GAO-08-133T, Transportation Security: TSA Has Made Progress in Implementing the Transportation Worker Identification Credential Program, but Challenges Remain

This is the accessible text file for GAO report number GAO-08-133T entitled 'Transportation Security: TSA Has Made Progress in Implementing the Transportation Worker Identification Credential Program, but Challenges Remain' which was released on October 31, 2007.

This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.

United States Government Accountability Office:
GAO:

Testimony before the Committee on Homeland Security, House of
Representatives:

For Release on Delivery:
Expected at 10:00 a.m. EDT:
Wednesday, October 31, 2007:

Transportation Security:

TSA Has Made Progress in Implementing the Transportation Worker
Identification Credential Program, but Challenges Remain:

Statement of Cathleen A. Berrick:
Director:
Homeland Security and Justice Issues:

GAO-08-133T:

GAO Highlights:

Highlights of GAO-08-133T, a testimony to the Committee on Homeland Security, House of Representatives.

Why GAO Did This Study:

The Transportation Security Administration (TSA) is developing the Transportation Worker Identification Credential (TWIC) to help ensure that only workers who are not known to pose a terrorist threat are allowed to enter secure areas of the nation’s transportation facilities. This testimony is based primarily on GAO’s September 2006 report on the TWIC program, and interviews with TSA and maritime industry officials conducted in September and October 2007 to obtain updates on the TWIC program. Specifically, this testimony addresses (1) the progress TSA has made since September 2006 in implementing the TWIC program and addressing GAO recommendations; and (2) some of the remaining challenges that TSA and the maritime industry must overcome to ensure the successful implementation of the program.

What GAO Found:

Since GAO reported on TWIC in September 2006, TSA has made progress in implementing the program. Although GAO has not yet independently assessed the effectiveness of these efforts, TSA has taken actions to address legislative requirements to implement and test the program as well as address GAO’s recommendations related to conducting additional systems testing, strengthening contractor oversight, and improving coordination with stakeholders. Specifically, TSA has:

* issued a rule in January 2007 that sets forth the requirements for enrolling maritime workers in the TWIC program and issuing cards to these workers, and awarded a $70 million dollar contract to begin enrolling workers;
* reported conducting performance testing of the technologies that will be used to enroll workers in the TWIC program to ensure that they work effectively before implementation;
* begun planning a pilot program to test TWIC access control technologies at 5 maritime locations in accordance with the Security and Accountability for Every Port Act;
* begun enrolling workers and issuing TWIC cards at the port of Wilmington, Delaware on October 16, 2007, and plans to do so at 11 additional ports by November 2007;
* added additional staff with program and contract management expertise to help oversee the TWIC enrollment contract; and
* stated that they have taken actions to improve communication and coordination with maritime stakeholders.

As TSA moves forward with TWIC, it and maritime industry stakeholders will be faced with addressing the following key challenges that can affect the programs’ successful implementation.

* TSA and its contractor will need to transition from testing of the TWIC program to successful implementation of the program on a larger scale covering 770,000 workers at about 3,200 maritime facilities and 5,300 vessels.
* TSA and its contractor will need to educate workers on new TWIC requirements, ensure that enrollments begin in a timely manner, and efficiently process background checks, appeals, and waivers.
* TSA and industry stakeholders will need to ensure that TWIC access control technologies work effectively in the maritime environment, and balance new security requirements while facilitating maritime commerce.

What GAO Recommends:

GAO has previously recommended that TSA develop a comprehensive plan for managing the TWIC program, conduct additional testing of the TWIC program to help ensure that all key components work effectively, strengthen contract planning and oversight practices, and develop a plan for communicating and coordinating with stakeholders. TSA agreed with these recommendations and has initiated actions to address them.

To view the full product, including the scope and methodology, click on [hyperlink, http://www.GAO-08-133T]. For more information, contact Cathleen A. Berrick, (202) 512-3404 or berrickc@gao.gov.

[End of section]

Mr. Chairman and Members of the Committee:

Thank you for inviting me to participate in today's hearing on the
status of the Transportation Security Administration's (TSA)
Transportation Worker Identification Credential (TWIC) program.
Ensuring that only workers that do not pose a terrorist threat are
allowed access to secure areas of the nation's transportation
facilities is a key measure in securing the homeland. The TWIC program
was created to help protect these facilities from the threat of
terrorism by issuing identification cards only to workers who are not
known to pose a terrorist threat, and allow these workers unescorted
access to secure areas of the transportation system. To accomplish this
objective, the TWIC program will include the collection of personal and
biometric information to validate workers' identities, background
checks on transportation workers to ensure they do not pose a security
threat, issuance of tamper-resistant biometric credentials that cannot
be counterfeited, verification of these credentials using biometric
access control systems before a worker is granted unescorted access to
a secure area, and revocation of credentials if disqualifying
information is discovered, or if a card is lost, damaged, or stolen.
The TWIC program is ultimately intended to support all modes of
transportation, however, TSA, in partnership with the Coast Guard, is
focusing initial implementation in the maritime sector.

In December 2004, September 2006, and April 2007, we reported on the
status of the development and testing of the TWIC program.[Footnote 1]
Our 2004 report identified challenges that TSA faced in developing
regulations and a comprehensive plan for managing the program, as well
as several factors that caused TSA to miss initial deadlines for
issuing TWIC cards. In our September 2006 report, we identified the
challenges that TSA encountered during TWIC program testing, and
several problems related to contract planning and oversight. In August
2006, TSA decided that the TWIC program would be implemented in the
maritime sector using two separate rules. TSA issued the first rule in
January 2007 which requires worker enrollment and card issuance, and
plans to issue a proposed rule on access control technologies in 2008.
Since September 2006, Congress passed the Security and Accountability
for Every (SAFE) Port Act of 2006, which directed TSA, among other
things, to implement the TWIC program at the 10 highest risk ports by
July 1, 2007.[Footnote 2] In January 2007, TSA awarded a $70 million
contract to begin enrolling workers and issuing TWIC cards to workers
at these 10 ports.

My testimony today focuses on: (1) the progress TSA has made since
September 2006 in implementing the TWIC program and addressing GAO
recommendations, and (2) some of the remaining challenges that TSA and
the maritime industry must overcome to ensure the successful
implementation of the program. My comments are based primarily on our
September 2006 report on the TWIC program, which reflects work
conducted at TSA and the Coast Guard, as well as site visits to
transportation facilities that participated in testing the TWIC
program. In addition, in September and October 2007, we interviewed TSA
officials regarding the agency's efforts to implement the TWIC program
and our prior recommendations. We also interviewed officials at port
facilities in Wilmington, Delaware and Los Angeles, California, as well
as Maritime Exchange of the Delaware River and Bay officials, in
October 2007 to obtain their views on the TWIC program. We conducted
our work in accordance with generally accepted government auditing
standards.

Summary:

* issued a TWIC rule in January 2007 that sets forth the requirements
for enrolling maritime workers in the TWIC program and issuing cards to
these workers, and awarded a $70 million dollar contract in January
2007 to begin enrolling workers;

* reported conducting performance testing of the technologies that will
be used to enroll workers in the TWIC program to ensure that they work
effectively before implementation;

* begun planning a pilot program to test TWIC access control
technologies, such as biometric card readers, at 5 maritime locations
to address requirements of the SAFE Port Act;

* begun enrolling workers and issuing TWIC cards at the port of
Wilmington, Delaware on October 16, 2007, and plans to do so at 11
additional ports by November 2007;

* added staff with program and contract management expertise to help
oversee the TWIC enrollment contract, and developed additional controls
to help ensure that contract requirements are met; and:

* stated that they have taken actions to improve communication and
coordination with maritime stakeholders, including plans for conducting
public outreach and education efforts.

As TSA moves forward with TWIC, it will be important that it work with
maritime industry stakeholders to address the following key challenges
that can affect the programs' successful implementation.

* TSA and its enrollment contractor will need to transition from
testing of the TWIC program to successful implementation of the program
on a much larger scale covering 770,000 workers at about 3,200 maritime
facilities and 5,300 vessels. While TSA and the enrollment contractor
report conducting performance testing of the TWIC enrollment and card
issuance systems, it remains to be seen how these systems will perform
during full scale implementation.

* TSA and its enrollment contractor will need to educate workers on new
TWIC requirements, ensure that enrollments begin in a timely manner,
and effectively and efficiently process background checks, appeals, and
waivers.

* TSA and industry stakeholders will need to ensure that TWIC access
control technologies will work effectively in the maritime environment,
be compatible with TWIC cards that will be issued, ensure that
facilities and vessels can effectively and economically obtain
information on workers that may post a threat, and balance security
requirements while facilitating maritime commerce.

Background:

Securing transportation systems and facilities is complicated,
requiring balancing security to address potential threats while
facilitating the flow of people and goods. These systems and facilities
are critical components of the U.S. economy and are necessary for
supplying goods throughout the country and supporting international
commerce. U.S. transportation systems and facilities move over 30
million tons of freight and provide approximately 1.1 billion passenger
trips each day. The Ports of Los Angeles and Long Beach estimate that
they alone handle about 43 percent of the nation's oceangoing cargo.
The importance of these systems and facilities also makes them
attractive targets to terrorists. These systems and facilities are
vulnerable and difficult to secure given their size, easy
accessibility, large number of potential targets, and proximity to
urban areas. A terrorist attack on these systems and facilities could
cause a tremendous loss of life and disruption to our society. An
attack would also be costly. According to testimony by a Port of Los
Angeles official, a 2002 labor dispute which led to a 10-day shutdown
of West Coast port operations cost the nation's economy an estimated
$1.5 billion per day.[Footnote 3] A terrorist attack at a port facility
could have a similar or greater impact.

One potential security threat stems from those individuals who work in
secure areas of the nation's transportation system, including seaports,
airports, railroad terminals, mass transit stations, and other
transportation facilities. It is estimated that about 6 million
workers, including longshoreman, mechanics, aviation and railroad
employees, truck drivers, and others access secure areas of the
nation's estimated 4,000 transportation facilities each day while
performing their jobs. Some of these workers, such as truck drivers,
regularly access secure areas at multiple transportation facilities.
Ensuring that only workers who are not known to pose a terrorism
security risk are allowed unescorted access to secure areas is
important in helping to prevent an attack. According to TSA and
transportation industry stakeholders, many individuals that work in
secure areas are currently not required to undergo a background check
or a stringent identification process in order to access secure areas.
In addition, without a standard credential that is recognized across
modes of transportation and facilities, many workers must obtain
multiple credentials to access each transportation facility they enter,
which could result in the inconvenience and cost of obtaining duplicate
credentials.

TWIC Program History:

In the aftermath of the September 11, 2001, terrorist attacks, the
Aviation and Transportation Security Act (ATSA) was enacted in November
2001.[Footnote 4] Among other things, ATSA required TSA to work with
airport operators to strengthen access control points in secure areas
and consider using biometric access control systems to verify the
identity of individuals who seek to enter a secure airport area. In
response to ATSA, TSA established the TWIC program in December 2001 to
mitigate the threat of terrorists and other unauthorized persons from
accessing secure areas of the entire transportation network, by
creating a common identification credential that could be used by
workers in all modes of transportation.[Footnote 5] In November 2002,
the Maritime Transportation Security Act of 2002 (MTSA) was enacted and
required the Secretary of Homeland Security to issue a maritime worker
identification card that uses biometrics, such as fingerprints, to
control access to secure areas of seaports and vessels, among other
things.[Footnote 6] In October 2006, the SAFE Port Act was enacted and
required, among other things, the issuance of regulations to begin
implementing the TWIC program and issuing TWIC cards to workers at the
10 highest-risk ports by July 1, 2007, conduct a pilot program to test
TWIC access control technologies in the maritime environment, issue
regulations requiring TWIC card readers based on the findings of the
pilot, and periodically report to Congress on the status of the
program.

The responsibility for securing the nation's transportation system and
facilities is shared by federal, state, and local governments, as well
as the private sector. At the federal government level, TSA, the agency
responsible for the security of all modes of transportation, has taken
the lead in developing the TWIC program, while the Coast Guard is
responsible for developing maritime security regulations and ensuring
that maritime facilities and vessels are in compliance with these
regulations. As a result, TSA and the Coast Guard are working together
to implement TWIC in the maritime sector. Most seaports, airports, mass
transit stations, and other transportation systems and facilities in
the United States are owned and operated by state and local government
authorities and private companies. As a result, certain components of
the TWIC program, such as installing card readers, will be the
responsibility of these state and local governments and private
industry stakeholders.

TSA--through a private contractor--tested the TWIC program from August
2004 to June 2005 at 28 transportation facilities around the nation,
including 22 port facilities, 2 airports, 1 rail facility, 1 maritime
exchange, 1 truck stop, and a U.S. postal service facility. In August
2005, TSA and the testing contractor completed a report summarizing the
results of the TWIC testing. TSA also hired an independent contractor
to assess the performance of the TWIC testing contractor. Specifically,
the independent contractor conducted its assessment from March 2005 to
January 2006, and evaluated whether the testing contractor met the
requirements of the testing contract. The independent contractor issued
its final report on January 25, 2006.

Since its creation, the TWIC program has received about $103 million in
funding for program development. (See table 1.)

Table 1: TWIC Program Funding from Fiscal Years 2002 to 2007 (Dollars
in millions):

Fiscal Year: 2002.
Appropriated: 0;
Reprogramming: 0;
Adjustments: 0;
Total funding: 0.

Fiscal Year: 2003.
Appropriated: 5.0;
Reprogramming: 0;
Adjustments: 20;
Total funding: 25.0.

Fiscal Year: 2004.
Appropriated: 49.7;
Reprogramming: 0;
Adjustments: 0;
Total funding: 49.7.

Fiscal Year: 2005.
Appropriated: 5.0;
Reprogramming: 0;
Adjustments: 0;
Total funding: 5.0.

Fiscal Year: 2006.
Appropriated: 0;
Reprogramming: 15.0;
Adjustments: 0;
Total funding: 15.0.

Fiscal Year: 2007.
Appropriated: 0;
Reprogramming: 4.0;
Adjustments: 4.7;
Total funding: 8.7*.

Fiscal Year: Total.
Appropriated: 59.7;
Reprogramming: 19.0;
Adjustments: 24.7;
Total funding: 103.4.

Source: TSA.

*According to TSA, the agency has paid the enrollment contractor about
$8 million since January 2007. The remainder of the $70 million
enrollment contract will be paid in the future through user fees
collected from workers that enroll in the TWIC program.

Note: According to TSA, the agency received authority from both the
House and Senate Appropriations Committees to reallocate $20 million in
unassigned carryover funding to the TWIC program in Fiscal Year 2008.
TSA's fiscal year 2008 congressional justification includes $26.5
million in authority to collect fees from transportation workers for
TWIC cards.

[End of table]

Key Components of the TWIC Program:

The TWIC program is designed to enhance security using several key
components. These include:

* Enrollment: Transportation workers will be enrolled in the TWIC program at enrollment centers by providing personal information, such as a social security number and address, and will be photographed and
fingerprinted. For those workers who are unable to provide quality
fingerprints, TSA is to collect an alternate authentication identifier.

* Background checks: TSA will conduct background checks on each worker to ensure that individuals do not pose a security threat. These will
include several components. First, TSA will conduct a security threat
assessment that may include, for example, checks of terrorism databases
or watch lists, such as TSA's No-fly and selectee lists. Second, a
Federal Bureau of Investigation criminal history records check will be
conducted to identify if the worker has any disqualifying criminal
offenses. Third, workers' immigration status and mental capacity will
be checked. Workers will have the opportunity to appeal the results of
the threat assessment or request a waiver in certain limited
circumstances.

* TWIC card production: After TSA determines that a worker has passed the background check, the worker's information is provided to a federal
card production facility where the TWIC card will be personalized for
the worker, manufactured, and then sent back to the enrollment center.

* Card issuance: Transportation workers will be informed when their cards are ready to be picked up at enrollment centers. Once a card has been issued, workers will present their TWIC cards to security officials when they seek to enter a secure area, and in the future will enter secure areas through biometric card readers.

TSA Has Made Progress Since September 2006 in Implementing the TWIC
Program and Addressing GAO Recommendations:

Since we reported on the TWIC program in September 2006, TSA has made
progress in implementing the program. Although we have not yet
independently assessed the effectiveness of these efforts, TSA has
taken actions to address legislative requirements to implement and test
the program and our recommendations regarding conducting additional
systems testing to ensure that TWIC technologies work effectively,
strengthening contractor oversight, and improving communication and
coordination efforts with maritime stakeholders. In January 2007, TSA
and the Coast Guard issued a TWIC rule that sets forth the requirements
for enrolling workers and issuing TWIC cards to workers in the maritime
sector, and awarded a $70 million contract for enrolling workers in the
TWIC program. TSA missed the July 1, 2007, SAFE Port Act deadline to
implement the TWIC program at the 10 highest risk ports, citing the
need to conduct additional tests to ensure that the enrollment and card
issuance systems work effectively. However, TSA recently announced that
this testing is complete, and began enrolling and issuing TWIC cards to
workers at the port of Wilmington, Delaware on October 16, 2007. TSA
also plans to begin enrolling workers at 11 additional ports by
November 2007. In addition, TSA has also begun planning a pilot program
to test TWIC access control technologies in the maritime environment as
required by the SAFE Port Act.

TSA Issued a TWIC Rule and Awarded a Contract to Begin Enrolling
Workers and Issuing TWIC Cards:

On January 25, 2007, TSA and the Coast Guard issued a rule that sets
forth the regulatory requirements for enrolling workers and issuing
TWIC cards to workers in the maritime sector. Specifically, the TWIC
rule provides that workers and merchant mariners requiring unescorted
access to secure areas of maritime facilities and vessels must enroll
in the TWIC program, undergo a background check, and obtain a TWIC card
before such access is granted. In addition, the rule requires owners
and operators of maritime facilities and vessels to change their
existing access control procedures to ensure that merchant mariners and
any other individual seeking unescorted access to a secure area of a
facility or vessel has a TWIC. Table 2 describes the specific
requirements in the TWIC rule.

Table 2: Requirements in the TWIC Rule:

Requirement: Transportation workers;
Description of requirement: Individuals who require unescorted access to secure areas of maritime facilities and vessels, and all merchant mariners, must obtain a TWIC card before such access is granted.

Requirement: Fees;
Description of requirement: All workers applying for a TWIC card will pay a fee of $132.50 to cover the costs associated with the TWIC program. Workers that have already undergone a federal threat assessment comparable to the one required to obtain a TWIC will pay a reduced fee of $105.25. The replacement fee for a TWIC card will be $60.

Requirement: Access to secure areas of maritime facilities and vessels;
Description of requirement: By no later than September 25, 2008,
facilities and vessels currently regulated by the Maritime
Transportation Security Act must change their current access control
procedures to ensure that any individual or merchant mariner seeking
unescorted access to a secure area has a TWIC card.

Requirement: Newly hired workers and escorting procedures;
Description of requirement: Newly hired workers, who have applied for, but have not received their TWIC card, will be allowed access to secure areas for 30 days as long as they meet specified criteria, such as passing a TSA name-based background check, and only while accompanied by another employee with a TWIC card. Individuals that need to enter a secure area but do not have a TWIC card must be escorted at all times by individuals with a TWIC card.

Requirement: Background checks;
Description of requirement: All workers applying for a TWIC card must provide certain personal information and fingerprints to TSA so that they can conduct a security threat assessment, which includes a Federal Bureau of Investigation fingerprint-based criminal history records check, and an immigration status check. In order to receive a TWIC card, workers must not have been incarcerated or convicted of certain crimes within prescribed time periods, must have legal presence or authorization to work in the United States, must have no known connection to terrorist activity, and cannot have been found as lacking mental capacity or have been committed to a mental health facility.

Requirement: Appeals and waiver process;
Description of requirement: All TWIC applicants will have the opportunity to appeal a background check disqualification through TSA, or apply to TSA for a waiver, either during the application process or after being disqualified for certain crimes, mental incapacity, or if they are aliens in Temporary Protected Status. Applicants who apply for a waiver and are denied a TWIC card by TSA, or applicants who are disqualified based on connections to terrorism, may seek review by a Coast Guard administrative law judge.

Requirement: Access control systems;
Description of requirement: The Coast Guard will conduct unannounced checks to confirm the identity of TWIC card holders using hand-held biometric card readers to check the biometric on the TWIC card against the person presenting the card. In addition, security personnel will conduct visual inspections of the TWIC cards and look for signs of tampering or forgery when a worker enters a secure area.

Source: GAO analysis of TWIC rule and TSA information.

[End of table]

The TWIC rule does not include requirements for owners and operators of
maritime facilities and vessels to purchase and install TWIC access
control technologies, such as biometric TWIC card readers. As a result,
the TWIC card will initially serve as a visual identity badge until TSA
requires that access control technologies be installed to verify the
credentials when a worker enters a secure area. According to TSA,
during the program's initial implementation, workers will present their
TWIC cards to authorized security personnel, who will compare the
cardholder to his or her photo and inspect the card for signs of
tampering. In addition, the Coast Guard will verify TWIC cards when
conducting vessel and facility inspections and during spot checks using
hand-held biometric card readers to ensure that credentials are valid.
According to TSA, the requirements for TWIC access control technologies
will be set forth in a second proposed rule to be issued during 2008,
at which time TSA will solicit public comments and hold public
meetings.

Following the issuance of the TWIC rule in January 2007, TSA awarded a
$70 million contract to a private company to enroll the estimated
770,000 workers required to obtain a TWIC card. According to TSA
officials, the contract costs include $14 million for the operations
and maintenance of the TWIC identity management system that contains
information on workers enrolled in the TWIC program, $53 million for
the cost of enrolling workers, and $3 million designated to award the
enrollment contractor in the event of excellent performance.

TSA Attributes Missed Deadlines to the Need for Additional Testing and
Has Begun Planning a Pilot Program to Test TWIC Access Control
Technologies:

TSA did not meet the July 1, 2007 deadline in the SAFE Port Act to
implement the TWIC program at the 10 highest risk ports. According to
TSA officials, the deadline was not met because the agency and the TWIC
enrollment contractor needed to conduct additional tests of the
software and equipment that will be used to enroll and issue cards to
workers to ensure that they work effectively before implementation. In
our September 2006 report, we recommended that TSA conduct testing to
ensure that the TWIC program will be capable of efficiently enrolling
and issuing TWIC cards to large number of workers before proceeding
with implementation. TSA officials stated that such testing was needed
to ensure that these systems will work effectively when implemented and
will be able to handle the capacity of enrolling as many as 5,000
workers per day, conducting background checks on these workers in a
timely manner, and efficiently producing TWIC cards for each worker. In
October 2007, TSA announced that this testing was complete and began
enrolling and issuing TWIC cards to workers at the Port of Wilmington,
Delaware on October 16, 2007. TSA also plans to begin implementing TWIC
at 11 additional ports by November 2007. In addition, TSA and Port of
Wilmington officials stated that the enrollment contractor has already
successfully enrolled and issued TWIC cards to those individuals that
will be responsible for enrolling port workers as well as certain
federal employees, such as TSA and Coast Guard officials.

TSA has also begun planning a pilot to test TWIC access control
technologies, such as biometric card readers, in the maritime
environment as required by the SAFE Port Act. According to TSA, the
agency is partnering with the Port Authorities of Los Angeles, Long
Beach, Brownsville, and New York and New Jersey, in addition to
Watermark Cruises in Annapolis, Maryland, to test the TWIC access
control technologies in the maritime environment and is still seeking
additional participants. TSA's objective is to include pilot test
participants that are representative of a variety of facilities and
vessels in different geographic locations and environmental conditions.
TSA officials stated that pilot participants will be responsible for
paying for the costs of the pilot and will likely use federal port
security grant funds for this purpose. According to TSA officials, the
agency plans to begin the pilot in conjunction with the issuance of
TWIC cards so the access control technologies can be tested with the
cards that are issued to workers. In addition, in September 2007, TSA
published the TWIC card reader specifications, which outline the
requirements for biometric TWIC card readers that will be used by
maritime locations participating in pilot testing. These specifications
will enable these maritime locations to begin purchasing and installing
card readers in preparation for testing. TSA officials stated that the
results of the pilot program will help the agency issue future
regulations that will require the installation of access control
systems necessary to read the TWIC cards.

TSA Has Taken Steps to Strengthen Contract Planning and Oversight and
Better Coordinate with Maritime Industry Stakeholders:

Since we issued our report in September 2006, TSA has taken several
steps designed to strengthen contract planning and oversight, although
we have not yet independently assessed the effectiveness of these
efforts. We previously reported in September 2006 that TSA experienced
problems in planning for and overseeing the contract to test the TWIC
program, which contributed to a doubling of TWIC testing contract costs
and a failure to test all key components of the TWIC program. We
recommended that TSA strengthen contract planning and oversight before
awarding a contract to implement the TWIC program. TSA acknowledged
these problems and has taken steps to address our recommendations.
Specifically, TSA has taken the following steps designed to strengthen
contract planning and oversight:

* Added staff with expertise in technology, acquisitions, and contract
and program management to the TWIC program office.

* Established a TWIC program control office to help oversee contract
deliverables and performance.

* Established monthly performance management reviews and periodic site
visits to TWIC enrollment centers to verify performance data reported
by the contractor.

* Required the enrollment contactor to survey customer satisfaction as
part of contract performance.

In addition to these steps, TSA established a TWIC quality assurance
surveillance plan that is designed to allow TSA to track the enrollment
contractor's performance in comparison to acceptable quality levels.
This plan is designed to provide financial incentives for exceeding
these quality levels and disincentives, or penalties, if they are not
met. According to the plan, the contractor's performance will be
measured against established milestones and performance metrics that
the contractor must meet for customer satisfaction, enrollment time,
number of failures to enroll, and TWIC help desk response times, among
others. TSA plans to monitor the contractor's performance through
monthly performance reviews and by verifying information on performance
metrics provided by the contractor. In addition, TSA officials stated
that they have hired an independent contractor to help provide
oversight of the enrollment contract and ensure that the enrollment
contractor fulfills contract requirements and achieves established
performance metrics.

In addition to contract planning and oversight, TSA has also taken
steps to address our previous recommendations regarding improving
communication and coordination with maritime stakeholders. We
previously reported that stakeholders at all 15 TWIC testing locations
that we visited cited poor communication and coordination by TSA during
testing of the TWIC program. For example, according to stakeholders,
TSA never provided the final results or report on TWIC testing to
stakeholders that participated in the test. Some stakeholders also
stated that communication from TSA would stop for months at a time
during testing. We recommended that TSA closely coordinate with
maritime industry stakeholders and establish a communication and
coordination plan to capture and address the concerns of stakeholders
during implementation. TSA acknowledged that the agency could have
better communicated with stakeholders at TWIC testing locations and has
reported taking several steps to strengthen communication and
coordination since September 2006. For example, TSA officials told us
that the agency developed a TWIC communication strategy and plan that
describes how the agency will communicate with the owners and operators
of maritime facilities and vessels, TWIC applicants, unions, industry
associations, Coast Guard Captains of the Port, and other interested
parties. In addition, TSA required that the enrollment contractor
establish a plan for communicating with stakeholders.

TSA, the Coast Guard, and the enrollment contractor have taken
additional steps designed to ensure needed coordination and
communication with the maritime industry. These steps include:

* posting frequently asked questions on the TSA and Coast Guard Web-
sites;

* participating in maritime stakeholder conferences and briefings;

* working with Coast Guard Captains of the Ports and the National
Maritime Security Advisory Committee to communicate with local
stakeholders;

* conducting outreach with maritime facility operators and port
authorities, including informational bulletins and fliers; and:

* creating a TWIC stakeholder communication committee chaired by TSA, the
Coast Guard, and enrollment contractor, with members from 15 maritime
industry stakeholder groups. According to TSA, this committee will meet
twice per month during the TWIC implementation.

Stakeholders from the Ports of Wilmington, Delaware; Los Angeles,
California; and the Maritime Exchange of the Delaware River and Bay
with whom we spoke in October 2007 stated that TSA and its enrollment
contractor have placed a greater emphasis on communicating and
coordinating with stakeholders and on correcting past problems. For
example, an official from the Port of Wilmington stated that, thus far,
communication, coordination, and outreach by TSA and its enrollment
contractor have been excellent, and far better than during TWIC
testing. In addition, TSA reported that the TWIC enrollment contactor
has hired a separate subcontractor to conduct a public outreach
campaign to inform and educate the maritime industry and individuals
that will be required to obtain a TWIC card about the program. Port of
Wilmington officials stated that the subcontractor is developing a list
of trucking companies that deliver to the port so that information on
the TWIC enrollment requirements can be mailed to truck drivers.

TSA and Industry Stakeholders Will Need to Address Challenges to Ensure
the TWIC Program Is Implemented Successfully:

As we reported in September 2006 and April 2007, TSA and maritime
industry stakeholders will need to address several challenges to help
ensure that the TWIC program will be implemented successfully. As we
reported in September 2006, TSA and its enrollment contractor must
transition from testing of the TWIC program to successful
implementation of the program on a much larger scale covering 770,000
workers at about 3,200 maritime facilities and 5,300 vessels. While TSA
and the enrollment contractor report conducting performance testing of
the TWIC enrollment and card issuance systems, it remains to be seen
how these systems will perform as TSA begins enrolling large numbers of
workers at ports nationwide. In addition, maritime stakeholders with
whom we spoke in September and October 2007 identified the need for TSA
and its enrollment contractor to educate workers on the new TWIC
requirements, ensure that the contractor conducts enrollments in a
timely manner, and process numerous background checks, appeals, and
waiver applications. Furthermore, TSA and industry stakeholders will
need to ensure that TWIC access control technologies work effectively
in the maritime environment, will be compatible with TWIC cards that
will be issued soon, and balance security requirements while
facilitating maritime commerce. As a result, it will be important that
TSA's TWIC access control technology pilot comprehensively test the
TWIC program in an operational environment to ensure that it works
effectively with the least negative impact on maritime commerce.

TSA and Its Contractor Will Have to Enroll and Issue TWIC Cards to
Large Populations of Workers at Numerous Port Facilities and Vessels:

In September 2006, we reported that TSA faced the challenge of
enrolling and issuing TWIC cards to a significantly larger population
of workers in a timely manner than was done during testing of the TWIC
program. In testing the TWIC program, TSA enrolled and issued TWIC
cards to only about 1,700 workers at 19 facilities, well short of its
goal of 75,000. According to TSA and the testing contractor, the lack
of volunteers to enroll in the TWIC program testing and technical
difficulties in enrolling workers, such as difficulty in obtaining
workers' fingerprints to conduct background checks, led to fewer
enrollments than expected. TSA reports that it used the testing
experience to make improvements to the enrollment and card issuance
process and has taken steps to address the challenges that we
previously identified. For example, TSA officials stated that the
agency will use a faster and easier method of collecting fingerprints
than was used during testing, and will enroll workers individually
during implementation, as opposed to enrolling in large groups as was
done during testing. In addition, the TWIC enrollment contract
Statement of Work required the contractor to develop an enrollment test
and evaluation program to ensure that enrollment systems function as
required under the contract. As previously stated, TSA officials
reported that the enrollment contractor and the agency have conducted
performance testing of the TWIC enrollment systems to ensure that they
work effectively and are able to handle the full capacity of
enrollments during implementation. In September 2006, we also reported
that TSA will need to ensure that workers are not providing false
information and counterfeit identification documents when they enroll
in the TWIC program. According to TSA, the TWIC enrollment process to
be used during implementation will use document scanning and
verification software to help determine if identification documents are
fraudulent, and personnel responsible for enrolling workers will be
trained to identify fraudulent documents.

In March and April 2007, and again in October 2007, we spoke with some
maritime stakeholders that participated in TWIC testing and that will
be involved in the initial implementation of the program to discuss
their views on the enrollment and issuance of TWIC cards to workers.
These stakeholders expressed concerns related to the following issues:

Educating workers: TSA and its enrollment contractor will need to
identify all workers that are required to obtain a TWIC card, educate
them about how to enroll and receive a TWIC card, and ensure that they
enroll and receive a TWIC card by the deadlines to be established by
TSA and the Coast Guard. For example, while longshoremen who work at a
port every day may be aware of the new TWIC requirements, truck divers
that deliver to the port may be located in different states or
countries, and may not be aware of the requirements.

Timely enrollments: Maritime stakeholders expressed concern about the
ability of the enrollment contactor to enroll workers at his port in a
timely manner. For example, at this port, the enrollment contactor has
not yet begun to lease space to install enrollment centers--which at
this port could be a difficult and time-consuming task due to the
shortage of space. Stakeholders with whom we spoke also suggested that
until TSA establishes a deadline for when TWIC cards will be required
at ports, workers will likely procrastinate in enrolling, which could
make it difficult for the contractor to enroll large populations of
workers in a timely manner.

Background checks: Some maritime organizations are concerned that many
of their workers will be disqualified from receiving a TWIC card by the
background check. These stakeholders emphasized the importance of TSA
establishing a process to ensure timely appeals and waivers processes
for the potentially large population of workers that do not pass the
check. According to TSA, the agency has already established processes
for conducting background checks, appeals, and waivers for other
background checks of transportation workers. In addition, TSA officials
stated that the agency has established agreements with the Coast Guard
to use their administrative law judges for appeal and waiver cases, and
plans to use these processes for the TWIC background check.

TSA and Industry Stakeholders Must Ensure That TWIC Access Control
Technologies Work Effectively and Balance Security with the Flow of
Maritime Commerce:

In our September 2006 report, we noted that TSA and maritime industry
stakeholders faced significant challenges in ensuring that TWIC access
control technologies, such as biometric card readers, work effectively
in the maritime sector. Few facilities that participated in TWIC
testing used biometric card readers that will be required to read the
TWIC cards in the future. As a result, TSA obtained limited information
on the operational effectiveness of biometric card readers,
particularly when individuals use these readers outdoors in the harsh
maritime environment, where they can be affected by dirt, salt, wind,
and rain. In addition, TSA did not test the use of biometric card
readers on vessels, although they will be required on vessels in the
future. Also, industry stakeholders with whom we spoke were concerned
about the costs of implementing and operating TWIC access control
systems, linking card readers to their local access control systems,
obtaining information from TSA on workers who may pose a threat to
security, how biometric card readers would be implemented and used on
vessels, and how these vessels would obtain information on workers that
may post a threat. For example, in October 2007, we spoke with maritime
industry officials from the Port of Wilmington and the Maritime
Exchange of the Delaware River and Bay regarding the process for
obtaining information from TSA on workers that may pose a threat to
security. TSA plans to provide a secure Web site, whereby port
officials can log in and obtain the most recent list of workers
enrolled in the TWIC program that have been subsequently identified as
a threat to security. Maritime industry officials stated that it was
not clear how often they will have to access this Web site and whether
the list provided by TSA could be efficiently compared to workers with
access to secure areas of the port facility or vessel to ensure that
none of these workers are granted access to secure areas. Instead, port
officials will have to manually compare the list of workers to those at
the port or provide the list to security guards to check each worker as
they enter secure areas of the port facility or vessel--a labor
intensive and potentially costly process. Maritime officials stated
that TSA should clarify these requirements and develop a process to
allow port facilities and vessels to regularly update their access
control systems, in an automated fashion, with lists of workers that
may pose a threat in the second rule pertaining to TWIC access control
technologies.

Because of comments regarding TWIC access control technologies that TSA
received from maritime industry stakeholders on the TWIC proposed rule,
TSA decided to exclude all access control requirements from the TWIC
rule issued in January 2007. Instead, TSA plans to issue a second
proposed rule pertaining to access control requirements some time
during 2008, which should allow more time for maritime stakeholders to
comment on the technology requirements and TSA to address these
comments.

In September 2006, we reported that TSA and industry stakeholders will
need to consider the security benefits of the TWIC program and the
impact the program could have on maritime commerce. If implemented
effectively, the security benefits of the TWIC program in preventing a
terrorist attack could save lives and avoid a costly disruption in
maritime commerce. Alternatively, if key components of the TWIC
program, such as biometric card readers, do not work effectively, they
could slow the daily flow of commerce. For example, if workers or truck
drivers have problems with their fingerprint verifications on biometric
card readers, they could create long queues delaying other workers or
trucks waiting in line to enter secure areas. Such delays could be very
costly in terms of time and money to maritime facilities. Some
stakeholders we spoke to also expressed concern with applying TWIC
access control requirements to small facilities and vessels. For
example, smaller vessels could have crews of less than 10 persons, and
checking TWIC cards each time a person enters a secure area may not be
necessary. TSA acknowledged the potential impact that the TWIC program
could have on the flow of commerce, and stated that it plans to obtain
additional public comments on this issue from industry stakeholders in
the second rulemaking on access control technologies.

In our September 2006 report, we recommended that TSA conduct
additional testing to ensure that TWIC access control technologies work
effectively and that the TWIC program balances the security benefits of
the program with the impact that it could have on the flow of maritime
commerce. As required by the SAFE Port act, TSA plans to conduct a
pilot program to test TWIC access control technologies in the maritime
environment. According to TSA, the pilot will test the performance of
biometric card readers at various maritime facilities and on vessels,
as well as the impact that these access control systems have on
facilities and vessel business operations. TSA plans to use the results
of this pilot to develop the requirements and procedures for
implementing and using TWIC access control technologies in the second
rulemaking. The SAFE Port Act requires TSA to issue a final rule
containing the requirements for installing and using TWIC access
control technologies no later than two years after the initiation of
the pilot.

Concluding Observations:

Preventing unauthorized persons from entering secure areas of the
nation's ports and other transportation facilities is a key component
of securing the homeland. The TWIC program was initiated in December
2001 to mitigate the threat of terrorists accessing secure areas. Since
we reported on this program in September 2006, TSA has made progress
towards implementing the program, including issuing a TWIC rule, taking
steps to implement requirements of the SAFE Port Act, awarding a
contract to enroll workers in the program, and beginning to enroll
workers in the TWIC program. TSA has also taken actions to address
legislative requirements to implement and test the program and our
previous recommendations to improve the TWIC program regarding
conducting additional testing, strengthening contractor oversight, and
improving communication and coordination with maritime stakeholders.
While the additional testing that TSA reports conducting and the
actions it has taken should help address the problems that we have
previously identified, the effectiveness of these efforts will not be
clear until the program further matures. In addition, TSA and its
contractor must enroll about 770,000 persons at about 3,200 facilities
in the TWIC program. As a result, it is important that TSA and the
enrollment contractor effectively communicate and coordinate to help
ensure that all individuals and organizations affected by the TWIC
program are aware of their responsibilities. Finally, it will be
critical that TSA ensures that the TWIC access control technology pilot
fully tests the TWIC program in an operational maritime environment and
the results be used to help ensure a successful implementation of these
technologies in the future.

Mr. Chairman, this concludes my statement. I would be pleased to answer
any questions that you or other members of the committee may have at
this time.

Contact Information:

For further information on this testimony, please contact Cathleen A.
Berrick at (202) 512-3404 or at berrickc@gao.gov. Individuals making
key contributions to this testimony include John Hansen, Chris Currie,
and Geoff Hamilton.

[End of section]

(440666):

Footnotes:

[1] GAO, Port Security: Better Planning Needed to Develop and Operate
Maritime Worker Identification Card Program, GAO-05-106 (Washington,
D.C.: December 2004), GAO, Transportation Security: DHS Should Address
Key Challenges before Implementing the Transportation Worker
Identification Credential Program, GAO-06-982 (Washington, D.C.:
September 2006), and GAO, Transportation Security: TSA has made
progress in implementing the Transportation Worker Identification
Credential, but Challenges Remain, GAO-07-681T (Washington, D.C.: April
12, 2007).

[2] Pub. L. No.109-347,120 Stat.1884,1889 (2006).

[3] Testimony of the Director of Homeland Security, Port of Los
Angeles, before the United States Senate Committee on Commerce,
Science, and Transportation, May 16, 2006.

[4] Pub. L. No. 107-71, 115 Stat. 597 (2001).

[5] TSA was transferred from the Department of Transportation to the
Department of Homeland Security pursuant to requirements in the
Homeland Security Act of 2002 (Pub. L. No. 107-296, 116 Stat. 2135
(2002).

[6] Pub. L. No. 107-295, 116 Stat. 2064 (2002).

[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday,
GAO posts newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to [hyperlink, http://www.gao.gov] and select "Subscribe to Updates."

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:

U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:

To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:

Congressional Relations:

Gloria Jarmon, Managing Director, JarmonG@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:

Public Affairs:

Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: