The Transportation Security Administration (TSA) is constantly working to identify screening issues, but while covert tests have improved, the Government Accountability Office (GAO) says operations could still be improved, especially since one new process used by TSA is not working correctly.
In a review of 26 TSA covert tests, guidance and test data from the last three years, GAO examined how TSA tests are risk-informed, the quality of information produced from such tests, and how TSA uses test results to address security vulnerabilities.
Risk assessment guides are in place to allow investigators to do their job. However, security operations officials are largely given free rein with their own professional judgment on scenarios considered for covert testing. It is hardly a risk-informed approach, which limits effectiveness. The inspection side of TSA is the only part to have created a new process which brought in quality test results since TSA first identified deficiencies in its covert testing process back in 2015. Security operations are lacking in the ability to ensure the quality of their test results, leaving a gaping vulnerability.
Unfortunately, TSA has not been quick even in countering problems it knows about. GAO found that officials overseeing the Security Vulnerability Management Process took up to seven months to even assign an office to begin mitigation efforts, largely because they did not have to. No timeframes or milestones were established under which they must make a demonstrable change, meaning change is not happening quickly.
In all, GAO made nine recommendations to turn this around. The first calls for TSA’s Administrator to document the rationale for key decisions linked to the organization’s risk-informed approach to selecting covert test scenarios. The second presses for a more risk-informed approach on the Security Operations side of TSA. GAO also wants to see the current covert testing process assessed and changed to improve the quality of test data. It asks that Security Operations guidance likewise be assessed to determine the cause of their test failures and find ways to better their efforts.
Steps should be taken to document efforts as part of quality assurance and timeframes/milestones in the Security Vulnerability Management Process should be implemented. GAO also called for revision of existing guidance of that process, to make and define a process for escalating cases when milestones aren’t reached. Further, they want to see processes for conducting and reporting to relevant stakeholders. Finally, GAO wants TSA to create a standard process for documenting and releasing practices for conducting covert tests and using results to Federal Security Directors.