This is the accessible text file for GAO report number GAO-05-106 entitled 'Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program' which was released on December 10, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman and Ranking Minority Member, Committee on Commerce, Science, and Transportation, U.S. Senate: United States Government Accountability Office: GAO: December 2004: Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program: GAO-05-106: GAO Highlights: Highlights of GAO-05-106, a report to the Chairman and Ranking Minority Member, Committee on Commerce, Science, and Transportation, U.S. Senate: Why GAO Did This Study: As part of a multilayered effort to strengthen port security, the Maritime Transportation Security Act (MTSA) of 2002 calls for the Department of Homeland Security (DHS) to issue a worker identification card that uses biological metrics, such as fingerprints, to control access to secure areas of ports or ships. Charged with the responsibility for developing this card, the Transportation Security Administration (TSA), within DHS, initially planned to issue a Transportation Worker Identification Credential in August 2004 to about 6 million maritime workers. GAO assessed what factors limited TSA’s ability to meet its August 2004 target date for issuing cards and what challenges remain for TSA to implement the card. What GAO Found: Three main factors, all of which resulted in delays for testing a prototype of the maritime worker identification card system, caused the agency to miss its initial August 2004 target date for issuing the cards: (1) officials had difficulty obtaining timely approval to proceed with the prototype test from DHS, (2) extra time was required to identify data to be collected for a cost-benefit analysis, and (3) additional work to assess card technologies was required. DHS has not determined when it may begin issuing cards. In the future, TSA will face difficult challenges as it moves forward with developing and operating the card program, for example, developing regulations that identify eligibility requirements for the card. An additional challenge—and one that holds potential to adversely affect the entire program—is that TSA does not yet have a comprehensive plan in place for managing the project. Failure to develop such a plan places the card program at higher risk of cost overruns, missed deadlines, and underperformance. Following established, industry best practices for project planning and management could help TSA address these challenges. Best practices suggest managers develop a comprehensive project plan and other, detailed component plans. However, while TSA has initiated some project planning, the agency lacks an approved comprehensive project plan to govern the life of the project and has not yet developed other, detailed component plans for risk mitigation or the cost-benefit and alternatives analyses. How a Biometric Card Could Help Control Access: [See PDF for image] [A] Cards that are no longer valid due to new threat information or because they are lost, stolen, or damaged. [End of figure] What GAO Recommends: To help ensure that TSA meets the challenges it is facing in developing and operating its maritime worker identification card program, we are recommending that the Secretary of Homeland Security direct the TSA Administrator to employ industry best practices for project planning and management, by developing a comprehensive project plan for managing the remaining life of the project and other specific, detailed plans for risk mitigation and cost-benefit and alternatives analyses. DHS and TSA generally concurred with GAO’s recommendations. www.gao.gov/cgi-bin/getrpt?GAO-05-106. To view the full product, including the scope and methodology, click on the link above. For more information, contact Margaret Wrightson at (415) 904-2000 or wrightsonm@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Three Main Factors Caused TSA to Miss Its Initial Target Date for Issuing Worker Identification Cards: Using Established Planning and Management Practices Could Help TSA Address Challenges and Better Manage Risk: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Comments from the Department of Homeland Security: Table: Table 1: Policy Issues to Be Completed and Regulatory Processes to Be Finalized: Figure: Figure 1: How a Biometric Card Could Be Used to Control Access: Abbreviations: DHS: Department of Homeland Security: DOT: Department of Transportation: IRB: Investment Review Board: MTSA: Maritime Transportation Security Act: OMB: Office of Management and Budget: TSA: Transportation Security Administration: TWIC: Transportation Worker Identification Credential: USCG: United States Coast Guard: United States Government Accountability Office: Washington, DC 20548: December 10, 2004: The Honorable John McCain: Chairman: The Honorable Ernest F. Hollings, Jr.: Ranking Minority Member: Committee on Commerce, Science, and Transportation: United States Senate: Protecting waterfronts and ports from terrorist threats has taken on special urgency in the post-September 11, 2001, world. Hubs of economic activity involving millions of workers and often tied to the nation's land transportation network, U.S. seaports are particularly vulnerable to terrorism and particularly challenging to protect. To strengthen port security, Congress enacted the Maritime Transportation Security Act (MTSA) of 2002,[Footnote 1] which establishes a multilayered defense strategy to strengthen port security. As part of this effort, MTSA calls for the Secretary of the Department of Homeland Security (DHS) to issue a maritime worker identification card that uses biometrics, such as fingerprints, to control access to secure areas of ports or ships. The Transportation Security Administration (TSA) within DHS, which was charged with developing this identification card, initially planned to issue the cards in August 2004 to about 6 million maritime workers; however, TSA missed that target date. After we testified in September of 2003 on the challenges DHS faces in implementing MTSA,[Footnote 2] you asked us to follow up on certain issues. This report addresses (1) what factors caused TSA to miss its August 2004 target date for issuing the identification cards and (2) what challenges remain as TSA attempts to issue the identification cards. To respond to your concerns, we interviewed DHS and TSA officials and collected and analyzed documents and other information from them. We also interviewed port and port facility managers and labor union officials. We visited ports and facilities involved in testing TSA's prototype identification card system and representing different types of facilities on both east and west coasts.[Footnote 3] Since the maritime worker identification card is a major information technology system, we also reviewed Office of Management and Budget (OMB) regulations, GAO and DHS guidance for documenting and reviewing information technology investments, and established industry best practices for information technology project management and planning. We asked TSA officials what steps they took to ensure the reliability of the data on which they based their life cycle cost estimates. TSA officials said they used a range of documents and sources to ensure data reliability, including information and lessons learned from other federal credentialing programs.