This is the accessible text file for GAO report number GAO-08-992 entitled 'Aviation Security: TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No Fly and Selectee Lists, but Expects Ultimate Solution to Be Implementation of Secure Flight' which was released on September 10, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Committees: September 2008: Aviation Security: TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No Fly and Selectee Lists, but Expects Ultimate Solution to Be Implementation of Secure Flight: Aviation Security and Watch List Matching: GAO-08-992: GAO Highlights: Highlights of GAO-08-992, a report to congressional committees. Why GAO Did This Study: Air carriers remain a front-line defense against acts of terrorism that target the nation’s civil aviation system. A key responsibility of air carriers is to check passengers’ names against terrorist watch-list records to identify persons who should be prevented from boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). Eventually, the Transportation Security Administration (TSA) is to assume this responsibility through its Secure Flight program. However, due to program delays, air carriers retain this role. You asked GAO to review domestic air carriers’ watch-list-matching processes. GAO examined (1) the watch-list-matching requirements air carriers must follow that have been established by TSA, and (2) the extent to which TSA has assessed air carriers’ compliance with these requirements. GAO reviewed TSA’s security directives, internal guidance used by TSA’s inspectors to assess air carriers’ compliance with requirements, and inspection results, as well as interviewed staff from 14 of 95 domestic air carriers (selected to reflect a range in operational sizes). This report is the public version of a restricted report (GAO-08-453SU) issued in July 2008. What GAO Found: TSA’s requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA’s Office of Intelligence, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA’s security directives did not specify what types of similar-name variations were to be considered by air carriers. Thus, in interviews with 14 air carriers GAO found inconsistent approaches to conducting similar-name matching. Due to such inconsistency, a passenger could be identified as a match by one air carrier and not by another. In addition, not every air carrier reported conducting similar name comparisons. Further, in January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Shortly thereafter, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching, and TSA reported that it planned to similarly revise the Selectee List security directive. Because the baseline capability requires that air carriers compare only the types of name variations specified in the directive, TSA recognizes that the new baseline capability will not address all vulnerabilities. However, TSA emphasized that establishing the baseline capability should improve air carriers’ performance of watch-list matching and, in TSA’s view, is the best interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers’ compliance with watch-list matching requirements; however, until 2008, TSA had conducted limited testing of air carriers’ similar-name- matching capability. In 2005, for instance, TSA conducted an evaluation to determine whether air carriers had the capability to identify names that were identical—but not similar—to those on the No Fly List. Also, regarding regularly conducted inspections, TSA’s guidance did not specifically direct inspectors to test air carriers’ similar-name- matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA’s database for regular inspections conducted during 2007 made reference to name-match testing in 61 of the 1,145 watch-list-related inspections that GAO reviewed. Without criteria or standards for air carriers to follow in comparing name variations, TSA did not have a uniform basis for assessing compliance and addressing deficiencies. However, during the course of GAO’s review and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers’ compliance with security directives. Although TSA has plans to strengthen its oversight of air carriers’ compliance with the revised security directives, it is too early to assess the extent of such oversight since TSA’s efforts are ongoing and not completed. What GAO Recommends: GAO is not making any recommendations because TSA initiated actions in April 2008 to strengthen watch-list-matching requirements and its oversight of air carriers’ implementation of these requirements. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-992]. For more information, contact Cathleen A. Berrick at (202) 512-3404 or berrickc@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: TSA Took Action in 2008 to Enhance Watch-List Matching Conducted by Air Carriers but Believes the Ultimate Solution Will Be Implementation of Secure Flight: Until a 2008 Special Emphasis Inspection, TSA Had Conducted Limited Testing of Air Carriers' Capability to Perform Similar-Name Matching: Concluding Observations: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: Overview of Selected Domestic Air Carriers' Watch-List- Matching Processes: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: TSA Watch-List-Matching Requirements Prior to the April 2008 Revision to the No Fly List Security Directive: Table 2: Requirements for Matching Passenger Data to No Fly and Selectee Lists and Inspection Guidelines Used to Assess Compliance with the Requirements: Table 3: Watch-List-Matching Requirements and the Related Inspection Guidelines (Fiscal Year 2007): Figure: Figure 1: Overview of the Current Passenger Watch-List-Matching Process: Abbreviations: CAPPS: Computer Assisted Passenger Prescreening System: DHS: Department of Homeland Security: FBI: Federal Bureau of Investigation: PARIS: Performance and Results Information System: PNR: passenger name record: TRIP: Traveler Redress Inquiry Program: TSA: Transportation Security Administration: [End of section] United States Government Accountability Office: Washington, DC 20548: September 9, 2008: Congressional Committees: Currently, more than 6 years after the terrorist attacks on September 11, 2001, air carriers remain a front-line defense against acts of terrorism that target the nation's civil aviation system. A key aspect of air carriers' security responsibilities is to conduct preboarding checks of all passengers' personal information against terrorist watch- list records that contain information on thousands of individuals with known or potential links to terrorism. This process, referred to hereafter as watch-list matching, involves comparing passenger data-- most prominently name and date of birth--against the No Fly List to identify individuals who should be prevented from boarding an aircraft, and against the Selectee List to identify individuals who must undergo enhanced screening at the checkpoint prior to boarding.[Footnote 1] The Transportation Security Administration (TSA) requires that domestic air carriers operating to, from, and within the United States conduct watch-list matching.[Footnote 2] Data compiled by TSA's Office of Intelligence indicate that, at times, these air carriers have failed to identify individuals who are on the No Fly List. For instance, for the 3-year period from January 2005 through December 2007, TSA documented several known incidents involving individuals on the No Fly List who, because of failures of domestic air carriers' watch-list-matching processes, were allowed to board international flights traveling to or from the United States.[Footnote 3] Data for these types of incidents, referred to as false negative watch-list-matching results, generally are not available for domestic flights--that is, domestic air carrier operations between two points within the United States or its territories.[Footnote 4] Nevertheless, because the requirements for air carriers to conduct watch-list matching are generally the same irrespective of the departure or arrival location, false negative incidents may be occurring on domestic flights if watch-listed individuals attempt to fly domestically. At present, domestic air carriers generally conduct watch-list matching in accordance with requirements that TSA sets forth in security directives--a regulatory tool through which TSA may impose security measures on a regulated entity, in this case air carriers, generally in response to an immediate or imminent threat.[Footnote 5] For example, security directives require that air carriers execute comparisons of passenger information with No Fly and Selectee list information within 24 hours of a flight's scheduled departure. TSA also has responsibility for overseeing how air carriers implement the requirements set forth in security directives. Critical to this effort are the agency's aviation security inspectors, who oversee air carrier efforts at air carriers' corporate security offices (principal security inspectors) and at airport locations (transportation security inspectors). As required by law, TSA is to take over from air carriers the function of matching passenger information to the No Fly and Selectee lists for domestic flights.[Footnote 6] Since 2003, we have been assessing TSA's efforts to develop such a watch-list-matching program, currently known as Secure Flight, and have reported that significant challenges, including the need to follow a more structured systems development approach and to fully address how the program would protect passengers' privacy rights, have delayed its implementation.[Footnote 7] In April 2008, we reported that TSA has made significant progress in developing Secure Flight, but that challenges remained in a number of areas, including the need to develop more robust cost and schedule estimates. [Footnote 8] We are continuing to review TSA's development and implementation of Secure Flight in response to requests from the U.S. Senate (Committee on Commerce, Science, and Transportation, and its Subcommittee on Aviation Operations, Safety, and Security; Committee on Appropriations, Subcommittee on Homeland Security; Committee on Homeland Security and Governmental Affairs; and Committee on the Judiciary) and the U.S. House of Representatives (Committee on Transportation and Infrastructure, Committee on Homeland Security, and the Committee on Oversight and Government Reform). In addition, the Consolidated Appropriations Act, 2008, requires that we report to the Committees on Appropriations of the Senate and House of Representatives on the Department of Homeland Security's (DHS) certification of 10 conditions outlined in section 522(a) of the Department of Homeland Security Appropriations Act, 2005, related to the development and implementation of the Secure Flight program.[Footnote 9] The report is to be submitted 90 days after the DHS's Secretary certifies that all 10 conditions have been successfully met. Pending Secure Flight's implementation, air carriers will continue to have primary responsibility for the watch-list-matching function. In conjunction with our ongoing evaluation of Secure Flight, we testified in June 2006 that due to delays and uncertainty surrounding Secure Flight's implementation, some air carriers were enhancing their watch- list-matching processes. We further identified that these improvements, though beneficial to the respective air carrier's operations, could further exacerbate differences that currently exist among the various air carriers, and could result in varying levels of effectiveness across air carriers in matching passenger information to the No Fly and Selectee lists.[Footnote 10] Due to the importance of identifying passengers who may pose a threat to commercial aviation, we were asked to review the current processes that domestic air carriers use to conduct watch-list matching for domestic flights.[Footnote 11] Accordingly, this report addresses the following questions: * What are TSA's requirements for domestic air carriers to conduct watch-list matching for domestic flights? * To what extent has TSA assessed domestic air carriers' compliance with watch-list-matching requirements? This report is a public version of the restricted report (GAO-08-453SU) that we provided to you on July 10, 2008. DHS and TSA deemed some of the information in the restricted report as Sensitive Security Information, which must be protected from public disclosure. Therefore, this report omits this information, such as the specific details associated with the current processes that domestic air carriers use to conduct watch-list matching. Although the information provided in this report is more limited in scope, it addresses the same principal questions as the restricted report. Also, the overall methodology used for both reports is generally the same. To determine TSA's requirements for matching passenger information against the No Fly and Selectee lists for domestic flights, we reviewed TSA's security directives, policies, and other guidance applicable to watch-list matching. We also interviewed officials at TSA's Office of Transportation Sector Network Management, Office of Security Operations, Office of Intelligence, and Office of Chief Counsel. We also reviewed key policy documents for Secure Flight, as well as our most recent reports and testimonies on the program to determine the planned matching process. In addition, to identify the composition and use of the No Fly and Selectee lists, we interviewed officials with the Department of Justice, Federal Bureau of Investigation's (FBI) Terrorist Screening Center, which has responsibility for managing the use of terrorist information in screening processes.[Footnote 12] We also contacted officials from a federally sponsored working group on identity matching to discuss the challenges associated with name-based matching. Moreover, to understand how air carriers have responded to watch-list-matching requirements, we conducted telephone interviews with officials from 14 domestic air carriers.[Footnote 13] Our selection of air carriers was based, in part, on operational size with the goal of obtaining a range of sizes based on operating revenue. For example, the Department of Transportation classifies eight of the air carriers in our review as major air carriers that provide service to locations across the nation and, with the exception of one air carrier, around the world.[Footnote 14] The remaining six air carriers had comparatively smaller business operations that generally provided service covering a geographical area, such as the Pacific Northwest, or commuter service.[Footnote 15] Although the 14 air carriers we spoke with represent a range in the types of air carriers that conduct watch- list matching, and, according to our calculations, accounted for approximately 70 percent of all passengers that boarded domestic flights in 2005, the results of our telephone interviews are not generalizable to the domestic operations of all domestic air carriers. However, our selection allowed us to understand how watch-list matching was performed for the majority of passengers flying domestically in 2005. In addition, although our work summarizes the 14 air carriers' watch-list-matching capabilities as described to us in interviews, we did not independently verify each air carrier's reported method of implementation to determine the reliability of the data. To determine the extent to which TSA has assessed domestic air carriers' compliance with watch-list-matching requirements in the No Fly and Selectee list security directives,[Footnote 16] we first assessed TSA's inspection process, including the focus of inspections and inspection methods. We also examined TSA's national inspection plans and related guidance and policy documents. Further, at TSA headquarters, we interviewed officials responsible for developing and implementing inspection guidance and compiling and analyzing inspection results. Specifically, we interviewed representatives from the Office of Security Operations and the Office of Transportation Sector Network Management. We analyzed the results of both regular inspections (i.e., inspections conducted in conjunction with annual inspection plans) and nonroutine watch-list-related inspections that TSA conducted. For instance, we analyzed regular watch-list-related inspections that TSA conducted during fiscal year 2007 to ensure that air carriers were in compliance with applicable requirements. Although we concluded that these regular inspection data were sufficiently reliable for the purposes of this report, we have concerns about the potential for error based on TSA's process for querying its inspection database (we discuss these concerns in more detail in app. I). To assess data reliability, we performed electronic testing, discussed the data system and any data inconsistencies we found with knowledgeable TSA officials, and reviewed existing information about the data system. We also reviewed results from a special emphasis assessment that TSA conducted in 2005, and a special emphasis inspection it conducted in January 2008, both of which addressed air carriers' capability to conduct watch-list matching. [Footnote 17] We determined that the sampling and related procedures used for the special emphasis assessment were insufficient for providing a reliable estimate of the success rate of all attempted matches by air carriers. We did not assess the initial data TSA provided in February 2008 for the special emphasis inspection it conducted the previous month.[Footnote 18] We conducted this performance audit from July 2006 to September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on the audit objectives. More details about the scope and methodology of our work are presented in appendix I. Results in Brief: TSA has issued two security directives (one for the No Fly List and another for the Selectee List) that delineate requirements related to air carrier watch-list matching, including the identification of passengers with names similar to those on the lists. Identifying passengers with names similar to those on the No Fly and Selectee lists--a process TSA refers to as similar-name matching--is a critical component of watch-list matching because individuals may travel using abbreviated name forms or other variations of their names. Therefore, searching for only an exact match of the passenger's name may not result in identifying all watch-listed individuals. There have been incidents, according to TSA's Office of Intelligence, of air carriers failing to identify potential matches by not successfully conducting similar-name matching. Before revisions to the security directives were initiated in 2008, TSA expected air carriers to find similar names but provided no specificity on the extent to which air carriers should make these comparisons. The 14 air carriers we interviewed reported implementing varied approaches to similar-name matching. Because air carriers used different approaches, a passenger could be identified as a match to a watch-list record by one carrier and not by another carrier, which results in uneven effectiveness of watch-list matching. Generally, TSA had been aware that air carriers were not using equivalent processes to compare passenger names with names on the No Fly and Selectee lists. However, in early 2008 the significance of such differences was crystallized during the course of our review and following TSA's special emphasis inspection of air carriers' name- matching capability. On the basis of these inspection results, TSA issued a revised security directive governing the use of the No Fly List in April 2008 to establish a baseline capability for similar-name matching to which all air carriers must conform. Also, TSA announced that it plans to revise the Selectee List security directive to similarly require the new baseline capability.[Footnote 19] According to TSA officials, the new baseline capability is intended to improve the effectiveness of watch-list matching, particularly for those air carriers that did not compare the types of name variations specified by the new baseline capability or that compared none at all. However, TSA officials noted that the new baseline is not intended to address all possible types of name variations and the related security vulnerabilities. Agency officials explained that based on their analysis of the No Fly and Selectee lists and interviews with intelligence community officials, the newly established baseline covers the most critical types of name variations. TSA officials further stated that this is an interim solution that will strengthen security while not requiring air carriers to invest in significant modifications to their watch-list-matching processes, given TSA's expected implementation of Secure Flight beginning in 2009. These officials added that when implemented, Secure Flight will be better able to use passenger names and other identifying information to more accurately match passengers to the subjects of watch-list records. TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list-matching requirements in the No Fly and Selectee list security directives; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA conducted a special emphasis assessment that focused on air carriers' capability to prescreen passengers for exact-name matches with the No Fly List, but did not address the air carriers' capability to conduct similar-name comparisons. Regarding inspections conducted as part of regular inspection cycles, TSA's guidance establishes that regulatory requirements encompassing critical layers of security need intensive oversight, and that testing is the preferred method for validating compliance. However, before being revised in 2008, TSA's inspection guidelines (called PARIS prompts)[Footnote 20] for watch-list-related inspections were broadly stated and did not specifically direct inspectors to test air carriers' similar-name-matching capability. Moreover, TSA's guidance provided no baseline criteria or standards regarding the number or types of such variations that must be assessed. In response to our inquiry, 6 of TSA's 9 principal security inspectors told us that their assessments during annual inspection cycles have not included examining air carriers' capability to conduct certain basic types of similar-name comparisons. Also, in reviewing documentation of the results of the most recent inspection cycle (fiscal year 2007), we found that available records in TSA's database made references to name- matching tests in 6 of the 36 watch-list-related inspections that principal security inspectors conducted, and in 55 of the 1,109 inspections that transportation security inspectors conducted.[Footnote 21] Without baseline criteria or standards for air carriers to follow in conducting similar-name comparisons, TSA has not had a uniform basis for assessing compliance. Further, without routinely and uniformly testing how effectively air carriers are conducting similar-name matching, TSA may not have had an accurate understanding of the quality of air carriers' watch-list-matching processes. However, TSA began taking corrective actions during the course of our review and after it found deficiencies in the capability of air carriers to conduct similar- name matching during a January 2008 special emphasis inspection. [Footnote 22] More specifically, following the January 2008 inspection, TSA officials reported that TSA immediately began working with individual air carriers to address deficiencies. Also, officials reported that, following the issuance of TSA's revised No Fly List security directive in April 2008, the agency had plans to assess air carriers' progress in meeting the baseline capability specified in the new security directive after 30 days, and that the annual inspection plan for transportation security inspectors would be revised to help ensure compliance by air carriers with requirements in the new security directive. In September 2008, TSA provided us with results from a May 2008 special emphasis assessment of seven air carriers' compliance with the revised No Fly List security directive. Although the details of this special emphasis assessment are classified, TSA generally characterized the results as positive. Further, the TSA officials noted that the agency's internal handbook-- which provides guidance to transportation security inspectors on how to inspect air carriers' performance of various requirements, including watch-list-matching requirements--was being revised and was expected to be released later this year. Thus, the TSA officials stated that the new inspection guidance would be used in conjunction with the nationwide regulatory activities plan for fiscal year 2009. While these actions and plans are positive developments, it is too early to determine the extent to which TSA will assess air carriers' compliance with watch-list-matching requirements moving forward since these efforts are still underway. We provided a draft of our restricted report to DHS and the Department of Justice for review and comment. DHS had no comments. The Department of Justice provided technical comments to the restricted version of this report, which we incorporated where appropriate. Background: TSA uses a layered system of defense to secure civil aviation whereby additional layers provide security when any one security measure may fail. Watch-list matching is one such layer of defense. Air carriers began checking passenger names against government-supplied terrorist watch lists (compiled by the FBI and distributed by the Federal Aviation Administration) in the early 1990s. After the attacks of September 11, 2001, and the subsequent establishment of TSA during the same year, primary responsibility for civil aviation security, including overseeing the watch-list-matching process, fell to TSA. [Footnote 23] The Aviation and Transportation Security Act, enacted in November 2001, requires that a system be used to evaluate all passengers before they board an aircraft and ensure that selected individuals and their carry-on and checked baggage are adequately screened.[Footnote 24] TSA fulfilled this mandate by continuing to require and oversee air carrier operation of the Computer Assisted Passenger Prescreening System (CAPPS)--an electronic application that selects individuals for enhanced screening at the passenger checkpoint based on certain travel characteristics identified by TSA as indicating potential risk--and by issuing security directives in April 2002 that continued and amended the requirements that domestic air carriers match passenger information against the No Fly and Selectee lists. These security directives are the No Fly List Procedures security directive, requiring domestic air carriers to conduct checks of passenger information against the No Fly List to identify individuals who should be precluded from boarding flights, and the Selectee List Procedures security directive, directing domestic air carriers to conduct checks of passenger information against the Selectee List to identify individuals who should receive enhanced screening (e.g., additional physical screening or a hand-search of carry-on baggage) before proceeding through the security checkpoint.[Footnote 25] Since 2002, TSA has issued numerous revisions to the No Fly and Selectee list security directives to strengthen and clarify requirements, and has issued guidance to assist air carriers in implementing their watch- list-matching processes.[Footnote 26] So that they may carry out watch-list-matching requirements, TSA provides air carriers with access to the No Fly and Selectee lists-- subsets of the terrorist screening database managed by the FBI's Terrorist Screening Center. The terrorist screening database is composed of records that contain identifying information (e.g., name and date of birth) on both foreign and U.S. citizens with known or appropriately suspected links to terrorism. Only those nominations in the terrorist screening database submitted by elements within the intelligence community, including the FBI, that meet criteria specified by the Homeland Security Council[Footnote 27] relating to the threat that an individual poses to civil aviation are exported as records to be included on the No Fly or Selectee lists.[Footnote 28] At present, the Terrorist Screening Center forwards the No Fly and Selectee lists to TSA's Office of Intelligence, which generally posts new lists daily to a secure Web board that air carriers may access to retrieve the lists.[Footnote 29] The Terrorist Screening Center provides TSA's Office of Intelligence with new No Fly and Selectee lists on a daily basis as well as any time a nominating entity submits additions and deletions that require immediate notification to the aviation community. TSA's Regulatory Inspection Framework: TSA is responsible for ensuring air carriers' compliance with regulatory requirements, including requirements reflected in TSA security directives and TSA-approved security programs. According to TSA inspection guidance, compliance with regulatory requirements may be validated in various ways, depending on the risk associated with the requirements. For example, when regulatory requirements are largely administrative and encompass the least critical layers of security, compliance may be validated largely through inspections based on documentation reviews. However, when regulatory requirements encompass more critical layers of security, more intensive oversight is needed, and compliance typically is to be validated through testing, inspections, surveillance, special emphasis assessments, and special emphasis inspections. TSA conducts inspections of air carriers throughout the year as part of regular inspection cycles based on annual inspection plans. These inspections are based on inspection guidelines known as PARIS prompts, which address a broad range of regulatory requirements (including airport perimeter security and cargo security, as well as screening of employees, baggage, and passengers). With respect to watch-list matching, an inspection guideline (PARIS prompt) instructs inspectors to determine, for example, whether the air carrier is comparing the names of all passengers against names on the most current No Fly and Selectee lists in accordance with the procedures outlined in TSA's security directives. TSA conducts watch-list-related inspections at air carriers' corporate security offices (where policies and procedures are established on how watch-list matching is to be performed) and at airports (where policies and procedures for responding to a potential match are implemented). TSA's principal security inspectors are responsible for conducting inspections at domestic air carriers' corporate headquarters. These inspectors assess air carriers' compliance with security requirements and provide direct oversight of air carriers' implementation of and compliance with TSA-approved security programs. TSA considers principal security inspectors to be subject-matter experts for the air carrier community concerning implementation of and compliance with security programs and other requirements. As of January 2008, nine principal security inspectors were responsible for assessing the compliance of domestic air carriers with requirements in the No Fly and Selectee list security directives (as well as with other regulatory requirements pertaining to commercial aviation). Each of these inspectors has responsibility for one or more domestic air carriers. For fiscal year 2007, there were 72 domestic air carriers to which the No Fly and Selectee list security directives applied. Field inspectors--known as transportation security inspectors--conduct watch-list-related inspections at airports. They are responsible for a multitude of TSA-related activities, including conducting inspections and investigations of airports and air carriers, monitoring compliance with applicable civil aviation security policies and regulations, resolving routine situations that may be encountered in the assessment of airport security, participating in testing of security systems in connection with compliance inspections, identifying when enforcement actions should be initiated, and providing input on the type of action and level of penalty commensurate with the nature and severity of a violation that is ultimately recommended to TSA's Office of Chief Counsel. As of June 2008, there were 681 transportation security inspectors responsible for 459 commercial airports across the United States. Secure Flight: Development of a Government-Run Watch-List-Matching Process: TSA began developing a program to take over watch-list-matching capability from air carriers in March 2003.[Footnote 30] TSA cancelled this earlier effort, known as CAPPS II, due to development challenges and privacy concerns. In July 2004, the National Commission on Terrorist Attacks Upon the United States (the 9/11 Commission) recommended that the federal government take over the watch-list- matching function from air carriers.[Footnote 31] Subsequently, the Intelligence Reform and Terrorism Prevention Act of 2004 required that TSA develop such a watch-list-matching capability.[Footnote 32] Shortly after suspending work on the CAPPS II program in August 2004, TSA initiated development of Secure Flight, a program that the agency expects will allow the federal government to perform watch-list matching for passengers on all flights within the United States and ultimately for international flights with departures from or arrivals in the United States. In February 2006, we testified that although some progress had been made in developing Secure Flight, long-standing issues related to systems development and testing, program management, privacy protections, and redress remained.[Footnote 33] We reported in testimony that as a result of these deficiencies the program was at risk of failure. Following our February 2006 testimony, TSA announced a temporary suspension of Secure Flight's development to reassess program goals and capabilities. TSA completed this reassessment in January 2007, moved forward to complete its concept-of-operations plan for the Secure Flight program and strengthen systems development efforts, and, in August 2007, issued a notice of proposed rulemaking describing the requirements TSA will expect air carriers to implement to facilitate the government-run prescreening process.[Footnote 34] TSA expects that, beginning in early calendar year 2009, the Secure Flight program will begin assuming from air carriers the watch-list-matching responsibility for domestic flights. At some point following this assumption for domestic flights, TSA plans to assume from U.S. Customs and Border Protection this watch-list-matching function for international flights that depart from or arrive in the United States. However, we testified in February 2008 that despite significant progress in the development of Secure Flight, TSA did not fully follow best practices for developing Secure Flight's life-cycle cost and schedule estimates, and that failure to do so put the program at risk of cost overruns, missed deadlines, and performance shortfalls, among other issues.[Footnote 35] TSA Took Action in 2008 to Enhance Watch-List Matching Conducted by Air Carriers but Believes the Ultimate Solution Will Be Implementation of Secure Flight: Through its security directives, TSA has issued requirements for watch- list matching, which include identifying passengers with names similar to those on the No Fly and Selectee lists--a process TSA refers to as similar-name matching. Before undertaking revisions of the relevant security directives in 2008, TSA expected air carriers to conduct similar-name matching but TSA's security directives did not specify how many and what types of such name variations air carriers should compare. Consequently, some of the 14 air carriers we interviewed reported that they compared more name variations than others. Air carriers that do not conduct similar-name comparisons and carriers that conduct relatively limited comparisons are less effective in identifying watch-listed individuals who travel under name variations. Also, due to inconsistent air carrier processes, a passenger could be identified as a match by one carrier and not by another. In April 2008, during the course of our review, TSA revised and issued the No Fly List security directive to specify a baseline capability for similar-name matching to which all air carriers must conform. Also, in April 2008, TSA officials reported that the agency had plans to similarly revise the Selectee List security directive to require the same baseline capability.[Footnote 36] TSA officials acknowledged that the new baseline capability will not address all vulnerabilities identified by TSA. However, the officials stated that the new baseline capability was their best interim approach for improving air carriers' matching efforts because, among other reasons, it will strengthen watch-list matching without requiring considerable investment in a solution that will be replaced when Secure Flight is implemented. TSA officials further stated that the longer term solution for watch-list matching is Secure Flight, which will have the capability to undertake more advanced searches for individuals on the No Fly and Selectee lists. Prior to April 2008, TSA Watch-List-Matching Requirements Were Broad and Allowed Air Carriers to Implement Less Effective Processes: Prior to a revision of the No Fly List security directive in April 2008--and a similar revision planned for the Selectee List security directive--TSA's watch-list-matching requirements for domestic flights (summarized in table 1) addressed five key processes: (1) retrieval of the No Fly and Selectee lists, (2) the matching of passenger and list information, (3) the use of TSA's Cleared List,[Footnote 37] (4) notification procedures, and (5) record-keeping activities.[Footnote 38] In April 2008, TSA revised the No Fly List security directive for watch-list matching and also reported plans for similarly revising the Selectee List security directive. The security directive revisions-- discussed later in this section--still address the five key process areas, but provide greater specificity on TSA's requirements for matching passenger and watch-list information (the second key process shown in table 1).[Footnote 39] Prior to the April 2008 revision of the No Fly List security directive, TSA's requirements in this area lacked specificity for purposes of implementation, although the then-current security directives addressed the need for air carriers to identify passengers with names that are either identical or similar to those on the No Fly List or the Selectee List. To identify passengers with similar names--an activity known as similar-name matching--air carriers' automated programs or manual reviews were expected to capture No Fly and Selectee list names that are variations of the name on the passenger's reservation. Table 1: TSA Watch-List-Matching Requirements Prior to the April 2008 Revision to the No Fly List Security Directive: Requirements (key processes): (1) Retrieving the No Fly and Selectee lists; Discussion: * Air carriers must monitor the TSA Web board throughout the day for the most recent postings of the No Fly and Selectee lists. Requirements (key processes): (2) Matching passenger data to No Fly and Selectee lists; Discussion: * Within 24 hours of scheduled flight departure time, but no later than passenger check-in, air carriers are to compare records from the most recently issued No Fly and Selectee lists with identifying information on passengers found in the respective air carrier's reservation system and offered by passengers at the time of check-in; * When comparing data, air carriers must identify name matches to the No Fly and Selectee lists. To identify similar-name matches, automated and manual processes are expected to have the capability to compare name variations; * To determine which passengers are matches, a passenger's name and one piece of identifying information (found either within the air carrier's reservation system or supplied by the passenger at check-in) must match with corresponding information provided on the No Fly or Selectee lists. Requirements (key processes): (3) Using the TSA Cleared List[A]; Discussion: * When making determinations on matches, air carriers must use the TSA Cleared List, which is composed of names and other personal-identifying information on individuals whom the Department of Homeland Security has reviewed and determined are not individuals on the No Fly or Selectee lists. Individuals determined to be on the TSA Cleared List should be accepted for travel and not be subject to further procedures for handling matches to No Fly or Selectee lists identified in the security directives. Requirements (key processes): (4) Notifying authorities; Discussion: * Upon identifying a passenger whose information matches with the No Fly or Selectee lists and who is not on the TSA Cleared List, air carriers must follow certain notification procedures, such as to contact the federal security director and the appropriate local law enforcement officer (for matches to the No Fly List) or to designate the passenger as a selectee for enhanced checkpoint screening procedures (for matches to the Selectee List). Requirements (key processes): (5) Keeping records; Discussion: * Air carriers must keep records on the results of watch-list matching for specified time periods--for example, air carriers must keep a record of all flights operated with passengers designated as selectees for 7 calendar days from the date of the flight's departure. Sources: GAO analysis of TSA's No Fly List Procedures security directive (SD 1544-01-20 series) and Selectee List Procedures security directive (SD 1544-01-21 series), versions dated July 8, 2004, and March 8, 2007. [A] Security directives in effect prior to the April 2008 revision of the No Fly List Procedures security directive referenced a "cleared column," a format for clearing passengers. TSA eventually replaced this format with the Cleared List, and revised language for the April 2008 No Fly List security directive. [End of table] Air carriers must conduct similar-name matching because watch-listed individuals may travel using variations of the names attributed to them on the No Fly or Selectee lists and, thus, would not be identified if air carriers searched only for an exact-name match. At present, TSA does not require that air carriers collect the full name from passengers making travel reservations, thus, passengers may travel using variations of their legally documented names; for example, abbreviated name forms or portions of their names. Such name variations may arise due to unintentional errors--for example, a travel agent mistakenly books travel for "Jon" when the name spelling is actually "John," or the agent accidentally transposes a passenger's first and middle names for a flight reservation. Traveling under a name variation could also represent a watch-listed individual's intentional effort to evade detection. For example, an individual identified as John Robert Smith on his driver's license may make a travel reservation using a common name variation--such as using his middle and last names (Robert Smith) or his initials and last name (J.R. Smith). If the John Robert Smith in this example were a name on the No Fly List, an exact, letter- for-letter comparison of the passenger's reservation name (either Robert Smith or J.R. Smith) with the No Fly List would fail to identify the watch-listed individual. However, a comparison of possible variations of the watch-list name (John Robert Smith) could identify either Robert Smith or J.R. Smith as a potential match--that is, an individual who is a possible match to the No Fly List or Selectee List and whose personal identifying information requires further review before a match can be determined. Before 2008, TSA's Security Directives Allowed Air Carriers More Discretion in Comparing Name Variations: Regarding similar-name matching, before 2008, TSA's security directives had broad requirements that allowed air carriers discretion in determining the extent to which they compared name variations. For instance, to identify watch-listed individuals who travel using variations of their name, TSA's security directives did not specify how many possible combinations of name elements should be compared. TSA officials explained that the agency initially issued broad security directives to allow air carriers flexibility in implementing requirements and--until the April 2008 revision of the No Fly List security directive--left the directives relatively unchanged because the agency was developing a government-run capability to take over this function. The operations of those air carriers that are subject to the watch-list-matching requirements of TSA's security directives range from commuter providers to international-service providers. According to TSA officials, broad security directive requirements permit air carriers with such diverse operations to implement processes that best meet their operational needs and technological capabilities. Officials further explained that TSA's focus has been on developing its own watch-list-matching capability (now Secure Flight) since 2003. TSA officials noted that, though not an impetus for making requirements broad when first articulated in 2002, this focus on developing a government-run watch-list-matching program is one reason why these requirements remained relatively unchanged until April 2008. Failure to Conduct Similar-Name Matching or Comparing Name Variations to a Lesser Extent Reduces the Effectiveness of Watch-List Matching: The 14 air carriers we interviewed reported adopting different approaches to name matching. Although each of the 14 air carriers we spoke with during our review reported conducting comparisons to identify exact-name matches of passengers and names on the No Fly List or the Selectee List, not every air carrier reported conducting similar- name comparisons.[Footnote 40] Those air carriers that conducted similar-name comparisons reported using various approaches, some of which compared more name variations than others. According to air carriers, a critical factor affecting their implementation of similar-name-matching requirements was their observation that conducting more comparisons for variations results in longer lines at ticket counters and passenger inconvenience. Specifically, 10 air carriers commented that conducting similar-name comparisons resulted in more passengers being identified as potential matches. At the time of check-in, air carriers must perform additional checks at the ticket counter of each potentially matched passenger's government-issued identification against data on the No Fly and Selectee lists. Therefore, according to 12 of the 14 air carriers we spoke with, a large number of potential matches can lead to congestion at the ticket counter and longer wait times for all passengers. Inconsistent approaches to conducting similar-name matching could lead a passenger to be identified as a match by one air carrier and not by another. Further, not conducting similar-name matching--or conducting such matching to only a very limited extent--compromises the usefulness of the No Fly List and Selectee List. There have been incidents, according to TSA's Office of Intelligence, of air carriers failing to identify potential matches by not effectively conducting similar-name matching. In these incidents, the air carriers' processes led to false negative watch-list-matching results--that is, individuals who were on the No Fly List and were not identified by the respective air carrier's watch-list-matching process. In some of these incidents, the individual's flight reservation contained a name that varied somewhat from the name on the No Fly List, and the air carrier's watch-list- matching process did not identify the name as a possible match. In most of these cases, the failures of the air carriers to identify the potential matches were discovered as a result of the U.S. Customs and Border Protection's comparison of passenger and watch-list data for international flights. Specifically, TSA learned of the failures through U.S. Customs and Border Protection, which identified the No Fly listed individual when conducting its own comparison of passenger information against the No Fly and Selectee lists for international flights.[Footnote 41] These comparisons, performed as part of U.S. Customs and Border Protection's border security mission, took place after the air carriers completed their comparisons, in effect constituting a second check of passenger and watch-list information. U.S. Customs and Border Protection does not screen passengers on domestic flights; thus, there is no opportunity for a second comparison of passenger information against the No Fly and Selectee lists for domestic flights. Therefore, it is difficult to determine the extent to which domestic air carriers may be failing to identify watch-listed individuals who are able to board domestic flights. In October 2007, we reported that of the known cases in which individuals on the No Fly List flew on international flights bound to or from the United States, some were allowed to fly because the respective air carrier's process failed to identify the passenger's name as a match.[Footnote 42] Although these individuals were subsequently identified in-flight by other means, the onboard security threats required an immediate counterterrorism response, which in some instances resulted in diverting the aircraft to a location other than its original destination.[Footnote 43] According to TSA's Office of Intelligence, some of these incidents may be attributed to air carriers' inability to identify similar-name matches when passengers travel using variations of their name. TSA had been aware that air carriers were not using equivalent processes to compare passenger names with names on the No Fly and Selectee lists. For instance, in June 2006, we reported that the improvements air carriers were making to their individual watch-list- matching processes, though beneficial to the respective air carrier's operations, could further exacerbate differences that currently exist among the various air carriers and could result in varying levels of effectiveness across air carriers in matching passenger information to the No Fly and Selectee lists.[Footnote 44] Furthermore, TSA's March 2007 Secure Flight Program Baseline explained "because each aircraft operator conducts its own matching process, the ability to conduct watch-list matching and coordinate law enforcement responses is not consistent across the aviation industry."[Footnote 45] Moreover, in several interviews over the course of our work, TSA officials acknowledged that in general, some air carriers were performing more similar-name comparisons than other air carriers. TSA's understanding of the significance of these differences was crystallized in January 2008, when results of a special emphasis inspection identified deficiencies in air carriers' similar-name-matching capability. To Address Deficiencies in Air Carriers' Similar-Name-Matching Capability, TSA Issued a Revised No Fly List Security Directive in April 2008 to Provide More Specific Requirements: During the course of our work and in response to findings of the January 2008 special emphasis inspection that identified deficiencies in air carriers' similar-name-matching capability, TSA officials reported that the agency immediately began to assess options for corrective actions to implement across the aviation industry. In doing so, officials noted that they consulted with representatives from the intelligence community, the Secure Flight program, and the aviation industry. On the basis of its assessment, TSA revised the No Fly List security directive in April 2008 to establish a specific baseline capability for air carriers in conducting similar-name matching. Also, in April 2008, TSA officials reported that the agency had plans to similarly revise the Selectee List security directive to require the same baseline capability.[Footnote 46] TSA officials acknowledged that the new baseline capability will not address all vulnerabilities identified by TSA. However, TSA officials explained that they expect the new similar-name matching baseline capability to strengthen the watch-list matching currently performed by air carriers. In particular, the officials expect the newly established baseline capability to improve the matching processes of those air carriers that do not compare the kinds of variations required by the new baseline or that compare none at all. Furthermore, according to agency officials, the variations specified by the new baseline address the types of situations air carriers will encounter due to passengers making their own reservations. Accordingly, TSA concluded that requiring air carriers to conduct similar-name comparisons beyond the baseline capability specified in the revised No Fly List security directive was not warranted for the interim period pending the implementation of Secure Flight. TSA was not able to provide us with data or analysis to support this assertion, and we did not undertake an independent analysis to determine the sufficiency of the newly established baseline. TSA officials also explained they determined that revising the security directives to be the most feasible approach for strengthening the current watch-list-matching process over other options because it was expedient and would have the least negative impact on air carriers' operations. Specifically, TSA officials determined that upon issuing the revised No Fly List security directive, air carriers would need only 2 to 4 weeks to implement new requirements. When considering how this option would affect air carrier operations, TSA officials explained that they considered the number of potential matches that likely would be generated by the new baseline capability. As previously discussed, air carriers reported that comparing more name variations results in more passengers being identified as potential matches, who then must go to the ticket counter to obtain their boarding passes. Thus, large numbers of potential matches could overwhelm air carriers' check-in operations. TSA officials explained that the industry officials with whom they consulted in developing the new baseline capability believed it would produce a manageable number of potential matches. In exploring actions to strengthen the watch-list-matching process, TSA considered two other options--one that would have required each air carrier to contract with third-party providers to develop customized watch-list-matching software, and another that involved the creation of an expanded version of the No Fly and Selectee lists to include name variations so that air carriers need only conduct comparisons to identify an identical match. TSA identified significant obstacles to implementing these options. Specifically, TSA determined that contracting with third-party vendors was impracticable due to availability and timing concerns. For instance, identifying appropriate vendors and implementing vendor-provided solutions could take almost 2 years--an unrealistic time frame given that Secure Flight's implementation is scheduled to begin in 2009. In this regard, TSA officials also expressed reluctance to requiring air carriers to undertake the expense of contracting with third-party vendors for an interim approach, while at the same time requiring that air carriers invest in system changes for Secure Flight. With regard to the option of adding name variations to the No Fly and Selectee lists, according to TSA officials, creating these variations would have greatly expanded the total size of the No Fly List, which could overwhelm the name- matching capability of some air carriers and could potentially send an unmanageable number of potential matches to the ticket counters of air carriers. As previously discussed, in our air carrier interviews, 10 of the 14 air carriers reported that searching for more name variations leads to the identification of more potential matches. In this regard, there is some support for TSA's determination that expansion of the No Fly and Selectee lists could produce an unmanageable number of potential matches. However, we did not independently assess this issue. Although TSA officials characterized the new baseline capability as a good interim solution for strengthening watch-list matching--one that balances TSA's need to strengthen watch-list matching with the air carriers' need for efficient operations--they stressed that the Secure Flight program is ultimately the solution. For example, in its development of Secure Flight, TSA plans to develop a name-matching process that will have the capability to identify name variations beyond those specified by the new baseline. Further, according to TSA, Secure Flight will be better able to use passenger names and other identifying information (such as date of birth and gender) to more accurately match passengers to the subjects of watch-list records and, thereby, further reduce the risks of false negatives without unacceptably increasing the number of false positives (mistakenly identifying a passenger's name as a potential match with watch-list records). Until a 2008 Special Emphasis Inspection, TSA Had Conducted Limited Testing of Air Carriers' Capability to Perform Similar-Name Matching: Although TSA assessed air carriers' compliance with watch-list-matching requirements through a special emphasis assessment conducted in 2005 and through planned inspections conducted in conjunction with annual inspection cycles, the agency had tested similar-name matching to a limited extent until 2008. For instance, the 2005 special emphasis assessment focused on air carriers' capability to identify passenger names that were exact matches with names on the No Fly List, but did not address the capability to conduct similar-name matching. Also, during the most recent annual inspection cycle (fiscal year 2007), although some TSA inspectors tested air carriers' effectiveness in conducting similar-name matching, the inspectors did so at their own discretion and without specific evaluation criteria. However, during a special emphasis inspection conducted in January 2008, TSA found deficiencies in the capability of air carriers to conduct similar-name matching.[Footnote 47] Thereafter, following TSA's revision of the No Fly List security directive in April 2008, officials planned to issue new guidance for inspectors to better ensure compliance by air carriers with requirements in the new security directive (e.g., by providing uniform evaluation criteria consistent with the new requirements). In response to our request for updated information on its oversight efforts, TSA provided us the results of a special emphasis assessment (conducted in May 2008) of seven air carriers' compliance with the revised No Fly List security directive. Although the details of this special emphasis assessment are classified, TSA officials generally characterized the results as positive. Further, TSA's noted that the agency's internal handbook--which provides guidance to transportation security inspectors on how to inspect air carriers' performance of various requirements, including watch-list-matching requirements--was being revised and was expected to be released later this year. Thus, TSA indicated that the new inspection guidance would be used in conjunction with the nationwide regulatory activities plan for fiscal year 2009. While these actions and plans are positive developments, it is too soon to determine the extent to which air carriers' compliance with watch-list-matching requirements will be assessed based on the new security directives since these efforts are still underway. TSA's Special Emphasis Assessment in 2005 Focused on Air Carriers' Exact-Name-Matching Capability: TSA conducted a special emphasis assessment in 2005 that tested the capability of domestic air carriers to find passenger names that were exact matches to names on the No Fly List. The 2005 special emphasis assessment was undertaken at the request of the TSA Administrator due to serious failures in air carriers' watch-list-matching processes, according to a senior TSA official. To conduct the assessment, TSA inspectors made flight reservations using the exact name of an individual who was on the No Fly List and not on the TSA Cleared List. If the air carrier identified the name on the reservation as a potential match to the individual on the No Fly List--and the check-in agent identified through the reservation system that further assistance was needed to finish the check-in process (e.g., to call security)--the test was considered to be successfully completed. According to TSA data: * air carriers passed a large majority of the initial tests conducted in June and July 2005, although several air carriers failed one or more tests and: * those air carriers that failed a test were retested in September 2005, and a large majority of these air carriers passed the tests. [Footnote 48] Although TSA conducted a large number of tests, TSA officials stated-- and our own analyses confirmed--that results from this special emphasis assessment would not produce a reliable estimate of the success rate of all attempted matches by air carriers because TSA did not randomly select the air carriers, airports, or individual flights for review. As a result, the findings from this assessment cannot be used to infer overall or individual rates of success in identifying exact name matches in accordance with the No Fly and Selectee list security directives. That is, although the 2005 special emphasis assessment provided insight into air carriers' effectiveness in conducting a basic form of name matching, the picture provided was incomplete. Moreover, the air carriers' failure rates may have been considerably higher had the special emphasis assessment tested similar-name-matching capability, given that this capability involves more than finding a name that is a letter-for-letter match to another name. However, TSA officials told us that at the time of the special emphasis assessment in 2005, exact-name matching was the agency's focus. TSA Conducted Planned Watch-List-Related Inspections throughout the Year, but Inspectors Tested Air Carriers' Effectiveness at Similar-Name Matching at Their Own Discretion and without Baseline Evaluation Criteria: Since issuing the No Fly and Selectee list security directives in 2002, TSA has incorporated watch-list-related inspections into its regular inspection cycle, but inspectors tested air carriers' effectiveness in similar-name matching during these planned inspections to a limited extent and without specific evaluation criteria. In the most recent annual inspection cycle (fiscal year 2007), TSA conducted 1,145 inspections of air carriers' compliance with watch-list-related requirements in the No Fly and Selectee security directives; 1,109 of these inspections were conducted at air carriers' airport locations by transportation security inspectors and 36 at air carriers' corporate security offices by principal security inspectors.[Footnote 49] The 1,145 inspections covered 60 of the 72 domestic air carriers to which the security directives applied during fiscal year 2007, and most of the carriers were inspected multiple times that year.[Footnote 50] TSA found air carriers in compliance with required procedures in 1,133 (99 percent) of the 1,145 inspections.[Footnote 51] These inspections were based on one or more inspection guidelines (called PARIS prompts) and were sometimes conducted in combination with inspections related to other regulatory requirements, such as performing criminal history record checks on employees or implementing CAPPS procedures. Table 2 presents the inspection guidelines TSA used to assess a key security directive requirement that we reviewed-- matching passenger names to the No Fly and Selectee lists.[Footnote 52] Additional guidelines used to assess other requirements in our review are presented in appendix I.[Footnote 53] Table 2: Requirements for Matching Passenger Data to No Fly and Selectee Lists and Inspection Guidelines Used to Assess Compliance with the Requirements: Requirements for matching passenger data to No Fly and Selectee lists: * Within 24 hours of scheduled flight departure time, air carriers are to compare records from the most recently issued No Fly and Selectee lists with identifying information on passengers found in the respective air carrier's reservation system and offered by passengers at the time of check-in; * When comparing data, air carriers must identify name matches (including similar-name matches) to the No Fly and Selectee lists; * To determine which passengers are matches, a passenger's name and one piece of identifying information (found either within the air carriers' reservation system or supplied by the passenger at check-in) must match with corresponding information provided on the No Fly or Selectee lists; Inspection guidelines: Transportation security inspectors: * All passenger names are compared to the most current No Fly and Selectee lists; * The aircraft operator is comparing all passenger names to the most current No Fly and Selectee lists in accordance with the procedures outlined in Security Directive 1544-01-20 series (No Fly) and Security Directive 1544-01-21 series (Selectee); Inspection guidelines: Principal security inspectors: * Procedures are in place to ensure the most recently issued No Fly List is utilized within 24 hours of receipt; * Procedures are in place to ensure the most recently issued Selectee List is utilized within 24 hours of receipt; * Procedures are in place to contact the Federal Security Director, local law enforcement, the FBI, and TSA Office of Intelligence for matches to the No Fly List; * Records are maintained of all flights operated with passengers who were determined by local law enforcement, U.S. legal attaché, or TSA Office of Intelligence not to be a match. Sources: GAO analysis of TSA's No Fly List Procedures security directive (SD 1544-01-20 series) and Selectee List Procedures security directive (SD 1544-01-21 series), versions dated July 8, 2004, and March 8, 2007, and inspection guidelines applicable during fiscal year 2007. [End of table] The inspections conducted by transportation security inspectors at airports used the guidelines in table 2 to assess air carriers' compliance in matching passenger data to the No Fly and Selectee lists in fiscal year 2007. However, these inspectors tested exact-name and similar-name matching during these inspections at their own discretion; moreover, an official in TSA's Office of Security Operations, Compliance Division, stated that, generally, transportation security inspectors test exact-name-matching capability only. This inspection guideline is broadly written and does not specify the methods for validating compliance with the requirement to perform name comparisons. According to a TSA official in the Office of Security Operations, field inspectors may validate compliance by asking check-in agents to demonstrate that they have access to the current No Fly and Selectee lists and that any hard copies of the lists are properly protected; they may also interview check-in agents to ensure that they understand the security directive requirements, observe them as they process passengers who have been identified as Selectee or No Fly individuals, and/or test the air carriers' system by requesting a gate pass in the name of an individual on the watch list. We found evidence of field inspectors testing air carriers' name matching systems in 55 of the 1,109 inspections they conducted in fiscal year 2007 (such tests may have been administered during the other inspections conducted in fiscal year 2007 but were not documented). For the 36 inspections conducted by principal security inspectors at air carriers' corporate security offices, we found 6 inspection records that referred to tests of exact-name and similar-name matching capability (they may have administered such tests during the other inspections they conducted that year but did not document the tests). Principal security inspectors did not have an inspection guideline directing them to assess exact-name and similar-name matching capability specifically--thus they tested this capability at their own initiative, and then reported their methods and results in conjunction with one of the four guidelines presented in table 2. Further, in response to our inquiry, 6 of TSA's 9 principal security inspectors told us that their assessments have not included examining air carriers' capability to conduct certain basic types of similar-name comparisons. TSA establishes in guidance for inspections (including watch-list- related inspections) that testing is the preferred method for assessing air carriers' compliance with regulations whenever possible and that it is only through testing that security can be assured.[Footnote 54] TSA further establishes in inspection guidance that when regulatory requirements encompass critical layers of security, more intensive oversight is needed, and compliance typically is to be validated through testing, inspections, surveillance, special emphasis assessments, and special emphasis inspections.[Footnote 55] Without routinely testing air carriers' compliance with the similar-name- matching requirement, TSA may not have reliable data on the effectiveness of air carriers' watch-list-matching processes and could be hindered in taking timely action to address any deficiencies. Inspectors who have tested air carriers' effectiveness in performing similar-name matching have done so without specific evaluation criteria. As discussed earlier, for any given name there are a number of possible name variations that could be used for travel, but TSA inspectors did not have baseline criteria on the number or types of such variations that must be evaluated. In the absence of specific standards for similar-name matching that all air carriers must follow, TSA has had no assurance that its inspections are based on uniform evaluation criteria. The inspections may not have been conducted uniformly and may have produced inconsistent results, given the absence of specific standards. In fall 2007, TSA began to review the adequacy of inspection guidance used by principal security inspectors, including guidance for watch-list-related inspections. As discussed in the following section, TSA expects to provide baseline criteria on the number and types of such variations inspectors must evaluate, but had not completed these efforts as of early September 2008. A Special Emphasis Inspection Conducted in 2008 Found Deficiencies in Air Carriers' Similar-Name-Matching Capabilities, and TSA Has Plans for Corrective Actions: During the course of our review and following TSA's discovery of a major air carrier's inability to effectively conduct both exact-name and similar-name-matching against the No Fly List, TSA initiated a 3- day, special emphasis inspection in January 2008 that tested the capability of 83 air carriers to conduct watch-list matching.[Footnote 56] According to TSA officials, this inspection covered 52 domestic air carriers and 31 foreign air carriers. To implement the special emphasis inspection, TSA used 100 names on the No Fly List to test the 83 air carriers' capability to identify both exact-name and similar-name matches based on various types of possible name variations. On the basis of test results, a senior TSA official stated that the agency has confidence in air carriers' capability to identify exact-name matches. Regarding the capability to identify similar-name matches, TSA found that no air carrier was successful in identifying matches involving all types of name variations, although some carriers were more effective than others. On the basis of this inspection, TSA officials stated that they began to strengthen oversight of air carriers' similar-name-matching capability. For example, the TSA officials explained that--after a 30- day period following issuance of the revised No Fly List security directive in April 2008--the agency's inspectors would begin to evaluate air carriers' performance in complying with the new requirements. TSA officials explained that these initial inspections would be conducted at air carriers' corporate security offices and at airports. Officials further stated that after these initial inspections, others would be conducted periodically and, if applicable, TSA would impose progressively stronger enforcement actions against air carriers that are not successful in meeting the new standards. In September 2008, in response to our request for updated information on the status of its oversight efforts, TSA provided us the results of a special emphasis assessment (conducted during May 20-29, 2008) of seven air carriers' compliance with new requirements in the No Fly List security directive. Although the details of this special emphasis assessment are classified, TSA generally characterized the results as positive. Also, TSA plans to work with individual air carriers, as applicable, to analyze specific failures, improve system performance, and conduct follow-up testing as needed. In further reference to revision of the No Fly List security directive in April 2008, TSA officials stated that the agency's internal guidance is being updated to align inspection guidance with the revised directive. The officials elaborated that the new inspection guidance will place more emphasis on testing the effectiveness of security measures rather than using a checklist approach to determine whether an air carrier has a particular procedure in place. Regarding the emphasis on testing, our review noted that the draft guidance being developed for principal security inspectors included testing scenarios based on the types of name variations that air carriers must be capable of conducting in accordance with the revised watch-list-matching requirements. Also, according to TSA, guidance for transportation security inspectors is being developed (as part of the 2009 Regulatory Activities Plan) to provide more specific direction to inspectors for assessing name-matching capability. In September 2008, in response to our inquiry, TSA noted that the agency's internal handbook--which provides guidance to transportation security inspectors on how to inspect air carriers' performance of various requirements, including watch-list-matching requirements--was being revised and was expected to be released later this year. Thus, TSA indicated that the new inspection guidance would be used in conjunction with the nationwide regulatory activities plan for fiscal year 2009. Overall, the actions taken (and planned to be taken) by TSA are positive developments, although it is too soon to determine the extent to which TSA will assess air carriers' compliance with the revised watch-list-matching requirements. According to TSA officials, there were other benefits stemming from the January 2008 special emphasis inspection. For example, officials stated that in considering options for corrective actions, TSA consulted with representatives from the intelligence community, which is responsible for identifying names (and variations of names)[Footnote 57] for inclusion on the No Fly and Selectee lists. According to TSA, these discussions enhanced the intelligence community's understanding of how air carriers use the No Fly and Selectee lists, and as a result, the intelligence community is better positioned to carefully consider which name variations are appropriate for being added to the lists and whether these variations would be helpful for the purposes of watch- list matching. Further, TSA officials noted that such considerations, in turn, could benefit air carriers and the public by limiting the number of passengers who are misidentified as being potential matches with watch-list records. TSA officials added that insights regarding the extent to which name variations exist on the No Fly and Selectee lists also have benefited ongoing efforts to design and implement the Secure Flight program. Specifically, officials explained that TSA now has a fuller understanding of the types of name variations presently contained in watch-list records and, in turn, a fuller understanding of what types of comparisons Secure Flight should be capable of performing. Concluding Observations: Shortcomings that have national security implications exist in the watch-list-matching capability of domestic air carriers, as confirmed by the results of TSA's recent special emphasis inspection. Specifically, TSA found differences among air carriers in the thoroughness and effectiveness of their processes for comparing passengers' names with those on the No Fly List. A particular concern involves similar-name comparisons. However, TSA's April 2008 revision of the No Fly List security directive establishes a baseline name- matching capability by specifying the types of name variations that air carriers' processes must be capable of identifying. Effective implementation of the baseline capability should strengthen watch-list- matching processes, especially for those air carriers that had been using less thorough approaches for identifying similar-name matches. Concurrently, revised internal guidance for TSA's inspectors can help ensure that compliance decisions are based upon testing and that these tests are carried out regularly, using the standards specified within the security directives as evaluation criteria. Also, if properly documented in inspection reports, the results of these tests could give TSA management better information on the quality of watch-list matching being conducted by air carriers, thereby improving TSA's monitoring of the overall security posture of the aviation sector. At the time of our review, TSA's process for revising its guidance was in the initial stages; thus it is too early to determine the extent to which updated guidance for principal security inspectors and transportation security inspectors would strengthen oversight of air carriers' compliance with the security directive requirements. Given continued delays in the implementation of the Secure Flight program, TSA's oversight of air carriers' compliance with watch-list-matching requirements remains an important responsibility. TSA officials acknowledge that the baseline capability specified in the revised No Fly List security directive and the similar revision planned for the Selectee List security directive- -while an improvement--does not address all vulnerabilities identified by TSA and does not provide the level of risk mitigation that is expected to be achieved from Secure Flight. Thus, TSA intends to deploy the Secure Flight program beginning in January 2009 so that it may implement this more robust matching capability. Agency Comments: We provided a draft of our restricted report (GAO-08-453SU) to the Department of Homeland Security and the Department of Justice for review and comment. The Department of Homeland Security had no comments. The Department of Justice provided technical comments on the restricted version of this report, which we incorporated where appropriate. We will send copies of this report to the appropriate congressional committees; the Secretary of Homeland Security; and the U.S. Attorney General. We will make copies available to others upon request. The report will also be available at no charge on our Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report or wish to discuss the matter further, please contact me at (202) 512-3404 or berrickc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Signed by: Cathleen A. Berrick: Director, Homeland Security and Justice Issues: List of Congressional Committees: The Honorable Robert C. Byrd: Chairman: The Honorable Thad Cochran: Ranking Member: Committee on Appropriations: United States Senate: The Honorable Daniel K. Inouye: Chairman: The Honorable Kay Bailey Hutchison: Ranking Member: Committee on Commerce, Science, and Transportation: United States Senate: The Honorable Joseph I. Lieberman: Chairman: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Patrick J. Leahy: Chairman: The Honorable Arlen Specter: Ranking Member: Committee on the Judiciary: United States Senate: The Honorable John D. Rockefeller, IV: Chairman: The Honorable Kay Bailey Hutchison: Ranking Member: Subcommittee on Aviation Operations, Safety, and Security: Committee on Commerce, Science, and Transportation: United States Senate: The Honorable Dave Obey: Chairman: The Honorable Jerry Lewis: Ranking Member: Committee on Appropriations: House of Representatives: The Honorable Bennie G. Thompson: Chairman: The Honorable Peter T. King: Ranking Member: Committee on Homeland Security: House of Representatives: The Honorable Henry A. Waxman: Chairman: The Honorable Tom Davis: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: The Honorable James L. Oberstar: Chairman: The Honorable John L. Mica: Ranking Republican Member: Committee on Transportation and Infrastructure: House of Representatives: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Honorable Judd Gregg: United States Senate: The Honorable Don Young: House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: Objectives: To examine the current processes that domestic air carriers use to conduct watch-list matching for domestic flights, we addressed the following questions: (1) What are TSA's requirements for domestic air carriers to conduct watch-list matching for domestic flights? (2) To what extent has TSA assessed domestic air carriers' compliance with watch-list-matching requirements? Scope and Methodology: In addressing the principal questions, we drew upon our previous work and reports on aviation security--specifically, reports covering TSA's inspection process, Secure Flight, and other passenger prescreening programs. We also consulted our most recent reports and testimonies on terrorist watch lists. In addition, we reviewed relevant studies conducted by other governmental agencies, including the Congressional Research Service and the Department of Justice's Office of Inspector General. This report is a public version of the restricted report that we provided to congressional committees in July 2008.[Footnote 58] More details about the scope and methodology of our work to address each of the principal questions are presented in the following sections, respectively. TSA's Requirements for Air Carriers to Conduct Watch-List Matching for Domestic Flights: To determine TSA's requirements for air carriers to match passenger information against the No Fly List and the Selectee List for domestic flights, we assessed two key TSA documents--the No Fly List Procedures security directive and the Selectee List Procedures security directive. [Footnote 59] We reviewed versions of these security directives-- including the revisions made in April 2008--to identify applicable requirements for watch-list matching. For the purposes of this report, we considered applicable requirements to be those that, according to TSA, would be assumed by the Secure Flight program, once operational, and those that TSA had itself identified for its oversight activities.[Footnote 60] Thus, we identified the following requirements (or key processes) as being within this scope (see table 1, which is presented earlier in this report): (1) the retrieval of the No Fly and Selectee lists, (2) the matching of passenger and watch-list information, (3) the use of the TSA Cleared List, (4) procedures for notifying authorities, and (5) keeping appropriate records.[Footnote 61] To further our understanding of these requirements, we reviewed TSA policies and other guidance applicable to watch-list matching. We also interviewed officials from TSA's Office of Security Operations, which had primary responsibility for writing the security directives, and officials from two TSA offices that collaborated with the Office of Security Operations in crafting critical sections of the directives-- the Office of Transportation Sector Network Management and the Office of Intelligence. To better understand TSA's rationale for similar-name- matching requirements as well as the challenges associated with name- based matching, we attended meetings of the interagency Federal Identity Match Search Engine Performance Standards Working Group, which was organized by the Terrorist Screening Center to help ensure awareness of best practices with regard to identity matching among federal agencies, and spoke with one of the group's experts working in the field of name matching.[Footnote 62] To obtain information on the composition and use of the No Fly and Selectee lists, we spoke with officials from the Department of Justice's Terrorist Screening Center and TSA's Office of Intelligence. Further, to understand how TSA compiles and disseminates its Cleared List to air carriers, we spoke with officials from the Department of Homeland Security's Traveler Redress Inquiry Program (TRIP) and TSA's Office of Transportation Security Redress, which share responsibility for managing the TSA Cleared List for the current watch-list-matching process. Finally, to compare the current watch-list-matching process with that proposed once the federal government performs watch-list matching, we reviewed recent Secure Flight program documents.[Footnote 63] To generally understand how domestic air carriers have responded to TSA's requirements, we selected for interviews a nonprobability sample of 14 air carriers from a TSA-provided list of 95 air carriers that were subject to the watch-list-matching security directives for fiscal year 2005. To ensure that our sample of air carriers reflected a range of operational sizes, we based our selections partly on data from the U.S. Department of Transportation, which places air carriers in size categories based on operating revenue. Specifically, we selected 8 that were considered "major" air carriers, each having more than $1 billion in operating revenue in 2005; all but one of these 8 major air carriers flew internationally. In addition, we selected 3 air carriers the Department of Transportation identified as "national" air carriers, each having more $100 million to $1 billion in operating revenue in 2005, and 1 air carrier the department identified as a "regional" air carrier, with $100 million or less in operating revenue. We also selected two air carriers from the list that were not included in the Department of Transportation's revenue groupings, given the small scale of their operations, but were identified by the department as air carriers that provide commuter service. National, regional, and commuter air carriers--which generally provided service covering a geographical area, such as the Pacific Northwest--had comparatively smaller business operations. In selecting the 14 air carriers, we also considered the number of passengers transported. To determine this number, we used the Department of Transportation's data for number of revenue passengers who enplaned (boarded) domestic air carriers during calendar year 2005- -the most recent year for which data were available when making our selections in 2006.[Footnote 64] To the extent possible, we identified the number of domestic enplanements for those air carriers required to perform watch-list matching in 2005, identified within the previously cited TSA list. According to our calculations, the 14 air carriers in our study accounted for approximately 70 percent of all passengers who boarded domestic air carriers' flights during calendar year 2005, and thus, our selection allowed us to understand how watch-list matching was performed for the majority of passengers flying domestically in 2005. Although the 14 domestic air carriers we selected represent a range in size of air carrier operations and transported a majority of passengers that boarded domestic flights in calendar year 2005, the results of our interviews are not generalizable to all domestic air carriers. To help ensure consistency in conducting our interviews with air carriers, we developed a data collection instrument with questions focusing on air carriers' implementation of certain requirements of the No Fly and Selectee list security directives. We conducted four of these interviews in person at the air carriers' headquarters and the rest via telephone. In addition, to clarify our understanding of air carriers' processes, we conducted follow-up phone interviews with four selected air carriers and received written answers to our follow-up questions from an additional four selected air carriers. The air carrier officials who answered our questions generally held positions in corporate security and regulatory affairs; however, half of the air carriers also had information technology systems specialists participate to answer technical questions related to automated name- matching systems. We did not audit or independently verify each air carrier's implementation of TSA's security directive requirements; rather, our work summarizes the capabilities as reported by officials at the 14 air carriers. Finally, to understand challenges air carriers have experienced in implementing watch-list-matching requirements, we examined TSA's case files on all regulatory violations of the No Fly List Procedures and the Selectee List Procedures security directives reported since the directives were first issued by TSA in 2002 to the time TSA provided us with the data in November 2007--a total of 32 cases.[Footnote 65] We reviewed these case files, which contained documentation and other legal analyses pertaining to TSA's inspection findings following the discovery of the violation, to determine the nature and causes (i.e., human or electronic) of the violations and to identify any patterns among the cases. Finally, to clarify the agency's process for investigating and adjudicating security directive violations, we spoke with officials from TSA's Office of Chief Counsel. Extent to Which TSA Has Assessed Domestic Air Carriers' Compliance with Watch-List-Matching Requirements for Prescreening Passengers: To address this objective, we first obtained an overview of TSA's plans and guidance for assessing air carriers' compliance with regulatory requirements. For instance, to understand the inspection process, the focus of inspections, and inspection methods, we reviewed TSA's National Inspection Manual, the Principal Security Inspector Handbook, and related implementing guidance and policy documents. Further, we interviewed or received written responses to our submitted questions from the general manager of TSA's Office of Transportation Sector Network Management, the two branch chiefs in the office's Commercial Aviation Sector, and all nine of the office's principal security inspectors. We particularly focused on contacting the principal security inspectors because they are responsible for conducting inspections at air carriers' corporate security offices (where watch- list-matching policies and procedures are formulated) that apply across an air carrier's operations. In addition, to obtain information on the creation of inspection plans and guidance and the compilation and analysis of inspection data, we spoke with individuals in the Office of Security Operations and the Office of Transportation Sector Network Management. Also, to obtain management's perspectives on inspections, we spoke with the assistant general managers of the Office of Security Operations' Compliance Division and its Procedures Division. We also interviewed two federal security directors[Footnote 66] and two transportation security inspectors, also within TSA's Office of Security Operations and who were located in the Washington, D.C., metropolitan area, on planning and conducting inspections. After obtaining an understanding of TSA's plans and guidance for assessing air carriers' compliance with regulatory requirements, we reviewed the results of TSA inspections that are scheduled on a regular basis in conjunction with annual inspection plans. In conducting inspections each year, TSA's inspectors use an extensive list of inspection guidelines (known as PARIS prompts)[Footnote 67] that cover a broad range of applicable topics--including topics outside the scope of our review, such as airport perimeter security and cargo security, as well as screening of employees and baggage.[Footnote 68] As presented in table 3, we determined that TSA used 11 inspection guidelines during fiscal year 2007 that were relevant to the objectives of our review.[Footnote 69] Of these, guidelines 1, 2, and 6 through 11 were applicable to inspections conducted by principal security inspectors, while guidelines 3 through 5 were applicable to inspections conducted by transportation security inspectors. Table 3: Watch-List-Matching Requirements and the Related Inspection Guidelines (Fiscal Year 2007): Requirements (key processes): Retrieving the No Fly and Selectee lists; Inspection guidelines (prompts): 1. Procedures are in place to ensure the most recently issued No Fly List is utilized within 24 hours of receipt; 2. Procedures are in place to ensure the most recently issued Selectee List is utilized within 24 hours of receipt. Requirements (key processes): Matching passenger data to No Fly and Selectee lists; Inspection guidelines (prompts): 3. All passenger names are compared to the most current No Fly and Selectee lists in accordance with the Private Charter Standard Security Program; 4. The aircraft operator is comparing all passenger names to the most current No Fly and Selectee lists in accordance with the procedures outlined in Security Directive 1544-01-20 series (No Fly) and Security Directive 1544-01-21 series (Selectee). Requirements (key processes): Using the TSA Cleared List; Inspection guidelines (prompts): 5. A passenger identified as a match on the Selectee List is cleared, along with his or her accessible property. Requirements (key processes): Notifying authorities; Inspection guidelines (prompts): 6. Procedures are in place to contact the federal security director, local law enforcement, FBI, and TSA Office of Intelligence for matches to the No Fly List; 7. Procedures are in place to contact the TSA Office of Intelligence for matches to the Selectee List. Requirements (key processes): Keeping records[A]; Inspection guidelines (prompts): 8. Records are maintained of all flights operated with passengers who were determined by a local law enforcement, U.S. legal attaché, or TSA Office of Intelligence not to be a match; 9. Records are maintained of every flight operated with passengers who are designated as selectees; 10. Records are maintained of every flight with an individual who is cleared to fly utilizing data in the TSA Cleared List including the name of the cleared individual and the accepting aircraft operator representative[B] (No Fly List); 11. Records are maintained of every flight with an individual who is cleared to fly utilizing data in the TSA Cleared List including the name of the cleared individual and the accepting aircraft operator representative[B] (Selectee List). Sources: GAO analysis of TSA's security directives and related guidance. [A] Maintaining accurate records, according to TSA officials, provides a starting point for an investigation in the event of a terrorist incident. [B] This inspection guideline reflects the current process, which is to use the TSA Cleared List. Security directives in effect prior to April 2008 referenced a "cleared column," a format for clearing passengers. TSA eventually replaced this format with the Cleared List and updated language in the April 2008 revision of the No Fly List Procedures security directive to reflect the new process. [End of table] In reference to the 12 inspection guidelines--the 11 guidelines listed in table 3 and the 1 guideline discussed in footnote 12 of this appendix--TSA queried its PARIS database to identify all inspections of domestic air carriers conducted during fiscal year 2007 that used at least one of these guidelines. In addition to determining the number of inspections, we reviewed the fiscal year 2007 inspection data to calculate compliance rates.[Footnote 70] We did not evaluate the substantive basis for the inspectors' assessment decisions regarding compliance with requirements. To determine whether and to what extent TSA's inspectors tested the air carriers' capability to conduct exact-name and similar-name matching, we also reviewed documentation of testing in a data field (in the PARIS database) that allowed inspectors to enter narrative comments regarding similar-name matching, among other inspection activities. In doing so, we conducted a formal content analysis by having two analysts independently review comments in the data field and then resolve any inconsistencies between the two sets of analytical observations. Moreover, we submitted written questions to each of TSA's nine principal security inspectors asking them to describe their practices for testing air carriers' capability to identify similar-name variations. In contrast to these regular inspections, TSA also conducted a special emphasis assessment and a special emphasis inspection, nonroutine activities conducted at the direction of TSA headquarters. A special emphasis assessment addresses a vulnerability that generally is not tied to a regulation, while a special emphasis inspection is tied to a regulatory requirement. TSA provided us information on the scope, methodology, and results of a special emphasis assessment that TSA conducted during June, July, and September 2005. We reviewed the scope, methodology, and results of this assessment with our methodologists and with TSA officials. We determined that the sampling and related procedures used for the special emphasis assessment were insufficient for providing a reliable estimate of the success rate of all attempted matches by air carriers; thus, the results cannot be used to infer overall or individual rates of compliance with the name-matching requirements in TSA's security directives. In February 2008, TSA provided us a briefing on the scope and methodology of a special emphasis inspection conducted the month before in which the similar-name-matching capability of 52 domestic air carriers and 31 foreign air carriers was tested. The briefing also covered analyses of the results to date of the special emphasis inspection and a discussion of the corrective actions that TSA was planning to implement to address deficiencies. In April 2008, TSA provided us with an updated briefing on its plans for corrective actions. In September 2008, we requested information on TSA's progress with these corrective actions. In response, TSA provided us the results of a special emphasis assessment (conducted during May 20-29, 2008) of seven air carriers' compliance with requirements in the April 2008 No Fly List security directive. We did not assess the reliability of the data TSA collected during the January 2008 special emphasis inspection nor the May 2008 special emphasis assessment. Reliability of Fiscal Year 2007 Inspections Data: In assessing the reliability of the fiscal year 2007 data that TSA provided us for watch-list-related inspections based on annual inspection cycles, we performed electronic testing, discussed the data system and any data inconsistencies we found with knowledgeable TSA officials, and reviewed existing information about the system. Although we determined that the data were reliable for the purposes of this report, we have concerns about TSA's process for querying its inspection database, and the potential for faulty output. The process is cumbersome and prone to user error due, in part, to differences that occur in the verbiage of inspection guidelines and types of inspections as they are revised over time. We conducted this performance audit from July 2006 to September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on the audit objectives. [End of section] Appendix II: Overview of Selected Domestic Air Carriers' Watch-List- Matching Processes: TSA's watch-list-matching requirements for domestic flights address five key process areas: (1) retrieval of the No Fly and Selectee lists, (2) the matching of passenger and list information, (3) the use of TSA's Cleared List, (4) notification procedures, and (5) record-keeping activities (see table 1).[Footnote 71] To generally understand how TSA's requirements for watch-list matching were being implemented, we reviewed documents in which TSA provided general information on air carriers' processes. We also interviewed 14 domestic air carriers with operations ranging in size from international to commuter service about their watch-list-matching processes. All 14 air carriers were subject to TSA's requirements for comparing passenger information with records on the No Fly and Selectee lists and the TSA Cleared List.[Footnote 72] We asked each of the 14 to describe their processes for meeting TSA's requirements.[Footnote 73] The air carriers' implementation of these requirements can be discussed in reference to three time periods--before passenger check-in, at passenger check-in, and after passenger check-in--as reflected in the following sections, respectively, and as illustrated in figure 1. Before Passenger Check-in: Retrieving the No Fly and Selectee Lists and Executing Name Comparisons: The 14 air carriers told us that they obtain new versions of the No Fly and Selectee lists through one or both of the following methods (1) assigning an employee to monitor TSA's Web board for new postings at certain intervals throughout the day, and (2) receiving an e-mail message from TSA to the respective air carrier's security staff informing them of new No Fly and Selectee lists. Also, all 14 air carriers reported using passenger name record (PNR) data--data collected from the passenger at the time a reservation is made--to make comparisons against the No Fly and Selectee lists. Specifically, the air carriers said that they have implemented procedures to execute comparisons of PNR and watch-list data prior to scheduled flight departure. Most of the air carriers told us they do this by using computerized matching programs that automatically execute comparisons. Because the 14 air carriers we interviewed did not collect date of birth (an identifying data element that air carriers receive on the No Fly and Selectee lists) within PNR data, this information generally was not available for matching purposes prior to check-in. However, as discussed later in this appendix, several air carriers reported developing systems capable of accessing passenger date-of-birth information collected and stored outside of PNR data for use in comparisons conducted prior to check-in, but this information was not available for all of their passengers. Thus, the 14 air carriers we spoke with were limited to performing name-only comparisons--that is, comparisons of passenger names with names on the No Fly and Selectee lists--prior to check-in for at least some, if not all, passengers. All 14 air carriers we spoke with reported conducting comparisons to identify exact-name matches of passengers and watch-list names. However, not every air carrier reported conducting comparisons to identify similar-name matches. At Passenger Check-in: Completing Comparisons of Passenger and Watch- List Information and Using TSA's Cleared List: In accordance with TSA requirements, air carriers are to collect additional identifying information at check-in to assist in identifying passengers who are matches with information on the No Fly or Selectee lists. Air carriers collect additional identifying information at check- in only for those passengers identified as potential matches to the No Fly or Selectee lists through the name-only comparisons they conduct prior to check-in. To prevent individuals who are potential matches from checking in by other means, such as using Internet or airport kiosk check-in, air carriers with automated systems place an automatic "lock" on boarding passes (see fig. 1).[Footnote 74] By doing so, the air carriers force all potentially matched passengers to check in at the ticket counter, where an agent is to collect a valid form of identification with date of birth (typically, a government-issued identification document such as a driver's license or passport) to complete the comparison of passenger and watch-list information. To check the potentially matched passenger's date of birth information against the No Fly and Selectee lists, most of the 14 air carriers we interviewed reported comparing the two dates manually, and the other air carriers reported keying the passenger's date of birth into a computer system that would automatically execute the comparison. [Footnote 75] The 14 air carriers reported that if they determine that the dates of birth do not match, they unlock the boarding pass without consulting TSA, in accordance with TSA requirements, thereby allowing the passenger to continue the boarding process (see fig. 1, post-check- in number 1).[Footnote 76] However, if a passenger's date of birth matches with that of an individual on the No Fly or Selectee lists, the 14 air carriers said that they consider the passenger to be a match and followed the procedures outlined in TSA's security directives for handling matches to the No Fly or Selectee lists (see fig. 1, post- check-in numbers 2 and 3). Figure 1: Overview of the Current Passenger Watch-List-Matching Process: [See PDF for image] This figure is an illustration of the current passenger watch-list- matching process, as follows: Precheck-in: * Passenger makes reservation; PNR is created; * TSA posts No Fly, Selectee, and TSA Cleared lists to secure Web board; * Air carrier retrieves list data; * Air carrier system compares PNR data to List data. * Potential match: Yes, proceed to check-in. Check-in: * Clearance process for locked PNRs (system match during comparison)? - Passengers present government ID at ticket counter; Agent compares passenger’s ID to No Fly, Selectee, and TSA Cleared list data. * Check-in process for Nonlocked PNRs (not a potential match in system comparison): Internet, kiosk or ticket counter. Post Check-in: * Matching results: 1. Cleared: Passenger identified as not being on No Fly or Selectee list; Passenger identified as a match to cleared list: * PNR unlocked; Checkpoint screening; Passenger proceeds to flight. 2. Selectee match: Passenger identified as a match to Selectee list: * PNR unlocked; Additional screening; Checkpoint screening; Passenger proceeds to flight. 3. No Fly: Passenger identified as a match to No Fly list: * Air carrier contacts appropriate officials; - Not cleared; PNR locked; Boarding pass denied; Or: - PNR unlocked; Cleared; PNR unlocked; downgraded to selectee; Additional screening; Checkpoint screening; Passenger proceeds to flight; Or: - PNR unlocked; Cleared; Additional screening; Checkpoint screening; Passenger proceeds to flight. Source: GAO analysis. [End of figure] Also, 10 air carriers reported using the TSA Cleared List to identify and clear passengers misidentified as a match to the No Fly List or the Selectee List, generally at the time of check in. The other 4 air carriers reported not using the list--despite TSA's requirement that all air carriers do so. In addition, of the 10 air carriers that reported using the cleared list, 2 reported using the list in conjunction with their independently developed processes to "pre-clear" individuals (discussed below). Development of such processes was undertaken to allow air carriers to identify and clear misidentified passengers without requiring them to check in at the ticket counter. Specifically, 11 of the 14 air carriers we interviewed reported that individuals on the TSA Cleared List still must approach the ticket counter at check in.[Footnote 77] Consequently, 6 of the 14 air carriers that we interviewed reported developing alternative clearance processes to decrease the number of potentially matched individuals who are required to check in at the ticket counter. These 6 carriers explained that their internally developed clearance processes operate by using additional data sources, such as passenger information collected in frequent flier databases, to resolve potential matches prior to check in. For example, if an air carrier collected date of birth within its frequent flier database, its internal clearance system would compare the date of birth of a potentially matched passenger who had entered a frequent flier number when making a reservation with the date of birth of the respective individual on the No Fly List or the Selectee List.[Footnote 78] After Passenger Check in: Implementing the Notification and Record- Keeping Procedures Specified in TSA's No Fly and Selectee Security Directives: For match determinations made at the time of passenger check in, TSA's No Fly and Selectee list security directives require that air carriers follow certain notification and record-keeping procedures. With regard to notification procedures: * If the air carrier identifies a passenger as a potential match to the No Fly List, the air carrier must contact both the applicable federal security director and the appropriate law enforcement officer. Then, if the law enforcement officer confirms that the passenger is a match, the air carrier is to contact the local Federal Bureau of Investigation (FBI) field office and TSA's Office of Intelligence. * If the air carrier identifies a passenger as a potential match to the Selectee List, the air carrier must mark the passenger's boarding pass to indicate to checkpoint screeners that the passenger should be subject to enhanced checkpoint screening. Also, the air carrier must notify TSA's Office of Intelligence that the passenger has been matched with the Selectee List. With regard to record-keeping procedures, TSA's security directives require that air carriers maintain a record of (1) all passengers cleared using the TSA Cleared List, (2) all flights that had potentially matched passengers who were determined by local law enforcement not to be a match to the No Fly List, and (3) all passengers identified as matches with the Selectee List. Generally, the 14 air carriers told us that they followed the notification and record-keeping requirements specified in TSA's security directives, but reported having different procedures in place to implement these requirements. For example, upon identifying a potential match to the No Fly List, 5 air carriers reported requiring their ticket agents to notify their respective air carrier's ground security coordinator, who would then make the necessary calls to the applicable TSA federal security director and to local law enforcement. Three other air carriers reported requiring that ticket agents contact security staff at a centralized call center, and these staff would then make the necessary notifications.[Footnote 79] In addition, some of the carriers reported using some slight deviations from the stated requirements. For example, rather than notifying the local FBI field office and TSA's Office of Intelligence of a match only after a local law enforcement officer has confirmed the match, 8 air carriers reported contacting TSA's Office of Intelligence for every passenger whose information matched the No Fly List, regardless of the local law enforcement officer's input. [Footnote 80] [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Cathleen A. Berrick, (202) 512-3404 or berrickc@gao.gov: Staff Acknowledgments: In addition to the contact named above, Danny Burton and Christine Fossett (Assistant Directors) and Mona Blake and Mike Bollinger (Analysts-in-Charge) managed this assignment. Suzanne Heimbach, Matt Mohning, Justin Monroe, Alison Sands, and Susan Woodward made significant contributions to the work. David Alexander, Michele Fejfar, and Rich Hung assisted with design, methodology, and data analysis. Tom Lombardi and David Plocher provided legal support. Richard Ascarate, Ryan Consaul, Kevin Copping, Kristen Jensen, Lara Kaskie, Maria Soriano, William D. Updegraff, and Margaret Vo provided assistance in report preparation. [End of section] Footnotes: [1] Watch-list matching is one of two TSA-mandated prescreening processes conducted by air carriers. The other mandated prescreening activity is the Computer Assisted Passenger Prescreening System, discussed later this report, which does not involve matching passenger information against the No Fly and Selectee lists. These lists contain applicable records from the Terrorist Screening Center's consolidated database of known or appropriately suspected terrorists. See GAO, Terrorist Watch List Screening: Recommendations to Promote a Comprehensive and Coordinated Approach to Terrorist-Related Screening, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-253T] (Washington, D.C.: Nov. 8, 2007). [2] The number of domestic air carriers has varied over time, for example, from 95 in 2005 to about 70 in 2007. For the purposes of this report, domestic air carriers are those with operations based in the United States that maintain full security programs in accordance with 49 C.F.R. part 1544. Foreign air carriers--air carriers with operations based outside the United States--must also comply with U.S. security regulations, including applicable requirements for watch-list matching, when operating flights to or from the United States in accordance with 49 C.F.R. part 1546. Both domestic and foreign air carriers may conduct international flights to and from the United States; however, these operations are outside the scope of this report. [3] See GAO, Terrorist Watch List Screening: Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand Use of the List, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-110] (Washington, D.C.: Oct. 11, 2007). We reported that TSA's Office of Intelligence documented various incidents (for the period January 1, 2005, through June 3, 2007) in which air carriers--both domestic and foreign--allowed individuals on the No Fly List to board international flights traveling to or from the United States. Several of these incidents involved flights of domestic air carriers. We asked TSA's Office of Intelligence to identify any additional incidents in which a No Fly listed individual flew on a domestic air carrier for the period June 4, 2007, through December 31, 2007, and TSA identified no additional incidents occurring within this time period. [4] This issue of false negatives is addressed later in this report. [5] See, e.g., 49 C.F.R. § 1544.305. Although generally issued in response to an immediate or imminent threat, security directives may be effective for an indefinite duration if TSA determines that a continuing need for such measures exists. In some cases, aviation- related measures implemented through a security directive have been discontinued, amended, or incorporated into air carrier security programs. [6] See 49 U.S.C. 44903(j)(2)(C). [7] GAO, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-385] (Washington, D.C.: Feb. 13, 2004); Aviation Security: Management Challenges Remain for the Transportation Security Administration's Secure Flight Program, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-864T] (Washington, D.C.: June 14, 2006); and Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-456T] (Washington, D.C.: Feb. 28, 2008). [8] GAO, Transportation Security: Efforts to Strengthen Aviation and Surface Transportation Security Continue to Progress, but More Work Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-651T] (Washington, D.C.: Apr. 15, 2008). [9] See Pub. L. No. 110-161, Div. E, § 513, 121 Stat. 1844, 2072-73 (2007). [10] GAO, Aviation Security: Management Challenges Remain for the Transportation Security Administration's Secure Flight Program, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-864T] (Washington, D.C.: June 14, 2006). [11] We are conducting this review in response to requests from the House of Representatives (Committee on Transportation and Infrastructure, Committee on Homeland Security, and Committee on Oversight and Government Reform). These requesters asked that we review the current passenger prescreening system in conjunction with our ongoing work related to TSA's progress with Secure Flight. In addition, we are reporting on this issue to the U.S. Senate requesters and the mandate committees associated with our Secure Flight work. [12] Pursuant to Homeland Security Presidential Directive 6, dated September 16, 2003, the Terrorist Screening Center--an entity that has been operational since December 2003 under the administration of the FBI--was established to develop and maintain the U.S. government's consolidated terrorist screening database (the watch list) and to provide for the use of watch-list records during security-related screening processes. [13] All 14 air carriers we interviewed operate under full security programs in accordance with 49 C.F.R. part 1544 and conduct watch-list matching in accordance with the No Fly and Selectee list security directives issued by TSA. [14] The Department of Transportation groups U.S.-based air carriers according to their operating revenue. In the 2005 groupings, each of the "major" air carriers had over $1 billion in operating revenue. [15] Of these six, the Department of Transportation's 2005 revenue groupings identified three as "national" air carriers, with each having over $100 million to $1 billion in operating revenue, and one as a "regional" air carrier, with $100 million or less in operating revenue. The other two air carriers were not included in the department's revenue groupings, given the small scale of operations, but were identified by the department as air carriers that provide commuter service. Major air carriers have over $1 billion in operating revenue. [16] The No Fly and Selectee list security directives also address the screening of air carrier employees against the No Fly and Selectee lists, but our scope was confined to the passenger-specific prescreening requirements in the security directives. [17] Special emphasis assessments and special emphasis inspections are nonroutine activities undertaken at the direction of TSA headquarters. According to TSA, a special emphasis assessment addresses a vulnerability that generally is not tied to a regulation, while a special emphasis inspection is tied to a regulatory requirement. [18] In September 2008, TSA provided us the results of a special emphasis assessment (conducted during May 2008) of seven air carriers' compliance with new requirements in the No Fly List security directive, which was revised in April 2008 to specify a baseline capability for conducting watch-list matching. This special emphasis assessment is discussed later in this report. [19] In September 2008, TSA informed us that the revised Selectee List security directive was still in the agency's internal clearance process but did not provide us a targeted issuance date. [20] PARIS is the acronym for the Performance and Results Information System, which is TSA's inspections database. This database assists TSA management by providing factual and analytical information on the compliance of TSA-regulated entities. There are approximately 1,700 PARIS prompts, which serve as guidelines for TSA inspectors. [21] According to TSA data, these 1,145 watch-list-related inspections (36 plus 1,109) covered 60 domestic air carriers, and most of the air carriers were inspected multiple times. [22] TSA reported that the January 2008 special emphasis inspection covered 52 domestic air carriers and 31 foreign air carriers. [23] In accordance with 49 U.S.C. § 114(h), TSA adopted policies and procedures for ensuring that air carriers use information from government agencies to identify individuals on passenger lists who may be a threat to civil aviation or national security and, if such an individual is identified, notify appropriate law enforcement agencies, prevent the individual from boarding an aircraft, or take other appropriate action with respect to that individual. [24] Pub. L. No. 107-71, § 136, 115 Stat. 597, 637 (2001) (codified at 49 U.S.C. § 44903(j)(2)(A)) (requiring use of the Computer Assisted Passenger Prescreening System or any successor system). [25] For the purposes of this report, we address policies and procedures applicable to air carriers regulated under 49 C.F.R. part 1544 (U.S.-flagged air carriers), which we refer to as domestic air carriers. For these air carriers, we limit our discussion to the watch- list matching TSA requires to secure the aviation sector for domestic flights--air carrier operations between two points within the United States or its territories. TSA requirements also address the international operations of domestic air carriers, and the operations of foreign-flagged air carriers flying to and from destinations within the United States and its territories in accordance with 49 U.S.C. part 1546; however, these requirements are outside the scope of our review. [26] The most recent version of the No Fly List Procedures security directive is SD 1544-01-20F, dated April 9, 2008, and the most recent version of the Selectee List Procedures security directive is SD 1544- 01-21F, dated March 8, 2007. [27] On June 10, 2008, the Department of Justice provided us comments on a draft of the restricted version of this report (GAO-08-453SU) and noted that the Principals Committee, which is a senior interagency forum under the Homeland Security Council, had approved additional criteria that the Terrorist Screening Center would begin implementing on June 23, 2008. The Homeland Security Council was established to ensure coordination of all homeland-security-related activities among executive departments and agencies and promote the effective development and implementation of all homeland security policies. See The White House, Homeland Security Presidential Directive/HSPD-1, Organization and Operation of the Homeland Security Council (Washington, D.C.: Oct. 29, 2001). [28] Each watch-list record, however, does not necessarily indicate a separate individual on the list. Some listed individuals have multiple records attributed to them due to the inclusion of known aliases and name variations. [29] The lists may also be provided via password-protected e-mail. [30] TSA initiated this effort in response to the Aviation and Transportation Security Act, which requires that TSA ensure that a system is used to evaluate all passengers before they board an aircraft and ensure that selected individuals and their carry-on and checked baggage are adequately screened. See Pub. L. No. 107-71, § 136, 115 Stat. at 637 (codified at 49 U.S.C. § 44903(j)(2)(A)). [31] The National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report - Final Report of the National Commission on Terrorist Attacks Upon the United States (Washington, D.C.: 2004), p. 393. [32] Pub. L. No. 108-458, § 4012(a)(1), 118 Stat. 3638, 3714-17 (2004) (codified at 49 U.S.C. § 44903(j)(2)(C) (2004)). A separate provision enacted at section 4012(a)(2) addressed the predeparture screening of international passengers, with the Secretary of Homeland Security giving this responsibility to U.S. Customs and Border Protection. See 49 U.S.C. § 44909(c)(6). [33] With regard to redress protections, DHS must have a process whereby aviation passengers determined to pose a threat to aviation security by Secure Flight may appeal that determination and correct erroneous information contained within the prescreening system. See GAO, Aviation Security: Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration's Secure Flight Program, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-06-374T] (Washington, D.C.: Feb. 9, 2006). [34] See 72 Fed. Reg. 48,356 (Aug. 23, 2007). Requirements described in the notice of proposed rulemaking are subject to revisions based on various considerations, including input that TSA received during the public comment period. As of the date of this report's issuance, DHS had not issued a final Secure Flight rule. [35] GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviations Security Programs, but More Work Remains, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-08-465T] (Washington, D.C.: Feb. 28, 2008). [36] In September 2008, TSA informed us that the revised Selectee List security directive was still in the agency's internal clearance process but did not provide us a targeted issuance date. [37] When making determinations on matches, air carriers must use the TSA Cleared List, which is composed of names and other personal- identifying information on individuals whom the Department of Homeland Security has reviewed and determined are not individuals on the No Fly or Selectee lists. [38] Specifically, we reviewed and discussed the No Fly and Selectee list security directives and identified within each the key requirements pertaining to domestic flights. Although the same requirements generally apply to the international flights of both domestic and foreign air carriers, such operations fall outside the scope of our review. For more information on how we identified requirements for watch-list matching, see appendix I. [39] TSA's revised No Fly List Procedures security directive (SD 1544- 01-20F) is dated April 9, 2008. Also, in April 2008, TSA reported that the current Selectee List Procedures security directive (SD 1544-01- 21F) would be similarly revised. In September 2008, TSA informed us that the revised Selectee List security directive was still in the agency's internal clearance process but did not provide us a targeted issuance date. [40] We did not independently verify the air carriers' approaches to watch-list matching. Unless noted otherwise, our summary of the air carriers' approaches is based on system capabilities reported to us in 14 separate interviews with the respective air carriers. Appendix II provides more detail on the 14 air carriers' reported approaches to watch-list matching. [41] Some of these flights involved passengers who flew from one domestic location to another domestic location, where they boarded an international flight. TSA learned that the individual on the No Fly List flew domestically after U.S. Customs and Border Protection identified the individual on the international leg. [42] GAO, Terrorist Watch List Screening: Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand the Use of the List, GAO-08-110 (Washington, D.C.: Oct. 11, 2007). [43] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-110]. [44] GAO, Aviation Security: Management Challenges Remain for the Transportation Security Administration's Secure Flight Program, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-864T] (Washington, D.C.: June 14, 2006). [45] Upon completing a reassessment of the Secure Flight program in February 2007, TSA produced this document to identify decisions made about Secure Flight's capabilities during the reassessment. See TSA, Secure Flight Program Baseline (Washington, D.C.: March 2007), p. 5. [46] As mentioned previously, in September 2008, TSA informed us that the revised Selectee List security directive was still in the agency's internal clearance process but did not provide us a targeted issuance date. [47] TSA reported that the January 2008 special emphasis inspection covered 52 domestic air carriers and 31 foreign air carriers. [48] According to TSA officials, the agency had planned to conduct tests of all 81 domestic air carriers that were subject to the No Fly List Procedures security directive at that time. However, the officials explained that due to limited resources, initial testing covered 63 air carriers (encompassing operations at 354 airports), and the retesting covered 36 air carriers (encompassing operations at 290 airports). [49] As noted earlier, we concluded that these inspection data were sufficiently reliable for the purposes of this report, but we have concerns about the potential for error based on TSA's process for querying its inspection database (we discuss these concerns in more detail in app. I). [50] Regarding the air carriers that did not receive a watch-list- related inspection during fiscal year 2007, TSA does not require inspectors to inspect each air carrier every year in terms of watch- list-related requirements. However, a senior TSA official in the compliance area who supervises inspectors stated that annually inspecting every air carrier is a goal, at least for principal security inspectors. [51] We did not evaluate the basis for the inspectors' assessment decisions regarding compliance with requirements. Although TSA's security directives require comparisons of passenger and employee names to the No Fly and Selectee lists, our review was confined to requirements related to passengers only. [52] To report their findings in TSA's automated database, inspectors select one of four options from a computer-generated list: not inspected, not applicable, not in compliance, and in compliance. If the inspectors wish to add narrative to describe their findings, they can do so in a data field reserved for comments. [53] In appendix I, see table 3. [54] TSA, National Inspection Manual, 2007. Inspections for all regulated areas (not just watch-list-related inspections) generally incorporate all of four methods--testing, document review, interviews, and surveillance. [55] TSA, Regulatory Activities Plan for Transportation Security Inspectors Fiscal Year 2008. [56] We briefed the TSA Administrator and other senior officials on the results of our work in November 2007. [57] As noted previously, each watch-list record does not necessarily indicate a separate individual on the list. Some listed individuals have multiple records attributed to them due to the inclusion of known aliases and name variations. [58] GAO, Aviation Security: Pending Implementation of Secure Flight, TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No Fly and Selectee Lists, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-453SU] (Washington, D.C.: July 10, 2008). [59] These directives apply to domestic air carriers--that is, U.S. air carriers that maintain security programs in accordance with 49 C.F.R. part 1544. The directives govern watch-list matching for flights operating between two points within the United States or its territories. Although outside the scope of our review, the directives also apply to domestic air carriers' international operations. At the start of our review, we based our analysis on the No Fly List Procedures (1544-01-20D) security directive and the Selectee List Procedures (1544-01-21E) security directive, both dated July 8, 2004. Over the course of our review, TSA first issued revised security directives in 2007 and has undertaken to revise them again in April 2008. The 2007 revisions of the No Fly and Selectee list security directives (SD 1544-01-20E and SD1544-01-21F, respectively) clarified certain elements of the directives but resulted in no substantive changes in the requirements. Generally, in this report, we focus on the changes in requirements resulting from revisions undertaken in April 2008 (SD 1544-01-20F and anticipated SD 1544-01-21G (Selectee List), respectively). [60] We based our understanding of TSA's planned capabilities for Secure Flight on our February 2006 testimony before the Senate Committee on Commerce, Science, and Transportation, our most recent, comprehensive testimony on the program when we initiated our work in July 2006. See GAO, Aviation Security: Significant Management Challenges May Adversely Affect Implementation of the Transportation Security Administration's Secure Flight Program, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-374T] (Washington, D.C.: Feb. 9, 2006). [61] Although addressed in the security directives, other requirements that we excluded from our scope involved, for example, procedures involving the screening of employees and procedures related to the international operations of domestic air carriers. We did not consider requirements for domestic air carriers' international flights as part of our review because at the time we were planning our review, TSA intended for Secure Flight to take over the watch-list-matching function for only domestic flights. U.S. Customs and Border Protection was expected to conduct the watch-list-matching function for flights arriving from or departing to locations outside the United States, not Secure Flight. However, in February 2008 we reported in testimony that, as agreed to by the respective agencies, TSA will also take over the matching of international passengers against the No Fly and Selectee lists from U.S. Customs and Border Protection. GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-465T] (Washington, D.C.: Feb. 28, 2008). [62] One objective of the Federal Identity Match Search Engine Performance Standards Working Group is to provide guidance to improve the effectiveness of the automated search engines that federal agencies use for conducting identity matching. The group began meeting in December 2005. It included representatives from the departments of Homeland Security, State, and Defense; FBI; the intelligence community; and the National Institute of Standards and Technology. [63] Specifically, we reviewed the Secure Flight notice of proposed rulemaking (72 Fed. Reg. 48,356 (Aug. 23, 2007)) and final concept of operations for Secure Flight (dated Mar. 9, 2007). We also reviewed our most recent reports and testimonies on the program. [64] Specifically, the data reflect the number of domestic passengers who boarded (enplaned) at a flight's point of origin in calendar year 2005. The data include only revenue passengers, or passengers from whom the air carrier received payment. As such, the data exclude passengers using frequent flier vouchers, infants, air carrier employees, etc. [65] The earliest case was dated December 3, 2003; the most recent was dated August 24, 2007. Because some domestic air carriers that are subject to security directives fly internationally, 7 of the 32 cases involved flights arriving from or departing to international locations. Although we excluded such flights from our review of watch-list- matching requirements, as mentioned previously, we retained these 7 cases in our analysis of regulatory violations. We did so because (1) the requirements for air carriers to perform watch-list matching for flights involving an international location are, for the most part, the same as those for air carrier operations between two points within the United States or its territories, and (2) in August 2007, TSA announced that Secure Flight would eventually assume watch-list matching for passengers on flights arriving from or departing to locations outside the United States. [66] Federal security directors are responsible for leading and coordinating TSA security activities at airports across the nation. [67] The Performance and Results Information System (PARIS) is an inspections database that assists TSA management by providing factual and analytical information on the compliance of TSA-regulated entities. [68] As mentioned previously, the watch-list-matching requirements relevant to the objectives of our review are shown in table 1, which is presented earlier in this report. [69] TSA provided us with data for 12 inspection guidelines. These 12 are the 11 guidelines shown in table 3--plus the following guideline, which was replaced in March 2007 with guideline 4 in table 3: "All passenger names are compared to the most current No Fly and Selectee Lists in accordance with the procedures outlined in Security Directive 1544-01-20 series (No Fly) and Security Directive 1544-01-21 series (Selectee)." Because these two guidelines were used for the same purpose but at different times during fiscal year 2007, we combined the data associated with each one and treated them as one inspection guideline for the purposes of this report. [70] Our calculations were based only on the 12 inspection guidelines relevant to our review. [71] To identify these requirements, we reviewed the No Fly List Procedures and Selectee List Procedures security directives (series SD 1544-01-20 and SD 1544-01-21, respectively). This report discusses only the requirements within the two security directives pertaining to domestic flights (defined as flights occurring between points within the United States and its territories), though these same requirements generally apply to the international flights of both domestic and foreign air carriers. For more information on how we identified requirements for watch-list matching, see appendix I. [72] For information on our methodology for selecting the 14 air carriers and conducting the interviews, see appendix I. [73] The implementation methods described in this appendix are based on descriptions obtained from the 14 air carriers. We did not undertake audits of the air carriers' processes to confirm that the processes functioned as described in the interviews. Specifically, we asked air carriers questions on methods for securing the most recent No Fly and Selectee lists, executing comparisons within required time frames, determining valid matches, and implementing required notification and reporting procedures. [74] The one air carrier in our review without an automated system reported requiring all passengers, regardless of whether they were a potential match, to check in at the ticket counter. To identify those passengers who should submit additional information for further comparison against the No Fly and Selectee lists at check-in, this air carrier reported having its employee in charge of watch-list matching make a written notation next to the name of all identified potential matches on a printed list of passengers with reservations. [75] In addition, to check potentially matched passenger information against the No Fly and Selectee lists, three air carriers reported that they had developed kiosks with capabilities to read electronic date of birth information from certain forms of identification that are machine readable. [76] After this point, the passenger generally experiences no further inconvenience due to watch-list matching. However, the passenger may be selected for enhanced checkpoint screening as a result of the Computer Assisted Passenger Prescreening System (CAPPS)--an electronic application that selects individuals for enhanced screening at the passenger checkpoint based on certain travel characteristics identified by TSA as indicating potential risk. [77] These individuals are required to check in at the ticket counter because the air carrier must confirm that the passenger is the cleared individual by comparing the passenger's legal identifying documentation with the TSA Cleared List. [78] Air carriers with frequent flier programs generally have the capability to collect a frequent flier number within the PNR; therefore, unlike date of birth information, frequent flier numbers are available to air carriers prior to a passenger's arrival at check-in and can be used to assist in the confirmation of a passenger's identity because of the presence of date of birth information in the passenger's frequent flier account. [79] Another air carrier reported requiring the ticket agent to make these notifications; the other five air carriers we interviewed did not discuss this aspect of the watch-list-matching process. [80] Two air carriers reported that (per the security directive requirement) they waited for local law enforcement officer confirmation before calling the FBI field office or TSA's Office of Intelligence. One air carrier reported that it could not answer the question; that is, having never identified an individual as a name and date of birth match to the No Fly List, the air carrier could not say what its actions would be. During our interviews, three air carriers did not discuss this aspect of the watch-list-matching process. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: