Friday, January 18, 2019
Tuesday, January 15, 2019
A Summary of Department of Homeland Security Office of Inspector General (OIG) Report OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278
Please note: The opinions in this post are solely the author’s and do not reflect the opinion of the University of Findlay or anyone’s opinion but the author’s.
On Dec. 14, 2018 the Department of Homeland Security Office of Inspector General (OIG) published OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278, Transportation Security Card Program Assessment. This audit was performed to determine DHS’ and TSA’s conformity with the public law’s requirements. P.L. 114-278 required the two agencies to undertake actions to improve the TWIC vetting process, and to conduct an overall assessment of the TWIC program effectiveness. The words “audit” and “report” are used interchangeably and designate the findings related in 19-16.
The law has four sections:
(a) Credential Improvements
(b) Comprehensive Security Assessment of the Transportation Security Card Program
(c) Corrective Action Plan; Program Reforms
(d) Inspector General Review
Actions that TSA were required to undertake to improve the vetting process/credential improvements (section a) include a risk analysis of the TWIC security threat assessment; implementing additional internal controls and best practices; improving fraud detection techniques; updating the guidance provided to Trusted Agents (TAs) regarding the vetting process and related regulations; finalizing a manual for Trusted Agents and adjudicators on the vetting process, and establishing quality controls for consistency in adjudication decisions.
The overall effectiveness review (section b) includes an evaluation of both the credentialing and the renewal process. It also includes a detailed analysis of the security value of the program, by evaluating the extent to which the program addresses security risks in the maritime environment; by evaluating the possibility of non-biometric credential alternatives; by identifying the technology, business process, and operational impacts of the use of the TWIC card and readers; by assessing the costs and benefits of the program; and evaluating the extent to which DHS has addressed the deficiencies in the Program identified by the Government Accountability Office (GAO) and the OIG before the date of enactment of the law. The risk analysis of the security threat assessment and the overall effectiveness review were awarded the Homeland Security Operational Analysis Center (HSOAC), operated by the RAND Corporation.
The assessment mandated under the law was to have begun in February 2017 and be completed in a year, with the results submitted to Congress in April 2018.
Two months after the date on which the assessment was completed, DHS was supposed to submit to Congress a corrective action plan addressing any deficiencies. The law required the DHS OIG to evaluate TSA’s implementation of the actions required by the law and submit a report to Congress no later than December 16, 2018. Please note: a complete text of P.L. 114-278 is included in this post under footnote 1.
The OIG’s report 19-16 evaluates DHS’ compliance with the requirements of P.L. 144-278. The report contains some very alarming (and sometimes hard to believe) language. Persons who are affected by the TWIC program should read the entire report. Below are highlights.
There were six actions that TSA was required to perform to improve the vetting process, (a)(2) A – F. Although the OIG describes TSA as partly complying with A and B ad complying with C – E, the report also states “We were not able to fully address Congress’ requirement to evaluate TSA’s implementation of the required actions identified in the public law because TSA is still in the process of implementing elements of the required actions in the TWIC program. However, we have concerns with aspects of TSA’s responses to all of the required actions.” The report then describes TSA’s compliance by each individual required action.
In action B, implementing additional internal controls, the report states “Until TSA addresses all 19 recommendations, it may be overlooking vulnerabilities in the STA [security threat assessment] process and opportunities to improve the TWIC program. This may result in individuals obtaining TWIC cards who may pose a security risk to our Nation’s maritime facilities and vessels.” The language under Action C, improve fraud detection techniques, is especially troubling. There is a subset of recommendations under this required action. Under improving fraud detection techniques by establishing benchmarks and a process for electronic document verification, TSA implemented the birth verification service as one of the fraud detection techniques; however, TSA uses it in a “limited capacity.” Under the requirement that Trusted Agents (TA) receive annual training in fraud detection, the OIG “was provided a copy of the contract for enrollment services that requires annual training to enhance the knowledge of TAs in identifying potentially fraudulent identity documents.” A copy of a contract does not verify that training is being performed; it merely indicates that someone has drawn up a contract and that someone else has signed it. (Throughout this document, there is language that indicates that OIG conducted this audit by high-level interviews and limited (if any) auditing in the field. There is nothing in the methodology that indicates that the OIG went into the field to confirm the HSOAC findings.)
The final comment on fraud detection needs to be reproduced in its entirety:
Lastly, TSA also complied with the requirement to review relevant security threat information provided by the TAs. According to TSA, if TAs suspect a fraudulent document, they note their concerns in the system for TSA’s Program Management Office to review. Even though TAs may include comments about potential fraudulent documents, the application process continues. If, following a review of the TA comments, TSA confirms that fraudulent documents were used, it can take one of four actions depending on the status of the applicant’s adjudication: stop the enrollment, stop the credential’s production, pull the credential from the Enrollment Center card batch, or cancel the TWIC card after production.
This seems to indicate that no matter how sloppily fraudulent the document offered up by an enrollee to obtain a credential, the enrollment process must go on.
In reviewing Action E, finalize a manual for trusted agents and adjudicators, the audit states, “We still found the manual disorganized and some guidance was duplicative, contradictory, and outdated. A disorganized training manual with outdated policies, procedures, and guidance may hinder adjudicators’ ability to make appropriate, timely, and consistent decisions.”
In reviewing Action F, establish quality controls to ensure consistent procedures to review adjudication decisions and terrorism vetting decisions, the OIG stated,
Although TSA has QA SOPs [quality assurance standard operating procedures] for both adjudication decisions and terrorism vetting decisions, we could not test to verify whether TSA consistently applied these quality assurance procedures in its reviews. We found the QA SOPs did not contain sufficient details on all procedures, such as a random sampling methodology for adjudication cases… Without consistent procedures and quality controls in QA reviews, TSA may be missing errors made by the adjudicators and terrorism vetting analysts. As a result, TSA may inadvertently issue TWIC cards to individuals who might pose security risks to our maritime transportation sector.
TSA was a year late submitting the required report on the overall effectiveness of the program required in section (b) of the law. The reason for this delay: DHS “experienced challenges identifying an office responsible for the effort.” The assessment’s estimated completion date is April 27, 2019.  Per the law, if the results of this assessment indicate deficiencies, a corrective action plan needs to be implemented, but DHS has not designated a point of contact to oversee preparation of this plan.
Discussion. I approach any document related to the TWIC program from the perspective of a supporter of the program and of a security services provider and Facility Security Officer for smaller facilities. Before TWIC, we did not have a nationwide check, albeit a snapshot at the time of enrollment, of the background of persons being granted unescorted access to secure areas of regulated facilities and vessels. Larger ports and facilities have a much wider array of tools in their toolkit to provide personnel security. Many smaller facilities use the credential as a key layer of defense, especially for threats involving non-employees.
So, as a supporter of the program, I am disturbed that the OIG described the training manual for TAs as containing material that is contradictory and outdated. I am disturbed by the possibility that DHS and TSA seem to have difficulty designating a person responsible for the corrective action plan mandated by the law. And I was very disturbed by the language stating that individuals who may pose a risk to the nation’s marine terminals and vessels are being granted credentials because of the identified shortcomings of the program; this language appears in several places in the document.
I am also disturbed by the apparent lack of consequences for the problems identified in this document. Because it contains no recommendations, DHS and TSA did not provide any responses. DHS did not award a work order for the assessment for more than a year after the deadline. As an FSO, if I am late for many regulatory requirements – drills, exercises, security inspections, annual Facility Security Plan (FSP) audits, TWIC renewals, five-year FSP approvals, to name just a few – there are immediate and unpleasant consequences from the regulators. The FSP language must be clear and concise – if it is contradictory or outdated, as the OIG found the TSA manuals to be, the USCG petty officers will let me know. Regulatory agencies like TSA and the wider DHS, however, seem to be held to a different, sloppier standard.
The problems identified in the OIG report are described as having the capability of allowing individuals to obtain TWIC cards who may pose a security risk to our Nation’s maritime facilities and vessels. That’s the bad news. The good news is that P.L. 114-278 is in place to provide fixes/improvements for the TWIC program, and contains the oversight provision that generated OIG 19-16. TSA is required to perform actions immediately to improve the program (section a), and the OIG looks over their shoulder to report compliance. The RAND corporation is reporting on the security effectiveness of the program required in section b. (DHS will eventually overcome their challenges in identifying who is responsible for what.) Section c requires a corrective action plan, which the OIG will also review. The mission of the OIG is to “provide independent oversight and promote excellence, integrity, and accountability within DHS.” Sometimes accountability is achieved by revealing unpleasant truths, as OIG 19-16 does.
As a final thought, some other wider issues need to be considered when reflecting on the problems raised by the OIG report. TSA has a major role in the TWIC program but the agency’s main focus is on the aviation sector. Personnel distribution within the agency confirms this. More than 43,000 transportation security officers and more than 600 aviation transportation security inspectors ensure security at the 440 federalized airports.  Describing its multimodal security efforts, TSA states that it utilizes approximately 250 surface transportation inspectors to conduct annual inspections in support of risk-based security of more than 4 million miles of roadways, nearly 140,000 miles of railroad track, approximately 612,000 bridges and more than 470 tunnels, approximately 360 maritime ports, and approximately 2.75 million miles of pipeline. “TSA has an annual surface security operating budget of around $111 million, which represents approximately 3 percent of TSA’s total budget, while the remainder of the budget is dedicated primarily to aviation operations”, according to the Government Accountability Office.
More critically, key people may not be in place at DHS or TSA to make decisions, sign off on important documents, and generally oversee the progress of important programs like TWIC. In August 2018, approximately 30% of the top positions in DHS remained unfilled. Furthermore, the administration has chosen not to staff an essential White House office responsible for personnel decisions. The White House Office of Presidential Personnel
…oversees the selection process for Presidential appointments and works to recruit candidates to serve the President in departments and agencies throughout the Executive Branch. Presidential Personnel staff present candidates for PAS [Presidential Appointment needing Senate confirmation] positions to the Senate for confirmation after they have been approved by the President and have gone through Personnel’s selection and clearance process. Additionally, the office is responsible for thousands of lower level appointees. 
In March 2018, National Review described the White House personnel office: “Compared with President Bill Clinton’s administration at a similar point in his presidency, Trump’s personnel office has fewer than a fourth the number of staffers to process paperwork and interview applicants. Several of the offices at the personnel department are empty most of the day.” There is no evidence that this short-staffing has been remedied; there is evidence that it is continuing to affect the maritime security of the United States.
 Congress.gov. Public Law 144-278, Dec. 16, 2016. To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes.
Public Law 114–278
To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. TRANSPORTATION WORKER IDENTIFICATION CREDENTIAL SECURITY CARD PROGRAM IMPROVEMENTS AND ASSESSMENT.
(a) CREDENTIAL IMPROVEMENTS.—
(1) IN GENERAL.—Not later than 60 days after the date of enactment of this Act, the Administrator of the Transportation Security Administration shall commence actions, consistent with section 70105 of title 46, United States Code, to improve the Transportation Security Administration’s process for vetting individuals with access to secure areas of vessels and maritime facilities.
(2) REQUIRED ACTIONS.—The actions described under paragraph (1) shall include—
(A) conducting a comprehensive risk analysis of security threat assessment procedures, including—
(i) identifying those procedures that need additional internal controls; and
(ii) identifying best practices for quality assurance at every stage of the security threat assessment;
(B) implementing the additional internal controls and best practices identified under subparagraph (A);
(C) improving fraud detection techniques, such as—
(i) by establishing benchmarks and a process for electronic document validation;
(ii) by requiring annual training for Trusted Agents; and
(iii) by reviewing any security threat assessment related information provided by Trusted Agents and incorporating any new threat information into updated guidance under subparagraph (D);
(D) updating the guidance provided to Trusted Agents regarding the vetting process and related regulations;
(E) finalizing a manual for Trusted Agents and adjudicators on the vetting process; and
(F) establishing quality controls to ensure consistent procedures to review adjudication decisions and terrorism
(3) REPORT.—Not later than 2 years after the date of enactment of this Act, the Inspector General of the Department of Homeland Security shall submit a report to Congress that evaluates the implementation of the actions described in paragraph (1).
(b) COMPREHENSIVE SECURITY ASSESSMENT OF THE TRANSPORTATION SECURITY CARD PROGRAM.—
(1) IN GENERAL.—Not later than 60 days after the date of enactment of this Act, the Secretary of Homeland Security shall commission an assessment of the effectiveness of the transportation security card program (referred to in this section as ‘‘Program’’) required under section 70105 of title 46, United States Code, at enhancing security and reducing security risks for facilities and vessels regulated under chapter 701 of that title.
(2) LOCATION.—The assessment commissioned under paragraph (1) shall be conducted by a research organization with significant experience in port or maritime security, such as—
(A) a national laboratory;
(B) a university-based center within the Science and Technology Directorate’s centers of excellence network; or
(C) a qualified federally-funded research and development center.
(3) CONTENTS.—The assessment commissioned under paragraph (1) shall—
(A) review the credentialing process by determining—
(i) the appropriateness of vetting standards;
(ii) whether the fee structure adequately reflects the current costs of vetting;
(iii) whether there is unnecessary redundancy or duplication with other Federal- or State-issued transportation security credentials; and
(iv) the appropriateness of having varied Federal and State threat assessments and access controls;
(B) review the process for renewing applications for Transportation Worker Identification Credentials,
including the number of days it takes to review application, appeal, and waiver requests for additional information;
(C) review the security value of the Program by—
(i) evaluating the extent to which the Program, as implemented, addresses known or likely security risks in the maritime and port environments;
(ii) evaluating the potential for a non-biometric credential alternative;
(iii) identifying the technology, business process, and operational impacts of the use of the transportation
security card and transportation security card readers in the maritime and port environments;
(iv) assessing the costs and benefits of the Program, as implemented; and
(v) evaluating the extent to which the Secretary of Homeland Security has addressed the deficiencies
in the Program identified by the Government Accountability Office and the Inspector General of the Department of Homeland Security before the date of enactment of this Act.
(4) DEADLINES.—The assessment commissioned under paragraph (1) shall be completed not later than 1 year after the date on which the assessment is commissioned.
(5) SUBMISSION TO CONGRESS.—Not later than 60 days after the date that the assessment is completed, the Secretary of Homeland Security shall submit to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives the results of the assessment commissioned under this subsection.
(c) CORRECTIVE ACTION PLAN; PROGRAM REFORMS.—If the assessment commissioned under subsection (b) identifies a deficiency in the effectiveness of the Program, the Secretary of Homeland Security, not later than 60 days after the date on which the assessment is completed, shall submit a corrective action plan to the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs
of the Senate, the Committee on Homeland Security and the Committee on Transportation and Infrastructure of the House of Representatives that—
(1) responds to findings of the assessment;
(2) includes an implementation plan with benchmarks;
(3) may include programmatic reforms, revisions to regulations, or proposals for legislation; and
(4) shall be considered in any rulemaking by the Department of Homeland Security relating to the Program.
(d) INSPECTOR GENERAL REVIEW.—If a corrective action plan is submitted under subsection (c), the Inspector General of the Department of Homeland Security shall—
(1) not later than 120 days after the date of such submission, review the extent to which such plan implements the
requirements under subsection (c); and
(2) not later than 18 months after the date of such submission, and annually thereafter for 3 years, submit a report
to the congressional committees set forth in subsection (c) that describes the progress of the implementation of such plan.
Approved December 16, 2016.
U.S. Department of Homeland Security. Office of the Inspector General. 2018. https://www.oig.dhs.gov/about
 U.S. Department of Homeland Security. Transportation Security Administration. Factsheet: TSA by the Numbers. 2019. https://www.tsa.gov/sites/default/files/resources/tsabythenumbers_factsheet.pdf
 United States Government Accountability Office. Transportation Security Administration: Surface
Transportation Inspector Activities Should Align More Closely With Identified Risks. GAO-18-180. December 2017. https://www.gao.gov/assets/690/689031.pdf
 Clark, Charles S. Vacancy Rate for Top Agency Jobs Continues to Set Records. Government Executive. August 1, 2018.
 The White House. White House Internship Program. Presidential Departments. 2018. https://www.whitehouse.gov/get-involved/internships/presidential-departments/
 Fund, John. Trump Is Running a ‘Home Alone’ Administration. National Review. March 25, 2018. https://www.nationalreview.com/2018/03/trump-administration-staff-vacancies-leave-career-civil-servants-in-place/