[Footnote 4] Officials also used estimates from government and industry sources, published component cost quotes, and costs extrapolated from current government programs. We conducted our work from October 2003 through October 2004 in accordance with generally accepted government auditing standards. Results in Brief: Three main factors, all of which resulted in delays for testing the prototype card system, caused the agency to miss its initial August 2004 target date for issuing maritime worker identification cards.[Footnote 5] First, TSA officials said that although the agency received permission from TSA and DHS information technology officials to test a card system prototype, it was difficult to obtain a response from DHS policy officials, which contributed to delays. Senior DHS policy officials said that, while they were consistently briefed throughout the development of the worker identification card, they did not provide a formal response regarding the prototype test to program officials because other important security and statutory requirements, including the creation and consolidation of DHS and the planning and execution of measures to close security gaps in the international aviation arena, created competition for executive level attention and agency resources. Second, DHS officials also directed TSA, as part of the prototype test, to conduct a cost-benefit analysis and evaluate the feasibility of various program alternatives for issuing a card. Working with DHS and OMB officials to identify additional information needed for the cost-benefit and alternative analyses required time, further delaying the prototype test. TSA officials said that because of the urgency to establish an identification card program after the terrorist attacks of September 11, 2001, these analyses were not completely documented as required by OMB regulations and DHS guidance. Third, TSA officials said that in response to direction from congressional oversight committees, they conducted additional tests of various card technologies, comparing their performance at different seaports. This technical assessment required more time to complete than anticipated, delaying the prototype test. This type of assessment is typical of good program management and planning and, while it may have delayed the original schedule, the purpose of such assessments is to prevent delays in the future. Because of the delays in the program,some port facilities have made temporary security improvements, while others, recognizing an immediate need to enhance access control systems, are proceeding with plans for local or regional identification cards. TSA officials indicated that in the near future, as they move forward with developing and operating a maritime worker identification card program, they face a number of challenges, including resolving issues with external stakeholders and completing regulations. An additional challenge that officials did not specifically identify--but one that holds potential to adversely affect the entire program--is that TSA is attempting to develop this program without following industry- established best practices for project planning and management. Such practices call for a comprehensive plan that identifies work to be completed, milestones for completing this work, and project budgets for the remaining life of the project. TSA, however, does not yet have an approved, comprehensive plan in place for the next phases of the project--testing the prototype card system and issuing cards. TSA officials said that in the near term they intend to complete a plan to guide the test of the prototype card system, but that until policy decisions are made, for example, selecting the most feasible program for issuing the card, they cannot create a plan for the remaining life of the project. Moving ahead without such a plan holds significant potential to adversely affect the card program, putting it at higher risk of cost overruns, missed deadlines, and underperformance. Best practices for such projects also suggest that project managers prepare other more detailed plans--such as plans for mitigating risks--to support the comprehensive plan. However, TSA has not yet prepared some of these more specific detailed component plans. For instance, TSA lacks a risk mitigation plan to help manage known risks, such as a potential decline in external stakeholders' support of the program, which may complicate TSA's ability to issue the card. Further, TSA officials said they do not have a plan in place to guide the required cost-benefit and alternatives analyses, which are to determine the feasibility of various approaches to issue the cards. To help ensure that TSA meets the challenges it is facing in developing and operating its maritime worker identification card program, we are recommending that the Secretary of Homeland Security direct the TSA Administrator to employ industry best practices for project planning and management, including developing a comprehensive project plan for managing the remaining life of the project and completing specific, detailed plans that support the comprehensive project plan, including plans for risk mitigation and cost-benefit and alternatives analyses. DHS and TSA reviewed our report and generally concurred with our recommendations. Background: As part of a multilayered defense strategy, MTSA required vessels and port facilities to have security plans in place by July 1, 2004, including provisions establishing and controlling access to secure areas of vessels and ports. Given that ports are not only centers for passenger traffic and import and export of cargo, but also sites for oil refineries, power plants, factories, and other facilities important to the nation's economy, securing sensitive sites of ports and vessels against access from unauthorized persons is critical. But because ports are often large and diverse places, controlling access can be difficult. To facilitate access control, MTSA required the DHS Secretary to issue a biometric identification card to individuals who required unescorted access to secure areas of port facilities or to vessels. These secure areas are to be defined by port facilities and vessels in designated security plans they were to submit to the United States Coast Guard (USCG) in July 2004. About 1 year before the passage of MTSA in 2002, work on a biometric identification card began at the Department of Transportation (DOT), partly in response to provisions in the Aviation and Transportation Security Act[Footnote 6] and the USA PATRIOT Act[Footnote 7] that relate to access control in transportation sectors. TSA--then a part of DOT--began to develop a transportation worker identification credential (TWIC)[Footnote 8] as an identity authentication tool that would ensure individuals with such an identification card had undergone an assessment verifying that they do not pose a terrorism security risk. The credential was designed by TSA to be a universally recognized identification card accepted across all modes of the national transportation system, including airports, seaports, and railroad terminals, for transportation workers requiring unescorted physical access to secure areas in this system. The credential is also to be used to help secure access to computers, networks, and applications. As shown in figure 1, ports or facilities could use an identification credential that stored a biometric, such as a fingerprint, to verify a worker's identity and, through a comparison with data in a local facility database, determine the worker's authority to enter a secure area. Figure 1: How a Biometric Card Could Be Used to Control Access: [See PDF for image] [A] Cards that are no longer valid due to new threat information or because they are lost, stolen, or damaged. [End of figure] During early planning stages in 2003 and while still a part of DOT, TSA decided that the most feasible approach to issue a worker identification card would be a cost-sharing partnership between the federal government and local entities, with the federal government providing the biometric card and a database to confirm a worker's identity and local entities providing the equipment to read the identity credential and to control access to a port's secure areas. In 2003, TSA projected that it would test a prototype of such a card system within the year and issue the first of the cards in August 2004. In March 2003, as part of a governmentwide reorganization, TSA became a part of DHS and was charged with implementing MTSA's requirement for a maritime worker identification card. TSA decided to use the prototype card system to issue the maritime identification card required under MTSA. At that time, TSA was preparing to test a prototype card system; later, DHS policy officials directed the agency to explore additional options for issuing the identification card required by MTSA. As a result, in addition to testing its prototype card system, TSA is exploring the cost-effectiveness of two other program alternatives: (1) a federal approach: a program wholly designed, financed, and managed by the federal government and (2) a decentralized approach: a program requiring ports and port facilities to design, finance, and manage programs to issue identification cards.[Footnote 9] According to TSA documents, each approach is to meet federally established standards for technical performance and interoperability[Footnote 10] across different transportation modes (such as air, surface, or rail). Appropriations committee conference reports, for fiscal years 2003 and 2004, directed up to $85 million[Footnote 11] of appropriated funds for the development and testing of a maritime worker identification card system prototype. With respect to fiscal year 2005 appropriations, $15 million was directed for the card program.[Footnote 12] The fiscal year 2005 funding was decreased from the $65 million as proposed by the House and the $53 million as proposed by the Senate because of delays in prototyping and evaluating the card system, according to the conference committee report.[Footnote 13] Several forms of guidance and established best practices apply to the acquisition and management of a major information technology system such as the maritime worker identification card program.[Footnote 14] For major information technology investments, DHS provided capital planning and investment control guidance as early as May 2003 that established four levels of investments, the top three of which are subject to review by department-level boards, including the Investment Review Board (IRB) and the Enterprise Architecture Board. The guidance also laid out a process for selecting, controlling, and managing investments. For example, DHS guidance suggests that as part of the control process, the agency should consider alternative means of achieving program objectives, such as different methods of providing services and different degrees of federal involvement. The guidance recommends that an alternatives analysis--a comparison of various approaches that demonstrates one approach is more cost-effective than others--should be conducted and a preferred alternative selected on the basis of that analysis. For projects like the maritime worker identification card program, whose costs and benefits extend 3 or more years, OMB also instructs federal agencies, including TSA, to complete an alternative analysis as well as a cost-benefit analysis.[Footnote 15] This analysis is to include intangible and tangible benefits and costs and willingness to pay for those benefits. In addition to DHS and OMB guidance, established industry best practices identify project management and planning best practices for major information technology system acquisition, including the development of a comprehensive plan to guide the project as detailed later in this report.[Footnote 16] Three Main Factors Caused TSA to Miss Its Initial Target Date for Issuing Worker Identification Cards: Three main factors, all of which resulted in delays for testing the prototype card system, caused the agency to miss its initial August 2004 target date for issuing maritime worker identification cards. First, program officials said that although they received permission from TSA and DHS information technology officials to test a card system prototype, TSA officials had difficulty obtaining a response from DHS policy officials, contributing to the schedule slippage. Program officials said that although DHS officials reviewed the proposed card system during late 2003, senior officials provided no formal direction to program staff. Senior DHS officials said that while they were consistently briefed throughout the development of the worker identification card system, they did not provide formal direction regarding the prototype test because other important statutory and security requirements required their attention. For example, the creation and consolidation of DHS and the planning and execution of measures to close security gaps in the international aviation arena led to competition for executive-level attention and agency resources. DHS policy officials subsequently approved the test of a card system prototype. Second, while providing this approval, DHS officials also directed TSA, as part of the prototype test, to conduct a cost-benefit analysis and to evaluate the feasibility of other program alternatives for providing a card. TSA had completed these analyses earlier in the project, but DHS officials said they did not provide sufficiently detailed information on the costs and benefits of the various program alternatives. TSA officials said that because of the urgency to establish an identification card program after the terrorist attacks of September 11, 2001, the earlier cost-benefit and alternatives analyses were not completely documented as typically required by OMB regulations and DHS guidance. Working with DHS and OMB officials to identify additional information needed for a cost-benefit analysis and alternatives analysis required additional time, further delaying the prototype test. Third, TSA officials said that before testing the card system prototype, in response to direction from congressional committees, TSA conducted additional tests of various card technologies. Officials assessed the capabilities of various card technologies, such as their reliability, to determine which technology was most appropriate for controlling access in seaports. This technology assessment required 7 months to complete, more time than anticipated, delaying the prototype test. This analysis is typical of good program management and planning and, while it may have delayed the original schedule, the purpose of such assessments is to prevent delays in the future. DHS has not determined when it may begin issuing cards under any of the three proposed program alternatives--the federal, decentralized, or TWIC programs. Because of the delays in the program,some port facilities have made temporary security improvements while waiting for TSA's maritime worker identification card system. Others, recognizing an immediate need to enhance access control systems, are proceeding with plans for local or regional identification cards that may require additional investment in order to make them compatible with TSA's system. For example, the state of Georgia is implementing a state-based maritime worker identification card, and ports along the eastern seaboard are pursuing plans for a regional identification card. Using Established Planning and Management Practices Could Help TSA Address Challenges and Better Manage Risk: TSA officials indicated that in the near future, as they move forward with developing and operating a maritime worker identification card program, they face a number of challenges, including resolving issues with stakeholders, such as how to share costs of the program, determining the fee for the maritime worker identification card, obtaining funding for the next phase of the program. Further, in the coming months, regardless of which approach the DHS chooses--the federal, decentralized, or TWIC approach--TSA will also face challenges completing key program policies, regulatory processes, and other work as indicated in table 1. Table 1: Policy Issues to Be Completed and Regulatory Processes to Be Finalized: Work to be accomplished: Eligibility requirements; Explanation: A basic program requirement has not been determined. While MTSA contains some general provisions relating to eligibility, DHS has not established which felony convictions should disqualify maritime workers as posing a terrorism risk. DHS has said it will likely base the maritime worker eligibility requirements on those used to screen hazardous material truck drivers but has not determined whether all workers will be required to meet the same requirements for a credential; Estimated schedule: Unknown. Work to be accomplished: Policies for adjudicating card applications and appeal and waiver requests from workers denied a card; Explanation: Program policies, procedures, and processes for adjudicating card applications and appeal and waiver requests have not been developed. While MTSA contains general provisions relating to adjudicating applications, neither TSA nor DHS has established an appeal and waiver process for workers denied a card; Estimated schedule: Unknown. Work to be accomplished: Card issuance; Explanation: Whether TSA will field a credential through a TWIC program or establish a decentralized program requiring other entities to issue the card has not been decided; Estimated schedule: During or at conclusion of prototype. Work to be accomplished: Cost sharing; Explanation: The extent to which the federal government or local public and private stakeholders will bear costs for a maritime worker identification card program has not been decided; Estimated schedule: During or at conclusion of prototype. Work to be accomplished: Scope of card; Explanation: TSA officials have not decided whether the biometric identification card will be implemented intermodally, that is, in transportation sectors other than seaports, and what issues related to intermodal implementation would affect implementation in seaports; Estimated schedule: Unknown. Work to be accomplished: Regulatory processes; Explanation: Several regulations, including a final rule implementing the MTSA card requirement and a regulatory impact assessment, are yet to be completed. Estimated best-case scenario for time needed to a final rule is 9 to 12 months, according to TSA officials. Time needed to complete other regulatory processes is unknown; Estimated schedule: Unknown. Source: GAO analysis of TSA documents. [End of table] While TSA officials acknowledged the importance of completing key program policies, for example, establishing the eligibility requirements a worker must meet before receiving a card and processes for adjudicating appeals and requests for waivers from workers denied a card, officials also said that this work had not yet been completed.[Footnote 17] A senior TSA official and DHS officials said they plan to base these policies and regulations for the maritime worker identification card on those TSA is currently completing for the hazardous materials endorsement for commercial truck drivers.[Footnote 18] According to a senior TSA official who was in charge of the card program, TSA placed a higher priority on completing regulations for the hazardous materials endorsement than completing those for the maritime worker identification card. TSA has other work to complete in addition to these policies and regulations. TSA officials said OMB recently directed them and DHS officials to develop the TWIC program card in a way that allows its processes and procedures to also be used for other DHS credentialing programs. To develop such a system, DHS expects TSA to standardize, to some degree, eligibility requirements for the maritime worker identification card with those for surface and aviation workers, a task that will be challenging, according to officials.[Footnote 19] In the near future, TSA will need to produce other work, for instance, it has initiated but not yet finalized cost estimates for the card program[Footnote 20] and a cost-benefit analysis, which is a necessary part of a regulatory impact analysis required by OMB regulations. Our analysis, however, indicates that TSA faces another significant challenge besides the ones it has identified. This challenge is that TSA is attempting to proceed with the program without following certain industry-established best practices for project planning and management. Two key components of these practices are missing. The first is a comprehensive plan that identifies work to be completed, milestones for completing this work, and project budgets for the project's remaining life. The second is detailed plans for specific and important components of the project--particularly mitigating risks and assessing alternative approaches--that would support the overall project plan. Failure to develop these plans holds significant potential to adversely affect the card program, putting it at higher risk of cost overruns, missed deadlines, and underperformance. Best Practices for Planning and Key Management Practices Are Important for Information Technology Programs: Over the years, we have analyzed information technology systems across a broad range of federal programs and agencies, and these analyses have repeatedly shown that without adequate planning, the risks increase for cost overruns, schedule slippages, and systems that are not effective or usable.[Footnote 21] According to industry best practices for managing information technology projects like the maritime worker identification card, program managers should develop a comprehensive project plan that governs and defines all aspects of the project, tying them together in a logical manner.[Footnote 22] A documented comprehensive project plan is necessary to achieve the mutual understanding, commitment, and performance of individuals, groups, and organizations that must execute or support the plans. A comprehensive project plan identifies work to be completed, milestones for completing this work, and project budgets as well as identifying other specific, detailed plans that are to be completed to support the comprehensive project plan. The comprehensive plan, in turn, needs to be supplemented by specific, detailed plans that support the plan where necessary. Such plans might be needed to address such matters as the program's budget and schedule, data to be analyzed, risk management and mitigation, staffing. For example, a risk mitigation plan would be important in situations where potential problems exist. One purpose of risk management is to identify potential problems before they occur; a risk mitigation plan specifies risk mitigation strategies and when they should be invoked to mitigate adverse outcomes. Effective risk management includes early and aggressive identification of risks because it is typically easier, less costly, and less disruptive to make changes and correct work efforts during the earlier phases of the project. In addition, plans for activities such as cost-benefit and alternatives analyses should be developed to help facilitate data collection and analysis. These types of plans typically describe, among other things, the data to be collected, the source of these data, and how the data will be analyzed. Such plans are important to guide needed data analysis as well as prevent unnecessary data collection, which can be costly. For this program, both risk mitigation and data analysis are key, because the program runs significant risks with regard to ensuring cooperation of stakeholders, and because TSA still faces considerable analytical work in deciding which approach to adopt. Lack of a Comprehensive Project Plan Could Limit TSA's Ability to Complete Future Work: According to TSA officials, the agency lacks an approved, comprehensive project plan to guide the remaining phases of the project, which include the testing of a maritime worker identification card system prototype and issuance of the cards. While it has initiated some project planning, according to officials, the agency has not completed a comprehensive project plan, which is to identify work to be completed, milestones for completing this work, and project budgets as well as identifying other specific, detailed plans that are to be completed. Officials said that with contractor support they intended to develop a plan to manage the prototype test. However, officials did not intend to develop a plan for the remainder of the project until key policy decisions had been made, such as what type of card program will be selected to issue the cards.[Footnote 23] Once key policies are determined, TSA may move forward with a comprehensive plan. As a consequence of not having such a plan in place, officials have not documented work to be completed, milestones for completing it, or accountability for ensuring that the work is done. Without a comprehensive project plan and agreement to follow the plan from the appropriate DHS and TSA officials, TSA program staff may have difficulty managing future work, putting the program at higher risk of additional delays and cost overruns. Officials did not provide a timeframe for completing such a project plan. Lack of Specific Plan for Mitigating Risks Could Affect TSA's Ability to Partner with Stakeholders: According to TSA planning documents and discussions with officials, TSA lacks a risk management plan that specifies strategies for mitigating known risks which could limit TSA's ability to manage these risks. For instance, TSA documents identified failure to sustain the support of external stakeholders, such as labor unions for port workers, as a program risk and indicated a mitigation strategy was needed to address this risk. But, TSA has not developed such a strategy to address this specific risk. TSA documents also indicated that involving stakeholders in decision making could help mitigate program risks associated with defining the eligibility requirements for the card. However, TSA has not planned for stakeholder involvement in decision-making. Several stakeholders at ports and port facilities told us that while TSA solicited their input on some issues, TSA did not respond to their input or involve them in making decisions regarding eligibility requirements for the card.[Footnote 24] In particular, some stakeholders said they had not been included in discussions about which felony convictions should disqualify a worker from receiving a card, even though they had expected and requested that DHS and TSA involve them in these decisions. One port security director said TSA promised the port a "large role" in determining the eligibility requirements which has not materialized, and others said that in the absence of TSA defining the eligibility requirements for the card, they recently drafted and sent proposed eligibility requirements to TSA. TSA officials said they have an extensive outreach program to inform external stakeholders about the program, for instance, by frequently attending industry conferences and maritime association meetings. Obtaining stakeholder involvement is important because achieving program goals hinges on the federal government's ability to form effective partnerships among many public and private stakeholders. If such partnerships are not in place--and equally important, if they do not work effectively--TSA may not be able to test and deliver a program that performs as expected. For example, TSA currently relies on facilities and workers to voluntarily participate in tests of the prototype card system. Without this and other support provided by stakeholders, the prototype card system could not be tested as planned. Planning for stakeholder involvement is also important because in the future other groups or organizations, for instance, other federal agencies or states, may be charged with developing biometric identification card programs and emerge as important external stakeholders for the maritime worker identification card program.[Footnote 25] Lack of Specific Plans for Cost-Benefit and Alternatives Analyses Could Create Further Delays: According to best practices, in order to ensure that the appropriate data are collected to support analyses on which program decisions are made, managers should develop a plan that describes data to be collected, the source of these data, and how the data will be analyzed. During the test of the prototype card system, officials said they are to collect data on the feasibility of the federal and decentralized approaches in order to conduct an alternatives analysis--a comparison of the three possible approaches that demonstrates one approach is more cost-effective than the others. TSA officials acknowledge they have not yet completed a plan; however, they said they intend to do so with contractor support. On the basis of interviews with a number of officials and review of documents, we determined TSA has not identified who would be responsible for collecting the data; the sources for the data, and how it will be analyzed. These details are needed to ensure production of a good result. Completing the cost-benefit and alternatives analyses is important because not only do OMB regulations and DHS guidance instruct agencies to complete them, but DHS officials said the alternatives analysis would guide their decision regarding which approach is the most cost-effective way to provide the card. Without a plan to guide this activity, TSA may not perform the necessary analysis to inform sound decision making, possibly causing further delays. Conclusions: With the passage of MTSA, Congress established a framework for homeland security that relies on a multilayered defense strategy to enhance port security. Improving access control by providing ports a maritime worker identification card is an important part of this strategy. Each delay in TSA's program to develop the card postpones enhancements to port security and complicates port stakeholders' efforts to make wise investment decisions regarding security infrastructure. Despite delays and the difficulties of a major governmentwide reorganization, DHS and TSA have made some progress in developing a maritime worker identification card. Nevertheless, without developing a comprehensive project plan and its component parts--an established industry best practice for project planning and management--TSA is placing the program's schedule and performance at higher risk. More delays could occur, for example, unless DHS and TSA agree on a comprehensive project plan to guide the remainder of the project, identify work that TSA and DHS officials must complete, and set deadlines for completing it. Without adequate risk mitigation plans, TSA may not be able to resolve problems that could adversely affect the card program objectives, such as insufficient stakeholder support to successfully develop, test, and implement the card program. Further, without a plan to guide the cost-benefit and alternatives analyses, TSA increases the risk that it may fail to sufficiently analyze the feasibility of various approaches to issue the card, an analysis needed by DHS policy officials to make informed decisions about the program, putting the program at risk for further delays. Recommendations for Executive Action: To help ensure that TSA meets the challenges it is facing in developing and operating its maritime worker identification card program, we are recommending that the Secretary of Homeland Security direct the TSA Administrator to employ industry best practices for project planning and management, by taking the following two actions: * Develop a comprehensive project plan for managing the remaining life of the project. * Develop specific, detailed plans for risk mitigation and cost-benefit and alternatives analyses. Agency Comments and Our Evaluation: We provided a draft of this report to DHS and TSA for their review and comment. DHS and TSA generally concurred with the findings and recommendations that we made in our report and provided technical comments that we incorporated where appropriate. DHS and TSA also provided written comments on a draft of this report (see app. I). In its comments, DHS noted actions that it has recently taken or plans to take to address concerns we raised regarding outstanding regulatory and policy issues. Although DHS and TSA concurred with our recommendations, in their comments, they contend that project plans and program management controls are currently in place to manage their test of the TWIC prototype. However, at the time of our review, the project planning documents identified by DHS and TSA in their comments were incomplete, lacked the necessary approvals from appropriate officials, or were not provided during our audit. Furthermore, project plans and other management controls have not been developed for the remaining life of the project. We are sending copies of this report to other interested Members of Congress. We are also sending copies to the Secretary of Homeland Security. We will make copies available to others upon request. In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov. If you or your staffs have any questions about this report, please contact me at (415) 904-2200 or at wrightsonm@gao.gov. Other major contributors to this report included Jonathan Bachman, Chuck Bausell, Tom Beall, Steve Calvo, Ellen Chu, Matt Coco, Lester Diamond, Geoffrey Hamilton, Rich Hung, Lori Kmetz, Anne Laffoon, Jeff Larson, David Powner, Tomas Ramirez, and Stan Stenerson. Signed by: Margaret T. Wrightson: Director, Homeland Security and Justice Issues: [End of section] Appendix I: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington DC 20J28: December 1, 2004: Ms. Margaret Wrightson: Director, Homeland Security & Justice Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Wrightson: RE: GAO-05-106, Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program (GAO Job Code 440265): Thank you for the opportunity to review the subject draft report. The Department of Homeland Security (DES) appreciates the work done to identify areas for improvement in the Transportation Security Administration's (TSA) Transportation Worker Identification Credential (TWIG) program referred to in the report as the Maritime Worker Identification Card Program. We generally concur with the recommendations and appreciate the discussion and acknowledgement of challenges and progress made, and suggested action this report contains. However, DES has comments on parts of the report. DES would like to emphasize the dynamic and maturing organizational environment in which the TWIC program has operated. The creation of TSA within the Department of Transportation and its subsequent transfer to DES in 2003 created challenges for TWIC officials by requiring the program to move forward without the benefit of long-standing and mature institutional frameworks. Regulatory Concerns: The report highlights concerns about regulations not being completed, including a final rule implementing the Maritime Transportation Security Act card requirement and a regulatory impact assessment. TSA and the Coast Guard are beginning work on joint rulemaking for the implementation of the TWIC program for maritime workers. The information gained from the prototype phase should provide valuable input to the rulemaking process. TSA will work with other agencies to develop complementary rules for transportation modes other than maritime. Policy Decisions: The report also lists numerous policy decisions that must be made in order for the TWIG program to proceed on schedule. As part of the Capital Planning and Investment Control process, and as directed by the DHS Investment Review Board, TSA is working closely with other DHS organizational elements to identify and resolve any outstanding policy questions. Once the prototype is complete, TSA will analyze the results to determine how the program will be implemented. GAO Recommendations: "To help ensure that TSA meets the challenges it is facing in developing and operating its maritime worker identification card program, we are recommending that the Secretary of Homeland Security direct the TSA Administrator to employ industry best practices for project planning and management, by taking the following two actions: * Develop a comprehensive project plan for managing the remaining life of the project; and: * Develop specific, detailed plans for risk mitigation and cost-benefit and alternatives analyses." Responses to GAO Recommendations: Project Management: DHS concurs with the GAO recommendation to develop a comprehensive plan for managing the remaining components of the TWIG project. Significant program management controls are currently in place. These controls are assisting TSA in managing Phase III - Prototype and include: * A detailed milestone schedule that tracks all phases of the TWIC system development lifecycle, key milestones, deliverables, and associated tasking; * Daily and weekly project team meetings that consist of in-depth reviews of the project schedule baseline, current issues requiring management attention and action, relevant project-phase deliverables, documentation, stakeholder issues, and program communications; * A detailed Program Management Control Plan; * Risk Assessment and Mitigation Planning; * Configuration Management and Change Control; * A project Quality Assurance Plan; and: * A detailed and iterative cost model to assist in developing budget projections during the lifecycle of the project. The recent successful demonstration of the TWIC Prototype initial operating capability is testimony to the efficacy of the program controls in place. The seven-month pilot will involve up to 200,000 workers in six states at 34 sites. On November 17, 18, and 19, 2004, workers received their credentials at the Port of Los Angeles, the Long Beach Container Terminal in California, at Port Canaveral and the Port of Pensacola in Florida, and at the Maritime Exchange in Philadelphia. In each instance, the enrollment, background checks, credential production, authorization, and issuance processes and mechanisms operated virtually problem-free. Risk Mitigation: DHS agrees that a risk mitigation plan is a vital tool to support program success. To that end, TSA is developing a "Risk Mitigation Plan for TWIC". The plan will describe the specific steps program officials will take to identify, analyze, plan, track and control risks. The plan will specify the frequency of such activities and the expected outputs and actions the program officials will take to manage and mitigate risks. In developing the plan, the TWIC Program Team has conducted numerous sessions to identify, analyze, and plan risk mitigation strategies for the program. When the Risk Mitigation Plan is fully implemented, the program will satisfy the risk mitigation recommendation specified in the GAO report. Cost Benefit Analysis and Alternatives Analysis: DHS agrees that a cost-benefit analysis and alternatives analysis needs to be performed. To that end, TSA is actively working to complete these analyses. As stated in the Alternatives Development Document, the TSA has analyzed a number of implementation options and eliminated those options that were deemed to be non-viable due to cost, schedule, or inability to meet mission goals or performance objectives. TSA will analyze the remaining alternatives and methods of implementation, applying reasonable assumptions, constraints and conditions, deriving cost estimates for the alternatives based on these factors. TSA will then analyze the potential benefits for each alternative and compare them to the projected costs. The cost benefit analysis focuses on comparing the potential costs and benefits of Federal versus decentralized oversight and implementation. Sincerely, Signed by: Anna F. Dixon: Director: Departmental GAO/OIG Liaison Office: [End of section] FOOTNOTES [1] Pub. L. No. 107-295, 116 Stat. 2064 (2002). [2] See GAO, Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain, GAO-03-1155T (Washington, D.C.: Sept. 9, 2003). [3] Of the facilities testing TSA's prototype, we visited ports and facilities in the Delaware River Region, including Wilmington Port Authority, the Philadelphia Maritime Exchange, and the South Jersey Port. We also visited ports and facilities on the west coast, including those in the Port of Seattle, Port of Los Angeles, and Port of Long Beach as well as ports and facilities in Florida, including Port Everglades and the Port of Jacksonville, and Florida state agencies responsible for the state's biometric identification card program for maritime workers. [4] These other credentialing programs included OMB's Interagency Advisory Board, various federal working groups, General Services Administration (GSA) Smart Access Common ID (referred to commonly as the Smart Card Schedule) Contract and its Smart Card Center of Excellence Smart Card, Biometric and Security industry events, and industry representatives. [5] Testing a biometric card system prototype is scheduled to begin in fall 2004, and the final report on the prototype is to be completed by May 2005. [6] Pub. L. No. 107-71, 115 Stat. 597 (2001). [7] The 2001 law titled Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 is also known as the USA PATRIOT Act. Pub. L. No. 107-56, 115 Stat. 272 (2001). [8] While TSA has not selected TWIC as the most appropriate approach to issue the biometric identification card required by MTSA, TSA program officials use the term TWIC to describe their maritime card program. [9] A senior TSA official said that under the decentralized approach, TSA would not issue the card but would issue a regulation that would require local entities to issue the card. [10] Interoperability means that the system will allow transportation workers to use the same card and associated background checks at multiple transportation facilities. [11] Specifically, the Conferees directed $50 million to the transportation worker identification card for fiscal year 2004 and $35 million jointly to the credentialing program and another program--the aviation registered traveler program--for fiscal year 2003. See, H.R. Conf. Rept. No. 108-280, at 37-38 (2003) and H.R. Conf. Rept. No. 108- 