Mr. Hoggan. It would be staggered based on risk, sir. Mr. Cravaack. Yes, I read that. Just to make sure that I understand what this system does, it is a stand-alone system, is that correct? It isn't---- Mr. Hoggan. That is correct, sir. Mr. Cravaack. No interoperability with any other Federal, State, or airline databases, is that correct? Mr. Hoggan. For the machine--correct. Mr. Cravaack. At the same time, does not alleviate any workforce demands upon the system, is that correct? Mr. Lord. That is correct. Mr. Cravaack. Okay. We really don't have any source of action regarding false alarm rates and, you know, how do we adjust for that and making sure that the system works correctly and what we do with false alarms and what kind of false alarm rate system we have, is that correct? Mr. Lord. Well, we are in a process of reviewing that with DOE T&E. We have standards that we have for the machines to choose it. But there will be a protocol in place to address anything that is a false alarm not unlike what we had the day with our other technology and checkpoints. Mr. Cravaack. Okay, then with all that said, and I commend your decision to not pursue rolling the system out until those questions are answered, I can't support this program whatsoever. Though like the Chairman says, the concept is great, but we have to--before we do something like we did with the puffer machines and spent a lot of the taxpayers' hard- earned money on systems that don't work, I highly recommend, sir, that you step back, reevaluate the situation and then make sure that we have the proper procedures and the proper equipment with the layered security that you were just--we all want and need to make sure our traveling public is safe. So with that, thank you very much sir, I appreciate all your information, Mr. Lord as well. I will yield back. Mr. Rogers. I thank the gentleman. The Chairman now recognizes Mr. Walberg for a second round of questions. Mr. Walberg. Thank you, Mr. Chairman. Going back to analysis, Mr. Hoggan, did TSA use independent cost validation? Mr. Hoggan. We did not, I don't believe we did, sir. Mr. Walberg. Okay, so no concern about looking, letting someone outside look in? Mr. Hoggan. It is my understanding that we performed with the DHS acquisitions directorate but I will double check that. I am not sure that that is in there. I will have to follow up, I apologize, I will have to get information back with you on that, sir. Mr. Walberg. Then let me ask you, has TSA developed procedures for the travel document checker if the technology we are discussing at the checkpoint experiences a system failure, would there be a TSO there trained in the lights and loupes method? Mr. Hoggan. Yes, absolutely sir, that would be a backup for the procedure that we have in place, not unlike what actually exists across the Nation. Mr. Walberg. Any other backup other than that in case the system goes down? Mr. Hoggan. No, you would refer back to the process that we have in place. Again, this is a huge vulnerability we hope to cover and move it--refer back to what we are doing today. Mr. Walberg. Thank you. Mr. Lord, you have got definitely a lot of experience in assessing weaknesses in TSA's past procurements. What concerns me and I think our committee is that it appears that the TSA is not applying lessons learned from its past missteps to this procurement. Can you discuss some of the problems that you identify with TSA's procurement process for this technology thus far? Mr. Lord. In general, the lessons learned have been a three-fold. First, it is important to test and evaluate any technology you are procuring. It is important to have clear requirements set up front so you can measure what are the-- requirements. It is also important to adhere to, you know, to document the major decisions. These are some of the lessons learned. We have found in the past and specific to this platform, one thing Mr. Hoggan noted as there could be some issues related to throughput, which is related to throughput, which is, you know, an important consideration to look at when you are evaluating the technology. So rather than change the requirements, we would like to know: Is TSA going to respond to that concern? Well they hopefully take a little longer and work with the vendor and ensure they get the throughput they are looking for rather than modify and of the, you know, the requirements. Mr. Walberg. Okay. Thank you. I yield back. Mr. Rogers. Just one point of clarification, Mr. Hoggan. In response to Mr. Walberg's question, you referred to this false identification problem as being a huge vulnerability. Could you expand on that? What did you mean by it? Mr. Hoggan. It is a vulnerability, I am sorry if I said huge. But there is a vulnerability that we need to ensure that the---- Mr. Rogers. Well I agree. When you said huge, it made me think that this was a much more prominent problem---- Mr. Hoggan. I am sorry, I meant a vulnerability---- Mr. Rogers. Right, right. Mr. Hoggan [continuing]. Not a huge vulnerability. Mr. Rogers. I knew that we had occasional false IDs, I didn't think it was happening that much except down on the border now, we have them all the time coming in our ports of entry down in El Paso and other places. So we might see this technology being used in some of those ports of entry, hopefully only at a much lower cost because these numbers are pretty staggering. But with that, I want to thank the witnesses for their time. I will remind you that the Members who could not be here because of conflicts may have questions and these Members as well as I may have some additional questions we will submit to you in writing. So for the next 10 days, this hearing will remain open for that purpose. If you do get those written questions, I would ask that you provide timely responses to those. Thank you again. This hearing is adjourned. [Whereupon, at 2:17 p.m., the subcommittee was adjourned.]