GAO-07-681T, Transportation Security: TSA Has Made Progress in Implementing the Transportation Worker Identification Credential Program, but Challenges Remain


This is the accessible text file for GAO report number GAO-07-681T 
entitled 'Transportation Security: TSA Has Made Progress in 
Implementing the Transportation Worker Identification Credential 
Program, but Challenges Remain' which was released on April 12, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony before the Committee on Commerce, Science, and 
Transportation, U.S. Senate: 

United States Government Accountability Office: 

GAO: 

For Release on Delivery Expected at 10:00 a.m. EDT: 

Thursday, April 12, 2007: 

Transportation Security: 

TSA Has Made Progress in Implementing the Transportation Worker 
Identification Credential Program, but Challenges Remain: 

Statement of Norman J. Rabkin, Managing Director: 
Homeland Security and Justice Issues: 

GAO-07-681T: 

GAO Highlights: 

Highlights of GAO-07-681T, a testimony before the Committee on 
Commerce, Science, and Transportation, U.S. Senate 

Why GAO Did This Study: 

The Transportation Security Administration (TSA) is developing the 
Transportation Worker Identification Credential (TWIC) to ensure that 
only workers that do not pose a terrorist threat are allowed to enter 
secure areas of the nation’s transportation facilities. This testimony 
is based primarily on GAO’s December 2004 and September 2006 reports on 
the TWIC program and interviews with TSA and port officials conducted 
in March and April 2007 to obtain updates on the TWIC program. 
Specifically, this testimony addresses (1) the progress TSA has made 
since September 2006 in implementing the TWIC program; and (2) some of 
the remaining challenges that TSA and the maritime industry must 
overcome to ensure the successful implementation of the TWIC program. 

What GAO Found: 

Since we issued our report on the TWIC program in September 2006, TSA 
has made progress toward implementing the TWIC program and addressing 
several of the problems that we previously identified regarding 
contract oversight and planning and coordination with stakeholders. 
Specifically, TSA has 

* issued a TWIC rule that sets forth the requirements for enrolling 
workers and issuing TWIC cards to workers in the maritime sector;
* awarded a $70 million dollar contract for enrolling workers in the 
TWIC program; 
* developed a schedule for enrolling workers and issuing TWIC cards at 
ports and conducting a pilot program to test TWIC access control 
technologies; 
* added additional staff with program and contract management expertise 
to help oversee the TWIC enrollment contract; and
* developed plans to improve communication and coordination with 
maritime stakeholders, including plans for conducting public outreach 
and education efforts. 

TSA and maritime industry stakeholders still face several challenges to 
ensuring that the TWIC program can be implemented successfully: 

* TSA and its enrollment contractor need to transition from limited 
testing of the TWIC program to successful implementation of the program 
on a much larger scale covering 770,000 workers at about 3,500 maritime 
facilities and 5,300 vessels.
* TSA and its enrollment contractor will need to educate workers on the 
new TWIC requirements, ensure that enrollments begin in a timely 
manner, and process numerous background checks, appeals, and waivers.
* TSA and industry stakeholders will need to ensure that TWIC access 
control technologies will work effectively in the maritime environment, 
be compatible with TWIC cards that will be issued, and balance security 
with the flow of maritime commerce. 

As TSA works to implement the TWIC program and begin enrolling workers, 
it will be important that the agency establish clear and reasonable 
time frames and ensure that all aspects of the TWIC program, including 
the TWIC access control technologies, are fully tested in the maritime 
environment. 

What GAO Recommends: 

GAO has previously recommended that TSA develop a comprehensive plan 
for managing the TWIC program, conduct additional testing of the TWIC 
program to ensure that all key components work effectively, strengthen 
contract planning and oversight practices, and develop a plan for 
communicating and coordinating with stakeholders. TSA agreed with these 
recommendations. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO--07-681T]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Norm Rabkin, 202-512-
8777, rabkinn@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Committee: 

Thank you for inviting me to participate in today's hearing on the 
status of the Transportation Security Administration's (TSA) 
Transportation Worker Identification Credential (TWIC) program. 
Ensuring that only workers that do not pose a terrorist threat are 
allowed access to secure areas of the nation's transportation 
facilities is critical to helping prevent a terrorist attack. The TWIC 
program was created to help protect these facilities from the threat of 
terrorism by issuing identification cards only to workers who do not 
pose a terrorist threat and allow these workers unescorted access to 
secure areas of the transportation system. To accomplish this 
objective, the TWIC program will include collection of personal and 
biometric information to validate workers' identities, background 
checks on transportation workers to ensure they do not pose a threat to 
security, issuance of tamper-resistant biometric credentials that 
cannot be counterfeited, verification of these credentials using 
biometric access control systems before a worker is granted unescorted 
access to a secure area, and revocation of credentials if disqualifying 
information is discovered, or if a card is lost, damaged, or stolen. 
The TWIC program was initially intended to serve all modes of 
transportation; however, TSA, in partnership with the Coast Guard, is 
focusing initial implementation on the maritime sector and is planning 
to implement the program in other modes in the future. 

In December 2004 and September 2006, we reported on the status of the 
development and testing of the TWIC program.[Footnote 1] Our 2004 
report identified the challenges TSA faced in developing regulations 
and a comprehensive plan for managing the TWIC program and several 
factors that caused TSA to miss initial deadlines for issuing TWIC 
cards. Our September 2006 report identified the challenges encountered 
during TWIC program testing and several problems related to TWIC 
contract planning and oversight. In August 2006, TSA decided that the 
TWIC program would be implemented in the maritime sector using two 
separate rules. TSA issued the first rule in January 2007 requiring 
worker enrollment and card issuance and plans to issue a proposed rule 
on access control technologies in 2008. Since our September 2006 
report, the Congress passed the Security and Accountability for Every 
(SAFE) Port Act of 2006, directing TSA, among other things, to 
implement the TWIC program at the 10 highest risk ports by July 1, 
2007.[Footnote 2] In January 2007, TSA awarded a $70 million contract 
to begin enrolling workers and issuing TWIC cards to workers at these 
maritime facilities. 

My testimony today focuses on two key areas: (1) the progress TSA has 
made since September 2006 in implementing the TWIC program and (2) some 
of the remaining challenges that TSA and the maritime industry must 
overcome to ensure the successful implementation of the TWIC program. 
My comments are based primarily on our December 2004 and September 2006 
reports on the TWIC program, which reflect work conducted at TSA and 
the Coast Guard, as well as site visits to transportation facilities 
that participated in testing the TWIC program. In addition, in March 
and April 2007, we interviewed TSA officials and obtained some 
supporting documentation regarding the agency's efforts to implement 
the TWIC program. We also interviewed officials at port facilities in 
California, Delaware, and Florida that participated in TWIC testing 
concerning the implementation of the TWIC program. We conducted our 
work in accordance with generally accepted government auditing 
standards. 

Summary: 

Since we issued our report on the TWIC program in September 2006, TSA 
has made progress toward implementing the TWIC program and addressing 
several of the problems that we previously identified regarding 
contract oversight and planning and coordination with stakeholders. 
Specifically, TSA has: 

* issued a TWIC rule that sets forth the requirements for enrolling 
workers and issuing TWIC cards to workers in the maritime sector; 

* awarded a $70 million contract for enrolling workers in the TWIC 
program, 

* established a schedule for enrolling workers and issuing TWIC cards 
at ports and conducting a pilot program to test TWIC access control 
technologies, 

* added staff with program and contract management expertise to help 
oversee the TWIC enrollment contract, and: 

* developed plans to improve communication and coordination with 
maritime stakeholders, including plans for conducting public outreach 
and education efforts. 

TSA and maritime industry stakeholders still face several challenges to 
ensuring that the TWIC program can be implemented successfully: 

* TSA and its enrollment contractor need to transition from limited 
testing of the TWIC program to successful implementation of the program 
on a much larger scale covering 770,000 workers at about 3,500 maritime 
facilities and 5,300 vessels.[Footnote 3] 

* TSA and its enrollment contractor will need to educate workers on the 
new TWIC requirements, ensure that enrollments begin in a timely 
manner, and process numerous background checks, appeals, and waivers. 

* TSA and industry stakeholders will need to ensure that TWIC access 
control technologies will work effectively in the maritime environment, 
be compatible with TWIC cards that will be issued, and balance security 
with the flow of maritime commerce. 

As TSA works to implement the TWIC program and begin enrolling workers, 
it will be important that the agency establish clear and reasonable 
time frames and ensure that all aspects of the TWIC program, including 
the TWIC access control technologies, are fully tested in the maritime 
environment. 

Background: 

Securing transportation systems and facilities is complicated, 
requiring balancing security to address potential threats while 
facilitating the flow of people and goods. These systems and facilities 
are critical components of the U.S. economy and are necessary for 
supplying goods throughout the country and supporting international 
commerce. U.S. transportation systems and facilities move over 30 
million tons of freight and provide approximately 1.1 billion passenger 
trips each day. The Ports of Los Angeles and Long Beach estimate that 
they alone handle about 43 percent of the nation's oceangoing cargo. 
The importance of these systems and facilities also makes them 
attractive targets to terrorists. These systems and facilities are 
vulnerable and difficult to secure given their size, easy 
accessibility, large number of potential targets, and proximity to 
urban areas. A terrorist attack at these systems and facilities could 
cause a tremendous loss of life and disruption to our society. An 
attack would also be costly. According to testimony by a Port of Los 
Angeles official, a 2002 labor dispute led to a 10-day shutdown of West 
Coast port operations, costing the nation's economy an estimated $1.5 
billion per day.[Footnote 4] A terrorist attack to a port facility 
could have a similar or greater impact. 

One potential security threat stems from those individuals who work in 
secure areas of the nation's transportation system, including seaports, 
airports, railroad terminals, mass transit stations, and other 
transportation facilities. It is estimated that about 6 million 
workers, including longshoreman, mechanics, aviation and railroad 
employees, truck drivers, and others access secure areas of the 
nation's estimated 4,000 transportation facilities each day while 
performing their jobs. Some of these workers, such as truck drivers, 
regularly access secure areas at multiple transportation facilities. 
Ensuring that only workers that do not pose a terrorism security risk 
are allowed unescorted access to secure areas is important in helping 
to prevent an attack. According to TSA and transportation industry 
stakeholders, many individuals that work in secure areas are currently 
not required to undergo a background check or a stringent 
identification process in order to access secure areas. In addition, 
without a standard credential that is recognized across modes of 
transportation and facilities, many workers must obtain multiple 
credentials to access each transportation facility they enter. 

TWIC Program History: 

In the aftermath of the September 11, 2001, terrorist attacks, the 
Aviation and Transportation Security Act (ATSA) was enacted in November 
2001.[Footnote 5] Among other things, ATSA required TSA to work with 
airport operators to strengthen access control points in secure areas 
and consider using biometric access control systems to verify the 
identity of individuals who seek to enter a secure airport area. In 
response to ATSA, TSA established the TWIC program in December 2001 to 
mitigate the threat of terrorists and other unauthorized persons from 
accessing secure areas of the entire transportation network, by 
creating a common identification credential that could be used by 
workers in all modes of transportation.[Footnote 6] In November 2002, 
the Maritime Transportation Security Act of 2002 (MTSA) was enacted and 
required the Secretary of Homeland Security to issue a maritime worker 
identification card that uses biometrics, such as fingerprints, to 
control access to secure areas of seaports and vessels, among other 
things.[Footnote 7] 

The responsibility for securing the nation's transportation system and 
facilities is shared by federal, state, and local governments, as well 
as the private sector. At the federal government level, TSA, the agency 
responsible for the security of all modes of transportation, has taken 
the lead in developing the TWIC program, while the Coast Guard is 
responsible for developing maritime security regulations and ensuring 
that maritime facilities and vessels are in compliance with these 
regulations. As a result, TSA and the Coast Guard are working together 
to implement TWIC in the maritime sector. Most seaports, airports, mass 
transit stations, and other transportation systems and facilities in 
the United States are owned and operated by state and local government 
authorities and private companies. As a result, certain components of 
the TWIC program, such as installing card readers, will be the 
responsibility of these state and local governments and private 
industry stakeholders. 

TSA--through a private contractor--tested the TWIC program from August 
2004 to June 2005 at 28 transportation facilities around the nation, 
including 22 port facilities, 2 airports, 1 rail facility, 1 maritime 
exchange, 1 truck stop, and a U.S. postal service facility. In August 
2005, TSA and the testing contractor completed a report summarizing the 
results of the TWIC testing. TSA also hired an independent contractor 
to assess the performance of the TWIC testing contractor. Specifically, 
the independent contractor conducted its assessment from March 2005 to 
January 2006, and evaluated whether the testing contractor met the 
requirements of the testing contract. The independent contractor issued 
its final report on January 25, 2006. 

Since its creation, the TWIC program has received about $79 million in 
funding for program development. (See table 1.) 

Table 1: TWIC Program Funding from Fiscal Years 2002 to 2007 (Dollars 
in millions): 

Fiscal Year: 2002; 
Appropriated: 0; 
Reprogramming: 0; 
Adjustments: 0; 
Total funding: 0. 

Fiscal Year: 2003; 
Appropriated: $5.0; 
Reprogramming: 0; 
Adjustments: 0; 
Total funding: $5.0. 

Fiscal Year: 2004; 
Appropriated: $49.7; 
Reprogramming: 0; 
Adjustments: 0; 
Total funding: $49.7. 

Fiscal Year: 2005; 
Appropriated: $5.0; 
Reprogramming: 0; 
Adjustments: 0; 
Total funding: $5.0. 

Fiscal Year: 2006; 
Appropriated: 0; 
Reprogramming: $15.0; 
Adjustments: 0; 
Total funding: $15.0. 

Fiscal Year: 2007; 
Appropriated: 0; 
Reprogramming: 0; 
Adjustments: $4.7; 
Total funding: $4.7. 

Fiscal Year: Total; 
Appropriated: $59.7; 
Reprogramming: $15.0; 
Adjustments: $4.7; 
Total funding: $79.4. 

Source: TSA. 

Note: TSA's fiscal year 2008 congressional justification includes $26.5 
million in authority to collect fees from transportation workers for 
TWIC cards. 

[End of table] 

Key Components of the TWIC Program: 

The TWIC program is designed to enhance security using several key 
components (see fig. 1). These include: 

* Enrollment: Transportation workers will be enrolled in the TWIC 
program at enrollment centers by providing personal information, such 
as a social security number and address, and be photographed and 
fingerprinted. For those workers who are unable to provide quality 
fingerprints, TSA is to collect an alternate authentication identifier. 

* Background checks: TSA will conduct background checks on each worker 
to ensure that individuals do not pose a security threat. These will 
include several components. First, TSA will conduct a security threat 
assessment that may include, for example, terrorism databases or 
terrorism watch lists, such as TSA's No-fly and selectee lists. Second, 
a Federal Bureau of Investigation criminal history records check will 
be conducted to identify if the worker has any disqualifying criminal 
offenses. Third, workers' immigration status and mental capacity will 
be checked. Workers will have the opportunity to appeal the results of 
the threat assessment or request a waiver in certain limited 
circumstances. 

* TWIC card production: After TSA determines that a worker has passed 
the background check, the worker's information is provided to a federal 
card production facility where the TWIC card will be personalized for 
the worker, manufactured, and then sent back to the enrollment center. 

* Card issuance: Transportation workers will be informed when their 
cards are ready to be picked up at enrollment centers. Once a card has 
been issued, workers will present their TWIC cards to security 
officials when they seek to enter a secure area and in the future will 
enter secure areas through biometric card readers. 

Figure 1: Overview of the TWIC process: 

[See PDF for image] 

Source: GAO analysis of TSA information. 

[End of figure] 

TSA Has Made Progress since September 2006 in Implementing the TWIC 
Program: 

Since we issued our report on the TWIC program in September 2006, TSA 
has made progress toward implementing the TWIC program and addressing 
several of the problems that we previously identified regarding 
contract oversight and planning and coordination with stakeholders. In 
January 2007, TSA and the Coast Guard issued a TWIC rule that sets 
forth the requirements for enrolling workers and issuing TWIC cards to 
workers in the maritime sector and awarded a $70 million contract for 
enrolling workers in the TWIC program. TSA is also taking steps 
designed to address requirements in the SAFE Port Act regarding the 
TWIC program, such as establishing a rollout schedule for enrolling 
workers and issuing TWIC cards at ports and conducting a pilot program 
to test TWIC access control technologies. TSA has also taken steps to 
strengthen TWIC contract planning and oversight and improve 
communication and coordination with its maritime stakeholders. Since 
September 2006, TSA reported that it has added staff with program and 
contract management expertise to help oversee the TWIC enrollment 
contract and taken additional steps to help ensure that contract 
requirements are met. In addition, TSA has also focused on improving 
communication and coordination with maritime stakeholders, such as 
developing plans for conducting public outreach and education efforts. 

TSA Issued a TWIC Rule and Awarded a Contract to Begin Enrolling 
Workers and Issuing TWIC Cards This Year: 

On January 25, 2007, TSA and the Coast Guard issued a rule that sets 
forth the regulatory requirements for enrolling workers and issuing 
TWIC cards to workers in the maritime sector. Specifically, the TWIC 
rule provides that workers and merchant mariners requiring unescorted 
access to secure areas of maritime facilities and vessels must enroll 
in the TWIC program, undergo a background check, and obtain a TWIC card 
before such access is granted. In addition, the rule requires owners 
and operators of maritime facilities and vessels to change their 
existing access control procedures to ensure that merchant mariners and 
any other individual seeking unescorted access to a secure area of a 
facility or vessel has a TWIC. Table 2 describes the specific 
requirements in the TWIC rule. 

Table 2: Requirements in the TWIC Rule: 

Requirement: Transportation workers; 
Description of requirement: Individuals who require unescorted access 
to secure areas of maritime facilities and vessels and all merchant 
mariners must obtain a TWIC card before such access is granted. 

Requirement: Fees; 
Description of requirement: All workers applying for a TWIC card will 
pay a fee of $137 to cover the costs associated with the TWIC program. 
Workers that have already undergone a federal threat assessment 
comparable to the one required to obtain a TWIC will pay a reduced fee 
of $105. The interim replacement fee for a TWIC card will be $36. 

Requirement: Access to secure areas of maritime facilities and vessels; 
Description of requirement: By no later than September 25, 2008, 
facilities and vessels currently regulated by the Maritime 
Transportation Security Act must change their current access control 
procedures to ensure that any individual or merchant mariner seeking 
unescorted access to a secure area has a TWIC card. 

Requirement: Newly hired workers and escorting procedures; 
Description of requirement: Newly hired workers, who have applied for, 
but have not received their TWIC card, will be allowed access to secure 
areas for 30 days as long as they meet specified criteria, such as 
passing a TSA name-based background check, and only while accompanied 
by another employee with a TWIC card. Individuals that need to enter a 
secure area but do not have a TWIC card must be escorted at all times 
by individuals with a TWIC card. 

Requirement: Background checks; 
Description of requirement: All workers applying for a TWIC card must 
provide specific types of personal information and fingerprints to TSA 
to conduct a security threat assessment, that includes an FBI 
fingerprint-based criminal history records check, and an immigration 
status check. In order to receive a TWIC card, workers must not have 
been incarcerated or convicted of certain crimes within prescribed time 
periods, must have legal presence or authorization to work in the 
United States, have no connection to terrorist activity, and cannot 
have been found as lacking lack mental capacity or have been committed 
to a mental health facility. 

Requirement: Appeals and waiver process; 
Description of requirement: All TWIC applicants will have the 
opportunity to appeal a background check disqualification through TSA 
or apply to TSA for a waiver, either during the application process, or 
after being disqualified for certain crimes, mental incapacity, or are 
aliens in Temporary Protected Status. Applicants who appeal or seek a 
waiver and are denied by TSA may seek review by an administrative law 
judge. 

Requirement: Access control systems; 
Description of requirement: The Coast Guard will conduct unannounced 
checks to confirm the identity of TWIC card holders using hand-held 
biometric card readers to check the biometric on the TWIC card against 
the person presenting the card. In addition, security personnel will 
conduct visual inspections of the TWIC cards and look for signs of 
tampering or forgery when a worker enters a secure area. 

Source: GAO analysis of TWIC rule. 

[End of table] 

The TWIC rule does not include the requirements for owners and 
operators of maritime facilities and vessels to purchase and install 
TWIC access control technologies, such as biometric TWIC card readers. 
As a result, the TWIC card will initially serve as a visual identity 
badge until access control technologies are required to verify the 
credentials when a worker enters a secure area. According to TSA, 
during the program's initial implementation, workers will present their 
TWIC cards to authorized security personnel, who will compare the 
cardholder to his or her photo and inspect the card for signs of 
tampering. In addition, the Coast Guard will verify TWIC cards when 
conducting vessel and facility inspections and during spot checks using 
hand-held biometric card readers to ensure that credentials are valid. 
According to TSA, the requirements for TWIC access control technologies 
will be set forth in a second proposed rule to be issued in 2008, at 
which time TSA will solicit public comments and hold public meetings. 

As part of the TWIC rule, TSA is also taking steps designed to address 
various requirements of the SAFE Port Act including that it implement 
TWIC at the 10 highest risk ports by July 1, 2007. According to TSA, 
the agency has categorized ports based on risk and has developed a 
schedule for implementing TWIC at these ports to address the deadlines 
in the SAFE Port Act. In addition, TSA is currently planning to conduct 
a pilot program at five maritime locations to test TWIC access control 
technologies, such as biometric card readers, in the maritime 
environment. According to TSA, the agency is partnering with the ports 
of Los Angeles and Long Beach to test TWIC access control technologies 
and plans to select additional ports to participate in the pilot in the 
near future. TSA and Port of Los Angeles officials told us that ports 
participating in the pilot will be responsible for paying for the costs 
of the pilot and plan to use federal port security grant funds for this 
purpose. According to TSA, the agency plans to begin the pilot in 
conjunction with the issuance of TWIC cards so the access control 
technologies can be tested with the cards that are issued to workers. 
Once the pilot has been completed, TSA plans to use the results in 
developing its proposed rule on TWIC access control technologies. 

Following the issuance of the TWIC rule in January 2007, TSA awarded a 
$70 million contract to a private company to enroll the estimated 
770,000 workers required to obtain a TWIC card. According to TSA 
officials, the contract costs include $14 million for the operations 
and maintenance of the TWIC identity management system that contains 
information on workers enrolled in the TWIC program, $53 million for 
the cost of enrolling workers, and $3 million designated to award the 
enrollment contractor in the event of excellent performance. TSA 
officials stated that they are currently transitioning the TWIC systems 
to the enrollment contractor and testing these systems to ensure that 
they will function effectively during nationwide implementation. TSA 
originally planned to begin enrolling workers at the first port by 
March 26, 2007--the effective date of the TWIC rule. However, according 
to TSA officials, initial enrollments have been delayed. While TSA 
officials did not provide specific reasons for the delay, officials 
from the port where enrollments were to begin told us that software 
problems were the cause of the delay, and could postpone the first 
enrollments until May 2007. In addition, TSA and the Coast Guard have 
not set a date by which workers will be required to posses a TWIC card 
to access secure areas of maritime facilities and vessels. According to 
the TWIC rule, once the agency determines at which ports TWIC will be 
implemented and by what date, this schedule will be posted to the 
Federal Register. 

TSA Has Taken Steps to Strengthen Contract Planning and Oversight and 
Better Coordinate with Maritime Industry Stakeholders: 

Since we issued our September 2006 report, TSA has taken several steps 
designed to strengthen contract planning and oversight. We previously 
reported that TSA experienced problems in planning for and overseeing 
the contract to test the TWIC program, which contributed to a doubling 
of TWIC testing contract costs and a failure to test all key components 
of the TWIC program. We recommended that TSA strengthen contract 
planning and oversight before awarding a contract to implement the TWIC 
program. TSA acknowledged these problems and has taken steps to address 
our recommendations. Specifically, TSA has taken the following steps 
designed to strengthen contract planning and oversight. 

* Added staff with expertise in technology, acquisitions, and contract 
and program management to the TWIC program office. 

* Established a TWIC program control office to help oversee contract 
deliverables and performance. 

* Established monthly performance management reviews and periodic site 
visits to TWIC enrollment centers to verify performance data reported 
by the contractor. 

* Required the enrollment contactor to survey customer satisfaction as 
part of contract performance. 

In addition to these steps, TSA has established a TWIC quality 
assurance surveillance plan that is designed to allow TSA to track the 
enrollment contractor's performance in comparison to acceptable quality 
levels. This plan is designed to provide financial incentives for 
exceeding these quality levels and disincentives, or penalties, if they 
are not met. According to the plan, the contractor's performance will 
be measured against established milestones and performance metrics that 
the contractor must meet for customer satisfaction, enrollment time, 
number of failures to enroll, and TWIC help desk response times, among 
others. TSA plans to monitor the contractor's performance through 
monthly performance reviews and by verifying information on performance 
metrics provided by the contractor. 

In addition to contract planning and oversight, TSA has also taken 
steps designed to address problems that were identified in our 
September 2006 report regarding communication and coordination with 
maritime stakeholders. We previously reported that stakeholders at all 
15 TWIC testing locations that we visited cited poor communication and 
coordination by TSA during testing of the TWIC program. For example, 
TSA never provided the final results or report on TWIC testing to 
stakeholders that participated in the test, and some stakeholders 
stated that communication from TSA would stop for months at a time 
during testing. We recommended that TSA closely coordinate with 
maritime industry stakeholders and establish a communication and 
coordination plan to capture and address the concerns of stakeholders 
during implementation. TSA acknowledged that the agency could have 
better communicated with stakeholders at TWIC testing locations and has 
reported taking several steps to strengthen communication and 
coordination since September 2006. For example, TSA officials told us 
that the agency developed a TWIC communication strategy and plan that 
describes how the agency will communicate with the owners and operators 
of maritime facilities and vessels, TWIC applicants, unions, industry 
associations, Coast Guard Captains of the Port, and other interested 
parties. In addition, TSA required that the enrollment contractor 
establish a plan for communicating with stakeholders. 

TSA, the Coast Guard, and the enrollment contractor have taken 
additional steps designed to ensure close coordination and 
communication with the maritime industry. These steps include: 

* Posting frequently asked questions on the TSA and Coast Guard Web- 
sites. 

* Participating in maritime stakeholder conferences and briefings. 

* Working with Coast Guard Captains of the Ports and the National 
Maritime Security Advisory Committee to communicate with local 
stakeholders. 

* Conducting outreach with maritime facility operators and port 
authorities, including informational bulletins and fliers. 

* Creating a TWIC stakeholder communication committee chaired by TSA, 
the Coast Guard, and enrollment contractor, with members from 15 
maritime industry stakeholder groups. According to TSA, this committee 
will meet twice per month during the TWIC implementation. 

Several stakeholders we recently spoke to confirmed that TSA and its 
enrollment contractor have placed a greater emphasis on communicating 
and coordinating with stakeholders during implementation and on 
correcting past problems. For example, an official from the port where 
TWIC will first be implemented stated that, thus far, communication, 
coordination, and outreach by TSA and its enrollment contractor have 
been excellent, and far better than during TWIC testing. In addition, 
the TWIC enrollment contactor has hired a separate subcontractor to 
conduct a public outreach campaign to inform and educate the maritime 
industry and individuals that will be required to obtain a TWIC card 
about the program. For example, the port official stated that the 
subcontractor is developing a list of trucking companies that deliver 
to the port, so information on the TWIC enrollment requirements can be 
mailed to truck drivers. 

TSA and Industry Stakeholders Need to Address Challenges to Ensure the 
TWIC Program Is Implemented Successfully: 

TSA and maritime industry stakeholders need to address several 
challenges to ensure that the TWIC program can be implemented 
successfully. As we reported in September 2006, TSA and its enrollment 
contractor face the challenge of transitioning from limited testing of 
the TWIC program to successful implementation of the program on a much 
larger scale covering 770,000 workers at about 3,500 maritime 
facilities and 5,300 vessels. Maritime stakeholders we spoke to 
identified additional challenges to implementing the TWIC program that 
warrant attention by TSA and its enrollment contractor, including 
educating workers on the new TWIC requirements, ensuring that 
enrollments begin in a timely manner, and processing numerous 
background checks, appeals, and waiver applications. Furthermore, TSA 
and industry stakeholders also face difficult challenges in ensuring 
that TWIC access control technologies will work effectively in the 
maritime environment, be compatible with TWIC cards that will be issued 
soon, and balance security with the flow of maritime commerce. 

TSA and Its Contractor Face Challenges in Enrolling and Issuing TWIC 
Cards to Large Populations of Workers at Numerous Port Facilities and 
Vessels: 

In September of 2006, we reported that TSA faced the challenge of 
enrolling and issuing TWIC cards to a significantly larger population 
of workers in a timely manner than was done during testing of the TWIC 
program. In testing the TWIC program, TSA enrolled and issued TWIC 
cards to only about 1,700 workers at 19 facilities, well short of its 
goal of 75,000. According to TSA and the testing contractor, the lack 
of volunteers to enroll in the TWIC program testing and technical 
difficulties in enrolling workers, such as difficulty in obtaining 
workers' fingerprints to conduct background checks, led to fewer 
enrollments than expected. TSA reports that it used the testing 
experience to make improvements to the enrollment and card issuance 
process and has taken steps to address the challenges that we 
previously identified. For example, TSA officials stated that the 
agency will use a faster and easier method of collecting fingerprints 
than was used during testing and will enroll workers individually 
during implementation, as opposed to enrolling in large groups, as was 
done during testing. In addition, the TWIC enrollment contract 
Statement of Work requires the contractor to develop an enrollment test 
and evaluation program to ensure that enrollment systems function as 
required under the contract. Such a testing program will be valuable to 
ensure that these systems work effectively prior to full-scale 
implementation. We also reported that TSA faced the challenge of 
ensuring that workers are not providing false information and 
counterfeit identification documents when they enroll in the TWIC 
program. According to TSA, the TWIC enrollment process to be used 
during implementation will use document scanning and verification 
software to help determine if identification documents are fraudulent, 
and personnel responsible for enrolling workers will be trained to 
identify fraudulent documents. 

Since we issued our report in September 2006, we have also identified 
additional challenges to implementing the TWIC program that warrant 
attention by TSA and its enrollment contractor. We recently spoke with 
some maritime stakeholders that participated in TWIC testing and that 
will be involved in the initial implementation of the program to 
discuss their views on the challenges of enrolling and issuing TWIC 
cards to workers. These stakeholders expressed concerns regarding the 
following issues: 

Educating workers: TSA and its enrollment contractor face a challenge 
in identifying all workers that are required to obtain a TWIC card, 
educating them about how to enroll and receive a TWIC card, and 
ensuring that they enroll and receive a TWIC card by the deadlines to 
be established by TSA and the Coast Guard. For example, while 
longshoremen who work at a port every day may be aware of the new TWIC 
requirements, truck divers that deliver to the port may be located in 
different states or countries, and may not be aware of the 
requirements. 

Timely enrollments: One stakeholder expressed concern about the 
challenges the enrollment contactor faces in enrolling workers at his 
port. For example, at this port, the enrollment contactor has not yet 
begun to lease space to install enrollment centers--which at this port 
could be a difficult and time-consuming task due to the shortage of 
space. Stakeholders we spoke to also suggested that until TSA 
establishes a deadline for when TWIC cards will be required at ports, 
workers will likely procrastinate in enrolling, which could make it 
difficult for the contractor to enroll large populations of workers in 
a timely manner. 

Background checks: Some maritime organizations are concerned that many 
of their workers will be disqualified from receiving a TWIC card by the 
background check. These stakeholders emphasized the importance of TSA 
establishing a process to ensure timely appeals and waivers process for 
the potentially large population of workers that do not pass the check. 
According to TSA, the agency already has established processes for 
conducting background checks, appeals, and waivers for other background 
checks of transportation workers. In addition, TSA officials stated 
that the agency has established agreements with the Coast Guard to use 
their administrative law judges for appeal and waiver cases and plans 
to use these processes for the TWIC background check. 

TSA and Industry Stakeholders Face Challenges in Ensuring That TWIC 
Access Control Technologies Work Effectively and Balancing Security 
with the Flow of Maritime Commerce: 

In our September 2006 report, we noted that TSA and maritime industry 
stakeholders faced significant challenges in ensuring that TWIC access 
control technologies, such as biometric card readers, worked 
effectively in the maritime sector. Few facilities that participated in 
TWIC testing used biometric card readers that will be required to read 
the TWIC cards in the future. As a result, TSA obtained limited 
information on the operational effectiveness of biometric card readers, 
particularly when individuals use these readers outdoors in the harsh 
maritime environment, where they can be affected by dirt, salt, wind, 
and rain. In addition, TSA did not test the use of biometric card 
readers on vessels, although they will be required on vessels in the 
future. Also, industry stakeholders we spoke to were concerned about 
the costs of implementing and operating TWIC access control systems, 
linking card readers to their local access control systems, connecting 
to TSA's national TWIC database to obtain updated security information 
on workers, and how biometric card readers would be implemented and 
used on vessels and how these vessels would communicate with TSA's 
national TWIC database remotely. Because of comments regarding TWIC 
access control technology challenges that TSA received from maritime 
industry stakeholders on the TWIC proposed rule, TSA decided to exclude 
all access control requirements from the TWIC rule issued in January 
2007. Instead, TSA plans to issue a second proposed rule pertaining to 
access control requirements in 2008, which will allow more time for 
maritime stakeholders to comment on the technology requirements and TSA 
to address the challenges that we and stakeholders identified. 

Our September 2006 report also highlighted the challenges that TSA and 
industry stakeholders face in balancing the security benefits of the 
TWIC program with the impact the program could have on maritime 
commerce. If implemented effectively, the security benefits of the TWIC 
program in preventing a terrorist attack could save lives and avoid a 
costly disruption in maritime commerce. Alternatively, if key 
components of the TWIC program, such as biometric card readers, do not 
work effectively, they could slow the daily flow of maritime commerce. 
For example, if workers or truck drivers have problems with their 
fingerprint verifications on biometric card readers, they could create 
long queues delaying other workers or trucks waiting in line to enter 
secure areas. Such delays could be very costly in terms of time and 
money to maritime facilities. Some stakeholders we spoke to also 
expressed concern with applying TWIC access control requirements to 
small facilities and vessels. For example, smaller vessels could have 
crews of less than 10 persons, and checking TWIC cards each time a 
person enters a secure area may not be necessary. TSA acknowledged the 
potential impact that the TWIC program could have on the flow of 
maritime commerce and plans to obtain additional public comments on 
this issue from industry stakeholders and develop solutions to these 
challenges in the second rulemaking on access control technologies. 

In our September 2006 report, we recommended that TSA conduct 
additional testing to ensure that TWIC access control technologies work 
effectively and that the TWIC program balances the added security of 
the program with the impact that it could have on the flow of maritime 
commerce. As required by the SAFE Port act, TSA plans to conduct a 
pilot program to test TWIC access control technologies in the maritime 
environment. According to TSA, the pilot will test the performance of 
biometric card readers at various maritime facilities and on vessels as 
well as the impact that these access control systems have on facilities 
and vessel business operations. TSA plans to use the results of this 
pilot to develop the requirements and procedures for implementing and 
using TWIC access control technologies in the second rulemaking. 

Conclusion: 

Preventing unauthorized persons from entering secure areas of the 
nation's ports and other transportation facilities is critical to 
preventing a terrorist attack. The TWIC program was initiated in 
December 2001 to mitigate the threat of terrorists accessing secure 
areas. Since our September 2006 report, TSA has made progress toward 
implementing the program, including issuing a TWIC rule, taking steps 
to implement requirements of the SAFE Port Act, and awarding a contract 
to enroll workers in the program. While TSA plans to begin enrolling 
workers and issuing TWIC cards in the next few months, it is important 
that the agency establish clear and reasonable timeframes for 
implementing TWIC. TSA officials told us that the agency has taken 
steps to improve contract oversight and communication and coordination 
with its maritime TWIC stakeholders since September 2006. While the 
steps that TSA reports taking should help to address the contract 
planning and oversight problems that we have previously identified and 
recommendations we have made, the effectiveness of these steps will not 
be clear until implementation of the TWIC program begins. In addition, 
significant challenges remain in enrolling about 770,000 persons at 
about 3,500 facilities in the TWIC program. As a result, it is 
important that TSA and the enrollment contractor make communication and 
coordination a priority to ensure that all individuals and 
organizations affected by the TWIC program are aware of their 
responsibilities. Further, TSA and industry stakeholders need to 
address challenges regarding enrollment and TWIC access control 
technologies to ensure that the program is implemented effectively. It 
is important that TSA and the enrollment contractor develop a strategy 
to ensure that any potential problems that these challenges could cause 
are addressed during TWIC enrollment and card issuance. Finally, it 
will be critical that TSA ensure that the TWIC access control 
technology pilot program fully test all aspects of the TWIC program on 
a full scale in the maritime environment and the results be used to 
ensure a successful implementation of these technologies in the future. 

Mr. Chairman, this concludes my statement. I would be pleased to answer 
any questions that you or other members of the committee may have at 
this time. 

Contact Information: 

For further information on this testimony, please contact Norman J. 
Rabkin at (202) 512-8777 or at rabkinn@gao.gov. Individuals making key 
contributions to this testimony include John Hansen, Chris Currie, 
Nicholas Larson, and Geoff Hamilton. 

FOOTNOTES 

[1] GAO, Port Security: Better Planning Needed to Develop and Operate 
Maritime Worker Identification Card Program, GAO-05-106 (Washington, 
D.C.: December 2004), and Transportation Security: DHS Should Address 
Key Challenges before Implementing the Transportation Worker 
Identification Credential Program, GAO-06-982 (Washington, D.C.: 
September 2006). 

[2] Pub. L. No.109-347,120 Stat.1884,1889 (2006). 

[3] TSA estimated the total number of workers, facilities, and vessels 
affected by the TWIC rule in the Regulatory Impact Assessment of the 
TWIC rule. 

[4] Testimony of the Director of Homeland Security, Port of Los 
Angeles, before the United States Senate Committee on Commerce, 
Science, and Transportation, May 16, 2006. 

[5] Pub. L. No. 107-71, 115 Stat. 597 (2001). 

[6] TSA was transferred from the Department of Transportation to the 
Department of Homeland Security pursuant to requirements in the 
Homeland Security Act of 2002 (Pub. L. No. 107-296, 116 Stat. 2135 
(2002). 

[7] Pub. L. No. 107-295, 116 Stat. 2064 (2002). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates.": 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm: 

E-mail: fraudnet@gao.gov: 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800: 

U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: