A Summary of Department of Homeland Security Office of Inspector General (OIG) Report
OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278
Please note:
The opinions in this post are solely the author’s and do not reflect the
opinion of the University of Findlay or anyone’s opinion but the author’s.
On Dec. 14,
2018 the Department of Homeland Security Office of Inspector General (OIG)
published OIG-19-16, DHS’ and TSA’s Compliance with Public Law 114-278[1],
Transportation Security Card Program Assessment. This audit was performed to
determine DHS’ and TSA’s conformity with the public law’s requirements. P.L.
114-278 required the two agencies to undertake actions to improve the TWIC vetting
process, and to conduct an overall assessment of the TWIC program effectiveness.
The words “audit” and “report” are used interchangeably and designate the
findings related in 19-16.
The law has
four sections:
(a)
Credential Improvements
(b) Comprehensive
Security Assessment of the Transportation Security Card Program
(c) Corrective
Action Plan; Program Reforms
(d) Inspector
General Review
Actions that
TSA were required to undertake to improve the vetting process/credential
improvements (section a) include a risk analysis of the TWIC security threat
assessment; implementing additional internal controls and best practices; improving
fraud detection techniques; updating the guidance provided to Trusted Agents
(TAs) regarding the vetting process and related regulations; finalizing a
manual for Trusted Agents and adjudicators on the vetting process, and
establishing quality controls for consistency in adjudication decisions.
The overall
effectiveness review (section b) includes an evaluation of both the
credentialing and the renewal process. It also includes a detailed analysis of
the security value of the program, by evaluating the extent to which the program
addresses security risks in the maritime environment; by evaluating the
possibility of non-biometric credential alternatives; by identifying the
technology, business process, and operational impacts of the use of the TWIC
card and readers; by assessing the costs and benefits of the program; and
evaluating the extent to which DHS has addressed the deficiencies in the
Program identified by the Government Accountability Office (GAO) and the OIG before
the date of enactment of the law. The risk analysis of the security threat
assessment and the overall effectiveness review were awarded the Homeland
Security Operational Analysis Center (HSOAC), operated by the RAND Corporation.
The assessment
mandated under the law was to have begun in February 2017 and be completed in a
year, with the results submitted to Congress in April 2018.
Two months
after the date on which the assessment was completed, DHS was supposed to
submit to Congress a corrective action plan addressing any deficiencies. The
law required the DHS OIG to evaluate TSA’s implementation of the actions required
by the law and submit a report to Congress no later than December 16,
2018. Please note: a complete text of
P.L. 114-278 is included in this post under footnote 1.
The OIG’s
report 19-16 evaluates DHS’ compliance with the requirements of P.L. 144-278.
The report contains some very alarming (and sometimes hard to believe) language. Persons who are affected by the TWIC program should
read the entire report. Below are
highlights.
There were
six actions that TSA was required to perform to improve the vetting process,
(a)(2) A – F. Although the OIG describes TSA as partly complying with A and B
ad complying with C – E, the report also states “We were not able to fully
address Congress’ requirement to evaluate TSA’s implementation of the required
actions identified in the public law because TSA is still in the process of
implementing elements of the required actions in the TWIC program. However, we
have concerns with aspects of TSA’s responses to all of the required actions.”[2]
The report then describes TSA’s compliance by each individual required action.
In action B, implementing additional internal controls,
the report states “Until TSA addresses all 19 recommendations, it may be
overlooking vulnerabilities in the STA [security threat assessment] process and
opportunities to improve the TWIC program. This may result in individuals
obtaining TWIC cards who may pose a security risk to our Nation’s maritime
facilities and vessels.” The language under Action C, improve fraud detection techniques, is especially troubling. There is a subset of recommendations under
this required action. Under improving
fraud detection techniques by establishing benchmarks and a process for
electronic document verification, TSA implemented the birth verification
service as one of the fraud detection techniques; however, TSA uses it in a “limited
capacity.”[3]
Under the requirement that Trusted Agents (TA) receive annual training in fraud
detection, the OIG “was provided a copy
of the contract for enrollment services that requires annual training to
enhance the knowledge of TAs in identifying potentially fraudulent identity
documents.[4]”
A copy of a contract does not verify that training is being performed; it
merely indicates that someone has drawn up a contract and that someone else has
signed it. (Throughout this document, there is language that indicates that OIG
conducted this audit by high-level interviews and limited (if any) auditing in
the field. There is nothing in the methodology that indicates that the OIG went
into the field to confirm the HSOAC findings.)
The final
comment on fraud detection needs to be reproduced in its entirety:
Lastly, TSA also complied with the
requirement to review relevant security threat information provided by the TAs.
According to TSA, if TAs suspect a fraudulent document, they note their
concerns in the system for TSA’s Program Management Office to review. Even
though TAs may include comments about potential fraudulent documents, the
application process continues. If, following a review of the TA comments, TSA
confirms that fraudulent documents were used, it can take one of four actions
depending on the status of the applicant’s adjudication: stop the enrollment,
stop the credential’s production, pull the credential from the Enrollment
Center card batch, or cancel the TWIC card after production.[5]
This seems to indicate that no matter how sloppily fraudulent the document
offered up by an enrollee to obtain a credential, the enrollment process must
go on.
In reviewing
Action E, finalize a manual for trusted agents
and adjudicators, the audit states, “We still found the manual disorganized
and some guidance was duplicative, contradictory, and outdated. A disorganized
training manual with outdated policies, procedures, and guidance may hinder
adjudicators’ ability to make appropriate, timely, and consistent decisions.”[7]
In reviewing
Action F, establish quality controls to
ensure consistent procedures to review adjudication decisions and terrorism
vetting decisions, the OIG stated,
Although TSA has QA SOPs [quality
assurance standard operating procedures] for both adjudication decisions and
terrorism vetting decisions, we could not test to verify whether TSA
consistently applied these quality assurance procedures in its reviews. We
found the QA SOPs did not contain sufficient details on all procedures, such as
a random sampling methodology for adjudication cases… Without consistent
procedures and quality controls in QA reviews, TSA may be missing errors made
by the adjudicators and terrorism vetting analysts. As a result, TSA may
inadvertently issue TWIC cards to individuals who might pose security risks to
our maritime transportation sector.[8]
TSA was a
year late submitting the required report on the overall effectiveness of the
program required in section (b) of the law. The reason for this delay: DHS
“experienced challenges identifying an office responsible for the effort.” The
assessment’s estimated completion date is April 27, 2019. [9]
Per the law, if the results of this assessment indicate deficiencies, a
corrective action plan needs to be implemented, but DHS has not designated a
point of contact to oversee preparation of this plan.
Discussion. I approach any document related to the TWIC
program from the perspective of a supporter of the program and of a security
services provider and Facility Security Officer for smaller facilities. Before
TWIC, we did not have a nationwide check, albeit a snapshot at the time of
enrollment, of the background of persons being granted unescorted access to
secure areas of regulated facilities and vessels. Larger ports and facilities
have a much wider array of tools in their toolkit to provide personnel security.
Many smaller facilities use the credential as a key layer of defense,
especially for threats involving non-employees.
So, as a
supporter of the program, I am disturbed that the OIG described the training
manual for TAs as containing material that is contradictory and outdated. I am
disturbed by the possibility that DHS and TSA seem to have difficulty
designating a person responsible for the corrective action plan mandated by the
law. And I was very disturbed by the language stating that individuals who may
pose a risk to the nation’s marine terminals and vessels are being granted
credentials because of the identified
shortcomings of the program; this language appears in several places in
the document.
I am also
disturbed by the apparent lack of consequences for the problems identified in
this document. Because it contains no recommendations, DHS and TSA did not
provide any responses. DHS did not award a work order for the assessment for
more than a year after the deadline. As an FSO, if I am late for many regulatory
requirements – drills, exercises, security inspections, annual Facility
Security Plan (FSP) audits, TWIC renewals, five-year FSP approvals, to name
just a few – there are immediate and unpleasant consequences from the
regulators. The FSP language must be clear and concise – if it is contradictory
or outdated, as the OIG found the TSA manuals to be, the USCG petty officers
will let me know. Regulatory agencies like TSA and the wider DHS, however, seem
to be held to a different, sloppier standard.
The problems
identified in the OIG report are described as having the capability of allowing
individuals to obtain TWIC cards who may pose a security risk to our Nation’s
maritime facilities and vessels. That’s the bad news. The good news is that P.L.
114-278 is in place to provide fixes/improvements for the TWIC program, and
contains the oversight provision that generated OIG 19-16. TSA is required to
perform actions immediately to improve the program (section a), and the OIG
looks over their shoulder to report compliance. The RAND corporation is
reporting on the security effectiveness of the program required in section b. (DHS
will eventually overcome their challenges in identifying who is responsible for
what.) Section c requires a corrective action plan, which the OIG will also
review. The mission of the OIG is to “provide independent oversight and promote
excellence, integrity, and accountability within DHS.”[10]
Sometimes accountability is achieved by revealing unpleasant truths, as OIG
19-16 does.
As a final thought, some other wider issues need to be
considered when reflecting on the problems raised by the OIG report. TSA has a major role in the TWIC program but
the agency’s main focus is on the aviation sector. Personnel distribution
within the agency confirms this. More than 43,000 transportation security
officers and more than 600 aviation transportation security inspectors ensure
security at the 440 federalized airports. [11]
Describing its multimodal security efforts, TSA states that it utilizes
approximately 250 surface transportation inspectors to conduct annual
inspections in support of risk-based security of more than 4 million miles of
roadways, nearly 140,000 miles of railroad track, approximately 612,000 bridges
and more than 470 tunnels, approximately 360 maritime ports, and approximately
2.75 million miles of pipeline.[12]
“TSA has an annual surface security operating budget of around $111 million,
which represents approximately 3 percent of TSA’s total budget, while the remainder
of the budget is dedicated primarily to aviation operations”, according to the
Government Accountability Office.[13]
More critically, key people may not be in place at DHS or TSA
to make decisions, sign off on important documents, and generally oversee the
progress of important programs like TWIC. In August 2018, approximately 30% of
the top positions in DHS remained unfilled.[14]
Furthermore, the administration has chosen not to staff an essential White
House office responsible for personnel decisions. The White House Office of
Presidential Personnel
…oversees the selection process
for Presidential appointments and works to recruit candidates to serve the
President in departments and agencies throughout the Executive Branch.
Presidential Personnel staff present candidates for PAS [Presidential
Appointment needing Senate confirmation] positions to the Senate for
confirmation after they have been approved by the President and have gone
through Personnel’s selection and clearance process. Additionally, the office
is responsible for thousands of lower level appointees. [15]
In March 2018, National
Review described the White House personnel office: “Compared with President
Bill Clinton’s administration at a similar point in his presidency, Trump’s
personnel office has fewer than a fourth the number of staffers to process
paperwork and interview applicants. Several of the offices at the personnel
department are empty most of the day.” [16]There
is no evidence that this short-staffing has been remedied; there is evidence
that it is continuing to affect the maritime security of the United States.
[1] Congress.gov.
Public Law 144-278, Dec. 16, 2016. To require the Secretary of Homeland
Security to prepare a comprehensive security assessment of the transportation
security card program, and for other purposes.https://www.congress.gov/114/plaws/publ278/PLAW-114publ278.pdf
Public Law 114–278
114th Congress
An Act
To require the Secretary of Homeland Security to
prepare a comprehensive security assessment of the transportation security card
program, and for other purposes.
Be it enacted by the Senate and House of
Representatives of the United States of America in Congress assembled,
SECTION 1. TRANSPORTATION WORKER IDENTIFICATION
CREDENTIAL SECURITY CARD PROGRAM IMPROVEMENTS AND ASSESSMENT.
(a) CREDENTIAL IMPROVEMENTS.—
(1) IN GENERAL.—Not later than 60 days after the date
of enactment of this Act, the Administrator of the Transportation Security
Administration shall commence actions, consistent with section 70105 of title
46, United States Code, to improve the Transportation Security Administration’s
process for vetting individuals with access to secure areas of vessels and maritime
facilities.
(2) REQUIRED ACTIONS.—The actions described under
paragraph (1) shall include—
(A) conducting a comprehensive risk analysis of
security threat assessment procedures, including—
(i) identifying those procedures that need additional
internal controls; and
(ii) identifying best practices for quality assurance
at every stage of the security threat assessment;
(B) implementing the additional internal controls and
best practices identified under subparagraph (A);
(C) improving fraud detection techniques, such as—
(i) by establishing benchmarks and a process for
electronic document validation;
(ii) by requiring annual training for Trusted Agents;
and
(iii) by reviewing any security threat assessment
related information provided by Trusted Agents and incorporating any new threat
information into updated guidance under subparagraph (D);
(D) updating the guidance provided to Trusted Agents
regarding the vetting process and related regulations;
(E) finalizing a manual for Trusted Agents and
adjudicators on the vetting process; and
(F) establishing quality controls to ensure consistent
procedures to review adjudication decisions and terrorism
vetting decisions.
(3) REPORT.—Not later than 2 years after the date of
enactment of this Act, the Inspector General of the Department of Homeland Security shall submit a report to
Congress that evaluates the implementation of the actions described in
paragraph (1).
(b) COMPREHENSIVE SECURITY ASSESSMENT OF THE
TRANSPORTATION SECURITY CARD PROGRAM.—
(1) IN GENERAL.—Not later than 60 days after the date
of enactment of this Act, the Secretary of Homeland Security shall commission
an assessment of the effectiveness of the transportation security card program
(referred to in this section as ‘‘Program’’) required under section 70105 of
title 46, United States Code, at enhancing security and reducing security risks
for facilities and vessels regulated under chapter 701 of that title.
(2) LOCATION.—The assessment commissioned under
paragraph (1) shall be conducted by a research organization with significant
experience in port or maritime security, such as—
(A) a national laboratory;
(B) a university-based center within the Science and
Technology Directorate’s centers of excellence network; or
(C) a qualified federally-funded research and
development center.
(3) CONTENTS.—The assessment commissioned under
paragraph (1) shall—
(A) review the credentialing process by determining—
(i) the appropriateness of vetting standards;
(ii) whether the fee structure adequately reflects the
current costs of vetting;
(iii) whether there is unnecessary redundancy or
duplication with other Federal- or State-issued transportation security
credentials; and
(iv) the appropriateness of having varied Federal and
State threat assessments and access controls;
(B) review the process for renewing applications for
Transportation Worker Identification Credentials,
including the number of days it takes to review
application, appeal, and waiver requests for additional information;
and
(C) review the security value of the Program by—
(i) evaluating the extent to which the Program, as
implemented, addresses known or likely security risks in the maritime and port
environments;
(ii) evaluating the potential for a non-biometric credential alternative;
security card
and transportation security card readers in the maritime and port environments;
(iv) assessing
the costs and benefits of the Program, as implemented; and
(v) evaluating
the extent to which the Secretary of Homeland Security has addressed the
deficiencies
in the Program
identified by the Government Accountability Office and the Inspector General of
the Department of Homeland Security before the date of enactment of this Act.
(4)
DEADLINES.—The assessment commissioned under paragraph (1) shall be completed
not later than 1 year after the date on which the assessment is commissioned.
(5) SUBMISSION TO CONGRESS.—Not later than 60 days
after the date that the assessment is completed, the Secretary of Homeland
Security shall submit to the Committee on Commerce, Science, and Transportation
and the Committee on Homeland Security and Governmental Affairs of the Senate
and the Committee on Homeland Security and the Committee on Transportation and
Infrastructure of the House of Representatives the results of the assessment
commissioned under this subsection.
(c) CORRECTIVE ACTION PLAN; PROGRAM REFORMS.—If the
assessment commissioned under subsection (b) identifies a deficiency in the
effectiveness of the Program, the Secretary of Homeland Security, not later
than 60 days after the date on which the assessment is completed, shall submit
a corrective action plan to the Committee on Commerce, Science, and
Transportation and the Committee on Homeland Security and Governmental Affairs
of the Senate, the Committee on Homeland Security and
the Committee on Transportation and Infrastructure of the House of
Representatives that—
(1) responds to findings of the assessment;
(2) includes an implementation plan with benchmarks;
(3) may include programmatic reforms, revisions to
regulations, or proposals for legislation; and
(4) shall be considered in any rulemaking by the
Department of Homeland Security relating to the Program.
(d) INSPECTOR GENERAL REVIEW.—If a corrective action
plan is submitted under subsection (c), the Inspector General of the Department
of Homeland Security shall—
(1) not later than 120 days after the date of such
submission, review the extent to which such plan implements the
requirements under subsection (c); and
(2) not later than 18 months after the date of such
submission, and annually thereafter for 3 years, submit a report
to the congressional committees set forth in subsection
(c) that describes the progress of the implementation of such plan.
Approved December 16, 2016.
[2]
Ibid.
[3]
Ibid.
[4]
Ibid.
[5]
Ibid.
[7]
Ibid.
[8]
Ibid.
[9]
Ibid.
[10]U.S.
Department of Homeland Security. Office
of the Inspector General. 2018. https://www.oig.dhs.gov/about
[11] U.S.
Department of Homeland Security. Transportation Security Administration.
Factsheet: TSA by the Numbers. 2019.
https://www.tsa.gov/sites/default/files/resources/tsabythenumbers_factsheet.pdf
[12]
Ibid.
[13] United
States Government Accountability Office. Transportation Security
Administration: Surface
Transportation Inspector Activities Should Align More
Closely With Identified Risks. GAO-18-180. December 2017. https://www.gao.gov/assets/690/689031.pdf
[14]
Clark, Charles S. Vacancy Rate for Top Agency Jobs Continues to Set Records.
Government Executive. August 1, 2018.
https://www.govexec.com/management/2018/08/vacancy-rate-top-agency-jobs-continues-set-records/150224/
[15]
The White House. White House Internship Program. Presidential Departments.
2018. https://www.whitehouse.gov/get-involved/internships/presidential-departments/
[16]
Fund, John. Trump Is Running a ‘Home Alone’ Administration. National Review.
March 25, 2018. https://www.nationalreview.com/2018/03/trump-administration-staff-vacancies-leave-career-civil-servants-in-place/
No comments:
Post a Comment