GAO-08-1151T, Transportation Security: Transportation Worker Identification Credential: A Status Update


This is the accessible text file for GAO report number GAO-08-1151T 
entitled 'Transportation Security: Transportation Worker Identification 
Credential: A Status Update' which was released on September 19, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Subcommittee on Border, Maritime and Global 
Counterterrorism, Committee on Homeland Security, House of 
Representatives: 

United States Government Accountability Office: 

GAO: 

For Release on Delivery Expected at 10:00 a.m. EDT: 

Wednesday, September 17, 2008: 

Transportation Security: 

Transportation Worker Identification Credential: A Status Update: 

Statement of Stephen M. Lord, Acting Director Homeland Security and 
Justice Issues: 

GAO-08-1151T: 

GAO Highlights: 

Highlights of GAO-08-1151T, a testimony before the Subcommittee on 
Border, Maritime, and Global Counterterrorism, Committee on Homeland 
Security, House of Representatives. 

Why GAO Did This Study: 

U.S. transportation systems and the estimated 4,000 transportation 
facilities move over 30 million tons of freight and provide an 
estimated 1.1 billion passenger trips each day. Since 2001 the 
Transportation Security Administration (TSA), part of the Department of 
Homeland Security (DHS) has protected these systems and facilities from 
terrorist attack. One program TSA utilizes is the Transportation Worker 
Identification Credential (TWIC) program, through which a common 
credential is being developed for transportation workers with access to 
secure areas. Ultimately planned for all transportation sectors, TSA, 
in cooperation with the U.S. Coast Guard, is initially focusing the 
TWIC program on the maritime sector. 

This testimony discusses (1) the progress made in implementing the TWIC 
program and (2) some of the remaining program challenges. This 
testimony is based on GAO’s September 2006 TWIC report, as well as 
selected updates and ongoing work. To conduct this work, GAO reviewed 
program requirements and guidance, documentation on the status of the 
TWIC program, and interviewed program officials from TSA and the Coast 
Guard. 

What GAO Found: 

Since GAO’s 2006 report on the TWIC program, TSA and the Coast Guard 
have made progress in addressing legislative requirements and 
implementing and testing the program through a prototype and pilot, as 
well as addressing GAO recommendations related to conducting additional 
systems testing. Although GAO has not yet evaluated the effectiveness 
of TSA’s and the Coast Guard’s efforts, the two agencies have taken the 
following actions to continue to implement the TWIC program: 

* In January 2007, TSA and the Coast Guard issued the first rule in 
federal regulation to govern the TWIC program, setting the requirements 
for enrolling maritime workers in the TWIC program and issuing TWICs to 
these workers. The Coast Guard issued complementary guidance in July 
2007 to explain how the maritime industry is to comply with these 
requirements. 

* Enrollment efforts began at the Port of Wilmington, Delaware, in 
October 2007, and additional enrollments are under way through a 
contractor. Of the 1.2 million identified TWIC users, 492,928 (41 
percent) were enrolled as of September 12, 2008. 

* The TWIC program has initiated its TWIC Reader pilot to test card 
reader technology for use in controlling access to secure areas of 
maritime transportation facilities and vessels, and assess the impact 
of their installation on maritime operations. This pilot is expected to 
inform the development of a second TWIC rule on implementing access 
controls in the maritime environment. 

TSA and the maritime industry continue to face two potential challenges 
in implementing the TWIC program. 

* TSA and its enrollment contractor continue to face challenges in 
enrolling and issuing TWICs to a significantly larger population than 
was done during TWIC program prototype testing. TSA and its enrollment 
contractor now plan to enroll and issue TWICs to an estimated target 
population of 1.2 million workers by April 15, 2009, compared to 
770,000 workers estimated in January 2007. Over 700,000 additional 
workers (59 percent of projected enrollees) still need to be enrolled 
in the program by the April 15, 2009 deadline. 

* TSA and industry stakeholders will need to ensure that TWIC access 
control technologies perform effectively in the harsh maritime 
environment and balance security requirements with the flow of maritime 
commerce. While testing is underway, the lessons learned of the ongoing 
tests remain to be distilled and used to inform the development of 
additional regulatory requirements 

What GAO Recommends: 

GAO has previously recommended that TSA conduct additional testing of 
the TWIC program to help ensure that all key components work 
effectively. TSA agreed with this recommendation and has taken action 
to implement it. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1151T]. For more 
information, contact Stephen M. Lord at (202) 512-4379 or 
lords@gao.gov. 

[End of section] 

Madame Chairwoman and Members of the Subcommittee: 

Thank you for inviting me to participate in today's hearing on the 
status of the Transportation Security Administration's (TSA) 
Transportation Worker Identification Credential (TWIC) program. The 
TWIC program was created to help protect the nation's transportation 
facilities from the threat of terrorism by issuing identification cards 
only to workers who are not known to pose a terrorist threat and 
allowing these workers unescorted access to secure areas of the 
transportation system. Key aspects of the TWIC program include 
collecting personal and biometric information, such as fingerprints, to 
validate workers' identities; conducting background checks on 
transportation workers to ensure that they do not pose a security 
threat; and issuing tamper-resistant, biometric credentials, such as 
identification cards, for use in granting workers unescorted access to 
secure areas. The TWIC program is ultimately intended to support all 
modes of transportation. However, TSA, in partnership with the Coast 
Guard, is focusing initial implementation on the maritime sector. 

The TWIC program was established to respond to the provisions of 
several pieces of legislation and subsequent programming decisions. In 
the aftermath of the September 11, 2001, terrorist attacks, the 
Aviation and Transportation Security Act (ATSA)[Footnote 1] was enacted 
in November 2001 and, among other things, requires TSA, an agency 
within the Department of Homeland Security (DHS), to work with airport 
operators to strengthen access control points in secure areas and 
consider using biometric access control systems[Footnote 2] to verify 
the identity of individuals who seek to enter a secure airport area. In 
response to ATSA, TSA established the TWIC program in December 2001. 
Enacted in November 2002, the Maritime Transportation Security Act of 
2002 (MTSA)[Footnote 3] required the Secretary of Homeland Security to 
issue a maritime worker identification card that uses biometrics to 
control access to secure areas of maritime transportation facilities 
and vessels. In addition, the Security and Accountability For Every 
(SAFE) Port Act of 2006 amended MTSA to direct the Secretary of 
Homeland Security to, among other things, implement the TWIC Program at 
the 10 highest-risk ports by July 1, 2007.[Footnote 4] TSA's 
responsibilities include enrolling TWIC users, conducting security 
threat assessments, and processing appeals to adverse TWIC 
qualification decisions. The Coast Guard is responsible for developing 
maritime security regulations and ensuring that maritime facilities and 
vessels are in compliance with these regulations. 

We have reported on the status of the development and testing of the 
TWIC program several times. Our 2004 report[Footnote 5] identified 
challenges that TSA faced in developing regulations and a comprehensive 
plan for managing the program, as well as several factors that caused 
TSA to miss initial deadlines for issuing TWICs. In September 2006, we 
reported[Footnote 6] on challenges TSA encountered during TWIC program 
testing and several problems related to contract planning and 
oversight. We have since provided updates to this work in April and 
October 2007.[Footnote 7] 

My testimony today focuses on (1) the progress made since September 
2006 in implementing the TWIC program and (2) some of the remaining 
challenges that TSA, the Coast Guard, and the maritime industry must 
overcome to ensure the successful implementation of the program. 
Today's observations are based on our September 2006 TWIC report, which 
reflects work conducted at TSA and the Coast Guard, as well as site 
visits to transportation facilities that participated in testing the 
TWIC program; our subsequent updates to this work issued in April and 
October 2007; and our ongoing review of the TWIC program initiated in 
July 2008. This current review of the implementation of the TWIC 
program will be published in 2009, and is being conducted for the 
Senate Committee on Commerce, Science, and Transportation; the House 
Committee on Homeland Security; and the House Committee on 
Transportation and Infrastructure. As part of our current engagement, 
we reviewed program documentation on the status of TWIC implementation; 
related guidance provided by the Coast Guard; information from maritime 
industry stakeholders, such as TWIC Stakeholder Communication Committee 
meeting minutes and reporting by the National Maritime Security 
Advisory Committee--an advisory council to DHS. In addition, we 
interviewed TWIC program officials from TSA--including the TWIC Program 
Director--and the Coast Guard regarding their efforts to implement the 
TWIC program and our prior recommendations although we did not 
independently assess the effectiveness of these efforts. We requested 
and received comments on the draft statement from TSA. We conducted 
this work from July 2008 through September 2008 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Summary: 

Since we reported on the TWIC program in September 2006,[Footnote 8] 
progress has been made in implementing the program. Although we have 
not yet independently assessed the effectiveness of these efforts, TSA 
and the Coast Guard have taken action to address legislative 
requirements to implement and test the program as well as our 
recommendations related to conducting additional systems testing. 
Specifically: 

* TSA and the Coast Guard issued the first TWIC rule in January 2007, 
which sets forth the requirements for enrolling maritime workers in the 
TWIC program and issuing TWICs to these workers. In July 2007 the Coast 
Guard issued guidance complementing the January 2007 TWIC rule. This 
guidance provides additional context for how the maritime industry is 
to comply with this TWIC rule. 

* Enrollment efforts have been underway. As of September 12, 2008, 
492,928 enrollees, or 41 percent of the anticipated 1.2 million TWIC 
users, have enrolled in the TWIC program. Further, 318,738 TWICs have 
been activated and issued. 

* The TWIC program initiated the TWIC reader pilot to test TWIC access 
control technologies and their impact on maritime operations. A second 
rule is planned to be issued on the use of TWIC access control 
technologies,[Footnote 9] including TWIC readers, for confirming the 
identity of the TWIC holder against the biometric information on the 
TWIC. However, TSA has not established a date for completing the pilot. 

TSA and maritime industry stakeholders face two potential challenges in 
implementing the TWIC program. 

* As we have previously reported, TSA and its enrollment contractor 
continue to face the challenge of enrolling and issuing TWICs to a 
significantly larger population of workers than was previously 
estimated. TSA and its enrollment contractor now plan to enroll and 
issue TWICs to an estimated target population of 1.2 million workers by 
April 15, 2009, compared to 770,000 workers estimated in January 
2007.[Footnote 10] While 492,928 enrollments (41 percent) out of an 
estimated target population of 1.2 million had been processed as of 
September 12, 2008, an additional 707,072 workers (59 percent) still 
need to be enrolled in the program by the April 15, 2009, deadline. 

* As highlighted in our prior work, TSA and industry stakeholders will 
need to ensure that TWIC readers perform effectively in the harsh 
maritime environment and balance security requirements with the flow of 
maritime commerce. However, since testing of how this technology works 
in practice and accumulating the lessons learned remains ongoing, TSA 
and Coast Guard have yet to incorporate the results of these tests into 
the second rule establishing the requirements and time frames for 
implementing TWIC access control technologies. Our ongoing work will 
assess how the results of this testing is used to inform the 
development of a second TWIC rule, and help ensure an appropriate 
balance between security and commerce requirements. 

Background: 

Securing transportation systems and facilities is complicated, 
requiring balancing security to address potential threats while 
facilitating the flow of people and goods. These systems and facilities 
are critical components of the U.S. economy and are necessary for 
supplying goods throughout the country and supporting international 
commerce. U.S. maritime transportation systems and facilities[Footnote 
11] move over 30 million tons of freight and provide approximately 1.1 
billion passenger trips each day. The ports of Los Angeles and Long 
Beach estimate that they alone handle about 43 percent of the nation's 
oceangoing cargo. The importance of these systems and facilities also 
makes them attractive targets to terrorists. 

These systems and facilities are vulnerable and difficult to secure 
given their size, easy accessibility, large number of potential 
targets, and proximity to urban areas. A terrorist attack on these 
systems and facilities could cause a tremendous loss of life and 
disruption to our society. An attack would also be costly. According to 
testimony by a Port of Los Angeles official, a 2002 labor dispute that 
led to a 10-day shutdown of West Coast port operations cost the 
nation's economy an estimated $1.5 billion per day.[Footnote 12] A 
terrorist attack at a port facility could have a similar or greater 
impact. 

One potential security threat stems from those individuals who work in 
secure areas of the nation's transportation system, including maritime 
transportation facilities, airports, railroad terminals, mass transit 
stations, and other transportation facilities. It is estimated that 
about 6 million workers, including longshoremen, mechanics, aviation 
and railroad employees, truck drivers, and others access secure areas 
of the nation's estimated 4,000 transportation facilities each day 
while performing their jobs. Some of these workers, such as truck 
drivers, regularly access secure areas at multiple transportation 
facilities. Ensuring that only workers who are not known to pose a 
terrorism security risk are allowed unescorted access to secure areas 
is important in helping to prevent an attack. 

TWIC Program History: 

In the aftermath of the September 11, 2001, terrorist attacks, the TWIC 
program was established in December 2001 to mitigate the threat of 
terrorists and other unauthorized persons from accessing secure areas 
of the entire transportation network, by creating a common 
identification credential that could be used by workers in all modes of 
transportation.[Footnote 13] As of September 2008 appropriated funds 
for the program totaled $103.4 million. Below are a number of key 
actions taken with respect to the implementation of the TWIC program. 

* November 2002: Enactment of the Maritime Transportation Security Act 
of 2002, which required the Secretary of Homeland Security to issue a 
maritime worker identification card that uses biometrics to control 
access to secure areas of maritime transportation facilities and 
vessels. 

* August 2004 through June 2005: As part of its prototype testing, TSA-
-through a private contractor--tested the TWIC program at 28 
transportation facilities across the country. 

* August 2006: TSA decided that the TWIC program would be implemented 
in the maritime sector using two separate rules. The first rule covers 
use of TWICs as a credential for gaining access to facilities and 
vessels. The second rule is planned to address the use of access 
control technologies, such as TWIC readers, for confirming the identity 
of the TWIC holder against the biometric information on the TWIC. 

* October 2006: The SAFE Port Act directed the Secretary of Homeland 
Security to, among other things, implement the TWIC program at the 10 
highest-risk ports by July 1, 2007, and to conduct a pilot program to 
test TWIC access control technologies, such as TWIC readers, in the 
maritime environment. 

* January 2007: TSA and the Coast Guard issued a rule requiring worker 
enrollment and TWIC issuance. TSA also awarded a $70 million contract 
to begin enrolling workers and issuing TWICs to workers. 

* July 2007: The Coast Guard issued guidance on how the maritime 
industry is to comply with the January 2007 TWIC rule and how the Coast 
Guard will implement TWIC compliance efforts. 

* June 2008: As part of the TWIC reader pilot, TSA issued an agency 
announcement calling for biometric card readers to be submitted for 
assessment as TWIC readers. 

Key Components of the TWIC Program: 

The TWIC program includes several key components: 

* Enrollment: Transportation workers will be enrolled in the TWIC 
program at enrollment centers by providing personal information, such 
as name, date of birth, and address, and will be photographed and 
fingerprinted. For those workers who are unable to provide quality 
fingerprints, TSA is to collect an alternate authentication identifier. 

* Background checks: TSA will conduct background checks on each worker 
to ensure that individuals do not pose a security threat. These will 
include several components. First, TSA will conduct a security threat 
assessment that may include, for example, checks of terrorism databases 
or watch lists, such as TSA's No-fly and selectee lists. Second, a 
Federal Bureau of Investigation criminal history records check will be 
conducted to identify if the worker has any disqualifying criminal 
offenses. Third, the worker's immigration status and prior 
determinations related to mental capacity will be checked. Workers will 
have the opportunity to appeal negative results of the threat 
assessment or request a waiver in certain circumstances. 

* TWIC production: After TSA determines that a worker has passed the 
background check, the worker's information is provided to a federal 
card production facility where the TWIC will be personalized for the 
worker, manufactured, and then sent back to the enrollment center. 

* Card issuance: Transportation workers are to be informed when their 
TWICs are ready to be picked up at enrollment centers. Once a TWIC has 
been activated and issued, workers may present their TWICs to security 
officials when they seek to enter a secure area, and in the future may 
use biometric card readers to verify identify. 

Progress Has Been Made in Implementing the TWIC Program: 

Several positive steps have been taken since our September 2006 
report[Footnote 14] toward successfully implementing the TWIC program. 
One key step was the issuance of the first TWIC rule by TSA and the 
Coast Guard in January 2007 establishing requirements for providing 
workers and merchant mariners access to maritime transportation 
facilities and vessels. To help facilitate the rule's implementation, 
in July 2007 the Coast Guard issued complementary guidance to help the 
maritime industry comply with the new TWIC regulations and facilitate 
the Coast Guard's implementation of TWIC-related compliance efforts. In 
addition, enrollment efforts have been under way, and 41 percent of the 
estimated 1.2 million people needing TWICs have been enrolled. Finally, 
the TWIC program has initiated the TWIC reader pilot and is moving 
forward in testing TWIC access control technologies and their impact on 
maritime operations. However, TSA has not established time frames for 
completing this pilot program, the results of which will be used to 
inform the second rulemaking related to TWIC access control 
technologies. 

TSA and the Coast Guard Issued a TWIC Rule, and Coast Guard Has Issued 
Complementary Guidance to Facilitate TWIC's Implementation: 

On January 25, 2007, TSA and the Coast Guard issued the first TWIC rule 
that, among other things, sets forth the regulatory requirements for 
enrolling workers and issuing TWICs to workers in the maritime sector. 
Specifically, this TWIC rule provides that workers and merchant 
mariners requiring unescorted access to secure areas of maritime 
transportation facilities and vessels must enroll in the TWIC program, 
undergo a background check, and obtain a TWIC before such access is 
granted. In addition, the rule requires owners and operators of MTSA- 
regulated maritime transportation facilities and vessels to change 
their existing access control procedures to ensure that a merchant 
mariner and any other individual seeking unescorted access to a secure 
area of a facility or vessel has a TWIC.[Footnote 15] Table 1 describes 
the key requirements in the first TWIC rule. 

Table 1: Key Requirements in the January 2007 TWIC Rule: 

Requirement: Transportation workers; 
Description of requirement: Individuals who require unescorted access 
to secure areas of maritime transportation facilities and vessels, and 
all merchant mariners, must obtain a TWIC before such access is 
granted. 

Requirement: Fees; 
Description of requirement: All workers applying for a TWIC will pay a 
fee of $132.50 to cover the costs associated with the TWIC program. 
Workers that have already undergone a federal threat assessment 
comparable to the one required to obtain a TWIC will pay a reduced fee 
of $105.25. The replacement fee for a TWIC will be $60. 

Requirement: Access to secure areas of maritime facilities and vessels; 
Description of requirement: By no later than April 15, 2009, facilities 
and vessels currently regulated under the Maritime Transportation 
Security Act must change their current access control procedures to 
ensure that any individual or merchant mariner seeking unescorted 
access to a secure area has a TWIC. 

Requirement: Newly hired workers and escorting procedures; 
Description of requirement: Newly hired workers who have applied for, 
but have not received, their TWIC, will be allowed access to secure 
areas for 30 days as long as they meet specified criteria, such as 
passing a TSA name-based background check, and only while accompanied 
by another employee with a TWIC. Individuals that need to enter a 
secure area but do not have a TWIC must be escorted at all times by 
individuals with a TWIC. 

Requirement: Background checks; 
Description of requirement: All workers applying for a TWIC must 
provide certain personal information and fingerprints to TSA so that 
they can conduct a security threat assessment, which includes a Federal 
Bureau of Investigation fingerprint-based criminal history records 
check, and an immigration status check. In order to qualify for a TWIC, 
workers must not have been incarcerated or convicted of certain 
disqualifying crimes must, have legal presence or authorization to work 
in the United States, must have no known connection to terrorist 
activity, and cannot have been adjudicated as lacking mental capacity 
or have been committed to a mental health facility. 

Requirement: Appeals and waiver process; 
Description of requirement: All TWIC applicants will have the 
opportunity to appeal a background check disqualification through TSA, 
or apply to TSA for a waiver of certain disqualifying factors, either 
during the application process or after being disqualified for certain 
crimes, mental incapacity, or if they are aliens in Temporary Protected 
Status. Applicants who apply for a waiver and are denied a TWIC by TSA, 
or applicants who are disqualified based on a determination that he or 
she poses a security threat, may, after an appeal, seek review by a 
Coast Guard administrative law judge. 

Requirement: Access control systems; 
Description of requirement: The Coast Guard will conduct unannounced 
inspections to confirm the identity of TWIC holders using hand-held 
biometric card readers (i.e., TWIC readers) to check the biometric on 
the TWIC against the person presenting the TWIC. In addition, security 
personnel will conduct visual inspections of the TWICs and look for 
signs of tampering or forgery when a worker enters a secure area. 

Source: GAO analysis of TWIC rule and TSA information. 

[End of table] 

The January 2007 TWIC rule does not currently require owners and 
operators of maritime transportation facilities and vessels to employ 
TWIC readers to verify the biometric feature (e.g., TWIC holder's 
fingerprints) of the TWIC. These requirements are to be issued under a 
second rule at a later date. As a result, the TWIC will initially serve 
as a visual identity badge (i.e., a "flash pass") until the new rule 
requires that TWIC access control technologies, such as TWIC readers, 
be installed to verify the credentials when a worker enters a secure 
area. According to TSA, during initial implementation, workers will 
present their TWICs to authorized security personnel, who will compare 
each TWIC holder to his or her photo and inspect the card for signs of 
tampering. In addition, the Coast Guard will verify TWICs when 
conducting vessel and facility inspections and during spot checks using 
handheld TWIC readers to ensure that credentials are valid. 

On July 2, 2007, the Coast Guard also issued some supplementary 
guidance to help facilitate implementation of the January 2007 TWIC 
rule. Among other issues, the Coast Guard's Navigation and Vessel 
Inspection Circular (NVIC) Number 03-07 is designed to clarify the TWIC 
enrollment and issuance process, the waiver and application process, 
and approaches for enforcing TWIC program compliance. For instance, 
with regard to TWIC enrollment, the NVIC provides guidance on applying 
for appeals to disqualification decisions. The NVIC also provides 
guidance for escorting non-TWIC holders in secure areas. Under current 
procedures, one TWIC holder is allowed to escort 10 non-TWIC holders in 
secure areas of a facility. 

TWIC Enrollment Efforts Are Progressing: 

As we reported in October 2007,[Footnote 16] following the issuance of 
the first TWIC rule in January 2007, TSA awarded a $70 million contract 
to a private contractor to enroll the then estimated 770,000 workers 
required to obtain TWICs. Since our last update, enrollment in the TWIC 
program has progressed. TSA began enrolling and issuing TWICs to 
workers at the Port of Wilmington, Delaware, on October 16, 2007. Since 
then, 148 of 149 enrollment centers have been opened to meet TWIC 
enrollment demand, with the remaining center scheduled to be opened by 
September 17, 2008. Additionally, according to TSA, mobile centers have 
been deployed on an as-needed basis. As of September 12, 2008, TSA 
reports 492,928 enrollments and 318,738 TWICs activated and issued. All 
maritime workers are expected to hold TWICs by the January 2007 TWIC 
rule's revised compliance deadline of April 15, 2009. 

TWIC Reader Pilot Has Been Initiated to Test TWIC-Related Access 
Control Technologies: 

In response to our recommendation,[Footnote 17] and as required by the 
Safe Port Act,[Footnote 18] TSA has initiated a pilot, known as the 
TWIC reader pilot, to test TWIC-related access control technologies. 
This pilot is intended to test the business processes, technology, and 
operational impacts resulting from the deployment of TWIC readers at 
secure areas of the marine transportation system. As such, the pilot is 
expected to test the viability of existing biometric card readers for 
use in reading TWICs within the maritime environment. It will also test 
the technical aspects of connecting existing access control systems at 
maritime transportation facilities and vessels to TWIC readers and 
databases containing the required biometric information, for confirming 
the identity of the TWIC holder against the biometric information on 
the TWIC. After the pilot has concluded, the results are expected to 
inform the development of the second rule requiring the deployment of 
TWIC readers for use in controlling access in the maritime environment. 
However, at this time, TSA officials do not yet have a date established 
for the completion of this pilot. Further, time frames for completing 
the second rule are not set. 

The TWIC reader pilot consists of three assessments with the results of 
each assessment intended to inform subsequent assessments. This testing 
is currently under way, and we will analyze the test results as part of 
our ongoing work. The three assessments are as follows: 

* Initial technical testing: This assessment is laboratory-based and is 
designed to determine if selected biometric card readers meet TWIC card-
reader specifications.[Footnote 19] These specifications include 
technical and environmental requirements deemed necessary for use in 
the harsh maritime environment. At the completion of initial technical 
testing, a formal test report will be developed to prioritize all 
problems with readers based on their potential to adversely impact the 
maritime transportation facility or vessel. Based on this assessment, 
readers with problems that would severely impact maritime operations 
are not to be recommended for use in the next phase of testing. At this 
time, TSA is conducting the initial technical testing portion of the 
TWIC reader pilot. As part of this assessment, in June 2008, TSA issued 
an announcement calling for biometric card readers to be submitted for 
assessment as TWIC readers. According to the TWIC Program Director, an 
initial round of TWIC reader testing has been completed and a second 
round of testing has been initiated. This is expected to provide a 
broader range of readers to be used as part of subsequent assessments. 

* Early operational assessment: This assessment is to evaluate the 
impact of TWIC reader implementation on the flow of commerce. Key 
results to be achieved as part of this assessment include obtaining 
essential data to inform development of the second rule, assessing 
reader suitability and effectiveness, and further refining reader 
specifications. As part of this process, maritime transportation 
facilities and vessels participating in the pilot are to select the 
readers they plan to test and install, and test readers as part of the 
test site's normal business and operational environment. In preparation 
for the early operational assessment segment of this pilot, the TWIC 
Program Director stated that program staff have started working with 
pilot participants to review test plans and expect to initiate the 
early operational assessment portion of the pilot in early 2009. As 
part of this pilot, TSA is partnering with maritime transportation 
facilities at five ports as well as three vessel operators.[Footnote 
20] TSA's objective is to include pilot test participants that are 
representative of a variety of maritime transportation facilities and 
vessels in different geographic locations and environmental conditions. 

* System test and evaluation: Building on the results of the initial 
technical testing and the early operational assessment, the system test 
and evaluation is intended to evaluate the full impact of maritime 
transportation facility and vessel operators complying with a range of 
requirements anticipated to be included in the second TWIC rule, such 
as TWIC reader effectiveness, suitability, and supportability. In 
addition, this evaluation is expected to establish a test protocol for 
evaluating readers prior to acquiring them for official TWIC 
implementation. 

Our ongoing review of the TWIC program will provide additional details 
on the results of the TWIC reader pilot and how these results helped 
inform the anticipated second TWIC rule. 

TSA and Maritime Industry Stakeholders Face Two Potential Challenges in 
Implementing the TWIC Program: 

TSA and maritime industry stakeholders face two potential challenges in 
ensuring that the TWIC program will be implemented successfully. TSA 
and its enrollment contractor are planning to enroll and issue TWICs to 
a significantly larger population of workers than was originally 
estimated. Specifically, TSA estimates that it will need to issue TWICs 
to 1.2 million workers by April 15, 2009.[Footnote 21] This target 
population is significantly larger than the estimated target population 
identified in the January 2007 rule. Further, TSA and maritime industry 
stakeholders also face challenges in ensuring that TWIC access control 
technologies, such as biometric card readers, work effectively in the 
harsh maritime environment and ensuring that security requirements are 
balanced with the flow of commerce. However, since TSA is still testing 
this technology and accumulating the lessons learned from this testing, 
it is unclear how effectively this technology works in practice. These 
testing results will be used to help inform the development of the 
second rule establishing the requirements and time frames for 
implementing TWIC access control technologies. Our ongoing work will 
assess how the results of this testing are used to inform the 
development of the second rule and help ensure an appropriate balance 
between security and commerce. 

Increase in estimated target population one of Several Issues 
Identified During the Initial Enrollment Process: 

In September 2006 we reported[Footnote 22] that TSA faced the challenge 
of enrolling and issuing TWICs in a timely manner to a significantly 
larger population of workers than was done during the TWIC prototype 
test, which was conducted from August 2004 through June 2005. Since 
then, steps have been taken to improve the enrollment and TWIC issuance 
process. For example, according to TSA officials, the TWIC enrollment 
systems were tested to ensure that they would work effectively and be 
able to handle the full capacity of enrollments during implementation. 

Despite these positive steps, there have been issues associated with 
the TWIC enrollment process. As documented in TWIC program 
documentation, enrollment issues include miscommunication about the 
wait time for TWICs to be available, such as enrollees being told that 
TWICs would be available in 10 to 30 days rather than 6 to 8 weeks. In 
addition, help desk issues existed, such as approximately 70 percent of 
calls placed to the help desk being abandoned and call wait times 
reported to be as long as 20 minutes when they were planned for 3 
minutes. According to TSA officials, actions have been taken to address 
these problems. 

Additionally, in July 2008, the National Maritime Security Advisory 
Committee--chartered to advise, consult with, report to, and make 
recommendations to the Secretary of the Department of Homeland Security 
on matters relating to maritime security--reported[Footnote 23] on 
several unresolved problems, which it contends help to foster an 
unfavorable sentiment among stakeholders.[Footnote 24] Among other 
issues, the committee report noted: 

* poor communication and outreach regarding the trucking and merchant 
mariner communities, and whether these communities are fully aware of 
TWIC program requirements, and: 

* technical issues whereby biometric scanning equipment did not 
accurately record and process enrollee fingerprint templates. 

TWIC program management disputed the National Maritime Security 
Advisory Committee's findings, stating that some of the findings in the 
report are outdated or inaccurate. For instance, according to the TWIC 
Program Director, the fingerprint rejection rates for the program are 
within acceptable standards as defined in the contract and are 
consistent with other government experiences. Moreover, the Program 
Director noted that to be helpful, the committee needs to prioritize 
the issues it identified. TSA plans to meet with the committee on 
September 18, 2008 to respond to the report. 

Nevertheless, TWIC program management and the contractor report that 
they have taken action to remediate several of the problems identified 
above. For example, to address the issues related to the help desk, 
TWIC program management reports that it worked with its contractor to 
add additional resources at the help desk to meet call volume demand. 
Similarly, to counter the lack of access or parking at enrollment 
centers at the Port of Los Angeles, TSA's contractor opened an 
additional enrollment facility with truck parking access as well as 
extended operating hours. 

Additional Steps Are Being Taken to Clarify Final Enrollment Figures 
and Address Enrollment Challenges: 

To help meet the challenge of enrolling and issuing TWICs to an 
estimated 1.2 million workers by April 15, 2009, TSA and the Coast 
Guard are working to update estimates for the number of people 
requiring TWICs. TWIC program management does not have a precise 
estimate of the total number and location of potential enrollees. For 
instance, while the January 2007 TWIC rule identifies that 770,000 TWIC 
enrollments were anticipated, that number has been revised to 
approximately 1.2 million--nearly double the original estimate. 
According to the TWIC Program Director, it is difficult to know how 
many individuals will enroll in the program as no association, port 
owner, or government agency previously tracked this information. The 
Program Director also told us that some anticipated enrollees may have 
been double counted. Therefore, the number of enrollees that actually 
enroll may be fewer than the estimated 1.2 million. As part of an 
effort to develop better enrollee estimates, TSA reports that it is 
currently completing a contingency analysis in coordination with the 
Coast Guard that will better identify the size of its target enrollee 
population at major ports. For example, in preparation for meeting 
enrollment demands at the Port of Houston, TWIC program officials are 
updating prior estimates of maritime workers requiring TWICs for access 
to this port's facilities. To better meet possible short-term spikes in 
enrollment application demand--such as in final weeks before individual 
ports must meet final TWIC enrollment requirements--the TWIC program is 
promoting the use of mobile enrollment centers whereby temporary 
centers are set up to help enroll employees for TWICs. 

However, given that 492,928 enrollments (41 percent) out of an 
estimated target population of 1.2 million had been processed as of 
September 12, 2008, an additional 707,072 workers (59 percent) still 
need to be enrolled in the program by the April 15, 2009 deadline. 
Further, assuming the current rate of enrollment, there will be an 
estimated shortfall of 393,391 TWIC enrollees in April 2009. As such, 
meeting final enrollment and TWIC issuance requirements by April 15, 
2009, could pose a challenge. We will continue to monitor these efforts 
as part of our ongoing engagement. 

TSA and Industry Stakeholders Taking Steps to Ensure That TWIC Access 
Control Technologies Work Effectively in a Harsh Maritime Environment: 

In our September 2006 report,[Footnote 25] we noted that TSA and 
maritime industry stakeholders faced significant challenges in ensuring 
that TWIC access control technologies, such as biometric card readers, 
work effectively in the maritime sector. Few facilities that 
participated in the TWIC prototype tested the use of biometric card 
readers. As a result, TSA obtained limited information on the 
operational effectiveness of biometric card readers for use with TWICs, 
particularly when individuals use these readers outdoors in the harsh 
maritime environment, where they can be affected by dirt, salt, wind, 
and rain. In addition, TSA did not test the use of biometric card 
readers on vessels, although they will be required on vessels in the 
future. Further, industry stakeholders with whom we spoke were 
concerned about: 

* the costs of implementing and operating TWIC access control systems, 

* linking card readers to their local access control systems, and: 

* how biometric card readers would be implemented and used on vessels. 

Because of comments received from maritime industry stakeholders prior 
to issuing its January 2007 TWIC rule, TSA and Coast Guard excluded all 
access control requirements from this rule. Instead, TSA and Coast 
Guard now plan to issue a second TWIC rule pertaining to access control 
requirements, such as TWIC readers. 

In our September 2006 report, we noted[Footnote 26] that TSA and 
industry stakeholders will need to consider the security benefits of 
the TWIC program and the impact the program could have on maritime 
commerce. According to TSA, if implemented effectively, the security 
benefits of the TWIC program in preventing a terrorist attack could 
save lives and avoid a costly disruption in maritime commerce. 
Alternatively, if key components of the TWIC program, such as biometric 
card readers, do not work effectively, they could slow the daily flow 
of commerce. 

Our September 2006 report[Footnote 27] also recommended that TSA 
conduct additional testing to ensure that TWIC access control 
technologies work effectively and that the TWIC program balances the 
security benefits of the program with the impact that it could have on 
the flow of maritime commerce. In response to our recommendation and to 
address SAFE Port Act requirements,[Footnote 28] TSA has initiated a 
TWIC reader pilot that, as previously discussed, includes an assessment 
of card readers against TWIC technical and environmental 
specifications. In addition, the pilot will include testing at various 
maritime transportation facilities and vessels to assess the 
performance of biometric card readers as well as the impact TWIC use 
will have on operations when used as part of existing maritime 
transportation facility and vessel access control systems. The results 
of this pilot are to be used to help develop the second TWIC rule on 
TWIC access control technologies, such as TWIC readers. However, as 
discussed earlier, this testing is still under way and TSA has not 
established a date for completing the pilot program. Moreover, a date 
has not been set for issuing the second TWIC rule on the requirements 
and time frames for implementing the TWIC access control technology. 
Our ongoing work will assess how the lessons learned from the testing 
are used to inform the development of the second rule and help ensure 
an appropriate balance between security and commerce. 

Concluding Observations: 

Addressing the issue of maritime security is a major challenge given 
the size and complexity of the maritime transportation network. Since 
we first reported on the TWIC program in December 2004, [Footnote 29] 
TSA has made progress toward implementing the program, including 
issuing a TWIC rule, enrolling some workers in the program, and 
conducting additional testing at several key maritime transportation 
facilities and vessels. While the additional testing that TSA reports 
conducting and the actions it has taken should help address the 
challenges that we have previously identified, the effectiveness of 
these efforts will not be clear until the program further matures. TSA 
still faces the challenges of clarifying the size of its target 
enrollee population and ensuring that the lessons learned from the 
ongoing TWIC pilot are distilled and used to inform the development of 
additional regulatory requirements. Given the looming April 2009 
enrollment deadline and that more than 700,000 workers still need to be 
enrolled in the program, a late enrollment surge could potentially 
impact maritime security and trade. Successfully addressing these 
challenges will help ensure that TWIC meets the goal of establishing an 
interoperable security network based on a common identification 
credential. 

Madame Chairwoman, this concludes my statement. I would be pleased to 
answer any questions that you or other members of the subcommittee may 
have at this time. 

Contacts and Acknowledgments: 

For further information on this testimony, please contact Stephen M. 
Lord at (202) 512-4379 or at lords@gao.gov. Individuals making key 
contributions to this testimony include Cathleen Berrick, David Bruno, 
Chris Currie, Joseph Cruz, Lemuel Jackson, Sally Williamson, Geoffrey 
Hamilton, and Julie Silvers. 

[End of section] 

Footnotes: 

[1] Pub. L. No. 107-71, 115 Stat. 597 (2001). 

[2] A biometric access control system consists of technology that 
determines an individual's identity by detecting and matching unique 
physical or behavioral characteristics, such as fingerprint or voice 
patterns, as a means of verifying personal identity. 

[3] Pub. L. No. 107-295, 116 Stat. 2064 (2002). 

[4] Pub. L. No. 109-347, 120 Stat. 1884 (2006). 

[5] GAO, Port Security: Better Planning Needed to Develop and Operate 
Maritime Worker Identification Card Program, GAO-05-106 (Washington, 
D.C.: Dec. 10, 2004). 

[6] GAO, Transportation Security: DHS Should Address Key Challenges 
before Implementing the Transportation Worker Identification Credential 
Program, GAO-06-982 (Washington, D.C.: Sept. 29, 2006). 

[7] GAO, Transportation Security: TSA Has Made Progress in Implementing 
the Transportation Worker Identification Credential, but Challenges 
Remain, GAO-07-681T (Washington, D.C.: Apr. 12, 2007), and GAO, 
Transportation Security: TSA Has Made Progress in Implementing the 
Transportation Worker Identification Credential Program, but Challenges 
Remain, GAO-08-133T (Washington, D.C.: Oct. 31, 2007). 

[8] GAO-06-982. 

[9] With regard to TWICs, access control technologies include, for 
example, card readers capable of reading TWICs, existing systems for 
controlling access at maritime transportation facilities and vessels, 
the TWIC database containing biometric information, and the interface 
between existing access control systems and the TWIC database. 

[10] The January 2007 TWIC rule established that all maritime workers 
were expected to hold TWICs by September 25, 2008; however, the final 
compliance date has been extended from September 25, 2008 to April 15, 
2009, pursuant to 73 Fed. Reg. 25562. 

[11] For the purposes of this report, the term maritime transportation 
facilities refers to seaports, inland ports, offshore facilities, and 
facilities located on the grounds of ports. 

[12] Testimony of the Director of Homeland Security, Port of Los 
Angeles, before the United States Senate Committee on Commerce, 
Science, and Transportation, May 16, 2006. 

[13] TSA was transferred from the Department of Transportation to DHS 
pursuant to requirements in the Homeland Security Act of 2002 (Pub. L. 
No. 107-296, 116 Stat. 2135 (2002)). 

[14] GAO-06-982. 

[15] Persons not required to obtain or possess TWICs before accessing 
secure areas include, for example, federal officials with specified 
types of credentials, state or local law enforcement officials, and 
state or local emergency responders. 

[16] GAO-08-133T. 

[17] GAO-06-982. 

[18] Pub. L. No. 109-347, 120 Stat. 1884, 1889-90 (2006). 

[19] TWIC Card Reader Specifications were first published in September 
of 2007 and last updated on May 30, 2008. 

[20] Port test participants include the port authorities of Los 
Angeles, Long Beach, Brownsville, New York, and New Jersey. In 
addition, vessel operation participants include the Staten Island Ferry 
in Staten Island, New York; Magnolia Marine Transports in Vicksburg, 
Mississippi; and Watermark Cruises in Annapolis, Maryland. 

[21] As previously noted, the final compliance date has been extended 
from September 25, 2008, to April 15, 2009 (73 Fed. Reg. 25562 (May 7, 
2008)). 

[22] GAO-06-982. 

[23] National Maritime Security Advisory Committee, TWIC Working Group, 
Discussion Items, as amended July 30, 2008. 

[24] The National Maritime Security Advisory Committee was established 
under the authority of the Maritime Transportation Security Act of 2002 
to provide advice and make recommendations to the Secretary of Homeland 
Security via the Commandant of the Coast Guard on national maritime 
security matters. 

[25] GAO-06-982. 

[26] GAO-06-982. 

[27] GAO-06-982. 

[28] The SAFE Port Act requires TSA to issue a final rule containing 
the requirements for installing and using TWIC access control 
technologies no later than two years after the initiation of the pilot. 

[29] GAO-05-106.

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: