On May 10, 2011, the Government Accountability Office issued GAO-11-657, Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives. This is an important report for owners and operators of regulated facilities and vessels to consider.
To boil it down to essentials, the report addresses the vexing question, does the TWIC program do what it is supposed to do, does it produce reasonable assurance that unescorted access to secure areas of MTSA-regulated facilities and vessels is limited to qualified individuals? To come to an answer, GAO studies the TWIC program from from November 2009 through March 2011 and used the following data and procedures to come to their conclusions:
- · reviewed applicable laws, regulations, and policies.
- · reviewed documentation provided by TSA on the TWIC program systems and processes, such as the TWIC User Manual for Trusted Agents, Statement of Objectives, and Concept of Operations.
- · reviewed the processes and data sources with TWIC program management from TSA and Lockheed Martin (the contractor responsible for implementing the program).
- ·met with (1) the Director of Vetting Operations at TSA’s Colorado Springs Operations Center (CSOC), where background checks for links to terrorism and continual vetting of TWIC holders is to take place;
- met with the Operations Manager for the Adjudication Center, where secondary background checks are to be conducted for applicants with identified criminal or immigration issues;
- met with the Director at DHS’s Screening Coordination Office responsible for overseeing credentialing programs across DHS.
- met with the Criminal Justice Information Services Division at the Federal Bureau of Investigation (FBI) to discuss criminal vetting processes and policies
- evaluated the processes against the TWIC program’s mission needs and Standards for Internal Control in the Federal Government.
- visited four TWIC enrollment and activation centers located in areas with high population density and near ports participating in the TWIC pilot to observe how TWIC enrollments are conducted.
- had GAO investigators conduct covert testing at enrollment center(s) operating at the time to identify whether individuals providing fraudulent information could acquire an authentic TWIC.
- visited or met with officials at each of the seven original pilot sites being used to test TWIC card readers, interviewed port security officials at two additional ports responsible for implementing TWIC at their port, and met with nine maritime or transportation industry associations to obtain information on (1) the use of TWIC as a flashpass and with biometric readers where they are in use, (2) experiences with TWIC card performance, and (3) any suspected or reported cases of TWIC card fraud.
- met with TWIC program officials from TSA and the Coast Guard, as well as Coast Guard officials responsible for assessing maritime security risk, and reviewed related documents, to identify how TWIC is to enhance maritime security.
- met with Coast Guard TWIC program officials, data management staff, and Coast Guard officials stationed at four port areas across the United States with enforcement responsibilities to assess the agency’s approach to enforcing compliance with TWIC regulations and measuring program effectiveness.
- reviewed the type and substance of management information available to the Coast Guard for assessing compliance with TWIC.
- evaluated the Coast Guard’s practices against TWIC program mission needs and Standards for Internal Control in the Federal Government. (pp. 4-7.)
GAO notes that the information they gained at the port visits cannot be generalized across the system as a whole but that “the ports we visited accounted for 56 percent of maritime container trade in the United States, and the ports our investigators visited as part of our covert testing efforts accounted for 54 percent of maritime container trade in the United States in 2009.” p.6.
Within the broad regulatory requirement of the provision of a common credential for all transportation workers across the United States who require unescorted access to secure areas at MTSA-regulated maritime facilities and vessels, the TWIC program also seeks to:
1. Positively identify authorized individuals who require unescorted access to secure areas of the nation’s transportation system.
2. Determine the eligibility of individuals to be authorized unescorted access to secure areas of the transportation system by conducting a security threat assessment.
3. Ensure that unauthorized individuals are not able to defeat or otherwise compromise the access system in order to be granted permissions that have been assigned to an authorized individual.
4. Identify individuals who fail to maintain their eligibility requirements subsequent to being permitted unescorted access to secure areas of the nation’s transportation system and immediately revoke the individual’s permissions. (p.9.)
According to the GAO, how well is the program meeting these goals? The agency identified the following major weaknesses:
- Internal controls in the enrollment and background checking processes are not designed to provide reasonable assurance that (1) only qualified individuals can acquire TWICs; (2) adjudicators follow a process with clear criteria for applying discretionary authority when applicants are found to have extensive criminal convictions; or (3) once issued a TWIC, TWIC holders have maintained their eligibility. An example of this weakness is the admission by TSA that if a worker obtains a valid TWIC by fraudulent means, that person is deemed not to be a security threat to the maritime environment because a holder of a valid TWIC is presumed to have met TWIC-related qualifications during a background check. The report contains the following startling statement: “TWIC program officials told us that control weaknesses were not addressed prior to initiating the TWIC program because they had not previously identified them, or because they would be too costly to address. “ p.17. GAO investigators went to TWIC enrollment centers, declared themselves US citizens who needed a TWIC, passed the process, and received their cards. During this enrollment, the GAO investigators provided counterfeit or fraudulently acquired documents, but they were not detected. The trusted agents performing the enrollment are given rudimentary training in detecting fraudulent documents. Proof of citizenship is also an issue. As of December 1, 2010, nearly 86 percent of approved TWIC enrollments were by self-identified United States citizens or nationals asserting that they were born in the United States or a United States territory. p. 19. The TWIC program does not require that applicants claiming to be U.S.-born citizens or nationals provide identity documents that demonstrate proof of citizenship, or lawful status in the United States. p.19 49 CFR require the applicant to disclose the reason that he needs the card, and the locations where it will be used, but this provision is not enforced in the enrollment process. There is no way to tell if persons being issued TWICS really need them.
- “In determining whether an applicant poses a security threat, TSA officials stated that adjudicators have the discretion to consider the totality of an individual’s criminal record, including criminal offenses not defined as a permanent or interim disqualifying criminal offenses, such as theft or larceny…TSA may determine that an applicant poses a security threat if the search conducted reveals extensive foreign or domestic criminal convictions.” p.24-25. TSA has not developed guidance for adjudicators to apply consistently across the system when dealing with the totality of an individual’s criminal record. This is especially important when viewed in the light of the fact, that, at the time of enrollment, approximately 27 percent of individuals approved for a TWIC had a criminal record based on results obtained from the FBI. p.25. Difficult as it is to believe, out of the universe of 460,786 applications with criminal records, 1 application was denied because of an offense not designed as a permanent or interim offense. p.26.
- In order to determine if a cardholder has committed a prohibited offense after obtaining a TWIC, TSA conducts name-based checks against federal wants and warrants. TSA is unable to run a more accurate fingerprint-based FBI check if the prints are more than a year old because the FBI would charge TSA $17.25 per check. p.. 27. GAO states that TSA has not explored other less costly means of verification, such as tapping into means already available to maritime stakeholders.
- If a person obtains a TWIC card on the strength of a visa that is about to expire, TSA does not require that person to show proof that they have legal status in the U. S.
- GAO investigators used counterfeit TWIC’s, valid TWIC’s acquired through fraudulent means, and fraudulent reasons for needing unescorted access to access secure areas of MTSA facilities. In cases where a secondary port identity card was needed, they were not able to obtain unescorted access. P. 30.
- GAO states that “DHS has not demonstrated that TWIC, as currently implemented and planned with readers, is more effective than prior approaches used to limit access to ports and facilities, such as using facility specific identity credentials with business cases.“ p.32. GAO suggests that DHS conduct a risk-informed cost-benefit analysis as part of the regulatory analysis required by the next rulemaking on TWIC. The Coast Guard also needs to revise its MISLE data collection system in order to “identify and assess TWIC-related compliance and enforcement trends, and to obtain management information needed to assess and understand existing vulnerabilities with the use of TWIC.” P.38.
Overall, this is a discouraging review of a program that many good people have worked long and hard to implement. It is worth reading in its entirety, both for the wealth of details about the TWIC program as well as for the bad news bombs delivered on nearly every page.