10, at 1235-1236 (2003). [12] H.R. Conf. Rept. No. 108-774, at 53 (2004). The Conferees specified that of the total funding, $5 million is a direct appropriation that is to be used to develop and install necessary hardware and software at those sites producing and personalizing the transportation worker identification credentials. The Conferees further specified that the additional $10 million appropriation would be offset throughout the fiscal year from application fees. [13] Of the total amounts provided in both the House and Senate Committee on Appropriations reports, each committee report specified that $50 million was to be offset throughout the fiscal year from fee collections. See, H.R. Rept. No. 108-541, at 48 (2004); S. Rept. No. 108-280, at 38 (2004). [14] DHS classified the maritime worker identification card as a major information technology investment under DHS guidelines. [15] Office of Management and Budget, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, Circular A-94, revised October 29, 1992. OMB requires both a cost-benefit analysis and an alternatives analysis to be completed but does not specify at what point in the project this work is to be done. However, DHS guidance and best practices for program management recognized by DHS suggest that programs complete an alternatives analysis in an early planning stage and then test a prototype of the preferred alternative. [16] Carnegie Mellon's Software Engineering Institute, a federally- funded research and development center operated by Carnegie Mellon University and sponsored by the U.S. Department of Defense, created models such as Capability Maturity Model® Integration (CMMI) to guide information technology projects through best practices of project planning and project management. The CMMI sets out specific project planning activities that should take place for a project to best fulfill its mission. [17] While MTSA contains some general provisions related to eligibility, it requires DHS to establish which felony convictions indicate that a maritime worker could pose a terrorism security risk and should therefore be disqualified from receiving a card. MTSA also requires DHS officials to develop processes for workers to appeal the denial of a card and to request a waiver of the eligibility requirements allowing them to receive a card if disqualified due to their criminal record. [18] TSA plans to harmonize the eligibility requirements for the maritime worker identification card with credentialing requirements for surface and aviation workers. [19] DHS officials expect TSA to make recommendations that establish eligibility requirements for maritime workers and harmonize them, to the extent possible, with those used to screen surface and aviation transportation workers. Certain workers in the aviation industry, the maritime industry, and truck drivers seeking a license to transport hazardous materials are subject to statutorily required background and criminal history record checks. With respect to the results of criminal history record checks in the aviation context, disqualifying criminal offenses are set out in statute. Neither the USA PATRIOT Act provisions relating to records checks of transporters of hazardous materials nor the MTSA provisions relating to records checks of maritime workers specify the types of criminal offenses to be considered as grounds for disqualification. With respect to workers in the maritime industry, MTSA further requires the issuance of a biometric security card for maritime workers. [20] TSA has estimated the total life-cycle program costs to the federal government of a TWIC approach to be about $1 billion. This estimate spans 10 years, fiscal years 2005 - 2014, and does not include all program costs, such as costs to port facilities, costs of background checks, and costs to adjudicate applications for a biometric identification card, appeal the decision to deny a worker a biometric transportation card, and waiver requests should a maritime worker not meet the eligibility requirements for a biometric identification card (e.g., if he or she was convicted of a serious felony making him or her ineligible for the card). TSA estimates the cost to maintain the TWIC program would be $116.2 million per year. TSA program officials said that the costs to the government would be recovered through a statutorily authorized fee collection program, but the agency has not established the fee amount yet. [21] See GAO, Maritime Security: Better Planning Needed to Help Ensure and Effective Port Security Assess Program, GAO-04-1062 (Washington, D.C.: Sept. 29, 2004); Land Management Systems: Progress and Risks in Developing BLM's Land and Mineral Record System, GAO/AIMD-95-180 (Washington, D.C.: Aug. 31, 1995); Land Management Systems: BLM Faces Risks in Completing the Automated Land and Mineral Record System, GAO/ AIMD-97-42 (Washington, D.C.: Mar. 19, 1997); Land Management Systems: Actions Needed in Completing the Automated Land and Mineral Record System Development, GAO/AIMD-98-107 (Washington, D.C.: May 15, 1998); and Land Management Systems: Major Software Development Does Not Meet BLM's Business Needs, GAO/AIMD-99-135 (Washington, D.C.: Apr. 30, 1999) [22] Carnegie Mellon's Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University and sponsored by the U.S. Department of Defense, created models such as Capability Maturity Model® Integration to guide information technology projects through best practices of project planning and project management. [23] TSA officials said that they cannot complete an implementation plan until DHS decides which type of program---the federal, decentralized, or TWIC--will be implemented. Of the various strategies for rolling out the card program, officials said TSA must determine which one is the best, for instance, a regional strategy where cards are issued to workers in all transportation sectors in one geographic region or a threat-based strategy, where cards are first issued to workers in maritime ports considered at highest risk. [24] Of the facilities testing TSA's prototype, we visited ports and facilities in the Delaware River Region, including Wilmington Port Authority, the Philadelphia Maritime Exchange, and the South Jersey Port. We also visited ports and facilities on the west coast, including those in the Port of Seattle, Port of Los Angeles, and Port of Long Beach as well as ports and facilities in Florida, including Port Everglades and the Port of Jacksonville. [25] As a result of the recommendations made in the report of the National Commission on Terrorist Attacks upon the United States (the 9/ 11 Commission), Congress has considered legislative proposals related to biometric identification cards. While it is too soon tell what effect, if any, legislative proposals may have on the maritime worker identification card program, such proposals could create new and important stakeholders for the card, have the potential to affect the design and implementation of TSA's card program, or make the TSA card unnecessary and duplicative. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: