This is the accessible text file for GAO report number GAO-04-232T entitled 'Aviation Security: Efforts to Measure Effectiveness and Address Challenges' which was released on November 05, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony before the Committee on Commerce, Science and Transportation, U.S. Senate: United States General Accounting Office: GAO: For Release on Delivery Expected at 9:30 a.m. EDT: Wednesday, November 5, 2003: AVIATION SECURITY: Efforts to Measure Effectiveness and Address Challenges: Statement of Cathleen A. Berrick, Director Homeland Security and Justice Issues: GAO-04-232T: GAO Highlights: Highlights of GAO-04-232T, a testimony to the Committee on Commerce, Science and Technology, U.S. Senate Why GAO Did This Study: It has been 2 years since the attacks of September 11, 2001, exposed vulnerabilities in the nation’s aviation system. Since then, billions of dollars have been spent on a wide range of initiatives designed to enhance the security of commercial aviation. However, vulnerabilities in aviation security continue to exist. As a result, questions have been raised regarding the effectiveness of established initiatives in protecting commercial aircraft from threat objects, and whether additional measures are needed to further enhance security. Accordingly, GAO was asked to describe the Transportation Security Administration’s (TSA) efforts to (1) measure the effectiveness of its aviation security initiatives, particularly its passenger screening program; (2) implement a risk management approach to prioritize efforts and focus resources; and (3) address key challenges to further enhance aviation security. What GAO Found: TSA has implemented numerous initiatives designed to enhance aviation security, but has collected limited information on the effectiveness of these initiatives in protecting commercial aircraft. Our recent work on passenger screening found that little testing or other data exist that measures the performance of screeners in detecting threat objects. However, TSA is taking steps to collect data on the effectiveness of its security initiatives, including developing a 5- year performance plan detailing numerous performance measures, as well as implementing several efforts to collect performance data on the effectiveness of passenger screening—such as fielding the Threat Image Projection System and increasing screener testing. TSA has developed a risk management approach to prioritize efforts, assess threats, and focus resources related to its aviation security initiatives as we previously recommended, but has not yet fully implemented this approach. A risk management approach is a systematic process to analyze threats, vulnerabilities, and the criticality (or relative importance) of assets to better support key decisions. TSA is developing and implementing both a criticality and a vulnerability assessment tool to provide a basis for risk-based decision-making. TSA is currently using some components of these tools and plans to fully implement its risk management approach by the summer 2004. TSA faces a number of programmatic and management challenges as it continues to enhance aviation security. These include the implementation of the new computer-assisted passenger prescreening system, as well as strengthening baggage screening, airport perimeter and access controls, air cargo, and general aviation security. TSA also must manage the costs associated with aviation security and address human capital challenges, such as sizing its workforce as efficiency is improved with security-enhancing technologies—including the integration of explosive detection systems into in-line baggage- handling systems. Further challenges in sizing its workforce may be encountered if airports are granted permission to opt out of using federal screeners. What GAO Recommends: In prior reports and testimonies, GAO has made numerous recommendations to strengthen aviation security and to improve the management of federal aviation security organizations. We also have ongoing reviews assessing many of the issues addressed in this testimony and will issue separate reports on these areas at a later date. www.gao.gov/cgi-bin/getrpt?-GAO-04-232T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Cathleen A. Berrick at (202) 512-8777 or bbeberrickc@gao.gov. [End of section] Mr. Chairman and Members of the Committee: I appreciate the opportunity to participate in today's hearing to discuss the security of our nation's aviation system. It has been more than 2 years since the attacks of September 11, 2001, exposed vulnerabilities in commercial aviation. Since then, billions of dollars have been spent and a wide range of programs and initiatives have been implemented to enhance aviation security. However, recent reviews and covert testing conducted by GAO and Department of Homeland Security Office of Inspector General, as well as media reports, revealed continuing weaknesses and vulnerabilities in aviation security. For example, the recent incident involving a college student who placed box cutters, clay resembling plastic explosives, and bleach on commercial aircraft illustrated that aviation security can still be compromised. As a result of these challenges, the Transportation Security Administration (TSA), which is responsible for ensuring the security of aviation, is faced with the daunting task of determining how to allocate its limited resources to have the greatest impact in addressing threats and enhancing security. My testimony today focuses on three areas that are fundamental to TSA's success in allocating its resources and enhancing aviation security. These areas are (1) the need to measure the effectiveness of TSA's aviation security initiatives that have already been implemented, particularly its passenger screening program; (2) the need to implement a risk management approach to prioritize efforts, assess threats, and focus resources; and (3) the need to address key programmatic and management challenges that must be overcome to further enhance aviation security. This testimony is based on our prior work, reviews of TSA documentation, and discussions with TSA officials. In summary: Although TSA has implemented numerous programs and initiatives to enhance aviation security, it has collected limited information on the effectiveness of these programs and initiatives. Our recent work on TSA's passenger screening program showed that although TSA has made numerous enhancements in passenger screening, it has collected limited information on how effective these enhancements have been in improving screeners' ability to detect threat objects. The Aviation and Transportation Security Act (ATSA), which was enacted with the primary goal of strengthening the security of the nation's aviation system, requires that TSA establish acceptable levels of performance for aviation security initiatives and develop annual performance plans and reports to measure and document the effectiveness of those initiatives.[Footnote 1] Although TSA has developed an annual performance plan and report as required by ATSA, to date these tools have focused on TSA's progress in meeting deadlines to implement programs and initiatives mandated by ATSA, rather than on the effectiveness of these programs and initiatives. TSA has recognized that its data on the effectiveness of its aviation security initiatives are limited and is taking steps to collect objective data to assess its performance, which is to be incorporated in DHS's 5-year performance plan. TSA has developed a risk management approach to prioritize efforts, assess threats, and focus resources related to its aviation security initiatives as recommended by GAO, but has not yet fully implemented this approach. TSA's aviation security efforts are varied and vast, and its resources are fixed. As a result, a risk management approach is needed to better support key decisions, linking resources with prioritized efforts.[Footnote 2] TSA has not yet fully implemented its risk management tools because until recently its resources and efforts were largely focused on meeting the aviation security mandates included in ATSA. TSA has acknowledged the need for a risk management approach and expects to complete the development and automation of its risk management tools by September 2004. TSA faces a number of programmatic and management challenges as it continues to address threats to our nation's aviation system. These challenges include implementing various aviation security programs, such as the Computer-Assisted Passenger Prescreening System[Footnote 3]--CAPPS II--and addressing broader security concerns related to the security of air cargo and general aviation.[Footnote 4] TSA also faces challenges in managing the costs of aviation security and in strategically managing its workforce of about 60,000 people, most of whom are deployed at airports to detect weapons and explosives. TSA has been addressing these and other challenges through a variety of efforts. We have work in progress that is examining TSA's efforts in addressing many of these challenges. Background: Ensuring the security of our nation's commercial aviation system has been a long-standing concern. As demonstrated by the 1988 bombing of a U.S. airliner over Lockerbie, Scotland, and the 1995 plot to blow up as many as 12 U.S. aircraft in the Pacific region discovered by Philippine authorities, U.S. aircraft have long been a target for terrorist attacks. Many efforts have been made to improve aviation security, but as we and others have documented in numerous reports and studies, weaknesses in the system continue to exist. It was these weaknesses that terrorist exploited to hijack four commercial aircraft in September 2001, with tragic results. On November 19, 2001, the President signed into law the Aviation and Transportation Security Act, with the primary goal of strengthening the security of the nation's aviation system. ATSA created TSA as an agency within the Department of Transportation with responsibility for securing all modes of transportation, including aviation. ATSA mandated specific improvements to aviation security and established deadlines for completing many of them. TSA's main focus during its first year of operation was on meeting these ambitious deadlines, particularly federalizing the screener workforce at commercial airports nationwide by November 19, 2002, while at the same time establishing a new federal organization from the ground up. The Homeland Security Act, signed into law on November 25, 2002, transferred TSA from the Department of Transportation to the new Department of Homeland Security.[Footnote 5] Virtually all aviation security responsibilities now reside with TSA, including the screening of air passengers and baggage, a function that had previously been the responsibility of air carriers. TSA is also responsible for ensuring the security of air cargo and overseeing security measures at airports to limit access to restricted areas, secure airport perimeters, and conduct background checks for airport personnel with access to secure areas, among other responsibilities. Limited Information Exists on the Effectiveness of Aviation Security Initiatives: TSA has implemented numerous initiatives designed to enhance aviation security but has collected little information on the effectiveness of these initiatives. ATSA requires that TSA establish acceptable levels of performance and develop annual performance plans and reports to measure and document the effectiveness of its security initiatives.[Footnote 6] Although TSA has developed these performance tools, as required by ATSA, it currently focuses on progress toward meeting ATSA deadlines, rather than on the effectiveness of its programs and initiatives. However, TSA is taking steps to collect objective data to assess its performance. Evaluation of Program Effectiveness: TSA currently has limited information on the effectiveness of its aviation security initiatives. As we reported in September 2003,[Footnote 7] the primary source of information collected on screeners' ability to detect threat objects is the covert testing conducted by TSA's Office of Internal Affairs and Program Review. However, TSA does not consider the results of these covert tests to be a measure of performance but rather a "snapshot" of a screener's ability to detect threat objects at a particular point in time, and as a system-wide performance indicator. At the time we issued our report, the Office of Internal Affairs and Program Review had conducted 733 covert tests of passenger screeners at 92 airports. Therefore, only about 1 percent of TSA's nearly 50,000 screeners had been subject to a covert test. In addition to conducting covert tests at screening checkpoints, TSA conducts tests to determine whether the current Computer-Assisted Passenger Screening System is working as designed, threat objects are detected during the screening of checked baggage, and access to restricted areas of the airport is limited only to authorized personnel.[Footnote 8] While the Office of Internal Affairs has conducted about 2,000 access tests, it has conducted only 168 Computer- Assisted Passenger Screening System and checked baggage tests. Based on an anticipated increase in staff from about 100 in fiscal year 2003 to 200 in fiscal year 2004, the Office of Internal Affairs and Program Review plans to conduct twice as many covert tests next year.[Footnote 9] Another key source of data on screener performance in detecting threat objects is the Threat Image Projection (TIP) system, which places images of threat objects on the X-ray screen during actual operations and records whether screeners identify the threat object.[Footnote 10] The Federal Aviation Administration began deploying TIP in late 1999 to continuously measure screener performance and to train screeners in becoming more adept at detecting hard-to-spot threat objects. However, TIP was shut down immediately following the September 11 terrorist attacks because of concerns that it would result in screening delays and panic, as screeners might think that they were actually viewing a threat object. Although TSA officials recognized that TIP is a key tool in measuring, maintaining, and enhancing screener performance, they only recently began reactivating TIP on wide-scale basis because of competing priorities, a lack of training, and a lack of resources needed to deploy TIP activation teams. Once TIP is fully deployed and operational at every checkpoint at all airports, as it is expected to be in April 2004, TSA headquarters and federal security directors[Footnote 11] will have the capability to analyze this performance data in a number of ways, including by individual screeners, checkpoints, terminals, and airports. When fully deployed, the annual screener recertification test results will provide another source of data on screener performance. ATSA requires that TSA collect performance information on each screener through conducting an annual proficiency review to ensure he or she continues to meet all qualifications and standards required to perform the screening function. Although TSA began deploying federal screeners to airports in April 2002, TSA only recently began implementing the annual recertification program and does not expect to complete testing at all airports until March 2004. The recertification testing is comprised of three components: (1) image recognition; (2) knowledge of standard operating procedures; and (3) practical demonstration of skills, to be administered by a contractor. TSA officials consider about 28,000 screeners as having already completed the first two components because they successfully passed competency tests TSA administered at many airports as part of a screener workforce reduction effort. However, these competency tests did not include the third component of TSA's planned annual screener recertification program--the practical demonstration of skills. TSA officials awarded a contract for this component of the annual proficiency reviews in September 2003. TSA's Performance Management Information System for passenger and baggage screening operations is designed to collect performance data, but it currently contains little information on screener performance in detecting threat objects. The Performance Management Information System collects a wide variety of metrics on workload, staffing, and equipment and is used to identify some performance indicators, such as the level of absenteeism, the average time for equipment repairs, and the status of TSA's efforts to meet goals for 100 percent electronic baggage screening.[Footnote 12] However, the system does not contain any performance metrics related to the effectiveness of passenger screeners. TSA is planning to integrate performance information from various systems into the Performance Management Information System to assist the agency in making strategic decisions. TSA further plans to continually enhance the system as it learns what data are needed to best manage the agency. In addition to making improvements to the Performance Management Information System, TSA is currently developing performance indexes for both individual screeners and the screening system as a whole. The screener performance index will be based on data such as the results of performance evaluations and recertification tests, and the index for the screening system will be based on information such as covert test results and screener effectiveness measures. TSA has not yet fully established its methodology for developing the indexes, but it expects to have the indexes developed by the end of fiscal year 2004. In conjunction with measuring the performance of its passenger screening operations, TSA must also assess the performance of the five pilot airports that are currently using contract screeners to determine the feasibility of using private screening companies instead of federal screeners.[Footnote 13] Although ATSA allows airports to apply to opt out of using federal screeners beginning in November 2004, TSA has not yet determined how to evaluate and measure the performance of the pilot program. In early October 2003, TSA awarded a contract to BearingPoint, Inc., to compare the performance of pilot screening with federal screening, including the overall strengths and weaknesses of both systems, and determine the reasons for any differences.[Footnote 14] The evaluation is scheduled to be completed by March 31, 2004.[Footnote 15] TSA has acknowledged that designing an effective evaluation of the screeners at the pilot airports will be challenging because key operational areas, including training, assessment, compensation, and equipment, have to a large extent been held constant across all airports, and therefore are not within the control of the private screening companies.[Footnote 16] In its request for proposal for the pilot airport evaluation, TSA identified several data sources for the evaluation, including the Performance Management Information System and the Office of Internal Affairs and Program Review's covert testing of passenger screeners. However, as we recently reported, data from both of these systems in measuring the effectiveness of screening operations is limited. As a result, it will be a challenge for TSA to effectively compare the performance of the contract pilot airports with the performance of airports using federal screeners. TSA Is Developing Performance Evaluation Tools: TSA has recognized the need to strengthen the assessment of its performance, and has initiated efforts to develop and implement strategic and performance plans to clarify goals, establish performance measures, and measure the performance of its security initiatives. Strategic plans are the starting point for an agency's planning and performance measurement efforts. Strategic plans include a comprehensive mission statement based on the agency's statutory requirements, a set of outcome-related strategic goals, and a description of how the agency intends to achieve these goals. The Government Performance and Results Act (GPRA)[Footnote 17] establishes a framework for strategic plans that requires agencies to: * clearly establish results-oriented performance goals in strategic and annual performance plans for which they will be held accountable, * measure progress toward achieving those goals, * determine the strategies and resources to effectively accomplish the goals, * use performance information to make programmatic decisions necessary to improve performance, and: * formally communicate results in performance reports. Although the Department of Homeland Security plans to issue one strategic plan for the Department, it plans to incorporate strategic planning efforts from each of its component agencies. TSA recently completed a draft of its input into the Department of Homeland Security's strategic plan. TSA officials stated that the draft is designed to ensure their security initiatives are aligned with the agency's goals and objectives, and that these initiatives represent the most efficient use of their resources. TSA officials submitted the draft plan to stakeholders in September 2003 for their review and comment. The Department of Homeland Security plans to issue its strategic plan by the end of the year.[Footnote 18] In addition to developing a strategic plan, TSA is developing a performance plan to help it evaluate the current effectiveness and levels of improvement in its programs, based on established performance measures. TSA submitted to the Congress a short-term performance plan in May 2003, as required by ATSA, that included performance goals and objectives. The plan also included an initial set of 32 performance measures, including the percentage of bags screened by explosive detection systems and the percentage of screeners in compliance with training standards. However, these measures were primarily output-based (measuring whether specific activities were achieved) and did not measure the effectiveness of TSA's security initiatives. TSA officials acknowledge that the goals and measures included in the report were narrowly focused, and that in moving forward additional performance- based measures are needed. In addition to developing a short-term performance plan, ATSA also requires that TSA develop a 5-year performance plan and annual performance report, including an evaluation of the extent to which its goals and objectives were met. TSA is currently developing performance goals and measures as part of its annual planning process and will collect baseline data throughout fiscal year 2004 to serve as a foundation for its performance targets. TSA also plans to increase its focus on measuring the effectiveness of various aspects of the aviation security system in its 5-year performance plan. According to TSA's current draft strategic plan, which outlines its overall goals and strategies for fiscal years 2003 through 2008, its efforts to measure the effectiveness of the aviation security system will include: * random and scheduled reviews of the efficiency and effectiveness of security processes; * oversight of compliance with security standards and approved programs through a combination of inspections, testing, interviews, and record reviews--to include TIP; * measurement of performance against standards to ensure expected standards are met and to drive process improvements; and: * collection and communication of performance data using a state-of- the-art data collection and reporting system. In our January 2003 report on TSA's actions and plans to build a results-oriented culture, we recommended next steps that TSA should take to strengthen its strategic planning efforts.[Footnote 19] These steps include establishing security performance goals and measures for all modes of transportation that involves stakeholders, and applying practices that have been shown to provide useful information in agency performance plans. We also identified practices that TSA can apply to ensure the usefulness of its required 5-year performance plan to TSA managers, the Congress, and other decision makers or interested parties. Table 1 outlines the practices we identified for TSA. Table 1: Summary of Opportunities to Help Ensure Useful Annual Plans and Applied Practices: Opportunities to help ensure useful annual plans: Articulate a results orientation; Applied practices: Create a set of performance goals and measures that addresses important dimensions of program performance and balances competing priorities; Use intermediate goals and measures to show progress or contribution to intended results; Include explanatory information on the goals and measures; Develop performance goals to address mission-critical management problems; Show baseline and trend data for past performance; Identify projected target levels of performance for multiyear goals; Link the goals of component organizations to departmental strategic goals. Opportunities to help ensure useful annual plans: Coordinate cross- cutting programs; Applied practices: Identify programs that contribute to the same or similar results; Set complementary performance goals to show how differing program strategies are mutually reinforcing and establish common or complementary performance measures, as appropriate; Describe--briefly or refer to a separate document-- planned coordination strategies. Opportunities to help ensure useful annual plans: Show how strategies will be used to achieve goals; Applied practices: Link strategies and programs to specific performance goals and describe how they will contribute to the achievement of those goals; Describe strategies to leverage or mitigate the effects of external factors on the accomplishment of performance goals; Discuss strategies to resolve mission-critical management problems; Discuss--briefly or refer to a separate plan--plans to ensure that mission-critical processes and information systems function properly and are secure. Opportunities to help ensure useful annual plans: Show performance consequences of budget and other resource decisions; Applied practices: Show how budgetary resources relate to the achievement of performance goals; Discuss--briefly and refer to the agency capital plan--how proposed capital assets (specifically information technology investments) will contribute to achieving performance goals; Discuss- -briefly or refer to a separate plan--how the agency will use its human capital. Opportunities to help ensure useful annual plans: Build the capacity to gather and use performance information; Applied practices: Identify internal and external sources of data; Describe efforts to verify and validate performance data; Identify actions to compensate for unavailable or low-quality data; Discuss implications of data limitations for assessing performance. Source: GAO. [End of table] TSA agreed with our recommendation and plans to incorporate these principles into the data it provides DHS for the department's 5-year performance plan and annual performance report. DHS plans to complete its 5-year performance plan and annual performance report by February 2004, as required by GPRA. The Congress has also recognized the need for TSA to collect performance data and, as part of the Federal Aviation Administration's (FAA) reauthorization act--Vision 100: Century of Aviation Reauthorization Act--is currently considering a provision that would require the Secretary of the Department of Homeland Security to conduct a study of the effectiveness of the aviation security system. Risk Management Approach Needed To Focus Security Efforts: As TSA moves forward in addressing aviation security concerns, it needs adequate tools to ensure that its efforts are appropriately focused, strategically sound, and achieving expected results. Because of limited funding, TSA needs to set priorities so that its resources can be focused and directed to those aviation security enhancements most in need of implementation. In recent years, we have consistently advocated the use of a risk management approach to respond to various national security and terrorism challenges, and have recommended that TSA apply this approach to strengthen security in aviation as well as in other modes of transportation.[Footnote 20] TSA agreed with our recommendation and is adopting a risk management approach. Risk management is a systematic and analytical process to consider the likelihood that a threat will endanger an asset, an individual, or a function and to identify actions to reduce the risk and mitigate the consequences of an attack. Risk management principles acknowledge that while risk cannot be eliminated, enhancing protection from existing or potential threats can help reduce it. Accordingly, a risk management approach is a systematic process to analyze threats, vulnerabilities, and the criticality (or relative importance) of assets to better support key decisions. The purpose of this approach is to link resources with efforts that are of the highest priority. Figure 1 describes the risk management approach. Figure 1: Elements of a risk management approach: A threat assessment identifies and evaluates potential threats on the basis of factors such as capabilities, intentions, and past activities. This assessment represents a systematic approach to identifying potential threats before they materialize, and is based on threat information gathered from both the intelligence and law enforcement communities. However, even if updated often, a threat assessment might not adequately capture some emerging threats. The risk management approach, therefore, uses vulnerability and criticality assessments as additional input to the decision-making process; A vulnerability assessment identifies weaknesses that may be exploited by identified threats and suggests options to address those weaknesses. In general, a vulnerability assessment is conducted by a team of experts skilled in such areas as engineering, intelligence, security, information systems, finance, and other disciplines; A criticality assessment evaluates and prioritizes assets and functions in terms of specific criteria, such as their importance to public safety and the economy. The assessment provides a basis for identifying which structures or processes are relatively more important to protect from attack. As such, it helps managers to determine operational requirements and target resources at their highest priorities, while reducing the potential for targeting resources at lower priorities. Source: GAO. [End of figure] Figure 2 illustrates how the risk management approach can guide decision making and shows that the highest risks and priorities emerge where the three elements of risk management overlap. Figure 2: A Risk Management Approach: [See PDF for image] [End of figure] For example, an airport that is determined to be a critical asset, vulnerable to attack, and a likely target would be at most risk and therefore would be a higher priority for funding compared with an airport that is only vulnerable to attack. In this vein, aviation security measures shown to reduce the risk to the most critical assets would provide the greatest protection for the cost. Over the past several years, we have concluded that comprehensive threat, vulnerability, and criticality assessments are key in better preparing against terrorist attacks, and we have recommended that TSA apply this risk management approach to strengthen security in aviation. TSA agreed with our recommendation and is adopting a risk management approach in an attempt to enhance security across all modes of transportation. According to TSA officials, once established, risk management principles will drive all decisions--from standard setting to funding priorities to staffing. TSA has not yet fully implemented its risk management approach, but it has taken steps in this direction. Specifically, TSA's Office of Threat Assessment and Risk Management is developing four assessment tools that will help assess threats, criticality, and vulnerabilities. Figure 3 illustrates TSA's threat assessment and risk management approach. Figure 3: TSA's Risk Management Approach and Tools: [See PDF for image] Source: TSA. [End of figure] The first tool, which will assess criticality, will determine a criticality score for a facility or transportation asset by incorporating factors such as the number of fatalities that could occur during an attack and the economic and sociopolitical importance of the facility or asset. This score will enable TSA, in conjunction with transportation stakeholders, to rank facilities and assets within each mode and thus focus resources on those that are deemed most important. TSA is working with another Department of Homeland Security office--the Information and Analysis Protection Directorate--to ensure that the criticality tool will be consistent with the Department's overall approach for managing critical infrastructure. A second tool--the Transportation Risk Assessment and Vulnerability Tool (TRAVEL)--will assess threats and analyze vulnerabilities at those transportation assets TSA determines to be nationally critical. The tool will be used in a TSA-led and facilitated assessment that will be conducted on the site of the transportation asset.[Footnote 21] Specifically, the tool will assess an asset's baseline security system and that system's effectiveness in detecting, deterring, and preventing various threat scenarios, and it will produce a relative risk score for potential attacks against a transportation asset or facility. In addition, TRAVEL will include a cost-benefit component that compares the cost of implementing a given countermeasure with the reduction in relative risk to that countermeasure. TSA is working with economists to develop the cost-benefit component of this model and with the TSA Intelligence Service to develop relevant threat scenarios for transportation assets and facilities. According to TSA officials, a standard threat and vulnerability assessment tool is needed so that TSA can identify and compare threats and vulnerabilities across transportation modes. If different methodologies are used in assessing the threats and vulnerabilities, comparisons could be problematic. However, a standard assessment tool would ensure consistent methodology. A third tool--the Transportation Self-Assessment Risk Module (TSARM)-- will be used to assess and analyze vulnerabilities for assets that the criticality assessment determines to be less critical. The self- assessment tool included in TSARM will guide a user through a series of security-related questions in order to develop a comprehensive security baseline of a transportation entity and will provide mitigating strategies for when the threat level increases. For example, as the threat level increases from yellow to orange, as determined by the Department of Homeland Security, the assessment tool might advise an entity to take increased security measures, such as erecting barriers and closing selected entrances. TSA had deployed one self-assessment module in support of targeted maritime vessel and facility categories.[Footnote 22] The fourth risk management tool that TSA is currently developing is the TSA Vulnerability Assessment Management System (TVAMS). TVAMS is TSA's intended repository of criticality, threat, and vulnerability assessment data. TVAMS will maintain the results of all vulnerability assessments across all modes of transportation. This repository will provide TSA with data analysis and reporting capabilities. TVAMS is currently in the conceptual stage and requirements are still being gathered. TSA is now using components of these risk management tools and is automating others so that the components can be used remotely by stakeholders, such as small airports, to assess their risks. For example, according to TSA officials, TSA has conducted assessments at 9 of 443 commercial airports using components of its TRAVEL tool. Three of these assessments were conducted at category X airports (the largest and busiest airports), and the remaining 6 assessments were conducted at airports in lower categories. TSA plans to conduct approximately 100 additional assessments of commercial airports in 2004 using TRAVEL and plans to begin compiling data on security vulnerability trends in 2005. Additionally, TSA plans to fully implement and automate its risk management approach by September 2004. TSA Faces Additional Programmatic And Management Challenges: In addition to collecting performance data and implementing a risk management approach, TSA faces a number of other programmatic and management challenges in strengthening aviation security. These challenges include implementing the new Computer-Assisted Passenger Prescreening System; strengthening baggage screening, airport perimeter and access controls, air cargo, and general aviation security; managing the costs of aviation security initiatives; and managing human capital. TSA has been addressing these challenges through a variety of efforts. We have work in progress that is examining TSA's efforts in most of these areas, and we will be reporting on TSA's progress in the future. Computer-Assisted Passenger Prescreening System (CAPPS II): ATSA authorized TSA to develop a new Computer-Assisted Passenger Prescreening System, or CAPPS II. This system is intended to replace the current Computer-Assisted Passenger Screening program, which was developed in the mid-1990s by the Federal Aviation Administration to enable air carriers to identify passengers requiring additional security attention. The current system is maintained as a part of the airlines' reservation systems and, operating under federal guidelines, uses a number of behavioral characteristics to select passengers for additional screening. In the wake of the September 11, 2001, terrorist attacks, a number of weaknesses in the current prescreening program were exposed. For example, although the characteristics used to identify passengers for additional screening are classified, several have become public knowledge through the press or on the Internet. Although enhancements have been made to address some of these weaknesses, the behavioral traits used in the system may not reflect current intelligence information. It is also difficult to quickly modify the system to respond to real-time changes in threats. Additionally, because the current system operates independently within each air carrier reservation system, changes to each air carrier's system to modify the prescreening system can be costly and time-consuming. In contrast, CAPPS II is planned to be a government-run program that will provide real-time risk assessment for all airline passengers. Unlike the current system, TSA is designing CAPPS II to identify and compare personal information with commercially available data to confirm a passenger's identity. The system will then run the identifying information against government databases and generate a "risk" score for the passenger. The risk score will determine the level of screening that the passenger will undergo before boarding. TSA currently estimates that initial implementation of CAPPS II will occur during the fall of 2004, with full implementation expected by the fall of 2005. TSA faces a number of challenges that could impede their ability to implement CAPPS II. Among the most significant are the following: * concerns about travelers' privacy rights and the safeguards established to protect passenger data; * the accuracy of the databases being used by the CAPPS II system and whether inaccuracies could generate a high number of false positives and erroneously prevent or delay passengers from boarding their flights; * the length of time that data will be retained by TSA; * the availability of a redress process through which passengers could get erroneous information corrected; * concerns that identify theft, in which someone steals relevant data and impersonates another individual to obtain that person's low risk score, may not be detected and thereby negate the security benefits of the system; and: * obtaining the international cooperation needed for CAPPS II to be fully effective, as some countries consider the passenger information required by CAPPS II as a potential violation of their privacy laws. We are currently assessing these and other challenges in the development and implementation of the CAPPS II system and expect to issue a final report on our work in early 2004. Checked Baggage Screening: Checked baggage represents a significant security concern, as explosive devices in baggage can, and have, been placed in aircraft holds. ATSA required screening of all checked baggage on commercial aircraft by December 31, 2002, using explosive detection systems to electronically scan baggage for explosives. According to TSA, electronic screening can be accomplished by bulk explosives detection systems (EDS)[Footnote 23] or Explosives Trace Detection (ETD) systems.[Footnote 24] However, TSA faced challenges in meeting the mandated implementation date. First, the production capabilities of EDS manufacturers were insufficient to produce the number of units needed. Additionally, according to TSA, it was not possible to undertake all of the airport modifications necessary to accommodate the EDS equipment in each airport's baggage handling area. In order to ensure that all checked baggage is screened, TSA established a program that uses alternative measures, including explosives sniffing dogs, positive passenger bag match,[Footnote 25] and physical hand searches at airports where sufficient EDS or ETD technology is not available. TSA was granted an extension for screening all checked baggage electronically, using explosives detection systems, until December 31, 2003. Although TSA has made progress in implementing EDS technology at more airports, it has reported that it will not meet the revised mandate for 100 percent electronic screening of all checked baggage. Specifically, as of October 2003, TSA reported that it will not meet the deadline for electronic screening by December 31, 2003, at five airports. Airport representatives with whom we spoke expressed concern that there has not been enough time to produce, install, and integrate all of the systems required to meet the deadline. In addition to fielding the EDS systems at airports, difficulties exist in integrating these systems into airport baggage handling systems. For those airports that have installed EDS equipment, many have been located in airport lobbies as stand-alone systems. The chief drawback of stand-alone systems is that because of their size and weight there is a limit to the number of units that can be placed in airport lobbies, and numerous screeners are required to handle the checked bags because each bag must be physically conveyed to the EDS machines and then moved back to the conveyor system for transport to the baggage handling room in the air terminal. Some airports are in the process of integrating the EDS equipment in-line with the conveyor belts that transport baggage from the ticket counter to the baggage handling area; however, the reconfiguring of airports for in-line checked baggage screening can be extensive and costly.[Footnote 26] TSA has reported that in-line EDS equipment installation costs range from $1 million to $3 million per piece of equipment. In February 2003, we identified letters of intent[Footnote 27] as a funding option that has been successfully used to leverage private sources of funding.[Footnote 28] TSA has since written letters of intent covering seven airports promising multiyear financial support totaling over $770 million for in-line integration of EDS equipment.[Footnote 29] Further, TSA officials have stated that they have identified 25 to 35 airports as candidates for further letters of intent pending Congressional authorization of funding. We are examining TSA's baggage screening program, including its issuance of letters of intent, in an ongoing assignment. Perimeter and Access Controls: Prior to September 2001, work performed by GAO, and others, highlighted the vulnerabilities in controls for limiting access to secure airport areas. In one report, we noted that GAO special agents were able to use fictitious law enforcement badges and credentials to gain access to secure areas, bypass security checkpoints, and walk unescorted to aircraft departure gates.[Footnote 30] The agents, who had been issued tickets and boarding passes, could have carried weapons, explosives, or other dangerous objects onto aircraft. Concerns over the adequacy of the vetting process for airport workers who have unescorted access to secure airport areas have also arisen, in part, as a result of federal agency airport security sweeps that uncovered hundreds of instances in which airport workers lied about their criminal history, or immigration status, or provided false or inaccurate Social Security numbers on their application for security clearances to obtain employment. ATSA contains provisions to improve perimeter access security at the nation's airports and strengthen background checks for employees working in secure airport areas, and TSA has made some progress in this area. For example, federal mandates were issued to strengthen airport perimeter security by limiting the number of airport access points, and they require random screening of individuals, vehicles, and property before entry at the remaining perimeter access points. Further, TSA made criminal history checks mandatory for employees with access to secure or sterile airport areas. To date, TSA has conducted approximately 1 million of these checks. TSA also has plans to develop a pilot airport security program and is reviewing security technologies in the areas of biometrics access control identification systems (i.e., fingerprints or iris scans), anti-piggybacking technologies (to prevent more than one employee from entering a secure area at a time), and video monitoring systems for perimeter security. TSA solicited commercial airport participation in the program. It is currently reviewing information from interested airports and plans to select 20 airports for the program. Although progress has been made, challenges remain with perimeter security and access controls at commercial airports. Specifically, ATSA contains numerous requirements for strengthening perimeter security and access controls, some of which contained deadlines, which TSA is working to meet. In addition, a significant concern is the possibility of terrorists using shoulder-fired portable missiles from locations near the airport. We reported in June 2003 that airport operators have increased their patrols of airport perimeters since September 2001, but industry officials stated that they do not have enough resources to completely protect against missile attacks.[Footnote 31] A number of technologies could be used to secure and monitor airport perimeters, including barriers, motion sensors, and closed-circuit television. Airport representatives have cautioned that as security enhancements are made to airport perimeters, it will be important for TSA to coordinate with the Federal Aviation Administration and the airport operators to ensure that any enhancements do not pose safety risks for aircraft. To further examine these threats and challenges, we have ongoing work assessing TSA's progress in meeting ATSA provisions related to improving perimeter security, access controls, and background checks for airport employees and other individuals with access to secure areas of the airport, as well as the nature and extent of the threat from shoulder-fired missiles. Air Cargo Security: As we and the Department of Transportation's Inspector General have reported, vulnerabilities exist in ensuring the security of cargo carried aboard commercial passenger and all-cargo aircraft. TSA has reported that an estimated 12.5 million tons of cargo are transported each year--9.7 million tons on all-cargo planes and 2.8 million tons on passenger planes. Potential security risks are associated with the transport of air cargo--including the introduction of undetected explosive and incendiary devices in cargo placed aboard aircraft. To reduce these risks, ATSA requires that all cargo carried aboard commercial passenger aircraft be screened and that TSA have a system in place as soon as practicable to screen, inspect, or otherwise ensure the security of cargo on all-cargo aircraft. Despite these requirements, it has been reported that less than 5 percent of cargo placed on passenger airplanes is physically screened.[Footnote 32] TSA's primary approach to ensuring air cargo security and safety is to ensure compliance with the "known shipper" program--which allows shippers that have established business histories with air carriers or freight forwarders to ship cargo on planes. However, we and the Department of Transportation's Inspector General have identified weaknesses in the known shipper program and in TSA's procedures for approving freight forwarders, such as possible tampering with freight at various handoff points before it is loaded into an aircraft.[Footnote 33] Since September 2001, TSA has taken a number of actions to enhance cargo security, such as implementing a database of known shippers in October 2002. The database is the first phase in developing a cargo profiling system similar to the Computer-Assisted Passenger Prescreening System. However, in December 2002, we reported that additional operational and technological measures, such as checking the identity of individuals making cargo deliveries, have the potential to improve air cargo security in the near term.[Footnote 34] We further reported that TSA lacks a comprehensive plan with long-term goals and performance targets for cargo security, time frames for completing security improvements, and risk-based criteria for prioritizing actions to achieve those goals. Accordingly, we recommended that TSA develop a comprehensive plan for air cargo security that incorporates a risk management approach, includes a list of security priorities, and sets deadlines for completing actions. TSA agreed with this recommendation and expects to develop such a plan by the end of 2003. It will be important that this plan include a timetable for implementation to help ensure that vulnerabilities in this area are reduced. General Aviation Security: Since September 2001, TSA has taken limited action to improve general aviation security, leaving general aviation far more open and potentially vulnerable than commercial aviation. General aviation is vulnerable because general aviation pilots and passengers are not screened before takeoff and the contents of general aviation planes are not screened at any point. General aviation includes more than 200,000 privately owned airplanes, which are located in every state at more than 19,000 airports.[Footnote 35] More than 550 of these airports also provide commercial service. In the last 5 years, about 70 aircraft have been stolen from general aviation airports, indicating a potential weakness that could be exploited by terrorists. This vulnerability was demonstrated in January 2002, when a teenage flight student stole and crashed a single-engine airplane into a Tampa, Florida skyscraper. Moreover, general aviation aircraft could be used in other types of terrorist acts. It was reported that the September 11th hijackers researched the use of crop dusters to spread biological or chemical agents. We reported in September 2003 that TSA chartered a working group on general aviation within the existing Aviation Security Advisory Committee.[Footnote 36] The working group consists of industry stakeholders and is designed to identify and recommend actions to close potential security gaps in general aviation. On October 1, 2003, the working group issued a report that included a number of recommendations for general aviation airport operators' voluntary use in evaluating airports' security requirements. These recommendations are both broad in scope and generic in their application, with the intent that every general aviation airport and landing facility operators may use them to evaluate that facility's physical security, procedures, infrastructure, and resources. TSA is taking some additional action to strengthen security at general aviation airports, including developing a risk-based self-assessment tool for general aviation airports to use in identifying security concerns. We have ongoing work that is examining general aviation security in further detail. Aviation Security Funding: TSA faces two key funding and accountability challenges in securing the commercial aviation system: (1) paying for increased aviation security and (2) ensuring that these costs are controlled. The costs associated with the equipment and personnel needed to screen passengers and their baggage alone are huge. The Department of Homeland Security appropriation includes $3.7 billion for aviation security for fiscal year 2004, with about $1.8 billion for passenger screening and $1.3 billion for baggage screening. ATSA created a passenger security fee to pay for the costs of aviation security, but the fee has not generated enough money to do so. The Department of Transportation's Inspector General reported that the security fees are estimated to generate only about $1.7 billion during fiscal year 2004. A major funding challenge is paying for the purchase and installation of the remaining explosives detection systems, including integration into airport baggage-handling systems. Integrating the equipment with the baggage-handling systems is expected to be costly because it will require major facility modifications. For example, modifications needed to integrate the equipment at Boston's Logan International Airport are estimated to cost $146 million. Modifications for Dallas/Fort Worth International Airport are estimated to cost $193 million. According to TSA and the Department of Transportation's Inspector General, the cost of integrating the equipment nationwide could be $3 billion. A key question that must be addressed is how to pay for these installation costs. The Federal Aviation Administration's Airport Improvement Program (AIP) and passenger facility charges have been eligible sources for funding this work.[Footnote 37] During fiscal year 2002, AIP grant funds totaling $561 million were used for terminal modifications to enhance security. However, using these funds for security reduced the funding available for other airport development and rehabilitation projects. To provide financial assistance to airports for security-related capital investments, such as the installation of explosives detection equipment, proposed aviation reauthorization legislation would establish an aviation security capital fund that would authorize $2 billion over the next 4 years. The funding would be made available to airports in letters of intent, and large and medium hub airports would be expected to provide a match of 10 percent of a project's costs. A 5 percent match would be required for all other airports. In February 2003, we identified letters of intent as a funding option that has been successfully used to leverage private sources of funding.[Footnote 38] TSA has since signed letters of intent covering seven airports--Boston Logan, Dallas/Fort Worth, Denver, Los Angeles, McCarran (Las Vegas), Ontario (California), and Seattle/Tacoma international airports. Under the agreements, TSA will pay 75 percent of the cost of integrating the explosives detection equipment into the baggage-handling systems. The payments will stretch out over 3 to 4 years. TSA officials have identified more airports that would be candidates for similar agreements. Another challenge is ensuring continued investment in transportation research and development. For fiscal year 2003, TSA was appropriated about $110 million for research and development, of which $75 million was designated for the next-generation explosives detection systems. However, TSA proposed to reprogram $61.2 million of these funds to be used for other purposes, leaving about $12.7 million to be spent on research and development in that year. This proposed reprogramming could limit TSA's ability to sustain and strengthen aviation security by continuing to invest in research and development for more effective equipment to screen passengers, their carry-on and checked baggage, and cargo. In ongoing work, we are examining the nature and scope of research and development work by TSA and the Department of Homeland Security, including their strategy for accelerating the development of transportation security technologies. Human Capital Management: As it organizes itself to protect the nation's transportation system, TSA faces the challenge of strategically managing its workforce of about 60,000 people--more than 80 percent of whom are passenger and baggage screeners. Additionally, over the next several years, TSA faces the challenge of sizing and managing this workforce as efficiency is improved with new security-enhancing technologies, processes, and procedures. For example, as explosives detection systems are integrated with baggage-handling systems, the use of more labor-intensive screening methods, such as trace detection techniques and manual bag searches, can be reduced. Other planned security enhancements, such as CAPPS II and the registered traveler program, also have the potential to make screening more efficient. Further, if airports opt out of the federal screener program and use their own or contract employees to provide screening instead of TSA screeners, a significant impact on TSA staffing could occur. To assist agencies in managing their human capital more strategically, we have developed a model that identifies cornerstones and related critical success factors that agencies should apply and steps they can take.[Footnote 39] Our model is designed to help agency leaders effectively lead and manage their people and integrate human capital considerations into daily decision making and the program results they seek to achieve. In January 2003, we reported that TSA was addressing some critical human capital success factors by using a wide range of tools available for hiring, and beginning to link individual performance to organizational goals.[Footnote 40] However, concerns remain about the size and training of that workforce, the adequacy of the initial background checks for screeners, and TSA's progress in setting up a performance management system. TSA is currently developing a human capital strategy, which it expects to be completed by the end of this year. TSA has proposed cutting the screener workforce by an additional 3,000 during fiscal year 2004. This planned reduction has raised concerns about passenger delays at airports and has led TSA to begin hiring part-time screeners to make more flexible and efficient use of its workforce. In addition, TSA used an abbreviated background check process to hire and deploy enough screeners to meet ATSA's screening deadlines during 2002. After obtaining additional background information, TSA terminated the employment of some of these screeners. TSA reported 1,208 terminations as of May 31, 2003, that it ascribed to a variety of reasons, including criminal offenses and failures to pass alcohol and drug tests. Furthermore, the national media have reported allegations of operational and management control problems that emerged with the expansion of the Federal Air Marshal Service, including inadequate background checks and training, uneven scheduling, and inadequate policies and procedures. We reported in January 2003 that TSA had taken the initial steps in establishing a performance management system linked to organizational goals. Such a system will be critical for TSA to motivate and manage staff, ensure the quality of screeners' performance, and, ultimately, restore public confidence in air travel. In ongoing work, we are examining the effectiveness of TSA's efforts to train, equip, and supervise passenger screeners, and we are assessing the effects of expansion on the Federal Air Marshal Service.[Footnote 41] Concluding Observations: As TSA moves forward in addressing aviation security concerns, it needs the information and tools necessary to ensure that its efforts are appropriately focused, strategically sound, and achieving expected results. Without knowledge about the effectiveness of its programs and a process for prioritizing planned security initiatives, TSA and the public have little assurance regarding the level of security provided, and whether TSA is using its resources to maximize security benefits. Additionally, as TSA implements new security initiatives and addresses associated challenges, measuring program effectiveness and prioritizing efforts will help it focus on the areas of greatest importance. We are encouraged that TSA is undertaking efforts to develop the information and tools needed to measure its performance and focus its efforts on those areas of greatest need. Mr. Chairman, this concludes my statement. I would be pleased to answer any questions that you or other members of the Committee may have. Contact Information: For further information on this testimony, please contact Cathleen A. Berrick at (202) 512-8777. Individuals making key contributions to this testimony include Mike Bollinger, Lisa Brown, Jack Schulze, Maria Strudwick, and Susan Zimmerman. [End of section] Related GAO Products: Airport Passenger Screening: Preliminary Observations on Progress Made and Challenges Remaining. GAO-03-1173. Washington, D.C.: September 24, 2003. Aviation Security: Progress since September 11, 2001, and the Challenges Ahead. GAO-03-1150T. Washington, D.C.: September 9, 2003: Transportation Security: Federal Action Needed to Help Address Security Challenges. GAO-03-843. Washington, D.C.: June 30, 2003. Transportation Security: Post-September 11th Initiatives and Long-Term Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003. Aviation Security: Measures Needed to Improve Security of Pilot Certification Process. GAO-03-248NI. Washington, D.C.: February 3, 2003 (NOT FOR PUBLIC DISSEMINATION). Aviation Security: Vulnerabilities and Potential Improvements for the Air Cargo System. GAO-03-286NI. Washington, D.C.: December 20, 2002 (NOT FOR PUBLIC DISSEMINATION). Aviation Security: Vulnerabilities and Potential Improvements for the Air Cargo System. GAO-03-344. Washington, D.C.: December 20, 2002. Aviation Security: Vulnerability of Commercial Aviation to Attacks by Terrorists Using Dangerous Goods. GAO-03-30C. Washington, D.C.: December 3, 2002: Aviation Security: Registered Traveler Program Policy and Implementation Issues. GAO-03-253. Washington, D.C.: November 22, 2002. Aviation Security: Transportation Security Administration Faces Immediate and Long-Term Challenges. GAO-03-971T. Washington, D.C.: July 25, 2002. Aviation Security: Information Concerning the Arming of Commercial Pilots. GAO-02-822R. Washington, D.C.: June 28, 2002. Aviation Security: Deployment and Capabilities of Explosive Detection Equipment. GAO-02-713C. Washington, D.C.: June 20, 2002 (CLASSIFIED). Aviation Security: Information on Vulnerabilities in the Nation's Air Transportation System. GAO-01-1164T. Washington, D.C.: September 26, 2001 (NOT FOR PUBLIC DISSEMINATION). Aviation Security: Information on the Nation's Air Transportation System Vulnerabilities. GAO-01-1174T. Washington, D.C.: September 26, 2001 (NOT FOR PUBLIC DISSEMINATION). Aviation Security: Vulnerabilities in, and Alternatives for, Preboard Screening Security Operations. GAO-01-1171T. Washington, D.C.: September 25, 2001. Aviation Security: Weaknesses in Airport Security and Options for Assigning Screening Responsibilities. GAO-01-1165T. Washington, D.C.: September 21, 2001. Aviation Security: Terrorist Acts Demonstrate Urgent Need to Improve Security at the Nation's Airports. GAO-01-1162T. Washington, D.C.: September 20, 2001. Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation Security. GAO-01-1166T. Washington, D.C.: September 20, 2001. Responses of Federal Agencies and Airports We Surveyed about Access Security Improvements. GAO-01-1069R. Washington, D.C.: August 31, 2001. Responses of Federal Agencies and Airports We Surveyed about Access Security Improvements. GAO-01-1068R. Washington, D.C.: August 31, 2001 (RESTRICTED). FAA Computer Security: Recommendations to Address Continuing Weaknesses. GAO-01-171. Washington, D.C.: December 6, 2000. Aviation Security: Additional Controls Needed to Address Weaknesses in Carriage of Weapons Regulations. GAO/RCED-00-181. Washington, D.C.: September 29, 2000. FAA Computer Security: Actions Needed to Address Critical Weaknesses That Jeopardize Aviation Operations. GAO/T-AIMD-00-330. Washington, D.C.: September 27, 2000. FAA Computer Security: Concerns Remain due to Personnel and Other Continuing Weaknesses. GAO/AIMD-00-252. Washington, D.C.: August 16, 2000. Aviation Security: Long-Standing Problems Impair Airport Screeners' Performance. GAO/RCED-00-75. Washington, D.C.: June 28, 2000. Aviation Security: Screeners Continue to Have Serious Problems Detecting Dangerous Objects. GAO/RCED-00-159. Washington, D.C.: June 22, 2000 (NOT FOR PUBLIC DISSEMINATION). Security: Breaches at Federal Agencies and Airports. GAO-OSI-00-10. Washington, D.C.: May 25, 2000. Aviation Security: Screener Performance in Detecting Dangerous Objects during FAA Testing Is Not Adequate. GAO/T-RCED-00-143. Washington, D.C.: April 6, 2000 (NOT FOR PUBLIC DISSEMINATION). FOOTNOTES [1] P.L. 107-71. [2] A risk management approach is a systematic process to analyze threats, vulnerabilities, and the criticality (or relative importance) of assets to better support key decisions by linking resources with prioritized efforts. [3] CAPPS II is a system intended to perform a risk assessment of all airline passengers to identify those requiring additional security attention. [4] General aviation consists of all civil aircraft and excludes commercial and military aircraft. [5] P.L. No. 107-296. [6] An annual performance plan is to provide the direct linkage between the strategic goals outlined in the agencies' strategic plan and the day-to-day activities of managers and staff. Additionally, annual performance plans are to include performance goals for an agency's program activities as listed in the budget, a summary of the necessary resources that will be used to measure performance, and a discussion of how the performance information will be verified. An annual performance report is to review and discuss an agency's performance compared with the performance goals it established in its annual performance plan. [7] U.S. General Accounting Office, Airport Passenger Screening: Preliminary Observations on Progress Made and Challenges Remaining, GAO-03-1173 (Washington, D.C.: Sept. 24, 2003). [8] The original Computer Assisted Passenger Screening System is a stand-alone application residing in an air carrier's reservation system that analyzes certain behavioral patterns to score and calculate each passenger's need for additional screening. [9] Currently, the Office of Internal Affairs and Program Review has 7 team leaders assigned full-time to covert testing and plans to have a total of 14 full-time team leaders by the end of December 2003. The team leaders draw from the remaining staff within the office, such as auditors and analysts, to perform the testing. According to TSA officials, overall, 95 percent of the staff in the Office of Internal Affairs and Program Review participate in covert testing as a collateral responsibility. [10] TIP is designed to test screeners' detection capabilities by projecting threat images, including guns and explosives, into bags as they are screened. Screeners are responsible for positively identifying the threat image and calling for the bag to be searched. Once prompted, TIP identifies to the screener whether the threat is real and then records the screener's performance in a database that could be analyzed for performance trends. [11] Federal security directors oversee security at each of the nation's commercial airports. [12] The Performance Management Information System also contains metrics on human resources, sizing, checkpoint, feedback, and incidents. [13] ATSA requires TSA to implement a pilot program using contract screeners at five commercial airports--one in each of the five airport categories. The purpose of the pilot program is to determine the feasibility of using private screening companies rather than federal screeners. [14] According to the August 8, 2003, request for quotation for the evaluation of the contract screening pilot program, BearingPoint must include informed performance comparisons, both quantitative and qualitative, of private versus federal screeners overall and within different sizes and categories of airports. [15] Based on the time frames established in the request for quotation, BearingPoint, Inc. is required to develop a project plan and evaluation model no later than December 12, 2003. [16] TSA's request for proposal for the pilot program evaluation notes that there are a significant number of operational and managerial elements at the discretion of the private screening companies that should be considered in the evaluation, including supervision, overhead, materials, recruiting, and scheduling. [17] The Government Performance and Results Act of 1993 shifts the focus of government operations from process to results by establishing a foundation for examining agency mission, performance goals and objectives, and results. Under the Act, agencies are to prepare 5-year strategic plans that set the general direction for their efforts, and annual performance plans that establish connections between the long- term strategic goals outlined in the strategic plans and the day-to-day activities of managers and staff. Finally, the Act requires that each agency report annually on the extent to which it is meeting its annual performance goals and the actions needed to achieve or modify those goals that have not been met. [18] TSA is also developing a National Transportation Security System Plan, a draft of which is currently under review within TSA. TSA plans to promote consistent and mutually supporting intermodal planning in cooperation with administrators and in collaboration with key stakeholders from all modes of transportation. TSA designed the plan for use by agencies, owners, and operators of the transportation system to guide them as they develop their individual security plans. Accordingly, the National Transportation System Security Plan will include national modal plans to capture and tailor transportation security requirements for each mode of transportation, with particular emphasis on intermodal connections. Each modal plan will focus on security for people (workforce and passengers), cargo (baggage and shipments), infrastructure (vehicles, facilities, and right of ways), and response preparedness. [19] U.S. General Accounting Office, Transportation Security Administration: Actions and Plans to Build a Results-Oriented Culture, GAO-03-190 (Washington, D.C.: Jan. 17, 2003). [20] U.S. General Accounting Office, Homeland Security: A Risk Management Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.: Oct. 31, 2001); and GAO-03-344. [21] A vulnerability assessment using the TRAVEL tool requires the participation of TSA subject matter experts along with representatives from the transportation asset. Operations management, facilities management, security personnel, and law enforcement agents are examples of the individuals involved in analyzing each threat scenario and corresponding security system. [22] TSA's Maritime Self-Assessment Risk Module was developed in response to requirements outlined in the Maritime Transportation Security Act of 2002. The Act mandates that any facility or vessel that the Secretary believes might be involved in a transportation security incident will be subject to a vulnerability assessment and must submit a security plan to the United States Coast Guard by January 1, 2004. [23] Explosives detection systems use probing radiation to examine objects inside baggage and identify the characteristic signatures of threat explosives. EDS equipment operates in an automated mode. [24] Explosive trace detection works by detecting vapors and residues of explosives. Human operators collect samples by rubbing bags with swabs, which are chemically analyzed to identify any traces of explosive materials. [25] Positive passenger bag match is an alternative method of screening checked baggage, which requires that the passenger be on the same aircraft as the checked baggage. [26] In-line screening involves incorporating EDS machines into airport baggage handling systems to improve throughput of baggage and to streamline airport operations. [27] A letter of intent represents a nonbinding commitment from an agency to provide multiyear funding to an entity beyond the current authorization period. Thus, that letter allows an airport to proceed with a project without waiting for future federal funds because the airport and investors know that allowable costs are likely to be reimbursed. [28] U.S. General Accounting Office, Airport Finance: Past Funding Levels May Not Be Sufficient to Cover Airports' Planned Capital Development, GAO-03-497T (Washington, D.C.: Feb. 25, 2003). [29] The seven airports include Denver International Airport, Las Vegas McCarran International Airport, Los Angeles International Airport, Ontario International Airport, Seattle/Tacoma International Airport, Dallas/Fort Worth International Airport, and Boston Logan International Airport. The purpose is to help defray the costs of installing permanent explosive detection systems that are integrated with airports' checked baggage conveyor systems. [30] U.S. General Accounting Office, Security: Breaches at Federal Agencies and Airports, GAO\T-OSI-00-10 (Washington, D.C.: May 25, 2000). [31] U.S. General Accounting Office, Transportation Security: Federal Action Needed to Help Address Security Challenges, GAO-03-843 (Washington, D.C.: June 30, 2003). [32] Congressional Research Service, Air Cargo Security, September 11, 2003. [33] U.S. General Accounting Office, Aviation Security: Vulnerabilities and Potential Improvements for the Air Cargo System, GAO-03-344 (Washington, D.C.: Dec. 20, 2002). [34] See footnote 33. [35] Of the 19,000 general aviation airports, 5,400 are publicly owned. TSA is currently focusing its efforts on these publicly owned airports. TSA is still unclear about its role in inspecting privately owned general aviation airports. [36] U.S. General Accounting Office, Aviation Security: Progress since Septermber 11TH, and the Challenges Ahead, GAO-03-1150T (Washington, D.C.: September 9, 2003). [37] The Airport Improvement Program trust fund is used to fund capital improvements to airports, including some security enhancements, such as terminal modifications to accommodate explosive detection equipment. [38] U.S. General Accounting Office, Airport Financing: Past Funding Levels May Not Be Sufficient to Cover Airports' Planned Capital Development, GAO-03-497T (Washington, D.C.: Feb. 25, 2003). [39] U.S. General Accounting Office, A Model of Strategic Human Capital Management, GAO-02-373SP (Washington, D.C.: March 2002). [40] U.S. General Accounting Office, Transportation Security Administration: Actions and Plans to Build a Results-Oriented Culture, GAO-03-190 (Washington, D.C.: Jan. 13, 2003). [41] The Federal Air Marshal Service has been transferred out of TSA and into the Department of Homeland Security's Bureau of Immigration and Customs Enforcement.