This is the accessible text file for GAO report number GAO-04-838 
entitled 'Maritime Security: Substantial Work Remains to Translate New 
Planning Requirements into Effective Port Security' which was released 
on June 30, 2004.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters:

United States General Accounting Office:

June 2004:

Maritime Security:

Substantial Work Remains to Translate New Planning Requirements into 
Effective Port Security:

GAO-04-838:

GAO Highlights:

Highlights of GAO-04-838, a report to congressional requesters 

Why GAO Did This Study:

The Maritime Transportation Security Act of 2002, as implemented by the 
Coast Guard, calls for owners and operators of about 3,150 port 
facilities (such as shipping terminals or factories with hazardous 
materials) and about 9,200 vessels (such as cargo ships, ferries, and 
tugs and barges) to develop and implement security plans by July 1, 
2004. The Coast Guard intends to conduct on-site compliance inspections 
of all facilities by January 1, 2005, and all vessels by July 1, 2005, 
to ensure plans are adequately implemented. The Coast Guard estimated 
the act’s security improvements would cost $7.3 billion over 10 years—
most of it borne by facility and vessel owners and operators. GAO was 
asked to assess (1) the progress towards developing, reviewing, and 
approving plans by July 1, 2004, (2) the Coast Guard’s monitoring and 
oversight strategy for ensuring that plans are implemented, and (3) the 
accuracy of the Coast Guard’s cost estimate.

What GAO Found:

Owners and operators have made progress in developing security plans 
for their port facilities and vessels. However, the extent to which the 
Coast Guard will have reviewed and approved the approximately 12,300 
individual plans by July 1, 2004, varies considerably. About 5,900 
plans were being developed under an option allowing owners and 
operators to self-certify that they would develop and implement plans 
by July 1, using industry-developed, Coast Guard-approved standards and 
templates. These individual plans will not be reviewed before July 1 
unless owners or operators choose to submit them for review. The 
remaining 6,400 plans went through a review process established by the 
Coast Guard. Every plan required revisions, some of which were 
significant. As of June 2004—1 month before the deadline for 
implementation—more than half of the 6,400 plans were still in process. 
The Coast Guard took steps to speed up the process and to allow 
facilities and vessels to continue operating with less than full plan 
approval after July 1, as long as the Coast Guard was satisfied with 
their progress.

The Coast Guard’s strategy for monitoring and overseeing security plan 
implementation will face numerous challenges. Whether the Coast Guard 
will be able to conduct timely on-site compliance inspections of all 
facilities and vessels is uncertain because questions remain about 
whether the Coast Guard will have enough inspectors; a training program 
sufficient to overcome major differences in experience levels; and 
adequate guidance to help inspectors conduct thorough, consistent 
reviews. Another challenge is to ensure inspections reflect assessments 
of the normal course of business at facilities and aboard vessels.

The accuracy of the Coast Guard’s $7.3 billion estimate for 
implementing security improvements is likewise uncertain. The estimate, 
while a good-faith effort on the Coast Guard’s part, is based on 
limited data and on assumptions that are subject to error. The estimate 
should be viewed more as a rough indicator than a precise measure of 
costs.

Port facilities pose many security concerns, given their size, 
accessibility, and attractiveness as terrorist targets. Facilities like 
these must have a security plan in place by July 1, 2004. 

What GAO Recommends:

GAO recommends that the Coast Guard evaluate its initial compliance 
efforts and use them to strengthen the compliance process for its long-
term strategy. As part of this strategy, the Coast Guard should clearly 
define inspector qualifications and consider including unscheduled and 
unannounced inspections and covert testing. The Coast Guard agreed. 

www.gao.gov/cgi-bin/getrpt?GAO-04-838.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Margaret Wrightson at 
(415) 904-2200 or wrightsonm@gao.gov.

Contents:

Letter:

Results in Brief:

Background:

Extent of Coast Guard Review and Approval of Individual Plans Varies 
Widely:

Strategy for Monitoring and Oversight of Plan Implementation Faces 
Numerous Challenges:

Cost to Comply with MTSA Is Uncertain:

Conclusions:

Recommendation for Executive Action:

Agency Comments:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Required Security Plan Items:

Appendix III: Analysis of Coast Guard's Compliance Cost Estimates:

Estimates Required Assumptions about Many Important Components:

Many Assumptions Carry Limitations:

Limited Time to Estimate Costs Precluded More Extensive Data Collection 
and Analysis of Uncertainty:

Cost Estimate Spans Only 10 Years and Does Not Include All Costs:

Questions Remain about Adequacy of Public Comments to Validate Cost 
Estimate:

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Staff Acknowledgments:

Tables:

Table 1: Progress of Facility and Vessel Security Plan Review Under 
Option A as of June 2004:

Table 2: Port Stakeholders GAO Contacted at Port Locations Reviewed:

Table 3: Coast Guard Assumptions about Extent of Prior Security 
Preparation:

Figures:

Figure 1: Location of U.S. Ports:

Figure 2: Overview of the Two Options for Developing Security Plans:

Figure 3: Distribution of Individual Security Plans by Development 
Option:

Figure 4: Projection of Estimated Costs, 2012-2022:

Abbreviations:

AMSC: Area Maritime Security Committee:

ASP: Alternative Security Program:

IMO: International Maritime Organization:

ISPS: International Ship and Port Facility Security Code:

MARSEC: Maritime Security Condition System:

MTSA: Maritime Transportation Security Act:

SOLAS: International Convention for Safety of Life at Sea:

United States General Accounting Office:

Washington, DC 20548:

June 30, 2004:

The Honorable Don Young: 
Chairman, Committee on Transportation and Infrastructure: 
House of Representatives:

The Honorable Frank A. LoBiondo: 
Chairman, Subcommittee on Coast Guard and Maritime Transportation: 
Committee on Transportation and Infrastructure: 
House of Representatives:

Since the terrorist attacks of September 11, 2001, the nation's 361 
ports have increasingly been viewed as potential targets for future 
attacks for many reasons. For example, security experts remain 
concerned about the potential for using the maritime transportation 
system as a conduit for smuggling weapons of mass destruction or other 
dangerous materials into the country. Further, cargo and cruise ships 
present potentially desirable terrorist targets, given the potential 
for loss of life, ecological destruction, or disruption of commerce. 
And ports often are not only gateways for the movement of goods, but 
also industrial hubs and close to population centers, presenting 
additional opportunities for terrorists bent on urban destruction. 
Coordinating a security response for this myriad of potential targets 
is a daunting proposition, in part because so many different 
stakeholders are involved. These stakeholders include law enforcement 
and other government agencies at every level (federal, state, and 
local); vessel owners and operators; railroads; port authorities; 
factories and other businesses; and people who work in port areas or 
live nearby. Although perspectives may vary, the specter of further 
terrorist incidents has led to widespread agreement that port security 
should be strengthened--and soon.

The Maritime Transportation Security Act (MTSA)[Footnote 1] contains 
much of the federal government's approach to addressing these security 
vulnerabilities. Enacted in November 2002 and largely administered by 
the United States Coast Guard, an agency within the Department of 
Homeland Security, MTSA is designed, in part, to help protect the 
nation's ports and waterways from terrorist attacks through a wide 
range of security improvements. One of its central maritime 
transportation security provisions is a requirement that security plans 
be developed and implemented for specific facilities (such as 
factories, cargo terminals, and power plants); certain individual cargo 
and passenger vessels; and entire ports.[Footnote 2] The basic aim of 
such plans is to address potential vulnerabilities that could be 
exploited to kill people, cause environmental damage, or disrupt 
transportation systems and the economy, by developing measures to 
mitigate these vulnerabilities. The Coast Guard established regulations 
determining which facilities and vessels were to be covered by these 
security planning requirements[Footnote 3] and, consistent with MTSA, 
set a deadline of July 1, 2004, for facility and vessel owners and 
operators to operate under an approved or self-certified security plan. 
Further, the Coast Guard intends to conduct on-site compliance 
inspections of all facilities by January 1, 2005, and all vessels by 
July 1, 2005, to ensure that they have satisfactorily implemented their 
plans. This aggressive timeline for both developing and implementing 
security plans reflects the seriousness of the port security issue. 
However, the timeline also creates a substantial and immediate workload 
for the Coast Guard and for owners and operators who collectively must 
develop plans for thousands of facilities and vessels. The Coast Guard 
estimated that the security improvements imposed by these requirements 
would likely cost port stakeholders $7.3 billion over 10 years--most of 
it borne by facility and vessel owners and operators.[Footnote 4]

You asked us to examine the efforts of stakeholders and the Coast Guard 
in carrying out these security plan requirements. Our objectives were 
to assess (1) the progress made to develop, review, and approve 
facility and vessel security plans by July 1, 2004; (2) the Coast 
Guard's monitoring and oversight strategy for ensuring that facility 
and vessel security plans are implemented; and (3) the accuracy of the 
Coast Guard's estimates of costs for complying with MTSA security 
planning and implementation requirements.

To address the first two objectives, we analyzed Coast Guard documents 
and spoke with officials at Coast Guard headquarters with 
responsibilities for the security planning process. We also visited 
seven port areas around the country, choosing locations that reflected 
diversity in strategic importance, geographic location, and local 
characteristics.[Footnote 5] During our visits, we spoke with Coast 
Guard Captains of the Port;[Footnote 6] numerous local stakeholders in 
the private sector; and government officials at the local, state, and 
federal levels, to understand what progress had been made to develop 
and implement security plans. We visited Coast Guard officials and 
contractor staff responsible for reviewing and approving MTSA-required 
security plans and examined the review and approval process used by the 
Coast Guard to determine what internal controls were in place to 
monitor the consistency of the process and ensure compliance with 
pertinent MTSA requirements. Our work did not include reviewing ports 
outside the United States or any "foreign-flagged" vessels--vessels 
registered in countries other than the United States. To address the 
third objective, we interviewed Coast Guard staff in charge of creating 
estimates of compliance costs and performed economic simulations to 
examine the impact of changing the assumptions the Coast Guard used in 
making its estimates. We asked Coast Guard officials responsible for 
these cost estimates what steps they took to ensure the reliability of 
the underlying data on which the estimates were based. We also reviewed 
the public comments provided to the Coast Guard on its estimates. Our 
work, which was conducted from June 2003 through June 2004, was done in 
accordance with generally accepted government auditing standards.

Results in Brief:

Although owners and operators have made progress in developing security 
plans, the extent to which the Coast Guard will have reviewed and 
approved the approximately 12,300 individual facility or vessel plans 
by July 1, 2004, varies considerably. Owners and operators are 
developing about 5,900 plans under an option allowing them to self-
certify that the plans will be developed and implemented by July 1. In 
doing so, they are using standards and templates their trade 
association had developed and the Coast Guard had approved. Owners and 
operators who chose this option did not have to submit their plans for 
review and approval. The Coast Guard's first look at many of these 
plans will likely not come until after July 1, when inspectors begin 
compliance inspections to ensure that plans have been implemented. The 
remaining 6,400 plans, which were not developed through the self-
certification process, underwent a detailed review process for which 
the Coast Guard hired contractors with security experience. The 
contractors conducting much of the review found that all of these plans 
needed to be revised, some extensively, and the Coast Guard concurred 
with the contractors' findings. As of June 2004--1 month before the 
deadline--more than half of these plans were still in process. To 
speed up the process, the Coast Guard added more personnel and began 
working more directly with owners and operators. Nonetheless, many of 
these plans will not be approved by July 1. Under MTSA and Coast Guard 
regulations, facilities and vessels without approved plans would have 
to cease operations. However, MTSA and the regulations also allow the 
Coast Guard to grant permission to such facilities and vessels to 
continue operating for up to 1 year after the plans are submitted on 
the condition that they continue to make sufficient progress through 
the review process toward the approval of their plans. The Coast Guard 
is currently allowing such facilities and vessels to operate through 
October 31, 2004.

In late May 2004, the Coast Guard issued its strategy for ensuring that 
facility and vessel owners and operators implement the security 
activities identified in their plans. It is clear that this strategy 
will face several challenges, both in the short and longer term. One 
challenge is the sheer size of the immediate effort: between July and 
December 2004, the Coast Guard plans to conduct on-site inspections of 
every facility and as many vessels as possible to ensure that owners 
and operators are complying with the actions called for in their 
security plans. Inspectors will have to make decisions about whether 
owners and operators have identified all vulnerabilities and adequately 
addressed them. These decisions are complicated, in part because owners 
and operators have considerable choice in how to mitigate 
vulnerabilities and because the Coast Guard will be seeing many of 
these plans for the first time. Other challenges include ensuring that 
enough inspectors are available, training them adequately, and 
equipping them with useful guidance for making on-site inspection 
decisions. In the short term, these challenges are formidable, because 
the Coast Guard expects to handle the added July-December inspection 
load mainly by using reservists with widely varying degrees of training 
and experience. In the longer term, when the Coast Guard plans to 
conduct annual compliance inspections for the approximately 12,300 
facilities and vessels, it faces the challenge of ensuring that owners 
and operators continue implementing their plans. In this regard, our 
work has shown that there are options the Coast Guard could consider 
beyond regularly scheduled visits, such as unscheduled, unannounced 
visits and covert testing to help ensure owners and operators do not 
mask security problems in ways that do not represent the normal course 
of business.

The accuracy of the Coast Guard's $7.3 billion estimate of maritime 
industry costs for developing and implementing their security plans is 
uncertain. An estimate's accuracy is often tied to such factors as the 
complexity or straightforwardness of the issue, the quality of data and 
validity of assumptions, and the length of time available to conduct 
the work. The Coast Guard was heavily limited in all these factors. 
First, the issue was complex: for example, facilities and vessels are 
very diverse and they vary greatly in the degree to which they already 
have security measures in place. Second, to account for such 
differences, the Coast Guard was faced with having to develop many 
assumptions, and while the Coast Guard used government and industry 
expertise to help make these assumptions, it had limited data with 
which to work, and the potential margin for error was considerable. Our 
analysis found that changes in the Coast Guard's assumptions could 
raise or lower the estimate by more than $1 billion. Third, the Coast 
Guard had only a few months to develop the estimate. The Coast Guard 
vetted the estimate with stakeholders as a way of testing its 
reliability, but stakeholders were basically in no better position than 
the Coast Guard to generalize from their own specific situations. The 
Coast Guard appeared to make a good-faith effort to prepare an estimate 
and seek review of it from port stakeholders, but the limiting factors 
discussed here indicate the result can be viewed more as a rough 
indicator of costs, not a precise measure.

We recommend that the Coast Guard evaluate the compliance inspection 
efforts it takes during the initial 6-month period after July 1 and use 
the results as a means to strengthen its long-term strategy for 
ensuring compliance. As part of this strategy, the Coast Guard should 
clearly define inspector qualifications, link these qualifications to a 
certification process, and consider including unscheduled and 
unannounced inspections and covert testing. The Coast Guard reviewed 
our report and generally agreed with the facts and recommendation.

Background:

MTSA mandated major changes in the nation's approach to maritime 
security. The act called for a comprehensive security framework--one 
that included planning, personnel security, and careful monitoring of 
vessels and cargo. Among its specific provisions were the development 
of systems for tracking vessels, identifying maritime workers, and 
assessing foreign ports for security risks they posed for the United 
States. One of MTSA's central components is a systematic approach to 
strengthening security throughout the nation's port areas--a difficult 
task, given the tremendous size and variety of activities and user 
groups involved. Ports present attractive targets: they are sprawling, 
easily accessible by water and land, close to crowded metropolitan 
areas, and interwoven with complex transportation networks designed to 
move cargo and commerce as quickly as possible. They contain not only 
terminals where goods bound for import or export are unloaded or loaded 
onto vessels, but also other facilities critical to the nation's 
economy, such as refineries, factories, and power plants.

Facilities and vessels can be vulnerable on many security-related 
fronts. Facilities such as container terminals, where containers are 
transferred between ships and railroad cars or trucks, must be able to 
screen vehicles entering the facility and routinely check cargo for 
evidence of tampering. Chemical factories and other installations where 
hazardous materials are present must be able to control access to areas 
containing dangerous goods or hazardous substances. Vessels, ranging 
from oil tankers and freighters to tugboats and passenger ferries, must 
be able to restrict access to areas on board the vessel such as the 
bridge or other control stations critical to the vessel's operation. To 
reduce the opportunity for terrorists to exploit these vulnerabilities, 
as well as to help minimize the effects of accidents or natural 
disasters, facilities and vessels need to take mitigation steps. For 
example, fences, security guards, and monitoring cameras can all be 
used to reduce the potential for unauthorized entry and help prevent 
vulnerabilities from being exploited.

Dealing with such vulnerabilities involves a careful balance between 
the benefits of added security and the potential economic impacts of 
security enhancements. While there is broad support for greater 
security, this task is a difficult one because the nation relies 
heavily on a free and expeditious flow of goods. Particularly with 
"just in time" deliveries, which require a smooth and expeditious flow 
through the transportation system, delays or disruptions in the supply 
chain could have serious economic impacts. Striking the right balance 
between increasing security and protecting economic vitality of the 
national economy and individual port stakeholders will remain an 
important and difficult task. It is also important to keep in mind that 
total security cannot be bought no matter how much is spent on it. It 
is difficult if not impossible to successfully anticipate and thwart 
all types of potential terrorist threats that highly motivated, well 
skilled, and adequately funded terrorist groups could devise.

In this environment, MTSA required owners and operators of facilities 
and vessels to conduct assessments that would identify their security 
vulnerabilities and to develop security plans to mitigate these 
vulnerabilities. Under the Coast Guard's implementing regulations, 
these plans are to include such items as measures for access control, 
responses to security threats, and drills and exercises to train staff 
and test the plan.[Footnote 7] The plans are "performance-based," 
meaning that the security outcomes were specified, but the stakeholders 
were free to identify and implement whatever measures they desired as 
long as these measures achieved the specified outcomes. MTSA tasked the 
Secretary of the Department of Homeland Security with responsibility 
for reviewing, approving, and overseeing the implementation of these 
plans, and the Secretary delegated this task to the Coast Guard.

MTSA imposed a specific date, July 1, 2004, for facilities and vessels 
to begin operating in compliance with the plans. The Coast Guard 
decided to adopt a schedule that would align the United States with 
ongoing international improvements in maritime security as well as the 
act. In December 2002, members of the International Maritime 
Organization (IMO) adopted the International Ship and Port Facility 
Security (ISPS) Code, an international agreement that called for 
security plans to be in place by July 1, 2004.[Footnote 8] The Coast 
Guard had to decide which facilities and vessels were subject to MTSA's 
requirements and develop an approach for reviewing and approving the 
plans. The categories of facilities and vessels were specified in 
implementing regulations, issued in final form on October 22, 
2003.[Footnote 9] Overall, approximately 3,150 facilities and 9,200 
vessels operating in more than 300 ports around the nation were 
required to comply with these requirements. The ports included not only 
those on the Atlantic, Gulf, and Pacific coasts, but also ports in the 
Great Lakes and various inland waterways like the Mississippi and Ohio 
rivers. (See fig. 1.)

Figure 1: Location of U.S. Ports:

The key dates in the process established by the Coast Guard included 
the following:

* By December 31, 2003, those facilities and vessels subject to MTSA's 
security plan requirements had to submit security plans to the Coast 
Guard for review or self-certify that their plans would be developed 
and implemented by July 1.

* By July 1, 2004, the Coast Guard intends to complete its review and 
approval of the security plan materials from all facilities and 
vessels. On that date, facilities and vessels are to have their 
security plans implemented.

* By January 1, 2005, the Coast Guard intends to conduct on-site 
inspections of each facility subject to the security plan requirements, 
along with as many vessels as possible, to ensure that the steps called 
for in the security plan are actually in place.[Footnote 10]

* By July 1, 2005, the Coast Guard intends to complete the remaining 
on-site compliance inspections for vessels it is not able to inspect by 
January 1, 2005.

The Coast Guard took a number of steps to help stakeholders understand 
and comply with requirements. The Coast Guard issued updated guidance 
and established a "help desk" to provide stakeholders with a single 
point of contact, both through the Internet and over the telephone. At 
the local level, Coast Guard marine safety offices[Footnote 11] at the 
ports provided stakeholders operating within their ports additional 
information and assistance through forums, training sessions, e-mails, 
letters, and telephone calls. The Coast Guard also hired two 
contractors[Footnote 12] to provide expertise in reviewing the facility 
and vessel security plans.

In issuing the final rules, the Coast Guard also developed an estimate 
of the cost to implement MTSA's port security provisions. The Coast 
Guard estimated that implementing the various port and vessel security 
provisions, including the security plans, would cost $7.3 billion over 
10 years.[Footnote 13] In fiscal years 2002-2004, the federal 
government awarded $516 million in grant funds for improvements in port 
security; in fiscal year 2005, the Department of Homeland Security 
expects another $50 million to be made available through federal grants 
to implement security improvements identified in the plans. However, 
the bulk of the cost burden is likely to be borne by facility and 
vessel owners and operators.

Extent of Coast Guard Review and Approval of Individual Plans Varies 
Widely:

While the Coast Guard expects owners and operators to implement the 
approximately 12,300 facility and vessel plans by July 1, 2004, the 
extent to which it will have reviewed and approved these plans varies widely, 
for two main reasons. First, about 5,900 of these plans were developed 
under an option that essentially deferred Coast Guard review of 
individual plans until after July 1. Under this option, owners and 
operators self-certified that their plans would be based on industry-
developed, Coast Guard-approved standards and templates. Owners and 
operators choosing this option did not have to submit their plans for 
review. Second, while the remaining 6,400 plans did undergo detailed 
review, all of them had deficiencies, and many are not likely to be 
corrected and fully approved by July 1. Under MTSA and Coast Guard 
regulations, facilities and vessels without fully approved plans would 
have to cease operations on July 1. However, the Coast Guard has put 
procedures in place to allow such facilities and vessels to continue 
operating after the deadline, provided certain conditions are met.

Two Options for Developing Security Plans Varied in Key Respects:

The Coast Guard established two options, referred to in this report as 
options A and B, which owners and operators could follow in developing 
their plans. (See fig. 2.) These options differed in the documents that 
had to be supplied to the Coast Guard and the extent of review that 
would be applied to individual plans by July 1.

* Option A: Owners or operators who chose this option had to develop 
their own security plans according to the requirements in the final 
rules and submit them to the Coast Guard for review by December 31, 
2003. These plans were then subject to detailed review by the Coast 
Guard and its contractors.

* Option B: Owners or operators who were members of certain industry 
groups could choose this option to develop plans by using Coast 
Guard-approved security programs established by their industry groups, such 
as an association of chemical manufacturers or passenger vessel 
operators. To accommodate widespread interest from owners and operators 
in being able to use such standards to meet MTSA requirements, the 
Coast Guard allowed trade organizations to submit security standards, 
including templates[Footnote 14] for developing security plans, for 
consideration as "alternative security programs" (ASP). The Coast Guard 
then reviewed each organization's application and approved those it 
determined would provide an equivalent level of security to the 
standards being applied under option A at all threat levels within the 
nation's Maritime Security Condition System. Members of the industry or 
trade association then self-certified to the Coast Guard that they were 
using the standards and templates to develop security plans for their 
facilities or vessels.

Figure 2: Overview of the Two Options for Developing Security Plans:

These two options both involved review by the Coast Guard, but there 
was considerable difference in what was being reviewed before the start 
of the compliance phase on July 1, 2004. Under option A, the Coast 
Guard and its contractors would review the individual plans themselves; 
under option B, Coast Guard review would center on the organization's 
standards and templates and would not extend to the individual 
plans.[Footnote 15] These reviews were not the same, in that industry 
standards and templates are a framework for developing a plan, but are 
not analogous to individual vessel or facility security plans. To adapt 
the standards and templates to specific facilities and vessels, owners 
and operators still need to do considerable work.

Coast Guard records indicate that 90 percent of facilities and vessels 
met the December 31, 2003, deadline for complying with one of the two 
options. Most owners and operators who did not meet the December 31 
deadline subsequently complied. However, the Coast Guard issued notices 
of violation with a $10,000 penalty assessment against owners or 
operators of 67 facilities and 90 vessels who had not responded by 
February 1. Eight of these owners or operators received a subsequent 
$25,000 penalty assessment for not responding by March 1.

Nearly Half of All Plans Will Be Developed under the Option with No 
Review of Individual Plans:

In all, plans for 5,923 facilities or vessels are being prepared under 
option B. Of these, 234 were facilities and 5,689 were vessels. The 
Coast Guard granted approval to standards and templates submitted by 
nine trade organizations, most of them vessel-related,[Footnote 16] and 
the plans being developed under this option reflect the larger number 
of vessel-related groups. Overall, about 7 percent of facility plans 
are being developed under this option, compared with 62 percent of all 
vessel plans. (See fig. 3.)

Figure 3: Distribution of Individual Security Plans by Development 
Option:

[See PDF for image]

[End of figure]

The extensive use of option B meant that nearly half of the individual 
plans were not directly reviewed by the Coast Guard before they were to 
be implemented on July 1, 2004. Users of option B had to send the Coast 
Guard a letter stating which alternative security program they planned 
to use. The Coast Guard was to check to ensure that the owners or 
operators were members of the organization that developed the program. 
Inasmuch as option B reduced the number of individual plans to be 
reviewed, it lessened the Coast Guard's review workload. However, 
option B also had the effect of deferring review of these individual 
plans into the next phase of the process--the on-site compliance 
inspections to be conducted starting July 1. For these facilities and 
vessels, the Coast Guard's first look at the plans will occur when 
inspectors arrive to ensure that the plans have been 
implemented.[Footnote 17]

All Plans Undergoing Individual Review Had Deficiencies that Affected 
Final Approval:

For plans submitted under option A, the Coast Guard established a 
comprehensive review and approval process that relies on contractors 
with security planning expertise to review and evaluate the plans. 
Plans move through a two- or three-stage process, depending on whether 
they are for vessels or facilities. In stage I, at least two contract 
personnel independently reviewed the plans to ensure they contain 
material covering all required items such as measures for access 
control, responses to security threats, and drills and exercises to 
train staff and test the plan. Plans passing this stage move to stage 
II, where comprehensive assessments are conducted as to whether the 
plans address all of MTSA's requirements. Vessel plans are approved 
once the Coast Guard determines they have passed this stage II review. 
Facility plans continue on to a stage III review, in which the local 
Coast Guard marine safety office verifies the information in the 
security assessment against the facility's physical characteristics and 
determines whether the plan is adequate to meet security needs. This 
last stage may include an on-site visit, but if conducted, this 
verification review is not the same as the post-July 1 compliance 
inspection for determining whether the facility has implemented the 
plan. Facility plans are approved once the Coast Guard determines they 
have passed this stage III review.

This review and approval process flagged problems. Every one of the 
more than 6,400 facility and vessel plans submitted under this option 
had deficiencies that needed to be revised before the plan could be 
approved. As table 1 shows, of the 2,913 facility plans and 3,505 
vessel plans submitted under option A, more than half were still 
undergoing the detailed review as of June 2004. Most of these plans 
still in review were facility security plans.

Table 1: Progress of Facility and Vessel Security Plan Review Under 
Option A as of June 2004:

Facility security plans; 
Stage I: 80; 
Stage II: 1,637; 
Stage III: 1,076; 
Approved: 120; 
Totals: 2,913.

Vessel security plans; 
Stage I: 23; 
Stage II: 750; 
Stage III: [A]; 
Approved: 2,732; 
Totals: 3,505. 

Source: GAO presentation of Coast Guard data.

Note: Facility security plan numbers are as of June 14, 2004; vessel 
security plan numbers are as of June 4, 2004.

[A] Vessel security plans are approved once the Coast Guard determines 
they have passed stage II.

[End of table]

The problems identified through this process resulted from a variety of 
deficiencies in the plans developed under option A. The most common 
deficiency identified for both facility and vessel plans during stage 
I, according to the Coast Guard, was the failure to address or 
inadequately address all of the required security plan sections 
specified in regulations. For example, some owners and operators simply 
restated the text in the regulations or excluded some plan elements 
such as the security assessment. Common stage II deficiencies for 
facility plans included providing insufficient detail describing steps 
to be taken for elevated MARSEC threat levels or security measures to 
be put in place for control of access to the facility. For vessel 
security plans, common deficiencies identified at this level were 
inadequate descriptions of the steps for conducting security drills and 
exercises, insufficient measures for controlling access, or inadequate 
descriptions of the qualifications and responsibilities of those in 
charge of security programs.

Resolving such deficiencies has kept many plans at stage II of the 
review. After reviewing the contractor's findings, the Coast Guard 
notified the owner or operator about the deficiencies and any deadline 
for submitting revisions.[Footnote 18] While owners and operators could 
correct some deficiencies easily, such as adding a missing telephone 
number or name of a security officer, other corrections required more 
work, such as providing more detail about access control procedures or 
measures. Plans could not proceed to the next stage until the Coast 
Guard was satisfied they were complete--a process that has sometimes 
required repeated revision. Correcting these deficiencies has taken 
longer than the Coast Guard anticipated.[Footnote 19]

Process Exists to Allow Facilities and Vessels with Unapproved Plans to 
Continue Operating:

Under MTSA and Coast Guard regulations, facilities and vessels can be 
shut down if they have not complied with the requirements called for 
under options A or B by July 1, 2004. Facilities and vessels with plans 
still in revision under option A could thus face closure. To speed up 
the overall process, the Coast Guard adopted a strategy called 
"compliance through engagement." Instead of sending deficiency letters, 
the Coast Guard began calling owners and operators directly to review 
deficiencies, explain regulatory requirements, and answer questions. 
The Coast Guard also advised Captains of the Port to encourage facility 
owners or operators still in stage I to make needed revisions so the 
plan could pass to stage II. Staffing was also increased at the center 
reviewing facility security plans to help speed review.[Footnote 20] 
According to the Coast Guard, this strategy significantly improved 
turnaround time for receiving revised plans from owners and operators.

Anticipating that plans for some facilities and vessels would still be 
in process on July 1, the Coast Guard also took steps to allow most of 
them to continue operating as allowed by MTSA and the 
regulations.[Footnote 21] The steps vary depending on whether the plan 
covers a facility or vessel and how far along it is in the process.

* Facilities that have received an initial stage II review can receive 
interim approval of their plan through October 31, 2004, pending final 
approval of the security plan. Rather than waiting to conduct on-site 
verification reviews until plans move to stage III, the Coast Guard 
advised Captains of the Port to have their inspectors begin visiting 
all facilities that had received a stage II review, regardless of 
whether the facility had revised the deficiencies identified through 
the review. During these visits, Coast Guard personnel are to verify 
that (1) the plan accurately reflects the facility and its operations, 
(2) the proposed security measures are realistic, and (3) deficiencies 
will either be addressed by July 1 or satisfactory interim measures 
will be in place. If these conditions are met and the changes to the 
plan are administrative in nature, the Coast Guard may issue interim 
approval allowing continued operations.

* Vessels that have received an initial stage II review can receive 
similar interim approval of their plans through October 31, 2004. The 
Coast Guard Marine Safety Center reviewing vessel plans can issue such 
approvals provided they are satisfied that the plans are sufficiently 
complete and any needed changes are administrative in nature.[Footnote 
22]

* Facilities and vessels that are not far enough along to receive 
interim approval of their plans--for example, still making substantial 
revisions to their plans--can also receive permission to continue 
operations. The process is much the same as that described earlier for 
interim approval. For facilities, after an on-site visit the Captain of 
the Port may issue a letter to the owner or operator, identifying the 
areas of the plan requiring significant revision and allowing the 
facility to continue operations through October 31, on the condition 
that temporary security measures are implemented while the security 
plan continues to be reviewed. For vessels, the Marine Safety Center 
reviewing the plans may similarly issue a letter authorizing a vessel 
to continue operating, as long as conditions specified in the letter 
are met while review of the plan continues.

* These approaches do not extend to facilities or vessels that have not 
completed stage I of the review process. The Coast Guard will not allow 
those facilities and vessels to operate after June 30, 2004. Thus, 
owners or operators who have not submitted a complete facility plan for 
Coast Guard review are to be shut down. According to the Coast Guard, 
MTSA provides the Coast Guard with the necessary legal authority to 
shut down any facilities or vessels in this situation, if 
necessary.[Footnote 23]

Strategy for Monitoring and Oversight of Plan Implementation Faces 
Numerous Challenges:

In late May 2004, the Coast Guard issued its strategy for monitoring 
and overseeing the implementation of security plans after July 
1.[Footnote 24] It is clear that this strategy faces a number of 
challenges both in the short and longer term. The first challenge is 
the amount of work required to conduct the initial review of compliance 
inspections. Between July and December, the Coast Guard plans to 
inspect every one of the 3,147 facilities and as many of the 9,194 
vessels as possible to ensure that owners and operators are complying 
with the actions called for in their security plans.[Footnote 25] These 
inspections will need to determine whether vessel and facility 
operators have identified all vulnerabilities and adequately addressed 
them--a task made more difficult by the fact that most of the 5,923 
plans developed under option B will not have received detailed review. 
Other challenges facing the Coast Guard include ensuring that enough 
inspectors are available, training them appropriately, and equipping 
them with sufficient guidance to make difficult judgments about whether 
owners and operators have taken adequate steps to address 
vulnerabilities. The Coast Guard's attention has been understandably 
focused on how to meet these challenges in the immediate "surge" of 
monitoring activity between July and December.[Footnote 26] However, in 
the longer term, when the Coast Guard plans to conduct annual 
compliance inspections for the more than 12,300 facilities and vessels, 
it faces the challenge of developing a strategy to ensure that owners 
and operators continue implementing their plans.

Workload for Compliance Inspections Is Substantial, Potential Exists 
for Finding More Vulnerabilities, and Assessing the Adequacy of 
Security Preparation Is Difficult:

The initial volume of compliance inspections to be done is large and 
time is limited. The Coast Guard expects to complete the first round of 
on-site inspections of all 3,147 facilities, as well as the inspection 
of as many vessels as possible, by January 1, 2005. During these 
compliance inspections, inspectors are to assess the steps that each 
port stakeholder has taken to put a security plan into place, such as 
the extent to which access controls like fences, guards, gates, and 
cameras are in place, or the extent to which the security drills 
written in the plan are actually being conducted.[Footnote 27] Since 
most of the 5,923 plans developed under option B were not reviewed by 
the Coast Guard or its contractors, inspectors will also have to 
consider not only whether these plans have been implemented but also 
whether they adequately identify relevant vulnerabilities and specify 
sufficient steps to address them.

One reason for caution with regard to the adequacy of option B plans is 
that there are indications that some owners and operators using option 
B may not be fully aware of what they have to do to develop sufficient 
plans, or, if they are aware of it, may be slow in complying. For 
example:

* According to the Coast Guard's MTSA security plan program manager, 
the agency's interactions with option B users showed that some of them 
erroneously believed that membership in an industry or trade 
organization with approved standards and templates satisfied their 
obligation to implement a security plan.

* In some cases, the use of option B appeared to be a way of postponing 
the completion of a security plan. For example, after being advised by 
the Coast Guard that he missed the deadline for submitting a security 
plan, one stakeholder joined an industry organization for the sole 
purpose of using option B to avoid having to immediately write a 
security plan. Another vessel operator we visited 2 weeks before the 
deadline to submit security plans said he was using option B as a means 
to gain an extra 6 months to complete the security plan.

Even among plans developed and reviewed under option A, there are 
indications that the inspections may reveal additional vulnerabilities 
or, for cost reasons, the disparity between actions prescribed in the 
plans and actions actually implemented. For example:

* An official at a major port told us that more security 
vulnerabilities were known than were included in the facility security 
plan; these vulnerabilities were not included because money was not 
available to address them. This port official said the port would await 
the Coast Guard's review to see if the Coast Guard would identify any 
of these vulnerabilities and require mitigating actions.

* Several owners and operators of facilities and vessels also told us 
that funding was a major challenge. Although they did not indicate that 
they omitted vulnerabilities from their plans, these owners and 
operators told us that it would be difficult to obtain the financial 
resources to fully mitigate their known vulnerabilities.

Compliance inspections will also be challenging because they involve 
subjective evaluations about the adequacy of security measures. The 
facility and vessel plans created by port stakeholders are 
performance-based, meaning the Coast Guard has specified the outcomes 
it is seeking to achieve and has given port stakeholders responsibility for 
identifying and delivering the measures needed to achieve these 
outcomes. While this approach provides flexibility to owners and 
operators in designing and implementing their plans, it also places a 
premium on the skills and experience of inspectors to identify 
deficiencies and recommend corrective action. For example, inspectors 
will have to determine if the security measures outlined in the 
approved security plan adequately address the security vulnerabilities 
identified in the security assessment, which the Coast Guard regards as 
by far the most difficult step in the compliance inspection process.

Whether Sufficient Inspection Personnel Will Be Available Is Not Clear:

Another challenge the Coast Guard faces is ensuring that it has enough 
qualified inspectors to complete all the inspections required during 
the surge period. The Coast Guard estimated the need for and then 
allocated an additional 282 positions, or "billets," to local marine 
safety offices to supplement existing inspectors during this period. 
The Coast Guard did not have a great deal of workload data to use in 
making this estimate; as we have pointed out in other reports, the 
agency does not have a system in place for determining how much time 
its personnel are spending on specific duties.[Footnote 28] The Coast 
Guard told us that it made its determination of how many additional 
positions would be needed by using working groups, expert panels, 
available data, and information about resources in port security 
missions since the September 11, 2001, terrorist attacks.[Footnote 29] 
While the Coast Guard thus had some basis for determining how many more 
staff it should assign to complete the work on time, the approach stops 
well short of providing demonstrable evidence of its validity. The 
Coast Guard based its projection in part on past experiences with 
environmental and safety inspections, but whether those types of 
inspections are analogous is unclear. Further, the Coast Guard could 
not provide documentation of the approach it used, limiting its ability 
to assess the adequacy of its decision.

The Coast Guard also faces challenges in ensuring that it has the right 
mix of skills and experience among these additional personnel. The 
Coast Guard's staffing estimate does not specify what rank or type of 
personnel are required to complete the surge inspections. According to 
Coast Guard documents, none of the job functions for the additional 282 
personnel working on compliance inspections have been detailed. 
Further, of the additional 282 positions, about 75 percent are 
reservists who are scheduled to be available for only a limited time. 
Most are scheduled for deactivation in October 2004--in the middle of 
the surge period--though the Coast Guard has the ability to extend 
their tour of duty. All of these challenges--the uncertainty of the 
estimate, the lack of specificity about what personnel are needed, and 
the reliance on personnel who may become unavailable--increase the 
overall challenge of ensuring that the first round of compliance 
inspections is effective, especially given the subjective evaluations 
that are required.

Training Will Need to Overcome Disparity in Skills and Experience among 
Inspectors:

The skills and prior inspection experience of the reservists who will 
be assigned to supplement existing inspectors vary widely. Some have 
graduate degrees in security management, while others have no formal 
security training or prior experience. For example, in New Orleans, 1 
of 7 reservists assigned to support local inspectors had previous 
inspection experience, while in New York, at least 9 out of 19 
reservists assigned to this task had previous inspection experience. 
The disparity in experience levels raises the possibility that 
personnel with little inspection experience will be less able or 
equipped to identify deficiencies or assess the adequacy of security 
efforts. This has implications for creating variation in the 
rigorousness with which inspections are conducted from location to 
location and port to port.

The Coast Guard has acknowledged this disparity and is taking steps to 
address it, but these steps still carry challenges:

* The Coast Guard developed required training for all staff who would 
be conducting port security compliance inspections. This training 
lasted for 5 days and consisted of computer-based instruction, 
classroom training from security experts, and other 
coursework.[Footnote 30] It could be completed either by attending 
program sessions at various locations or through tutoring from other 
staff who had attended the training. As of mid-June, the Coast Guard 
reported that more than 500 persons had completed this training. 
Whether this training will be sufficient to overcome the skill and 
experience disparities among inspection staff remains uncertain, 
particularly since some inexperienced staff may receive the training 
second-hand. Coast Guard officials said that one reservist with little 
experience might be sent to the training, while another with similar 
experience might be taught by a fellow reservist who attended. Thus, a 
challenge the Coast Guard faces is to discern the extent to which each 
inspector has mastery of the subject matter.

* To emphasize on-the-job-training and to try to improve the 
consistency during the compliance inspection process, the Coast Guard 
plans to pair inspectors with little previous experience with more 
experienced inspectors. This will be especially critical when reviewing 
the 234 facilities and 5,689 vessels using option B plans, since those 
plans did not undergo a detailed review. However, the time that 
reservists will need for such on-the-job experience before they can 
contribute to the inspection process is unknown and could affect the 
quality of the inspections and the Coast Guard's ability to complete 
all of the inspections during this surge period.

Developing Inspection Guidance for a Performance-Based Inspection 
Process Is Difficult:

A concern consistently raised by stakeholders is that if enforcement of 
the security requirements varies from port to port, there will not be a 
uniform standard of security across the nation. This inconsistency has 
two main effects: First, it may create the potential for disparities in 
stakeholder compliance and gaps in security. Second, aside from the 
potential implications on security, stakeholders operating in a port 
where enforcement is more rigorous could be put at a competitive 
disadvantage, in that they may have to spend more money implementing 
security measures than required of similar stakeholders in other 
locations. Stakeholders are concerned that such disparities could 
affect competitiveness among companies in the same industry or, on a 
broad level, competition among ports themselves.

The Coast Guard is aware of this issue, and its preparations include 
ways to make the security inspection process more uniform. In addition 
to the training program, the Coast Guard issued an inspection guide 
that all inspectors will use during on-site inspections.[Footnote 31] 
The primary tool in the guide is a checklist that inspectors can use as 
a "roadmap" to ensure that all areas of the security plans are covered 
when inspecting a facility or vessel. The guide also provides 
inspectors with scalable recommended penalty measures to consider, 
given the severity and nature of the deficiencies found during an 
inspection.

While a compliance guide is likely to provide some assistance to the 
inspector, a key challenge to its usefulness during this surge 
inspection period is the performance-based nature of the evaluation, 
which makes it difficult to cover all the circumstances an inspector 
may encounter. Inspectors will not check for compliance with a specific 
procedure; instead, they will have to make a judgment about whether the 
steps the owner or operator has taken, considered together, provide 
adequate security. Although the security plans are required to contain 
similar elements, they do not have to be identical, nor do they need to 
address security vulnerabilities using the same mitigations. Facilities 
and vessels may have different--yet reasonable--methods for 
addressing the same vulnerability. This subjective nature of the 
evaluation process has raised concerns among port stakeholders. Given 
their experience with existing Coast Guard safety and environmental 
inspection programs, several local port stakeholders we spoke with said 
they did not think the Coast Guard had been consistent in its 
administration of regulations across inspectors and offices. These port 
stakeholders said they did not think the same standards had been 
applied to other, similar operations as were applied to their own 
organization. We did not assess the validity of these concerns, but the 
Coast Guard regards this issue as the greatest implementation challenge 
the agency faces.

Lessons Learned during Surge Period Should Help in the Development of 
Strategy for Longer-Term Monitoring and Oversight Responsibilities:

While the Coast Guard is understandably focused on the initial surge 
period for compliance inspections, it will soon need to decide how to 
staff and conduct inspections on a longer-term basis. Accordingly, what 
Coast Guard officials learn during the surge phase should help them 
determine how to staff and conduct effective compliance inspections. 
Many of the elements of this longer-term strategy will likely have to 
deal with the same basic challenges faced during the surge period: 
ensuring that enough personnel are available, training them well, and 
equipping them with necessary guidance. These challenges will be 
particularly important to overcome considering the frequency with which 
Coast Guard personnel rotate to new positions within the Coast 
Guard.[Footnote 32] Port stakeholders told us that the discontinuity 
caused by these rotations creates gaps in expertise among personnel, 
which ultimately leads to inconsistent application of the regulations. 
According to Coast Guard officials, becoming a fully proficient 
inspector takes time, and when inspectors do become proficient they 
often face reassignment.

To address MTSA requirements and coordinate with its other annual 
inspections, the Coast Guard plans to conduct security plan compliance 
inspections annually for each of the more than 12,300 facilities and 
vessels. MTSA requires that facility and vessel owners and operators 
update and resubmit their security plans to the Coast Guard every 5 
years or whenever a substantial change is made to their facility or 
vessel. As another component of its longer-term compliance strategy, 
the Coast Guard stated in its recently issued guidance that Captains of 
the Port may verify continued compliance with the security plans at any 
time through intervening inspections between the required annual 
inspections. This critical responsibility of providing effective 
national maritime security through monitoring and oversight emphasizes 
the importance of a sound longer-term strategy.

While the strategy has yet to be implemented, it is important that 
challenges be overcome in order to help ensure detection of 
noncompliance with MTSA requirements. As the Coast Guard continues to 
enhance its strategy, there are other options it can consider besides 
regularly scheduled annual compliance inspections and the intervening 
inspections. For example, our work assessing other areas such as 
airport security and regulatory compliance[Footnote 33] has identified 
approaches for ensuring compliance and improving and strengthening 
security such as unscheduled and unannounced inspections, on weekends 
or after normal working hours,[Footnote 34] and covert 
testing.[Footnote 35] In fact, Coast Guard officials responsible for 
facility and vessel inspections indicated that unscheduled inspections 
would be a positive component of a longer-term strategy because 
informing owners or operators of annual inspections can allow them to 
mask security problems by preparing for inspections in ways that do not 
represent the normal course of business.

Cost to Comply with MTSA Is Uncertain:

Although the Coast Guard made a good-faith effort in preparing its 
estimate of $7.3 billion for maritime industry compliance with MTSA 
security-related requirements, the estimate needs to be viewed with 
some caution, because (1) the Coast Guard had to assume values for a 
number of cost factors for which there was incomplete data and (2) it 
had limited time to prepare the estimate. The Coast Guard was unable to 
gather further information to ensure the accuracy of these values or to 
determine how other values for these same factors would affect cost.

The $7.3 billion estimate covers a 10-year period of time (2003-2012) 
and more than 90 percent of it is for the costs to be incurred by 
vessel and facility owners to increase security. The Coast Guard 
estimated the cost of securing facilities at $5.4 billion and the cost 
of securing vessels at $1.4 billion. (The remaining portion of the 
estimate was for outer continental shelf facility security, area 
maritime security, and automatic identification system requirements.) 
Appendix III explains how the Coast Guard developed these estimates.

The accuracy of an estimate is often tied to such factors as the 
complexity or straightforwardness of the issue, the quality of data and 
validity of the underlying assumptions, and the length of time 
available to do the work. The Coast Guard faced a number of challenges 
in dealing with each of these factors. Major challenges included the 
following:

* Limited opportunity for expert involvement. Although the Coast Guard 
worked with a panel of experts to develop the estimate, Coast Guard 
officials said that time limitations precluded making the panel as 
widely representative of industry and government as possible. They also 
said that time limitations precluded an extensive set of meetings over 
the course of many months, which would have allowed the expert panel to 
make more useful contributions.

* Limited opportunity to analyze data or to test the uncertainty of 
estimates. The Chief of the Standards Evaluation and Analysis Division, 
who was the official responsible for developing the estimate, said that 
if more time had been available, the Coast Guard would have analyzed 
more data. Moreover, he said, the Coast Guard would have conducted a 
sensitivity analysis of the estimate to determine how changes in the 
underlying assumptions would affect the size of the estimate. Analyzing 
uncertainty in this way is consistent with best practices for preparing 
benefit-cost analysis of significant regulatory actions called for by 
Executive Order No. 12866, which applies to the Coast Guard's 
analysis.[Footnote 36] For illustrative purposes, we conducted such an 
analysis and found that the Coast Guard's cost estimate of $7.3 billion 
could be more than $1 billion higher or lower, using generalized 
assumptions about cost uncertainty. That is, the estimate of $5.4 
billion for securing facilities could range from $4.5 billion to $6.4 
billion, and the estimate of $1.4 billion for securing vessels could 
range from $1.2 billion to $1.5 billion.

* Questionable validity of some key assumptions. The estimated $5.4 
billion for securing facilities--the single biggest item--depends on 
key assumptions, which the Coast Guard has acknowledged are of 
questionable validity. For example, facilities are likely to vary in 
the extent to which they already have adequate security measures in 
place, and since no comprehensive data existed on the security 
preparations in place, Coast Guard officials had to make an educated 
guess about the extent of progress and the amount of additional 
security steps that would need to be taken. This is significant because 
the Coast Guard assumes facilities have already spent $17 billion on 
these security measures before MTSA requirements take effect. Thus, 
variation in these percentages can potentially have a sizable effect on 
costs. As another example, the Coast Guard also assumed that one-third 
of all facilities will have to spend about 60 percent more on security 
equipment than the remaining two-thirds of facilities will have to 
spend. However, some of the facilities in the lower-cost group will 
expand in the future to handle additional cargo resulting from economic 
growth, requiring more security and, therefore, placing more facilities 
than currently assumed in the higher-cost group. This can also have a 
substantial effect on costs. For example, assuming that 40 percent, 
rather than 33 percent, of all facilities fit in the higher-cost 
category, adds over $350 million to the costs of implementing these 
rules.

* Limited span of time included in the analysis. The Coast Guard's 
estimate covers a 10-year period beginning in 2003 and ending in 2012. 
However, MTSA security-related requirements are not limited to a 
10-year period. Extending the period of analysis is also consistent with 
best practices for preparing economic analysis of significant 
regulatory actions called for by Executive Order No. 12866.[Footnote 37] 
Extending the Coast Guard's analysis by 10 years to 2022 raises the 
estimate of total costs by nearly 50 percent to $10.7 billion. Total 
costs continue to rise past 2012 because another $884 million in 
operation and maintenance, equipment replacement, and security guard 
costs are incurred with each additional year.[Footnote 38]

* Some potential costs not considered. The Coast Guard's estimate does 
not include costs associated with possible delays in moving goods 
through more secure facilities, or account for higher prices for goods 
and services that could result if the maritime transportation industry 
tries to pass along higher security costs to its customers. For 
example, higher shipping rates could mean reduced water transportation 
services and reduced consumption and production of goods dependent on 
those services and associated economic losses.[Footnote 39]

In the absence of complete data, the Coast Guard relied on public and 
stakeholder comments to determine if its estimate was valid. The Coast 
Guard held seven public meetings to discuss its estimate and said it 
received few negative comments. Given the limited time available, 
relying on such comments to identify large errors makes practical 
sense. There likely are limitations, however, in the extent to which 
the various stakeholders were in a position to comment on the validity 
of the estimate. For example, large cost differences between individual 
facilities or vessels could make it difficult to judge the accuracy of 
the Coast Guard's estimates of average facility or vessel costs.

The net effect of these limitations on the Coast Guard's estimate is 
unknown. However, it should also be pointed out that enhancing security 
could lower costs to society at large if implementing MTSA foils a 
terrorist attack and thereby prevents a costly disruption. For example, 
in 2002, U.S. ports handled $764 billion in international trade, or 
more than $2 billion per day. An event that disrupts this trade could 
have a substantial effect on the flow of goods, as well as a 
substantial impact on the larger economy.

Conclusions:

The vulnerability of the nation's ports and the importance of 
addressing these vulnerabilities cannot be overemphasized. Since MTSA's 
enactment in November 2002, the Coast Guard has worked hard to address 
these vulnerabilities by spurring the development of meaningful 
security plans for thousands of facilities and vessels in the nation's 
ports. Progress has been made, though the extent to which all 
facilities and vessels will have adequate plans ready to implement as 
of July 1, 2004, is still unclear. This is particularly true for the 
thousands of self-certified plans. The Coast Guard has approved the 
guidelines and templates for these plans, but in most instances it has 
not seen the plans themselves.

As hard as the Coast Guard has worked to ensure that plans are 
developed, the most important part of the process still lies ahead 
because plans mean little if they do not actually produce better 
security. Many challenges lie ahead as the Coast Guard attempts to 
develop a complete picture of the security environment at the nation's 
seaports and take whatever actions are needed, when they are needed, to 
protect those ports. The uncertainty about whether the Coast Guard will 
be able to meet its timeframes for conducting on-site compliance 
inspections of the more than 12,300 facilities and vessels and 
questions about whether it will have enough staff and a sufficient 
experience base to handle so many inspections will undoubtedly 
challenge management and staff to effectively implement the strategy. 
In addition, the complexity of compliance inspections that call for 
sophisticated judgments about vulnerabilities and the actions taken to 
address them will likely create the need for up-to-date training and 
guidance to help ensure that such decisions are thorough and 
consistent. During the initial surge period, these challenges make it 
important for the Coast Guard to carefully evaluate its efforts, so 
that problems or inadequacies can be identified. In the longer term, 
the Coast Guard can benefit from the lessons learned from this 
evaluation and use them to refine its long-term inspection strategy.

Several points stand out in particular as important in this evaluation 
effort.

* First, the inspection program the Coast Guard has established is an 
important feature of its strategy to improve port security. Having 
qualified inspectors is key to this effort. While the training the 
Coast Guard has adopted is an important step to build inspector skills 
and compensate for differences in their skills and experience, training 
alone does not provide assurance that those who conduct inspections are 
qualified. Nor does it substitute for policies on the professional 
development standards inspectors must meet. Filling these gaps takes on 
added significance given the criticality of inspectors' roles and the 
discretion they are anticipated to exercise.

* Second, the long-term strategy also needs to reflect a way to ensure 
that the security inspections assess conditions that represent the 
normal course of business at facilities and aboard vessels. One way to 
do this is to include conducting unscheduled and unannounced 
inspections and covert testing to provide additional information that, 
taken together with the results of annual compliance inspections, 
should provide better assurance that MTSA requirements are being 
implemented effectively.

Recommendation for Executive Action:

To better ensure that MTSA requirements are being implemented 
effectively, we recommend that the Secretary of Homeland Security 
direct the Commandant of the Coast Guard to:

* conduct a formal evaluation of compliance inspection efforts taken 
during the initial 6-month surge period, including the adequacy of 
security inspection staffing, training, and guidance, and use this 
evaluation as a means to strengthen the compliance process for the 
longer term. As part of this strategy, the Coast Guard should clearly 
define the minimum qualifications for inspectors and link these 
qualifications to a certification process. The Coast Guard should also 
consider including unscheduled and unannounced inspections and covert 
testing as part of its inspection strategy to provide better assurance 
that the security environment at the nation's seaports meets the 
nation's expectations.

Agency Comments:

We provided a draft of this report to the Department of Homeland 
Security and the Coast Guard for their review and comment. The Coast 
Guard generally agreed with the facts presented in the report and with 
the recommendation we made. The Coast Guard said our recommendation was 
reasonable and that the Coast Guard should certainly study its progress 
and make changes when necessary. Coast Guard officials also provided a 
number of technical clarifications, which we incorporated to ensure the 
accuracy of our report.

In its response, the Coast Guard raised one area where it disagreed 
with our presentation. This disagreement focused on how to characterize 
the Coast Guard's review of the Option B plans, which the Coast Guard 
refers to as "alternative security programs." The Coast Guard contended 
that its work on ASPs amounted to an approval of the plans themselves. 
The Coast Guard's comments in this regard were as follows:

"GAO states ASPs provide a 'template' and 'framework' for a plan, but 
not an actual plan. The ASPs were developed in the months leading up to 
the 31 December 2003 plan submission deadline, and hundreds of 
personnel-hours were spent working with the many industry associations 
used to ensure the template, when properly completed with appropriate 
details for a specific vessel/facility, would be a viable security plan 
to mitigate vulnerabilities for the vessel or facility type identified 
by the industry association. In fact, more hours were dedicated to each 
ASP than any individual plan, and as a result, the ASP templates 
produced a repeatable security plan precluding the need to have each 
completed template individually reviewed by 1 July. Indeed, the CG 
considers them as approved security plans that must be implemented by 1 
July. Primary burden is on the owners to comply with all applicable 
regulations. Our role is to ensure it is being done; 'Trust, but 
Verify'."

While we agree that the Coast Guard spent considerable time and effort 
reviewing and approving the templates and that this approach was 
understandable given the limited time available, we disagree with the 
Coast Guard's view that its actions should be considered as reviewing 
and approving the 5,900 individual Option B plans. The Coast Guard did 
not individually review and approve these plans; it reviewed and 
approved only the templates. The Coast Guard notes that Option B 
security plans would be viable only when "properly completed with 
appropriate details for a specific vessel/facility". Since the Coast 
Guard did not individually review the Option B plans, it does not know 
whether the plans have been properly completed.

This is more than a technical issue: We believe the distinction is 
important because the missing reviews add to the challenges the Coast 
Guard will face in its post-July 1 workload. The Coast Guard's 
extensive review of the 6,400 individual Option A plans found 
deficiencies in every single plan, raising concerns about how complete 
the 5,900 individual Option B plans are likely to be when Coast Guard 
inspectors arrive to conduct their inspections. Our discussions with 
Coast Guard officials and our visits to seven ports around the country 
provided indications that some owners and operators using Option B may 
not be fully aware of what they have to do to develop sufficient plans, 
or if they are aware of it, may be slow in complying. For example, the 
Coast Guard program manager stated that interactions with Option B 
users showed that some of them erroneously believed that membership in 
an industry or trade organization with approved standards and templates 
satisfied their obligation to implement a security plan. During our 
site visits, some port stakeholders told us that they were using Option 
B as a means to avoid preparing a security plan until July 1 while 
remaining in compliance with Coast Guard requirements. For all of these 
reasons, we chose not to change this aspect of our report.

If you or your staffs have any questions about this report, please 
contact me at (415) 904-2200 or at wrightsonm@gao.gov or Steve Calvo, 
Assistant Director, at (206) 287-4800 or at calvos@gao.gov. Key 
contributors to this report are listed in appendix IV. This report will 
also be available at no charge on the GAO Web site at 
http://www.gao.gov.

Signed by: 

Margaret T. Wrightson, 
Director, Homeland Security and Justice Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Our first two objectives involved the security plans being developed 
for facilities and vessels. Specifically,

* assessing the progress made to develop, review, and approve the 
security plans for facilities and vessels by July 1, 2004.

* assessing the U.S. Coast Guard's monitoring and oversight strategy 
for ensuring that all necessary port security improvements are 
implemented.

We conducted a variety of work to assess key steps in the Coast Guard 
process for developing, reviewing, approving, and overseeing the 
implementation of security plans. These key steps in the process 
included the following:

* Identifying all the vessels and facilities that are subject to the 
requirement to develop plans.

* Ensuring that all identified parties have submitted plans for Coast 
Guard review.

* Reviewing all plans, identifying any deficiencies and ensuring their 
correction, and approving the completed plan.

* Establishing resources and an action plan to monitor implementation 
and compliance with requirements.

We carried out part of our work at Coast Guard headquarters or in 
consultation with headquarters officials. In this regard, we reviewed 
pertinent legislation, guidance, rules, and implementation documents to 
identify the purpose, objectives, process, enforcement strategy, and 
resources required to review and approve the security plans. We spoke 
with headquarters officials and reviewed relevant documentation to 
determine the management and methodology being used to address the 
implementation of the Maritime Transportation Security Act (MTSA). We 
met with MTSA's program manager and team to determine how they expected 
to review and approve the security plans before the July 2004 deadline, 
what resources and action plans are in place to oversee implementation 
after July 2004, what training program was needed to produce capable 
staff to perform inspections, how the staffing estimate for MTSA 
implementation was made, and what guidance would be provided to local 
inspectors and Captains of the Port to carry out MTSA implementation.

As part of our work in evaluating the process for reviewing security 
plans, we visited the Coast Guard's contractors at the Marine Safety 
Center in Washington, D.C., and the National Facility Security Plan 
Review Center in Overland Park, Kansas. During these visits, we also 
talked with contractor management and staff to determine how the review 
process worked, what reviewers were finding in the plans during their 
reviews, how deficient plans were dealt with, and what internal 
controls and quality assurance mechanisms were in place to ensure 
consistency during the review process. We also interviewed Coast Guard 
staff with the contractor staff at the review centers to determine the 
extent of their oversight roles and responsibilities in monitoring the 
contractors' performance.

We reviewed more site-specific planning and implementation activity 
through work conducted at seven specific maritime port areas. We 
selected these seven ports to provide a diverse sample of security 
environments and perspectives, basing our selections on such matters as 
geographic location, varying levels of strategic importance, and unique 
local characteristics. The seven ports and some of our reasons for 
choosing them are as follows:

* Corpus Christi, Texas: a Gulf Coast port that is a major port for 
military loadouts and important site for petroleum refining and 
chemical production.

* Huntington, West Virginia: a major inland river port that has a 
significant presence of critical chemical and petroleum producers.

* Los Angeles/Long Beach, California: the largest container port in the 
country.

* San Diego, California: a port that includes many military facilities 
and installations.

* Seattle/Tacoma, Washington: the third largest container traffic port 
in the country, and the port with the country's largest passenger ferry 
system.

* New Orleans, Louisiana: a large river port with many types of 
industrial and other facilities.

* New York, New York: another of the nation's largest container ports, 
and the site of the September 11th terrorist attacks.

During each of our visits to these seven ports we met with port 
stakeholders, Coast Guard marine safety offices, and Captains of the 
Port. The specific stakeholders we talked with at each port are listed 
in table 2. When we met with these stakeholders, we discussed the 
security assessments they had conducted, the facility or vessel 
security plans they were developing, any problems they had in 
developing those plans, and any assistance provided by the local Coast 
Guard during the process. When we met with Captains of the Port and 
marine safety offices, we discussed the extent to which they had 
identified all facilities and vessels under MTSA regulations within 
their port area, the outreach they provided to help stakeholders meet 
the statutory deadlines and understand MTSA requirements, the process 
they will use to ensure compliance after July 2004, and their general 
perspectives on MTSA requirements. We also attended several meetings 
put on by local marine safety offices, including a MTSA stakeholder 
forum, Area Maritime Security Committee (AMSC) meetings, and AMSC 
subcommittee meetings.

Table 2: Port Stakeholders GAO Contacted at Port Locations Reviewed:

Port area: Corpus Christi, Texas; 

Stakeholders: United States Coast Guard Marine Safety Office Corpus 
Christi.

Stakeholders: The Port of Corpus Christi.

Stakeholders: Occidental Chemical Corporation.

Stakeholders: Sherwin Alumina Company.

Stakeholders: Valero Refining-Texas, LP.

Stakeholders: Aransas-Corpus Christi Pilots.

Stakeholders: Kirby Inland Marine, LP.

Stakeholders: Union Pacific Railroad.

Stakeholders: United States Bureau of Immigration and Customs 
Enforcement.

Stakeholders: Boyd-Campbell Company.

Stakeholders: Flint Hills Resources, LP.

Port area: Huntington, West Virginia; 

Stakeholders: United States Coast Guard Marine Safety Office 
Huntington.

Stakeholders: West Virginia Department of Transportation, Public Port 
Authority.

Stakeholders: Union Carbide Corp.

Stakeholders: Sunoco, Inc. (Haverhill, OH).

Stakeholders: American Electric Power (Columbus, OH).

Stakeholders: Bayer CropScience.

Stakeholders: Marathon Ashland Petroleum, LLC (Catlettsburg, KY).

Stakeholders: United States Army Corps of Engineers.

Stakeholders: West Virginia Office of Emergency Services.

Stakeholders: Kirby Inland Marine, LP.

Port area: Los Angeles, California; 

Stakeholders: United States Coast Guard Marine Safety Office Los 
Angeles/Long Beach.

Stakeholders: The Port of Los Angeles.

Stakeholders: The Port of Long Beach.

Stakeholders: Marine Exchange of Southern California.

Stakeholders: Long Beach Container Terminal, Inc.

Stakeholders: Crowley Marine Services, Inc.

Stakeholders: APL Limited.

Stakeholders: Union Pacific Railroad.

Port area: San Diego, California; 

Stakeholders: United States Coast Guard Marine Safety Office San Diego.

Stakeholders: Port of San Diego.

Stakeholders: United States Navy.

Stakeholders: California Highway Patrol.

Stakeholders: San Diego Harbor Police.

Stakeholders: National Steel and Shipbuilding Co.

Stakeholders: Continental Maritime.

Stakeholders: San Diego Harbor Excursion.

Stakeholders: United States Customs and Border Protection.

Port area: Puget Sound, Washington; 

Stakeholders: United States Coast Guard Marine Safety Office Puget 
Sound.

Stakeholders: Port of Seattle.

Stakeholders: Port of Tacoma.

Stakeholders: Washington State Ferries.

Stakeholders: Cruise Terminals of America.

Stakeholders: Husky Terminal & Stevedoring, Inc.

Port area: New Orleans, Louisiana; 

Stakeholders: United States Coast Guard Marine Safety Office New 
Orleans.

Stakeholders: Port of New Orleans.

Stakeholders: Port of South Louisiana.

Stakeholders: Union Carbide Corporation.

Stakeholders: Upper St. Rose Fleeting Co.

Stakeholders: Plaquemine Parish Ferry Department.

Stakeholders: Zen-Noh Grain Corporation.

Stakeholders: Chalmette Refining, L.L.C.

Stakeholders: Shell Exploration and Production Company.

Stakeholders: P & O Ports North America, Inc.

Stakeholders: United States Bureau of Immigration and Customs 
Enforcement.

Port area: New York/New Jersey; 

Stakeholders: United States Coast Guard Activities New York.

Stakeholders: The Port Authority of New York & New Jersey.

Stakeholders: General Chemical.

Stakeholders: Staten Island Ferry System.

Stakeholders: Lincoln Harbor Yacht Club.

Stakeholders: Maersk, Inc.

Stakeholders: Howland Hook Container Terminal, Inc.

Stakeholders: Maher Terminals, Inc.

Source: GAO.

[End of table]

We also met with officials from industry trade groups such as the 
American Chemistry Council, American Association of Port Authorities, 
and the Association of American Railroads to determine their perception 
of MTSA requirements and the extent of interaction between port 
stakeholders and Coast Guard nationwide.

Finally, we followed up with all the ports we visited to collect 
updated information on their respective progress in regard to our 
objectives. We then compared the information gathered through 
interviews and document analysis against pertinent criteria specified 
in MTSA, the final rule, and other Coast Guard guidance to determine 
the progress being made to develop vessel and facility maritime 
security plans and determine the sufficiency of Coast Guard resources 
and action plan to ensure that security plans are completed, reviewed, 
approved, and implemented in a timely manner.

Our third report objective was to determine the accuracy of the Coast 
Guard's estimates of the cost to comply with MTSA security planning and 
implementation requirements. To address this objective, we reviewed 
cost spreadsheets prepared by the Coast Guard documenting how cost 
estimates were developed. We identified key cost assumptions and the 
basis for the values assumed. Based on information about the basis for 
these assumed values, we conducted Monte Carlo simulations to determine 
the sensitivity of costs for facilities and vessels to generalized 
assumptions about cost uncertainty. As part of this review, we 
interviewed Coast Guard analysts responsible for these cost estimates. 
Besides reviewing the cost spreadsheets, we reviewed documentation 
provided by the Coast Guard to support its choice of assumed values. We 
also asked Coast Guard officials responsible for these cost estimates 
what steps they took to ensure the reliability of the underlying data 
on which the estimates were based.

Our review was limited to security plans for facilities and vessels 
operating in domestic ports and did not include foreign ports, foreign 
flagged vessels, or the other security programs called for under MTSA.

We conducted our work from June 2003 to June 2004 in accordance with 
generally accepted government auditing standards.

[End of section]

Appendix II: Required Security Plan Items:

Vessel security plans: A vessel owner or operator must ensure that his 
or her plan consists of the individual sections listed below: 

(1) Security organization of the vessel; 
(2) Personnel training; 
(3) Drills and exercises; 
(4) Records and documentation; 
(5) Response to change in MARSEC level; 
(6) Procedures for interfacing with facilities and other vessels; 
(7) Declarations of Security; 
(8) Communications; 
(9) Security systems and equipment maintenance; 
(10) Security measures for access control; 
(11) Security measures for restricted areas; 
(12) Security measures for handling cargo; 
(13) Security measures for delivery of vessel stores and bunkers; 
(14) Security measures for monitoring; 
(15) Security incident procedures; 
(16) Audits and Vessel Security Plan amendments; 
(17) Vessel Security Assessment Report; 

Facility security plans: A facility owner or operator must ensure that 
his or her plan consists of the individual sections listed below: 

(1) Security administration and organization of the facility; 
(2) Personnel training; 
(3) Drills and exercises; 
(4) Records and documentation; 
(5) Response to change in MARSEC level; 
(6) Procedures for interfacing with vessels; 
(7) Declaration of Security; 
(8) Communications; 
(9) Security systems and equipment maintenance; 
(10) Security measures for access control, including designated public 
access areas; 
(11) Security measures for restricted areas; 
(12) Security measures for handling cargo; 
(13) Security measures for delivery of vessel stores and bunkers; 
(14) Security measures for monitoring; 
(15) Security incident procedures; 
(16) Audits and security plan amendments; 
(17) Facility Security Assessment Report; 
(18) Facility Vulnerability and Security Measures Summary 
(Form CG-6025). 

Source: 33 C.F.R. 104.405 and 33 C.F.R. 105.405.

[End of table]

[End of section]

Appendix III: Analysis of Coast Guard's Compliance Cost Estimates:

The Coast Guard estimated the maritime transportation industry will 
spend $7.3 billion to develop and implement security plans through the 
year 2012.[Footnote 40] Of this amount, the estimate for owners and 
operators of facilities was $5.4 billion, and the estimate for owners 
and operators of vessels was $1.4 billion. The remainder--about $500 
million--was for outer continental shelf facility and area maritime 
security and automatic identification system requirements. This 
appendix focuses on how the estimates for facilities and vessels were 
derived.

To make these estimates, the Coast Guard had to make a variety of 
assumptions about such matters as how many facilities and vessels would 
be affected, how extensive the planning and implementation efforts 
would have to be, and how much of a security framework was already in 
place that would go towards meeting MTSA requirements. The Coast Guard 
had to develop its estimates within a relatively short time, and it had 
limited amounts of data on which to base many of these assumptions. 
Factors that need to be kept in mind in considering the estimates 
include the uncertainties inherent in many of these assumptions, over 
what time period the costs were calculated, and the extent to which 
industry stakeholders had sufficient knowledge of their own to comment 
meaningfully on the Coast Guard's results.

Estimates Required Assumptions about Many Important Components:

Several basic pieces of information were needed to compute the cost of 
developing and implementing security plans for facilities and vessels, 
and deriving these basic pieces of information involved making a 
variety of assumptions. The nation's ports and waterways are sprawling 
and diverse, and the facilities and vessels that are affected by MTSA 
requirements vary greatly in size and complexity. Facilities, for 
example, include not only port-operated docks and intermodal transfer 
stations, but also petrochemical facilities, power plants, and 
factories with hazardous materials. Developing the estimates involved 
making educated guesses about such things as how much effort they would 
have to expend on developing plans, what equipment and manpower would 
be called for in their plans, and how far along they already were.

Number of Facilities and Vessels:

The Coast Guard first needed information on how many facilities and 
vessels would be affected by the regulation. The Coast Guard counted 
4,965 facilities and 10,234 vessels affected by the regulation and 
assumed this tally would remain constant during the 10-year period of 
analysis from 2003 to 2012. According to the Coast Guard, these numbers 
were based on its Marine Safety Management System database, U.S. Army 
Corps of Engineers' waterborne statistics data, and a Department of 
Transportation database on ferries and terminals. The Coast Guard cited 
two previous studies to support its assumption that the number of 
facilities and vessels remains constant. First, in studying response 
plans for oil spills, the Coast Guard said it had found little yearly 
variation in facility numbers, because purchasing land and negotiating 
permits is time-consuming and prohibits significant numbers of 
facilities from entering and leaving the population. Second, in 
analyzing fire suppression on towing vessels, the Coast Guard reported 
very few vessels entering the domestic fleet, with the limited numbers 
largely being offset by vessels exiting the fleet.

Extent of Security Planning and Implementation Efforts:

The Coast Guard next needed to determine how long it would take for 
facilities and vessels to complete security plans and what types of 
security measures they would need to take. Given the diversity of 
facilities and vessels, the Coast Guard assumed that some would require 
much more planning time and security measures than others. For 
facilities, the Coast Guard assumed that one-third of the total (1,638 
of the 4,965 facilities) would require more time to draft security 
assessments and plans and would implement more security measures than 
the remaining 3,327 facilities. For example, the Coast Guard assumed 
that the 1,638 facilities would take 160 hours, on average, to draft 
security assessments and plans, compared with 80 hours for 3,327 other 
facilities.[Footnote 41] Regarding the security measures that would 
need to be taken, the largest differences were in assumptions about the 
number of security guards. The Coast Guard tailored requirements for 
eight different facility types, such as container or break bulk 
facilities, hazardous substance facilities, and ferry and passenger 
terminals. For container or break bulk facilities, for example, the 
Coast Guard assumed that those facilities that had greater security 
needs would have 15 security guards, on average, compared with 4 
security guards for those facilities with less extensive security 
needs.

Similarly, the Coast Guard assumed different types of vessels will 
require varying amounts of time to draft security assessments and plans 
and varying amounts of security measures. All told, the Coast Guard 
tailored security requirements by 26 vessel types. For these various 
types of vessels, the Coast Guard established estimates for the amount 
of planning time involved, the number of security personnel that would 
be needed, and average requirements for such security equipment as 
metal detectors, intrusion alarms, hand-held radios, locks, and lights. 
The Coast Guard also assumed nontowing vessels will need more security 
than towboats and barges and that companies with more than 10 vessels 
will need more security than companies with 10 or fewer vessels.

To establish many of these facility and vessel security requirements, 
the Coast Guard convened a self-described informal expert panel of 
economists, program managers, and other Coast Guard personnel with 
extensive field experience, including personnel currently stationed in 
field units. This group estimated the type and number of pieces of 
equipment and number of personnel required to comply with the 
requirements based on the type and configuration of a vessel or 
facility, locations of facilities, the average crew size aboard 
vessels, and how the Coast Guard envisioned vessels and facilities 
complying with the requirements. Because its requirements do not 
mandate specific equipment or personnel but set performance standards, 
the Coast Guard reported that it had to make broad assumptions about 
how industry would comply with these regulations.

Costs for Security Planning and Implementation:

To translate the planning and implementation steps into a cost 
estimate, the Coast Guard also needed to establish assumptions about 
labor costs for each hour spent on security assessments and plans and 
costs per unit for each type of security measure. According to the 
Coast Guard, salaries for some personnel were based on previous 
analyses for salvage and marine firefighting and requirements for 
mechanical recovery and dispersants. Costs for security guards and 
other security personnel for facilities were based on national data 
from the Bureau of Labor Statistics along with a "loaded" labor factor 
to account for fringe benefits to these personnel. Equipment costs were 
based on product research and limited data received from industry 
during comment periods.

When these cost factors were applied, the results indicated that the 
one-third of facilities assumed to have more extensive planning and 
security needs would spend about 60 percent more on security equipment 
than the lower-cost group. Similarly, spending for security equipment 
varied considerably between vessel types.

Extent to Which Adequate Security Measures Were Already in Place:

Another important assumption deals with the extent to which facilities 
would already have security measures in place and, therefore, would not 
incur additional costs to comply with MTSA requirements. Among 
facilities, the Coast Guard assumed the level of prior investment 
varied substantially, both by type of facility and by type of 
equipment. According to the Coast Guard, many facilities, such as oil 
terminals, cruise terminals, and those dealing with hazardous 
materials, were already required to implement security measures under 
preexisting regulation by states or various federal agencies. Table 3 
presents the Coast Guard's assumptions about the percentage of 
facilities that would need to purchase or enhance their security 
measures. For example, the Coast Guard assumed that most ferry 
terminals would need improvements with regard to gates, fencing, and 
number of security guards, but that no ferry terminals would need to 
improve their communications system.

Table 3: Coast Guard Assumptions about Extent of Prior Security 
Preparation:

Percentage of facilities needing to purchase or enhance security 
measures, by type of facility:

Type of facility             Communications system  Gates  Radio  CCTV  Lights  Fencing  Guards
Container or break bulk      5%                     30%    5%     5%    5%      5%       30%
Dry bulk                     0%                     70%    70%    10%   60%     20%      70%
Hazardous bulk liquid        5%                     10%    5%     5%    5%      5%       10%
Hazardous substance (other)  5%                     5%     5%     5%    5%      5%       5%
Nonhazardous bulk liquid     10%                    10%    10%    10%   10%     10%      10%
Fleeting areas               5%                     0%     5%     10%   0%      0%       10%
Ferry terminals Group A      0%                     60%    5%     10%   10%     50%      60%
Ferry terminals Group B      0%                     80%    5%     10%   10%     50%      80%
Passenger terminals          5%                     5%     5%     5%    5%      5%       5%

Source: GAO analysis of Coast Guard data.

[End of table]

Many Assumptions Carry Limitations:

Many of these assumptions carry limitations that need to be kept in 
mind in assessing the reliability of the estimate. For example, the 
assumptions reflected in table 3 above are based on incomplete data and 
a response rate from Coast Guard field units that the Coast Guard 
acknowledges seriously limit the reliability of any results. This is 
significant because the Coast Guard assumes facilities have already 
spent $17 billion on these security measures before MTSA requirements 
take effect. Thus, variations in the percentages shown in table 3 can 
have a potentially huge effect on costs. Actual costs to comply with 
the final rules could thus differ substantially from what the Coast 
Guard estimated because of simplifying assumptions that had to be made 
in the absence of complete data. In a number of cases, the Coast Guard 
cannot say if the value it assumed for a particular cost factor is the 
most likely one to occur, or likely to be too low or high.

Even relatively small changes in some of these assumptions can have a 
substantial effect on results. One example can be seen in changing the 
assumption about the percentage of facilities needing more extensive 
security measures. The Chief of the Standards Evaluation and Analysis 
Division said that some facilities would likely expand in the future to 
handle additional cargo resulting from economic growth. This expansion, 
in turn, could require more security and potentially place more 
facilities than currently assumed in this higher-need group. For 
example, assuming that 40 percent of facilities should be in this 
higher-need group rather than the current 33 percent increases the cost 
estimate by over $350 million.

Limited Time to Estimate Costs Precluded More Extensive Data Collection 
and Analysis of Uncertainty:

According to Coast Guard officials, the agency had only a matter of 
weeks to prepare its cost estimate, and the estimate had to be prepared 
without the benefit of extensive background research, vendor surveys, 
and field inventories. The Chief of the Standards Evaluation and 
Analysis Division, the Coast Guard official responsible for estimating 
costs, explained that, had the Coast Guard had more time, it would have 
analyzed more data. Likewise, while the Coast Guard took the step of 
working with an expert panel, Coast Guard officials said this effort 
was not as extensive or sustained as it would have been under ideal 
circumstances. Time 
permitting, Coast Guard officials said, they would have convened an 
expert panel that included members of industry, nongovernmental 
organizations, and other government agencies, and this panel would have 
met multiple times over the course of many months, if not years.

Coast Guard officials also said that if time had permitted, they would 
have analyzed uncertainty in their estimate by conducting sensitivity 
or other analyses to determine how variations in these assumptions 
would change the cost estimate. Analyzing uncertainty in this way is 
consistent with best practices for preparing economic analysis of 
significant regulatory actions called for by Executive Order 12866, 
which applies to the Coast Guard's analysis.[Footnote 42] For 
illustrative purposes, we conducted a Monte Carlo analysis using the 
Coast Guard's cost models for facilities and vessels.[Footnote 43] We 
found that the Coast Guard's cost estimate of $7.3 billion could be 
more than $1 billion higher or lower using generalized assumptions 
about cost uncertainty. This results from finding that the Coast Guard 
estimate of $5.4 billion to secure facilities could range from $4.5 
billion to $6.4 billion, and its estimate of $1.4 billion to secure 
vessels could range from $1.2 billion to $1.5 billion.

Cost Estimate Spans Only 10 Years and Does Not Include All Costs:

The Coast Guard has estimated it will cost $7.3 billion to develop and 
implement security plans from 2003 to 2012, but MTSA security-related 
requirements are not limited to a 10-year period. Extending the Coast 
Guard's analysis by 10 years to 2022 raises total costs by nearly 50 
percent to $10.7 billion. Extending the period of analysis is 
consistent with best practices for preparing economic analysis of 
significant regulatory actions called for by Executive Order 
12866.[Footnote 44]

Figure 4 shows the trajectory of total costs as the time period of 
analysis is extended, holding the number of facilities and vessels 
constant. Total costs continue to rise past 2012 because another $884 
million in operation and maintenance, equipment replacement, and 
security guard costs are incurred with each additional year.[Footnote 
45]

Figure 4: Projection of Estimated Costs, 2012-2022:

[See PDF for image]

[End of figure]

The Coast Guard's estimate also does not include several types of 
costs:

* The estimate does not extend to costs beyond the maritime 
transportation industry. For example, it does not include costs 
associated with possible delays experienced by users in gaining access 
to more secure port facilities and the services they provide. It also 
does not include incremental costs borne by the Coast Guard to develop 
and enforce these new requirements.

* The estimate does not address higher prices for goods and services as 
the maritime transportation industry tries to pass along higher 
security costs to its customers. For example, higher shipping rates 
could mean reduced water transportation services and reduced 
consumption and production of goods and services dependent on those 
transportation services and associated economic losses.[Footnote 46]

* The Coast Guard has also estimated an additional $5 billion to meet 
an elevated threat level, which is not included in its $7.3 billion 
estimate.[Footnote 47] It assumed a code orange alert occurs twice a 
year, with each elevated alert lasting 21 days. Increased personnel 
time is the primary cost. For example, vessel security officers and key 
crewmembers are assumed to work 16 hours per day during each elevation. 
For facilities, the number of security guards is doubled.

While the points noted above would add to the cost estimate, it should 
also be noted that other considerations could have the opposite effect. 
For example:

* Some facility and vessel owners may take steps to exempt themselves 
from the requirements, thereby lowering total costs. For example, some 
passenger vessel operators could elect to transport fewer people, 
placing their vessels into categories that do not have to comply with 
MTSA requirements. Other vessel operators could choose to no longer 
transport certain types of cargo and thus similarly become exempt. 
However, these mitigating actions on the part of vessel and facility 
owners may not be costless. For example, restrictive actions like those 
described may result in added costs to users of these transportation 
services.

* On the facilities side, companies will have an incentive to 
collaborate in designing collective security systems where 
opportunities exist to enhance security at less cost than if each 
company acted alone. For example, adjoining facilities may have 
opportunities to exploit possible cost economies in surveillance, 
access control, and communications. Moreover, because requirements to 
develop and implement security plans incorporate a performance-standard 
approach, there is flexibility in how a facility or vessel can comply, 
which could encourage lower-cost solutions than assumed by the Coast 
Guard. In addition, re-examining existing security arrangements as a 
result of the new requirements could lead to replacing some older, less 
cost-effective measures.

* Steps to enhance security could also lower costs to society at large 
if implementing security plans foils a security incident and prevents 
much larger costs. For example, in 2002, $764 billion in international 
trade was handled by U.S. ports, or more than $2 billion per day. 
Disruptions to this trade could have a large impact on the economy. In 
addition, security improvements from implementing security plans could 
have collateral benefits such as reducing nonsecurity related risks 
from theft and fire. Finally, if better security enhances demand for 
maritime transportation services, facility and vessel owners have 
positive incentives to comply.

Questions Remain about Adequacy of Public Comments to Validate Cost 
Estimate:

In the absence of complete data, the Coast Guard relied on public 
comments to validate its cost estimate of $7.3 billion and ensure 
reliability of data used in that estimate. The extent to which the 
public comment process was up to this task is debatable. For instance, 
the Coast Guard acknowledged that on a vessel-by-vessel or facility-by-
facility basis, its cost assumptions probably carry a large margin of 
error. Coast Guard analysts said the problem in estimating costs for 
facilities is that there is no typical facility. In turn, large cost 
differences for individual vessels and facilities could make it 
difficult for individual stakeholders to judge the accuracy of Coast 
Guard's estimates of average facility and vessel costs. In addition, 
the Coast Guard acknowledged that a key cost driver in the facility 
estimate--the national percentage of facilities requiring higher rather 
than lower costs to ensure security--is likely to rise over time. These 
issues call into question the adequacy of public comments to validate 
the estimate and ensure data reliability. However, given the limited 
time the Coast Guard had to gather data and make an estimate, relying 
on public comments to identify large errors made practical sense.

The Coast Guard vetted its cost estimate in seven public meetings and 
said it received few negative comments. For instance, some stakeholders 
commented that foreign-flag vessels should be included in the cost 
analysis, but, according to the Coast Guard, foreign-flag vessels are 
already required by the International Ship & Port Facility Security 
Code to meet these security requirements. On the other hand, the Coast 
Guard revised its cost values for portable vapor detectors and 
operations and maintenance for equipment after receiving comments that 
these values were too low. To help validate cost assumptions, the Coast 
Guard also established a proprietary docket where industry could 
provide it with cost data without worrying about disclosure in the 
public domain. However, not much data were submitted.

[End of section]

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Margaret Wrightson (415) 904-2200
Steven Calvo (206) 287-4800

Staff Acknowledgments:

In addition to those named above, Chuck Bausell, Jason Berman, Geoffrey 
Hamilton, Christopher Hatscher, Nicholas Larson, and Stan Stenersen 
made key contributions to this report.

FOOTNOTES

[1] P.L. 107-295, 116 Stat. 2064, 2066 (2002).

[2] The portwide security plan, called an Area Maritime Security Plan, 
is to be developed by the Coast Guard's local Captains of the Port and 
a committee comprised of federal, state, and local agencies; law 
enforcement and security agencies; and other port stakeholders such as 
owners and operators of facilities and vessels, trade and labor 
organizations, and railroad and trucking companies among others. The 
plan is designed to provide a framework for communication and 
coordination among port stakeholders and law enforcement officials. Our 
review focused on plans being developed by entities other than the 
Coast Guard, and we, therefore, do not discuss these area plans in this 
report. We will, however, be addressing aspects of these plans in a 
subsequent report.

[3] See generally 33 C.F.R. Parts 101, 104, and 105. Motorboats and 
other pleasure craft, for example, are generally not subject to 
security plan requirements, nor are a variety of other types of vessels 
below certain prescribed lengths or weights. 

[4] This is the present value of costs incurred from 2003 to 2012. 
Unless otherwise noted, all cost figures cited are present values.

[5] Appendix I describes our scope and methodology in more detail and 
contains a list of ports we visited and port stakeholders we 
interviewed.

[6] The Captain of the Port is a Coast Guard officer who provides 
direction to Coast Guard law enforcement activities within the general 
proximity of the port in which assigned. Captains of the Port enforce, 
within their respective areas, port safety and security and marine 
environmental protection regulations. There are 45 Captains of the Port 
nationwide. 

[7] The requirements for security plans are found in 33 C.F.R. Part 
104, Subpart D for vessels and 33 C.F.R. Part 105, Subpart D for 
facilities. See appendix II for a listing of required security plan 
contents. 

[8] IMO is responsible for improving maritime safety, including 
combating acts of violence or crime at sea. The United States is a 
member. In November 2001, the Commandant of the Coast Guard addressed 
IMO's General Assembly, urging that body to consider an international 
scheme for port and shipping security. Recommendations and proposals 
for comprehensive security requirements, including amendments to 
International Convention for Safety of Life at Sea, 1974, (SOLAS) and 
the new ISPS Code, were developed at a series of intersessional 
maritime security work group meetings held at the direction of IMO's 
Maritime Safety Committee. 

[9] Prior to issuing the final regulation, the Coast Guard issued an 
interim final rule on July 1, 2003.

[10] The Coast Guard also intends to complete on-site inspections of 
"uninspected vessels" by December 31, 2004. These "uninspected vessels" 
include some towing vessels, most fishing industry vessels, some 
freight barges, and certain passenger vessels, among others that were 
not required to submit a security plan but did so voluntarily.

[11] Marine safety offices are located at coastal ports and on inland 
waterways and are responsible for the overall safety and security of 
maritime activities and for environmental protection in their 
geographic areas.

[12] The Coast Guard hired Black and Veatch Corporation, an engineering 
consulting and construction company with expertise in facility 
security, to conduct the facility security plan reviews. The Coast 
Guard also hired George G. Sharp, Inc., a maritime engineering, safety, 
and security company with expertise in vessel security, to conduct the 
vessel security plan reviews. The Coast Guard is reviewing the security 
plans with the contractors in two locations: The National Facility 
Security Plan Review Center in Overland Park, Kansas, and the Marine 
Safety Center (for vessels) in Washington, D.C.

[13] The estimate of $7.3 billion applies to compliance costs at 
Maritime Security Condition System (MARSEC) Level 1. MARSEC is a three-
tiered system developed by the Coast Guard to communicate the 
prevailing threat environment to the marine elements of the national 
transportation system, including ports, vessels, facilities, and 
critical assets and infrastructure. The levels align closely with DHS's 
color-coded Homeland Security Alert System in the following way: MARSEC 
Level 1 applies when threat conditions Green, Blue, or Yellow are set; 
MARSEC Level 2 applies when threat condition Orange is set; and MARSEC 
Level 3 applies when threat condition Red is set. 

[14] A template is a document that owners or operators can use to 
develop and implement security plans by tailoring it to the specific 
circumstances of their operation.

[15] Under both options, facilities also had to submit a "Vulnerability 
and Security Measures Summary" (Form CG-6025), which lists the 
vulnerabilities and specific security measures to be taken. Owners and 
operators submitting plans under option A also had to submit a security 
assessment report, a document based on background information and an 
on-scene survey, identifying possible threats, vulnerabilities, 
consequences, and existing protective measures. Those who chose option 
B did not have to submit this report.

[16] Trade or industry organizations with approved "alternative 
security programs" include: American Chemistry Council, American Gaming 
Association, American Waterways Operators, Lake Carriers' Association, 
Offshore Marine Service Association, and the Passenger Vessel 
Association. Other organizations that received interim approval: the 
North American Grain Export Association & National Grain and Feed 
Association, Greater New Orleans Barge Fleeting Association, and 
Washington State Ferries.

[17] The Coast Guard has issued guidance to Captains of the Port to 
encourage them to "engage" with users of option B to review their 
progress prior to July 1, 2004. However, these users are not required 
to agree to these reviews.

[18] For revisions to facility security plans, 30 calendar days were 
allowed for revisions to be made and resubmitted to the Coast Guard. No 
time limit was specified for revisions to vessel security plans.

[19] Some owners or operators with plans undergoing the review process 
have commented that the Coast Guard's contractors have been 
unnecessarily "nitpicky" or have gone beyond regulations, resulting in 
what the owners or operators consider to be excessive deficiencies. 
While we did not evaluate the validity of these comments, Coast Guard 
officials have publicly defended the quality of the contractors' 
performance.

[20] The Coast Guard is reviewing the facility security plans with the 
contractor at the National Facility Security Plan Review Center in 
Overland Park, Kansas.

[21] MTSA allows the Coast Guard, under certain circumstances, to grant 
permission to facilities and vessels with plans still in process to 
continue operating for up to 1 year after the plans were submitted. 

[22] Vessels in international trade were given priority since all 
vessels subject to the SOLAS/ISPS codes must be in compliance with an 
approved security plan by July 1, 2004. 

[23] In addition, the Captain of the Port has the authority under 33 
C.F.R. Part 6 to establish security zones and prevent access to any 
vessel or facility whenever he or she believes such action may be 
necessary to prevent damage or injury.

[24] The guidelines for this strategy were contained in Navigation and 
Vessel Inspection Circulars (NVIC), an approach the Coast Guard uses to 
provide detailed guidance about enforcement or compliance with certain 
federal marine safety regulations and Coast Guard marine safety 
programs.

[25] The Coast Guard plans to complete all vessel inspections by July 
1, 2005, and as soon after July 1, 2004, as possible. Each vessel will 
receive a security compliance inspection concurrently with its annual 
Certificate of Inspection visit conducted by the Coast Guard between 
July 1, 2004, and July 1, 2005. However, under three situations vessels 
will receive inspections earlier. First, all inspections for SOLAS 
vessels (i.e., U.S. registered vessels operating internationally) must 
be completed by July 1, 2004. Second, at the discretion of the Captain 
of the Port, certain vessels of interest will be inspected shortly 
after July 1, 2004. Finally, the Coast Guard will inspect any vessel 
whose owners or operators request an early security compliance 
inspection.

[26] The Coast Guard refers to this initial 6-month period as a surge 
effort because of the amount of work demanded in a short time frame. 
The Coast Guard regards the facility compliance inspections, which must 
be completed in full within this period, as particularly time-
consuming. 

[27] A drill is a training event that tests at least one component of 
the vessel or facility security plan and is used to maintain a high 
level of security readiness. According to the Coast Guard regulations, 
at least one security drill is to be conducted by owners and operators 
every 3 months.

[28] U.S. General Accounting Office, Coast Guard: Relationship Between 
Resources Used and Results Achieved Needs to Be Clearer, GAO-04-432 
(Washington, D.C.: March 22, 2004). 

[29] The working groups were comprised of Coast Guard headquarters, 
area, district, and field office staff. The historical information came 
from the Coast Guard's implementation of the Oil Pollution Act of 1990, 
Public Law 101-380, 104 Stat. 484 (1990).

[30] The first 2 days of the 5-day training were not required for those 
personnel with prior inspection experience because the first 2 days 
covered "basic" elements of conducting inspections.

[31] The inspection guide, checklists, and other enforcement guidance 
were included in a series of NVICs issued by the Coast Guard. The NVICs 
that included the inspection guides were issued in May 2004. 

[32] Every 2 to 4 years, the Coast Guard rotates its staff among 
various duty stations, such as search and rescue, high- and 
medium-endurance cutters, and buoy tenders. The Coast Guard also rotates its 
staff within duty stations, such as moving facility security inspectors 
to noninspection duties within a marine safety office.

[33] U.S. General Accounting Office, Aviation Security: Further Steps 
Needed to Strengthen the Security of Commercial Airport Perimeters and 
Access Controls, GAO-04-728 (Washington, D.C.: June 4, 2004).

[34] Since facilities and vessels are often staffed differently on 
weekends, evenings, and nights, this approach is intended to allow 
inspectors a better opportunity to identify the actual operating 
conditions of facilities and vessels.

[35] Covert testing would involve Coast Guard agents working undercover 
to evaluate, among other things, the effectiveness of security 
processes and procedures.

[36] A significant regulatory action is defined as likely to result in, 
among other things, a rule having an annual effect on the economy of 
$100 million or more or other serious effects. The Coast Guard has 
estimated that its rule for facilities and vessels will have an annual 
cost of $832 million in real, undiscounted dollars.

[37] Guidance on implementing this executive order notes that the 
ending point of the analysis should be far enough in the future to 
encompass all the significant benefits and costs likely to result from 
the rule.

[38] The $884 million is in real, undiscounted dollars.

[39] The net effect of these considerations on overall costs is 
unclear.

[40] This estimate is based on costs to maintain security at MARSEC 
Level 1, which encompasses the Low (Green), Guarded (Blue), and 
Elevated (Yellow) designations of the Homeland Security Advisory 
System. The Coast Guard estimated that meeting a more extensive threat 
level, which the Coast Guard defined as two 21-day periods at MARSEC 
Level 2, the equivalent to the Department of Homeland Security's 
Advisory System's orange threat level (high risk of terrorist attack) 
each year, would cost an additional $5 billion.

[41] Not counting the number of hours spent annually on these 
documents.

[42] A significant regulatory action is defined as likely to result in, 
among other things, a rule having an annual effect on the economy of 
$100 million or more or other serious effects. The Coast Guard has 
estimated that its rule for facilities and vessels will have an annual 
cost of $832 million in real, undiscounted dollars.

[43] Our analysis was conducted using what is called Monte Carlo 
simulation, which uses random numbers to measure the effects of 
uncertainty. Because the Coast Guard was unable to provide additional 
information, our simulation is based on some general assumptions about 
the probability distributions characterizing values used by the Coast 
Guard for cost factors. 

[44] Guidance on implementing this executive order notes that the 
ending point of the analysis should be far enough in the future to 
encompass all the significant benefits and costs likely to result from 
the rule.

[45] The $884 million is in real, undiscounted dollars.

[46] The net effect of these considerations on overall costs is 
unclear.

[47] At MARSEC Level 2, which is the equivalent to the Department of 
Homeland Security's Advisory System orange level. 
